From 2ec7bcfd32c2151e2e42ae7b19631dcc4018f93e Mon Sep 17 00:00:00 2001
From: Folker Bernitt <fbernitt@thoughtworks.com>
Date: Fri, 27 Mar 2015 11:14:14 +0100
Subject: Splitting certificate validation into provider and bootstrap
 certificate.

- Issue #333
- Now a different certificate is used to communicate with the provider's
  HTTPS website than for all other connections, e.g. to the api
---
 service/pixelated/bitmask_libraries/certs.py | 45 ++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 12 deletions(-)

(limited to 'service/pixelated/bitmask_libraries/certs.py')

diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index 4ee28a19..bafc809d 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -27,7 +27,13 @@ LEAP_CERT = None
 def which_bundle(provider):
     if LEAP_CERT:
         return LEAP_CERT
-    return str(LeapCertificate(provider).auto_detect_ca_bundle())
+    return str(LeapCertificate(provider).provider_ca_bundle())
+
+
+def which_bootstrap_bundle(provider):
+    if LEAP_CERT:
+        return LEAP_CERT
+    return str(LeapCertificate(provider).auto_detect_bootstrap_ca_bundle())
 
 
 class LeapCertificate(object):
@@ -35,18 +41,37 @@ class LeapCertificate(object):
         self._config = provider.config
         self._server_name = provider.server_name
         self._certs_home = self._config.certs_home
+        self._provider = provider
 
-    def auto_detect_ca_bundle(self):
-        if self._config.ca_cert_bundle == AUTO_DETECT_CA_BUNDLE:
-            local_cert = self._local_server_cert()
+    def auto_detect_bootstrap_ca_bundle(self):
+        if self._config.bootstrap_ca_cert_bundle == AUTO_DETECT_CA_BUNDLE:
+            local_cert = self._local_bootstrap_server_cert()
             if local_cert:
                 return local_cert
             else:
                 return ca_bundle.where()
         else:
-            return self._config.ca_cert_bundle
+            return self._config.bootstrap_ca_cert_bundle
+
+    def provider_ca_bundle(self):
+        if self._provider.config.ca_cert_bundle:
+            return self._provider.config.ca_cert_bundle
+
+        certs_root = self._provider_certs_root_path()
+        cert_file = os.path.join(certs_root, 'provider.pem')
+
+        if not os.path.isfile(cert_file):
+            self._download_server_cert(cert_file)
+
+        return cert_file
+
+    def _provider_certs_root_path(self):
+        path = os.path.join(self._provider.config.leap_home, 'providers', self._server_name, 'keys', 'client')
+        if not os.path.isdir(path):
+            os.makedirs(path, 0700)
+        return path
 
-    def _local_server_cert(self):
+    def _local_bootstrap_server_cert(self):
         cert_file = os.path.join(self._certs_home, '%s.ca.crt' % self._server_name)
         if not os.path.isfile(cert_file):
             self._download_server_cert(cert_file)
@@ -54,11 +79,7 @@ class LeapCertificate(object):
         return cert_file
 
     def _download_server_cert(self, cert_file_name):
-        response = requests.get('https://%s/provider.json' % self._server_name)
-        provider_data = json.loads(response.content)
-        ca_cert_uri = str(provider_data['ca_cert_uri'])
+        cert = self._provider.fetch_valid_certificate()
 
-        response = requests.get(ca_cert_uri)
         with open(cert_file_name, 'w') as file:
-            file.write(response.content)
-            file.close
+            file.write(cert)
-- 
cgit v1.2.3