From c1a35317fe4ebb82bf7d24dc5d8c171d29c9c501 Mon Sep 17 00:00:00 2001
From: Tulio Casagrande
Date: Mon, 29 Aug 2016 18:23:14 -0300
Subject: [#765] Move combined_ca_bundle to UA initialization
With this change we don't have to create the combined_ca_bundle for every user at every login. To support this change, we started migrating away from the LeapCertificate class that was making the LeapProvider setup more brittle
---
service/pixelated/bitmask_libraries/certs.py | 16 +------
service/pixelated/bitmask_libraries/keymanager.py | 5 ++-
service/pixelated/bitmask_libraries/provider.py | 51 +++++++++++++++++++++--
service/pixelated/config/leap.py | 6 +--
service/pixelated/config/sessions.py | 4 +-
service/pixelated/register.py | 4 +-
6 files changed, 58 insertions(+), 28 deletions(-)
(limited to 'service/pixelated')
diff --git a/service/pixelated/bitmask_libraries/certs.py b/service/pixelated/bitmask_libraries/certs.py
index e3466d05..9a76a01d 100644
--- a/service/pixelated/bitmask_libraries/certs.py
+++ b/service/pixelated/bitmask_libraries/certs.py
@@ -14,6 +14,7 @@
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see .
import os
+
from pixelated.config import leap_config
@@ -38,18 +39,3 @@ class LeapCertificate(object): @property def provider_web_cert(self): return self.LEAP_CERT - - @property def provider_api_cert(self): return str(os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client', 'api.pem')) - - def setup_ca_bundle(self): path = os.path.join(leap_config.leap_home, 'providers', self._server_name, 'keys', 'client') if not os.path.isdir(path): os.makedirs(path, 0700) self._download_cert(self.provider_api_cert) - - def _download_cert(self, cert_file_name): cert = self._provider.fetch_valid_certificate() with open(cert_file_name, 'w') as file: file.write(cert)
diff --git a/service/pixelated/bitmask_libraries/keymanager.py b/service/pixelated/bitmask_libraries/keymanager.py
index 78d6e935..46125a6c 100644
--- a/service/pixelated/bitmask_libraries/keymanager.py
+++ b/service/pixelated/bitmask_libraries/keymanager.py
@@ -28,9 +28,10 @@ class Keymanager(object):
self._email = email_address
self.keymanager = KeyManager(self._email, nicknym_url, soledad,
- token=token, ca_cert_path=LeapCertificate(provider).provider_api_cert, api_uri=provider.api_uri,
+ token=token, ca_cert_path=provider.provider_api_cert, api_uri=provider.api_uri,
api_version=provider.api_version,
- uid=uuid, gpgbinary=leap_config.gpg_binary)
+ uid=uuid, gpgbinary=leap_config.gpg_binary,
+ combined_ca_bundle=provider.combined_ca_bundle)
@defer.inlineCallbacks
def generate_openpgp_key(self):
diff --git a/service/pixelated/bitmask_libraries/provider.py b/service/pixelated/bitmask_libraries/provider.py
index 02318ec2..97becac8 100644
--- a/service/pixelated/bitmask_libraries/provider.py
+++ b/service/pixelated/bitmask_libraries/provider.py
@@ -15,9 +15,12 @@
# along with Pixelated. If not, see .
import json
import os
+import fileinput
+import tempfile
+import requests
from leap.common.certs import get_digest
-import requests
+from leap.common import ca_bundle
from .certs import LeapCertificate
from pixelated.config import leap_config
from pixelated.support.tls_adapter import EnforceTLSv1Adapter
@@ -31,6 +34,10 @@ class LeapProvider(object): self.local_ca_crt = '%s/ca.crt' % leap_config.leap_home self.provider_json = self.fetch_provider_json() + @property def provider_api_cert(self): return str(os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client', 'api.pem')) + @property def api_uri(self): return self.provider_json.get('api_uri')
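Review bot: `combined_ca_bundle=provider.combined_ca_bundle` reads an attribute that LeapProvider does not initialise in `__init__` and that `create_combined_bundle_file` (added in the provider.py hunk below) assigns only after its concatenation step, not on its two early `return` paths, so a Keymanager built from such a provider raises AttributeError instead of getting a fallback bundle. The safe shape is to initialise it on the provider side, `self.combined_ca_bundle = None` at the end of `LeapProvider.__init__`, and to have `create_combined_bundle_file` assign it on every path; the provider.py and register.py hunks below carry the same concern. The enclosing Keymanager `__init__` starts before this hunk.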
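Review bot: The new `provider_api_cert` property has no docstring, and because its value is passed to `requests.get(verify=...)` and to KeyManager as `ca_cert_path` it is the TLS trust anchor for every provider API call, so it deserves one: `"""Path of the provider API certificate (api.pem) under leap_home, written by setup_ca_bundle() and used as the verify= trust anchor for API requests."""`. It only builds a path and does not check that the file exists, so a caller that runs before `setup_ca_bundle()` gets a path to a missing file and fails inside `requests` rather than with a clear setup error — worth stating in the docstring or checking with `os.path.isfile` where it is consumed. In the import block, `import requests` now sits among the stdlib modules while the other third-party import `from leap.common import ca_bundle` follows; grouping stdlib (`fileinput`, `json`, `os`, `tempfile`) and third-party (`leap.common`, `requests`) separately would match the usual convention. The `__init__` whose tail is shown as context starts before this hunk.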
@@ -140,14 +147,14 @@ class LeapProvider(object):
def fetch_soledad_json(self):
service_url = "%s/%s/config/soledad-service.json" % (
self.api_uri, self.api_version)
- response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT)
+ response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
response.raise_for_status()
return json.loads(response.content)
def fetch_smtp_json(self):
service_url = '%s/%s/config/smtp-service.json' % (
self.api_uri, self.api_version)
- response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=REQUESTS_TIMEOUT)
+ response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
response.raise_for_status()
return json.loads(response.content)
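Review bot: After this change `fetch_soledad_json` and `fetch_smtp_json` differ only in the service file name, so the `verify=self.provider_api_cert` pinning is duplicated and a later edit could relax it in one copy without the other. A private helper that takes the file name and performs the verified GET would keep the trust-anchor argument in one place, with the two public methods reduced to one-line wrappers, as sketched below. Both methods are complete within this hunk.
```python
    def _fetch_service_json(self, service_file):
        """GET <api_uri>/<api_version>/config/<service_file>, verifying TLS against the provider API cert."""
        service_url = '%s/%s/config/%s' % (self.api_uri, self.api_version, service_file)
        response = requests.get(service_url, verify=self.provider_api_cert, timeout=REQUESTS_TIMEOUT)
        response.raise_for_status()
        return json.loads(response.content)

    def fetch_soledad_json(self):
        return self._fetch_service_json('soledad-service.json')

    def fetch_smtp_json(self):
        return self._fetch_service_json('smtp-service.json')
```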
@@ -166,3 +173,41 @@ class LeapProvider(object): def _discover_nicknym_server(self): return 'https://nicknym.%s:6425/' % self.domain + + def create_combined_bundle_file(self): leap_ca_bundle = ca_bundle.where() + + if self.provider_api_cert == leap_ca_bundle: return self.provider_api_cert elif not self.provider_api_cert: return leap_ca_bundle + + tmp_file = tempfile.NamedTemporaryFile(delete=False) + + with open(tmp_file.name, 'w') as fout: fin = fileinput.input(files=(leap_ca_bundle, self.provider_api_cert)) for line in fin: fout.write(line) fin.close() + + self.combined_ca_bundle = tmp_file.name + + def setup_ca_bundle(self): path = os.path.join(leap_config.leap_home, 'providers', self.server_name, 'keys', 'client') if not os.path.isdir(path): os.makedirs(path, 0700) self._download_cert(self.provider_api_cert) + + def _download_cert(self, cert_file_name): cert = self.fetch_valid_certificate() with open(cert_file_name, 'w') as file: file.write(cert) + + def setup_ca(self): self.download_certificate() self.setup_ca_bundle() self.create_combined_bundle_file() + + def download_settings(self): self.download_soledad_json() self.download_smtp_json()
diff --git a/service/pixelated/config/leap.py b/service/pixelated/config/leap.py
index 371c0dc8..42eb495d 100644
--- a/service/pixelated/config/leap.py
+++ b/service/pixelated/config/leap.py
@@ -19,10 +19,8 @@ def initialize_leap_provider(provider_hostname, provider_cert, provider_fingerpr
provider_fingerprint)
leap_config.set_leap_home(leap_home)
provider = LeapProvider(provider_hostname)
- provider.download_certificate()
- LeapCertificate(provider).setup_ca_bundle()
- provider.download_soledad_json()
- provider.download_smtp_json()
+ provider.setup_ca()
+ provider.download_settings()
return provider
diff --git a/service/pixelated/config/sessions.py b/service/pixelated/config/sessions.py
index ed492ea9..9ce0a212 100644
--- a/service/pixelated/config/sessions.py
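Review bot: `create_combined_bundle_file` assigns `self.combined_ca_bundle` only after the concatenation; its two early `return` branches hand a path back to `setup_ca`, which discards it, so on those paths the attribute is never set and Keymanager's `provider.combined_ca_bundle` raises AttributeError (the `elif not self.provider_api_cert` branch is unreachable because the property always returns a non-empty path, but the `==` branch is not). The concatenation also reopens the `NamedTemporaryFile` by name and never closes the original handle, and it copies the two PEM files back to back with no separator, so a bundle whose last line lacks a trailing newline would glue `-----END CERTIFICATE-----` to the next `-----BEGIN CERTIFICATE-----` and the merged trust anchor would not parse. The rewrite below assigns the attribute on every path, writes through the temp-file handle (which `tempfile` creates with mode 0600) and pads a missing newline; `setup_ca` can stay as it is. Each `setup_ca()` call still leaves a new bundle file in the temp directory with no cleanup — acceptable once at process start, which is what the commit intends, but worth a comment so nobody moves the call back into the per-login path. The class body continues outside this hunk.
```python
    def create_combined_bundle_file(self):
        """Build the combined CA bundle and record its path in self.combined_ca_bundle.

        Concatenates leap's CA bundle with the provider API certificate into a
        temporary file; the attribute is assigned on every path.
        """
        leap_ca_bundle = ca_bundle.where()

        if self.provider_api_cert == leap_ca_bundle:
            self.combined_ca_bundle = self.provider_api_cert
            return self.combined_ca_bundle
        elif not self.provider_api_cert:
            self.combined_ca_bundle = leap_ca_bundle
            return self.combined_ca_bundle

        # Write through the temp-file handle (mode 0600) instead of reopening it by
        # name; the file is deliberately kept (delete=False) for the process lifetime.
        with tempfile.NamedTemporaryFile(delete=False) as fout:
            for source in (leap_ca_bundle, self.provider_api_cert):
                with open(source, 'rb') as fin:
                    data = fin.read()
                fout.write(data)
                if data and not data.endswith(b'\n'):
                    fout.write(b'\n')  # keep the PEM blocks on separate lines
            self.combined_ca_bundle = fout.name
        return self.combined_ca_bundle
```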
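Review bot: `provider.setup_ca()` followed by `provider.download_settings()` hides an ordering requirement that the four replaced lines made visible: the settings fetches presumably go through `fetch_soledad_json`/`fetch_smtp_json`, which verify TLS against `provider_api_cert`, and that file is only written by `setup_ca_bundle()` inside `setup_ca()`; a comment such as `# setup_ca() must run first: download_settings() verifies TLS against the api cert it installs` would keep the next reader from swapping them. With `LeapCertificate(provider).setup_ca_bundle()` gone, `LeapCertificate` is no longer referenced in this hunk; if leap.py does not use it elsewhere, its import at the top of the file (outside this hunk) is dead and should go. `initialize_leap_provider` starts before this hunk.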
+++ b/service/pixelated/config/sessions.py
@@ -43,7 +43,7 @@ class LeapSessionFactory(object):
self._create_database_dir(auth.uuid)
- api_cert = LeapCertificate(self._provider).provider_api_cert
+ api_cert = self._provider.provider_api_cert
soledad = yield self.setup_soledad(auth.token, auth.uuid, password, api_cert)
@@ -283,7 +283,7 @@ class SmtpClientCertificate(object):
cert_url,
params=params,
data=params,
- verify=LeapCertificate(self._provider).provider_api_cert,
+ verify=self._provider.provider_api_cert,
timeout=15,
headers=headers)
response.raise_for_status()
diff --git a/service/pixelated/register.py b/service/pixelated/register.py
index 93b55872..eaa80937 100644
--- a/service/pixelated/register.py
+++ b/service/pixelated/register.py
@@ -53,8 +53,8 @@ def register(
LeapCertificate.set_cert_and_fingerprint(provider_cert, provider_cert_fingerprint)
config = LeapConfig(leap_home=leap_home)
provider = LeapProvider(server_name)
- LeapCertificate(provider).setup_ca_bundle()
- srp_auth = SRPAuth(provider.api_uri, LeapCertificate(provider).provider_api_cert)
+ provider.setup_ca_bundle()
+ srp_auth = SRPAuth(provider.api_uri, provider.provider_api_cert)
if srp_auth.register(username, password):
LeapSessionFactory(provider).create(username, password)
--
cgit v1.2.3
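Review bot: `provider.setup_ca_bundle()` on its own never assigns `combined_ca_bundle`, so the provider handed to `LeapSessionFactory(provider).create(...)` lacks the attribute that Keymanager now reads (see the keymanager.py hunk); if that path builds a Keymanager, registration fails with AttributeError. Either call `provider.create_combined_bundle_file()` right after `provider.setup_ca_bundle()`, or switch to the new `provider.setup_ca()` — noting that it additionally runs `download_certificate()`, which this flow did not call before, so the former is the smaller change. `register` starts before this hunk.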