1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
#
# Copyright (c) 2014 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json
from leap.common.certs import get_digest
import requests
from .certs import LeapCertificate
from pixelated.support.tls_adapter import EnforceTLSv1Adapter
class LeapProvider(object):
def __init__(self, server_name, config):
self.server_name = server_name
self.config = config
self.local_ca_crt = '%s/ca.crt' % self.config.leap_home
self.provider_json = self.fetch_provider_json()
@property
def api_uri(self):
return self.provider_json.get('api_uri')
@property
def ca_cert_fingerprint(self):
return self.provider_json.get('ca_cert_fingerprint')
@property
def ca_cert_uri(self):
return self.provider_json.get('ca_cert_uri')
@property
def api_version(self):
return self.provider_json.get('api_version')
@property
def domain(self):
return self.provider_json.get('domain')
@property
def services(self):
return self.provider_json.get('services')
def __hash__(self):
return hash(self.server_name)
def __eq__(self, other):
return self.server_name == other.server_name
def ensure_supports_mx(self):
if 'mx' not in self.services:
raise Exception
def download_certificate(self, filename=None):
"""
Downloads the server certificate, validates it against the provided fingerprint and stores it to file
"""
path = filename or self.local_ca_crt
cert = self.fetch_valid_certificate()
with open(path, 'w') as out:
out.write(cert)
def fetch_valid_certificate(self):
cert = self._fetch_certificate()
self.validate_certificate(cert)
return cert
def _fetch_certificate(self):
cert_url = '%s/ca.crt' % self._provider_base_url()
response = self._validated_get(cert_url)
cert_data = response.content
return cert_data
def validate_certificate(self, cert_data=None):
if cert_data is None:
cert_data = self._fetch_certificate()
parts = str(self.ca_cert_fingerprint).split(':')
method = parts[0].strip()
fingerprint = parts[1].strip()
digest = get_digest(cert_data, method)
if fingerprint.strip() != digest:
raise Exception('Certificate fingerprints don\'t match')
def _validated_get(self, url):
session = requests.session()
try:
session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=LeapCertificate.LEAP_FINGERPRINT))
response = session.get(url, verify=LeapCertificate(self).provider_web_cert, timeout=self.config.timeout_in_s)
response.raise_for_status()
return response
finally:
session.close()
def fetch_provider_json(self):
url = '%s/provider.json' % self._provider_base_url()
response = self._validated_get(url)
json_data = json.loads(response.content)
return json_data
def fetch_soledad_json(self):
service_url = "%s/%s/config/soledad-service.json" % (
self.api_uri, self.api_version)
response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=self.config.timeout_in_s)
response.raise_for_status()
return json.loads(response.content)
def fetch_smtp_json(self):
service_url = '%s/%s/config/smtp-service.json' % (
self.api_uri, self.api_version)
response = requests.get(service_url, verify=LeapCertificate(self).provider_api_cert, timeout=self.config.timeout_in_s)
response.raise_for_status()
return json.loads(response.content)
def _provider_base_url(self):
return 'https://%s' % self.server_name
def address_for(self, username):
return '%s@%s' % (username, self.domain)
|