1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
#
# Copyright (c) 2014 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json
from leap.common.certs import get_digest
import requests
from .certs import which_bootstrap_CA_bundle, which_api_CA_bundle, which_bootstrap_cert_fingerprint
from pixelated.support.tls_adapter import EnforceTLSv1Adapter
class LeapProvider(object):
def __init__(self, server_name, config):
self.server_name = server_name
self.config = config
self.provider_json = self.fetch_provider_json()
@property
def api_uri(self):
return self.provider_json.get('api_uri')
@property
def ca_cert_fingerprint(self):
return self.provider_json.get('ca_cert_fingerprint')
@property
def ca_cert_uri(self):
return self.provider_json.get('ca_cert_uri')
@property
def api_version(self):
return self.provider_json.get('api_version')
@property
def domain(self):
return self.provider_json.get('domain')
@property
def services(self):
return self.provider_json.get('services')
def __hash__(self):
return hash(self.server_name)
def __eq__(self, other):
return self.server_name == other.server_name
def ensure_supports_mx(self):
if 'mx' not in self.services:
raise Exception
def download_certificate_to(self, filename):
"""
Downloads the server certificate, validates it against the provided fingerprint and stores it to file
"""
cert = self.fetch_valid_certificate()
with open(filename, 'w') as out:
out.write(cert)
def fetch_valid_certificate(self):
cert = self._fetch_certificate()
self.validate_certificate(cert)
return cert
def _fetch_certificate(self):
cert_url = '%s/ca.crt' % self._provider_base_url()
response = self._validated_get(cert_url)
cert_data = response.content
return cert_data
def validate_certificate(self, cert_data=None):
if cert_data is None:
cert_data = self._fetch_certificate()
parts = str(self.ca_cert_fingerprint).split(':')
method = parts[0].strip()
fingerprint = parts[1].strip()
digest = get_digest(cert_data, method)
if fingerprint.strip() != digest:
raise Exception('Certificate fingerprints don\'t match')
def _validated_get(self, url):
session = requests.session()
try:
session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=which_bootstrap_cert_fingerprint()))
response = session.get(url, verify=which_bootstrap_CA_bundle(self), timeout=self.config.timeout_in_s)
response.raise_for_status()
return response
finally:
session.close()
def fetch_provider_json(self):
url = '%s/provider.json' % self._provider_base_url()
response = self._validated_get(url)
json_data = json.loads(response.content)
return json_data
def fetch_soledad_json(self):
service_url = "%s/%s/config/soledad-service.json" % (
self.api_uri, self.api_version)
response = requests.get(service_url, verify=which_api_CA_bundle(self), timeout=self.config.timeout_in_s)
response.raise_for_status()
return json.loads(response.content)
def fetch_smtp_json(self):
service_url = '%s/%s/config/smtp-service.json' % (
self.api_uri, self.api_version)
response = requests.get(service_url, verify=which_api_CA_bundle(self), timeout=self.config.timeout_in_s)
response.raise_for_status()
return json.loads(response.content)
def _provider_base_url(self):
return 'https://%s' % self.server_name
|