summaryrefslogtreecommitdiff
path: root/service/pixelated/bitmask_libraries/provider.py
blob: a0bf4843d484f68c49b6fc42e85cae203339897d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#
# Copyright (c) 2014 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json

from leap.common.certs import get_digest
import requests
from .certs import which_bootstrap_CA_bundle, which_api_CA_bundle, which_bootstrap_cert_fingerprint
from pixelated.support.tls_adapter import EnforceTLSv1Adapter


class LeapProvider(object):
    def __init__(self, server_name, config):
        self.server_name = server_name
        self.config = config

        self.provider_json = self.fetch_provider_json()

    @property
    def api_uri(self):
        return self.provider_json.get('api_uri')

    @property
    def ca_cert_fingerprint(self):
        return self.provider_json.get('ca_cert_fingerprint')

    @property
    def ca_cert_uri(self):
        return self.provider_json.get('ca_cert_uri')

    @property
    def api_version(self):
        return self.provider_json.get('api_version')

    @property
    def domain(self):
        return self.provider_json.get('domain')

    @property
    def services(self):
        return self.provider_json.get('services')

    def __hash__(self):
        return hash(self.server_name)

    def __eq__(self, other):
        return self.server_name == other.server_name

    def ensure_supports_mx(self):
        if 'mx' not in self.services:
            raise Exception

    def download_certificate_to(self, filename):
        """
        Downloads the server certificate, validates it against the provided fingerprint and stores it to file
        """
        cert = self.fetch_valid_certificate()
        with open(filename, 'w') as out:
            out.write(cert)

    def fetch_valid_certificate(self):
        cert = self._fetch_certificate()
        self.validate_certificate(cert)
        return cert

    def _fetch_certificate(self):
        cert_url = '%s/ca.crt' % self._provider_base_url()
        response = self._validated_get(cert_url)
        cert_data = response.content
        return cert_data

    def validate_certificate(self, cert_data=None):
        if cert_data is None:
            cert_data = self._fetch_certificate()

        parts = str(self.ca_cert_fingerprint).split(':')
        method = parts[0].strip()
        fingerprint = parts[1].strip()

        digest = get_digest(cert_data, method)

        if fingerprint.strip() != digest:
            raise Exception('Certificate fingerprints don\'t match')

    def _validated_get(self, url):
        session = requests.session()
        try:
            session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=which_bootstrap_cert_fingerprint()))
            response = session.get(url, verify=which_bootstrap_CA_bundle(self), timeout=self.config.timeout_in_s)
            response.raise_for_status()
            return response
        finally:
            session.close()

    def fetch_provider_json(self):
        url = '%s/provider.json' % self._provider_base_url()
        response = self._validated_get(url)
        json_data = json.loads(response.content)
        return json_data

    def fetch_soledad_json(self):
        service_url = "%s/%s/config/soledad-service.json" % (
            self.api_uri, self.api_version)
        response = requests.get(service_url, verify=which_api_CA_bundle(self), timeout=self.config.timeout_in_s)
        response.raise_for_status()
        return json.loads(response.content)

    def fetch_smtp_json(self):
        service_url = '%s/%s/config/smtp-service.json' % (
            self.api_uri, self.api_version)
        response = requests.get(service_url, verify=which_api_CA_bundle(self), timeout=self.config.timeout_in_s)
        response.raise_for_status()
        return json.loads(response.content)

    def _provider_base_url(self):
        return 'https://%s' % self.server_name