service/pixelated/bitmask_libraries/provider.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

#
# Copyright (c) 2014 ThoughtWorks, Inc.
#
# Pixelated is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Pixelated is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json

from leap.common.certs import get_digest
import requests
from .certs import which_bootstrap_CA_bundle, which_api_CA_bundle, which_bootstrap_cert_fingerprint
from pixelated.support.tls_adapter import EnforceTLSv1Adapter


class LeapProvider(object):
    def __init__(self, server_name, config):
        self.server_name = server_name
        self.config = config
        self.local_ca_crt = '%s/ca.crt' % self.config.leap_home

        self.provider_json = self.fetch_provider_json()

    @property
    def api_uri(self):
        return self.provider_json.get('api_uri')

    @property
    def ca_cert_fingerprint(self):
        return self.provider_json.get('ca_cert_fingerprint')

    @property
    def ca_cert_uri(self):
        return self.provider_json.get('ca_cert_uri')

    @property
    def api_version(self):
        return self.provider_json.get('api_version')

    @property
    def domain(self):
        return self.provider_json.get('domain')

    @property
    def services(self):
        return self.provider_json.get('services')

    def __hash__(self):
        return hash(self.server_name)

    def __eq__(self, other):
        return self.server_name == other.server_name

    def ensure_supports_mx(self):
        if 'mx' not in self.services:
            raise Exception

    def download_certificate(self, filename=None):
        """
        Downloads the server certificate, validates it against the provided fingerprint and stores it to file
        """
        path = filename or self.local_ca_crt
        cert = self.fetch_valid_certificate()
        with open(path, 'w') as out:
            out.write(cert)

    def fetch_valid_certificate(self):
        cert = self._fetch_certificate()
        self.validate_certificate(cert)
        return cert

    def _fetch_certificate(self):
        cert_url = '%s/ca.crt' % self._provider_base_url()
        response = self._validated_get(cert_url)
        cert_data = response.content
        return cert_data

    def validate_certificate(self, cert_data=None):
        if cert_data is None:
            cert_data = self._fetch_certificate()

        parts = str(self.ca_cert_fingerprint).split(':')
        method = parts[0].strip()
        fingerprint = parts[1].strip()

        digest = get_digest(cert_data, method)

        if fingerprint.strip() != digest:
            raise Exception('Certificate fingerprints don\'t match')

    def _validated_get(self, url):
        session = requests.session()
        try:
            session.mount('https://', EnforceTLSv1Adapter(assert_fingerprint=which_bootstrap_cert_fingerprint()))
            response = session.get(url, verify=which_bootstrap_CA_bundle(self), timeout=self.config.timeout_in_s)
            response.raise_for_status()
            return response
        finally:
            session.close()

    def fetch_provider_json(self):
        url = '%s/provider.json' % self._provider_base_url()
        response = self._validated_get(url)
        json_data = json.loads(response.content)
        return json_data

    def fetch_soledad_json(self):
        service_url = "%s/%s/config/soledad-service.json" % (
            self.api_uri, self.api_version)
        response = requests.get(service_url, verify=which_api_CA_bundle(self), timeout=self.config.timeout_in_s)
        response.raise_for_status()
        return json.loads(response.content)

    def fetch_smtp_json(self):
        service_url = '%s/%s/config/smtp-service.json' % (
            self.api_uri, self.api_version)
        response = requests.get(service_url, verify=which_api_CA_bundle(self), timeout=self.config.timeout_in_s)
        response.raise_for_status()
        return json.loads(response.content)

    def _provider_base_url(self):
        return 'https://%s' % self.server_name