path: root/client/src/leap/soledad/client/http_client.py
# -*- coding: utf-8 -*-
# http_client.py
# Copyright (C) 2015 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.


"""
Twisted HTTP/HTTPS client.
"""

import os

from zope.interface import implements

from OpenSSL.crypto import load_certificate
from OpenSSL.crypto import FILETYPE_PEM

from twisted.internet import reactor
from twisted.internet.ssl import ClientContextFactory
from twisted.internet.ssl import CertificateOptions
from twisted.internet.defer import succeed

from twisted.web.client import Agent
from twisted.web.client import HTTPConnectionPool
from twisted.web.client import readBody
from twisted.web.http_headers import Headers
from twisted.web.error import Error
from twisted.web.iweb import IBodyProducer


from leap.soledad.common.errors import InvalidAuthTokenError


#
# Setup a pool of connections
#

# Module-wide persistent connection pool; configure_certificate() hands it
# to the Agent it builds (pool=_pool), so all requests share connections.
_pool = HTTPConnectionPool(reactor, persistent=True)
# Upper bound on persistent connections kept open per host.
_pool.maxPersistentPerHost = 10
# The Agent used by httpRequest(). It stays None until configure_certificate()
# replaces it with an agent that verifies server certificates against the
# provider CA, so requests cannot be made before the CA is configured.
_agent = None

# if we ever want to trust the system's CAs, we should use an agent like this:
# from twisted.web.client import BrowserLikePolicyForHTTPS
# _agent = Agent(reactor, BrowserLikePolicyForHTTPS(), pool=_pool)


#
# SSL/TLS certificate configuration
#

def configure_certificate(cert_file):
    """
    Build the module-wide agent, verifying servers against the CA certificate
    found in ``cert_file``.

    The agent is stored in the module global ``_agent`` and shares the
    module's connection pool; httpRequest() uses it for every request.

    :param cert_file: The path to the CA certificate file (PEM).
    :type cert_file: str
    """
    global _agent
    context_factory = SoledadClientContextFactory(_load_cert(cert_file))
    _agent = Agent(reactor, context_factory, pool=_pool)


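def _load_cert(cert_file):
    """
    Load a X509 certificate from a PEM file.

    :param cert_file: The path to the certificate file.
    :type cert_file: str

    :return: The X509 certificate.
    :rtype: OpenSSL.crypto.X509

    :raise IOError: if the file cannot be opened (for instance because it
                    does not exist). A missing or unreadable CA certificate
                    is reported here instead of silently producing None and
                    surfacing later as an unusable TLS context.
    """
    # No existence check before open(): it only adds a check/open race, and
    # the former "return None when missing" path left configure_certificate()
    # with nothing to verify server certificates against.
    with open(cert_file) as f:
        data = f.read()
    return load_certificate(FILETYPE_PEM, data)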


class SoledadClientContextFactory(ClientContextFactory):
    """
    A context factory that will verify the server's certificate against a
    given CA certificate.

    NOTE(review): ``CertificateOptions(verify=True, caCerts=...)`` validates
    the certificate chain against ``cacert`` only; no hostname matching is
    performed in this class, so any certificate issued by that CA is accepted
    for any host. Confirm against the Twisted version in use whether that is
    the intended trust model (a private per-provider CA) before relying on it.
    """

    def __init__(self, cacert):
        """
        Remember the CA certificate that server certificates are checked
        against.

        :param cacert: The CA certificate.
        :type cacert: OpenSSL.crypto.X509
        """
        self._cacert = cacert

    def getContext(self, hostname, port):
        """
        Build the TLS context used for a connection.

        ``hostname`` and ``port`` satisfy the callback signature but are not
        consulted: every connection gets the same verification options.

        :return: An OpenSSL context verifying peers against the stored CA.
        """
        trust_roots = [self._cacert]
        options = CertificateOptions(verify=True, caCerts=trust_roots)
        return options.getContext()


#
# HTTP request facilities
#

def _unauth_to_invalid_token_error(failure):
    """
    Errback turning an HTTP "401 Unauthorized" error into
    InvalidAuthTokenError; any other twisted.web.error.Error passes through.

    Failures that are not a twisted.web.error.Error are re-raised by
    ``failure.trap``. The match is on the rendered error message, so it
    depends on the server sending the standard reason phrase.

    :param failure: The original failure.
    :type failure: twisted.python.failure.Failure

    :return: The original failure when it is not a 401.
    :rtype: twisted.python.failure.Failure
    """
    failure.trap(Error)
    is_unauthorized = failure.getErrorMessage() == "401 Unauthorized"
    if is_unauthorized:
        raise InvalidAuthTokenError
    return failure


class StringBodyProducer(object):
    """
    IBodyProducer that hands a whole in-memory request body to a consumer
    in a single write.
    """

    implements(IBodyProducer)

    def __init__(self, body):
        """
        Initialize the string producer.

        ``length`` is exposed because IBodyProducer consumers read it to
        size the request.

        :param body: The body of the request.
        :type body: str
        """
        self.body = body
        self.length = len(body)

    def startProducing(self, consumer):
        """
        Write the entire body to the consumer at once.

        :param consumer: Any IConsumer provider.
        :type consumer: twisted.internet.interfaces.IConsumer

        :return: A deferred that has already fired with None.
        :rtype: twisted.internet.defer.Deferred
        """
        consumer.write(self.body)
        return succeed(None)

    def pauseProducing(self):
        """Nothing to pause: the body is written in one shot."""

    def stopProducing(self):
        """Nothing to stop: the body is written in one shot."""


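def httpRequest(url, method='GET', body=None, headers=None):
    """
    Perform an HTTP request through the module's certificate-verifying agent.

    :param url: The URL for the request.
    :type url: str
    :param method: The HTTP method of the request.
    :type method: str
    :param body: The body of the request, if any. An empty body sends no
                 body producer.
    :type body: str
    :param headers: The headers of the request; None means no headers.
    :type headers: dict

    :return: A deferred that fires with the body of the response.
    :rtype: twisted.internet.defer.Deferred

    :raise RuntimeError: if configure_certificate() has not been called, so
                         that no request is ever sent without an agent that
                         verifies the server certificate.
    """
    if _agent is None:
        raise RuntimeError(
            "httpRequest() called before configure_certificate(): "
            "no certificate-verifying agent is configured")
    # A fresh dict per call instead of a shared mutable default argument.
    if headers is None:
        headers = {}
    producer = StringBodyProducer(body) if body else None
    d = _agent.request(
        method, url, headers=Headers(headers), bodyProducer=producer)
    # NOTE(review): Agent.request() does not fail on HTTP error statuses,
    # so the errback here only sees failures raised as twisted.web.error.Error;
    # confirm where a 401 response is turned into one before relying on the
    # InvalidAuthTokenError translation.
    d.addCallbacks(readBody, _unauth_to_invalid_token_error)
    return d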