From fa6181293a1bf3207c4da1494d9d6cf9d715377b Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 5 Sep 2017 13:14:32 -0400 Subject: [PATCH] Use TLS for the cert-find operation The goal is to avoid using HTTP where possible and use TLS everywhere. This provides not only privacy protection but also integrity protection. We should consider any network except localhost as untrusted. Switch from using urllib.request to dogtag.https_request. https://pagure.io/freeipa/issue/7027 Signed-off-by: Rob Crittenden Reviewed-By: Fraser Tweedale --- ipaserver/plugins/dogtag.py | 42 +++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index f258ad7ba..13b3c507b 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -248,7 +248,6 @@ import time import contextlib import six -from six.moves import urllib from ipalib import Backend, api from ipapython.dn import DN 
@@ -1904,36 +1903,33 @@ class ra(rabase.rabase, RestClient): e = etree.SubElement(page, opt) e.text = str(booloptions[opt]).lower() - payload = etree.tostring(doc, pretty_print=False, xml_declaration=True, encoding='UTF-8') + payload = etree.tostring(doc, pretty_print=False, + xml_declaration=True, encoding='UTF-8') logger.debug('%s.find(): request: %s', type(self).__name__, payload) - url = 'http://%s/ca/rest/certs/search?size=%d' % ( - ipautil.format_netloc(self.ca_host, 80), - options.get('sizelimit', 0x7fffffff)) + # pylint: disable=unused-variable + status, _, data = dogtag.https_request( + self.ca_host, 443, + url='/ca/rest/certs/search?size=%d' % ( + options.get('sizelimit', 0x7fffffff)), + client_certfile=None, + client_keyfile=None, + cafile=self.ca_cert, + method='POST', + headers={'Accept-Encoding': 'gzip, deflate', + 'User-Agent': 'IPA', + 'Content-Type': 'application/xml'}, + body=payload + ) - opener = urllib.request.build_opener() - opener.addheaders = [('Accept-Encoding', 'gzip, deflate'), - ('User-Agent', 'IPA')] - - req = urllib.request.Request(url=url, data=payload, headers={'Content-Type': 'application/xml'}) - try: - response = opener.open(req) - except urllib.error.HTTPError as e: - logger.debug('HTTP Response code: %d', e.getcode()) - if e.getcode() == 501: - self.raise_certificate_operation_error('find', - detail=_('find not supported on CAs upgraded from 9 to 10')) + if status != 200: self.raise_certificate_operation_error('find', - detail=e.msg) - except urllib.error.URLError as e: - self.raise_certificate_operation_error('find', - detail=e.reason) + detail=status) - data = response.readlines() logger.debug('%s.find(): response: %s', type(self).__name__, data) parser = etree.XMLParser() try: - doc = etree.fromstring(data[0], parser) + doc = etree.fromstring(data, parser) except etree.XMLSyntaxError as e: self.raise_certificate_operation_error('find', detail=e.msg)
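Review bot: The unpack `status, _, data = dogtag.https_request(` rebinds `_`, which this file uses as the gettext function (the removed line still calls `_('find not supported on CAs upgraded from 9 to 10')`), and since an assignment makes `_` local to the entire method, any `_()` call elsewhere in find() — whose body begins outside this hunk — would raise UnboundLocalError or TypeError. Name the ignored slot instead, `status, _headers, data = dogtag.https_request(`, which also lets the `# pylint: disable=unused-variable` line go because pylint's default dummy-variable pattern already accepts underscore-prefixed names. Separately, the new `if status != 200:` branch passes the bare integer `status` as `detail` where the old code passed the HTTP reason string and mapped 501 to a specific hint, so the error a user sees loses information; consider `detail='HTTP status %d' % status` (or folding the response body in) and keeping the 501 hint if CAs upgraded from 9 are still a supported case. The privacy and integrity gain the commit message claims holds only if `https_request` verifies the peer chain against `cafile=self.ca_cert` and the hostname against `self.ca_host`, which cannot be confirmed from this hunk and is worth a one-line comment at the call site.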