From 550986895891153d2aa17161f6e0296f64f6ecb9 Mon Sep 17 00:00:00 2001
From: Markus Unterwaditzer <markus@unterwaditzer.net>
Date: Wed, 20 Aug 2014 18:43:34 +0200
Subject: [PATCH] Revert "Revert "Tls fingerprints""

---
 AUTHORS.rst                  |  1 +
 CONTRIBUTING.rst             |  2 +-
 tests/storage/test_http.py   |  4 ++--
 vdirsyncer/storage/dav.py    | 15 ++++++++++-----
 vdirsyncer/storage/http.py   |  6 +++++-
 vdirsyncer/utils/__init__.py | 31 +++++++++++++++++++++++++++----
 6 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/AUTHORS.rst b/AUTHORS.rst
index c4b63ec..89114c3 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -7,3 +7,4 @@ In alphabetical order:
 - Clément Mondon
 - Julian Mehne
 - Markus Unterwaditzer
+- Thomas Weißschuh
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 2da2c5b..f5b83f4 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -20,6 +20,6 @@
 
   * But not because you wrote too few tests.
 
-  * Add yourself to ``CONTRIBUTORS.rst``. Don't add anything to
+  * Add yourself to ``AUTHORS.rst``. Don't add anything to
     ``CHANGELOG.rst``, I do that myself shortly before the release. You can
     help by writing meaningful commit messages.
diff --git a/tests/storage/test_http.py b/tests/storage/test_http.py
index 648f98a..d3d74cf 100644
--- a/tests/storage/test_http.py
+++ b/tests/storage/test_http.py
@@ -41,7 +41,7 @@ def test_list(monkeypatch):
         u'\n'.join([u'BEGIN:VCALENDAR'] + items + [u'END:VCALENDAR'])
     ] * 2
 
-    def get(method, url, *a, **kw):
+    def get(self, method, url, *a, **kw):
         assert method == 'GET'
         assert url == collection_url
         r = Response()
@@ -52,7 +52,7 @@ def test_list(monkeypatch):
         r.encoding = 'ISO-8859-1'
         return r
 
-    monkeypatch.setattr('requests.request', get)
+    monkeypatch.setattr('requests.sessions.Session.request', get)
 
     s = HttpStorage(url=collection_url)
 
diff --git a/vdirsyncer/storage/dav.py b/vdirsyncer/storage/dav.py
index e224b8f..a2b7b46 100644
--- a/vdirsyncer/storage/dav.py
+++ b/vdirsyncer/storage/dav.py
@@ -162,13 +162,14 @@ class DavSession(object):
     '''
 
     def __init__(self, url, username='', password='', verify=True, auth=None,
-                 useragent=USERAGENT, dav_header=None):
+                 useragent=USERAGENT, tls_fingerprint=None, dav_header=None):
         if username and not password:
             password = utils.get_password(username, url)
 
         self._settings = {
             'verify': prepare_verify(verify),
-            'auth': prepare_auth(auth, username, password)
+            'auth': prepare_auth(auth, username, password),
+            'tls_fingerprint': tls_fingerprint,
         }
         self.useragent = useragent
         self.url = url.rstrip('/') + '/'
@@ -222,6 +223,8 @@ class DavStorage(Storage):
     :param password: Password for authentication.
     :param verify: Verify SSL certificate, default True. This can also be a
         local path to a self-signed SSL certificate.
+    :param tls_fingerprint: Optional. SHA1 or MD5 fingerprint of the
+        expected server certificate.
     :param auth: Optional. Either ``basic``, ``digest`` or ``guess``. Default
         ``guess``. If you know yours, consider setting it explicitly for
         performance.
@@ -248,14 +251,15 @@ class DavStorage(Storage):
 
     def __init__(self, url, username='', password='', collection=None,
                  verify=True, auth=None, useragent=USERAGENT,
-                 unsafe_href_chars='@', **kwargs):
+                 unsafe_href_chars='@', tls_fingerprint=None, **kwargs):
         super(DavStorage, self).__init__(**kwargs)
 
         url = url.rstrip('/') + '/'
         if collection is not None:
             url = utils.urlparse.urljoin(url, collection)
         self.session = DavSession(url, username, password, verify, auth,
-                                  useragent, dav_header=self.dav_header)
+                                  useragent, tls_fingerprint,
+                                  dav_header=self.dav_header)
         self.collection = collection
         self.unsafe_href_chars = unsafe_href_chars
 
@@ -268,7 +272,8 @@ class DavStorage(Storage):
         if kwargs.pop('collection', None) is not None:
             raise TypeError('collection argument must not be given.')
         discover_args, _ = utils.split_dict(kwargs, lambda key: key in (
-            'username', 'password', 'verify', 'auth', 'useragent'
+            'username', 'password', 'verify', 'auth', 'useragent',
+            'tls_fingerprint',
         ))
         d = cls.discovery_class(DavSession(
             url=url, dav_header=cls.dav_header, **discover_args))
diff --git a/vdirsyncer/storage/http.py b/vdirsyncer/storage/http.py
index ad918e6..4e0ef11 100644
--- a/vdirsyncer/storage/http.py
+++ b/vdirsyncer/storage/http.py
@@ -54,6 +54,8 @@ class HttpStorage(Storage):
     :param password: Password for authentication.
     :param verify: Verify SSL certificate, default True. This can also be a
         local path to a self-signed SSL certificate.
+    :param tls_fingerprint: Optional. SHA1 or MD5 fingerprint of the
+        expected server certificate.
     :param auth: Optional. Either ``basic``, ``digest`` or ``guess``. Default
         ``guess``. If you know yours, consider setting it explicitly for
         performance.
@@ -81,7 +83,8 @@ class HttpStorage(Storage):
     _items = None
 
     def __init__(self, url, username='', password='', collection=None,
-                 verify=True, auth=None, useragent=USERAGENT, **kwargs):
+                 verify=True, auth=None, useragent=USERAGENT,
+                 tls_fingerprint=None, **kwargs):
         super(HttpStorage, self).__init__(**kwargs)
 
         if username and not password:
@@ -89,6 +92,7 @@ class HttpStorage(Storage):
 
         self._settings = {
             'verify': prepare_verify(verify),
+            'tls_fingerprint': tls_fingerprint,
             'auth': prepare_auth(auth, username, password),
             'latin1_fallback': False
         }
diff --git a/vdirsyncer/utils/__init__.py b/vdirsyncer/utils/__init__.py
index 75bc384..72b3067 100644
--- a/vdirsyncer/utils/__init__.py
+++ b/vdirsyncer/utils/__init__.py
@@ -10,6 +10,7 @@
 import os
 
 import requests
+from requests.packages.urllib3.poolmanager import PoolManager
 
 from .. import exceptions, log
 from ..doubleclick import click
@@ -177,8 +178,23 @@ def _password_from_keyring(username, resource):
         key = new_key
 
 
+class _FingerprintAdapter(requests.adapters.HTTPAdapter):
+    def __init__(self, fingerprint=None, **kwargs):
+        self.fingerprint = str(fingerprint)
+        super(_FingerprintAdapter, self).__init__(**kwargs)
+
+    def send(self, *args, **kwargs):
+        return super(_FingerprintAdapter, self).send(*args, **kwargs)
+
+    def init_poolmanager(self, connections, maxsize, block=False):
+        self.poolmanager = PoolManager(num_pools=connections,
+                                       maxsize=maxsize,
+                                       block=block,
+                                       assert_fingerprint=self.fingerprint)
+
+
 def request(method, url, data=None, headers=None, auth=None, verify=None,
-            session=None, latin1_fallback=True):
+            session=None, latin1_fallback=True, tls_fingerprint=None):
     '''
     Wrapper method for requests, to ease logging and mocking. Parameters should
     be the same as for ``requests.request``, except:
@@ -193,9 +209,16 @@ def request(method, url, data=None, headers=None, auth=None, verify=None,
     '''
 
     if session is None:
-        func = requests.request
-    else:
-        func = session.request
+        session = requests.Session()
+
+    if tls_fingerprint is not None:
+        https_prefix = 'https://'
+
+        if not isinstance(session.adapters[https_prefix], _FingerprintAdapter):
+            fingerprint_adapter = _FingerprintAdapter(tls_fingerprint)
+            session.mount(https_prefix, fingerprint_adapter)
+
+    func = session.request
 
     logger.debug(u'{} {}'.format(method, url))
     logger.debug(headers)