[feat] detect if pkexec is present in the system

Check it before starting the vpn.

- Resolves: #8895

4 files changed, 25 insertions, 13 deletions

diff --git a/src/leap/bitmask/vpn/_checks.py b/src/leap/bitmask/vpn/_checks.py
index 6c089628..c6117d0d 100644
--- a/src/leap/bitmask/vpn/_checks.py
+++ b/src/leap/bitmask/vpn/_checks.py
@@ -2,13 +2,14 @@ import os
 
 from datetime import datetime
 from time import mktime
+from twisted.logger import Logger
 
+from leap.bitmask.vpn.privilege import is_pkexec_in_system, NoPkexecAvailable
 from leap.common.certs import get_cert_time_boundaries
 from leap.common.config import get_path_prefix
 
+log = Logger()
 
-# TODO use privilege.py module, plenty of checks in there for pkexec and
-# friends.
 
 class ImproperlyConfigured(Exception):
     pass
@@ -18,6 +19,10 @@ def is_service_ready(provider):
     if not _has_valid_cert(provider):
         raise ImproperlyConfigured('Missing VPN certificate')
 
+    if not is_pkexec_in_system():
+        log.warn('System has no pkexec')
+        raise NoPkexecAvailable()
+
     return True
 
 
@@ -40,10 +45,12 @@ def _has_valid_cert(provider):
     cert_path = get_vpn_cert_path(provider)
     has_file = os.path.isfile(cert_path)
     if not has_file:
+        log.warn("VPN cert not present for %s" % (provider,))
         return False
 
     expiry = cert_expires(provider)
     if datetime.now() > expiry:
+        log.warn("VPN cert expired for %s" % (provider,))
         return False
 
     return True
diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py
index e09f406d..57847e16 100644
--- a/src/leap/bitmask/vpn/helpers/__init__.py
+++ b/src/leap/bitmask/vpn/helpers/__init__.py
@@ -4,6 +4,7 @@ import os.path
 import sys
 
 from leap.bitmask.vpn.constants import IS_LINUX, IS_MAC
+from leap.bitmask.vpn.privilege import is_pkexec_in_system
 from leap.bitmask.vpn import _config
 
 from leap.bitmask.util import STANDALONE
@@ -38,7 +39,7 @@ if IS_LINUX:
         polkit = (
             os.path.exists(polkit_to) or
             os.path.exists(deb_polkit_to))
-        return helper and polkit
+        return is_pkexec_in_system() and helper and polkit
 
 if IS_MAC:
 
diff --git a/src/leap/bitmask/vpn/privilege.py b/src/leap/bitmask/vpn/privilege.py
index 458f690d..dd8d29a9 100644
--- a/src/leap/bitmask/vpn/privilege.py
+++ b/src/leap/bitmask/vpn/privilege.py
@@ -109,7 +109,7 @@ class LinuxPolicyChecker(object):
         :returns: a list of the paths where pkexec is to be found
         :rtype: list
         """
-        if not self._is_pkexec_in_system():
+        if not is_pkexec_in_system():
             log.warn('System has no pkexec')
             raise NoPkexecAvailable()
 
@@ -181,12 +181,12 @@ class LinuxPolicyChecker(object):
 
         return is_running
 
-    @classmethod
-    def _is_pkexec_in_system(self):
-        """
-        Checks the existence of the pkexec binary in system.
-        """
-        pkexec_path = which('pkexec')
-        if len(pkexec_path) == 0:
-            return False
-        return True
+
+def is_pkexec_in_system():
+    """
+    Checks the existence of the pkexec binary in system.
+    """
+    pkexec_path = which('pkexec')
+    if len(pkexec_path) == 0:
+        return False
+    return True
diff --git a/src/leap/bitmask/vpn/service.py b/src/leap/bitmask/vpn/service.py
index 1ecfa797..36699712 100644
--- a/src/leap/bitmask/vpn/service.py
+++ b/src/leap/bitmask/vpn/service.py
@@ -106,6 +106,10 @@ class VPNService(HookableService):
                 exc = Exception("VPN can't start, a provider is needed")
                 exc.expected = True
                 raise exc
+        if not is_service_ready(domain):
+            exc = Exception("VPN is not ready")
+            exc.expected = True
+            raise exc
 
         yield self._setup(domain)