[feat] port the polkit agent launcher

this commit is porting the polkit launcher from the legacy bitmask
client. if no polkit authentication agent is running, it will try to run
one that is found in the system.

- Resolves: #8836

5 files changed, 97 insertions, 24 deletions

diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index a34f8295..80dca0bf 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -2,6 +2,7 @@ twisted
 colorama
 zope.interface
 service-identity
+python-daemon
 gnupg
 leap.common>=0.5.5
 leap.soledad.client>=0.9.5
diff --git a/setup.py b/setup.py
index c4ddb4dc..76fb4a55 100644
--- a/setup.py
+++ b/setup.py
@@ -18,6 +18,7 @@ required = [
     'service-identity',
     'colorama',
     'srp',
+    'python-daemon',
     'leap.common',
 ]
 
diff --git a/src/leap/bitmask/vpn/helpers/linux/polkit_agent.py b/src/leap/bitmask/vpn/helpers/linux/polkit_agent.py
new file mode 100644
index 00000000..10bf7db1
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/polkit_agent.py
@@ -0,0 +1,82 @@
+# -*- coding: utf-8 -*-
+# polkit_agent.py
+# Copyright (C) 2013 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Daemonizes polkit authentication agent.
+"""
+
+import os
+import subprocess
+
+import daemon
+
+
+POLKIT_PATHS = (
+    '/usr/lib/lxpolkit/lxpolkit',
+    '/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1',
+    '/usr/lib/mate-polkit/polkit-mate-authentication-agent-1',
+    '/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1',
+)
+
+
+# TODO write tests for this piece.
+def _get_polkit_agent():
+    """
+    Return a valid polkit agent to use.
+
+    :rtype: str or None
+    """
+    # TODO: in caso of having more than one polkit agent we may want to
+    # stablish priorities. E.g.: lxpolkit over gnome-polkit for minimalistic
+    # desktops.
+    for polkit in POLKIT_PATHS:
+        if os.path.isfile(polkit):
+            return polkit
+
+    return None
+
+
+def _launch_agent():
+    """
+    Launch a polkit authentication agent on a subprocess.
+    """
+    polkit_agent = _get_polkit_agent()
+
+    if polkit_agent is None:
+        print("No usable polkit was found.")
+        return
+
+    print('Launching polkit auth agent')
+    try:
+        # XXX fix KDE launch. See: #3755
+        subprocess.call(polkit_agent)
+    except Exception as e:
+        print('Error launching polkit authentication agent %r' % (e, ))
+
+
+def launch():
+    """
+    Launch a polkit authentication agent as a daemon.
+    """
+    with daemon.DaemonContext():
+        _launch_agent()
+
+
+if __name__ == "__main__":
+    # TODO pass a --nodaemon flag so that we can launch this in the foreground
+    # and debug this module, getting errors to stderr.
+    launch()
diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py
index 5852d1e5..d68d6ef1 100644
--- a/src/leap/bitmask/vpn/launchers/linux.py
+++ b/src/leap/bitmask/vpn/launchers/linux.py
@@ -21,18 +21,13 @@ Linux VPN launcher implementation.
 
 import commands
 import os
-import sys
 
 from twisted.logger import Logger
 
 from leap.bitmask.util import STANDALONE
 from leap.bitmask.vpn.utils import first, force_eval
 from leap.bitmask.vpn.privilege import LinuxPolicyChecker
-from leap.bitmask.vpn.privilege import NoPkexecAvailable
-from leap.bitmask.vpn.privilege import NoPolkitAuthAgentAvailable
 from leap.bitmask.vpn.launcher import VPNLauncher
-from leap.bitmask.vpn.launcher import VPNLauncherException
-from leap.common.config import get_path_prefix
 
 logger = Logger()
 COM = commands
diff --git a/src/leap/bitmask/vpn/privilege.py b/src/leap/bitmask/vpn/privilege.py
index 2576877a..4617aedf 100644
--- a/src/leap/bitmask/vpn/privilege.py
+++ b/src/leap/bitmask/vpn/privilege.py
@@ -169,26 +169,20 @@ class LinuxPolicyChecker(PolicyChecker):
     @classmethod
     def launch(self):
         """
-        Tries to launch policykit
+        Tries to launch policykit.
         """
-        env = None
-        if STANDALONE:
-            # This allows us to send to subprocess the environment configs that
-            # works for the standalone bundle (like the PYTHONPATH)
-            env = dict(os.environ)
-            # The LD_LIBRARY_PATH is set on the launcher but not forwarded to
-            # subprocess unless we do so explicitly.
-            env["LD_LIBRARY_PATH"] = os.path.abspath("./lib/")
-        try:
-            # We need to quote the command because subprocess call
-            # will do "sh -c 'foo'", so if we do not quoute it we'll end
-            # up with a invocation to the python interpreter. And that
-            # is bad.
-            log.debug('Trying to launch polkit agent')
-            subprocess.call(["python -m leap.bitmask.util.polkit_agent"],
-                            shell=True, env=env)
-        except Exception:
-            log.failure('Error while launching vpn')
+        if not self.is_up():
+            try:
+                # We need to quote the command because subprocess call
+                # will do "sh -c 'foo'", so if we do not quoute it we'll end
+                # up with a invocation to the python interpreter. And that
+                # is bad.
+                log.debug('Trying to launch polkit agent')
+                subprocess.call(
+                    ["python -m leap.bitmask.vpn.helpers.linux.polkit_agent"],
+                    shell=True)
+            except Exception:
+                log.failure('Error while launching vpn')
 
     @classmethod
     def is_up(self):