authorkali <kali@leap.se>2012-08-08 06:53:10 +0900
committerkali <kali@leap.se>2012-08-08 06:53:10 +0900
commit530e10214a6f018909714b288d997df13ab4f9df (patch)
tree995596699e26d27ddcbd442698646b32dd11ba6c /src/leap/eip/config.py
parent36b0dfacca794e9cb899b5dde2dae3b8bbc6cc43 (diff)
check for bad permissions on vpn key files
Diffstat (limited to 'src/leap/eip/config.py')
-rw-r--r--src/leap/eip/config.py56
1 files changed, 55 insertions, 1 deletions
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 9af6f57a..91c3953b 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -4,13 +4,17 @@ import logging
import os
import platform
-from leap.util.fileutil import which, mkdir_p
+from leap.util.fileutil import (which, mkdir_p,
+ check_and_fix_urw_only)
from leap.baseapp.permcheck import (is_pkexec_in_system,
is_auth_agent_running)
logger = logging.getLogger(name=__name__)
logger.setLevel('DEBUG')
+# XXX move exceptions to
+# from leap.eip import exceptions as eip_exceptions
+
class EIPNoPkexecAvailable(Exception):
pass
@@ -20,6 +24,14 @@ class EIPNoPolkitAuthAgentAvailable(Exception):
pass
+class EIPInitNoKeyFileError(Exception):
+ pass
+
+
+class EIPInitBadKeyFilePermError(Exception):
+ pass
+
+
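Review bot: EIPInitNoKeyFileError and EIPInitBadKeyFilePermError are added with a bare `pass` and no docstring, even though the XXX comment in the previous hunk says these classes are to be moved into a shared exceptions module, where an undocumented name will be harder to place. A one-line docstring on each would travel with them, e.g. `"""Raised when the openvpn keyfile named by the config does not exist."""` and `"""Raised when the keyfile permissions are wrong and could not be corrected."""`. As a point of style, the two new classes derive directly from Exception like EIPNoPkexecAvailable; a common EIP base class would let the UI that is meant to handle initialisation failures catch them with a single handler instead of enumerating each type.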
OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
@@ -345,3 +357,45 @@ def get_config(config_file=None):
config.readfp(config_file)
return config
+
+
+def check_vpn_keys(config):
+ """
+ performs an existance and permission check
+ over the openvpn keys file.
+ Currently we're expecting a single file
+ per provider, containing the CA cert,
+ the provider key, and our client certificate
+ """
+
+ keyopt = ('provider', 'keyfile')
+
+ # XXX at some point,
+ # should separate between CA, provider cert
+ # and our certificate.
+ # make changes in the default provider template
+ # accordingly.
+
+ # get vpn keys
+ if config.has_option(*keyopt):
+ keyfile = config.get(*keyopt)
+ else:
+ keyfile = get_config_file(
+ 'openvpn.keys',
+ folder=get_default_provider_path())
+ logger.debug('keyfile = %s', keyfile)
+
+ # if no keys, raise error.
+ # should be catched by the ui and signal user.
+
+ if not os.path.isfile(keyfile):
+ logger.error('key file %s not found. aborting.',
+ keyfile)
+ raise EIPInitNoKeyFileError
+
+ # check proper permission on keys
+ # bad perms? try to fix them
+ try:
+ check_and_fix_urw_only(keyfile)
+ except OSError:
+ raise EIPInitBadKeyFilePermError
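Review bot: The `except OSError: raise EIPInitBadKeyFilePermError` at the end of check_vpn_keys drops the underlying error, so the UI that is supposed to catch it cannot tell a chmod refused because the file belongs to another user (EPERM) from any other failure, and the offending path is lost as well; `except OSError as exc:` / `raise EIPInitBadKeyFilePermError('%s: %s' % (keyfile, exc))` preserves both, and the bare `raise EIPInitNoKeyFileError` a few lines up would benefit from the same treatment. Judging by its name, check_and_fix_urw_only repairs loose permissions rather than only reporting them, which means a keyfile that was readable by other users is quietly tightened with no record that the key material may already have been exposed; if the helper does fix the mode, a `logger.warning` naming the file (and noting that the certificate may need to be reissued) should accompany the fix, either here or inside the helper. Both checks act on whatever path the config supplies, and `os.path.isfile` follows symlinks, so a keyfile that is a symlink would have the link target's permissions inspected and changed — worth confirming that the helper handles that case as intended.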