-rw-r--r--setup.py6
-rw-r--r--src/leap/bitmask/cli/eip.py6
-rw-r--r--src/leap/bitmask/core/dispatcher.py10
-rw-r--r--src/leap/bitmask/vpn/README.rst6
-rw-r--r--src/leap/bitmask/vpn/_checks.py9
-rw-r--r--src/leap/bitmask/vpn/_config.py14
-rw-r--r--src/leap/bitmask/vpn/helpers/__init__.py35
-rw-r--r--src/leap/bitmask/vpn/helpers/linux/__init__.py0
-rwxr-xr-xsrc/leap/bitmask/vpn/helpers/linux/bitmask-root (renamed from src/leap/bitmask/vpn/fw/bitmask-root)0
-rw-r--r--src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy23
-rw-r--r--src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy23
-rw-r--r--src/leap/bitmask/vpn/privilege.py8
-rw-r--r--src/leap/bitmask/vpn/process.py2
-rw-r--r--src/leap/bitmask/vpn/service.py19
14 files changed, 145 insertions, 16 deletions
diff --git a/setup.py b/setup.py
index da61958f..c4ddb4dc 100644
--- a/setup.py
+++ b/setup.py
@@ -62,6 +62,7 @@ DOWNLOAD_URL = DOWNLOAD_BASE % VERSION
# Entry points
gui_launcher = 'bitmask=leap.bitmask.gui.app:start_app'
bitmask_cli = 'bitmaskctl=leap.bitmask.cli.bitmask_cli:main'
+bitmask_helpers = 'bitmask_helpers=leap.bitmask.vpn.helpers:main'
bitmaskd = 'bitmaskd=leap.bitmask.core.launcher:run_bitmaskd'
@@ -87,7 +88,10 @@ setup(
include_package_data=True,
zip_safe=False,
entry_points={
- 'console_scripts': [gui_launcher, bitmask_cli, bitmaskd]
+ 'console_scripts': [
+ gui_launcher, bitmask_cli,
+ bitmaskd,
+ bitmask_helpers]
},
install_requires=required,
extras_require=extras,
diff --git a/src/leap/bitmask/cli/eip.py b/src/leap/bitmask/cli/eip.py
index b7016ef8..f5c97955 100644
--- a/src/leap/bitmask/cli/eip.py
+++ b/src/leap/bitmask/cli/eip.py
@@ -35,8 +35,10 @@ SUBCOMMANDS:
status Display status about service
check Check whether EIP service is properly configured
get_cert Get EIP Certificate from provider
- install Install helpers (need superuser)
+ install Install helpers (needs root)
+ uninstall Uninstall helpers (needs root)
'''.format(name=command.appname)
- commands = ['start', 'stop', 'status', 'check', 'get_cert']
+ commands = ['start', 'stop', 'status', 'check',
+ 'get_cert', 'install', 'uninstall']
diff --git a/src/leap/bitmask/core/dispatcher.py b/src/leap/bitmask/core/dispatcher.py
index a93c3ec5..36ae1b28 100644
--- a/src/leap/bitmask/core/dispatcher.py
+++ b/src/leap/bitmask/core/dispatcher.py
@@ -224,6 +224,16 @@ class EIPCmd(SubCommand):
d = eip.do_get_cert(provider)
return d
+ @register_method('install')
+ def do_INSTALL(self, eip, *parts):
+ d = eip.do_install()
+ return d
+
+ @register_method('install')
+ def do_UNINSTALL(self, eip, *parts):
+ d = eip.do_uninstall()
+ return d
+
class MailCmd(SubCommand):
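Review bot: do_UNINSTALL is decorated with `@register_method('install')`, the same argument as do_INSTALL just above it, which looks like a copy-paste slip. register_method is defined outside this hunk, so I cannot tell whether its argument is a command name or a return-type label, but in either case the second decorator presumably should read `@register_method('uninstall')`. Both methods would also benefit from a one-line docstring saying that they trigger a privileged (pkexec) operation. EIPCmd's body starts outside the hunk.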
diff --git a/src/leap/bitmask/vpn/README.rst b/src/leap/bitmask/vpn/README.rst
deleted file mode 100644
index 50310c0b..00000000
--- a/src/leap/bitmask/vpn/README.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-To be migrated
---------------
-Here we should expect the vpn parts under the legacy bitmask_client project.
-However, it would be nice to move all the fail-close boilerplate to an
-independent project (leap.fw), and declare that as an extra dependency in the
-setup.py
diff --git a/src/leap/bitmask/vpn/_checks.py b/src/leap/bitmask/vpn/_checks.py
index 3a1914f1..f4d4ed3d 100644
--- a/src/leap/bitmask/vpn/_checks.py
+++ b/src/leap/bitmask/vpn/_checks.py
@@ -3,18 +3,21 @@ import os
from leap.common.config import get_path_prefix
+# TODO use privilege.py module, plenty of checks in there for pkexec and
+# friends.
+
class ImproperlyConfigured(Exception):
pass
def is_service_ready(provider):
- valid_cert = _has_valid_cert(provider)
+ _has_valid_cert(provider)
return True
def get_eip_cert_path(provider):
return os.path.join(get_path_prefix(),
- 'leap', 'providers', provider,
+ 'leap', 'providers', provider,
'keys', 'client', 'openvpn.pem')
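Review bot: is_service_ready() still ends in an unconditional `return True`, so its only failure mode is the ImproperlyConfigured raised inside _has_valid_cert(); the `else: result = 'no'` branch that this commit adds in service.py can therefore never run. Either catch the exception here and `return False`, or have the caller catch ImproperlyConfigured and map it to `'no'`. Separately, `provider` goes straight into `os.path.join()` in get_eip_cert_path(); if it can come from a CLI or API argument, validating it as a hostname before building the path would keep the result inside the providers directory. _has_valid_cert's body is only partly visible here.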
@@ -23,5 +26,3 @@ def _has_valid_cert(provider):
has_file = os.path.isfile(cert_path)
if not has_file:
raise ImproperlyConfigured('Missing EIP certificate')
-
-
diff --git a/src/leap/bitmask/vpn/_config.py b/src/leap/bitmask/vpn/_config.py
index 7dfabf7d..267f61eb 100644
--- a/src/leap/bitmask/vpn/_config.py
+++ b/src/leap/bitmask/vpn/_config.py
@@ -1,3 +1,17 @@
+import pkg_resources
+from .constants import IS_LINUX
+
+
+if IS_LINUX:
+
+ def get_bitmask_helper_path():
+ return pkg_resources.resource_filename(
+ 'leap.bitmask.vpn.helpers.linux', 'bitmask-root')
+
+ def get_bitmask_polkit_policy_path():
+ return pkg_resources.resource_filename(
+ 'leap.bitmask.vpn.helpers.linux', 'se.leap.bitmask.bundle.policy')
+
class _TempEIPConfig(object):
"""Current EIP code on bitmask depends on EIPConfig object, this temporary
diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py
new file mode 100644
index 00000000..1f46fd79
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/__init__.py
@@ -0,0 +1,35 @@
+from os import remove
+from shutil import copyfile
+import sys
+
+from leap.bitmask.vpn.constants import IS_LINUX
+from leap.bitmask.vpn import _config
+
+if IS_LINUX:
+
+ helper_to = '/usr/local/sbin/bitmask-root'
+ polkit_to = '/usr/share/polkit-1/actions/se.bitmask.bundle.policy'
+
+ def install():
+ helper_from = _config.get_bitmask_helper_path()
+ polkit_from = _config.get_bitmask_polkit_policy_path()
+ copyfile(helper_from, helper_to)
+ copyfile(polkit_from, polkit_to)
+
+ def uninstall():
+ try:
+ remove(helper_to)
+ remove(polkit_to)
+ except:
+ raise
+
+
+def main():
+ if sys.argv[-1] == 'install':
+ install()
+ if sys.argv[-1] == 'uninstall':
+ uninstall()
+
+
+if __name__ == "__main__":
+ main()
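Review bot: `copyfile()` in install() copies file contents only, not mode bits, so `/usr/local/sbin/bitmask-root` is created without the executable bit and with a umask-dependent mode; since this is the file the policy's exec.path lets pkexec run as root, its mode should be set explicitly after the copy. In uninstall(), `except: raise` is a no-op, and a failure on the first `remove()` leaves the polkit policy installed. Both functions exist only under `if IS_LINUX:` while main() calls them unconditionally, which would raise NameError on other platforms. The sketch below assumes `chmod` is imported next to `remove` and that `errno` is imported. `polkit_to` also drops the `leap` component that the packaged policy file name and action id carry, which is worth confirming as intended.

```python
    def install():
        # … unchanged: resolve helper_from / polkit_from via _config …
        copyfile(helper_from, helper_to)
        # copyfile() does not carry mode bits over; pin them explicitly.
        chmod(helper_to, 0o755)
        copyfile(polkit_from, polkit_to)
        chmod(polkit_to, 0o644)

    def uninstall():
        # Attempt both removals so a missing helper cannot leave the
        # policy file behind; only "already gone" is tolerated.
        for path in (helper_to, polkit_to):
            try:
                remove(path)
            except OSError as exc:
                if exc.errno != errno.ENOENT:
                    raise
```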
diff --git a/src/leap/bitmask/vpn/helpers/linux/__init__.py b/src/leap/bitmask/vpn/helpers/linux/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/__init__.py
diff --git a/src/leap/bitmask/vpn/fw/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 80ac12e8..80ac12e8 100755
--- a/src/leap/bitmask/vpn/fw/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy
new file mode 100644
index 00000000..58fcaaa8
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>LEAP Project</vendor>
+ <vendor_url>http://leap.se/</vendor_url>
+
+ <action id="se.leap.bitmask.bundle.policy">
+ <description>Runs bitmask helper to launch firewall and openvpn (bundle version)</description>
+ <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (version bundle)</description>
+ <message>Bitmask needs that you authenticate to start</message>
+ <message xml:lang="es">Bitmask necesita autorizacion para comenzar</message>
+ <icon_name>package-x-generic</icon_name>
+ <defaults>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/usr/local/sbin/bitmask-root</annotate>
+ </action>
+</policyconfig>
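Review bot: The `<defaults>` block sets `allow_any`, `allow_inactive` and `allow_active` all to `yes`, which tells polkit to authorize this action without authentication for every session, including remote and inactive ones, so `/usr/local/sbin/bitmask-root` can be run as root through pkexec with no prompt at all. That also contradicts the `<message>` text, which promises an authentication step. Unless bitmask-root (not shown in this commit) strictly validates everything it is asked to do, I would restrict this to `<allow_any>no</allow_any>`, `<allow_inactive>no</allow_inactive>` and an authenticated value such as `auth_admin_keep` for `allow_active`. se.leap.bitmask.policy, added next in this commit, carries the same defaults for `/usr/sbin/bitmask-root`.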
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy
new file mode 100644
index 00000000..c66f4701
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>LEAP Project</vendor>
+ <vendor_url>http://leap.se/</vendor_url>
+
+ <action id="se.leap.bitmask.policy">
+ <description>Runs bitmask helper to launch firewall and openvpn</description>
+ <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn</description>
+ <message>Bitmask needs that you authenticate to start</message>
+ <message xml:lang="es">Bitmask necesita autorizacion para comenzar</message>
+ <icon_name>package-x-generic</icon_name>
+ <defaults>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/bitmask-root</annotate>
+ </action>
+</policyconfig>
diff --git a/src/leap/bitmask/vpn/privilege.py b/src/leap/bitmask/vpn/privilege.py
index e8ed5576..097f5f8a 100644
--- a/src/leap/bitmask/vpn/privilege.py
+++ b/src/leap/bitmask/vpn/privilege.py
@@ -37,6 +37,14 @@ logger = Logger()
flags_STANDALONE = False
+def install_helpers():
+ commands.getoutput('pkexec bitmask_helpers install')
+
+
+def uninstall_helpers():
+ commands.getoutput('pkexec bitmask_helpers uninstall')
+
+
class NoPolkitAuthAgentAvailable(Exception):
pass
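Review bot: `commands.getoutput()` in install_helpers() and uninstall_helpers() throws away the exit status, so a dismissed polkit prompt or a failed copy is indistinguishable from success, and do_install/do_uninstall in service.py then answer `'ok'` unconditionally. Capturing the status, e.g. `status, out = commands.getstatusoutput('pkexec bitmask_helpers install')` and returning `status == 0`, lets the caller report the real outcome. The command is also resolved by name through a shell, so which `bitmask_helpers` ends up running as root depends on the caller's PATH. If the package can live in a user-writable virtualenv, an absolute path to a root-owned installer would be safer; worth confirming how it is deployed.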
diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py
index ef5ee37f..813025d7 100644
--- a/src/leap/bitmask/vpn/process.py
+++ b/src/leap/bitmask/vpn/process.py
@@ -38,7 +38,7 @@ from leap.bitmask.vpn.constants import IS_MAC
from leap.bitmask.vpn.utils import first, force_eval
from leap.bitmask.vpn.utils import get_vpn_launcher
from leap.bitmask.vpn.launchers import linux
-from leap.bitmask.vpn.udstelnet import UDSTelnet
+from leap.bitmask.vpn._telnet import UDSTelnet
from leap.bitmask.vpn import _observer
from leap.bitmask.vpn import _management
diff --git a/src/leap/bitmask/vpn/service.py b/src/leap/bitmask/vpn/service.py
index 3550b4b7..72fd2bbf 100644
--- a/src/leap/bitmask/vpn/service.py
+++ b/src/leap/bitmask/vpn/service.py
@@ -27,6 +27,9 @@ from twisted.internet import defer
from leap.bitmask.hooks import HookableService
from leap.bitmask.vpn.eip import EIPManager
from leap.bitmask.vpn._checks import is_service_ready, get_eip_cert_path
+from leap.bitmask.vpn._config import get_bitmask_helper_path
+from leap.bitmask.vpn._config import get_bitmask_polkit_policy_path
+from leap.bitmask.vpn import privilege
from leap.common.config import get_path_prefix
from leap.common.files import check_and_fix_urw_only
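Review bot: `get_bitmask_helper_path` and `get_bitmask_polkit_policy_path` are defined in _config.py only inside `if IS_LINUX:`, so these two unconditional imports would raise ImportError when service.py is loaded on any other platform. Neither name is used in the hunks of this commit visible here, so the simplest fix is to drop both imports and keep only `from leap.bitmask.vpn import privilege`; otherwise guard them or give _config.py stubs for non-Linux platforms.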
@@ -81,7 +84,11 @@ class EIPService(HookableService):
and can be started"""
# TODO either pass a provider, or set a given provider
_ready = is_service_ready('demo.bitmask.net')
- return {'eip_ready': 'ok'}
+ if _ready:
+ result = 'ok'
+ else:
+ result = 'no'
+ return {'eip_ready': result}
@defer.inlineCallbacks
def do_get_cert(self, provider):
@@ -98,13 +105,21 @@ class EIPService(HookableService):
check_and_fix_urw_only(cert_path)
defer.returnValue({'get_cert': 'ok'})
+ def do_install(self):
+ ask = privilege.install_helpers()
+ return {'install': 'ok'}
+
+ def do_uninstall(self):
+ ask = privilege.uninstall_helpers()
+ return {'uninstall': 'ok'}
+
def _setup(self, provider):
"""Set up EIPManager for a specified provider.
:param provider: the provider to use, e.g. 'demo.bitmask.net'
:type provider: str"""
- # FIXME
+ # FIXME ---------------------------------------------------------
# XXX picked manually from eip-service.json
remotes = (
("198.252.153.84", "1194"),