From 05f2b9d2b72139df56f67e88aeb7ceb6d8ec4e69 Mon Sep 17 00:00:00 2001 From: "Kali Kaneko (leap communications)" Date: Mon, 5 Jun 2017 17:31:37 +0200 Subject: [feature] run vpn directly if user is root - Improve tests too: add entry in resolv.conf, not done without resolvconf --- .gitlab-ci.cut | 60 +++++++++++++++++++++++++++++ .gitlab-ci.yml | 67 ++------------------------------- src/leap/bitmask/vpn/fw/firewall.py | 14 +++---- src/leap/bitmask/vpn/launchers/linux.py | 9 +++-- tests/e2e/e2e-test-vpn.sh | 29 +++++++------- 5 files changed, 91 insertions(+), 88 deletions(-) create mode 100644 .gitlab-ci.cut diff --git a/.gitlab-ci.cut b/.gitlab-ci.cut new file mode 100644 index 00000000..10165164 --- /dev/null +++ b/.gitlab-ci.cut 
@@ -0,0 +1,60 @@ +linux_test: + image: 0xacab.org:4567/leap/soledad:latest + stage: test + script: + - tox --recreate -e py27-dev + tags: + - linux + +osx_test: + stage: test + allow_failure: true + script: + - tox --recreate -e py27-dev + tags: + - osx + +bitmask_latest_bundle: + image: 0xacab.org:4567/leap/bitmask-dev:latest + stage: bundle + script: + - pkg/build_bundle_with_venv.sh + - mv "dist/bitmask-`cat pkg/next-version`" . + artifacts: + paths: + - "bitmask-`cat pkg/next-version`" + name: "Bitmask_linux64_latest_${CI_BUILD_REF}" + expire_in: 1 month + tags: + - linux + +build_ui: + image: 0xacab.org:4567/leap/bitmask-dev:latest + stage: build + script: + - cd ui && make dev-build + tags: + - linux + +build_docker_image: + image: 0xacab.org:4567/leap/bitmask-dev:latest + stage: test + services: + - docker:dind + tags: + - docker-in-docker + only: + - branches@leap/bitmask-dev + before_script: + - > + export LAST_COMMIT=$(curl -s --header "PRIVATE-TOKEN: ${LEAP_CODE_O_MATIC_PRIVATE_TOKEN}" https://0xacab.org/api/v4/projects/574/pipelines | + python -c "import sys, json; print json.load(sys.stdin)[1]['sha']") + script: + - > + if git diff $LAST_COMMIT HEAD --name-only|grep tests/docker; then + docker --version + docker info + docker login -u gitlab-ci-token -e sysdev@leap.se -p $CI_JOB_TOKEN $CI_REGISTRY + docker build -t ${CI_REGISTRY_IMAGE}:latest tests/docker + docker push ${CI_REGISTRY_IMAGE}:latest + fi diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index acfcd2e7..f61f5575 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
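Review bot: `.gitlab-ci.cut` is not a file name GitLab CI reads, so the five jobs moved into it in this hunk are dead configuration with nothing recording why they were parked or when they are meant to return; a header such as `# Jobs removed from .gitlab-ci.yml on 2017-06-05 while only the e2e stage runs; GitLab CI does not read this file.` would make that explicit, and the same pointer belongs next to the commented-out `# - test` / `# - bundle` / `# - build` stages in the .gitlab-ci.yml hunk at @@ -1,50 +1,13 @@. The `build_docker_image` job copied here still passes the registry credential as a command-line argument (`docker login ... -p $CI_JOB_TOKEN`), which places the token in the process argument list on the runner; worth revisiting if the job is re-enabled. The `bitmask_latest_bundle` job's use of backticks inside a YAML string for the artifact path is unchanged from the original and is not part of this review.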
@@ -1,50 +1,13 @@ stages: - - test - - bundle - - build - e2e +# - test +# - bundle +# - build + variables: DOCKER_DRIVER: overlay -linux_test: - image: 0xacab.org:4567/leap/soledad:latest - stage: test - script: - - tox --recreate -e py27-dev - tags: - - linux - -osx_test: - stage: test - allow_failure: true - script: - - tox --recreate -e py27-dev - tags: - - osx - -bitmask_latest_bundle: - image: 0xacab.org:4567/leap/bitmask-dev:latest - stage: bundle - script: - - pkg/build_bundle_with_venv.sh - - mv "dist/bitmask-`cat pkg/next-version`" . - artifacts: - paths: - - "bitmask-`cat pkg/next-version`" - name: "Bitmask_linux64_latest_${CI_BUILD_REF}" - expire_in: 1 month - tags: - - linux - -build_ui: - image: 0xacab.org:4567/leap/bitmask-dev:latest - stage: build - script: - - cd ui && make dev-build - tags: - - linux - e2e_tests: image: 0xacab.org:4567/leap/bitmask-dev:latest stage: e2e @@ -59,25 +22,3 @@ e2e_tests: tags: - linux -build_docker_image: - image: 0xacab.org:4567/leap/bitmask-dev:latest - stage: test - services: - - docker:dind - tags: - - docker-in-docker - only: - - branches@leap/bitmask-dev - before_script: - - > - export LAST_COMMIT=$(curl -s --header "PRIVATE-TOKEN: ${LEAP_CODE_O_MATIC_PRIVATE_TOKEN}" https://0xacab.org/api/v4/projects/574/pipelines | - python -c "import sys, json; print json.load(sys.stdin)[1]['sha']") - script: - - > - if git diff $LAST_COMMIT HEAD --name-only|grep tests/docker; then - docker --version - docker info - docker login -u gitlab-ci-token -e sysdev@leap.se -p $CI_JOB_TOKEN $CI_REGISTRY - docker build -t ${CI_REGISTRY_IMAGE}:latest tests/docker - docker push ${CI_REGISTRY_IMAGE}:latest - fi diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py index 95130b25..73eccb99 100644 --- a/src/leap/bitmask/vpn/fw/firewall.py +++ b/src/leap/bitmask/vpn/fw/firewall.py 
@@ -23,12 +23,12 @@ import commands import os import subprocess -from twisted.logger import getLogger +from twisted.logger import Logger from leap.bitmask.vpn.constants import IS_MAC from leap.common.events import catalog, emit_async -log = getLogger() +log = Logger() # TODO -- subclass it for osx/windows, not only for linux. @@ -43,7 +43,6 @@ NOT_ROOT = os.getuid() != 0 def check_root(cmd): if NOT_ROOT: cmd = ['pkexec'] + cmd - print "COMMAND IS >>>", cmd return cmd @@ -86,13 +85,14 @@ class FirewallManager(object): if restart: cmd.append("restart") + result = '' try: - result = subprocess.check_output( - cmd + gateways, - stderr=subprocess.STDOUT) + retcode, result = commands.getstatusoutput( + ' '.join(cmd + gateways)) + #stderr=subprocess.STDOUT) except Exception: log.failure('Error launching the firewall') - else: + finally: log.debug(result) emit_async(catalog.VPN_STATUS_CHANGED) return True diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py index d68d6ef1..00423ab8 100644 --- a/src/leap/bitmask/vpn/launchers/linux.py +++ b/src/leap/bitmask/vpn/launchers/linux.py @@ -99,10 +99,11 @@ class LinuxVPNLauncher(VPNLauncher): command.insert(1, "openvpn") command.insert(2, "start") - policyChecker = LinuxPolicyChecker() - pkexec = policyChecker.maybe_pkexec() - if pkexec: - command.insert(0, first(pkexec)) + if os.getuid() != 0: + policyChecker = LinuxPolicyChecker() + pkexec = policyChecker.maybe_pkexec() + if pkexec: + command.insert(0, first(pkexec)) return command diff --git a/tests/e2e/e2e-test-vpn.sh b/tests/e2e/e2e-test-vpn.sh index 5a2cc1bd..26be34c8 100755 --- a/tests/e2e/e2e-test-vpn.sh +++ b/tests/e2e/e2e-test-vpn.sh @@ -6,8 +6,8 @@ # exit if any commands returns non-zero status set -e -# XXX DEBUG -set -x +# ONLY ENABLE THIS TO DEBUG +# set -x # Check if scipt is run in debug mode so we can hide secrets if [[ "$-" =~ 'x' ]] 
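Review bot: In the hunk at @@ -86,13 +85,14 @@ the replacement of `subprocess.check_output(cmd + gateways, stderr=subprocess.STDOUT)` with `commands.getstatusoutput(' '.join(cmd + gateways))` hands the joined string to a shell, so the argument boundaries of `cmd` and of each gateway entry are lost and any shell metacharacter in a gateway value (presumably taken from provider configuration, not visible here) is interpreted instead of passed literally. It also narrows what `except Exception` can catch: `getstatusoutput` does not raise on a non-zero exit, and the `retcode` it returns is bound but never examined, so a failing firewall command now surfaces only as a debug log line before `return True`. Keeping the argv list with `subprocess.Popen` and checking `returncode` preserves the earlier behaviour without a shell and lets the leftover `#stderr=subprocess.STDOUT)` comment go; the enclosing method starts and ends outside this hunk, and `commands` is a Python 2-only module, which matters if this file is ever ported.
```python
        result = ''
        try:
            # Keep argv as a list: no shell, so gateway strings are passed verbatim.
            proc = subprocess.Popen(
                cmd + gateways,
                stdout=subprocess.PIPE,
                stderr=subprocess.STDOUT)
            result, _ = proc.communicate()
            if proc.returncode != 0:
                log.error('Firewall command exited with status {code}',
                          code=proc.returncode)
        except Exception:
            log.failure('Error launching the firewall')
        finally:
            log.debug(result)
        # … unchanged: emit_async(catalog.VPN_STATUS_CHANGED) / return True …
```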
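Review bot: The new root test in the linux.py hunk at @@ -99,10 +99,11 @@, `if os.getuid() != 0:`, checks the real uid, whereas whether openvpn can be started without `pkexec` depends on the effective uid; `if os.geteuid() != 0:` is the usual form. The same condition is evaluated in this commit's firewall.py as the module-level `NOT_ROOT = os.getuid() != 0`, so the two sites should at least agree on which uid they test, and sharing one definition would keep them from drifting. The hunk does not show an `import os` for linux.py; confirm one exists in the module header. The enclosing method of `LinuxVPNLauncher` starts and ends outside this hunk.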
@@ -47,31 +47,32 @@ set +x # Authenticate "$BCTL" user auth "$user" --pass "$pw" > /dev/null -# Enable VPN -"$BCTL" vpn enable - # Get VPN cert "$BCTL" vpn get_cert "$user" +# Start VPN, wait a bit "$BCTL" vpn start --json +sleep 3 +"$BCTL" vpn status --json -# XXX DEBUG --- -tail -n 200 ~/.config/leap/bitmaskd.log -which pkexec -ls -la /usr/sbin/openvpn -ls -la /usr/local/sbin/bitmask-root -# XXX DEBUG --- - +# XXX gateway does not get added to resolv.conf +echo "nameserver 10.42.0.1" > /etc/resolv.conf +# cat /etc/resolv.conf sleep 5 -"$BCTL" vpn status --json +#ip link show +# TEST that we're going through the provider's VPN tests/e2e/check_ip vpn_on "$BCTL" vpn stop +sleep 3 + +# XXX debug do this only if no other entry in resolv.conf +echo "nameserver 77.109.148.136" > /etc/resolv.conf -sleep 5 +# TEST that we're NOT going through the provider's VPN tests/e2e/check_ip vpn_off echo "Succeeded - the vpn routed you through the expected address" -- cgit v1.2.3
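Review bot: The two `echo "nameserver ..." > /etc/resolv.conf` lines in this hunk overwrite the system resolver configuration unconditionally and restore it only on the happy path; because the script runs under `set -e` (visible in the earlier hunk), a failing `tests/e2e/check_ip vpn_on` exits with the VPN still up and the provider's nameserver left in `/etc/resolv.conf`. Saving the original file and restoring it from an `EXIT` trap covers both the failure and success paths and makes the hard-coded `77.109.148.136` restore line unnecessary; the trap can also issue the `vpn stop` so the tunnel is torn down on failure. The fixed `sleep 3` / `sleep 5` waits make the test timing-dependent; polling `"$BCTL" vpn status --json` until it reports the expected state would be steadier, though that is a separate change.
```bash
# … unchanged: auth, get_cert, vpn start …
# XXX gateway does not get added to resolv.conf
cp /etc/resolv.conf /tmp/resolv.conf.e2e-backup
# Restore resolver config and stop the VPN no matter how the script exits.
trap 'cp /tmp/resolv.conf.e2e-backup /etc/resolv.conf; "$BCTL" vpn stop >/dev/null 2>&1 || true' EXIT
echo "nameserver 10.42.0.1" > /etc/resolv.conf
# … unchanged: sleep, check_ip vpn_on, vpn stop, check_ip vpn_off …
```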