From d0e4444555df79978aed5cd6c9548e2fd1c63936 Mon Sep 17 00:00:00 2001
From: Ruben Pollan <meskio@sindominio.net>
Date: Mon, 18 Sep 2017 17:33:53 +0200
Subject: [bug] flag vpn_ready == false if cert expired

We were not renewing the vpn cert. Now the UI will trigger a cert
renewal by telling it that is the vpn is not ready if the cert is
expired.

- Resolves: #9059
---
 src/leap/bitmask/vpn/_checks.py | 25 +++++++++++++++++++++++--
 src/leap/bitmask/vpn/service.py | 20 +++++++-------------
 2 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/src/leap/bitmask/vpn/_checks.py b/src/leap/bitmask/vpn/_checks.py
index 3921d03b..6c089628 100644
--- a/src/leap/bitmask/vpn/_checks.py
+++ b/src/leap/bitmask/vpn/_checks.py
@@ -1,5 +1,9 @@
 import os
 
+from datetime import datetime
+from time import mktime
+
+from leap.common.certs import get_cert_time_boundaries
 from leap.common.config import get_path_prefix
 
 
@@ -11,10 +15,21 @@ class ImproperlyConfigured(Exception):
 
 
 def is_service_ready(provider):
-    _has_valid_cert(provider)
+    if not _has_valid_cert(provider):
+        raise ImproperlyConfigured('Missing VPN certificate')
+
     return True
 
 
+def cert_expires(provider):
+    path = get_vpn_cert_path(provider)
+    with open(path, 'r') as f:
+        cert = f.read()
+    _, to = get_cert_time_boundaries(cert)
+    expiry_date = datetime.fromtimestamp(mktime(to))
+    return expiry_date
+
+
 def get_vpn_cert_path(provider):
     return os.path.join(get_path_prefix(),
                         'leap', 'providers', provider,
@@ -25,4 +40,10 @@ def _has_valid_cert(provider):
     cert_path = get_vpn_cert_path(provider)
     has_file = os.path.isfile(cert_path)
     if not has_file:
-        raise ImproperlyConfigured('Missing VPN certificate')
+        return False
+
+    expiry = cert_expires(provider)
+    if datetime.now() > expiry:
+        return False
+
+    return True
diff --git a/src/leap/bitmask/vpn/service.py b/src/leap/bitmask/vpn/service.py
index c9e1890d..1ecfa797 100644
--- a/src/leap/bitmask/vpn/service.py
+++ b/src/leap/bitmask/vpn/service.py
@@ -22,7 +22,6 @@ VPN service declaration.
 import json
 import os
 
-from time import strftime
 from twisted.internet import defer
 from twisted.logger import Logger
 
@@ -31,11 +30,14 @@ from leap.bitmask.util import merge_status
 from leap.bitmask.vpn.gateways import GatewaySelector
 from leap.bitmask.vpn.fw.firewall import FirewallManager
 from leap.bitmask.vpn.tunnel import ConfiguredTunnel
-from leap.bitmask.vpn._checks import is_service_ready, get_vpn_cert_path
+from leap.bitmask.vpn._checks import (
+    is_service_ready,
+    get_vpn_cert_path,
+    cert_expires
+)
 from leap.bitmask.vpn import privilege, helpers
 from leap.common.config import get_path_prefix
 from leap.common.files import check_and_fix_urw_only
-from leap.common.certs import get_cert_time_boundaries
 
 
 class ImproperlyConfigured(Exception):
@@ -166,7 +168,8 @@ class VPNService(HookableService):
         ret = {'installed': helpers.check()}
         if domain:
             ret['vpn_ready'] = is_service_ready(domain)
-            ret['cert_expires'] = self._cert_expires(domain)
+            expiry = cert_expires(domain).strftime('%Y-%m-%dT%H:%M:%SZ')
+            ret['cert_expires'] = expiry
         return ret
 
     @defer.inlineCallbacks
@@ -270,15 +273,6 @@ class VPNService(HookableService):
             provider, remotes, cert_path, key_path, ca_path, extra_flags)
         self._firewall = FirewallManager(remotes)
 
-    def _cert_expires(self, provider):
-        path = os.path.join(
-            self._basepath, "leap", "providers", provider,
-            "keys", "client", "openvpn.pem")
-        with open(path, 'r') as f:
-            cert = f.read()
-        _, to = get_cert_time_boundaries(cert)
-        return strftime('%Y-%m-%dT%H:%M:%SZ', to)
-
     def _write_last(self, domain):
         path = os.path.join(self._basepath, self._last_vpn_path)
         with open(path, 'w') as f:
-- 
cgit v1.2.3