From df200f6379608b379c5fec47ddb030b6d72ce93a Mon Sep 17 00:00:00 2001 From: Ivan Alejandro Date: Mon, 29 Jul 2013 12:17:40 -0300 Subject: Refactor policies to the policies module. --- src/leap/services/eip/vpnlaunchers.py | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) (limited to 'src/leap/services/eip') diff --git a/src/leap/services/eip/vpnlaunchers.py b/src/leap/services/eip/vpnlaunchers.py index 8522d1df..992f0c50 100644 --- a/src/leap/services/eip/vpnlaunchers.py +++ b/src/leap/services/eip/vpnlaunchers.py @@ -38,6 +38,7 @@ from leap.common.files import which from leap.config.providerconfig import ProviderConfig from leap.services.eip.eipconfig import EIPConfig, VPNGatewaySelector from leap.util import first +from leap.util.privilege_policies import LinuxPolicyChecker logger = logging.getLogger(__name__) @@ -62,7 +63,7 @@ class EIPNoTunKextLoaded(VPNLauncherException): pass -class VPNLauncher: +class VPNLauncher(object): """ Abstract launcher class """ @@ -250,12 +251,25 @@ class LinuxVPNLauncher(VPNLauncher): OPENVPN_DOWN_ROOT_BASE, OPENVPN_DOWN_ROOT_FILE) - POLKIT_BASE = "/usr/share/polkit-1/actions" - POLKIT_FILE = "net.openvpn.gui.leap.policy" - POLKIT_PATH = "%s/%s" % (POLKIT_BASE, POLKIT_FILE) - UPDOWN_FILES = (UP_DOWN_PATH,) - OTHER_FILES = (POLKIT_PATH,) + POLKIT_PATH = LinuxPolicyChecker.get_polkit_path() + OTHER_FILES = (POLKIT_PATH, ) + + def missing_other_files(self): + """ + 'Extend' the VPNLauncher's missing_other_files to check if the polkit + files is outdated. If the polkit file is in OTHER_FILES, exists, but is + not up to date, it is added to the missing list. + + :rtype: list + """ + missing = VPNLauncher.missing_other_files.im_func(self) + polkit_file = LinuxPolicyChecker().get_polkit_path() + if polkit_file not in missing: + if privilege_policies.is_policy_outdated(self.OPENVPN_BIN_PATH): + missing.append(polkit_file) + + return missing @classmethod def cmd_for_missing_scripts(kls, frompath, pol_file): -- cgit v1.2.3 From 4a8b4afd158076d63aac75e1014071ee340da12b Mon Sep 17 00:00:00 2001 From: Ivan Alejandro Date: Mon, 29 Jul 2013 18:01:34 -0300 Subject: Add check for outdated polkit file. Closes #3209. --- src/leap/services/eip/vpnlaunchers.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'src/leap/services/eip') diff --git a/src/leap/services/eip/vpnlaunchers.py b/src/leap/services/eip/vpnlaunchers.py index 992f0c50..7f66275d 100644 --- a/src/leap/services/eip/vpnlaunchers.py +++ b/src/leap/services/eip/vpnlaunchers.py @@ -39,6 +39,7 @@ from leap.config.providerconfig import ProviderConfig from leap.services.eip.eipconfig import EIPConfig, VPNGatewaySelector from leap.util import first from leap.util.privilege_policies import LinuxPolicyChecker +from leap.util import privilege_policies logger = logging.getLogger(__name__) @@ -238,6 +239,10 @@ class LinuxVPNLauncher(VPNLauncher): PKEXEC_BIN = 'pkexec' OPENVPN_BIN = 'openvpn' + OPENVPN_BIN_PATH = os.path.join( + ProviderConfig().get_path_prefix(), + "..", "apps", "eip", OPENVPN_BIN) + SYSTEM_CONFIG = "/etc/leap" UP_DOWN_FILE = "resolv-update" UP_DOWN_PATH = "%s/%s" % (SYSTEM_CONFIG, UP_DOWN_FILE) @@ -258,13 +263,14 @@ class LinuxVPNLauncher(VPNLauncher): def missing_other_files(self): """ 'Extend' the VPNLauncher's missing_other_files to check if the polkit - files is outdated. If the polkit file is in OTHER_FILES, exists, but is - not up to date, it is added to the missing list. + files is outdated. If the polkit file that is in OTHER_FILES exists but + is not up to date, it is added to the missing list. - :rtype: list + :returns: a list of missing files + :rtype: list of str """ missing = VPNLauncher.missing_other_files.im_func(self) - polkit_file = LinuxPolicyChecker().get_polkit_path() + polkit_file = LinuxPolicyChecker.get_polkit_path() if polkit_file not in missing: if privilege_policies.is_policy_outdated(self.OPENVPN_BIN_PATH): missing.append(polkit_file) -- cgit v1.2.3 From b655c0ab05bf55e62e2f27174b34ca63fe45431b Mon Sep 17 00:00:00 2001 From: Ivan Alejandro Date: Tue, 30 Jul 2013 10:01:57 -0300 Subject: Refactor cmd and add permission change. The polkit file should be readable by everyone, so we can check its contents without asking for permission. --- src/leap/services/eip/vpnlaunchers.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'src/leap/services/eip') diff --git a/src/leap/services/eip/vpnlaunchers.py b/src/leap/services/eip/vpnlaunchers.py index 7f66275d..b591b3ca 100644 --- a/src/leap/services/eip/vpnlaunchers.py +++ b/src/leap/services/eip/vpnlaunchers.py @@ -291,11 +291,13 @@ class LinuxVPNLauncher(VPNLauncher): :rtype: str """ to = kls.SYSTEM_CONFIG - cmd = "#!/bin/sh\nset -e\nmkdir -p %s\n" - cmd = (cmd + "cp %s/%s %s\ncp \"%s\" \"%s\"") % ( - to, - frompath, kls.UP_DOWN_FILE, to, - pol_file, kls.POLKIT_PATH) + + cmd = '#!/bin/sh\nset -e\n' + cmd += 'mkdir -p "%s"\n' % (to, ) + cmd += 'cp "%s/%s" "%s"\n' % (frompath, kls.UP_DOWN_FILE, to) + cmd += 'cp "%s" "%s"\n' % (pol_file, kls.POLKIT_PATH) + cmd += 'chmod 644 "%s"\n' % (kls.POLKIT_PATH, ) + return cmd @classmethod -- cgit v1.2.3 From d36b671ac12f99699f2195d50e68d5e354f4525b Mon Sep 17 00:00:00 2001 From: Ivan Alejandro Date: Tue, 30 Jul 2013 13:31:04 -0300 Subject: Update failing tests for ProviderBootstrapper. Closes #3317. --- .../eip/tests/test_providerbootstrapper.py | 46 ++++++++++++++++------ 1 file changed, 33 insertions(+), 13 deletions(-) (limited to 'src/leap/services/eip') diff --git a/src/leap/services/eip/tests/test_providerbootstrapper.py b/src/leap/services/eip/tests/test_providerbootstrapper.py index cd740793..4ef0774c 100644 --- a/src/leap/services/eip/tests/test_providerbootstrapper.py +++ b/src/leap/services/eip/tests/test_providerbootstrapper.py @@ -43,6 +43,7 @@ from leap.common.testing.https_server import where from leap.common.testing.basetest import BaseLeapTest from leap.services.eip.providerbootstrapper import ProviderBootstrapper from leap.services.eip.providerbootstrapper import UnsupportedProviderAPI +from leap.services.eip.providerbootstrapper import WrongFingerprint from leap.provider.supportedapis import SupportedAPIs from leap.config.providerconfig import ProviderConfig from leap.crypto.tests import fake_provider @@ -194,7 +195,7 @@ class ProviderBootstrapperTest(BaseLeapTest): self.pb._should_proceed_cert = mock.MagicMock(return_value=True) - with self.assertRaises(AssertionError): + with self.assertRaises(WrongFingerprint): self.pb._check_ca_fingerprint() # This two hashes different in the last byte, but that's good enough @@ -282,7 +283,7 @@ yV8e self.pb._should_proceed_cert = mock.MagicMock(return_value=True) - with self.assertRaises(AssertionError): + with self.assertRaises(WrongFingerprint): self.pb._check_ca_fingerprint() os.unlink(cert_path) @@ -412,6 +413,8 @@ class ProviderBootstrapperActiveTest(unittest.TestCase): p.write("A") return provider_path + @mock.patch('leap.config.providerconfig.ProviderConfig.get_ca_cert_path', + lambda x: where('cacert.pem')) def test_download_provider_info_not_modified(self): self._setup_provider_config_with("1", tempfile.mkdtemp()) self._setup_providerbootstrapper(True) @@ -420,12 +423,16 @@ class ProviderBootstrapperActiveTest(unittest.TestCase): # set mtime to something really new os.utime(provider_path, (-1, time.time())) - self.pb._download_provider_info() - # we check that it doesn't do anything with the provider + with mock.patch.object( + ProviderConfig, 'get_api_uri', + return_value="https://localhost:%s" % (self.https_port,)): + self.pb._download_provider_info() + # we check that it doesn't save the provider # config, because it's new enough - self.assertFalse(ProviderConfig.load.called) self.assertFalse(ProviderConfig.save.called) + @mock.patch('leap.config.providerconfig.ProviderConfig.get_ca_cert_path', + lambda x: where('cacert.pem')) def test_download_provider_info_modified(self): self._setup_provider_config_with("1", tempfile.mkdtemp()) self._setup_providerbootstrapper(True) @@ -434,32 +441,45 @@ class ProviderBootstrapperActiveTest(unittest.TestCase): # set mtime to something really old os.utime(provider_path, (-1, 100)) - self.pb._download_provider_info() + with mock.patch.object( + ProviderConfig, 'get_api_uri', + return_value="https://localhost:%s" % (self.https_port,)): + self.pb._download_provider_info() self.assertTrue(ProviderConfig.load.called) self.assertTrue(ProviderConfig.save.called) + @mock.patch('leap.config.providerconfig.ProviderConfig.get_ca_cert_path', + lambda x: where('cacert.pem')) def test_download_provider_info_unsupported_api_raises(self): self._setup_provider_config_with("9999999", tempfile.mkdtemp()) self._setup_providerbootstrapper(False) self._produce_dummy_provider_json() - with self.assertRaises(UnsupportedProviderAPI): - self.pb._download_provider_info() + with mock.patch.object( + ProviderConfig, 'get_api_uri', + return_value="https://localhost:%s" % (self.https_port,)): + with self.assertRaises(UnsupportedProviderAPI): + self.pb._download_provider_info() + @mock.patch('leap.config.providerconfig.ProviderConfig.get_ca_cert_path', + lambda x: where('cacert.pem')) def test_download_provider_info_unsupported_api(self): self._setup_provider_config_with(SupportedAPIs.SUPPORTED_APIS[0], tempfile.mkdtemp()) self._setup_providerbootstrapper(False) self._produce_dummy_provider_json() - self.pb._download_provider_info() + with mock.patch.object( + ProviderConfig, 'get_api_uri', + return_value="https://localhost:%s" % (self.https_port,)): + self.pb._download_provider_info() + @mock.patch('leap.config.providerconfig.ProviderConfig.get_api_uri', + lambda x: 'api.uri') + @mock.patch('leap.config.providerconfig.ProviderConfig.get_ca_cert_path', + lambda x: '/cert/path') def test_check_api_certificate_skips(self): self.pb._provider_config = ProviderConfig() - self.pb._provider_config.get_api_uri = mock.MagicMock( - return_value="api.uri") - self.pb._provider_config.get_ca_cert_path = mock.MagicMock( - return_value="/cert/path") self.pb._session.get = mock.MagicMock(return_value=Response()) self.pb._should_proceed_cert = mock.MagicMock(return_value=False) -- cgit v1.2.3 From 114d55d6447b18053e53d38d2aedd0ebf1ead0bc Mon Sep 17 00:00:00 2001 From: Ivan Alejandro Date: Wed, 31 Jul 2013 10:15:25 -0300 Subject: Add test for: download new provider config. --- src/leap/services/eip/tests/test_providerbootstrapper.py | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/leap/services/eip') diff --git a/src/leap/services/eip/tests/test_providerbootstrapper.py b/src/leap/services/eip/tests/test_providerbootstrapper.py index 4ef0774c..b24334a2 100644 --- a/src/leap/services/eip/tests/test_providerbootstrapper.py +++ b/src/leap/services/eip/tests/test_providerbootstrapper.py @@ -413,6 +413,13 @@ class ProviderBootstrapperActiveTest(unittest.TestCase): p.write("A") return provider_path + def test_download_provider_info_new_provider(self): + self._setup_provider_config_with("1", tempfile.mkdtemp()) + self._setup_providerbootstrapper(True) + + self.pb._download_provider_info() + self.assertTrue(ProviderConfig.save.called) + @mock.patch('leap.config.providerconfig.ProviderConfig.get_ca_cert_path', lambda x: where('cacert.pem')) def test_download_provider_info_not_modified(self): -- cgit v1.2.3