author | Tomás Touceda <chiiph@leap.se> | 2014-09-26 10:15:06 -0300 |
---|---|---|
committer | Tomás Touceda <chiiph@leap.se> | 2014-09-26 10:15:06 -0300 |
commit | 6f7177f3ca359f8c3e74d094b0dcd0f9239fb069 (patch) | |
tree | f04b0eb5c4665a129c5c49719b2da65d325b111f /pkg | |
parent | e8c028f3eb6cd0681f039c456dc1ac45c98d598f (diff) | |
parent | 0db3d5a4aecc0a3c271b92c6187922c50d46df0a (diff) |
Diffstat (limited to 'pkg')
-rwxr-xr-x | pkg/linux/bitmask-root | 147 | ||||
-rwxr-xr-x | pkg/postmkvenv.sh | 8 | ||||
-rw-r--r-- | pkg/requirements-dev.pip | 10 | ||||
-rw-r--r-- | pkg/requirements.pip | 7 | ||||
-rwxr-xr-x | pkg/scripts/bootstrap_develop.sh | 48 |
5 files changed, 206 insertions, 14 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index c9034b0d..ee195e3b 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python2.7
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2014 LEAP
@@ -25,6 +25,8 @@ USAGE: bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ... bitmask-root openvpn stop bitmask-root openvpn start CONFIG1 CONFIG1 ...
+ bitmask-root fw-email stop
+ bitmask-root fw-email start uid
 All actions return exit code 0 for success, non-zero otherwise.
@@ -49,12 +51,17 @@ cmdcheck = subprocess.check_output # CONSTANTS #
-VERSION = "2"
+VERSION = "3"
 SCRIPT = "bitmask-root"
 NAMESERVER = "10.42.0.1"
 BITMASK_CHAIN = "bitmask"
 BITMASK_CHAIN_NAT_OUT = "bitmask"
 BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
+BITMASK_CHAIN_EMAIL = "bitmask_email"
+BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
+LOCAL_INTERFACE = "lo"
+IMAP_PORT = "1984"
+SMTP_PORT = "2013"
 IP = "/bin/ip"
 IPTABLES = "/sbin/iptables"
@@ -101,7 +108,8 @@ PARAM_FORMATS = { "^[a-zA-Z0-9_\.\@][a-zA-Z0-9_\-\.\@]*\$?$", s), # IEEE Std 1003.1-2001
 "FILE": lambda s: os.path.isfile(s),
 "DIR": lambda s: os.path.isdir(os.path.split(s)[0]),
- "UNIXSOCKET": lambda s: s == "unix"
+ "UNIXSOCKET": lambda s: s == "unix",
+ "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s)
 }
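Review bot: The new `"UID"` entry in PARAM_FORMATS accepts any alphanumeric token, so it admits user names as well as numeric ids and does not exclude `0`/`root`; since `fw_email_start` turns the validated value straight into `--uid-owner ... --jump ACCEPT` rules, a root uid would open the IMAP/SMTP ports to every root process instead of only the unprivileged Bitmask user, which is worth rejecting here if that is not intended. The pattern also ends in `$`, which in Python's `re` matches before a trailing newline, so a value like `"1000\n"` passes and is handed to iptables unchanged; `re.match(r"^[a-zA-Z0-9]+\Z", s)` closes that gap. The neighbouring entries use `$` the same way, so this may be better fixed for the whole table in a follow-up.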
@@ -740,6 +748,119 @@ def firewall_stop(): "Please try `firewall stop` again.")
+def fw_email_start(args):
+ """
+ Bring up the email firewall.
+
+ :param args: the user uid of the bitmask process
+ :type args: list
+ """
+ # add custom chain "bitmask_email" to front of INPUT chain
+ if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
+ ip4tables("--new-chain", BITMASK_CHAIN_EMAIL)
+ if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL):
+ ip6tables("--new-chain", BITMASK_CHAIN_EMAIL)
+ iptables("--insert", "INPUT", "--jump", BITMASK_CHAIN_EMAIL)
+
+ # add custom chain "bitmask_email_output" to front of OUTPUT chain
+ if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
+ ip4tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
+ if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
+ ip6tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
+ iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT)
+
+ # Disable the access to imap and smtp from outside
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
+ "--dport", IMAP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
+ "--dport", SMTP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
+
+ if not args or not PARAM_FORMATS["UID"](args[0]):
+ raise Exception("No uid given")
+ uid = args[0]
+
+ # Only the unix 'uid' have access to the email imap and smtp ports
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
+ "--dport", IMAP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
+ "--dport", SMTP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
+
+
+def fw_email_stop():
+ """
+ Stop the email firewall.
+ """
+ ok = True
+
+ try:
+ iptables("--delete", "INPUT", "--jump", BITMASK_CHAIN_EMAIL,
+ throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to remove bitmask email firewall from INPUT " + "chain (maybe it is already removed?)", exc)
+ ok = False
+
+ try:
+ iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT,
+ throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to remove bitmask email firewall from OUTPUT " + "chain (maybe it is already removed?)", exc)
+ ok = False
+
+ try:
+ ip4tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
+ ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv4 email firewall " + "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ try:
+ ip6tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
+ ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv6 email firewall " + "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ try:
+ ip4tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv4 email firewall " + "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ try:
+ ip6tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT,
+ throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv6 email firewall " + "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ if not (ok or ipv4_chain_exists or ipv6_chain_exists):
+ raise Exception("email firewall might still be left up. " + "Please try `fw-email stop` again.")
+
+
 #
 # MAIN
 #
@@ -793,6 +914,26 @@ def main(): else: bail("INFO: bitmask firewall is down")
+ elif command == "fw-email_start":
+ try:
+ fw_email_start(args)
+ except Exception as ex:
+ if not is_restart:
+ fw_email_stop()
+ bail("ERROR: could not start email firewall", ex)
+
+ elif command == "fw-email_stop":
+ try:
+ fw_email_stop()
+ except Exception as ex:
+ bail("ERROR: could not stop email firewall", ex)
+
+ elif command == "fw-email_isup":
+ if ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
+ log("%s: INFO: bitmask email firewall is up" % (SCRIPT,))
+ else:
+ bail("INFO: bitmask email firewall is down")
+
 else: bail("ERROR: No such command")
 else:
diff --git a/pkg/postmkvenv.sh b/pkg/postmkvenv.sh
index 04f8d372..7b06fa6d 100755
--- a/pkg/postmkvenv.sh
+++ b/pkg/postmkvenv.sh
@@ -27,7 +27,13 @@ LIB_VIRTUALENV_PATH=$(python -c "$GET_PYTHON_LIB_CMD")
 if [[ $platform == 'linux' ]]; then
 LIB_SYSTEM_PATH=$(${VAR[-1]} -c "$GET_PYTHON_LIB_CMD")
 elif [[ $platform == 'darwin' ]]; then
- LIB_SYSTEM_PATH=$(/opt/local/bin/python2.6 -c "$GET_PYTHON_LIB_CMD")
+ ORIGINAL_PATH=$PATH
+ #change first colon of path to | because path substitution is greedy
+ PATH=${PATH/:/|}
+ #remove everything up to | from path
+ PATH=${PATH/*|/}
+ LIB_SYSTEM_PATH=$(python -c "$GET_PYTHON_LIB_CMD")
+ PATH=$ORIGINAL_PATH
 else
 echo "unsupported platform; not doing symlinks"
 fi
diff --git a/pkg/requirements-dev.pip b/pkg/requirements-dev.pip
index 8b5a8d85..799376d2 100644
--- a/pkg/requirements-dev.pip
+++ b/pkg/requirements-dev.pip
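Review bot: The final check in `fw_email_stop` can never raise: `ipv4_chain_exists` and `ipv6_chain_exists` are referenced as function objects rather than called, so `(ok or ipv4_chain_exists or ipv6_chain_exists)` is always true and the `fw-email stop` path in main() reports success even when every delete above failed. The intent is presumably to raise when a cleanup step failed and a chain is still present, which also means the boolean as written is inverted; `if not ok and (ipv4_chain_exists(BITMASK_CHAIN_EMAIL) or ipv6_chain_exists(BITMASK_CHAIN_EMAIL)):` (and the same test for BITMASK_CHAIN_EMAIL_OUT) expresses that. In `fw_email_start`, the chains are already hooked into INPUT/OUTPUT and the inbound REJECT rules installed before `args` is validated, so an invalid uid leaves a half-built firewall behind until the caller's `fw_email_stop()` runs; the `if not args or not PARAM_FORMATS["UID"](args[0]): raise Exception("No uid given")` check belongs at the top of the function, before any iptables call. The `--insert ... --jump` calls are also unconditional, so a second `fw-email start` stacks a duplicate jump rule that a single stop, which issues one `--delete` per chain, does not remove.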
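Review bot: `fw-email_isup` answers "up" solely because `BITMASK_CHAIN_EMAIL` exists in the IPv4 tables, yet `fw_email_stop` continues past a failed `--delete INPUT --jump` or `--delete-chain` and leaves that chain behind, so a half-torn-down firewall still reports up, and the IPv6 side is never consulted. Checking that the jump rule is actually installed (iptables offers `--check INPUT --jump BITMASK_CHAIN_EMAIL`, if the `iptables()` helper can pass it through) or at least also testing `ipv6_chain_exists(BITMASK_CHAIN_EMAIL)` would give the client a truthful answer. `is_restart` is consulted in the `fw-email_start` branch but is assigned outside this hunk, so whether it can ever be true for this command is not visible here; if it cannot, the `if not is_restart:` guard is dead code and `fw_email_stop()` should run unconditionally on failure.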
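Review bot: The darwin branch now assumes the first PATH entry is the virtualenv's bin directory and that `|` does not already occur in PATH; when PATH has a single entry the `${PATH/*|/}` substitution finds nothing to match, PATH is left intact, and `python` still resolves to the virtualenv interpreter, so `LIB_SYSTEM_PATH` silently points at the wrong tree. Dropping the first entry with the shortest-prefix form removes both the `|` trick and the save/restore dance: `LIB_SYSTEM_PATH=$(PATH="${PATH#*:}" python -c "$GET_PYTHON_LIB_CMD")`. A comment recording that the virtualenv must be activated (hence first in PATH) for this to work would help the next reader.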
@@ -10,8 +10,12 @@ # NOTE: you have to run pip install -r pkg/requirements.pip for pip # to install it. (do it after python setup.py develop and it # will only install this)
-
+#
+wheel
 sphinx
+ipdb
--e git+https://github.com/leapcode/leap_pycommon.git@develop#egg=leap.common
--e git+https://github.com/leapcode/soledad.git@develop#egg=leap.soledad
+# in case you want to install a package from a git source, you can use this:
+# Useful to test pre-release branches together.
+#-e git+https://github.com/leapcode/leap_pycommon.git@develop#egg=leap.common
+#-e git+https://github.com/leapcode/soledad.git@develop#egg=leap.soledad
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index bf05aa28..9f49bf03 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -9,7 +9,10 @@ argparse
 requests>=1.1.0
 srp>=1.0.2
 pyopenssl
-python-dateutil
+
+# This won't be needed after we refactor leap.common.events
+# to use zmq.
+python-dateutil==1.4
 # See https://leap.se/code/issues/6099
 psutil
@@ -19,6 +22,8 @@ python-daemon # this should not be needed for Windows.
 keyring
 zope.proxy
+# You will want to install this bundled if you don't have sodium in your system:
+# pip install pyzmq --install-option="--zmq=bundled"
 pyzmq
 leap.common>=0.3.7
diff --git a/pkg/scripts/bootstrap_develop.sh b/pkg/scripts/bootstrap_develop.sh
index 7027a908..68edcd43 100755
--- a/pkg/scripts/bootstrap_develop.sh
+++ b/pkg/scripts/bootstrap_develop.sh
@@ -159,6 +159,32 @@ update() {
 finish
 }
+helpers() {
+ if [[ "$1" == "cleanup" ]]; then
+ status="removing helper files"
+ echo "${cc_green}Status: $status...${cc_normal}"
+ set -x
+ sudo rm -f /usr/sbin/bitmask-root
+ sudo rm -f /usr/share/polkit-1/actions/se.leap.bitmask.policy
+ set +x
+ else
+ status="installing helper files"
+ echo "${cc_green}Status: $status...${cc_normal}"
+ set -x
+ sudo cp bitmask_client/pkg/linux/bitmask-root /usr/sbin/
+ sudo cp bitmask_client/pkg/linux/polkit/se.leap.bitmask.policy /usr/share/polkit-1/actions/
+ set +x
+ fi
+}
+
+install_dependencies() {
+ status="installing system dependencies"
+ echo "${cc_green}Status: $status...${cc_normal}"
+ set -x
+ sudo apt-get install -y git python-dev python-setuptools python-virtualenv python-pip libssl-dev python-openssl libsqlite3-dev g++ openvpn pyside-tools python-pyside libffi-dev
+ set +x
+}
+
 run() {
 shift # remove 'run' from arg list
 passthrough_args=$@
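Review bot: `helpers` places a root-executed helper and a polkit policy into system directories with `sudo cp`, so the installed mode is whatever the checkout happens to carry (masked by the caller's umask) rather than a deliberate choice for files that polkit and root will trust. `sudo install -m 0755 bitmask_client/pkg/linux/bitmask-root /usr/sbin/` and `sudo install -m 0644 bitmask_client/pkg/linux/polkit/se.leap.bitmask.policy /usr/share/polkit-1/actions/` pin both to root-owned, non-writable-by-others files regardless of the source tree. The source paths are relative, so both branches only work from the directory that contains `bitmask_client/`; where the enclosing script establishes its working directory is outside this hunk, and a one-line comment stating that assumption at the top of `helpers` would avoid surprises.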
@@ -174,13 +200,17 @@ help() {
 echo "Bootstraps the environment to start developing the bitmask client"
 echo "with all the needed repositories and dependencies."
 echo
- echo "Usage: $0 {init | update | run | help}"
+ echo "Usage: $0 {init | update | run | help | deps | helpers}"
 echo
- echo " init : Initialize repositories, create virtualenv and \`python setup.py develop\` all."
- echo " You can use \`init ro\` in order to use the https remotes if you don't have rw access."
- echo " update : Update the repositories and install new deps (if needed)."
- echo " run : Runs the client (any extra parameters will be sent to the app)."
- echo " help : Show this help"
+ echo " init : Initialize repositories, create virtualenv and \`python setup.py develop\` all."
+ echo " You can use \`init ro\` in order to use the https remotes if you don't have rw access."
+ echo " update : Update the repositories and install new deps (if needed)."
+ echo " run : Runs the client (any extra parameters will be sent to the app)."
+ echo " help : Show this help"
+ echo " -- system helpers --"
+ echo " deps : Install the system dependencies needed for bitmask dev (Debian based Linux only)."
+ echo " helpers : Install the helper files needed to use bitmask (Linux only)."
+ echo " You can use \`helpers cleanup\` to remove those files."
 echo
 }
@@ -191,6 +221,12 @@ case "$1" in
 update)
 update
 ;;
+ helpers)
+ helpers $2
+ ;;
+ deps)
+ install_dependencies
+ ;;
 run)
 run "$@"
 ;; |
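Review bot: `helpers $2` passes the sub-command unquoted, unlike `run "$@"` two lines below; `helpers "$2"` keeps the argument intact and is the consistent spelling. Because `helpers` (defined in the previous hunk) treats anything other than `cleanup` as a request to install, a typo such as `helpers clenaup` silently copies the files into /usr instead of removing them; a guard at the top of `helpers` along the lines of `[[ -z "$1" || "$1" == "cleanup" ]] || { echo "unknown helpers action: $1"; exit 1; }` would surface that before any `sudo` runs.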