summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorKali Kaneko <kali@leap.se>2016-04-25 21:32:54 -0400
committerKali Kaneko <kali@leap.se>2016-04-25 21:32:54 -0400
commit434d0534661d7c222e5dabc4e5e237b060d2212b (patch)
tree2e7bf0e556f983bd5404481a9aa4fb0fd7d75778 /pkg
parent9ee728108f3b894d097206cc6ff6d0a70808f2d5 (diff)
parentf47416804ad2f88ba27aa032e0d2fc1c9fd314c8 (diff)
Merge branch 'develop' into debian/experimental
Diffstat (limited to 'pkg')
-rw-r--r--pkg/PixelatedWebmail.README38
-rw-r--r--pkg/branding/bitmask-logo.svg19
-rw-r--r--pkg/branding/branding.mk2
-rw-r--r--pkg/branding/patch_pixel_logo.py57
-rw-r--r--pkg/deps.mk28
-rw-r--r--pkg/launcher/.gitignore2
-rw-r--r--pkg/launcher/Makefile15
-rw-r--r--pkg/launcher/README.rst14
-rw-r--r--pkg/launcher/bitmask-launcher.c23
-rw-r--r--pkg/leap_versions.txt8
-rwxr-xr-xpkg/linux/bitmask-launcher17
-rw-r--r--pkg/next-version1
-rwxr-xr-xpkg/osx/Bitmask.pkgproj750
-rw-r--r--pkg/osx/Makefile51
-rw-r--r--pkg/osx/README.rst48
-rw-r--r--pkg/osx/__init__.py49
-rwxr-xr-xpkg/osx/bitmask-helper430
-rwxr-xr-xpkg/osx/bitmask-wrapper3
-rw-r--r--pkg/osx/bitmask.icnsbin239193 -> 47303 bytes
-rw-r--r--pkg/osx/bitmask.pf.conf17
-rwxr-xr-xpkg/osx/client.down.sh426
-rwxr-xr-xpkg/osx/client.up.sh1521
-rw-r--r--pkg/osx/daemon/_metadata.py154
-rw-r--r--pkg/osx/daemon/daemon.py927
-rw-r--r--pkg/osx/daemon/pidfile.py67
-rw-r--r--pkg/osx/daemon/runner.py324
-rw-r--r--pkg/osx/install/ProcessNetworkChanges.plist.template16
-rwxr-xr-xpkg/osx/install/client.down.sh148
-rwxr-xr-xpkg/osx/install/client.up.sh599
-rwxr-xr-xpkg/osx/install/install-leapc.sh42
-rw-r--r--pkg/osx/install/leap-installer.platypus90
-rw-r--r--pkg/osx/install/tun.kext/Info.plist36
-rwxr-xr-xpkg/osx/post-inst.sh7
-rwxr-xr-xpkg/osx/pre-inst.sh3
-rw-r--r--pkg/osx/se.leap.bitmask-helper.plist29
-rw-r--r--pkg/pyinst/README.rst17
-rw-r--r--pkg/pyinst/bitmask.spec41
-rw-r--r--pkg/pyinst/bitmask.spec.orig38
l---------pkg/pyinst/bitmask_cli1
-rw-r--r--pkg/pyinst/bitmask_cli.spec32
l---------pkg/pyinst/bitmaskd1
-rw-r--r--pkg/pyinst/bitmaskd.spec33
-rw-r--r--pkg/pyinst/multi.spec75
-rw-r--r--pkg/pyinst/pyinst-build.mk99
-rw-r--r--pkg/pyinst/qt.conf2
-rw-r--r--pkg/pyinst/trim-notes.txt12
-rw-r--r--pkg/requirements-leap.pip8
-rw-r--r--pkg/requirements-pixelated.pip4
-rwxr-xr-xpkg/scripts/bootstrap_develop.sh2
-rw-r--r--pkg/sumo-tarballs.mk25
-rw-r--r--pkg/tools/profile.mk23
-rw-r--r--pkg/version-template8
-rw-r--r--pkg/windows/Makefile25
-rw-r--r--pkg/windows/README.rst144
-rw-r--r--pkg/windows/TODO15
-rw-r--r--pkg/windows/bitmask.nis2
-rw-r--r--pkg/windows/bitmask.nsh115
-rw-r--r--pkg/windows/bitmask_client_product.nsh8
-rw-r--r--pkg/windows/bitmask_client_registry_install.nsh17
-rw-r--r--pkg/windows/docker-compose.yml42
-rwxr-xr-xpkg/windows/installer-build.sh119
-rw-r--r--pkg/windows/installer/Dockerfile17
-rwxr-xr-xpkg/windows/openvpn-build.sh63
-rw-r--r--pkg/windows/openvpn/Dockerfile17
-rwxr-xr-xpkg/windows/pyinstaller-build.sh288
-rw-r--r--pkg/windows/pyinstaller/Dockerfile105
-rw-r--r--pkg/windows/pyinstaller/pysqlcipher_setup.py.patch14
-rw-r--r--pkg/windows/pyinstaller/zlib-mingw-shared.patch10
68 files changed, 6341 insertions, 1042 deletions
diff --git a/pkg/PixelatedWebmail.README b/pkg/PixelatedWebmail.README
new file mode 100644
index 00000000..06e52964
--- /dev/null
+++ b/pkg/PixelatedWebmail.README
@@ -0,0 +1,38 @@
+How to enable Pixelated Webmail
+-------------------------------
+
+WARNING! This is an experimental feature.
+It can expose your mail to *any* user with access to your machine, since there
+is no authentication in place at the moment. It could even eat your data. You
+have been warned.
+
+Ok, how do I enable this wonderful feature?
+-------------------------------------------
+
+First, run the bundle for a first time, and ensure that you can register a new
+account with a mail-enabled provider (for instance, mail.bitmask.net).
+
+Then, you have to edit a config file living inside the bundle folders. You have
+to add "Pixmail=true" under the [General] section, like this:
+
+lib/config/leap/leap.conf:
+
+[General]
+SkipFirstRun=true
+Provider=mail.bitmask.net
+Pixmail=true
+
+[mail.bitmask.net]
+Services=mx
+
+Then, run bitmask again:
+
+./bitmask --debug
+
+And a new "Bitmask Webmail" option should have appeared under the "Bitmask"
+menu.
+
+If you want to disable the Webmail functionality, just set the Pixmail property
+to 'false'.
+
+Enjoy your local and encrypted pixelated webmail!
diff --git a/pkg/branding/bitmask-logo.svg b/pkg/branding/bitmask-logo.svg
new file mode 100644
index 00000000..0eccc057
--- /dev/null
+++ b/pkg/branding/bitmask-logo.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="30.4 627.3 612 171.1" enable-background="new 30.4 627.3 612 171.1" xml:space="preserve">
+<g>
+ <path fill="#3E3B38" d="m 233.99276,705.92697 q 3.69186,0 5.59865,-1.90576 1.90679,-1.90575 1.90679,-5.62198 0,-3.66857 -1.90679,-5.57433 -1.90679,-1.95339 -5.59865,-1.95339 l -8.64139,0 0,15.05546 8.64139,0 z m 0.52741,31.11145 q 4.70611,0 7.05917,-2.33455 2.39362,-2.33456 2.39362,-7.0513 0,-4.62145 -2.35305,-6.90836 -2.35306,-2.33455 -7.09974,-2.33455 l -9.1688,0 0,18.62876 9.1688,0 z m 14.52403,-25.58477 q 5.03067,1.71519 7.78943,6.33664 2.75875,4.62146 2.75875,11.33924 0,10.29108 -5.92321,15.34132 -5.92321,5.05026 -18.01304,5.05026 l -25.92418,0 0,-71.1323 23.44941,0 q 12.61725,0 18.25646,4.47852 5.67979,4.47853 5.67979,14.34081 0,5.19318 -2.06906,8.86176 -2.06906,3.62093 -6.00435,5.38375 z" />
+ <path fill="#3E3B38" d="m 263.627,678.38881 15.61943,0 0,71.1323 -15.61943,0 0,-71.1323 z" />
+ <path fill="#3E3B38" d="m 282.6846,678.38881 55.82421,0 0,13.86437 -20.08211,0 0,57.26793 -15.61943,0 0,-57.26793 -20.12267,0 0,-13.86437 z" />
+ <path fill="#3E3B38" d="m 341.82528,678.38881 19.87926,0 13.79377,38.06745 13.87492,-38.06745 19.83869,0 0,71.1323 -14.76745,0 0,-52.02711 -13.95605,38.35332 -9.89906,0 -13.95606,-38.35332 0,52.02711 -14.80802,0 0,-71.1323 z" />
+ <path fill="#3E3B38" d="m 456.62789,736.56198 -24.42309,0 -3.85415,12.95913 -15.70056,0 22.43518,-71.1323 18.62158,0 22.43517,71.1323 -15.70055,0 -3.81358,-12.95913 z m -20.52838,-13.19736 16.5931,0 -8.27627,-28.30046 -8.31683,28.30046 z" />
+ <path fill="#3E3B38" d="m 521.57008,680.62807 0,15.05547 q -4.9901,-2.62042 -9.73679,-3.95445 -4.74667,-1.33402 -8.96595,-1.33402 -5.59865,0 -8.27626,1.81046 -2.67762,1.81047 -2.67762,5.62198 0,2.85863 1.78509,4.47852 1.82563,1.57225 6.57232,2.71571 l 6.65347,1.57225 q 10.1019,2.38219 14.36175,7.24186 4.25984,4.85968 4.25984,13.81672 0,11.76804 -5.96378,17.53295 -5.92321,5.71726 -18.13476,5.71726 -5.76093,0 -11.56242,-1.28638 -5.8015,-1.28638 -11.603,-3.81151 l 0,-15.48426 q 5.8015,3.62093 11.1973,5.47904 5.43637,1.81047 10.46704,1.81047 5.11181,0 7.83,-2.00104 2.71818,-2.00104 2.71818,-5.71727 0,-3.33507 -1.86622,-5.14554 -1.82565,-1.81046 -7.34316,-3.23977 l -6.04491,-1.57226 q -9.08767,-2.2869 -13.30694,-7.28951 -4.1787,-5.00261 -4.1787,-13.48321 0,-10.62458 5.84207,-16.34184 5.84207,-5.71728 16.79595,-5.71728 4.9901,0 10.26419,0.90524 5.27409,0.85759 10.91331,2.62041 z" />
+ <path fill="#3E3B38" d="m 529.68237,678.38881 15.61942,0 0,25.96591 22.51631,-25.96591 18.13475,0 -29.16977,33.68421 32.17195,37.44809 -19.55471,0 -24.09853,-28.01459 0,28.01459 -15.61942,0 0,-71.1323 z" />
+ <path fill="#3E3B38" d="m 105.9,627.20077 -75.5,42.70117 0,85.79883 75.5,42.69922 75.5,-42.69922 0,-85.79883 -75.5,-42.70117 z m -32.06836,63.70508 -0.002,0.0976 c 4.21029,0.3754 7.67856,2.66948 11.22851,4.17579 5.587227,2.37079 9.140367,5.17357 14.253907,6.73437 2.529723,0.7722 4.122153,0.59681 5.978523,0.63281 l 0.004,0 c -0.008,-2e-4 0.0371,3e-4 0.0527,0 1.85774,-0.0365 3.45562,0.13969 5.98632,-0.63281 5.11354,-1.5608 8.66863,-4.36357 14.25586,-6.73437 3.80753,-1.61561 7.50206,-4.16896 12.14063,-4.25196 2.62211,-0.0472 5.77411,0.4276 7.9082,2.5918 4.02062,4.0774 5.05182,10.36502 4.81836,15.70312 -0.31466,7.1947 -3.34042,14.43571 -7.94726,19.91211 -3.21011,3.8161 -7.79539,7.87699 -13.29102,8.05469 -4.31698,0.1397 -7.55863,-3.15065 -10.25195,-5.24805 -2.24435,-1.7478 -5.32382,-3.79215 -8.14453,-4.96875 -2.7399,-1.1429 -5.50339,-1.15234 -5.49219,-1.15234 l -0.002,0 -0.0137,0 -0.004,0 c 0.0694,3e-4 -2.74684,0.01 -5.486333,1.15234 -2.8212,1.1768 -5.90485,3.22155 -8.14844,4.96875 -2.6927,2.0969 -5.929147,5.38775 -10.246087,5.24805 -5.49562,-0.1777 -10.08285,-4.23859 -13.29297,-8.05469 -4.60683,-5.4764 -7.63261,-12.71741 -7.94727,-19.91211 -0.23346,-5.3381 0.79774,-11.62572 4.81836,-15.70312 1.99925,-2.0275 4.90008,-2.56866 7.40625,-2.59766 l 1.41797,-0.0156 z m 2.22852,16.40625 c -0.40471,0.008 -0.79685,0.0358 -1.18555,0.0898 -0.93568,0.1303 -2.80387,1.0037 -4.26953,1.875 -0.62959,0.3742 -1.14469,0.71251 -1.58789,1.00781 0.35713,0.6424 0.85002,1.5059 1.42578,2.4375 1.16857,1.8908 2.74114,4.05049 3.72656,4.83789 4.74234,3.695 13.045167,4.66926 19.001957,-0.43554 0.83821,-0.6427 1.5034,-1.21185 2.08593,-1.71485 -1.06931,-0.6782 -2.15957,-1.38346 -3.21875,-2.00586 -2.49446,-1.4657 -4.73528,-3.08627 -7.113277,-3.95507 -2.99838,-1.0955 -6.05879,-2.18772 -8.86523,-2.13672 z m 58.22265,0 c -2.72231,0.0254 -5.66946,1.08042 -8.56054,2.13672 -2.37801,0.8688 -4.61882,2.48927 -7.11328,3.95507 -1.05934,0.6224 -2.15146,1.32766 -3.22071,2.00586 0.58205,0.5028 1.24645,1.07235 2.08399,1.71485 1.98552,1.5232 4.5424,3.12162 6.22851,3.51562 4.73565,1.1065 8.46108,0.36762 12.77539,-3.08008 0.98542,-0.7874 2.55996,-2.94904 3.72852,-4.83984 0.57576,-0.9316 1.06865,-1.79315 1.42578,-2.43555 -0.4432,-0.2953 -0.95829,-0.63361 -1.58789,-1.00781 -1.46565,-0.8713 -3.33385,-1.7447 -4.26953,-1.875 -0.48446,-0.067 -0.98075,-0.0898 -1.49024,-0.0898 z" />
+</g>
+<polygon id="clock1" fill="#3E3B38" points="105.8,657.8 105.8,628 105.8,627.3 181.4,669.9 152.5,683.1 " />
+<polygon id="clock2" fill="#3E3B38" points="152.5,683.1 181.4,669.9 181.4,755.7 152.5,743 " />
+<polygon id="clock3" fill="#3E3B38" points="105.9,798.3 105.9,769 152.5,743 181.4,755.7 " />
+<polygon id="clock4" fill="#3E3B38" points="58.7,743.1 105.9,769 105.9,798.3 30.4,755.7 " />
+<polygon id="clock5" fill="#3E3B38" points="30.4,669.9 58.6,683.1 58.7,743.1 30.4,755.7 " />
+<polygon id="clock6" fill="#3E3B38" points="105.8,628 105.8,657.8 58.6,683.1 30.4,669.9 105.8,627.3 " />
+</svg> \ No newline at end of file
diff --git a/pkg/branding/branding.mk b/pkg/branding/branding.mk
new file mode 100644
index 00000000..6b98d40d
--- /dev/null
+++ b/pkg/branding/branding.mk
@@ -0,0 +1,2 @@
+branding-logo:
+ python pkg/branding/patch_pixel_logo.py
diff --git a/pkg/branding/patch_pixel_logo.py b/pkg/branding/patch_pixel_logo.py
new file mode 100644
index 00000000..464bb729
--- /dev/null
+++ b/pkg/branding/patch_pixel_logo.py
@@ -0,0 +1,57 @@
+# -*- coding: utf-8 -*-
+# patch_pixelated_logo.py
+# Copyright (C) 2016 LEAP Encryption Acess Project
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""
+Patch the Pixelated Logo in the index.html, replacing it with a rebranded
+Bitmask Logo. To be used in the pixelated_www assets distributed with the
+Bitmask bundles.
+"""
+__author__ = 'Kali Kaneko <kali@leap.se>'
+
+import os
+import sys
+
+from BeautifulSoup import BeautifulSoup
+
+
+def patch_logo(orig_path, replacement_path):
+
+ with open(orig_path, 'r') as of:
+ orig = BeautifulSoup(of.read())
+
+ with open(replacement_path, 'r') as rf:
+ new = BeautifulSoup(rf.read())
+
+ new_svg = new.find('svg')
+ old_svg = orig.find('svg')
+ old_svg.replaceWith(new_svg)
+
+ with open(orig_path, 'w') as f:
+ f.write(str(orig))
+
+
+if __name__ == "__main__":
+ here = os.path.dirname(os.path.realpath(__file__))
+ if len(sys.argv) > 1:
+ orig_path = sys.argv[1]
+ else:
+ import pixelated_www
+ orig_path = os.path.join(pixelated_www.__path__[0],
+ 'index.html')
+ assert os.path.isfile(orig_path)
+ new_path = os.path.join(here, 'bitmask-logo.svg')
+ print('>>> patching file %s with logo in %s' % (orig_path, new_path))
+ patch_logo(orig_path, new_path)
diff --git a/pkg/deps.mk b/pkg/deps.mk
new file mode 100644
index 00000000..26bed466
--- /dev/null
+++ b/pkg/deps.mk
@@ -0,0 +1,28 @@
+get_wheels:
+ pip install --upgrade setuptools
+ pip install --upgrade pip
+ pip install wheel
+
+gather_wheels:
+ pip wheel --wheel-dir=../wheelhouse pyzmq --build-option "--zmq=bundled"
+ # because fuck u1db externals, that's why...
+ pip wheel --wheel-dir=../wheelhouse --allow-external dirspec --allow-unverified dirspec --allow-external u1db --allow-unverified u1db -r pkg/requirements.pip
+
+install_wheel:
+ # if it's the first time, you'll need to get_wheels first
+ pip install --pre --use-wheel --no-index --find-links=../wheelhouse -r pkg/requirements.pip
+
+gather_deps:
+ pipdeptree | pkg/scripts/filter-bitmask-deps
+
+install_base_deps:
+ for repo in leap_pycommon keymanager leap_mail soledad/common soledad/client; do cd $(CURDIR)/../$$repo && pkg/pip_install_requirements.sh; done
+ pkg/pip_install_requirements.sh
+
+pull_leapdeps:
+ for repo in $(LEAP_REPOS); do cd $(CURDIR)/../$$repo && git pull; done
+
+checkout_leapdeps_develop:
+ for repo in $(LEAP_REPOS); do cd $(CURDIR)/../$$repo && git checkout develop; done
+ git checkout develop
+
diff --git a/pkg/launcher/.gitignore b/pkg/launcher/.gitignore
new file mode 100644
index 00000000..60de46d7
--- /dev/null
+++ b/pkg/launcher/.gitignore
@@ -0,0 +1,2 @@
+*.o
+bitmask
diff --git a/pkg/launcher/Makefile b/pkg/launcher/Makefile
new file mode 100644
index 00000000..8dd1013d
--- /dev/null
+++ b/pkg/launcher/Makefile
@@ -0,0 +1,15 @@
+CC = gcc
+CFLAGS = -g -Wall
+STRIP = strip
+
+default: bitmask
+
+bitmask.o: bitmask-launcher.c
+ $(CC) $(CFLAGS) -c bitmask-launcher.c -o bitmask.o
+
+bitmask: bitmask.o
+ $(CC) bitmask.o -o bitmask
+ $(STRIP) bitmask
+clean:
+ -rm -f bitmask.o
+ -rm -f bitmask
diff --git a/pkg/launcher/README.rst b/pkg/launcher/README.rst
new file mode 100644
index 00000000..9a840dec
--- /dev/null
+++ b/pkg/launcher/README.rst
@@ -0,0 +1,14 @@
+bitmask-launcher.c
+------------------
+
+A small, portable launcher for bitmask bundles.
+
+Problem that solves
+-------------------
+PyInstaller bundles leave everything (libs, data and the main binary) in a
+single folder. In a case like ours, there are too many files cluttering this
+top-most folder.
+
+We wanted to have a cleaner folder, with an obviously clickable entrypoint, that
+calls the binary that hides in an inferior folder.
+
diff --git a/pkg/launcher/bitmask-launcher.c b/pkg/launcher/bitmask-launcher.c
new file mode 100644
index 00000000..cf5c2a18
--- /dev/null
+++ b/pkg/launcher/bitmask-launcher.c
@@ -0,0 +1,23 @@
+/*
+ * bitmask-launcher.c
+ *
+ * part of the bitmask bundle.
+ * execute main entrypoint in a child folder inside the bundle.
+ *
+ * (c) LEAP Encryption Access Project, 2016.
+ * License: GPL.
+ *
+*/
+
+#include <unistd.h>
+#include <stdlib.h>
+
+char* const bitmask_path = "lib";
+char* const entrypoint = "bitmask";
+
+int main(int argc, char *argv[])
+{
+ argv[0] = entrypoint;
+ chdir(bitmask_path);
+ execv(entrypoint, argv);
+}
diff --git a/pkg/leap_versions.txt b/pkg/leap_versions.txt
index ff0dd91c..6a5a8b7a 100644
--- a/pkg/leap_versions.txt
+++ b/pkg/leap_versions.txt
@@ -1,4 +1,4 @@
-soledad 0.7.2
-keymanager 0.4.2
-leap_common 0.4.2
-leap_mail 0.4.0rc2
+soledad 0.8.0
+keymanager 0.5.0
+leap_common 0.5.1
+leap_mail 0.4.1
diff --git a/pkg/linux/bitmask-launcher b/pkg/linux/bitmask-launcher
index 550dd134..3eae57c0 100755
--- a/pkg/linux/bitmask-launcher
+++ b/pkg/linux/bitmask-launcher
@@ -4,6 +4,19 @@
[ -f libQtCore.so.4 ] || ln -s libQtCore.so.4.orig libQtCore.so.4
[ -f libQtGui.so.4 ] || ln -s libQtGui.so.4.orig libQtGui.so.4
-cat /etc/os-release | grep ID | grep -i ubuntu && unlink libQtCore.so.4 && unlink libQtGui.so.4
+[ -f libQtNetwork.so.4 ] || ln -s libQtNetwork.so.4.orig libQtNetwork.so.4
+[ -f libQtSvg.so.4 ] || ln -s libQtSvg.so.4.orig libQtSvg.so.4
+[ -f libQtWebKit.so.4 ] || ln -s libQtWebKit.so.4.orig libQtWebKit.so.4
+[ -f libQtXmlPatterns.so.4 ] || ln -s libQtXmlPatterns.so.4.orig libQtXmlPatterns.so.4
+[ -f libQtXml.so.4 ] || ln -s libQtXml.so.4.orig libQtXml.so.4
-./bitmask-app "$@"
+cat /etc/os-release | grep ID | grep -i ubuntu && \
+ unlink libQtCore.so.4 && \
+ unlink libQtGui.so.4 && \
+ unlink libQtNetwork.so.4 && \
+ unlink libQtSvg.so.4 && \
+ unlink libQtWebKit.so.4 && \
+ unlink libQtXmlPatterns.so.4 && \
+ unlink libQtXml.so.4
+
+./bitmask-app --standalone "$@"
diff --git a/pkg/next-version b/pkg/next-version
new file mode 100644
index 00000000..3d4f0a85
--- /dev/null
+++ b/pkg/next-version
@@ -0,0 +1 @@
+0.9.2.rc1
diff --git a/pkg/osx/Bitmask.pkgproj b/pkg/osx/Bitmask.pkgproj
new file mode 100755
index 00000000..bf882850
--- /dev/null
+++ b/pkg/osx/Bitmask.pkgproj
@@ -0,0 +1,750 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>PROJECT</key>
+ <dict>
+ <key>PACKAGE_FILES</key>
+ <dict>
+ <key>DEFAULT_INSTALL_LOCATION</key>
+ <string>/Applications</string>
+ <key>HIERARCHY</key>
+ <dict>
+ <key>CHILDREN</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>80</integer>
+ <key>PATH</key>
+ <string>/Users/user/leap/bitmask_client/dist/Bitmask.app</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>3</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>80</integer>
+ <key>PATH</key>
+ <string>Utilities</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>GID</key>
+ <integer>80</integer>
+ <key>PATH</key>
+ <string>Applications</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>509</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>80</integer>
+ <key>PATH</key>
+ <string>Application Support</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Automator</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Documentation</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Filesystems</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Frameworks</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Input Methods</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Internet Plug-Ins</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>LaunchAgents</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>LaunchDaemons</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>PreferencePanes</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Preferences</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>80</integer>
+ <key>PATH</key>
+ <string>Printers</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>PrivilegedHelperTools</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>QuickLook</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>QuickTime</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Screen Savers</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Scripts</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Services</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Widgets</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Library</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Extensions</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Library</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>System</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>CHILDREN</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>Shared</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>1023</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>GID</key>
+ <integer>80</integer>
+ <key>PATH</key>
+ <string>Users</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>/</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ <key>PERMISSIONS</key>
+ <integer>493</integer>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ <key>PAYLOAD_TYPE</key>
+ <integer>0</integer>
+ <key>VERSION</key>
+ <integer>3</integer>
+ </dict>
+ <key>PACKAGE_SCRIPTS</key>
+ <dict>
+ <key>POSTINSTALL_PATH</key>
+ <dict>
+ <key>PATH</key>
+ <string>../pkg/osx/post-inst.sh</string>
+ <key>PATH_TYPE</key>
+ <integer>3</integer>
+ </dict>
+ <key>PREINSTALL_PATH</key>
+ <dict>
+ <key>PATH</key>
+ <string>/Users/user/leap/bitmask_client/pkg/osx/pre-inst.sh</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ </dict>
+ <key>RESOURCES</key>
+ <array>
+ <dict>
+ <key>CHILDREN</key>
+ <array/>
+ <key>GID</key>
+ <integer>0</integer>
+ <key>PATH</key>
+ <string>../pkg/osx/se.leap.bitmask-helper.plist</string>
+ <key>PATH_TYPE</key>
+ <integer>3</integer>
+ <key>PERMISSIONS</key>
+ <integer>420</integer>
+ <key>TYPE</key>
+ <integer>3</integer>
+ <key>UID</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ </dict>
+ <key>PACKAGE_SETTINGS</key>
+ <dict>
+ <key>AUTHENTICATION</key>
+ <integer>1</integer>
+ <key>CONCLUSION_ACTION</key>
+ <integer>0</integer>
+ <key>IDENTIFIER</key>
+ <string>se.leap.pkg.Bitmask</string>
+ <key>OVERWRITE_PERMISSIONS</key>
+ <false/>
+ <key>RELOCATABLE</key>
+ <true/>
+ <key>VERSION</key>
+ <string>0.9.0rc4</string>
+ </dict>
+ <key>PROJECT_COMMENTS</key>
+ <dict>
+ <key>NOTES</key>
+ <data>
+ PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBIVE1M
+ IDQuMDEvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvVFIvaHRtbDQv
+ c3RyaWN0LmR0ZCI+CjxodG1sPgo8aGVhZD4KPG1ldGEgaHR0cC1l
+ cXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7
+ IGNoYXJzZXQ9VVRGLTgiPgo8bWV0YSBodHRwLWVxdWl2PSJDb250
+ ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4KPHRp
+ dGxlPjwvdGl0bGU+CjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29u
+ dGVudD0iQ29jb2EgSFRNTCBXcml0ZXIiPgo8bWV0YSBuYW1lPSJD
+ b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjEyNjUuMjEiPgo8c3R5bGUg
+ dHlwZT0idGV4dC9jc3MiPgo8L3N0eWxlPgo8L2hlYWQ+Cjxib2R5
+ Pgo8L2JvZHk+CjwvaHRtbD4K
+ </data>
+ </dict>
+ <key>PROJECT_SETTINGS</key>
+ <dict>
+ <key>BUILD_PATH</key>
+ <dict>
+ <key>PATH</key>
+ <string>/Users/user/Bitmask/build</string>
+ <key>PATH_TYPE</key>
+ <integer>0</integer>
+ </dict>
+ <key>CERTIFICATE</key>
+ <dict>
+ <key>NAME</key>
+ <string>Developer ID Installer: LEAP Encryption Access Project (SB5RR8K33W)</string>
+ <key>PATH</key>
+ <string>/Users/user/Library/Keychains/login.keychain</string>
+ </dict>
+ <key>EXCLUDED_FILES</key>
+ <array>
+ <dict>
+ <key>PATTERNS_ARRAY</key>
+ <array>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.DS_Store</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>PROTECTED</key>
+ <true/>
+ <key>PROXY_NAME</key>
+ <string>Remove .DS_Store files</string>
+ <key>PROXY_TOOLTIP</key>
+ <string>Remove ".DS_Store" files created by the Finder.</string>
+ <key>STATE</key>
+ <true/>
+ </dict>
+ <dict>
+ <key>PATTERNS_ARRAY</key>
+ <array>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.pbdevelopment</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>PROTECTED</key>
+ <true/>
+ <key>PROXY_NAME</key>
+ <string>Remove .pbdevelopment files</string>
+ <key>PROXY_TOOLTIP</key>
+ <string>Remove ".pbdevelopment" files created by ProjectBuilder or Xcode.</string>
+ <key>STATE</key>
+ <true/>
+ </dict>
+ <dict>
+ <key>PATTERNS_ARRAY</key>
+ <array>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>CVS</string>
+ <key>TYPE</key>
+ <integer>1</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.cvsignore</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.cvspass</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.svn</string>
+ <key>TYPE</key>
+ <integer>1</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.git</string>
+ <key>TYPE</key>
+ <integer>1</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>.gitignore</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>PROTECTED</key>
+ <true/>
+ <key>PROXY_NAME</key>
+ <string>Remove SCM metadata</string>
+ <key>PROXY_TOOLTIP</key>
+ <string>Remove helper files and folders used by the CVS, SVN or Git Source Code Management systems.</string>
+ <key>STATE</key>
+ <true/>
+ </dict>
+ <dict>
+ <key>PATTERNS_ARRAY</key>
+ <array>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>classes.nib</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>designable.db</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>info.nib</string>
+ <key>TYPE</key>
+ <integer>0</integer>
+ </dict>
+ </array>
+ <key>PROTECTED</key>
+ <true/>
+ <key>PROXY_NAME</key>
+ <string>Optimize nib files</string>
+ <key>PROXY_TOOLTIP</key>
+ <string>Remove "classes.nib", "info.nib" and "designable.nib" files within .nib bundles.</string>
+ <key>STATE</key>
+ <true/>
+ </dict>
+ <dict>
+ <key>PATTERNS_ARRAY</key>
+ <array>
+ <dict>
+ <key>REGULAR_EXPRESSION</key>
+ <false/>
+ <key>STRING</key>
+ <string>Resources Disabled</string>
+ <key>TYPE</key>
+ <integer>1</integer>
+ </dict>
+ </array>
+ <key>PROTECTED</key>
+ <true/>
+ <key>PROXY_NAME</key>
+ <string>Remove Resources Disabled folders</string>
+ <key>PROXY_TOOLTIP</key>
+ <string>Remove "Resources Disabled" folders.</string>
+ <key>STATE</key>
+ <true/>
+ </dict>
+ <dict>
+ <key>SEPARATOR</key>
+ <true/>
+ </dict>
+ </array>
+ <key>NAME</key>
+ <string>Bitmask</string>
+ <key>REFERENCE_FOLDER_PATH</key>
+ <string>/Users/user/leap/bitmask_client/dist</string>
+ </dict>
+ </dict>
+ <key>TYPE</key>
+ <integer>1</integer>
+ <key>VERSION</key>
+ <integer>2</integer>
+</dict>
+</plist>
diff --git a/pkg/osx/Makefile b/pkg/osx/Makefile
deleted file mode 100644
index 15dfb810..00000000
--- a/pkg/osx/Makefile
+++ /dev/null
@@ -1,51 +0,0 @@
-OSX = dist/LEAP\ Client.app/Contents/MacOS/
-GITC = `git rev-parse --short HEAD`
-DMG = "dist/leap-client-$(GITC).dmg"
-INST = "dist/LEAP Client installer.app"
-INSTR = "dist/LEAP Client installer.app/Contents/Resources"
-
-pkg : check-env dist tuntap installer dmg
-
-dist :
- ~/pyinstaller/pyinstaller.py -w -s leap-client.spec
- cp -r /opt/local/Library/Frameworks/QtGui.framework/Versions/4/Resources/qt_menu.nib "dist/LEAP Client.app/Contents/Resources"
- cp Info.plist "dist/LEAP Client.app/Contents/Info.plist"
- cp ../../data/images/leap-client.icns "dist/LEAP Client.app/Contents/Resources/icon-windowed.icns"
-
-trim:
- #XXX this should go properly in pyinstaller spec excludes, but going quick'n'dirty
- #XXX adapt to PySide
- rm $(OSX)QtSvg $(OSX)QtXml $(OSX)QtNetwork $(OSX)QtOpenGL $(OSX)Qt3Support $(OSX)QtSql
-
-tuntap:
- ./build_tuntaposx clean && ./build_tuntaposx
-
-installer:
- #XXX need to fix some paths there (binary, etc)
- platypus -P install/leap-installer.platypus -y $(INST)
- # build tuntaposx kernel extension
- mkdir $(INSTR)/StartupItems
- mkdir $(INSTR)/Extensions
- cp -r dist/tun.kext $(INSTR)/Extensions
- cp -r dist/tuntaposx/StartupItems/* $(INSTR)/StartupItems
- cp install/tun.kext/Info.plist $(INSTR)/Extensions/tun.kext/Contents/
- #copy the binary that we have previously built (not yet)
- cp ../../openvpn/build/openvpn.leap $(INSTR)
- #copy startup scripts
- cp install/client.up.sh $(INSTR)
- cp install/client.down.sh $(INSTR)
- cp install/ProcessNetworkChanges.plist.template $(INSTR)
- #Finally, copy application bundle...
- cp -r "dist/LEAP Client.app" $(INSTR)
-
-dmg :
- rm -f $(DMG)
- hdiutil create -format UDBZ -srcfolder $(INST) $(DMG)
-
-check-env:
-ifndef VIRTUAL_ENV
- $(error WHAT DO YOU THINK VIRTUALENV IS FOR??!! Please go get into one..)
-endif
-
-clean :
- rm -rf dist/ build/
diff --git a/pkg/osx/README.rst b/pkg/osx/README.rst
index 92799ebd..eaf04fa1 100644
--- a/pkg/osx/README.rst
+++ b/pkg/osx/README.rst
@@ -1,49 +1,19 @@
environment setup in osx
========================
-TODO:: REALLY old notes, adapting to newest flow.
-
-basically you need this to setup your environment:
-
-# check and consolidate
-
-# install xcode and homebrew
-
-# brew install python2.7
-# brew install python-virtualenwrapper
-# brew install qt
-# brew install git
-# brew install platypus
-# brew install upx
-
Requirements
============
+
pyinstaller
-----------
+You need at least version 3.0.
-You need the development version. do `python setup.py develop` inside your
-virtualenv.
-
-platypus (tested with latest macports)
-
-... + install environment as usual,
- inside virtualenv.
-
-Building the package
-====================
-
-Building the binary
--------------------
-We use the scripts in openvpn/build.zsh
-The packaging Makefile is expecting the final binary in the location::
-
- ../../openvpn/build/openvpn.leap
-
-Running the build
------------------
-IMPORTANT: activate the VIRTUALENV FIRST!
-(you will get an import error otherwise)
+pyside
+----------
+use repo branch kalikaneko/PySide (has --standalone patch)
-For running all steps at once::
+python2.7 setup.py bdist_wheel --version=1.2.2 --standalone
- make pkg
+Blockers
+========
+#7321 - requests bug in merge_environment_settings
diff --git a/pkg/osx/__init__.py b/pkg/osx/__init__.py
new file mode 100644
index 00000000..77ff624b
--- /dev/null
+++ b/pkg/osx/__init__.py
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+
+# daemon/__init__.py
+# Part of ‘python-daemon’, an implementation of PEP 3143.
+#
+# Copyright © 2009–2015 Ben Finney <ben+python@benfinney.id.au>
+# Copyright © 2006 Robert Niederreiter
+#
+# This is free software: you may copy, modify, and/or distribute this work
+# under the terms of the Apache License, version 2.0 as published by the
+# Apache Software Foundation.
+# No warranty expressed or implied. See the file ‘LICENSE.ASF-2’ for details.
+
+""" Library to implement a well-behaved Unix daemon process.
+
+ This library implements the well-behaved daemon specification of
+ :pep:`3143`, “Standard daemon process library”.
+
+ A well-behaved Unix daemon process is tricky to get right, but the
+ required steps are much the same for every daemon program. A
+ `DaemonContext` instance holds the behaviour and configured
+ process environment for the program; use the instance as a context
+ manager to enter a daemon state.
+
+ Simple example of usage::
+
+ import daemon
+
+ from spam import do_main_program
+
+ with daemon.DaemonContext():
+ do_main_program()
+
+ Customisation of the steps to become a daemon is available by
+ setting options on the `DaemonContext` instance; see the
+ documentation for that class for each option.
+
+ """
+
+from __future__ import (absolute_import, unicode_literals)
+
+from .daemon import DaemonContext
+
+
+# Local variables:
+# coding: utf-8
+# mode: python
+# End:
+# vim: fileencoding=utf-8 filetype=python :
diff --git a/pkg/osx/bitmask-helper b/pkg/osx/bitmask-helper
new file mode 100755
index 00000000..a1a3e86a
--- /dev/null
+++ b/pkg/osx/bitmask-helper
@@ -0,0 +1,430 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Author: Kali Kaneko
+# Copyright (C) 2015-2016 LEAP Encryption Access Project
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+This is a privileged helper script for safely running certain commands as root
+under OSX.
+
+It should be run by launchd, and it exposes a Unix Domain Socket to where
+the following commmands can be written by the Bitmask application:
+
+ firewall_start [restart] GATEWAY1 GATEWAY2 ...
+ firewall_stop
+ openvpn_start CONFIG1 CONFIG1 ...
+ openvpn_stop
+ fw_email_start uid
+ fw_email_stop
+
+To load it manually:
+
+ sudo launchctl load /Library/LaunchDaemons/se.leap.bitmask-helper
+
+To see the loaded rules:
+
+ sudo pfctl -s rules -a bitmask
+
+"""
+import os
+import re
+import socket
+import signal
+import subprocess
+import syslog
+import threading
+
+from commands import getoutput as exec_cmd
+from functools import partial
+
+import daemon
+
+VERSION = "1"
+SCRIPT = "bitmask-helper"
+NAMESERVER = "10.42.0.1"
+BITMASK_ANCHOR = "com.apple/250.BitmaskFirewall"
+BITMASK_ANCHOR_EMAIL = "bitmask_email"
+
+OPENVPN_USER = 'nobody'
+OPENVPN_GROUP = 'nogroup'
+LEAPOPENVPN = 'LEAPOPENVPN'
+APP_PATH = '/Applications/Bitmask.app/'
+RESOURCES_PATH = APP_PATH + 'Contents/Resources/'
+OPENVPN_LEAP_BIN = RESOURCES_PATH + 'openvpn.leap'
+
+FIXED_FLAGS = [
+ "--setenv", "LEAPOPENVPN", "1",
+ "--nobind",
+ "--client",
+ "--dev", "tun",
+ "--tls-client",
+ "--remote-cert-tls", "server",
+ "--management-signal",
+ "--script-security", "1",
+ "--user", "nobody",
+ "--remap-usr1", "SIGTERM",
+ "--group", OPENVPN_GROUP,
+]
+
+ALLOWED_FLAGS = {
+ "--remote": ["IP", "NUMBER", "PROTO"],
+ "--tls-cipher": ["CIPHER"],
+ "--cipher": ["CIPHER"],
+ "--auth": ["CIPHER"],
+ "--management": ["DIR", "UNIXSOCKET"],
+ "--management-client-user": ["USER"],
+ "--cert": ["FILE"],
+ "--key": ["FILE"],
+ "--ca": ["FILE"],
+ "--fragment": ["NUMBER"]
+}
+
+PARAM_FORMATS = {
+ "NUMBER": lambda s: re.match("^\d+$", s),
+ "PROTO": lambda s: re.match("^(tcp|udp)$", s),
+ "IP": lambda s: is_valid_address(s),
+ "CIPHER": lambda s: re.match("^[A-Z0-9-]+$", s),
+ "USER": lambda s: re.match(
+ "^[a-zA-Z0-9_\.\@][a-zA-Z0-9_\-\.\@]*\$?$", s), # IEEE Std 1003.1-2001
+ "FILE": lambda s: os.path.isfile(s),
+ "DIR": lambda s: os.path.isdir(os.path.split(s)[0]),
+ "UNIXSOCKET": lambda s: s == "unix",
+ "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s)
+}
+
+#
+# paths (must use absolute paths, since this script is run as root)
+#
+
+PFCTL = '/sbin/pfctl'
+ROUTE = '/sbin/route'
+AWK = '/usr/bin/awk'
+GREP = '/usr/bin/grep'
+CAT = '/bin/cat'
+
+UID = os.getuid()
+SERVER_ADDRESS = '/tmp/bitmask-helper.socket'
+
+
+#
+# COMMAND DISPATCH
+#
+
+def serve_forever():
+ try:
+ os.unlink(SERVER_ADDRESS)
+ except OSError:
+ if os.path.exists(SERVER_ADDRESS):
+ raise
+
+ syslog.syslog(syslog.LOG_WARNING, "serving forever")
+ # XXX should check permissions on the socket file
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind(SERVER_ADDRESS)
+ sock.listen(1)
+ syslog.syslog(syslog.LOG_WARNING, "Binded to %s" % SERVER_ADDRESS)
+
+ while True:
+ connection, client_address = sock.accept()
+ thread = threading.Thread(target=handle_command, args=[connection])
+ thread.daemon = True
+ thread.start()
+
+def recv_until_marker(sock):
+ end = '/CMD'
+ total_data=[]
+ data=''
+ while True:
+ data=sock.recv(8192)
+ if end in data:
+ total_data.append(data[:data.find(end)])
+ break
+ total_data.append(data)
+ if len(total_data)>1:
+ #check if end_of_data was split
+ last_pair=total_data[-2]+total_data[-1]
+ if end in last_pair:
+ total_data[-2] = last_pair[:last_pair.find(end)]
+ total_data.pop()
+ break
+ return ''.join(total_data)
+
+
+def handle_command(sock):
+ syslog.syslog(syslog.LOG_WARNING, "handle")
+
+ received = recv_until_marker(sock)
+ syslog.syslog(syslog.LOG_WARNING, "GOT -----> %s" % received)
+ line = received.replace('\n', '').split(' ')
+
+ command, args = line[0], line[1:]
+ syslog.syslog(syslog.LOG_WARNING, 'command %s' % (command))
+
+ cmd_dict = {
+ 'firewall_start': (firewall_start, args),
+ 'firewall_stop': (firewall_stop, []),
+ 'firewall_isup': (firewall_isup, []),
+ 'openvpn_start': (openvpn_start, args),
+ 'openvpn_stop': (openvpn_stop, []),
+ 'openvpn_force_stop': (openvpn_stop, ['KILL']),
+ 'openvpn_set_watcher': (openvpn_set_watcher, args)
+ }
+
+ cmd_call = cmd_dict.get(command, None)
+ syslog.syslog(syslog.LOG_WARNING, 'call: %s' % (str(cmd_call)))
+ try:
+ if cmd_call:
+ syslog.syslog(
+ syslog.LOG_WARNING, 'GOT "%s"' % (command))
+ cmd, args = cmd_call
+ if args:
+ cmd = partial(cmd, *args)
+
+ # TODO Use a MUTEX in here
+ result = cmd()
+ syslog.syslog(syslog.LOG_WARNING, "Executed")
+ syslog.syslog(syslog.LOG_WARNING, "Result: %s" % (str(result)))
+ if result == 'YES':
+ sock.sendall("%s: YES\n" % command)
+ elif result == 'NO':
+ sock.sendall("%s: NO\n" % command)
+ else:
+ sock.sendall("%s: OK\n" % command)
+
+ else:
+ syslog.syslog(syslog.LOG_WARNING, 'invalid command: %s' % (command,))
+ sock.sendall("%s: ERROR\n" % command)
+ except Exception as exc:
+ syslog.syslog(syslog.LOG_WARNING, "error executing function %r" % (exc))
+ finally:
+ sock.close()
+
+
+
+#
+# OPENVPN
+#
+
+
+openvpn_proc = None
+openvpn_watcher_pid = None
+
+
+def openvpn_start(*args):
+ """
+ Sanitize input and run openvpn as a subprocess of this long-running daemon.
+ Keeps a reference to the subprocess Popen class instance.
+
+ :param args: arguments to be passed to openvpn
+ :type args: list
+ """
+ syslog.syslog(syslog.LOG_WARNING, "OPENVPN START")
+ opts = list(args[1:])
+
+ opts += ['--dhcp-option', 'DNS', '10.42.0.1',
+ '--up', RESOURCES_PATH + 'client.up.sh',
+ '--down', RESOURCES_PATH + 'client.down.sh']
+ binary = [RESOURCES_PATH + 'openvpn.leap']
+
+ syslog.syslog(syslog.LOG_WARNING, ' '.join(binary + opts))
+
+ # TODO sanitize options
+ global openvpn_proc
+ openvpn_proc = subprocess.Popen(binary + opts, shell=False)
+ syslog.syslog(syslog.LOG_WARNING, "OpenVPN PID: %s" % str(openvpn_proc.pid))
+
+
+def openvpn_stop(sig='TERM'):
+ """
+ Stop the openvpn that has been launched by this privileged helper.
+
+ :param args: arguments to openvpn
+ :type args: list
+ """
+ global openvpn_proc
+
+ if openvpn_proc:
+ syslog.syslog(syslog.LOG_WARNING, "OVPN PROC: %s" % str(openvpn_proc.pid))
+
+ if sig == 'KILL':
+ stop_signal = signal.SIGKILL
+ openvpn_proc.kill()
+ elif sig == 'TERM':
+ stop_signal = signal.SIGTERM
+ openvpn_proc.terminate()
+
+ returncode = openvpn_proc.wait()
+ syslog.syslog(syslog.LOG_WARNING, "openvpn return code: %s" % str(returncode))
+ syslog.syslog(syslog.LOG_WARNING, "openvpn_watcher_pid: %s" % str(openvpn_watcher_pid))
+ if openvpn_watcher_pid:
+ os.kill(openvpn_watcher_pid, stop_signal)
+
+
+def openvpn_set_watcher(pid, *args):
+ global openvpn_watcher_pid
+ openvpn_watcher_pid = int(pid)
+ syslog.syslog(syslog.LOG_WARNING, "Watcher PID: %s" % pid)
+
+
+#
+# FIREWALL
+#
+
+
+def firewall_start(*gateways):
+ """
+ Bring up the firewall.
+
+ :param gws: list of gateways, to be sanitized.
+ :type gws: list
+ """
+
+ gateways = get_gateways(gateways)
+
+ if not gateways:
+ return False
+
+ _enable_pf()
+ _reset_bitmask_gateways_table(gateways)
+
+ default_device = _get_default_device()
+ _load_bitmask_anchor(default_device)
+
+
+def firewall_stop():
+ """
+ Flush everything from anchor bitmask
+ """
+ cmd = '{pfctl} -a {anchor} -F all'.format(
+ pfctl=PFCTL, anchor=BITMASK_ANCHOR)
+ return exec_cmd(cmd)
+
+
+def firewall_isup():
+ """
+ Return YES if anchor bitmask is loaded with rules
+ """
+ syslog.syslog(syslog.LOG_WARNING, 'PID---->%s' % os.getpid())
+ cmd = '{pfctl} -s rules -a {anchor} | wc -l'.format(
+ pfctl=PFCTL, anchor=BITMASK_ANCHOR)
+ output = exec_cmd(cmd)
+ rules = output[-1]
+ if int(rules) > 0:
+ return 'YES'
+ else:
+ return 'NO'
+
+
+def _enable_pf():
+ exec_cmd('{pfctl} -e'.format(pfctl=PFCTL))
+
+
+def _reset_bitmask_gateways_table(gateways):
+ cmd = '{pfctl} -a {anchor} -t bitmask_gateways -T delete'.format(
+ pfctl=PFCTL, anchor=BITMASK_ANCHOR)
+ output = exec_cmd(cmd)
+
+ for gateway in gateways:
+ cmd = '{pfctl} -a {anchor} -t bitmask_gateways -T add {gw}'.format(
+ pfctl=PFCTL, anchor=BITMASK_ANCHOR, gw=gateway)
+ output = exec_cmd(cmd)
+ syslog.syslog(syslog.LOG_WARNING, "adding gw %s" % gateway)
+
+ #cmd = '{pfctl} -a {anchor} -t bitmask_nameservers -T delete'.format(
+ # pfctl=PFCTL, anchor=BITMASK_ANCHOR)
+ #output = exec_cmd(cmd)
+
+ cmd = '{pfctl} -a {anchor} -t bitmask_gateways -T add {ns}'.format(
+ pfctl=PFCTL, anchor=BITMASK_ANCHOR, ns=NAMESERVER)
+ output = exec_cmd(cmd)
+ syslog.syslog(syslog.LOG_WARNING, "adding ns %s" % NAMESERVER)
+
+def _load_bitmask_anchor(default_device):
+ cmd = ('{pfctl} -D default_device={defaultdevice} '
+ '-a {anchor} -f {rulefile}').format(
+ pfctl=PFCTL, defaultdevice=default_device,
+ anchor=BITMASK_ANCHOR,
+ rulefile=RESOURCES_PATH + 'bitmask-helper/bitmask.pf.conf')
+ syslog.syslog(syslog.LOG_WARNING, "LOADING CMD: %s" % cmd)
+ return exec_cmd(cmd)
+
+
+def _get_default_device():
+ """
+ Retrieve the current default network device.
+
+ :rtype: str
+ """
+ cmd_def_device = (
+ '{route} -n get -net default | '
+ '{grep} interface | {awk} "{{print $2}}"').format(
+ route=ROUTE, grep=GREP, awk=AWK)
+ iface = exec_cmd(cmd_def_device)
+ iface = iface.replace("interface: ", "").strip()
+ syslog.syslog(syslog.LOG_WARNING, "default device %s" % iface)
+ return iface
+
+
+
+#
+# UTILITY
+#
+
+
+def is_valid_address(value):
+ """
+ Validate that the passed ip is a valid IP address.
+
+ :param value: the value to be validated
+ :type value: str
+ :rtype: bool
+ """
+ try:
+ socket.inet_aton(value)
+ return True
+ except Exception:
+ syslog.syslog(syslog.LOG_WARNING, 'MALFORMED IP: %s!' % (value))
+ return False
+
+
+#
+# FIREWALL
+#
+
+
+def get_gateways(gateways):
+ """
+ Filter a passed sequence of gateways, returning only the valid ones.
+
+ :param gateways: a sequence of gateways to filter.
+ :type gateways: iterable
+ :rtype: iterable
+ """
+ syslog.syslog(syslog.LOG_WARNING, 'Filtering %s' % str(gateways))
+ result = filter(is_valid_address, gateways)
+ if not result:
+ syslog.syslog(syslog.LOG_ERR, 'No valid gateways specified')
+ return False
+ else:
+ return result
+
+
+
+if __name__ == "__main__":
+ with daemon.DaemonContext():
+ syslog.syslog(syslog.LOG_WARNING, "Serving...")
+ serve_forever()
diff --git a/pkg/osx/bitmask-wrapper b/pkg/osx/bitmask-wrapper
new file mode 100755
index 00000000..c861380b
--- /dev/null
+++ b/pkg/osx/bitmask-wrapper
@@ -0,0 +1,3 @@
+#!/bin/sh
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+exec $DIR/bitmask-app --debug
diff --git a/pkg/osx/bitmask.icns b/pkg/osx/bitmask.icns
index 74fa0af6..7cc3e752 100644
--- a/pkg/osx/bitmask.icns
+++ b/pkg/osx/bitmask.icns
Binary files differ
diff --git a/pkg/osx/bitmask.pf.conf b/pkg/osx/bitmask.pf.conf
new file mode 100644
index 00000000..eb0e858f
--- /dev/null
+++ b/pkg/osx/bitmask.pf.conf
@@ -0,0 +1,17 @@
+default_device = "en99"
+
+set block-policy drop
+set skip on lo0
+
+# block all traffic on default device
+block out on $default_device all
+
+# allow traffic to gateways
+pass out on $default_device to <bitmask_gateways>
+
+# allow traffic to local networks over the default device
+pass out on $default_device to $default_device:network
+
+# block all DNS, except to the gateways
+block out proto udp to any port 53
+pass out proto udp to <bitmask_gateways> port 53
diff --git a/pkg/osx/client.down.sh b/pkg/osx/client.down.sh
new file mode 100755
index 00000000..1e173bba
--- /dev/null
+++ b/pkg/osx/client.down.sh
@@ -0,0 +1,426 @@
+#!/bin/bash -e
+# Note: must be bash; uses bash-specific tricks
+#
+# ******************************************************************************************************************
+# Copyright By Tunnelblick. Redistributed with Bitmask under the GPL.
+# This Tunnelblick script does everything! It handles TUN and TAP interfaces,
+# pushed configurations and DHCP leases. :)
+#
+# This is the "Down" version of the script, executed after the connection is
+# closed.
+#
+# Created by: Nick Williams (using original code and parts of old Tblk scripts)
+#
+# ******************************************************************************************************************
+
+# @param String message - The message to log
+logMessage()
+{
+ echo "${@}"
+}
+
+# @param String message - The message to log
+logDebugMessage()
+{
+ echo "${@}" > /dev/null
+}
+
+trim()
+{
+echo ${@}
+}
+
+# @param String list - list of network service names, output from disable_ipv6()
+restore_ipv6() {
+
+ # Undoes the actions performed by the disable_ipv6() routine in client.up.tunnelblick.sh by restoring the IPv6
+ # 'automatic' setting for each network service for which that routine disabled IPv6.
+ #
+ # $1 must contain the output from disable_ipv6() -- the list of network services.
+ #
+ # This routine outputs log messages describing its activities.
+
+ if [ "$1" = "" ] ; then
+ exit
+ fi
+
+ printf %s "$1
+" | \
+ while IFS= read -r ripv6_service ; do
+ networksetup -setv6automatic "$ripv6_service"
+ logMessage "Re-enabled IPv6 (automatic) for '$ripv6_service'"
+ done
+}
+
+##########################################################################################
+flushDNSCache()
+{
+ if ${ARG_FLUSH_DNS_CACHE} ; then
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+ readonly OSVER="$(sw_vers | grep 'ProductVersion:' | grep -o '10\.[0-9]*')"
+ set -e # We instruct bash that it CAN again fail on errors
+ if [ "${OSVER}" = "10.4" ] ; then
+
+ if [ -f /usr/sbin/lookupd ] ; then
+ set +e # we will catch errors from lookupd
+ /usr/sbin/lookupd -flushcache
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via lookupd"
+ else
+ logMessage "Flushed the DNS cache via lookupd"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "WARNING: /usr/sbin/lookupd not present. Not flushing the DNS cache"
+ fi
+
+ else
+
+ if [ -f /usr/bin/dscacheutil ] ; then
+ set +e # we will catch errors from dscacheutil
+ /usr/bin/dscacheutil -flushcache
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via dscacheutil"
+ else
+ logMessage "Flushed the DNS cache via dscacheutil"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "WARNING: /usr/bin/dscacheutil not present. Not flushing the DNS cache via dscacheutil"
+ fi
+
+ if [ -f /usr/sbin/discoveryutil ] ; then
+ set +e # we will catch errors from discoveryutil
+ /usr/sbin/discoveryutil udnsflushcaches
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via discoveryutil udnsflushcaches"
+ else
+ logMessage "Flushed the DNS cache via discoveryutil udnsflushcaches"
+ fi
+ /usr/sbin/discoveryutil mdnsflushcache
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via discoveryutil mdnsflushcache"
+ else
+ logMessage "Flushed the DNS cache via discoveryutil mdnsflushcache"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil"
+ fi
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+ hands_off_ps="$( ps -ax | grep HandsOffDaemon | grep -v grep.HandsOffDaemon )"
+ set -e # We instruct bash that it CAN again fail on errors
+ if [ "${hands_off_ps}" = "" ] ; then
+ if [ -f /usr/bin/killall ] ; then
+ set +e # ignore errors if mDNSResponder isn't currently running
+ /usr/bin/killall -HUP mDNSResponder
+ if [ $? != 0 ] ; then
+ logMessage "mDNSResponder not running. Not notifying it that the DNS cache was flushed"
+ else
+ logMessage "Notified mDNSResponder that the DNS cache was flushed"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "WARNING: /usr/bin/killall not present. Not notifying mDNSResponder that the DNS cache was flushed"
+ fi
+ else
+ logMessage "WARNING: Hands Off is running. Not notifying mDNSResponder that the DNS cache was flushed"
+ fi
+
+ fi
+ fi
+}
+
+##########################################################################################
+resetPrimaryInterface()
+{
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+ WIFI_INTERFACE="$(networksetup -listallhardwareports | awk '$3=="Wi-Fi" {getline; print $2}')"
+ if [ "${WIFI_INTERFACE}" == "" ] ; then
+ WIFI_INTERFACE="$(networksetup -listallhardwareports | awk '$3=="AirPort" {getline; print $2}')"
+ fi
+ PINTERFACE="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/IPv4
+ quit
+EOF
+ grep PrimaryInterface | sed -e 's/.*PrimaryInterface : //'
+ )"
+ set -e # resume abort on error
+
+ if [ "${PINTERFACE}" != "" ] ; then
+ if [ "${PINTERFACE}" == "${WIFI_INTERFACE}" -a "${OSVER}" != "10.4" -a -f /usr/sbin/networksetup ] ; then
+ if [ "${OSVER}" == "10.5" ] ; then
+ logMessage "Resetting primary interface '${PINTERFACE}' via networksetup -setairportpower off/on..."
+ /usr/sbin/networksetup -setairportpower off
+ sleep 2
+ /usr/sbin/networksetup -setairportpower on
+ else
+ logMessage "Resetting primary interface '${PINTERFACE}' via networksetup -setairportpower ${PINTERFACE} off/on..."
+ /usr/sbin/networksetup -setairportpower "${PINTERFACE}" off
+ sleep 2
+ /usr/sbin/networksetup -setairportpower "${PINTERFACE}" on
+ fi
+ else
+ if [ -f /sbin/ifconfig ] ; then
+ logMessage "Resetting primary interface '${PINTERFACE}' via ifconfig ${PINTERFACE} down/up..."
+ /sbin/ifconfig "${PINTERFACE}" down
+ sleep 2
+ /sbin/ifconfig "${PINTERFACE}" up
+ else
+ logMessage "WARNING: Not resetting primary interface because /sbin/ifconfig does not exist."
+ fi
+ fi
+ else
+ logMessage "WARNING: Not resetting primary interface because it cannot be found."
+ fi
+}
+
+##########################################################################################
+trap "" TSTP
+trap "" HUP
+trap "" INT
+export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
+
+readonly OUR_NAME=$(basename "${0}")
+
+logMessage "**********************************************"
+logMessage "Start of output from ${OUR_NAME}"
+
+# Remove the flag file that indicates we need to run the down script
+
+if [ -e "/tmp/bitmask-downscript-needs-to-be-run.txt" ] ; then
+ rm -f "/tmp/bitmask-downscript-needs-to-be-run.txt"
+fi
+
+# Test for the "-r" Bitmask option (Reset primary interface after disconnecting) because we _always_ need its value.
+# Usually we get the value for that option (and the other options) from State:/Network/OpenVPN,
+# but that key may not exist (because, for example, there were no DNS changes).
+# So we get the value from the Bitmask options passed to this script by OpenVPN.
+#
+# We do the same thing for the -f Bitmask option (Flush DNS cache after connecting or disconnecting)
+ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT="false"
+ARG_FLUSH_DNS_CACHE="false"
+while [ {$#} ] ; do
+ if [ "${1:0:1}" != "-" ] ; then # Bitmask arguments start with "-" and come first
+ break # so if this one doesn't start with "-" we are done processing Bitmask arguments
+ fi
+ if [ "$1" = "-r" ] ; then
+ ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT="true"
+ else
+ if [ "$1" = "-f" ] ; then
+ ARG_FLUSH_DNS_CACHE="true"
+ fi
+ fi
+ shift # Shift arguments to examine the next option (if there is one)
+done
+
+# Quick check - is the configuration there?
+if ! scutil -w State:/Network/OpenVPN &>/dev/null -t 1 ; then
+ # Configuration isn't there
+ logMessage "WARNING: Not restoring DNS settings because no saved Bitmask DNS information was found."
+
+ flushDNSCache
+
+ if ${ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT} ; then
+ resetPrimaryInterface
+ fi
+ logMessage "End of output from ${OUR_NAME}"
+ logMessage "**********************************************"
+ exit 0
+fi
+
+# Get info saved by the up script
+TUNNELBLICK_CONFIG="$( scutil <<-EOF
+ open
+ show State:/Network/OpenVPN
+ quit
+EOF
+)"
+
+ARG_MONITOR_NETWORK_CONFIGURATION="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*MonitorNetwork :' | sed -e 's/^.*: //g')"
+LEASEWATCHER_PLIST_PATH="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*LeaseWatcherPlistPath :' | sed -e 's/^.*: //g')"
+REMOVE_LEASEWATCHER_PLIST="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*RemoveLeaseWatcherPlist :' | sed -e 's/^.*: //g')"
+PSID="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*Service :' | sed -e 's/^.*: //g')"
+# Don't need: SCRIPT_LOG_FILE="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*ScriptLogFile :' | sed -e 's/^.*: //g')"
+# Don't need: ARG_RESTORE_ON_DNS_RESET="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*RestoreOnDNSReset :' | sed -e 's/^.*: //g')"
+# Don't need: ARG_RESTORE_ON_WINS_RESET="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*RestoreOnWINSReset :' | sed -e 's/^.*: //g')"
+# Don't need: PROCESS="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*PID :' | sed -e 's/^.*: //g')"
+# Don't need: ARG_IGNORE_OPTION_FLAGS="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*IgnoreOptionFlags :' | sed -e 's/^.*: //g')"
+ARG_TAP="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*IsTapInterface :' | sed -e 's/^.*: //g')"
+ARG_FLUSH_DNS_CACHE="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*FlushDNSCache :' | sed -e 's/^.*: //g')"
+ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*ResetPrimaryInterface :' | sed -e 's/^.*: //g')"
+bRouteGatewayIsDhcp="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*RouteGatewayIsDhcp :' | sed -e 's/^.*: //g')"
+bTapDeviceHasBeenSetNone="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*TapDeviceHasBeenSetNone :' | sed -e 's/^.*: //g')"
+bAlsoUsingSetupKeys="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*bAlsoUsingSetupKeys :' | sed -e 's/^.*: //g')"
+sTunnelDevice="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*TunnelDevice :' | sed -e 's/^.*: //g')"
+
+# Note: '\n' was translated into '\t', so we translate it back (it was done because grep and sed only work with single lines)
+sRestoreIpv6Services="$(echo "${TUNNELBLICK_CONFIG}" | grep -i '^[[:space:]]*RestoreIpv6Services :' | sed -e 's/^.*: //g' | tr '\t' '\n')"
+
+# Remove leasewatcher
+if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ launchctl unload "${LEASEWATCHER_PLIST_PATH}"
+ if ${REMOVE_LEASEWATCHER_PLIST} ; then
+ rm -f "${LEASEWATCHER_PLIST_PATH}"
+ fi
+ logMessage "Cancelled monitoring of system configuration changes"
+fi
+
+if ${ARG_TAP} ; then
+ if [ "$bRouteGatewayIsDhcp" == "true" ]; then
+ if [ "$bTapDeviceHasBeenSetNone" == "false" ]; then
+ if [ -z "$dev" ]; then
+ # If $dev is not defined, then use TunnelDevice, which was set from $dev by client.up.tunnelblick.sh
+ # ($def is not defined when this script is called from MenuController to clean up when exiting Bitmask)
+ if [ -n "${sTunnelDevice}" ]; then
+ logMessage "WARNING: \$dev not defined; using TunnelDevice: ${sTunnelDevice}"
+ set +e
+ ipconfig set "${sTunnelDevice}" NONE 2>/dev/null
+ set -e
+ logMessage "Released the DHCP lease via ipconfig set ${sTunnelDevice} NONE."
+ else
+ logMessage "WARNING: Cannot configure TAP interface to NONE without \$dev or State:/Network/OpenVPN/TunnelDevice being defined. Device may not have disconnected properly."
+ fi
+ else
+ set +e
+ ipconfig set "$dev" NONE 2>/dev/null
+ set -e
+ logMessage "Released the DHCP lease via ipconfig set $dev NONE."
+ fi
+ fi
+ fi
+fi
+
+# Issue warning if the primary service ID has changed
+set +e # "grep" will return error status (1) if no matches are found, so don't fail if not found
+PSID_CURRENT="$( scutil <<-EOF |
+ open
+ show State:/Network/OpenVPN
+ quit
+EOF
+grep 'Service : ' | sed -e 's/.*Service : //'
+)"
+set -e # resume abort on error
+if [ "${PSID}" != "${PSID_CURRENT}" ] ; then
+ logMessage "Ignoring change of Network Primary Service from ${PSID} to ${PSID_CURRENT}"
+fi
+
+# Restore configurations
+DNS_OLD="$( scutil <<-EOF
+ open
+ show State:/Network/OpenVPN/OldDNS
+ quit
+EOF
+)"
+SMB_OLD="$( scutil <<-EOF
+ open
+ show State:/Network/OpenVPN/OldSMB
+ quit
+EOF
+)"
+DNS_OLD_SETUP="$( scutil <<-EOF
+ open
+ show State:/Network/OpenVPN/OldDNSSetup
+ quit
+EOF
+)"
+TB_NO_SUCH_KEY="<dictionary> {
+ BitmaskNoSuchKey : true
+}"
+
+if [ "${DNS_OLD}" = "${TB_NO_SUCH_KEY}" ] ; then
+ scutil <<-EOF
+ open
+ remove State:/Network/Service/${PSID}/DNS
+ quit
+EOF
+else
+ scutil <<-EOF
+ open
+ get State:/Network/OpenVPN/OldDNS
+ set State:/Network/Service/${PSID}/DNS
+ quit
+EOF
+fi
+
+if [ "${DNS_OLD_SETUP}" = "${TB_NO_SUCH_KEY}" ] ; then
+ if ${bAlsoUsingSetupKeys} ; then
+ logDebugMessage "DEBUG: Removing 'Setup:' DNS key"
+ scutil <<-EOF
+ open
+ remove Setup:/Network/Service/${PSID}/DNS
+ quit
+EOF
+ else
+ logDebugMessage "DEBUG: Not removing 'Setup:' DNS key"
+ fi
+else
+ if ${bAlsoUsingSetupKeys} ; then
+ logDebugMessage "DEBUG: Restoring 'Setup:' DNS key"
+ scutil <<-EOF
+ open
+ get State:/Network/OpenVPN/OldDNSSetup
+ set Setup:/Network/Service/${PSID}/DNS
+ quit
+EOF
+ else
+ logDebugMessage "DEBUG: Not restoring 'Setup:' DNS key"
+ fi
+fi
+
+if [ "${SMB_OLD}" = "${TB_NO_SUCH_KEY}" ] ; then
+ scutil > /dev/null <<-EOF
+ open
+ remove State:/Network/Service/${PSID}/SMB
+ quit
+EOF
+else
+ scutil > /dev/null <<-EOF
+ open
+ get State:/Network/OpenVPN/OldSMB
+ set State:/Network/Service/${PSID}/SMB
+ quit
+EOF
+fi
+
+logMessage "Restored the DNS and SMB configurations"
+
+set +e # "grep" will return error status (1) if no matches are found, so don't fail if not found
+new_resolver_contents="$( grep -v '#' < /etc/resolv.conf )"
+set -e # resume abort on error
+logDebugMessage "DEBUG:"
+logDebugMessage "DEBUG: /etc/resolve = ${new_resolver_contents}"
+
+set +e # scutil --dns will return error status in case dns is already down, so don't fail if no dns found
+scutil_dns="$( scutil --dns)"
+set -e # resume abort on error
+logDebugMessage "DEBUG:"
+logDebugMessage "DEBUG: scutil --dns = ${scutil_dns}"
+logDebugMessage "DEBUG:"
+
+restore_ipv6 "$sRestoreIpv6Services"
+
+flushDNSCache
+
+# Remove our system configuration data
+scutil <<-EOF
+ open
+ remove State:/Network/OpenVPN/OldDNS
+ remove State:/Network/OpenVPN/OldSMB
+ remove State:/Network/OpenVPN/OldDNSSetup
+ remove State:/Network/OpenVPN/DNS
+ remove State:/Network/OpenVPN/SMB
+ remove State:/Network/OpenVPN
+ quit
+EOF
+
+if ${ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT} ; then
+ resetPrimaryInterface
+fi
+
+logMessage "End of output from ${OUR_NAME}"
+logMessage "**********************************************"
+
+exit 0
diff --git a/pkg/osx/client.up.sh b/pkg/osx/client.up.sh
new file mode 100755
index 00000000..a713c10e
--- /dev/null
+++ b/pkg/osx/client.up.sh
@@ -0,0 +1,1521 @@
+#!/bin/bash -e
+# Note: must be bash; uses bash-specific tricks
+#
+# ******************************************************************************************************************
+# Copyright by Tunnelblick. Redistributed under GPL as part of Bitmask.
+# This Tunnelblick script does everything! It handles TUN and TAP interfaces,
+# pushed configurations, DHCP with DNS and SMB, and renewed DHCP leases. :)
+#
+# This is the "Up" version of the script, executed after the interface is
+# initialized.
+#
+# Created by: Nick Williams (using original code and parts of old Tblk scripts)
+# Modifed by: Jonathan K. Bullard for Mountain Lion
+# Adapted to use by Bitmask by: Kali Kaneko
+#
+# ******************************************************************************************************************
+
+
+##########################################################################################
+# @param String message - The message to log
+logMessage()
+{
+ echo "${@}"
+}
+
+##########################################################################################
+# @param String message - The message to log
+logDebugMessage()
+{
+ if ${ARG_EXTRA_LOGGING} ; then
+ echo "${@}"
+ fi
+}
+
+##########################################################################################
+# log a change to a setting
+# @param String filters - empty, or one or two '#' if not performing the change
+# @param String name of setting that is being changed
+# @param String new value
+# @param String old value
+logChange()
+{
+ if [ "$1" = "" ] ; then
+ if [ "$3" = "$4" ] ; then
+ echo "Did not change $2 setting of '$3' (but re-set it)"
+ else
+ echo "Changed $2 setting from '$4' to '$3'"
+ fi
+ else
+ echo "Did not change $2 setting of '$4'"
+ fi
+}
+
+##########################################################################################
+# @param String string - Content to trim
+trim()
+{
+ echo ${@}
+}
+
+##########################################################################################
+disable_ipv6() {
+
+# Disables IPv6 on each enabled (active) network service on which it is set to the OS X default "IPv6 Automatic".
+#
+# For each such service, outputs a line with the name of the service.
+# (A separate line is output for each name because a name may include spaces.)
+#
+# The 'restore_ipv6' routine in client.down.sh undoes the actions performed by this routine.
+#
+# NOTE: Done only for enabled services because some versions of OS X enable the service if this IPv6 setting is changed.
+#
+# This only works for OS X 10.5 and higher (10.4 does not implement IPv6.)
+
+ if [ "$OSVER" = "10.4" ] ; then
+ exit
+ fi
+
+ # Get list of services and remove the first line which contains a heading
+ dipv6_services="$( networksetup -listallnetworkservices | sed -e '1,1d')"
+
+ # Go through the list disabling IPv6 for enabled services, and outputting lines with the names of the services
+ printf %s "$dipv6_services
+" | \
+ while IFS= read -r dipv6_service ; do
+
+ # If first character of a line is an asterisk, the service is disabled, so we skip it
+ if [ "${dipv6_service:0:1}" != "*" ] ; then
+ dipv6_ipv6_status="$( networksetup -getinfo "$dipv6_service" | grep 'IPv6: ' | sed -e 's/IPv6: //')"
+ if [ "$dipv6_ipv6_status" = "Automatic" ] ; then
+ networksetup -setv6off "$dipv6_service"
+ echo "$dipv6_service"
+ fi
+ fi
+
+ done
+}
+
+##########################################################################################
+# @param String[] dnsServers - The name servers to use
+# @param String domainName - The domain name to use
+# @param \optional String[] winsServers - The SMB servers to use
+# @param \optional String[] searchDomains - The search domains to use
+#
+# Throughout this routine:
+# MAN_ is a prefix for manually set parameters
+# DYN_ is a prefix for dynamically set parameters (by a "push", config file, or command line option)
+# CUR_ is a prefix for the current parameters (as arbitrated by OS X between manual and DHCP data)
+# FIN_ is a prefix for the parameters we want to end up with
+# SKP_ is a prefix for an empty string or a "#" used to control execution of statements that set parameters in scutil
+#
+# DNS_SA is a suffix for the ServerAddresses value in a System Configuration DNS key
+# DNS_SD is a suffix for the SearchDomains value in a System Configuration DNS key
+# DNS_DN is a suffix for the DomainName value in a System Configuration DNS key
+#
+# SMB_NN is a suffix for the NetBIOSName value in a System Configuration SMB key
+# SMB_WG is a suffix for the Workgroup value in a System Configuration SMB key
+# SMB_WA is a suffix for the WINSAddresses value in a System Configuration SMB key
+#
+# So, for example, MAN_SMB_NN is the manually set NetBIOSName value (or the empty string if not set manually)
+
+setDnsServersAndDomainName()
+{
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+
+ PSID="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/IPv4
+ quit
+EOF
+grep PrimaryService | sed -e 's/.*PrimaryService : //'
+)"
+
+ set -e # resume abort on error
+
+ MAN_DNS_CONFIG="$( scutil <<-EOF |
+ open
+ show Setup:/Network/Service/${PSID}/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+
+ MAN_SMB_CONFIG="$( scutil <<-EOF |
+ open
+ show Setup:/Network/Service/${PSID}/SMB
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ CUR_DNS_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+
+ CUR_SMB_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/SMB
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+
+# Set up the DYN_... variables to contain what is asked for (dynamically, by a 'push' directive, for example)
+
+ declare -a vDNS=("${!1}")
+ declare -a vSMB=("${!3}")
+ declare -a vSD=("${!4}")
+
+ if [ ${#vDNS[*]} -eq 0 ] ; then
+ readonly DYN_DNS_SA=""
+ else
+ readonly DYN_DNS_SA="${!1}"
+ fi
+
+ if [ ${#vSMB[*]} -eq 0 ] ; then
+ readonly DYN_SMB_WA=""
+ else
+ readonly DYN_SMB_WA="${!3}"
+ fi
+
+ if [ ${#vSD[*]} -eq 0 ] ; then
+ readonly DYN_DNS_SD=""
+ else
+ readonly DYN_DNS_SD="${!4}"
+ fi
+
+ DYN_DNS_DN="$2"
+
+ # The variables
+ # DYN_SMB_WG
+ # DYN_SMB_NN
+ # are left empty. There isn't a way for OpenVPN to set them.
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: MAN_DNS_CONFIG = ${MAN_DNS_CONFIG}"
+ logDebugMessage "DEBUG: MAN_SMB_CONFIG = ${MAN_SMB_CONFIG}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: CUR_DNS_CONFIG = ${CUR_DNS_CONFIG}"
+ logDebugMessage "DEBUG: CUR_SMB_CONFIG = ${CUR_SMB_CONFIG}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: DYN_DNS_DN = ${DYN_DNS_DN}; DYN_DNS_SA = ${DYN_DNS_SA}; DYN_DNS_SD = ${DYN_DNS_SD}"
+ logDebugMessage "DEBUG: DYN_SMB_NN = ${DYN_SMB_NN}; DYN_SMB_WG = ${DYN_SMB_WG}; DYN_SMB_WA = ${DYN_SMB_WA}"
+
+# Set up the MAN_... variables to contain manual network settings
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+
+ if echo "${MAN_DNS_CONFIG}" | grep -q "DomainName" ; then
+ readonly MAN_DNS_DN="$( trim "$( echo "${MAN_DNS_CONFIG}" | sed -e 's/^.*DomainName[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )" )"
+ else
+ readonly MAN_DNS_DN="";
+ fi
+ if echo "${MAN_DNS_CONFIG}" | grep -q "ServerAddresses" ; then
+ readonly MAN_DNS_SA="$( trim "$( echo "${MAN_DNS_CONFIG}" | sed -e 's/^.*ServerAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )" )"
+ else
+ readonly MAN_DNS_SA="";
+ fi
+ if echo "${MAN_DNS_CONFIG}" | grep -q "SearchDomains" ; then
+ readonly MAN_DNS_SD="$( trim "$( echo "${MAN_DNS_CONFIG}" | sed -e 's/^.*SearchDomains[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )" )"
+ else
+ readonly MAN_DNS_SD="";
+ fi
+ if echo "${MAN_SMB_CONFIG}" | grep -q "NetBIOSName" ; then
+ readonly MAN_SMB_NN="$( trim "$( echo "${MAN_SMB_CONFIG}" | sed -e 's/^.*NetBIOSName : \([^[:space:]]*\).*$/\1/g' )" )"
+ else
+ readonly MAN_SMB_NN="";
+ fi
+ if echo "${MAN_SMB_CONFIG}" | grep -q "Workgroup" ; then
+ readonly MAN_SMB_WG="$( trim "$( echo "${MAN_SMB_CONFIG}" | sed -e 's/^.*Workgroup : \([^[:space:]]*\).*$/\1/g' )" )"
+ else
+ readonly MAN_SMB_WG="";
+ fi
+ if echo "${MAN_SMB_CONFIG}" | grep -q "WINSAddresses" ; then
+ readonly MAN_SMB_WA="$( trim "$( echo "${MAN_SMB_CONFIG}" | sed -e 's/^.*WINSAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )" )"
+ else
+ readonly MAN_SMB_WA="";
+ fi
+
+ set -e # resume abort on error
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: MAN_DNS_DN = ${MAN_DNS_DN}; MAN_DNS_SA = ${MAN_DNS_SA}; MAN_DNS_SD = ${MAN_DNS_SD}"
+ logDebugMessage "DEBUG: MAN_SMB_NN = ${MAN_SMB_NN}; MAN_SMB_WG = ${MAN_SMB_WG}; MAN_SMB_WA = ${MAN_SMB_WA}"
+
+# Set up the CUR_... variables to contain the current network settings (from manual or DHCP, as arbitrated by OS X
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+
+ if echo "${CUR_DNS_CONFIG}" | grep -q "DomainName" ; then
+ readonly CUR_DNS_DN="$(trim "$( echo "${CUR_DNS_CONFIG}" | sed -e 's/^.*DomainName : \([^[:space:]]*\).*$/\1/g' )")"
+ else
+ readonly CUR_DNS_DN="";
+ fi
+ if echo "${CUR_DNS_CONFIG}" | grep -q "ServerAddresses" ; then
+ readonly CUR_DNS_SA="$(trim "$( echo "${CUR_DNS_CONFIG}" | sed -e 's/^.*ServerAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )")"
+ else
+ readonly CUR_DNS_SA="";
+ fi
+ if echo "${CUR_DNS_CONFIG}" | grep -q "SearchDomains" ; then
+ readonly CUR_DNS_SD="$(trim "$( echo "${CUR_DNS_CONFIG}" | sed -e 's/^.*SearchDomains[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )")"
+ else
+ readonly CUR_DNS_SD="";
+ fi
+ if echo "${CUR_SMB_CONFIG}" | grep -q "NetBIOSName" ; then
+ readonly CUR_SMB_NN="$(trim "$( echo "${CUR_SMB_CONFIG}" | sed -e 's/^.*NetBIOSName : \([^[:space:]]*\).*$/\1/g' )")"
+ else
+ readonly CUR_SMB_NN="";
+ fi
+ if echo "${CUR_SMB_CONFIG}" | grep -q "Workgroup" ; then
+ readonly CUR_SMB_WG="$(trim "$( echo "${CUR_SMB_CONFIG}" | sed -e 's/^.*Workgroup : \([^[:space:]]*\).*$/\1/g' )")"
+ else
+ readonly CUR_SMB_WG="";
+ fi
+ if echo "${CUR_SMB_CONFIG}" | grep -q "WINSAddresses" ; then
+ readonly CUR_SMB_WA="$(trim "$( echo "${CUR_SMB_CONFIG}" | sed -e 's/^.*WINSAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )")"
+ else
+ readonly CUR_SMB_WA="";
+ fi
+
+ set -e # resume abort on error
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: CUR_DNS_DN = ${CUR_DNS_DN}; CUR_DNS_SA = ${CUR_DNS_SA}; CUR_DNS_SD = ${CUR_DNS_SD}"
+ logDebugMessage "DEBUG: CUR_SMB_NN = ${CUR_SMB_NN}; CUR_SMB_WG = ${CUR_SMB_WG}; CUR_SMB_WA = ${CUR_SMB_WA}"
+
+# set up the FIN_... variables with what we want to set things to
+
+ # Three FIN_... variables are simple -- no aggregation is done for them
+
+ if [ "${DYN_DNS_DN}" != "" ] ; then
+ if [ "${MAN_DNS_DN}" != "" ] ; then
+ logMessage "WARNING: Ignoring DomainName '$DYN_DNS_DN' because DomainName was set manually"
+ readonly FIN_DNS_DN="${MAN_DNS_DN}"
+ else
+ readonly FIN_DNS_DN="${DYN_DNS_DN}"
+ fi
+ else
+ readonly FIN_DNS_DN="${CUR_DNS_DN}"
+ fi
+
+ if [ "${DYN_SMB_NN}" != "" ] ; then
+ if [ "${MAN_SMB_NN}" != "" ] ; then
+ logMessage "WARNING: Ignoring NetBIOSName '$DYN_SMB_NN' because NetBIOSName was set manually"
+ readonly FIN_SMB_NN="${MAN_SMB_NN}"
+ else
+ readonly FIN_SMB_NN="${DYN_SMB_NN}"
+ fi
+ else
+ readonly FIN_SMB_NN="${CUR_SMB_NN}"
+ fi
+
+ if [ "${DYN_SMB_WG}" != "" ] ; then
+ if [ "${MAN_SMB_WG}" != "" ] ; then
+ logMessage "WARNING: Ignoring Workgroup '$DYN_SMB_WG' because Workgroup was set manually"
+ readonly FIN_SMB_WG="${MAN_SMB_WG}"
+ else
+ readonly FIN_SMB_WG="${DYN_SMB_WG}"
+ fi
+ else
+ readonly FIN_SMB_WG="${CUR_SMB_WG}"
+ fi
+
+ # DNS ServerAddresses (FIN_DNS_SA) are aggregated for 10.4 and 10.5
+ if [ ${#vDNS[*]} -eq 0 ] ; then
+ readonly FIN_DNS_SA="${CUR_DNS_SA}"
+ else
+ if [ "${MAN_DNS_SA}" != "" ] ; then
+ logMessage "WARNING: Ignoring ServerAddresses '$DYN_DNS_SA' because ServerAddresses was set manually"
+ readonly FIN_DNS_SA="${CUR_DNS_SA}"
+ else
+ case "${OSVER}" in
+ 10.4 | 10.5 )
+ # We need to remove duplicate DNS entries, so that our reference list matches MacOSX's
+ SDNS="$( echo "${DYN_DNS_SA}" | tr ' ' '\n' )"
+ (( i=0 ))
+ for n in "${vDNS[@]}" ; do
+ if echo "${SDNS}" | grep -q "${n}" ; then
+ unset vDNS[${i}]
+ fi
+ (( i++ ))
+ done
+ if [ ${#vDNS[*]} -gt 0 ] ; then
+ readonly FIN_DNS_SA="$( trim "${DYN_DNS_SA}" "${vDNS[*]}" )"
+ else
+ readonly FIN_DNS_SA="${DYN_DNS_SA}"
+ fi
+ logMessage "Aggregating ServerAddresses because running on OS X 10.4 or 10.5"
+ ;;
+ * )
+ # Do nothing - in 10.6 and higher -- we don't aggregate our configurations, apparently
+ readonly FIN_DNS_SA="${DYN_DNS_SA}"
+ logMessage "Not aggregating ServerAddresses because running on OS X 10.6 or higher"
+ ;;
+ esac
+ fi
+ fi
+
+ # SMB WINSAddresses (FIN_SMB_WA) are aggregated for 10.4 and 10.5
+ if [ ${#vSMB[*]} -eq 0 ] ; then
+ readonly FIN_SMB_WA="${CUR_SMB_WA}"
+ else
+ if [ "${MAN_SMB_WA}" != "" ] ; then
+ logMessage "WARNING: Ignoring WINSAddresses '$DYN_SMB_WA' because WINSAddresses was set manually"
+ readonly FIN_SMB_WA="${MAN_SMB_WA}"
+ else
+ case "${OSVER}" in
+ 10.4 | 10.5 )
+ # We need to remove duplicate SMB entries, so that our reference list matches MacOSX's
+ SSMB="$( echo "${DYN_SMB_WA}" | tr ' ' '\n' )"
+ (( i=0 ))
+ for n in "${vSMB[@]}" ; do
+ if echo "${SSMB}" | grep -q "${n}" ; then
+ unset vSMB[${i}]
+ fi
+ (( i++ ))
+ done
+ if [ ${#vSMB[*]} -gt 0 ] ; then
+ readonly FIN_SMB_WA="$( trim "${DYN_SMB_WA}" "${vSMB[*]}" )"
+ else
+ readonly FIN_SMB_WA="${DYN_SMB_WA}"
+ fi
+ logMessage "Aggregating WINSAddresses because running on OS X 10.4 or 10.5"
+ ;;
+ * )
+ # Do nothing - in 10.6 and higher -- we don't aggregate our configurations, apparently
+ readonly FIN_SMB_WA="${DYN_SMB_WA}"
+ logMessage "Not aggregating WINSAddresses because running on OS X 10.6 or higher"
+ ;;
+ esac
+ fi
+ fi
+
+ # DNS SearchDomains (FIN_DNS_SD) is treated specially
+ #
+ # OLD BEHAVIOR:
+ # if SearchDomains was not set manually, we set SearchDomains to the DomainName
+ # else
+ # In OS X 10.4-10.5, we add the DomainName to the end of any manual SearchDomains (unless it is already there)
+ # In OS X 10.6+, if SearchDomains was entered manually, we ignore the DomainName
+ # else we set SearchDomains to the DomainName
+ #
+ # NEW BEHAVIOR (done if ARG_PREPEND_DOMAIN_NAME is "true"):
+ #
+ # if SearchDomains was entered manually, we do nothing
+ # else we PREpend new SearchDomains (if any) to the existing SearchDomains (NOT replacing them)
+ # and PREpend DomainName to that
+ #
+ # (done if ARG_PREPEND_DOMAIN_NAME is "false" and there are new SearchDomains from DOMAIN-SEARCH):
+ #
+ # if SearchDomains was entered manually, we do nothing
+ # else we PREpend any new SearchDomains to the existing SearchDomains (NOT replacing them)
+ #
+ # This behavior is meant to behave like Linux with Network Manager and Windows
+
+ if "${ARG_PREPEND_DOMAIN_NAME}" ; then
+ if [ "${MAN_DNS_SD}" = "" ] ; then
+ if [ "${DYN_DNS_SD}" != "" ] ; then
+ if ! echo "${CUR_DNS_SD}" | tr ' ' '\n' | grep -q "${DYN_DNS_SD}" ; then
+ logMessage "Prepending '${DYN_DNS_SD}' to search domains '${CUR_DNS_SD}' because the search domains were not set manually and 'Prepend domain name to search domains' was selected"
+ readonly TMP_DNS_SD="$( trim "${DYN_DNS_SD}" "${CUR_DNS_SD}" )"
+ else
+ logMessage "Not prepending '${DYN_DNS_SD}' to search domains '${CUR_DNS_SD}' because it is already there"
+ readonly TMP_DNS_SD="${CUR_DNS_SD}"
+ fi
+ else
+ readonly TMP_DNS_SD="${CUR_DNS_SD}"
+ fi
+ if [ "${FIN_DNS_DN}" != "" -a "${FIN_DNS_DN}" != "localdomain" ] ; then
+ if ! echo "${TMP_DNS_SD}" | tr ' ' '\n' | grep -q "${FIN_DNS_DN}" ; then
+ logMessage "Prepending '${FIN_DNS_DN}' to search domains '${TMP_DNS_SD}' because the search domains were not set manually and 'Prepend domain name to search domains' was selected"
+ readonly FIN_DNS_SD="$( trim "${FIN_DNS_DN}" "${TMP_DNS_SD}" )"
+ else
+ logMessage "Not prepending '${FIN_DNS_DN}' to search domains '${TMP_DNS_SD}' because it is already there"
+ readonly FIN_DNS_SD="${TMP_DNS_SD}"
+ fi
+ else
+ readonly FIN_DNS_SD="${TMP_DNS_SD}"
+ fi
+ else
+ if [ "${DYN_DNS_SD}" != "" ] ; then
+ logMessage "WARNING: Not prepending '${DYN_DNS_SD}' to search domains '${CUR_DNS_SD}' because the search domains were set manually"
+ fi
+ if [ "${FIN_DNS_DN}" != "" ] ; then
+ logMessage "WARNING: Not prepending domain '${FIN_DNS_DN}' to search domains '${CUR_DNS_SD}' because the search domains were set manually"
+ fi
+ readonly FIN_DNS_SD="${CUR_DNS_SD}"
+ fi
+ else
+ if [ "${DYN_DNS_SD}" != "" ] ; then
+ if [ "${MAN_DNS_SD}" = "" ] ; then
+ logMessage "Prepending '${DYN_DNS_SD}' to search domains '${CUR_DNS_SD}' because the search domains were not set manually but were set via OpenVPN and 'Prepend domain name to search domains' was not selected"
+ readonly FIN_DNS_SD="$( trim "${DYN_DNS_SD}" "${CUR_DNS_SD}" )"
+ else
+ logMessage "WARNING: Not prepending '${DYN_DNS_SD}' to search domains '${CUR_DNS_SD}' because the search domains were set manually"
+ readonly FIN_DNS_SD="${CUR_DNS_SD}"
+ fi
+ else
+ if [ "${FIN_DNS_DN}" != "" -a "${FIN_DNS_DN}" != "localdomain" ] ; then
+ case "${OSVER}" in
+ 10.4 | 10.5 )
+ if ! echo "${MAN_DNS_SD}" | tr ' ' '\n' | grep -q "${FIN_DNS_DN}" ; then
+ logMessage "Appending '${FIN_DNS_DN}' to search domains '${CUR_DNS_SD}' that were set manually because running under OS X 10.4 or 10.5 and 'Prepend domain name to search domains' was not selected"
+ readonly FIN_DNS_SD="$( trim "${MAN_DNS_SD}" "${FIN_DNS_DN}" )"
+ else
+ logMessage "Not appending '${FIN_DNS_DN}' to search domains '${CUR_DNS_SD}' because it is already in the search domains that were set manually and 'Prepend domain name to search domains' was not selected"
+ readonly FIN_DNS_SD="${CUR_DNS_SD}"
+ fi
+ ;;
+ * )
+ if [ "${MAN_DNS_SD}" = "" ] ; then
+ logMessage "Setting search domains to '${FIN_DNS_DN}' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected"
+ readonly FIN_DNS_SD="${FIN_DNS_DN}"
+ else
+ logMessage "Not replacing search domains '${CUR_DNS_SD}' with '${FIN_DNS_DN}' because the search domains were set manually and 'Prepend domain name to search domains' was not selected"
+ readonly FIN_DNS_SD="${CUR_DNS_SD}"
+ fi
+ ;;
+ esac
+ else
+ readonly FIN_DNS_SD="${CUR_DNS_SD}"
+ fi
+ fi
+ fi
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: FIN_DNS_DN = ${FIN_DNS_DN}; FIN_DNS_SA = ${FIN_DNS_SA}; FIN_DNS_SD = ${FIN_DNS_SD}"
+ logDebugMessage "DEBUG: FIN_SMB_NN = ${FIN_SMB_NN}; FIN_SMB_WG = ${FIN_SMB_WG}; FIN_SMB_WA = ${FIN_SMB_WA}"
+
+# Set up SKP_... variables to inhibit scutil from making some changes
+
+ # SKP_DNS_... and SKP_SMB_... are used to comment out individual items that are not being set
+ if [ "${FIN_DNS_DN}" = "" -o "${FIN_DNS_DN}" = "${CUR_DNS_DN}" ] ; then
+ SKP_DNS_DN="#"
+ else
+ SKP_DNS_DN=""
+ fi
+ if [ "${FIN_DNS_SA}" = "" -o "${FIN_DNS_SA}" = "${CUR_DNS_SA}" ] ; then
+ SKP_DNS_SA="#"
+ else
+ SKP_DNS_SA=""
+ fi
+ if [ "${FIN_DNS_SD}" = "" -o "${FIN_DNS_SD}" = "${CUR_DNS_SD}" ] ; then
+ SKP_DNS_SD="#"
+ else
+ SKP_DNS_SD=""
+ fi
+ if [ "${FIN_SMB_NN}" = "" -o "${FIN_SMB_NN}" = "${CUR_SMB_NN}" ] ; then
+ SKP_SMB_NN="#"
+ else
+ SKP_SMB_NN=""
+ fi
+ if [ "${FIN_SMB_WG}" = "" -o "${FIN_SMB_WG}" = "${CUR_SMB_WG}" ] ; then
+ SKP_SMB_WG="#"
+ else
+ SKP_SMB_WG=""
+ fi
+ if [ "${FIN_SMB_WA}" = "" -o "${FIN_SMB_WA}" = "${CUR_SMB_WA}" ] ; then
+ SKP_SMB_WA="#"
+ else
+ SKP_SMB_WA=""
+ fi
+
+ # if any DNS items should be set, set all that have values
+ if [ "${SKP_DNS_DN}${SKP_DNS_SA}${SKP_DNS_SD}" = "###" ] ; then
+ readonly SKP_DNS="#"
+ else
+ readonly SKP_DNS=""
+ if [ "${FIN_DNS_DN}" != "" ] ; then
+ SKP_DNS_DN=""
+ fi
+ if [ "${FIN_DNS_SA}" != "" ] ; then
+ SKP_DNS_SA=""
+ fi
+ if [ "${FIN_DNS_SD}" != "" ] ; then
+ SKP_DNS_SD=""
+ fi
+ fi
+
+ # if any SMB items should be set, set all that have values
+ if [ "${SKP_SMB_NN}${SKP_SMB_WG}${SKP_SMB_WA}" = "###" ] ; then
+ readonly SKP_SMB="#"
+ else
+ readonly SKP_SMB=""
+ if [ "${FIN_SMB_NN}" != "" ] ; then
+ SKP_SMB_NN=""
+ fi
+ if [ "${FIN_SMB_WG}" != "" ] ; then
+ SKP_SMB_WG=""
+ fi
+ if [ "${FIN_SMB_WA}" != "" ] ; then
+ SKP_SMB_WA=""
+ fi
+ fi
+
+ readonly SKP_DNS_SA SKP_DNS_SD SKP_DNS_DN
+ readonly SKP_SMB_NN SKP_SMB_WG SKP_SMB_WA
+
+# special-case fiddling:
+
+ # in 10.8 and higher, ServerAddresses and SearchDomains must be set via the Setup: key in addition to the State: key
+ # in 10.7 if ServerAddresses or SearchDomains are manually set, ServerAddresses and SearchDomains must be similarly set with the Setup: key in addition to the State: key
+ #
+ # we pass a flag indicating whether we've done that to the other scripts in 'bAlsoUsingSetupKeys'
+
+ case "${OSVER}" in
+ 10.4 | 10.5 | 10.6 )
+ logDebugMessage "DEBUG: OS X 10.4-10.6, so will modify settings using only State:"
+ readonly SKP_SETUP_DNS="#"
+ readonly bAlsoUsingSetupKeys="false"
+ ;;
+ 10.7 )
+ if [ "${MAN_DNS_SA}" = "" -a "${MAN_DNS_SD}" = "" ] ; then
+ logDebugMessage "DEBUG: OS X 10.7 and neither ServerAddresses nor SearchDomains were set manually, so will modify DNS settings using only State:"
+ readonly SKP_SETUP_DNS="#"
+ readonly bAlsoUsingSetupKeys="false"
+ else
+ logDebugMessage "DEBUG: OS X 10.7 and ServerAddresses or SearchDomains were set manually, so will modify DNS settings using Setup: in addition to State:"
+ readonly SKP_SETUP_DNS=""
+ readonly bAlsoUsingSetupKeys="true"
+ fi
+ ;;
+ * )
+ logDebugMessage "DEBUG: OS X 10.8 or higher, so will modify DNS settings using Setup: in addition to State:"
+ readonly SKP_SETUP_DNS=""
+ readonly bAlsoUsingSetupKeys="true"
+ ;;
+ esac
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: SKP_DNS = ${SKP_DNS}; SKP_DNS_SA = ${SKP_DNS_SA}; SKP_DNS_SD = ${SKP_DNS_SD}; SKP_DNS_DN = ${SKP_DNS_DN}"
+ logDebugMessage "DEBUG: SKP_SETUP_DNS = ${SKP_SETUP_DNS}"
+ logDebugMessage "DEBUG: SKP_SMB = ${SKP_SMB}; SKP_SMB_NN = ${SKP_SMB_NN}; SKP_SMB_WG = ${SKP_SMB_WG}; SKP_SMB_WA = ${SKP_SMB_WA}"
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail if not found
+ original_resolver_contents="$( grep -v '#' < /etc/resolv.conf )"
+ set -e # resume abort on error
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: /etc/resolve = ${original_resolver_contents}"
+ logDebugMessage "DEBUG:"
+
+ set +e # scutil --dns will return error status in case dns is already down, so don't fail if no dns found
+ scutil_dns="$( scutil --dns)"
+ set -e # resume abort on error
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: scutil --dns BEFORE CHANGES = ${scutil_dns}"
+ logDebugMessage "DEBUG:"
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: Configuration changes:"
+ logDebugMessage "DEBUG: ${SKP_DNS}${SKP_DNS_SA}ADD State: ServerAddresses ${FIN_DNS_SA}"
+ logDebugMessage "DEBUG: ${SKP_DNS}${SKP_DNS_SD}ADD State: SearchDomains ${FIN_DNS_SD}"
+ logDebugMessage "DEBUG: ${SKP_DNS}${SKP_DNS_DN}ADD State: DomainName ${FIN_DNS_DN}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: ${SKP_SETUP_DNS}${SKP_DNS}${SKP_DNS_SA}ADD Setup: ServerAddresses ${FIN_DNS_SA}"
+ logDebugMessage "DEBUG: ${SKP_SETUP_DNS}${SKP_DNS}${SKP_DNS_SD}ADD Setup: SearchDomains ${FIN_DNS_SD}"
+ logDebugMessage "DEBUG: ${SKP_SETUP_DNS}${SKP_DNS}${SKP_DNS_DN}ADD Setup: DomainName ${FIN_DNS_DN}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: ${SKP_SMB}${SKP_SMB_NN}ADD State: NetBIOSName ${FIN_SMB_NN}"
+ logDebugMessage "DEBUG: ${SKP_SMB}${SKP_SMB_WG}ADD State: Workgroup ${FIN_SMB_WG}"
+ logDebugMessage "DEBUG: ${SKP_SMB}${SKP_SMB_WA}ADD State: WINSAddresses ${FIN_SMB_WA}"
+
+ # Save the openvpn process ID and the Network Primary Service ID, leasewather.plist path, logfile path, and optional arguments from Bitmask,
+ # then save old and new DNS and SMB settings
+ # PPID is a script variable (defined by bash itself) that contains the process ID of the parent of the process running the script (i.e., OpenVPN's process ID)
+ # config is an environmental variable set to the configuration path by OpenVPN prior to running this up script
+
+ scutil <<-EOF > /dev/null
+ open
+
+ # Store our variables for the other scripts (leasewatch, down, etc.) to use
+ d.init
+ # The '#' in the next line does NOT start a comment; it indicates to scutil that a number follows it (as opposed to a string or an array)
+ d.add PID # ${PPID}
+ d.add Service ${PSID}
+ d.add LeaseWatcherPlistPath "${LEASEWATCHER_PLIST_PATH}"
+ d.add RemoveLeaseWatcherPlist "${REMOVE_LEASEWATCHER_PLIST}"
+ d.add ScriptLogFile "${SCRIPT_LOG_FILE}"
+ d.add MonitorNetwork "${ARG_MONITOR_NETWORK_CONFIGURATION}"
+ d.add RestoreOnDNSReset "${ARG_RESTORE_ON_DNS_RESET}"
+ d.add RestoreOnWINSReset "${ARG_RESTORE_ON_WINS_RESET}"
+ d.add IgnoreOptionFlags "${ARG_IGNORE_OPTION_FLAGS}"
+ d.add IsTapInterface "${ARG_TAP}"
+ d.add FlushDNSCache "${ARG_FLUSH_DNS_CACHE}"
+ d.add ResetPrimaryInterface "${ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT}"
+ d.add RouteGatewayIsDhcp "${bRouteGatewayIsDhcp}"
+ d.add bAlsoUsingSetupKeys "${bAlsoUsingSetupKeys}"
+ d.add TapDeviceHasBeenSetNone "false"
+ d.add TunnelDevice "$dev"
+ d.add RestoreIpv6Services "$ipv6_disabled_services_encoded"
+ set State:/Network/OpenVPN
+
+ # Back up the device's current DNS and SMB configurations,
+ # Indicate 'no such key' by a dictionary with a single entry: "BitmaskNoSuchKey : true"
+ # If there isn't a key, "BitmaskNoSuchKey : true" won't be removed.
+ # If there is a key, "BitmaskNoSuchKey : true" will be removed and the key's contents will be used
+
+ d.init
+ d.add BitmaskNoSuchKey true
+ get State:/Network/Service/${PSID}/DNS
+ set State:/Network/OpenVPN/OldDNS
+
+ d.init
+ d.add BitmaskNoSuchKey true
+ get Setup:/Network/Service/${PSID}/DNS
+ set State:/Network/OpenVPN/OldDNSSetup
+
+ d.init
+ d.add BitmaskNoSuchKey true
+ get State:/Network/Service/${PSID}/SMB
+ set State:/Network/OpenVPN/OldSMB
+
+ # Initialize the new DNS map via State:
+ ${SKP_DNS}d.init
+ ${SKP_DNS}${SKP_DNS_SA}d.add ServerAddresses * ${FIN_DNS_SA}
+ ${SKP_DNS}${SKP_DNS_SD}d.add SearchDomains * ${FIN_DNS_SD}
+ ${SKP_DNS}${SKP_DNS_DN}d.add DomainName ${FIN_DNS_DN}
+ ${SKP_DNS}set State:/Network/Service/${PSID}/DNS
+
+ # If necessary, initialize the new DNS map via Setup: also
+ ${SKP_SETUP_DNS}${SKP_DNS}d.init
+ ${SKP_SETUP_DNS}${SKP_DNS}${SKP_DNS_SA}d.add ServerAddresses * ${FIN_DNS_SA}
+ ${SKP_SETUP_DNS}${SKP_DNS}${SKP_DNS_SD}d.add SearchDomains * ${FIN_DNS_SD}
+ ${SKP_SETUP_DNS}${SKP_DNS}${SKP_DNS_DN}d.add DomainName ${FIN_DNS_DN}
+ ${SKP_SETUP_DNS}${SKP_DNS}set Setup:/Network/Service/${PSID}/DNS
+
+ # Initialize the SMB map
+ ${SKP_SMB}d.init
+ ${SKP_SMB}${SKP_SMB_NN}d.add NetBIOSName ${FIN_SMB_NN}
+ ${SKP_SMB}${SKP_SMB_WG}d.add Workgroup ${FIN_SMB_WG}
+ ${SKP_SMB}${SKP_SMB_WA}d.add WINSAddresses * ${FIN_SMB_WA}
+ ${SKP_SMB}set State:/Network/Service/${PSID}/SMB
+
+ quit
+EOF
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: Pause for configuration changes to be propagated to State:/Network/Global/DNS and .../SMB"
+ sleep 1
+
+ scutil <<-EOF > /dev/null
+ open
+
+ # Initialize the maps that will be compared when a configuration change occurs
+ d.init
+ d.add BitmaskNoSuchKey true
+ get State:/Network/Global/DNS
+ set State:/Network/OpenVPN/DNS
+
+ d.init
+ d.add BitmaskNoSuchKey true
+ get State:/Network/Global/SMB
+ set State:/Network/OpenVPN/SMB
+
+ quit
+EOF
+
+ readonly NEW_DNS_SETUP_CONFIG="$( scutil <<-EOF |
+ open
+ show Setup:/Network/Service/${PSID}/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly NEW_SMB_SETUP_CONFIG="$( scutil <<-EOF |
+ open
+ show Setup:/Network/Service/${PSID}/SMB
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly NEW_DNS_STATE_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Service/${PSID}/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly NEW_SMB_STATE_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Service/${PSID}/SMB
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly NEW_DNS_GLOBAL_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly NEW_SMB_GLOBAL_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/SMB
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly EXPECTED_NEW_DNS_GLOBAL_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/OpenVPN/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+ readonly EXPECTED_NEW_SMB_GLOBAL_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/OpenVPN/SMB
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+
+
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: Configurations as read back after changes:"
+ logDebugMessage "DEBUG: State:/.../DNS = ${NEW_DNS_STATE_CONFIG}"
+ logDebugMessage "DEBUG: State:/.../SMB = ${NEW_SMB_STATE_CONFIG}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: Setup:/.../DNS = ${NEW_DNS_SETUP_CONFIG}"
+ logDebugMessage "DEBUG: Setup:/.../SMB = ${NEW_SMB_SETUP_CONFIG}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: State:/Network/Global/DNS = ${NEW_DNS_GLOBAL_CONFIG}"
+ logDebugMessage "DEBUG: State:/Network/Global/SMB = ${NEW_SMB_GLOBAL_CONFIG}"
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: Expected by process-network-changes:"
+ logDebugMessage "DEBUG: State:/Network/OpenVPN/DNS = ${EXPECTED_NEW_DNS_GLOBAL_CONFIG}"
+ logDebugMessage "DEBUG: State:/Network/OpenVPN/SMB = ${EXPECTED_NEW_SMB_GLOBAL_CONFIG}"
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail if not found
+ new_resolver_contents="$( grep -v '#' < /etc/resolv.conf )"
+ set -e # resume abort on error
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: /etc/resolve = ${new_resolver_contents}"
+ logDebugMessage "DEBUG:"
+
+ set +e # scutil --dns will return error status in case dns is already down, so don't fail if no dns found
+ scutil_dns="$( scutil --dns )"
+ set -e # resume abort on error
+ logDebugMessage "DEBUG:"
+ logDebugMessage "DEBUG: scutil --dns AFTER CHANGES = ${scutil_dns}"
+ logDebugMessage "DEBUG:"
+
+ logMessage "Saved the DNS and SMB configurations so they can be restored"
+
+ logChange "${SKP_DNS}${SKP_DNS_SA}" "DNS ServerAddresses" "${FIN_DNS_SA}" "${CUR_DNS_SA}"
+ logChange "${SKP_DNS}${SKP_DNS_SD}" "DNS SearchDomains" "${FIN_DNS_SD}" "${CUR_DNS_SD}"
+ logChange "${SKP_DNS}${SKP_DNS_DN}" "DNS DomainName" "${FIN_DNS_DN}" "${CUR_DNS_DN}"
+ logChange "${SKP_SMB}${SKP_SMB_NN}" "SMB NetBIOSName" "${FIN_SMB_SA}" "${CUR_SMB_SA}"
+ logChange "${SKP_SMB}${SKP_SMB_WG}" "SMB Workgroup" "${FIN_SMB_WG}" "${CUR_SMB_WG}"
+ logChange "${SKP_SMB}${SKP_SMB_WA}" "SMB WINSAddresses" "${FIN_SMB_WA}" "${CUR_SMB_WA}"
+
+ logDnsInfo "${MAN_DNS_SA}" "${FIN_DNS_SA}"
+
+ flushDNSCache
+
+ if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ if [ "${ARG_IGNORE_OPTION_FLAGS:0:2}" = "-p" ] ; then
+ logMessage "Setting up to monitor system configuration with process-network-changes"
+ else
+ logMessage "Setting up to monitor system configuration with leasewatch"
+ fi
+ if [ "${LEASEWATCHER_TEMPLATE_PATH}" != "" ] ; then
+ sed -e "s|/Applications/Bitmask/.app/Contents/Resources|${TB_RESOURCES_PATH}|g" "${LEASEWATCHER_TEMPLATE_PATH}" > "${LEASEWATCHER_PLIST_PATH}"
+ fi
+ launchctl load "${LEASEWATCHER_PLIST_PATH}"
+ fi
+}
+
+##########################################################################################
+# Used for TAP device which does DHCP
+configureDhcpDns()
+{
+ # whilst ipconfig will have created the neccessary Network Service keys, the DNS
+ # settings won't actually be used by OS X unless the SupplementalMatchDomains key
+ # is added
+ # ref. <http://lists.apple.com/archives/Macnetworkprog/2005/Jun/msg00011.html>
+ # - is there a way to extract the domains from the SC dictionary and re-insert
+ # as SupplementalMatchDomains? i.e. not requiring the ipconfig domain_name call?
+
+ # - wait until we get a lease before extracting the DNS domain name and merging into SC
+ # - despite it's name, ipconfig waitall doesn't (but maybe one day it will :-)
+ logDebugMessage "DEBUG: About to 'ipconfig waitall'"
+ ipconfig waitall
+ logDebugMessage "DEBUG: Completed 'ipconfig waitall'"
+
+ unset test_domain_name
+ unset test_name_server
+
+ set +e # We instruct bash NOT to exit on individual command errors, because if we need to wait longer these commands will fail
+
+ # usually takes at least a few seconds to get a DHCP lease
+ sleep 3
+ n=0
+ while [ -z "$test_domain_name" -a -z "$test_name_server" -a $n -lt 5 ]
+ do
+ logMessage "Sleeping for $n seconds to wait for DHCP to finish setup."
+ sleep $n
+ n="$( expr $n + 1 )"
+
+ if [ -z "$test_domain_name" ]; then
+ test_domain_name="$( ipconfig getoption "$dev" domain_name 2>/dev/null )"
+ fi
+
+ if [ -z "$test_name_server" ]; then
+ test_name_server="$( ipconfig getoption "$dev" domain_name_server 2>/dev/null )"
+ fi
+ done
+
+ logDebugMessage "DEBUG: Finished waiting for DHCP lease: test_domain_name = '$test_domain_name', test_name_server = '$test_name_server'"
+
+ logDebugMessage "DEBUG: About to 'ipconfig getpacket $dev'"
+ sGetPacketOutput="$( ipconfig getpacket "$dev" )"
+ logDebugMessage "DEBUG: Completed 'ipconfig getpacket $dev'; sGetPacketOutput = $sGetPacketOutput"
+
+ set -e # We instruct bash that it CAN again fail on individual errors
+
+ unset aNameServers
+ unset aWinsServers
+ unset aSearchDomains
+
+ nNameServerIndex=1
+ nWinsServerIndex=1
+ nSearchDomainIndex=1
+
+ if [ "$sGetPacketOutput" ]; then
+ sGetPacketOutput_FirstLine="$( echo "$sGetPacketOutput" | head -n 1 )"
+ logDebugMessage "DEBUG: sGetPacketOutput_FirstLine = $sGetPacketOutput_FirstLine"
+
+ if [ "$sGetPacketOutput_FirstLine" == "op = BOOTREPLY" ]; then
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+
+ for tNameServer in $( echo "$sGetPacketOutput" | grep "domain_name_server" | grep -Eo "\{([0-9\.]+)(, [0-9\.]+)*\}" | grep -Eo "([0-9\.]+)" ); do
+ aNameServers[nNameServerIndex-1]="$( trim "$tNameServer" )"
+ let nNameServerIndex++
+ done
+
+ for tWINSServer in $( echo "$sGetPacketOutput" | grep "nb_over_tcpip_name_server" | grep -Eo "\{([0-9\.]+)(, [0-9\.]+)*\}" | grep -Eo "([0-9\.]+)" ); do
+ aWinsServers[nWinsServerIndex-1]="$( trim "$tWINSServer" )"
+ let nWinsServerIndex++
+ done
+
+ for tSearchDomain in $( echo "$sGetPacketOutput" | grep "search_domain" | grep -Eo "\{([-A-Za-z0-9\-\.]+)(, [-A-Za-z0-9\-\.]+)*\}" | grep -Eo "([-A-Za-z0-9\-\.]+)" ); do
+ aSearchDomains[nSearchDomainIndex-1]="$( trim "$tSearchDomain" )"
+ let nSearchDomainIndex++
+ done
+
+ sDomainName="$( echo "$sGetPacketOutput" | grep "domain_name " | grep -Eo ": [-A-Za-z0-9\-\.]+" | grep -Eo "[-A-Za-z0-9\-\.]+" )"
+ sDomainName="$( trim "$sDomainName" )"
+
+ if [ ${#aNameServers[*]} -gt 0 -a "$sDomainName" ]; then
+ logMessage "Retrieved from DHCP/BOOTP packet: name server(s) [ ${aNameServers[@]} ], domain name [ $sDomainName ], search domain(s) [ ${aSearchDomains[@]} ] and SMB server(s) [ ${aWinsServers[@]} ]"
+ setDnsServersAndDomainName aNameServers[@] "$sDomainName" aWinsServers[@] aSearchDomains[@]
+ return 0
+ elif [ ${#aNameServers[*]} -gt 0 ]; then
+ logMessage "Retrieved from DHCP/BOOTP packet: name server(s) [ ${aNameServers[@]} ], search domain(s) [ ${aSearchDomains[@]} ] and SMB server(s) [ ${aWinsServers[@]} ] and using default domain name [ $DEFAULT_DOMAIN_NAME ]"
+ setDnsServersAndDomainName aNameServers[@] "$DEFAULT_DOMAIN_NAME" aWinsServers[@] aSearchDomains[@]
+ return 0
+ else
+ # Should we return 1 here and indicate an error, or attempt the old method?
+ logMessage "No useful information extracted from DHCP/BOOTP packet. Attempting legacy configuration."
+ fi
+
+ set -e # We instruct bash that it CAN again fail on errors
+ else
+ # Should we return 1 here and indicate an error, or attempt the old method?
+ logMessage "No DHCP/BOOTP packet found on interface. Attempting legacy configuration."
+ fi
+ fi
+
+ unset sDomainName
+ unset sNameServer
+ unset aNameServers
+
+ set +e # We instruct bash NOT to exit on individual command errors, because if we need to wait longer these commands will fail
+
+ logDebugMessage "DEBUG: About to 'ipconfig getoption $dev domain_name'"
+ sDomainName="$( ipconfig getoption "$dev" domain_name 2>/dev/null )"
+ logDebugMessage "DEBUG: Completed 'ipconfig getoption $dev domain_name'"
+ logDebugMessage "DEBUG: About to 'ipconfig getoption $dev domain_name_server'"
+ sNameServer="$( ipconfig getoption "$dev" domain_name_server 2>/dev/null )"
+ logDebugMessage "DEBUG: Completed 'ipconfig getoption $dev domain_name_server'"
+
+ set -e # We instruct bash that it CAN again fail on individual errors
+
+ sDomainName="$( trim "$sDomainName" )"
+ sNameServer="$( trim "$sNameServer" )"
+
+ declare -a aWinsServers=( ) # Declare empty WINSServers array to avoid any useless error messages
+ declare -a aSearchDomains=( ) # Declare empty SearchDomains array to avoid any useless error messages
+
+ if [ "$sDomainName" -a "$sNameServer" ]; then
+ aNameServers[0]=$sNameServer
+ logMessage "Retrieved OpenVPN (DHCP): name server [ $sNameServer ], domain name [ $sDomainName ], and no SMB servers or search domains"
+ setDnsServersAndDomainName aNameServers[@] "$sDomainName" aWinsServers[@] aSearchDomains[@]
+ elif [ "$sNameServer" ]; then
+ aNameServers[0]=$sNameServer
+ logMessage "Retrieved OpenVPN (DHCP): name server [ $sNameServer ] and no SMB servers or search domains, and using default domain name [ $DEFAULT_DOMAIN_NAME ]"
+ setDnsServersAndDomainName aNameServers[@] "$DEFAULT_DOMAIN_NAME" aWinsServers[@] aSearchDomains[@]
+ elif [ "$sDomainName" ]; then
+ logMessage "WARNING: Retrieved domain name [ $sDomainName ] but no name servers from OpenVPN via DHCP, which is not sufficient to make network/DNS configuration changes."
+ if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ logMessage "WARNING: Will NOT monitor for other network configuration changes."
+ fi
+ logDnsInfoNoChanges
+ flushDNSCache
+ else
+ logMessage "WARNING: No DNS information received from OpenVPN via DHCP, so no network/DNS configuration changes need to be made."
+ if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ logMessage "WARNING: Will NOT monitor for other network configuration changes."
+ fi
+ logDnsInfoNoChanges
+ flushDNSCache
+ fi
+
+ return 0
+}
+
+##########################################################################################
+# Configures using OpenVPN foreign_option_* instead of DHCP
+
+configureOpenVpnDns()
+{
+# Description of foreign_option_ parameters (from OpenVPN 2.3-alpha_2 man page):
+#
+# DOMAIN name -- Set Connection-specific DNS Suffix.
+#
+# DOMAIN-SEARCH name -- Set Connection-specific DNS Search Address. Repeat this option to
+# set additional search domains. (Bitmask-specific addition.)
+#
+# DNS addr -- Set primary domain name server address. Repeat this option to set
+# secondary DNS server addresses.
+#
+# WINS addr -- Set primary WINS server address (NetBIOS over TCP/IP Name Server).
+# Repeat this option to set secondary WINS server addresses.
+#
+# NBDD addr -- Set primary NBDD server address (NetBIOS over TCP/IP Datagram Distribution Server)
+# Repeat this option to set secondary NBDD server addresses.
+#
+# NTP addr -- Set primary NTP server address (Network Time Protocol). Repeat this option
+# to set secondary NTP server addresses.
+#
+# NBT type -- Set NetBIOS over TCP/IP Node type. Possible options: 1 = b-node
+# (broadcasts), 2 = p-node (point-to-point name queries to a WINS server), 4 = m-
+# node (broadcast then query name server), and 8 = h-node (query name server, then
+# broadcast).
+#
+# NBS scope-id -- Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an
+# extended naming service for the NetBIOS over TCP/IP (Known as NBT) module. The
+# primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single
+# network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID
+# is a character string that is appended to the NetBIOS name. The NetBIOS scope ID
+# on two hosts must match, or the two hosts will not be able to communicate. The
+# NetBIOS Scope ID also allows computers to use the same computer name, as they have
+# different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the
+# name unique. (This description of NetBIOS scopes courtesy of NeonSurge@abyss.com)
+#
+#DISABLE-NBT -- Disable Netbios-over-TCP/IP.
+
+ unset vForOptions
+ unset vOptions
+ unset aNameServers
+ unset aWinsServers
+ unset aSearchDomains
+
+ nOptionIndex=1
+ nNameServerIndex=1
+ nWinsServerIndex=1
+ nSearchDomainIndex=1
+
+ while vForOptions=foreign_option_$nOptionIndex; [ -n "${!vForOptions}" ]; do
+ vOptions[nOptionIndex-1]=${!vForOptions}
+ case ${vOptions[nOptionIndex-1]} in
+ *DOMAIN-SEARCH* )
+ aSearchDomains[nSearchDomainIndex-1]="$( trim "${vOptions[nOptionIndex-1]//dhcp-option DOMAIN-SEARCH /}" )"
+ let nSearchDomainIndex++
+ ;;
+ *DOMAIN* )
+ sDomainName="$( trim "${vOptions[nOptionIndex-1]//dhcp-option DOMAIN /}" )"
+ ;;
+ *DNS* )
+ aNameServers[nNameServerIndex-1]="$( trim "${vOptions[nOptionIndex-1]//dhcp-option DNS /}" )"
+ let nNameServerIndex++
+ ;;
+ *WINS* )
+ aWinsServers[nWinsServerIndex-1]="$( trim "${vOptions[nOptionIndex-1]//dhcp-option WINS /}" )"
+ let nWinsServerIndex++
+ ;;
+ * )
+ logMessage "WARNING: 'foreign_option_${nOptionIndex}' = '${vOptions[nOptionIndex-1]}' ignored"
+ ;;
+ esac
+ let nOptionIndex++
+ done
+
+ if [ ${#aNameServers[*]} -gt 0 -a "$sDomainName" ]; then
+ logMessage "Retrieved from OpenVPN: name server(s) [ ${aNameServers[@]} ], domain name [ $sDomainName ], search domain(s) [ ${aSearchDomains[@]} ], and SMB server(s) [ ${aWinsServers[@]} ]"
+ setDnsServersAndDomainName aNameServers[@] "$sDomainName" aWinsServers[@] aSearchDomains[@]
+ elif [ ${#aNameServers[*]} -gt 0 ]; then
+ logMessage "Retrieved from OpenVPN: name server(s) [ ${aNameServers[@]} ], search domain(s) [ ${aSearchDomains[@]} ] and SMB server(s) [ ${aWinsServers[@]} ] and using default domain name [ $DEFAULT_DOMAIN_NAME ]"
+ setDnsServersAndDomainName aNameServers[@] "$DEFAULT_DOMAIN_NAME" aWinsServers[@] aSearchDomains[@]
+ else
+ logMessage "WARNING: No DNS information received from OpenVPN, so no network configuration changes need to be made."
+ if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ logMessage "WARNING: Will NOT monitor for other network configuration changes."
+ fi
+ logDnsInfoNoChanges
+ flushDNSCache
+ fi
+
+ return 0
+}
+
+##########################################################################################
+flushDNSCache()
+{
+ if ${ARG_FLUSH_DNS_CACHE} ; then
+ if [ "${OSVER}" = "10.4" ] ; then
+
+ if [ -f /usr/sbin/lookupd ] ; then
+ set +e # we will catch errors from lookupd
+ /usr/sbin/lookupd -flushcache
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via lookupd"
+ else
+ logMessage "Flushed the DNS cache via lookupd"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "WARNING: /usr/sbin/lookupd not present. Not flushing the DNS cache"
+ fi
+
+ else
+
+ if [ -f /usr/bin/dscacheutil ] ; then
+ set +e # we will catch errors from dscacheutil
+ /usr/bin/dscacheutil -flushcache
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via dscacheutil"
+ else
+ logMessage "Flushed the DNS cache via dscacheutil"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "WARNING: /usr/bin/dscacheutil not present. Not flushing the DNS cache via dscacheutil"
+ fi
+
+ if [ -f /usr/sbin/discoveryutil ] ; then
+ set +e # we will catch errors from discoveryutil
+ /usr/sbin/discoveryutil udnsflushcaches
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via discoveryutil udnsflushcaches"
+ else
+ logMessage "Flushed the DNS cache via discoveryutil udnsflushcaches"
+ fi
+ /usr/sbin/discoveryutil mdnsflushcache
+ if [ $? != 0 ] ; then
+ logMessage "WARNING: Unable to flush the DNS cache via discoveryutil mdnsflushcache"
+ else
+ logMessage "Flushed the DNS cache via discoveryutil mdnsflushcache"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil"
+ fi
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+ hands_off_ps="$( ps -ax | grep HandsOffDaemon | grep -v grep.HandsOffDaemon )"
+ set -e # We instruct bash that it CAN again fail on errors
+ if [ "${hands_off_ps}" = "" ] ; then
+ if [ -f /usr/bin/killall ] ; then
+ set +e # ignore errors if mDNSResponder isn't currently running
+ /usr/bin/killall -HUP mDNSResponder
+ if [ $? != 0 ] ; then
+ logMessage "mDNSResponder not running. Not notifying it that the DNS cache was flushed"
+ else
+ logMessage "Notified mDNSResponder that the DNS cache was flushed"
+ fi
+ set -e # bash should again fail on errors
+ else
+ logMessage "WARNING: /usr/bin/killall not present. Not notifying mDNSResponder that the DNS cache was flushed"
+ fi
+ else
+ logMessage "WARNING: Hands Off is running. Not notifying mDNSResponder that the DNS cache was flushed"
+ fi
+
+ fi
+ fi
+}
+
+
+##########################################################################################
+# log information about the DNS settings
+# @param String Manual DNS_SA
+# @param String New DNS_SA
+logDnsInfo() {
+
+ log_dns_info_manual_dns_sa="$1"
+ log_dns_info_new_dns_sa="$2"
+
+ if [ "${log_dns_info_manual_dns_sa}" != "" ] ; then
+ logMessage "DNS servers '${log_dns_info_manual_dns_sa}' were set manually"
+ if [ "${log_dns_info_manual_dns_sa}" != "${log_dns_info_new_dns_sa}" ] ; then
+ logMessage "WARNING: that setting is being ignored by OS X; '${log_dns_info_new_dns_sa}' is being used."
+ fi
+ fi
+
+ if [ "${log_dns_info_new_dns_sa}" != "" ] ; then
+ logMessage "DNS servers '${log_dns_info_new_dns_sa}' will be used for DNS queries when the VPN is active"
+ if [ "${log_dns_info_new_dns_sa}" == "127.0.0.1" ] ; then
+ logMessage "NOTE: DNS server 127.0.0.1 often is used inside virtual machines (e.g., 'VirtualBox', 'Parallels', or 'VMWare'). The actual VPN server may be specified by the host machine. This DNS server setting may cause DNS queries to fail or be intercepted or falsified. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems."
+ else
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+ serversContainLoopback="$( echo "${log_dns_info_new_dns_sa}" | grep "127.0.0.1" )"
+ set -e # We instruct bash that it CAN again fail on errors
+ if [ "${serversContainLoopback}" != "" ] ; then
+ logMessage "NOTE: DNS server 127.0.0.1 often is used inside virtual machines (e.g., 'VirtualBox', 'Parallels', or 'VMWare'). The actual VPN server may be specified by the host machine. If used, 127.0.0.1 may cause DNS queries to fail or be intercepted or falsified. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems."
+ else
+ readonly knownPublicDnsServers="$( cat "${FREE_PUBLIC_DNS_SERVERS_LIST_PATH}" )"
+ knownDnsServerNotFound="true"
+ unknownDnsServerFound="false"
+ for server in ${log_dns_info_new_dns_sa} ; do
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+ serverIsKnown="$( echo "${knownPublicDnsServers}" | grep "${server}" )"
+ set -e # We instruct bash that it CAN again fail on errors
+ if [ "${serverIsKnown}" != "" ] ; then
+ knownDnsServerNotFound="false"
+ else
+ unknownDnsServerFound="true"
+ fi
+ done
+ if ${knownDnsServerNotFound} ; then
+ logMessage "NOTE: The DNS servers do not include any free public DNS servers known to Bitmask. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems."
+ else
+ if ${unknownDnsServerFound} ; then
+ logMessage "NOTE: The DNS servers include one or more free public DNS servers known to Bitmask and one or more DNS servers not known to Bitmask. If used, the DNS servers not known to Bitmask may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems."
+ else
+ logMessage "The DNS servers include only free public DNS servers known to Bitmask."
+ fi
+ fi
+ fi
+ fi
+ else
+ logMessage "WARNING: There are no DNS servers in this computer's new network configuration. This computer or a DHCP server that this computer uses may be configured incorrectly."
+ fi
+}
+
+logDnsInfoNoChanges() {
+# log information about DNS settings if they are not changing
+
+ set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+
+ PSID="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/IPv4
+ quit
+EOF
+grep PrimaryService | sed -e 's/.*PrimaryService : //'
+)"
+
+ readonly LOGDNSINFO_MAN_DNS_CONFIG="$( scutil <<-EOF |
+ open
+ show Setup:/Network/Service/${PSID}/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+
+ readonly LOGDNSINFO_CUR_DNS_CONFIG="$( scutil <<-EOF |
+ open
+ show State:/Network/Global/DNS
+ quit
+EOF
+sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' '
+)"
+
+ if echo "${LOGDNSINFO_MAN_DNS_CONFIG}" | grep -q "ServerAddresses" ; then
+ readonly LOGDNSINFO_MAN_DNS_SA="$( trim "$( echo "${LOGDNSINFO_MAN_DNS_CONFIG}" | sed -e 's/^.*ServerAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )" )"
+ else
+ readonly LOGDNSINFO_MAN_DNS_SA="";
+ fi
+
+ if echo "${LOGDNSINFO_CUR_DNS_CONFIG}" | grep -q "ServerAddresses" ; then
+ readonly LOGDNSINFO_CUR_DNS_SA="$( trim "$( echo "${LOGDNSINFO_CUR_DNS_CONFIG}" | sed -e 's/^.*ServerAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )" )"
+ else
+ readonly LOGDNSINFO_CUR_DNS_SA="";
+ fi
+
+ set -e # resume abort on error
+
+ logDnsInfo "${LOGDNSINFO_MAN_DNS_SA}" "${LOGDNSINFO_CUR_DNS_SA}"
+}
+
+##########################################################################################
+#
+# START OF SCRIPT
+#
+##########################################################################################
+
+trap "" TSTP
+trap "" HUP
+trap "" INT
+export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
+
+readonly OUR_NAME="$( basename "${0}" )"
+
+logMessage "**********************************************"
+logMessage "Start of output from ${OUR_NAME}"
+
+# Process optional arguments (if any) for the script
+# Each one begins with a "-"
+# They come from Bitmask, and come first, before the OpenVPN arguments
+# So we set ARG_ script variables to their values and shift them out of the argument list
+# When we're done, only the OpenVPN arguments remain for the rest of the script to use
+ARG_TAP="false"
+ARG_WAIT_FOR_DHCP_IF_TAP="false"
+ARG_RESTORE_ON_DNS_RESET="false"
+ARG_FLUSH_DNS_CACHE="false"
+ARG_IGNORE_OPTION_FLAGS=""
+ARG_EXTRA_LOGGING="false"
+ARG_MONITOR_NETWORK_CONFIGURATION="false"
+ARG_DO_NO_USE_DEFAULT_DOMAIN="false"
+ARG_PREPEND_DOMAIN_NAME="false"
+ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT="false"
+ARG_TB_PATH="/Applications/Bitmask.app"
+ARG_RESTORE_ON_WINS_RESET="false"
+ARG_DISABLE_IPV6_ON_TUN="false"
+ARG_ENABLE_IPV6_ON_TAP="false"
+
+# Handle the arguments we know about by setting ARG_ script variables to their values, then shift them out
+while [ {$#} ] ; do
+ if [ "$1" = "-6" ] ; then # -6 = ARG_ENABLE_IPV6_ON_TAP (for TAP connections only)
+ ARG_ENABLE_IPV6_ON_TAP="true"
+ shift
+ elif [ "$1" = "-9" ] ; then # -9 = ARG_DISABLE_IPV6_ON_TUN (for TUN connections only)
+ ARG_DISABLE_IPV6_ON_TUN="true"
+ shift
+ elif [ "$1" = "-a" ] ; then # -a = ARG_TAP
+ ARG_TAP="true"
+ shift
+ elif [ "$1" = "-b" ] ; then # -b = ARG_WAIT_FOR_DHCP_IF_TAP
+ ARG_WAIT_FOR_DHCP_IF_TAP="true"
+ shift
+ elif [ "$1" = "-d" ] ; then # -d = ARG_RESTORE_ON_DNS_RESET
+ ARG_RESTORE_ON_DNS_RESET="true"
+ shift
+ elif [ "$1" = "-f" ] ; then # -f = ARG_FLUSH_DNS_CACHE
+ ARG_FLUSH_DNS_CACHE="true"
+ shift
+ elif [ "${1:0:2}" = "-i" ] ; then # -i arguments are for leasewatcher
+ ARG_IGNORE_OPTION_FLAGS="${1}"
+ shift
+ elif [ "$1" = "-l" ] ; then # -l = ARG_EXTRA_LOGGING
+ ARG_EXTRA_LOGGING="true"
+ shift
+ elif [ "$1" = "-m" ] ; then # -m = ARG_MONITOR_NETWORK_CONFIGURATION
+ ARG_MONITOR_NETWORK_CONFIGURATION="true"
+ shift
+ elif [ "$1" = "-n" ] ; then # -n = ARG_DO_NO_USE_DEFAULT_DOMAIN
+ ARG_DO_NO_USE_DEFAULT_DOMAIN="true"
+ shift
+ elif [ "$1" = "-p" ] ; then # -p = ARG_PREPEND_DOMAIN_NAME
+ ARG_PREPEND_DOMAIN_NAME="true"
+ shift
+ elif [ "${1:0:2}" = "-p" ] ; then # -p arguments are for process-network-changes
+ ARG_IGNORE_OPTION_FLAGS="${1}"
+ shift
+ elif [ "$1" = "-r" ] ; then # -r = ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT
+ ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT="true"
+ shift
+ elif [ "${1:0:2}" = "-t" ] ; then
+ ARG_TB_PATH="${1:2}" # -t path of Bitmask.app
+ shift
+ elif [ "$1" = "-w" ] ; then # -w = ARG_RESTORE_ON_WINS_RESET
+ ARG_RESTORE_ON_WINS_RESET="true"
+ shift
+ else
+ if [ "${1:0:1}" = "-" ] ; then # Shift out Bitmask arguments (they start with "-") that we don't understand
+ shift # so the rest of the script sees only the OpenVPN arguments
+ else
+ break
+ fi
+ fi
+done
+
+readonly ARG_MONITOR_NETWORK_CONFIGURATION ARG_RESTORE_ON_DNS_RESET ARG_RESTORE_ON_WINS_RESET ARG_TAP ARG_PREPEND_DOMAIN_NAME ARG_FLUSH_DNS_CACHE ARG_RESET_PRIMARY_INTERFACE_ON_DISCONNECT ARG_IGNORE_OPTION_FLAGS
+
+# Note: The script log path name is constructed from the path of the regular config file, not the shadow copy
+# if the config is shadow copy, e.g. /Library/Application Support/Bitmask/Users/Jonathan/Folder/Subfolder/config.ovpn
+# then convert to regular config /Users/Jonathan/Library/Application Support/Bitmask/Configurations/Folder/Subfolder/config.ovpn
+# to get the script log path
+# Note: "/Users/..." works even if the home directory has a different path; it is used in the name of the log file, and is not used as a path to get to anything.
+readonly TBALTPREFIX="/Library/Application Support/Bitmask/Users/"
+readonly TBALTPREFIXLEN="${#TBALTPREFIX}"
+readonly TBCONFIGSTART="${config:0:$TBALTPREFIXLEN}"
+if [ "$TBCONFIGSTART" = "$TBALTPREFIX" ] ; then
+ readonly TBBASE="${config:$TBALTPREFIXLEN}"
+ readonly TBSUFFIX="${TBBASE#*/}"
+ readonly TBUSERNAME="${TBBASE%%/*}"
+ readonly TBCONFIG="/Users/$TBUSERNAME/Library/Application Support/Bitmask/Configurations/$TBSUFFIX"
+else
+ readonly TBCONFIG="${config}"
+fi
+
+readonly CONFIG_PATH_DASHES_SLASHES="$( echo "${TBCONFIG}" | sed -e 's/-/--/g' | sed -e 's/\//-S/g' )"
+readonly SCRIPT_LOG_FILE="/Library/Application Support/Bitmask/Logs/${CONFIG_PATH_DASHES_SLASHES}.script.log"
+
+readonly TB_RESOURCES_PATH="${ARG_TB_PATH}/Contents/Resources"
+readonly FREE_PUBLIC_DNS_SERVERS_LIST_PATH="${TB_RESOURCES_PATH}/FreePublicDnsServersList.txt"
+
+# These scripts use a launchd .plist to set up to monitor the network configuration.
+#
+# If Bitmask.app is located in /Applications, we load the launchd .plist directly from within the .app.
+#
+# If Bitmask.app is not located in /Applications (i.e., we are debugging), we create a modified version of the launchd .plist and use
+# that modified copy in the 'launchctl load' command. (The modification is that the path to process-network-changes or leasewatch program
+# in the .plist is changed to point to the copy of the program that is inside the running Bitmask.)
+#
+# The variables involved in this are set up here:
+#
+# LEASEWATCHER_PLIST_PATH is the path of the .plist to use in the 'launchctl load' command
+# LEASEWATCHER_TEMPLATE_PATH is an empty string if we load the .plist directly from within the .app,
+# or it is the path to the original .plist inside the .app which we copy and modify
+# REMOVE_LEASEWATCHER_PLIST is "true" if a modified .plist was used and should be deleted after it is unloaded
+# or "false' if the plist was loaded directly from the .app
+#
+# LEASEWATCHER_PLIST_PATH and REMOVE_LEASEWATCHER_PLIST are passed to the other scripts via the scutil State:/Network/OpenVPN mechanism
+
+if [ "${ARG_IGNORE_OPTION_FLAGS:0:2}" = "-p" ] ; then
+ readonly LEASEWATCHER_PLIST="ProcessNetworkChanges.plist"
+else
+ readonly LEASEWATCHER_PLIST="LeaseWatch.plist"
+fi
+if [ "${ARG_TB_PATH}" = "/Applications/Bitmask.app" ] ; then
+ readonly LEASEWATCHER_PLIST_PATH="${TB_RESOURCES_PATH}/${LEASEWATCHER_PLIST}"
+ readonly LEASEWATCHER_TEMPLATE_PATH=""
+ readonly REMOVE_LEASEWATCHER_PLIST="false"
+else
+ readonly LEASEWATCHER_PLIST_PATH="/Library/Application Support/Bitmask/${LEASEWATCHER_PLIST}"
+ readonly LEASEWATCHER_TEMPLATE_PATH="${TB_RESOURCES_PATH}/${LEASEWATCHER_PLIST}"
+ readonly REMOVE_LEASEWATCHER_PLIST="true"
+fi
+
+set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
+readonly OSVER="$( sw_vers | grep 'ProductVersion:' | grep -o '10\.[0-9]*' )"
+set -e # We instruct bash that it CAN again fail on errors
+
+if ${ARG_DO_NO_USE_DEFAULT_DOMAIN} ; then
+ readonly DEFAULT_DOMAIN_NAME=""
+else
+ readonly DEFAULT_DOMAIN_NAME="openvpn"
+fi
+
+bRouteGatewayIsDhcp="false"
+
+# We sleep to allow time for OS X to process network settings
+sleep 2
+
+EXIT_CODE=0
+
+if ${ARG_TAP} ; then
+
+ # IPv6 should be re-enabled only for TUN, not TAP
+ readonly ipv6_disabled_services=""
+ readonly ipv6_disabled_services_encoded=""
+
+ # Still need to do: Look for route-gateway dhcp (TAP isn't always DHCP)
+ bRouteGatewayIsDhcp="false"
+ if [ -z "${route_vpn_gateway}" -o "$route_vpn_gateway" == "dhcp" -o "$route_vpn_gateway" == "DHCP" ]; then
+ bRouteGatewayIsDhcp="true"
+ fi
+
+ if [ "$bRouteGatewayIsDhcp" == "true" ]; then
+ logDebugMessage "DEBUG: bRouteGatewayIsDhcp is TRUE"
+ if [ -z "$dev" ]; then
+ logMessage "ERROR: Cannot configure TAP interface for DHCP without \$dev being defined. Exiting."
+ # We don't create the "/tmp/bitmask-downscript-needs-to-be-run.txt" file, because the down script does NOT need to be run since we didn't do anything
+ logMessage "End of output from ${OUR_NAME}"
+ logMessage "**********************************************"
+ exit 1
+ fi
+
+ logDebugMessage "DEBUG: About to 'ipconfig set \"$dev\" DHCP"
+ ipconfig set "$dev" DHCP
+ logMessage "Did 'ipconfig set \"$dev\" DHCP'"
+
+ if ${ARG_ENABLE_IPV6_ON_TAP} ; then
+ ipconfig set "$dev" AUTOMATIC-V6
+ logMessage "Did 'ipconfig set \"$dev\" AUTOMATIC-V6'"
+ fi
+
+ if ${ARG_WAIT_FOR_DHCP_IF_TAP} ; then
+ logMessage "Configuring tap DNS via DHCP synchronously"
+ configureDhcpDns
+ else
+ logMessage "Configuring tap DNS via DHCP asynchronously"
+ configureDhcpDns & # This must be run asynchronously; the DHCP lease will not complete until this script exits
+ EXIT_CODE=0
+ fi
+ elif [ "$foreign_option_1" == "" ]; then
+ logMessage "NOTE: No network configuration changes need to be made."
+ if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ logMessage "WARNING: Will NOT monitor for other network configuration changes."
+ fi
+ if ${ARG_ENABLE_IPV6_ON_TAP} ; then
+ logMessage "WARNING: Will NOT set up IPv6 on TAP device because it does not use DHCP."
+ fi
+ logDnsInfoNoChanges
+ flushDNSCache
+ else
+ if ${ARG_ENABLE_IPV6_ON_TAP} ; then
+ logMessage "WARNING: Will NOT set up IPv6 on TAP device because it does not use DHCP."
+ fi
+ logMessage "Configuring tap DNS via OpenVPN"
+ configureOpenVpnDns
+ EXIT_CODE=$?
+ fi
+else
+ if [ "$foreign_option_1" == "" ]; then
+ logMessage "NOTE: No network configuration changes need to be made."
+ if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
+ logMessage "WARNING: Will NOT monitor for other network configuration changes."
+ fi
+ if ${ARG_DISABLE_IPV6_ON_TUN} ; then
+ logMessage "WARNING: Will NOT disable IPv6 settings."
+ fi
+ logDnsInfoNoChanges
+ flushDNSCache
+ else
+
+ ipv6_disabled_services=""
+ if ${ARG_DISABLE_IPV6_ON_TUN} ; then
+ ipv6_disabled_services="$( disable_ipv6 )"
+ if [ "$ipv6_disabled_services" != "" ] ; then
+ printf %s "$ipv6_disabled_services
+" | \
+ while IFS= read -r dipv6_service ; do
+ logMessage "Disabled IPv6 for '$dipv6_service'"
+ done
+ fi
+ fi
+ readonly ipv6_disabled_services
+ # Note '\n' is translated into '\t' so it is all on one line, because grep and sed only work with single lines
+ readonly ipv6_disabled_services_encoded="$( echo "$ipv6_disabled_services" | tr '\n' '\t' )"
+
+ configureOpenVpnDns
+ EXIT_CODE=$?
+ fi
+fi
+
+touch "/tmp/bitmask-downscript-needs-to-be-run.txt"
+
+logMessage "End of output from ${OUR_NAME}"
+logMessage "**********************************************"
+
+exit $EXIT_CODE
diff --git a/pkg/osx/daemon/_metadata.py b/pkg/osx/daemon/_metadata.py
new file mode 100644
index 00000000..88843df7
--- /dev/null
+++ b/pkg/osx/daemon/_metadata.py
@@ -0,0 +1,154 @@
+# -*- coding: utf-8 -*-
+
+# daemon/_metadata.py
+# Part of ‘python-daemon’, an implementation of PEP 3143.
+#
+# Copyright © 2008–2015 Ben Finney <ben+python@benfinney.id.au>
+#
+# This is free software: you may copy, modify, and/or distribute this work
+# under the terms of the Apache License, version 2.0 as published by the
+# Apache Software Foundation.
+# No warranty expressed or implied. See the file ‘LICENSE.ASF-2’ for details.
+
+""" Package metadata for the ‘python-daemon’ distribution. """
+
+from __future__ import (absolute_import, unicode_literals)
+
+import json
+import re
+import collections
+import datetime
+
+import pkg_resources
+
+
+distribution_name = "python-daemon"
+version_info_filename = "version_info.json"
+
+
+def get_distribution_version_info(filename=version_info_filename):
+ """ Get the version info from the installed distribution.
+
+ :param filename: Base filename of the version info resource.
+ :return: The version info as a mapping of fields. If the
+ distribution is not available, the mapping is empty.
+
+ The version info is stored as a metadata file in the
+ distribution.
+
+ """
+ version_info = {
+ 'release_date': "UNKNOWN",
+ 'version': "UNKNOWN",
+ 'maintainer': "UNKNOWN",
+ }
+
+ try:
+ distribution = pkg_resources.get_distribution(distribution_name)
+ except pkg_resources.DistributionNotFound:
+ distribution = None
+
+ if distribution is not None:
+ if distribution.has_metadata(version_info_filename):
+ content = distribution.get_metadata(version_info_filename)
+ version_info = json.loads(content)
+
+ return version_info
+
+version_info = get_distribution_version_info()
+
+version_installed = version_info['version']
+
+
+rfc822_person_regex = re.compile(
+ "^(?P<name>[^<]+) <(?P<email>[^>]+)>$")
+
+ParsedPerson = collections.namedtuple('ParsedPerson', ['name', 'email'])
+
+
+def parse_person_field(value):
+ """ Parse a person field into name and email address.
+
+ :param value: The text value specifying a person.
+ :return: A 2-tuple (name, email) for the person's details.
+
+ If the `value` does not match a standard person with email
+ address, the `email` item is ``None``.
+
+ """
+ result = (None, None)
+
+ match = rfc822_person_regex.match(value)
+ if len(value):
+ if match is not None:
+ result = ParsedPerson(
+ name=match.group('name'),
+ email=match.group('email'))
+ else:
+ result = ParsedPerson(name=value, email=None)
+
+ return result
+
+author_name = "Ben Finney"
+author_email = "ben+python@benfinney.id.au"
+author = "{name} <{email}>".format(name=author_name, email=author_email)
+
+
+class YearRange:
+ """ A range of years spanning a period. """
+
+ def __init__(self, begin, end=None):
+ self.begin = begin
+ self.end = end
+
+ def __unicode__(self):
+ text = "{range.begin:04d}".format(range=self)
+ if self.end is not None:
+ if self.end > self.begin:
+ text = "{range.begin:04d}–{range.end:04d}".format(range=self)
+ return text
+
+ __str__ = __unicode__
+
+
+def make_year_range(begin_year, end_date=None):
+ """ Construct the year range given a start and possible end date.
+
+ :param begin_date: The beginning year (text) for the range.
+ :param end_date: The end date (text, ISO-8601 format) for the
+ range, or a non-date token string.
+ :return: The range of years as a `YearRange` instance.
+
+ If the `end_date` is not a valid ISO-8601 date string, the
+ range has ``None`` for the end year.
+
+ """
+ begin_year = int(begin_year)
+
+ try:
+ end_date = datetime.datetime.strptime(end_date, "%Y-%m-%d")
+ except (TypeError, ValueError):
+ # Specified end_date value is not a valid date.
+ end_year = None
+ else:
+ end_year = end_date.year
+
+ year_range = YearRange(begin=begin_year, end=end_year)
+
+ return year_range
+
+copyright_year_begin = "2001"
+build_date = version_info['release_date']
+copyright_year_range = make_year_range(copyright_year_begin, build_date)
+
+copyright = "Copyright © {year_range} {author} and others".format(
+ year_range=copyright_year_range, author=author)
+license = "Apache-2"
+url = "https://alioth.debian.org/projects/python-daemon/"
+
+
+# Local variables:
+# coding: utf-8
+# mode: python
+# End:
+# vim: fileencoding=utf-8 filetype=python :
diff --git a/pkg/osx/daemon/daemon.py b/pkg/osx/daemon/daemon.py
new file mode 100644
index 00000000..7ca8770e
--- /dev/null
+++ b/pkg/osx/daemon/daemon.py
@@ -0,0 +1,927 @@
+# -*- coding: utf-8 -*-
+
+# daemon/daemon.py
+# Part of ‘python-daemon’, an implementation of PEP 3143.
+#
+# Copyright © 2008–2015 Ben Finney <ben+python@benfinney.id.au>
+# Copyright © 2007–2008 Robert Niederreiter, Jens Klein
+# Copyright © 2004–2005 Chad J. Schroeder
+# Copyright © 2003 Clark Evans
+# Copyright © 2002 Noah Spurrier
+# Copyright © 2001 Jürgen Hermann
+#
+# This is free software: you may copy, modify, and/or distribute this work
+# under the terms of the Apache License, version 2.0 as published by the
+# Apache Software Foundation.
+# No warranty expressed or implied. See the file ‘LICENSE.ASF-2’ for details.
+
+""" Daemon process behaviour.
+ """
+
+from __future__ import (absolute_import, unicode_literals)
+
+import os
+import sys
+import resource
+import errno
+import signal
+import socket
+import atexit
+try:
+ # Python 2 has both ‘str’ (bytes) and ‘unicode’ (text).
+ basestring = basestring
+ unicode = unicode
+except NameError:
+ # Python 3 names the Unicode data type ‘str’.
+ basestring = str
+ unicode = str
+
+
+class DaemonError(Exception):
+ """ Base exception class for errors from this module. """
+
+ def __init__(self, *args, **kwargs):
+ self._chain_from_context()
+
+ super(DaemonError, self).__init__(*args, **kwargs)
+
+ def _chain_from_context(self):
+ _chain_exception_from_existing_exception_context(self, as_cause=True)
+
+
+class DaemonOSEnvironmentError(DaemonError, OSError):
+ """ Exception raised when daemon OS environment setup receives error. """
+
+
+class DaemonProcessDetachError(DaemonError, OSError):
+ """ Exception raised when process detach fails. """
+
+
+class DaemonContext:
+ """ Context for turning the current program into a daemon process.
+
+ A `DaemonContext` instance represents the behaviour settings and
+ process context for the program when it becomes a daemon. The
+ behaviour and environment is customised by setting options on the
+ instance, before calling the `open` method.
+
+ Each option can be passed as a keyword argument to the `DaemonContext`
+ constructor, or subsequently altered by assigning to an attribute on
+ the instance at any time prior to calling `open`. That is, for
+ options named `wibble` and `wubble`, the following invocation::
+
+ foo = daemon.DaemonContext(wibble=bar, wubble=baz)
+ foo.open()
+
+ is equivalent to::
+
+ foo = daemon.DaemonContext()
+ foo.wibble = bar
+ foo.wubble = baz
+ foo.open()
+
+ The following options are defined.
+
+ `files_preserve`
+ :Default: ``None``
+
+ List of files that should *not* be closed when starting the
+ daemon. If ``None``, all open file descriptors will be closed.
+
+ Elements of the list are file descriptors (as returned by a file
+ object's `fileno()` method) or Python `file` objects. Each
+ specifies a file that is not to be closed during daemon start.
+
+ `chroot_directory`
+ :Default: ``None``
+
+ Full path to a directory to set as the effective root directory of
+ the process. If ``None``, specifies that the root directory is not
+ to be changed.
+
+ `working_directory`
+ :Default: ``'/'``
+
+ Full path of the working directory to which the process should
+ change on daemon start.
+
+ Since a filesystem cannot be unmounted if a process has its
+ current working directory on that filesystem, this should either
+ be left at default or set to a directory that is a sensible “home
+ directory” for the daemon while it is running.
+
+ `umask`
+ :Default: ``0``
+
+ File access creation mask (“umask”) to set for the process on
+ daemon start.
+
+ A daemon should not rely on the parent process's umask value,
+ which is beyond its control and may prevent creating a file with
+ the required access mode. So when the daemon context opens, the
+ umask is set to an explicit known value.
+
+ If the conventional value of 0 is too open, consider setting a
+ value such as 0o022, 0o027, 0o077, or another specific value.
+ Otherwise, ensure the daemon creates every file with an
+ explicit access mode for the purpose.
+
+ `pidfile`
+ :Default: ``None``
+
+ Context manager for a PID lock file. When the daemon context opens
+ and closes, it enters and exits the `pidfile` context manager.
+
+ `detach_process`
+ :Default: ``None``
+
+ If ``True``, detach the process context when opening the daemon
+ context; if ``False``, do not detach.
+
+ If unspecified (``None``) during initialisation of the instance,
+ this will be set to ``True`` by default, and ``False`` only if
+ detaching the process is determined to be redundant; for example,
+ in the case when the process was started by `init`, by `initd`, or
+ by `inetd`.
+
+ `signal_map`
+ :Default: system-dependent
+
+ Mapping from operating system signals to callback actions.
+
+ The mapping is used when the daemon context opens, and determines
+ the action for each signal's signal handler:
+
+ * A value of ``None`` will ignore the signal (by setting the
+ signal action to ``signal.SIG_IGN``).
+
+ * A string value will be used as the name of an attribute on the
+ ``DaemonContext`` instance. The attribute's value will be used
+ as the action for the signal handler.
+
+ * Any other value will be used as the action for the
+ signal handler. See the ``signal.signal`` documentation
+ for details of the signal handler interface.
+
+ The default value depends on which signals are defined on the
+ running system. Each item from the list below whose signal is
+ actually defined in the ``signal`` module will appear in the
+ default map:
+
+ * ``signal.SIGTTIN``: ``None``
+
+ * ``signal.SIGTTOU``: ``None``
+
+ * ``signal.SIGTSTP``: ``None``
+
+ * ``signal.SIGTERM``: ``'terminate'``
+
+ Depending on how the program will interact with its child
+ processes, it may need to specify a signal map that
+ includes the ``signal.SIGCHLD`` signal (received when a
+ child process exits). See the specific operating system's
+ documentation for more detail on how to determine what
+ circumstances dictate the need for signal handlers.
+
+ `uid`
+ :Default: ``os.getuid()``
+
+ `gid`
+ :Default: ``os.getgid()``
+
+ The user ID (“UID”) value and group ID (“GID”) value to switch
+ the process to on daemon start.
+
+ The default values, the real UID and GID of the process, will
+ relinquish any effective privilege elevation inherited by the
+ process.
+
+ `prevent_core`
+ :Default: ``True``
+
+ If true, prevents the generation of core files, in order to avoid
+ leaking sensitive information from daemons run as `root`.
+
+ `stdin`
+ :Default: ``None``
+
+ `stdout`
+ :Default: ``None``
+
+ `stderr`
+ :Default: ``None``
+
+ Each of `stdin`, `stdout`, and `stderr` is a file-like object
+ which will be used as the new file for the standard I/O stream
+ `sys.stdin`, `sys.stdout`, and `sys.stderr` respectively. The file
+ should therefore be open, with a minimum of mode 'r' in the case
+ of `stdin`, and mimimum of mode 'w+' in the case of `stdout` and
+ `stderr`.
+
+ If the object has a `fileno()` method that returns a file
+ descriptor, the corresponding file will be excluded from being
+ closed during daemon start (that is, it will be treated as though
+ it were listed in `files_preserve`).
+
+ If ``None``, the corresponding system stream is re-bound to the
+ file named by `os.devnull`.
+
+ """
+
+ __metaclass__ = type
+
+ def __init__(
+ self,
+ chroot_directory=None,
+ working_directory="/",
+ umask=0,
+ uid=None,
+ gid=None,
+ prevent_core=True,
+ detach_process=None,
+ files_preserve=None,
+ pidfile=None,
+ stdin=None,
+ stdout=None,
+ stderr=None,
+ signal_map=None,
+ ):
+ """ Set up a new instance. """
+ self.chroot_directory = chroot_directory
+ self.working_directory = working_directory
+ self.umask = umask
+ self.prevent_core = prevent_core
+ self.files_preserve = files_preserve
+ self.pidfile = pidfile
+ self.stdin = stdin
+ self.stdout = stdout
+ self.stderr = stderr
+
+ if uid is None:
+ uid = os.getuid()
+ self.uid = uid
+ if gid is None:
+ gid = os.getgid()
+ self.gid = gid
+
+ if detach_process is None:
+ detach_process = is_detach_process_context_required()
+ self.detach_process = detach_process
+
+ if signal_map is None:
+ signal_map = make_default_signal_map()
+ self.signal_map = signal_map
+
+ self._is_open = False
+
+ @property
+ def is_open(self):
+ """ ``True`` if the instance is currently open. """
+ return self._is_open
+
+ def open(self):
+ """ Become a daemon process.
+
+ :return: ``None``.
+
+ Open the daemon context, turning the current program into a daemon
+ process. This performs the following steps:
+
+ * If this instance's `is_open` property is true, return
+ immediately. This makes it safe to call `open` multiple times on
+ an instance.
+
+ * If the `prevent_core` attribute is true, set the resource limits
+ for the process to prevent any core dump from the process.
+
+ * If the `chroot_directory` attribute is not ``None``, set the
+ effective root directory of the process to that directory (via
+ `os.chroot`).
+
+ This allows running the daemon process inside a “chroot gaol”
+ as a means of limiting the system's exposure to rogue behaviour
+ by the process. Note that the specified directory needs to
+ already be set up for this purpose.
+
+ * Set the process UID and GID to the `uid` and `gid` attribute
+ values.
+
+ * Close all open file descriptors. This excludes those listed in
+ the `files_preserve` attribute, and those that correspond to the
+ `stdin`, `stdout`, or `stderr` attributes.
+
+ * Change current working directory to the path specified by the
+ `working_directory` attribute.
+
+ * Reset the file access creation mask to the value specified by
+ the `umask` attribute.
+
+ * If the `detach_process` option is true, detach the current
+ process into its own process group, and disassociate from any
+ controlling terminal.
+
+ * Set signal handlers as specified by the `signal_map` attribute.
+
+ * If any of the attributes `stdin`, `stdout`, `stderr` are not
+ ``None``, bind the system streams `sys.stdin`, `sys.stdout`,
+ and/or `sys.stderr` to the files represented by the
+ corresponding attributes. Where the attribute has a file
+ descriptor, the descriptor is duplicated (instead of re-binding
+ the name).
+
+ * If the `pidfile` attribute is not ``None``, enter its context
+ manager.
+
+ * Mark this instance as open (for the purpose of future `open` and
+ `close` calls).
+
+ * Register the `close` method to be called during Python's exit
+ processing.
+
+ When the function returns, the running program is a daemon
+ process.
+
+ """
+ if self.is_open:
+ return
+
+ if self.chroot_directory is not None:
+ change_root_directory(self.chroot_directory)
+
+ if self.prevent_core:
+ prevent_core_dump()
+
+ change_file_creation_mask(self.umask)
+ change_working_directory(self.working_directory)
+ change_process_owner(self.uid, self.gid)
+
+ if self.detach_process:
+ detach_process_context()
+
+ signal_handler_map = self._make_signal_handler_map()
+ set_signal_handlers(signal_handler_map)
+
+ exclude_fds = self._get_exclude_file_descriptors()
+ close_all_open_files(exclude=exclude_fds)
+
+ redirect_stream(sys.stdin, self.stdin)
+ redirect_stream(sys.stdout, self.stdout)
+ redirect_stream(sys.stderr, self.stderr)
+
+ if self.pidfile is not None:
+ self.pidfile.__enter__()
+
+ self._is_open = True
+
+ register_atexit_function(self.close)
+
+ def __enter__(self):
+ """ Context manager entry point. """
+ self.open()
+ return self
+
+ def close(self):
+ """ Exit the daemon process context.
+
+ :return: ``None``.
+
+ Close the daemon context. This performs the following steps:
+
+ * If this instance's `is_open` property is false, return
+ immediately. This makes it safe to call `close` multiple times
+ on an instance.
+
+ * If the `pidfile` attribute is not ``None``, exit its context
+ manager.
+
+ * Mark this instance as closed (for the purpose of future `open`
+ and `close` calls).
+
+ """
+ if not self.is_open:
+ return
+
+ if self.pidfile is not None:
+ # Follow the interface for telling a context manager to exit,
+ # <URL:http://docs.python.org/library/stdtypes.html#typecontextmanager>.
+ self.pidfile.__exit__(None, None, None)
+
+ self._is_open = False
+
+ def __exit__(self, exc_type, exc_value, traceback):
+ """ Context manager exit point. """
+ self.close()
+
+ def terminate(self, signal_number, stack_frame):
+ """ Signal handler for end-process signals.
+
+ :param signal_number: The OS signal number received.
+ :param stack_frame: The frame object at the point the
+ signal was received.
+ :return: ``None``.
+
+ Signal handler for the ``signal.SIGTERM`` signal. Performs the
+ following step:
+
+ * Raise a ``SystemExit`` exception explaining the signal.
+
+ """
+ exception = SystemExit(
+ "Terminating on signal {signal_number!r}".format(
+ signal_number=signal_number))
+ raise exception
+
+ def _get_exclude_file_descriptors(self):
+ """ Get the set of file descriptors to exclude closing.
+
+ :return: A set containing the file descriptors for the
+ files to be preserved.
+
+ The file descriptors to be preserved are those from the
+ items in `files_preserve`, and also each of `stdin`,
+ `stdout`, and `stderr`. For each item:
+
+ * If the item is ``None``, it is omitted from the return
+ set.
+
+ * If the item's ``fileno()`` method returns a value, that
+ value is in the return set.
+
+ * Otherwise, the item is in the return set verbatim.
+
+ """
+ files_preserve = self.files_preserve
+ if files_preserve is None:
+ files_preserve = []
+ files_preserve.extend(
+ item for item in [self.stdin, self.stdout, self.stderr]
+ if hasattr(item, 'fileno'))
+
+ exclude_descriptors = set()
+ for item in files_preserve:
+ if item is None:
+ continue
+ file_descriptor = _get_file_descriptor(item)
+ if file_descriptor is not None:
+ exclude_descriptors.add(file_descriptor)
+ else:
+ exclude_descriptors.add(item)
+
+ return exclude_descriptors
+
+ def _make_signal_handler(self, target):
+ """ Make the signal handler for a specified target object.
+
+ :param target: A specification of the target for the
+ handler; see below.
+ :return: The value for use by `signal.signal()`.
+
+ If `target` is ``None``, return ``signal.SIG_IGN``. If `target`
+ is a text string, return the attribute of this instance named
+ by that string. Otherwise, return `target` itself.
+
+ """
+ if target is None:
+ result = signal.SIG_IGN
+ elif isinstance(target, unicode):
+ name = target
+ result = getattr(self, name)
+ else:
+ result = target
+
+ return result
+
+ def _make_signal_handler_map(self):
+ """ Make the map from signals to handlers for this instance.
+
+ :return: The constructed signal map for this instance.
+
+ Construct a map from signal numbers to handlers for this
+ context instance, suitable for passing to
+ `set_signal_handlers`.
+
+ """
+ signal_handler_map = dict(
+ (signal_number, self._make_signal_handler(target))
+ for (signal_number, target) in self.signal_map.items())
+ return signal_handler_map
+
+
+def _get_file_descriptor(obj):
+ """ Get the file descriptor, if the object has one.
+
+ :param obj: The object expected to be a file-like object.
+ :return: The file descriptor iff the file supports it; otherwise
+ ``None``.
+
+ The object may be a non-file object. It may also be a
+ file-like object with no support for a file descriptor. In
+ either case, return ``None``.
+
+ """
+ file_descriptor = None
+ if hasattr(obj, 'fileno'):
+ try:
+ file_descriptor = obj.fileno()
+ except ValueError:
+ # The item doesn't support a file descriptor.
+ pass
+
+ return file_descriptor
+
+
+def change_working_directory(directory):
+ """ Change the working directory of this process.
+
+ :param directory: The target directory path.
+ :return: ``None``.
+
+ """
+ try:
+ os.chdir(directory)
+ except Exception as exc:
+ error = DaemonOSEnvironmentError(
+ "Unable to change working directory ({exc})".format(exc=exc))
+ raise error
+
+
+def change_root_directory(directory):
+ """ Change the root directory of this process.
+
+ :param directory: The target directory path.
+ :return: ``None``.
+
+ Set the current working directory, then the process root directory,
+ to the specified `directory`. Requires appropriate OS privileges
+ for this process.
+
+ """
+ try:
+ os.chdir(directory)
+ os.chroot(directory)
+ except Exception as exc:
+ error = DaemonOSEnvironmentError(
+ "Unable to change root directory ({exc})".format(exc=exc))
+ raise error
+
+
+def change_file_creation_mask(mask):
+ """ Change the file creation mask for this process.
+
+ :param mask: The numeric file creation mask to set.
+ :return: ``None``.
+
+ """
+ try:
+ os.umask(mask)
+ except Exception as exc:
+ error = DaemonOSEnvironmentError(
+ "Unable to change file creation mask ({exc})".format(exc=exc))
+ raise error
+
+
+def change_process_owner(uid, gid):
+ """ Change the owning UID and GID of this process.
+
+ :param uid: The target UID for the daemon process.
+ :param gid: The target GID for the daemon process.
+ :return: ``None``.
+
+ Set the GID then the UID of the process (in that order, to avoid
+ permission errors) to the specified `gid` and `uid` values.
+ Requires appropriate OS privileges for this process.
+
+ """
+ try:
+ os.setgid(gid)
+ os.setuid(uid)
+ except Exception as exc:
+ error = DaemonOSEnvironmentError(
+ "Unable to change process owner ({exc})".format(exc=exc))
+ raise error
+
+
+def prevent_core_dump():
+ """ Prevent this process from generating a core dump.
+
+ :return: ``None``.
+
+ Set the soft and hard limits for core dump size to zero. On Unix,
+ this entirely prevents the process from creating core dump.
+
+ """
+ core_resource = resource.RLIMIT_CORE
+
+ try:
+ # Ensure the resource limit exists on this platform, by requesting
+ # its current value.
+ core_limit_prev = resource.getrlimit(core_resource)
+ except ValueError as exc:
+ error = DaemonOSEnvironmentError(
+ "System does not support RLIMIT_CORE resource limit"
+ " ({exc})".format(exc=exc))
+ raise error
+
+ # Set hard and soft limits to zero, i.e. no core dump at all.
+ core_limit = (0, 0)
+ resource.setrlimit(core_resource, core_limit)
+
+
+def detach_process_context():
+ """ Detach the process context from parent and session.
+
+ :return: ``None``.
+
+ Detach from the parent process and session group, allowing the
+ parent to exit while this process continues running.
+
+ Reference: “Advanced Programming in the Unix Environment”,
+ section 13.3, by W. Richard Stevens, published 1993 by
+ Addison-Wesley.
+
+ """
+
+ def fork_then_exit_parent(error_message):
+ """ Fork a child process, then exit the parent process.
+
+ :param error_message: Message for the exception in case of a
+ detach failure.
+ :return: ``None``.
+ :raise DaemonProcessDetachError: If the fork fails.
+
+ """
+ try:
+ pid = os.fork()
+ if pid > 0:
+ os._exit(0)
+ except OSError as exc:
+ error = DaemonProcessDetachError(
+ "{message}: [{exc.errno:d}] {exc.strerror}".format(
+ message=error_message, exc=exc))
+ raise error
+
+ fork_then_exit_parent(error_message="Failed first fork")
+ os.setsid()
+ fork_then_exit_parent(error_message="Failed second fork")
+
+
+def is_process_started_by_init():
+ """ Determine whether the current process is started by `init`.
+
+ :return: ``True`` iff the parent process is `init`; otherwise
+ ``False``.
+
+ The `init` process is the one with process ID of 1.
+
+ """
+ result = False
+
+ init_pid = 1
+ if os.getppid() == init_pid:
+ result = True
+
+ return result
+
+
+def is_socket(fd):
+ """ Determine whether the file descriptor is a socket.
+
+ :param fd: The file descriptor to interrogate.
+ :return: ``True`` iff the file descriptor is a socket; otherwise
+ ``False``.
+
+ Query the socket type of `fd`. If there is no error, the file is a
+ socket.
+
+ """
+ result = False
+
+ file_socket = socket.fromfd(fd, socket.AF_INET, socket.SOCK_RAW)
+
+ try:
+ socket_type = file_socket.getsockopt(
+ socket.SOL_SOCKET, socket.SO_TYPE)
+ except socket.error as exc:
+ exc_errno = exc.args[0]
+ if exc_errno == errno.ENOTSOCK:
+ # Socket operation on non-socket.
+ pass
+ else:
+ # Some other socket error.
+ result = True
+ else:
+ # No error getting socket type.
+ result = True
+
+ return result
+
+
+def is_process_started_by_superserver():
+ """ Determine whether the current process is started by the superserver.
+
+ :return: ``True`` if this process was started by the internet
+ superserver; otherwise ``False``.
+
+ The internet superserver creates a network socket, and
+ attaches it to the standard streams of the child process. If
+ that is the case for this process, return ``True``, otherwise
+ ``False``.
+
+ """
+ result = False
+
+ stdin_fd = sys.__stdin__.fileno()
+ if is_socket(stdin_fd):
+ result = True
+
+ return result
+
+
+def is_detach_process_context_required():
+ """ Determine whether detaching the process context is required.
+
+ :return: ``True`` iff the process is already detached; otherwise
+ ``False``.
+
+ The process environment is interrogated for the following:
+
+ * Process was started by `init`; or
+
+ * Process was started by `inetd`.
+
+ If any of the above are true, the process is deemed to be already
+ detached.
+
+ """
+ result = True
+ if is_process_started_by_init() or is_process_started_by_superserver():
+ result = False
+
+ return result
+
+
+def close_file_descriptor_if_open(fd):
+ """ Close a file descriptor if already open.
+
+ :param fd: The file descriptor to close.
+ :return: ``None``.
+
+ Close the file descriptor `fd`, suppressing an error in the
+ case the file was not open.
+
+ """
+ try:
+ os.close(fd)
+ except EnvironmentError as exc:
+ if exc.errno == errno.EBADF:
+ # File descriptor was not open.
+ pass
+ else:
+ error = DaemonOSEnvironmentError(
+ "Failed to close file descriptor {fd:d} ({exc})".format(
+ fd=fd, exc=exc))
+ raise error
+
+
+MAXFD = 2048
+
+
+def get_maximum_file_descriptors():
+ """ Get the maximum number of open file descriptors for this process.
+
+ :return: The number (integer) to use as the maximum number of open
+ files for this process.
+
+ The maximum is the process hard resource limit of maximum number of
+ open file descriptors. If the limit is “infinity”, a default value
+ of ``MAXFD`` is returned.
+
+ """
+ limits = resource.getrlimit(resource.RLIMIT_NOFILE)
+ result = limits[1]
+ if result == resource.RLIM_INFINITY:
+ result = MAXFD
+ return result
+
+
+def close_all_open_files(exclude=set()):
+ """ Close all open file descriptors.
+
+ :param exclude: Collection of file descriptors to skip when closing
+ files.
+ :return: ``None``.
+
+ Closes every file descriptor (if open) of this process. If
+ specified, `exclude` is a set of file descriptors to *not*
+ close.
+
+ """
+ maxfd = get_maximum_file_descriptors()
+ for fd in reversed(range(maxfd)):
+ if fd not in exclude:
+ close_file_descriptor_if_open(fd)
+
+
+def redirect_stream(system_stream, target_stream):
+ """ Redirect a system stream to a specified file.
+
+ :param standard_stream: A file object representing a standard I/O
+ stream.
+ :param target_stream: The target file object for the redirected
+ stream, or ``None`` to specify the null device.
+ :return: ``None``.
+
+ `system_stream` is a standard system stream such as
+ ``sys.stdout``. `target_stream` is an open file object that
+ should replace the corresponding system stream object.
+
+ If `target_stream` is ``None``, defaults to opening the
+ operating system's null device and using its file descriptor.
+
+ """
+ if target_stream is None:
+ target_fd = os.open(os.devnull, os.O_RDWR)
+ else:
+ target_fd = target_stream.fileno()
+ os.dup2(target_fd, system_stream.fileno())
+
+
+def make_default_signal_map():
+ """ Make the default signal map for this system.
+
+ :return: A mapping from signal number to handler object.
+
+ The signals available differ by system. The map will not contain
+ any signals not defined on the running system.
+
+ """
+ name_map = {
+ 'SIGTSTP': None,
+ 'SIGTTIN': None,
+ 'SIGTTOU': None,
+ 'SIGTERM': 'terminate',
+ }
+ signal_map = dict(
+ (getattr(signal, name), target)
+ for (name, target) in name_map.items()
+ if hasattr(signal, name))
+
+ return signal_map
+
+
+def set_signal_handlers(signal_handler_map):
+ """ Set the signal handlers as specified.
+
+ :param signal_handler_map: A map from signal number to handler
+ object.
+ :return: ``None``.
+
+ See the `signal` module for details on signal numbers and signal
+ handlers.
+
+ """
+ for (signal_number, handler) in signal_handler_map.items():
+ signal.signal(signal_number, handler)
+
+
+def register_atexit_function(func):
+ """ Register a function for processing at program exit.
+
+ :param func: A callable function expecting no arguments.
+ :return: ``None``.
+
+ The function `func` is registered for a call with no arguments
+ at program exit.
+
+ """
+ atexit.register(func)
+
+
+def _chain_exception_from_existing_exception_context(exc, as_cause=False):
+ """ Decorate the specified exception with the existing exception context.
+
+ :param exc: The exception instance to decorate.
+ :param as_cause: If true, the existing context is declared to be
+ the cause of the exception.
+ :return: ``None``.
+
+ :PEP:`344` describes syntax and attributes (`__traceback__`,
+ `__context__`, `__cause__`) for use in exception chaining.
+
+ Python 2 does not have that syntax, so this function decorates
+ the exception with values from the current exception context.
+
+ """
+ (existing_exc_type, existing_exc, existing_traceback) = sys.exc_info()
+ if as_cause:
+ exc.__cause__ = existing_exc
+ else:
+ exc.__context__ = existing_exc
+ exc.__traceback__ = existing_traceback
+
+
+# Local variables:
+# coding: utf-8
+# mode: python
+# End:
+# vim: fileencoding=utf-8 filetype=python :
diff --git a/pkg/osx/daemon/pidfile.py b/pkg/osx/daemon/pidfile.py
new file mode 100644
index 00000000..68f7b2ac
--- /dev/null
+++ b/pkg/osx/daemon/pidfile.py
@@ -0,0 +1,67 @@
+# -*- coding: utf-8 -*-
+
+# daemon/pidfile.py
+# Part of ‘python-daemon’, an implementation of PEP 3143.
+#
+# Copyright © 2008–2015 Ben Finney <ben+python@benfinney.id.au>
+#
+# This is free software: you may copy, modify, and/or distribute this work
+# under the terms of the Apache License, version 2.0 as published by the
+# Apache Software Foundation.
+# No warranty expressed or implied. See the file ‘LICENSE.ASF-2’ for details.
+
+""" Lockfile behaviour implemented via Unix PID files.
+ """
+
+from __future__ import (absolute_import, unicode_literals)
+
+from lockfile.pidlockfile import PIDLockFile
+
+
+class TimeoutPIDLockFile(PIDLockFile, object):
+ """ Lockfile with default timeout, implemented as a Unix PID file.
+
+ This uses the ``PIDLockFile`` implementation, with the
+ following changes:
+
+ * The `acquire_timeout` parameter to the initialiser will be
+ used as the default `timeout` parameter for the `acquire`
+ method.
+
+ """
+
+ def __init__(self, path, acquire_timeout=None, *args, **kwargs):
+ """ Set up the parameters of a TimeoutPIDLockFile.
+
+ :param path: Filesystem path to the PID file.
+ :param acquire_timeout: Value to use by default for the
+ `acquire` call.
+ :return: ``None``.
+
+ """
+ self.acquire_timeout = acquire_timeout
+ super(TimeoutPIDLockFile, self).__init__(path, *args, **kwargs)
+
+ def acquire(self, timeout=None, *args, **kwargs):
+ """ Acquire the lock.
+
+ :param timeout: Specifies the timeout; see below for valid
+ values.
+ :return: ``None``.
+
+ The `timeout` defaults to the value set during
+ initialisation with the `acquire_timeout` parameter. It is
+ passed to `PIDLockFile.acquire`; see that method for
+ details.
+
+ """
+ if timeout is None:
+ timeout = self.acquire_timeout
+ super(TimeoutPIDLockFile, self).acquire(timeout, *args, **kwargs)
+
+
+# Local variables:
+# coding: utf-8
+# mode: python
+# End:
+# vim: fileencoding=utf-8 filetype=python :
diff --git a/pkg/osx/daemon/runner.py b/pkg/osx/daemon/runner.py
new file mode 100644
index 00000000..de9025d3
--- /dev/null
+++ b/pkg/osx/daemon/runner.py
@@ -0,0 +1,324 @@
+# -*- coding: utf-8 -*-
+
+# daemon/runner.py
+# Part of ‘python-daemon’, an implementation of PEP 3143.
+#
+# Copyright © 2009–2015 Ben Finney <ben+python@benfinney.id.au>
+# Copyright © 2007–2008 Robert Niederreiter, Jens Klein
+# Copyright © 2003 Clark Evans
+# Copyright © 2002 Noah Spurrier
+# Copyright © 2001 Jürgen Hermann
+#
+# This is free software: you may copy, modify, and/or distribute this work
+# under the terms of the Apache License, version 2.0 as published by the
+# Apache Software Foundation.
+# No warranty expressed or implied. See the file ‘LICENSE.ASF-2’ for details.
+
+""" Daemon runner library.
+ """
+
+from __future__ import (absolute_import, unicode_literals)
+
+import sys
+import os
+import signal
+import errno
+try:
+ # Python 3 standard library.
+ ProcessLookupError
+except NameError:
+ # No such class in Python 2.
+ ProcessLookupError = NotImplemented
+
+import lockfile
+
+from . import pidfile
+from .daemon import (basestring, unicode)
+from .daemon import DaemonContext
+from .daemon import _chain_exception_from_existing_exception_context
+
+
+class DaemonRunnerError(Exception):
+ """ Abstract base class for errors from DaemonRunner. """
+
+ def __init__(self, *args, **kwargs):
+ self._chain_from_context()
+
+ super(DaemonRunnerError, self).__init__(*args, **kwargs)
+
+ def _chain_from_context(self):
+ _chain_exception_from_existing_exception_context(self, as_cause=True)
+
+
+class DaemonRunnerInvalidActionError(DaemonRunnerError, ValueError):
+ """ Raised when specified action for DaemonRunner is invalid. """
+
+ def _chain_from_context(self):
+ # This exception is normally not caused by another.
+ _chain_exception_from_existing_exception_context(self, as_cause=False)
+
+
+class DaemonRunnerStartFailureError(DaemonRunnerError, RuntimeError):
+ """ Raised when failure starting DaemonRunner. """
+
+
+class DaemonRunnerStopFailureError(DaemonRunnerError, RuntimeError):
+ """ Raised when failure stopping DaemonRunner. """
+
+
+class DaemonRunner:
+ """ Controller for a callable running in a separate background process.
+
+ The first command-line argument is the action to take:
+
+ * 'start': Become a daemon and call `app.run()`.
+ * 'stop': Exit the daemon process specified in the PID file.
+ * 'restart': Stop, then start.
+
+ """
+
+ __metaclass__ = type
+
+ start_message = "started with pid {pid:d}"
+
+ def __init__(self, app):
+ """ Set up the parameters of a new runner.
+
+ :param app: The application instance; see below.
+ :return: ``None``.
+
+ The `app` argument must have the following attributes:
+
+ * `stdin_path`, `stdout_path`, `stderr_path`: Filesystem paths
+ to open and replace the existing `sys.stdin`, `sys.stdout`,
+ `sys.stderr`.
+
+ * `pidfile_path`: Absolute filesystem path to a file that will
+ be used as the PID file for the daemon. If ``None``, no PID
+ file will be used.
+
+ * `pidfile_timeout`: Used as the default acquisition timeout
+ value supplied to the runner's PID lock file.
+
+ * `run`: Callable that will be invoked when the daemon is
+ started.
+
+ """
+ self.parse_args()
+ self.app = app
+ self.daemon_context = DaemonContext()
+ self.daemon_context.stdin = open(app.stdin_path, 'rt')
+ self.daemon_context.stdout = open(app.stdout_path, 'w+t')
+ self.daemon_context.stderr = open(
+ app.stderr_path, 'w+t', buffering=0)
+
+ self.pidfile = None
+ if app.pidfile_path is not None:
+ self.pidfile = make_pidlockfile(
+ app.pidfile_path, app.pidfile_timeout)
+ self.daemon_context.pidfile = self.pidfile
+
+ def _usage_exit(self, argv):
+ """ Emit a usage message, then exit.
+
+ :param argv: The command-line arguments used to invoke the
+ program, as a sequence of strings.
+ :return: ``None``.
+
+ """
+ progname = os.path.basename(argv[0])
+ usage_exit_code = 2
+ action_usage = "|".join(self.action_funcs.keys())
+ message = "usage: {progname} {usage}".format(
+ progname=progname, usage=action_usage)
+ emit_message(message)
+ sys.exit(usage_exit_code)
+
+ def parse_args(self, argv=None):
+ """ Parse command-line arguments.
+
+ :param argv: The command-line arguments used to invoke the
+ program, as a sequence of strings.
+
+ :return: ``None``.
+
+ The parser expects the first argument as the program name, the
+ second argument as the action to perform.
+
+ If the parser fails to parse the arguments, emit a usage
+ message and exit the program.
+
+ """
+ if argv is None:
+ argv = sys.argv
+
+ min_args = 2
+ if len(argv) < min_args:
+ self._usage_exit(argv)
+
+ self.action = unicode(argv[1])
+ if self.action not in self.action_funcs:
+ self._usage_exit(argv)
+
+ def _start(self):
+ """ Open the daemon context and run the application.
+
+ :return: ``None``.
+ :raises DaemonRunnerStartFailureError: If the PID file cannot
+ be locked by this process.
+
+ """
+ if is_pidfile_stale(self.pidfile):
+ self.pidfile.break_lock()
+
+ try:
+ self.daemon_context.open()
+ except lockfile.AlreadyLocked:
+ error = DaemonRunnerStartFailureError(
+ "PID file {pidfile.path!r} already locked".format(
+ pidfile=self.pidfile))
+ raise error
+
+ pid = os.getpid()
+ message = self.start_message.format(pid=pid)
+ emit_message(message)
+
+ self.app.run()
+
+ def _terminate_daemon_process(self):
+ """ Terminate the daemon process specified in the current PID file.
+
+ :return: ``None``.
+ :raises DaemonRunnerStopFailureError: If terminating the daemon
+ fails with an OS error.
+
+ """
+ pid = self.pidfile.read_pid()
+ try:
+ os.kill(pid, signal.SIGTERM)
+ except OSError as exc:
+ error = DaemonRunnerStopFailureError(
+ "Failed to terminate {pid:d}: {exc}".format(
+ pid=pid, exc=exc))
+ raise error
+
+ def _stop(self):
+ """ Exit the daemon process specified in the current PID file.
+
+ :return: ``None``.
+ :raises DaemonRunnerStopFailureError: If the PID file is not
+ already locked.
+
+ """
+ if not self.pidfile.is_locked():
+ error = DaemonRunnerStopFailureError(
+ "PID file {pidfile.path!r} not locked".format(
+ pidfile=self.pidfile))
+ raise error
+
+ if is_pidfile_stale(self.pidfile):
+ self.pidfile.break_lock()
+ else:
+ self._terminate_daemon_process()
+
+ def _restart(self):
+ """ Stop, then start.
+ """
+ self._stop()
+ self._start()
+
+ action_funcs = {
+ 'start': _start,
+ 'stop': _stop,
+ 'restart': _restart,
+ }
+
+ def _get_action_func(self):
+ """ Get the function for the specified action.
+
+ :return: The function object corresponding to the specified
+ action.
+ :raises DaemonRunnerInvalidActionError: if the action is
+ unknown.
+
+ The action is specified by the `action` attribute, which is set
+ during `parse_args`.
+
+ """
+ try:
+ func = self.action_funcs[self.action]
+ except KeyError:
+ error = DaemonRunnerInvalidActionError(
+ "Unknown action: {action!r}".format(
+ action=self.action))
+ raise error
+ return func
+
+ def do_action(self):
+ """ Perform the requested action.
+
+ :return: ``None``.
+
+ The action is specified by the `action` attribute, which is set
+ during `parse_args`.
+
+ """
+ func = self._get_action_func()
+ func(self)
+
+
+def emit_message(message, stream=None):
+ """ Emit a message to the specified stream (default `sys.stderr`). """
+ if stream is None:
+ stream = sys.stderr
+ stream.write("{message}\n".format(message=message))
+ stream.flush()
+
+
+def make_pidlockfile(path, acquire_timeout):
+ """ Make a PIDLockFile instance with the given filesystem path. """
+ if not isinstance(path, basestring):
+ error = ValueError("Not a filesystem path: {path!r}".format(
+ path=path))
+ raise error
+ if not os.path.isabs(path):
+ error = ValueError("Not an absolute path: {path!r}".format(
+ path=path))
+ raise error
+ lockfile = pidfile.TimeoutPIDLockFile(path, acquire_timeout)
+
+ return lockfile
+
+
+def is_pidfile_stale(pidfile):
+ """ Determine whether a PID file is stale.
+
+ :return: ``True`` iff the PID file is stale; otherwise ``False``.
+
+ The PID file is “stale” if its contents are valid but do not
+ match the PID of a currently-running process.
+
+ """
+ result = False
+
+ pidfile_pid = pidfile.read_pid()
+ if pidfile_pid is not None:
+ try:
+ os.kill(pidfile_pid, signal.SIG_DFL)
+ except ProcessLookupError:
+ # The specified PID does not exist.
+ result = True
+ except OSError as exc:
+ if exc.errno == errno.ESRCH:
+ # Under Python 2, process lookup error is an OSError.
+ # The specified PID does not exist.
+ result = True
+
+ return result
+
+
+# Local variables:
+# coding: utf-8
+# mode: python
+# End:
+# vim: fileencoding=utf-8 filetype=python :
diff --git a/pkg/osx/install/ProcessNetworkChanges.plist.template b/pkg/osx/install/ProcessNetworkChanges.plist.template
deleted file mode 100644
index eaf54fcf..00000000
--- a/pkg/osx/install/ProcessNetworkChanges.plist.template
+++ /dev/null
@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
- <dict>
- <key>Label</key>
- <string>se.leap.openvpn.process-network-changes</string>
- <key>ProgramArguments</key>
- <array>
- <string>${DIR}/process-network-changes</string>
- </array>
- <key>WatchPaths</key>
- <array>
- <string>/Library/Preferences/SystemConfiguration</string>
- </array>
- </dict>
-</plist>
diff --git a/pkg/osx/install/client.down.sh b/pkg/osx/install/client.down.sh
deleted file mode 100755
index 52ba4de6..00000000
--- a/pkg/osx/install/client.down.sh
+++ /dev/null
@@ -1,148 +0,0 @@
-#!/bin/bash -e
-# Note: must be bash; uses bash-specific tricks
-#
-# ******************************************************************************************************************
-# Based on the Tunnelblick script that just "does everything!"
-# It handles TUN and TAP interfaces,
-# pushed configurations and DHCP leases. :)
-#
-# This is the "Down" version of the script, executed after the connection is
-# closed.
-#
-# Created by: Nick Williams (using original code and parts of old Tblk scripts)
-#
-# ******************************************************************************************************************
-# TODO: review and adapt version 3 of the clientX.down.sh
-
-trap "" TSTP
-trap "" HUP
-trap "" INT
-export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
-
-readonly LOG_MESSAGE_COMMAND=$(basename "${0}")
-
-# Quick check - is the configuration there?
-if ! scutil -w State:/Network/OpenVPN &>/dev/null -t 1 ; then
- # Configuration isn't there, so we forget it
- echo "$(date '+%a %b %e %T %Y') *LEAPClient $LOG_MESSAGE_COMMAND: WARNING: No existing OpenVPN DNS configuration found; not tearing down anything; exiting."
- exit 0
-fi
-
-# NOTE: This script does not use any arguments passed to it by OpenVPN, so it doesn't shift LEAPClient options out of the argument list
-
-# Get info saved by the up script
-LEAPCLIENT_CONFIG="$(/usr/sbin/scutil <<-EOF
- open
- show State:/Network/OpenVPN
- quit
-EOF)"
-
-ARG_MONITOR_NETWORK_CONFIGURATION="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*MonitorNetwork :' | sed -e 's/^.*: //g')"
-LEASEWATCHER_PLIST_PATH="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*LeaseWatcherPlistPath :' | sed -e 's/^.*: //g')"
-PSID="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*Service :' | sed -e 's/^.*: //g')"
-SCRIPT_LOG_FILE="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*ScriptLogFile :' | sed -e 's/^.*: //g')"
-# Don't need: ARG_RESTORE_ON_DNS_RESET="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*RestoreOnDNSReset :' | sed -e 's/^.*: //g')"
-# Don't need: ARG_RESTORE_ON_WINS_RESET="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*RestoreOnWINSReset :' | sed -e 's/^.*: //g')"
-# Don't need: PROCESS="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*PID :' | sed -e 's/^.*: //g')"
-# Don't need: ARG_IGNORE_OPTION_FLAGS="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*IgnoreOptionFlags :' | sed -e 's/^.*: //g')"
-ARG_TAP="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*IsTapInterface :' | sed -e 's/^.*: //g')"
-bRouteGatewayIsDhcp="$(echo "${LEAPCLIENT_CONFIG}" | grep -i '^[[:space:]]*RouteGatewayIsDhcp :' | sed -e 's/^.*: //g')"
-
-# @param String message - The message to log
-logMessage()
-{
- echo "$(date '+%a %b %e %T %Y') *LEAP CLient $LOG_MESSAGE_COMMAND: "${@} >> "${SCRIPT_LOG_FILE}"
-}
-
-trim()
-{
- echo ${@}
-}
-
-if ${ARG_TAP} ; then
- if [ "$bRouteGatewayIsDhcp" == "true" ]; then
- if [ -z "$dev" ]; then
- logMessage "Cannot configure TAP interface for DHCP without \$dev being defined. Device may not have disconnected properly."
- else
- set +e
- ipconfig set "$dev" NONE 2>/dev/null
- set -e
- fi
- fi
-fi
-
-# Issue warning if the primary service ID has changed
-PSID_CURRENT="$( (scutil | grep Service | sed -e 's/.*Service : //')<<- EOF
- open
- show State:/Network/OpenVPN
- quit
-EOF)"
-if [ "${PSID}" != "${PSID_CURRENT}" ] ; then
- logMessage "Ignoring change of Network Primary Service from ${PSID} to ${PSID_CURRENT}"
-fi
-
-# Remove leasewatcher
-if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- launchctl unload "${LEASEWATCHER_PLIST_PATH}"
- logMessage "Cancelled monitoring of system configuration changes"
-fi
-
-# Restore configurations
-DNS_OLD="$(/usr/sbin/scutil <<-EOF
- open
- show State:/Network/OpenVPN/OldDNS
- quit
-EOF)"
-WINS_OLD="$(/usr/sbin/scutil <<-EOF
- open
- show State:/Network/OpenVPN/OldSMB
- quit
-EOF)"
-TB_NO_SUCH_KEY="<dictionary> {
- LEAPClientNoSuchKey : true
-}"
-
-if [ "${DNS_OLD}" = "${TB_NO_SUCH_KEY}" ] ; then
- scutil <<- EOF
- open
- remove State:/Network/Service/${PSID}/DNS
- quit
-EOF
-else
- scutil <<- EOF
- open
- get State:/Network/OpenVPN/OldDNS
- set State:/Network/Service/${PSID}/DNS
- quit
-EOF
-fi
-
-if [ "${WINS_OLD}" = "${TB_NO_SUCH_KEY}" ] ; then
- scutil <<- EOF
- open
- remove State:/Network/Service/${PSID}/SMB
- quit
-EOF
-else
- scutil <<- EOF
- open
- get State:/Network/OpenVPN/OldSMB
- set State:/Network/Service/${PSID}/SMB
- quit
-EOF
-fi
-
-logMessage "Restored the DNS and WINS configurations"
-
-# Remove our system configuration data
-scutil <<- EOF
- open
- remove State:/Network/OpenVPN/SMB
- remove State:/Network/OpenVPN/DNS
- remove State:/Network/OpenVPN/OldSMB
- remove State:/Network/OpenVPN/OldDNS
- remove State:/Network/OpenVPN
- quit
-EOF
-
-exit 0
diff --git a/pkg/osx/install/client.up.sh b/pkg/osx/install/client.up.sh
deleted file mode 100755
index be9814c2..00000000
--- a/pkg/osx/install/client.up.sh
+++ /dev/null
@@ -1,599 +0,0 @@
-#!/bin/bash -e
-# Note: must be bash; uses bash-specific tricks
-#
-# ******************************************************************************************************************
-# Taken from the Tunnelblick script that "just does everything!"
-# It handles TUN and TAP interfaces,
-# pushed configurations, DHCP with DNS and WINS, and renewed DHCP leases. :)
-#
-# This is the "Up" version of the script, executed after the interface is
-# initialized.
-#
-# Created by: Nick Williams (using original code and parts of old Tblk scripts)
-#
-# ******************************************************************************************************************
-# TODO: review and adapt revision 3 of the clientX-up.sh instead
-
-trap "" TSTP
-trap "" HUP
-trap "" INT
-export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
-
-# Process optional arguments (if any) for the script
-# Each one begins with a "-"
-# They come from the leap-client invocation, and come first, before the OpenVPN arguments
-# So we set ARG_ script variables to their values and shift them out of the argument list
-# When we're done, only the OpenVPN arguments remain for the rest of the script to use
-ARG_MONITOR_NETWORK_CONFIGURATION="false"
-ARG_RESTORE_ON_DNS_RESET="false"
-ARG_RESTORE_ON_WINS_RESET="false"
-ARG_TAP="false"
-ARG_IGNORE_OPTION_FLAGS=""
-
-while [ {$#} ] ; do
- if [ "$1" = "-m" ] ; then # Handle the arguments we know about
- ARG_MONITOR_NETWORK_CONFIGURATION="true" # by setting ARG_ script variables to their values
- shift # Then shift them out
- elif [ "$1" = "-d" ] ; then
- ARG_RESTORE_ON_DNS_RESET="true"
- shift
- elif [ "$1" = "-w" ] ; then
- ARG_RESTORE_ON_WINS_RESET="true"
- shift
- elif [ "$1" = "-a" ] ; then
- ARG_TAP="true"
- shift
- elif [ "${1:0:2}" = "-i" ] ; then
- ARG_IGNORE_OPTION_FLAGS="${1}"
- shift
- elif [ "${1:0:2}" = "-a" ] ; then
- ARG_IGNORE_OPTION_FLAGS="${1}"
- shift
- else
- if [ "${1:0:1}" = "-" ] ; then # Shift out Tunnelblick arguments (they start with "-") that we don't understand
- shift # so the rest of the script sees only the OpenVPN arguments
- else
- break
- fi
- fi
-done
-
-readonly ARG_MONITOR_NETWORK_CONFIGURATION ARG_RESTORE_ON_DNS_RESET ARG_RESTORE_ON_WINS_RESET ARG_TAP ARG_IGNORE_OPTION_FLAGS
-
-# Note: The script log path name is constructed from the path of the regular config file, not the shadow copy
-# if the config is shadow copy, e.g. /Library/Application Support/Tunnelblick/Users/Jonathan/Folder/Subfolder/config.ovpn
-# then convert to regular config /Users/Jonathan/Library/Application Support/Tunnelblick/Configurations/Folder/Subfolder/config.ovpn
-# to get the script log path
-# Note: "/Users/..." works even if the home directory has a different path; it is used in the name of the log file, and is not used as a path to get to anything.
-readonly TBALTPREFIX="/Library/Application Support/LEAP Client/Users/"
-readonly TBALTPREFIXLEN="${#TBALTPREFIX}"
-readonly TBCONFIGSTART="${config:0:$TBALTPREFIXLEN}"
-if [ "$TBCONFIGSTART" = "$TBALTPREFIX" ] ; then
- readonly TBBASE="${config:$TBALTPREFIXLEN}"
- readonly TBSUFFIX="${TBBASE#*/}"
- readonly TBUSERNAME="${TBBASE%%/*}"
- readonly TBCONFIG="/Users/$TBUSERNAME/Library/Application Support/LEAP Client/Configurations/$TBSUFFIX"
-else
- readonly TBCONFIG="${config}"
-fi
-
-readonly CONFIG_PATH_DASHES_SLASHES="$(echo "${TBCONFIG}" | sed -e 's/-/--/g' | sed -e 's/\//-S/g')"
-
-# XXX PUT LOGS SOMEWHERE BETTER
-readonly SCRIPT_LOG_FILE="/Users/$LEAPUSER/.config/leap/logs/${CONFIG_PATH_DASHES_SLASHES}.script.log"
-readonly TB_RESOURCE_PATH=$(dirname "${0}")
-
-LEASEWATCHER_PLIST_PATH="/Users/$LEAPUSER/.config/leap/logs/LeaseWatch.plist"
-
-readonly OSVER="$(sw_vers | grep 'ProductVersion:' | grep -o '10\.[0-9]*')"
-
-readonly DEFAULT_DOMAIN_NAME="openvpn"
-
-bRouteGatewayIsDhcp="false"
-
-# @param String message - The message to log
-readonly LOG_MESSAGE_COMMAND=$(basename "${0}")
-logMessage()
-{
- echo "$(date '+%a %b %e %T %Y') *LEAP Client $LOG_MESSAGE_COMMAND: "${@} >> "${SCRIPT_LOG_FILE}"
-}
-
-# @param String string - Content to trim
-trim()
-{
- echo ${@}
-}
-
-# @param String[] dnsServers - The name servers to use
-# @param String domainName - The domain name to use
-# @param \optional String[] winsServers - The WINS servers to use
-setDnsServersAndDomainName()
-{
- declare -a vDNS=("${!1}")
- domain=$2
- declare -a vWINS=("${!3}")
-
- set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
-
- PSID=$( (scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<<- EOF
- open
- show State:/Network/Global/IPv4
- quit
-EOF )
-
- STATIC_DNS_CONFIG="$( (scutil | sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' ')<<- EOF
- open
- show Setup:/Network/Service/${PSID}/DNS
- quit
-EOF )"
- if echo "${STATIC_DNS_CONFIG}" | grep -q "ServerAddresses" ; then
- readonly STATIC_DNS="$(trim "$( echo "${STATIC_DNS_CONFIG}" | sed -e 's/^.*ServerAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )")"
- fi
- if echo "${STATIC_DNS_CONFIG}" | grep -q "SearchDomains" ; then
- readonly STATIC_SEARCH="$(trim "$( echo "${STATIC_DNS_CONFIG}" | sed -e 's/^.*SearchDomains[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )")"
- fi
-
- STATIC_WINS_CONFIG="$( (scutil | sed -e 's/^[[:space:]]*[[:digit:]]* : //g' | tr '\n' ' ')<<- EOF
- open
- show Setup:/Network/Service/${PSID}/SMB
- quit
-EOF )"
- STATIC_WINS_SERVERS=""
- STATIC_WORKGROUP=""
- STATIC_NETBIOSNAME=""
- if echo "${STATIC_WINS_CONFIG}" | grep -q "WINSAddresses" ; then
- STATIC_WINS_SERVERS="$(trim "$( echo "${STATIC_WINS_CONFIG}" | sed -e 's/^.*WINSAddresses[^{]*{[[:space:]]*\([^}]*\)[[:space:]]*}.*$/\1/g' )")"
- fi
- if echo "${STATIC_WINS_CONFIG}" | grep -q "Workgroup" ; then
- STATIC_WORKGROUP="$(trim "$( echo "${STATIC_WINS_CONFIG}" | sed -e 's/^.*Workgroup : \([^[:space:]]*\).*$/\1/g' )")"
- fi
- if echo "${STATIC_WINS_CONFIG}" | grep -q "NetBIOSName" ; then
- STATIC_NETBIOSNAME="$(trim "$( echo "${STATIC_WINS_CONFIG}" | sed -e 's/^.*NetBIOSName : \([^[:space:]]*\).*$/\1/g' )")"
- fi
- readonly STATIC_WINS_SERVERS STATIC_WORKGROUP STATIC_NETBIOSNAME
-
- if [ ${#vDNS[*]} -eq 0 ] ; then
- DYN_DNS="false"
- ALL_DNS="${STATIC_DNS}"
- elif [ -n "${STATIC_DNS}" ] ; then
- case "${OSVER}" in
- 10.6 | 10.7 )
- # Do nothing - in 10.6 we don't aggregate our configurations, apparently
- DYN_DNS="false"
- ALL_DNS="${STATIC_DNS}"
- ;;
- 10.4 | 10.5 )
- DYN_DNS="true"
- # We need to remove duplicate DNS entries, so that our reference list matches MacOSX's
- SDNS="$(echo "${STATIC_DNS}" | tr ' ' '\n')"
- (( i=0 ))
- for n in "${vDNS[@]}" ; do
- if echo "${SDNS}" | grep -q "${n}" ; then
- unset vDNS[${i}]
- fi
- (( i++ ))
- done
- if [ ${#vDNS[*]} -gt 0 ] ; then
- ALL_DNS="$(trim "${STATIC_DNS}" "${vDNS[*]}")"
- else
- DYN_DNS="false"
- ALL_DNS="${STATIC_DNS}"
- fi
- ;;
- esac
- else
- DYN_DNS="true"
- ALL_DNS="$(trim "${vDNS[*]}")"
- fi
- readonly DYN_DNS ALL_DNS
-
- if [ ${#vWINS[*]} -eq 0 ] ; then
- DYN_WINS="false"
- ALL_WINS_SERVERS="${STATIC_WINS_SERVERS}"
- elif [ -n "${STATIC_WINS_SERVERS}" ] ; then
- case "${OSVER}" in
- 10.6 | 10.7 )
- # Do nothing - in 10.6 we don't aggregate our configurations, apparently
- DYN_WINS="false"
- ALL_WINS_SERVERS="${STATIC_WINS_SERVERS}"
- ;;
- 10.4 | 10.5 )
- DYN_WINS="true"
- # We need to remove duplicate WINS entries, so that our reference list matches MacOSX's
- SWINS="$(echo "${STATIC_WINS_SERVERS}" | tr ' ' '\n')"
- (( i=0 ))
- for n in "${vWINS[@]}" ; do
- if echo "${SWINS}" | grep -q "${n}" ; then
- unset vWINS[${i}]
- fi
- (( i++ ))
- done
- if [ ${#vWINS[*]} -gt 0 ] ; then
- ALL_WINS_SERVERS="$(trim "${STATIC_WINS_SERVERS}" "${vWINS[*]}")"
- else
- DYN_WINS="false"
- ALL_WINS_SERVERS="${STATIC_WINS_SERVERS}"
- fi
- ;;
- esac
- else
- DYN_WINS="true"
- ALL_WINS_SERVERS="$(trim "${vWINS[*]}")"
- fi
- readonly DYN_WINS ALL_WINS_SERVERS
-
- # We double-check that our search domain isn't already on the list
- SEARCH_DOMAIN="${domain}"
- case "${OSVER}" in
- 10.6 | 10.7 )
- # Do nothing - in 10.6 we don't aggregate our configurations, apparently
- if [ -n "${STATIC_SEARCH}" ] ; then
- ALL_SEARCH="${STATIC_SEARCH}"
- SEARCH_DOMAIN=""
- else
- ALL_SEARCH="${SEARCH_DOMAIN}"
- fi
- ;;
- 10.4 | 10.5 )
- if echo "${STATIC_SEARCH}" | tr ' ' '\n' | grep -q "${SEARCH_DOMAIN}" ; then
- SEARCH_DOMAIN=""
- fi
- if [ -z "${SEARCH_DOMAIN}" ] ; then
- ALL_SEARCH="${STATIC_SEARCH}"
- else
- ALL_SEARCH="$(trim "${STATIC_SEARCH}" "${SEARCH_DOMAIN}")"
- fi
- ;;
- esac
- readonly SEARCH_DOMAIN ALL_SEARCH
-
- if ! ${DYN_DNS} ; then
- NO_DNS="#"
- fi
- if ! ${DYN_WINS} ; then
- NO_WS="#"
- fi
- if [ -z "${SEARCH_DOMAIN}" ] ; then
- NO_SEARCH="#"
- fi
- if [ -z "${STATIC_WORKGROUP}" ] ; then
- NO_WG="#"
- fi
- if [ -z "${STATIC_NETBIOSNAME}" ] ; then
- NO_NB="#"
- fi
- if [ -z "${ALL_DNS}" ] ; then
- AGG_DNS="#"
- fi
- if [ -z "${ALL_SEARCH}" ] ; then
- AGG_SEARCH="#"
- fi
- if [ -z "${ALL_WINS_SERVERS}" ] ; then
- AGG_WINS="#"
- fi
-
- # Now, do the aggregation
- # Save the openvpn process ID and the Network Primary Service ID, leasewather.plist path, logfile path, and optional arguments from LEAP Client,
- # then save old and new DNS and WINS settings
- # PPID is a bash-script variable that contains the process ID of the parent of the process running the script (i.e., OpenVPN's process ID)
- # config is an environmental variable set to the configuration path by OpenVPN prior to running this up script
- logMessage "Up to two 'No such key' warnings are normal and may be ignored"
-
- # If DNS is manually set, it overrides the DHCP setting, which isn't reflected in 'State:/Network/Service/${PSID}/DNS'
- if echo "${STATIC_DNS_CONFIG}" | grep -q "ServerAddresses" ; then
- CORRECT_OLD_DNS_KEY="Setup:"
- else
- CORRECT_OLD_DNS_KEY="State:"
- fi
-
- # If WINS is manually set, it overrides the DHCP setting, which isn't reflected in 'State:/Network/Service/${PSID}/DNS'
- if echo "${STATIC_WINS_CONFIG}" | grep -q "WINSAddresses" ; then
- CORRECT_OLD_WINS_KEY="Setup:"
- else
- CORRECT_OLD_WINS_KEY="State:"
- fi
-
- # If we are not expecting any WINS value, add <LEAPClientNoSuchKey : true> to the expected WINS setup
- NO_NOSUCH_KEY_WINS="#"
- if [ "${NO_NB}" = "#" -a "${AGG_WINS}" = "#" -a "${NO_WG}" = "#" ] ; then
- NO_NOSUCH_KEY_WINS=""
- fi
- readonly NO_NOSUCH_KEY_WINS
-
- set -e # We instruct bash that it CAN again fail on errors
-
- scutil <<- EOF
- open
- d.init
- d.add PID # ${PPID}
- d.add Service ${PSID}
- d.add LeaseWatcherPlistPath "${LEASEWATCHER_PLIST_PATH}"
- d.add ScriptLogFile "${SCRIPT_LOG_FILE}"
- d.add MonitorNetwork "${ARG_MONITOR_NETWORK_CONFIGURATION}"
- d.add RestoreOnDNSReset "${ARG_RESTORE_ON_DNS_RESET}"
- d.add RestoreOnWINSReset "${ARG_RESTORE_ON_WINS_RESET}"
- d.add IgnoreOptionFlags "${ARG_IGNORE_OPTION_FLAGS}"
- d.add IsTapInterface "${ARG_TAP}"
- d.add RouteGatewayIsDhcp "${bRouteGatewayIsDhcp}"
- set State:/Network/OpenVPN
-
- # First, back up the device's current DNS and WINS configurations
- # Indicate 'no such key' by a dictionary with a single entry: "LEAPClientNoSuchKey : true"
- d.init
- d.add LEAPClientNoSuchKey true
- get ${CORRECT_OLD_DNS_KEY}/Network/Service/${PSID}/DNS
- set State:/Network/OpenVPN/OldDNS
-
- d.init
- d.add LEAPClientNoSuchKey true
- get ${CORRECT_OLD_WINS_KEY}/Network/Service/${PSID}/SMB
- set State:/Network/OpenVPN/OldSMB
-
- # Second, initialize the new DNS map
- d.init
- ${NO_DNS}d.add ServerAddresses * ${vDNS[*]}
- ${NO_SEARCH}d.add SearchDomains * ${SEARCH_DOMAIN}
- d.add DomainName ${domain}
- set State:/Network/Service/${PSID}/DNS
-
- # Third, initialize the WINS map
- d.init
- ${NO_NB}d.add NetBIOSName ${STATIC_NETBIOSNAME}
- ${NO_WS}d.add WINSAddresses * ${vWINS[*]}
- ${NO_WG}d.add Workgroup ${STATIC_WORKGROUP}
- set State:/Network/Service/${PSID}/SMB
-
- # Now, initialize the maps that will be compared against the system-generated map
- # which means that we will have to aggregate configurations of statically-configured
- # nameservers, and statically-configured search domains
- d.init
- ${AGG_DNS}d.add ServerAddresses * ${ALL_DNS}
- ${AGG_SEARCH}d.add SearchDomains * ${ALL_SEARCH}
- d.add DomainName ${domain}
- set State:/Network/OpenVPN/DNS
-
- d.init
- ${NO_NB}d.add NetBIOSName ${STATIC_NETBIOSNAME}
- ${AGG_WINS}d.add WINSAddresses * ${ALL_WINS_SERVERS}
- ${NO_WG}d.add Workgroup ${STATIC_WORKGROUP}
- ${NO_NOSUCH_KEY_WINS}d.add LEAPClientNoSuchKey true
- set State:/Network/OpenVPN/SMB
-
- # We are done
- quit
-EOF
-
- logMessage "Saved the DNS and WINS configurations for later use"
-
- if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- if [ "${ARG_IGNORE_OPTION_FLAGS:0:2}" = "-a" ] ; then
- # Generate an updated plist with the path for process-network-changes
- readonly LEASEWATCHER_TEMPLATE_PATH="$(dirname "${0}")/ProcessNetworkChanges.plist.template"
- sed -e "s|\${DIR}|$(dirname "${0}")|g" "${LEASEWATCHER_TEMPLATE_PATH}" > "${LEASEWATCHER_PLIST_PATH}"
- launchctl load "${LEASEWATCHER_PLIST_PATH}"
- logMessage "Set up to monitor system configuration with process-network-changes"
- else
- # Generate an updated plist with the path for leasewatch
- readonly LEASEWATCHER_TEMPLATE_PATH="$(dirname "${0}")/LeaseWatch.plist.template"
- sed -e "s|\${DIR}|$(dirname "${0}")|g" "${LEASEWATCHER_TEMPLATE_PATH}" > "${LEASEWATCHER_PLIST_PATH}"
- launchctl load "${LEASEWATCHER_PLIST_PATH}"
- logMessage "Set up to monitor system configuration with leasewatch"
- fi
- fi
-}
-
-configureDhcpDns()
-{
- # whilst ipconfig will have created the neccessary Network Service keys, the DNS
- # settings won't actually be used by OS X unless the SupplementalMatchDomains key
- # is added
- # ref. <http://lists.apple.com/archives/Macnetworkprog/2005/Jun/msg00011.html>
- # - is there a way to extract the domains from the SC dictionary and re-insert
- # as SupplementalMatchDomains? i.e. not requiring the ipconfig domain_name call?
-
- # - wait until we get a lease before extracting the DNS domain name and merging into SC
- # - despite it's name, ipconfig waitall doesn't (but maybe one day it will :-)
- ipconfig waitall
-
- unset test_domain_name
- unset test_name_server
-
- set +e # We instruct bash NOT to exit on individual command errors, because if we need to wait longer these commands will fail
-
- # usually takes at least a few seconds to get a DHCP lease
- sleep 3
- n=0
- while [ -z "$test_domain_name" -a -z "$test_name_server" -a $n -lt 5 ]
- do
- logMessage "Sleeping for $n seconds to wait for DHCP to finish setup."
- sleep $n
- n=`expr $n + 1`
-
- if [ -z "$test_domain_name" ]; then
- test_domain_name=`ipconfig getoption $dev domain_name 2>/dev/null`
- fi
-
- if [ -z "$test_name_server" ]; then
- test_name_server=`ipconfig getoption $dev domain_name_server 2>/dev/null`
- fi
- done
-
- sGetPacketOutput=`ipconfig getpacket $dev`
-
- set -e # We instruct bash that it CAN again fail on individual errors
-
- #echo "`date` test_domain_name = $test_domain_name, test_name_server = $test_name_server, sGetPacketOutput = $sGetPacketOutput"
-
- unset aNameServers
- unset aWinsServers
-
- nNameServerIndex=1
- nWinsServerIndex=1
-
- if [ "$sGetPacketOutput" ]; then
- sGetPacketOutput_FirstLine=`echo "$sGetPacketOutput"|head -n 1`
- #echo $sGetPacketOutput_FirstLine
-
- if [ "$sGetPacketOutput_FirstLine" == "op = BOOTREPLY" ]; then
- set +e # "grep" will return error status (1) if no matches are found, so don't fail on individual errors
-
- for tNameServer in `echo "$sGetPacketOutput"|grep "domain_name_server"|grep -Eo "\{([0-9\.]+)(, [0-9\.]+)*\}"|grep -Eo "([0-9\.]+)"`; do
- aNameServers[nNameServerIndex-1]="$(trim "$tNameServer")"
- let nNameServerIndex++
- done
-
- for tWINSServer in `echo "$sGetPacketOutput"|grep "nb_over_tcpip_name_server"|grep -Eo "\{([0-9\.]+)(, [0-9\.]+)*\}"|grep -Eo "([0-9\.]+)"`; do
- aWinsServers[nWinsServerIndex-1]="$(trim "$tWINSServer")"
- let nWinsServerIndex++
- done
-
- sDomainName=`echo "$sGetPacketOutput"|grep "domain_name "|grep -Eo ": [-A-Za-z0-9\-\.]+"|grep -Eo "[-A-Za-z0-9\-\.]+"`
- sDomainName="$(trim "$sDomainName")"
-
- if [ ${#aNameServers[*]} -gt 0 -a "$sDomainName" ]; then
- logMessage "Retrieved name server(s) [ ${aNameServers[@]} ], domain name [ $sDomainName ], and WINS server(s) [ ${aWinsServers[@]} ]"
- setDnsServersAndDomainName aNameServers[@] "$sDomainName" aWinsServers[@]
- return 0
- elif [ ${#aNameServers[*]} -gt 0 ]; then
- logMessage "Retrieved name server(s) [ ${aNameServers[@]} ] and WINS server(s) [ ${aWinsServers[@]} ] and using default domain name [ $DEFAULT_DOMAIN_NAME ]"
- setDnsServersAndDomainName aNameServers[@] "$DEFAULT_DOMAIN_NAME" aWinsServers[@]
- return 0
- else
- # Should we return 1 here and indicate an error, or attempt the old method?
- logMessage "No useful information extracted from DHCP/BOOTP packet. Attempting legacy configuration."
- fi
-
- set -e # We instruct bash that it CAN again fail on errors
- else
- # Should we return 1 here and indicate an error, or attempt the old method?
- logMessage "No DHCP/BOOTP packet found on interface. Attempting legacy configuration."
- fi
- fi
-
- unset sDomainName
- unset sNameServer
- unset aNameServers
-
- sDomainName=`ipconfig getoption $dev domain_name 2>/dev/null`
- sNameServer=`ipconfig getoption $dev domain_name_server 2>/dev/null`
-
- sDomainName="$(trim "$sDomainName")"
- sNameServer="$(trim "$sNameServer")"
-
- declare -a aWinsServers=( ) # Declare empty WINS array to avoid any useless error messages
-
- if [ "$sDomainName" -a "$sNameServer" ]; then
- aNameServers[0]=$sNameServer
- logMessage "Retrieved name server [ $sNameServer ], domain name [ $sDomainName ], and no WINS servers"
- setDnsServersAndDomainName aNameServers[@] "$sDomainName" aWinsServers[@]
- elif [ "$sNameServer" ]; then
- aNameServers[0]=$sNameServer
- logMessage "Retrieved name server [ $sNameServer ] and no WINS servers, and using default domain name [ $DEFAULT_DOMAIN_NAME ]"
- setDnsServersAndDomainName aNameServers[@] "$DEFAULT_DOMAIN_NAME" aWinsServers[@]
- elif [ "$sDomainName" ]; then
- logMessage "WARNING: Retrieved domain name [ $sDomainName ] but no name servers from OpenVPN (DHCP), which is not sufficient to make network/DNS configuration changes."
- if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- logMessage "Will NOT monitor for other network configuration changes."
- fi
- else
- logMessage "WARNING: No DNS information received from OpenVPN (DHCP), so no network/DNS configuration changes need to be made."
- if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- logMessage "Will NOT monitor for other network configuration changes."
- fi
- fi
-
- return 0
-}
-
-configureOpenVpnDns()
-{
- unset vForOptions
- unset vOptions
- unset aNameServers
- unset aWinsServers
-
- nOptionIndex=1
- nNameServerIndex=1
- nWinsServerIndex=1
-
- while vForOptions=foreign_option_$nOptionIndex; [ -n "${!vForOptions}" ]; do
- vOptions[nOptionIndex-1]=${!vForOptions}
- case ${vOptions[nOptionIndex-1]} in
- *DOMAIN* )
- sDomainName="$(trim "${vOptions[nOptionIndex-1]//dhcp-option DOMAIN /}")"
- ;;
- *DNS* )
- aNameServers[nNameServerIndex-1]="$(trim "${vOptions[nOptionIndex-1]//dhcp-option DNS /}")"
- let nNameServerIndex++
- ;;
- *WINS* )
- aWinsServers[nWinsServerIndex-1]="$(trim "${vOptions[nOptionIndex-1]//dhcp-option WINS /}")"
- let nWinsServerIndex++
- ;;
- * )
- logMessage "Unknown: 'foreign_option_${nOptionIndex}' = '${vOptions[nOptionIndex-1]}'"
- ;;
- esac
- let nOptionIndex++
- done
-
- if [ ${#aNameServers[*]} -gt 0 -a "$sDomainName" ]; then
- logMessage "Retrieved name server(s) [ ${aNameServers[@]} ], domain name [ $sDomainName ], and WINS server(s) [ ${aWinsServers[@]} ]"
- setDnsServersAndDomainName aNameServers[@] "$sDomainName" aWinsServers[@]
- elif [ ${#aNameServers[*]} -gt 0 ]; then
- logMessage "Retrieved name server(s) [ ${aNameServers[@]} ] and WINS server(s) [ ${aWinsServers[@]} ] and using default domain name [ $DEFAULT_DOMAIN_NAME ]"
- setDnsServersAndDomainName aNameServers[@] "$DEFAULT_DOMAIN_NAME" aWinsServers[@]
- else
- # Should we maybe just return 1 here to indicate an error? Does this mean that something bad has happened?
- logMessage "No DNS information recieved from OpenVPN, so no network configuration changes need to be made."
- if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- logMessage "Will NOT monitor for other network configuration changes."
- fi
- fi
-
- return 0
-}
-
-# We sleep here to allow time for OS X to process network settings
-sleep 2
-
-EXIT_CODE=0
-
-if ${ARG_TAP} ; then
- # Still need to do: Look for route-gateway dhcp (TAP isn't always DHCP)
- bRouteGatewayIsDhcp="false"
- if [ -z "${route_vpn_gateway}" -o "$route_vpn_gateway" == "dhcp" -o "$route_vpn_gateway" == "DHCP" ]; then
- bRouteGatewayIsDhcp="true"
- fi
-
- if [ "$bRouteGatewayIsDhcp" == "true" ]; then
- if [ -z "$dev" ]; then
- logMessage "Cannot configure TAP interface for DHCP without \$dev being defined. Exiting."
- exit 1
- fi
-
- ipconfig set "$dev" DHCP
-
- configureDhcpDns &
- elif [ "$foreign_option_1" == "" ]; then
- logMessage "No network configuration changes need to be made."
- if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- logMessage "Will NOT monitor for other network configuration changes."
- fi
- else
- configureOpenVpnDns
- EXIT_CODE=$?
- fi
-else
- if [ "$foreign_option_1" == "" ]; then
- logMessage "No network configuration changes need to be made."
- if ${ARG_MONITOR_NETWORK_CONFIGURATION} ; then
- logMessage "Will NOT monitor for other network configuration changes."
- fi
- else
- configureOpenVpnDns
- EXIT_CODE=$?
- fi
-fi
-
-exit $EXIT_CODE
diff --git a/pkg/osx/install/install-leapc.sh b/pkg/osx/install/install-leapc.sh
deleted file mode 100755
index e47abb7c..00000000
--- a/pkg/osx/install/install-leapc.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-# Bitmask Installer Script.
-#
-# Copyright (C) 2013 LEAP Encryption Access Project
-#
-# This file is part of LEAP Client, as
-# available from http://leap.se/. This file is free software;
-# you can redistribute it and/or modify it under the terms of the GNU
-# General Public License (GPL) as published by the Free Software
-# Foundation, in version 2 as it comes in the "COPYING" file of the
-# LEAP Client distribution. LEAP Client is distributed in the
-# hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
-#
-
-set -e
-
-destlibs=/opt/local/lib
-leapdir=/Applications/LEAP\ Client.app
-leaplibs=${leapdir}/Contents/MacOS
-tunstartup=/Library/StartupItems/tun/tun
-
-echo "Installing Bitmask in /Applications..."
-cp -r "LEAP Client.app" /Applications
-
-echo "Copying openvpn binary..."
-cp -r openvpn.leap /usr/bin
-
-echo "Installing tun/tap drivers..."
-test -f $tunstartup && $tunstartup stop
-
-test -d /Library/Extensions || mkdir -p /Library/Extensions
-test -d /Library/StartupItems || mkdir -p /Library/StartupItems
-
-cp -r Extensions/* /Library/Extensions
-cp -r StartupItems/* /Library/StartupItems
-
-echo "Loading tun/tap kernel extension..."
-
-$tunstartup start
-
-echo "Installation Finished!"
diff --git a/pkg/osx/install/leap-installer.platypus b/pkg/osx/install/leap-installer.platypus
deleted file mode 100644
index 9150961e..00000000
--- a/pkg/osx/install/leap-installer.platypus
+++ /dev/null
@@ -1,90 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>AcceptsFiles</key>
- <true/>
- <key>AcceptsText</key>
- <false/>
- <key>Authentication</key>
- <true/>
- <key>Author</key>
- <string>Kali Yuga</string>
- <key>BundledFiles</key>
- <array/>
- <key>Creator</key>
- <string>Platypus-4.7</string>
- <key>DeclareService</key>
- <false/>
- <key>Destination</key>
- <string>MyPlatypusApp.app</string>
- <key>DestinationOverride</key>
- <false/>
- <key>DevelopmentVersion</key>
- <false/>
- <key>DocIcon</key>
- <string></string>
- <key>Droppable</key>
- <false/>
- <key>ExecutablePath</key>
- <string>/opt/local/share/platypus/ScriptExec</string>
- <key>FileTypes</key>
- <array>
- <string>****</string>
- <string>fold</string>
- </array>
- <key>IconPath</key>
- <string></string>
- <key>Identifier</key>
- <string>se.leap.LEAPClientInstaller</string>
- <key>Interpreter</key>
- <string>/bin/sh</string>
- <key>InterpreterArgs</key>
- <array/>
- <key>Name</key>
- <string>LEAPClient Installer</string>
- <key>NibPath</key>
- <string>/opt/local/share/platypus/MainMenu.nib</string>
- <key>OptimizeApplication</key>
- <true/>
- <key>Output</key>
- <string>Progress Bar</string>
- <key>RemainRunning</key>
- <true/>
- <key>Role</key>
- <string>Viewer</string>
- <key>ScriptArgs</key>
- <array/>
- <key>ScriptPath</key>
- <string>./install/install-leapc.sh</string>
- <key>Secure</key>
- <false/>
- <key>ShowInDock</key>
- <false/>
- <key>StatusItemDisplayType</key>
- <string>Text</string>
- <key>StatusItemIcon</key>
- <data>
- </data>
- <key>StatusItemTitle</key>
- <string>MyPlatypusApp</string>
- <key>Suffixes</key>
- <array>
- <string>*</string>
- </array>
- <key>TextBackground</key>
- <string>#ffffff</string>
- <key>TextEncoding</key>
- <integer>4</integer>
- <key>TextFont</key>
- <string>Monaco</string>
- <key>TextForeground</key>
- <string>#000000</string>
- <key>TextSize</key>
- <real>10</real>
- <key>UseXMLPlistFormat</key>
- <true/>
- <key>Version</key>
- <string>1.0</string>
-</dict>
-</plist>
diff --git a/pkg/osx/install/tun.kext/Info.plist b/pkg/osx/install/tun.kext/Info.plist
deleted file mode 100644
index fb69ba85..00000000
--- a/pkg/osx/install/tun.kext/Info.plist
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>CFBundleDevelopmentRegion</key>
- <string>English</string>
- <key>CFBundleExecutable</key>
- <string>tun</string>
- <key>CFBundleIdentifier</key>
- <string>leap.tun</string>
- <key>CFBundleInfoDictionaryVersion</key>
- <string>6.0</string>
- <key>CFBundleName</key>
- <string>tun</string>
- <key>CFBundlePackageType</key>
- <string>KEXT</string>
- <key>CFBundleShortVersionString</key>
- <string>20120120</string>
- <key>CFBundleSignature</key>
- <string>????</string>
- <key>CFBundleVersion</key>
- <string>1.0</string>
- <key>OSBundleLibraries</key>
- <dict>
- <key>com.apple.kpi.mach</key>
- <string>8.0</string>
- <key>com.apple.kpi.bsd</key>
- <string>8.0</string>
- <key>com.apple.kpi.libkern</key>
- <string>8.0</string>
- <key>com.apple.kpi.unsupported</key>
- <string>8.0</string>
- </dict>
-</dict>
-</plist>
-
diff --git a/pkg/osx/post-inst.sh b/pkg/osx/post-inst.sh
new file mode 100755
index 00000000..f88ea97a
--- /dev/null
+++ b/pkg/osx/post-inst.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Bitmask Post-Instalation script
+
+cp se.leap.bitmask-helper.plist /Library/LaunchDaemons/
+launchctl load /Library/LaunchDaemons/se.leap.bitmask-helper.plist
+cp tuntap_20150118.pkg /tmp/
+open /tmp/tuntap_20150118.pkg
diff --git a/pkg/osx/pre-inst.sh b/pkg/osx/pre-inst.sh
new file mode 100755
index 00000000..1651a221
--- /dev/null
+++ b/pkg/osx/pre-inst.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+# Bitmask Post-Instalation script
+[[ -f /Library/LaunchDaemons/se.leap.bitmask-helper.plist ]] && launchctl unload /Library/LaunchDaemons/se.leap.bitmask-helper.plist
diff --git a/pkg/osx/se.leap.bitmask-helper.plist b/pkg/osx/se.leap.bitmask-helper.plist
new file mode 100644
index 00000000..4428f131
--- /dev/null
+++ b/pkg/osx/se.leap.bitmask-helper.plist
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>StandardOutPath</key>
+ <string>bitmask-helper.log</string>
+ <key>StandardErrorPath</key>
+ <string>bitmask-helper-err.log</string>
+ <key>GroupName</key>
+ <string>daemon</string>
+ <key>KeepAlive</key>
+ <dict>
+ <key>SuccessfulExit</key>
+ <false/>
+ </dict>
+ <key>Label</key>
+ <string>se.leap.bitmask-helper</string>
+ <key>ProgramArguments</key>
+ <array>
+ <string>/Applications/Bitmask.app/Contents/Resources/bitmask-helper/bitmask-helper</string>
+ </array>
+ <key>RunAtLoad</key>
+ <true/>
+ <key>WorkingDirectory</key>
+ <string>/Applications/Bitmask.app/Contents/Resources/bitmask-helper/</string>
+ <key>SessionCreate</key>
+ <true/>
+</dict>
+</plist>
diff --git a/pkg/pyinst/README.rst b/pkg/pyinst/README.rst
new file mode 100644
index 00000000..b6784a52
--- /dev/null
+++ b/pkg/pyinst/README.rst
@@ -0,0 +1,17 @@
+Building da bundles
+--------------------
+Because, you know, bundles are cool. Who needs a decent package manager nowadays? </rant>.
+
+You need a couple of things in your virtualenv:
+
+- All the dependencies. A sumo tarball is probably a good idea.
+- PyInstaller. Version 3 or higher.
+- A PySide build. While the postmkenv.sh hack is good enough for
+ developing, you will need a wheel built with --standalone flag.
+ See
+ http://pyside.readthedocs.org/en/latest/building/linux.html#building-pyside-distribution::
+
+ $ python2.7 setup.py bdist_wheel --qmake=/usr/bin/qmake-qt4 --standalone
+
+ (since this takes a while, you can probably grab the already built wheel from
+ the leap servers).
diff --git a/pkg/pyinst/bitmask.spec b/pkg/pyinst/bitmask.spec
index 2bc2f9d2..8c6561cf 100644
--- a/pkg/pyinst/bitmask.spec
+++ b/pkg/pyinst/bitmask.spec
@@ -1,31 +1,49 @@
# -*- mode: python -*-
+import sys
block_cipher = None
-
-a = Analysis([os.path.join('pkg', 'pyinst', 'bitmask.py')],
+# TODO remove QtWebKit for bundles that don't ship pixelated???
+a = Analysis(['bitmask.py'],
hiddenimports=[
- 'zope.interface', 'zope.proxy',
- 'PySide.QtCore', 'PySide.QtGui'],
+ 'zope.interface', 'zope.proxy',
+ 'PySide.QtCore', 'PySide.QtGui', 'PySide.QtWebKit',
+ 'pysqlcipher', 'service_identity',
+ 'leap.common', 'leap.bitmask'
+ ],
+ binaries=None,
+ datas=None,
hookspath=None,
runtime_hooks=None,
excludes=None,
+ win_no_prefer_redirects=None,
+ win_private_assemblies=None,
cipher=block_cipher)
-pyz = PYZ(a.pure,
+pyz = PYZ(a.pure, a.zipped_data,
cipher=block_cipher)
+
+# Binary files you need to include in the form of:
+# (<destination>, <source>, '<TYPE>')
+
+# Data files you want to include, in the form of:
+# (<destination>, <source>, '<TYPE>')
+data = [
+ ('qt.conf', 'qt.conf', 'DATA')
+]
exe = EXE(pyz,
a.scripts,
exclude_binaries=True,
name='bitmask',
- debug=False,
- strip=False,
+ debug=True,
+ strip=None,
upx=True,
- console=False )
+ console=False,
+ icon='../../data/images/mask-icon.ico')
coll = COLLECT(exe,
a.binaries,
a.zipfiles,
a.datas,
- strip=False,
+ strip=None,
upx=True,
name='bitmask')
if sys.platform.startswith("darwin"):
@@ -33,6 +51,7 @@ if sys.platform.startswith("darwin"):
name=os.path.join(
'dist', 'Bitmask.app'),
appname='Bitmask',
- version='0.9.0rc2',
+ # TODO get this from ../next-version.txt
+ version='0.9.0.rc1',
icon='pkg/osx/bitmask.icns',
- bundle_identifier='bitmask-0.9.0rc2')
+ bundle_identifier='bitmask-0.9.0alpha7')
diff --git a/pkg/pyinst/bitmask.spec.orig b/pkg/pyinst/bitmask.spec.orig
new file mode 100644
index 00000000..617104b9
--- /dev/null
+++ b/pkg/pyinst/bitmask.spec.orig
@@ -0,0 +1,38 @@
+# -*- mode: python -*-
+
+block_cipher = None
+
+
+a = Analysis([os.path.join('bitmask.py')],
+ hiddenimports=[
+ 'zope.interface', 'zope.proxy',
+ 'PySide.QtCore', 'PySide.QtGui'],
+ hookspath=None,
+ runtime_hooks=None,
+ excludes=None,
+ cipher=block_cipher)
+pyz = PYZ(a.pure,
+ cipher=block_cipher)
+exe = EXE(pyz,
+ a.scripts,
+ exclude_binaries=True,
+ name='bitmask',
+ debug=False,
+ strip=False,
+ upx=True,
+ console=False )
+coll = COLLECT(exe,
+ a.binaries,
+ a.zipfiles,
+ a.datas,
+ strip=False,
+ upx=True,
+ name='bitmask')
+if sys.platform.startswith("darwin"):
+ app = BUNDLE(coll,
+ name=os.path.join(
+ 'dist', 'Bitmask.app'),
+ appname='Bitmask',
+ version='0.9.0rc2',
+ icon='pkg/osx/bitmask.icns',
+ bundle_identifier='bitmask-0.9.0rc2')
diff --git a/pkg/pyinst/bitmask_cli b/pkg/pyinst/bitmask_cli
new file mode 120000
index 00000000..7842f03b
--- /dev/null
+++ b/pkg/pyinst/bitmask_cli
@@ -0,0 +1 @@
+../../src/leap/bitmask/cli/bitmask_cli.py \ No newline at end of file
diff --git a/pkg/pyinst/bitmask_cli.spec b/pkg/pyinst/bitmask_cli.spec
new file mode 100644
index 00000000..5157e179
--- /dev/null
+++ b/pkg/pyinst/bitmask_cli.spec
@@ -0,0 +1,32 @@
+# -*- mode: python -*-
+
+block_cipher = None
+
+
+a = Analysis(['bitmask_cli'],
+ pathex=['/home/kali/leap/bitmask_client/pkg/pyinst'],
+ binaries=None,
+ datas=None,
+ hiddenimports=[],
+ hookspath=[],
+ runtime_hooks=[],
+ excludes=[],
+ win_no_prefer_redirects=False,
+ win_private_assemblies=False,
+ cipher=block_cipher)
+pyz = PYZ(a.pure, a.zipped_data, cipher=block_cipher)
+exe = EXE(pyz,
+ a.scripts,
+ exclude_binaries=True,
+ name='bitmask_cli',
+ debug=False,
+ strip=False,
+ upx=True,
+ console=True )
+coll = COLLECT(exe,
+ a.binaries,
+ a.zipfiles,
+ a.datas,
+ strip=False,
+ upx=True,
+ name='bitmask_cli')
diff --git a/pkg/pyinst/bitmaskd b/pkg/pyinst/bitmaskd
new file mode 120000
index 00000000..c5b08597
--- /dev/null
+++ b/pkg/pyinst/bitmaskd
@@ -0,0 +1 @@
+../../src/leap/bitmask/core/launcher.py \ No newline at end of file
diff --git a/pkg/pyinst/bitmaskd.spec b/pkg/pyinst/bitmaskd.spec
new file mode 100644
index 00000000..4e2e2d6a
--- /dev/null
+++ b/pkg/pyinst/bitmaskd.spec
@@ -0,0 +1,33 @@
+# -*- mode: python -*-
+
+block_cipher = None
+
+
+a = Analysis(['bitmaskd'],
+ pathex=['/home/kali/leap/bitmask_client/pkg/pyinst'],
+ binaries=None,
+ datas=None,
+ hiddenimports=[],
+ hookspath=[],
+ runtime_hooks=[],
+ excludes=[],
+ win_no_prefer_redirects=False,
+ win_private_assemblies=False,
+ cipher=block_cipher)
+pyz = PYZ(a.pure, a.zipped_data,
+ cipher=block_cipher)
+exe = EXE(pyz,
+ a.scripts,
+ exclude_binaries=True,
+ name='bitmaskd',
+ debug=False,
+ strip=False,
+ upx=True,
+ console=True )
+coll = COLLECT(exe,
+ a.binaries,
+ a.zipfiles,
+ a.datas,
+ strip=False,
+ upx=True,
+ name='bitmaskd')
diff --git a/pkg/pyinst/multi.spec b/pkg/pyinst/multi.spec
new file mode 100644
index 00000000..aa5c83c0
--- /dev/null
+++ b/pkg/pyinst/multi.spec
@@ -0,0 +1,75 @@
+
+# -*- mode: python -*-
+
+block_cipher = None
+
+
+gui_a = Analysis(['bitmask.py'],
+ hiddenimports=[
+ 'zope.interface', 'zope.proxy',
+ 'PySide.QtCore', 'PySide.QtGui'],
+ hookspath=None,
+ runtime_hooks=None,
+ excludes=None,
+ cipher=block_cipher)
+cli_a = Analysis(['bitmask_cli'],
+ binaries=None,
+ datas=None,
+ hiddenimports=[
+ 'zope.interface', 'zope.proxy'],
+ hookspath=[],
+ runtime_hooks=[],
+ excludes=[],
+ win_no_prefer_redirects=False,
+ win_private_assemblies=False,
+ cipher=block_cipher)
+daemon_a = Analysis(['bitmaskd'],
+ binaries=None,
+ datas=None,
+ hiddenimports=[
+ 'leap.bitmask.core.service'],
+ hookspath=[],
+ runtime_hooks=[],
+ excludes=[],
+ win_no_prefer_redirects=False,
+ win_private_assemblies=False,
+ cipher=block_cipher)
+
+MERGE( (gui_a, 'bitmask', 'bitmask'),
+ (cli_a, 'bitmask_cli', 'bitmask'),
+ (daemon_a, 'bitmaskd', 'bitmaskd'))
+
+gui_pyz = PYZ(gui_a.pure, gui_a.zipped_data, cipher=block_cipher)
+gui_exe = EXE(gui_pyz,
+ gui_a.scripts,
+ exclude_binaries=True,
+ name='bitmask', debug=False, strip=False,
+ upx=True, console=False )
+
+cli_pyz = PYZ(cli_a.pure, cli_a.zipped_data, cipher=block_cipher)
+cli_exe = EXE(cli_pyz,
+ cli_a.scripts,
+ exclude_binaries=True,
+ name='bitmask_cli', debug=False, strip=False,
+ upx=True, console=True)
+daemon_pyz = PYZ(daemon_a.pure, daemon_a.zipped_data, cipher=block_cipher)
+daemon_exe = EXE(daemon_pyz,
+ daemon_a.scripts,
+ exclude_binaries=True,
+ name='bitmaskd', debug=False, strip=False, upx=True, console=True )
+
+gui_coll = COLLECT(gui_exe,
+ gui_a.binaries,
+ gui_a.zipfiles,
+ gui_a.datas,
+ strip=False, upx=True, name='bitmask')
+cli_coll = COLLECT(cli_exe,
+ cli_a.binaries,
+ cli_a.zipfiles,
+ cli_a.datas,
+ strip=False, upx=True, name='bitmask_cli')
+daemon_coll = COLLECT(daemon_exe,
+ daemon_a.binaries,
+ daemon_a.zipfiles,
+ daemon_a.datas,
+ strip=False, upx=True, name='bitmaskd')
diff --git a/pkg/pyinst/pyinst-build.mk b/pkg/pyinst/pyinst-build.mk
new file mode 100644
index 00000000..92a1cbb3
--- /dev/null
+++ b/pkg/pyinst/pyinst-build.mk
@@ -0,0 +1,99 @@
+freeze-ver:
+ cp pkg/version-template src/leap/bitmask/_version.py
+ sed -i 's/^version_version\(.*\)/version_version = "$(NEXT_VERSION)"/' src/leap/bitmask/_version.py
+ sed -i "s/^full_revisionid\(.*\)/full_revisionid='$(GIT_COMMIT)'/" src/leap/bitmask/_version.py
+
+freeze-ver-osx:
+ cp pkg/version-template src/leap/bitmask/_version.py
+ sed -i ' ' 's/^version_version\(.*\)/version_version = "$(NEXT_VERSION)"/' src/leap/bitmask/_version.py
+ sed -i ' ' "s/^full_revisionid\(.*\)/full_revisionid='$(GIT_COMMIT)'/" src/leap/bitmask/_version.py
+
+hash-binaries:
+ OPENVPN_BIN=$(LEAP_BUILD_DIR)openvpn BITMASK_ROOT=pkg/linux/bitmask-root python setup.py hash_binaries
+
+pyinst: freeze-ver hash-binaries
+ pyinstaller -y pkg/pyinst/bitmask.spec
+
+pyinst_osx: freeze-ver-osx hash-binaries
+ pyinstaller -y pkg/pyinst/bitmask.spec
+
+reset-ver:
+ git checkout -- src/leap/bitmask/_version.py
+
+pyinst-hacks-linux:
+ # XXX this should be taken care of by pyinstaller data collector
+ cp $(VIRTUAL_ENV)/lib/python2.7/site-packages/leap/common/cacert.pem $(DIST)
+ mkdir -p $(DIST)pysqlcipher
+ mkdir -p $(DIST)pixelated
+ mkdir -p $(DIST)twisted/web
+ cp $(VIRTUAL_ENV)/lib/python2.7/site-packages/pysqlcipher/_sqlite.so $(DIST)pysqlcipher
+ cp -r $(VIRTUAL_ENV)/lib/python2.7/site-packages/pixelated_www $(DIST)
+ cp -r $(VIRTUAL_ENV)/lib/python2.7/site-packages/pixelated/assets/ $(DIST)pixelated
+ cp -r $(VIRTUAL_ENV)/lib/python2.7/site-packages/twisted/web/failure.xhtml $(DIST)twisted/web/
+
+pyinst-hacks-osx:
+ # XXX this should be taken care of by pyinstaller data collector
+ cp $(VIRTUAL_ENV)/lib/python2.7/site-packages/leap/common/cacert.pem $(DIST)
+ cp $(VIRTUAL_ENV)/lib/python2.7/site-packages/leap/common/cacert.pem $(DIST_OSX)Contents/MacOS/
+ mv $(DIST_OSX)Contents/MacOS/bitmask $(DIST_OSX)Contents/MacOS/bitmask-app
+ cp pkg/osx/bitmask-wrapper $(DIST_OSX)Contents/MacOS/bitmask
+ # XXX need the rest???
+
+pyinst-trim:
+ rm -f $(DIST)libQtOpenGL.so.4
+ rm -f $(DIST)libQtSql.so.4
+ rm -f $(DIST)libQt3Support.so.4
+ rm -f $(DIST)libaudio.so.2
+ rm -f $(DIST)libnvidia-*
+
+pyinst-cleanup:
+ rm -rf $(DIST)config
+ mkdir -p $(DIST_VERSION)
+ mv $(DIST) $(DIST_VERSION)lib
+ cd pkg/launcher && make
+ mv pkg/launcher/bitmask $(DIST_VERSION)
+
+pyinst-distribution-data:
+ cp release-notes.rst $(DIST_VERSION)
+ cp pkg/PixelatedWebmail.README $(DIST_VERSION)
+ cp LICENSE $(DIST_VERSION)
+
+pyinst-helpers-linux:
+ mkdir -p $(DIST_VERSION)apps/eip/files
+ cp $(LEAP_BUILD_DIR)openvpn $(DIST_VERSION)apps/eip/files/leap-openvpn
+ cp pkg/linux/bitmask-root $(DIST_VERSION)apps/eip/files/
+ cp pkg/linux/leap-install-helper.sh $(DIST_VERSION)apps/eip/files/
+ cp pkg/linux/polkit/se.leap.bitmask.bundle.policy $(DIST_VERSION)apps/eip/files/
+ mkdir -p $(DIST_VERSION)apps/mail
+ cp $(LEAP_BUILD_DIR)gpg $(DIST_VERSION)apps/mail
+
+pyinst-helpers-osx:
+ mkdir -p $(DIST_OSX_RES)bitmask-helper
+ mkdir -p $(DIST_OSX)Contents/MacOS/apps/mail
+ cp pkg/osx/client.up.sh $(DIST_OSX_RES)
+ cp pkg/osx/client.down.sh $(DIST_OSX_RES)
+ cp pkg/osx/bitmask-helper $(DIST_OSX_RES)bitmask-helper/
+ cp pkg/osx/bitmask.pf.conf $(DIST_OSX_RES)bitmask-helper/
+ cp pkg/osx/se.leap.bitmask-helper.plist $(DIST_OSX_RES)bitmask-helper/
+ cp pkg/osx/post-inst.sh $(DIST_OSX_RES)bitmask-helper/
+ cp pkg/osx/daemon/daemon.py $(DIST_OSX_RES)bitmask-helper/
+ cp /opt/homebrew-cask/Caskroom/tuntap/20150118/tuntap_20150118.pkg $(DIST_OSX_RES)
+ # TODO make the build script put it there
+ cp $(LEAP_BUILD_DIR)openvpn.leap.polarssl $(DIST_OSX_RES)openvpn.leap
+ cp $(LEAP_BUILD_DIR)gpg $(DIST_OSX)Contents/MacOS/apps/mail/
+
+pyinst-tar:
+ cd dist/ && tar cvzf Bitmask.$(NEXT_VERSION).tar.gz bitmask-$(NEXT_VERSION)
+
+pyinst-sign:
+ gpg2 -a --sign --detach-sign dist/Bitmask.$(NEXT_VERSION).tar.gz
+
+pyinst-upload:
+ rsync --rsh='ssh' -avztlpog --progress --partial dist/Bitmask.$(NEXT_VERSION).* salmon.leap.se:./
+
+pyinst-linux: pyinst reset-ver pyinst-hacks-linux pyinst-trim pyinst-cleanup pyinst-distribution-data pyinst-helpers-linux pyinst-tar
+
+pyinst-osx: pyinst_osx reset-ver pyinst-hacks-osx pyinst-helpers-osx
+
+clean_pkg:
+ rm -rf build dist
diff --git a/pkg/pyinst/qt.conf b/pkg/pyinst/qt.conf
new file mode 100644
index 00000000..7eecd342
--- /dev/null
+++ b/pkg/pyinst/qt.conf
@@ -0,0 +1,2 @@
+[Paths]
+Plugins=qt4_plugins \ No newline at end of file
diff --git a/pkg/pyinst/trim-notes.txt b/pkg/pyinst/trim-notes.txt
new file mode 100644
index 00000000..2d825760
--- /dev/null
+++ b/pkg/pyinst/trim-notes.txt
@@ -0,0 +1,12 @@
+88M
+-------------
+libaudio.so.2
+libQt3Support.so.4
+libQtNetwork.so.4
+libtiff.so.5
+libQtSvg.so.4
+libQtXml.so.4
+libQtSql.so.4
+libQtOpenGL.so.4
+libnvidia-glcore.so.352.79
+PySide.QtNetwork.x86_64-linux-gnu.so
diff --git a/pkg/requirements-leap.pip b/pkg/requirements-leap.pip
index 8e353c33..abaeb8fc 100644
--- a/pkg/requirements-leap.pip
+++ b/pkg/requirements-leap.pip
@@ -1,4 +1,4 @@
-leap.soledad.client>=0.6.0
-leap.keymanager>=0.4.0
-leap.mail>=0.4.0
-leap.common>=0.4.0
+leap.soledad.client>=0.8.0
+leap.keymanager>=0.5.0
+leap.mail>=0.4.1
+leap.common>=0.5.1
diff --git a/pkg/requirements-pixelated.pip b/pkg/requirements-pixelated.pip
new file mode 100644
index 00000000..d1f8004d
--- /dev/null
+++ b/pkg/requirements-pixelated.pip
@@ -0,0 +1,4 @@
+--find-links https://downloads.leap.se/libs/pixelated/
+pixelated-user-agent
+pixelated-www
+whoosh
diff --git a/pkg/scripts/bootstrap_develop.sh b/pkg/scripts/bootstrap_develop.sh
index 68edcd43..af3dce20 100755
--- a/pkg/scripts/bootstrap_develop.sh
+++ b/pkg/scripts/bootstrap_develop.sh
@@ -118,6 +118,8 @@ setup_develop() {
# hack to solve gnupg version problem
pip uninstall -y gnupg && pip install gnupg
+ # XXX this fails in trusty; see #8009
+ # pip install -r pkg/requirements-pixelated.pip
set +x
echo "${cc_green}Status: $status done.${cc_normal}"
}
diff --git a/pkg/sumo-tarballs.mk b/pkg/sumo-tarballs.mk
new file mode 100644
index 00000000..3bd5fa77
--- /dev/null
+++ b/pkg/sumo-tarballs.mk
@@ -0,0 +1,25 @@
+checkout_leapdeps_release:
+ pkg/scripts/checkout_leap_versions.sh
+
+setup_without_namespace:
+ awk '!/namespace_packages*/' setup.py > file && mv file setup.py
+
+sumo_tarball_release: checkout_leapdeps_release setup_without_namespace
+ python setup.py sdist --sumo
+ git checkout -- src/leap/__init__.py
+ git checkout -- src/leap/bitmask/_version.py
+ rm -rf src/leap/soledad
+ git checkout -- setup.py
+
+# XXX We need two sets of sumo-tarballs: the one published for a release
+# (that will pick the pinned leap deps), and the other which will be used
+# for the nightly builds.
+# TODO change naming scheme for sumo-latest: should include date (in case
+# bitmask is not updated bu the dependencies are)
+
+sumo_tarball_latest: checkout_leapdeps_develop pull_leapdeps setup_without_namespace
+ python setup.py sdist --sumo # --latest
+ git checkout -- src/leap/__init__.py
+ git checkout -- src/leap/bitmask/_version.py
+ rm -rf src/leap/soledad
+ git checkout -- setup.py
diff --git a/pkg/tools/profile.mk b/pkg/tools/profile.mk
new file mode 100644
index 00000000..8d45c01a
--- /dev/null
+++ b/pkg/tools/profile.mk
@@ -0,0 +1,23 @@
+do_cprofile:
+ python -m cProfile -o bitmask.cprofile src/leap/bitmask/app.py --debug -N
+
+view_cprofile:
+ cprofilev bitmask.cprofile
+
+mailprofile:
+ gprof2dot -f pstats /tmp/leap_mail_profile.pstats -n 0.2 -e 0.2 | dot -Tpdf -o /tmp/leap_mail_profile.pdf
+
+do_lineprof:
+ LEAP_PROFILE_IMAPCMD=1 LEAP_MAIL_MANHOLE=1 kernprof.py -l src/leap/bitmask/app.py --debug
+
+do_lineprof_offline:
+ LEAP_PROFILE_IMAPCMD=1 LEAP_MAIL_MANHOLE=1 kernprof.py -l src/leap/bitmask/app.py --offline --debug -N
+
+view_lineprof:
+ @python -m line_profiler app.py.lprof | $(EDITOR) -
+
+resource_graph:
+ #./pkg/scripts/monitor_resource.zsh `ps aux | grep app.py | head -1 | awk '{print $$2}'` $(RESOURCE_TIME)
+ ./pkg/scripts/monitor_resource.zsh `pgrep bitmask` $(RESOURCE_TIME)
+ display bitmask-resources.png
+
diff --git a/pkg/version-template b/pkg/version-template
new file mode 100644
index 00000000..ecb5b987
--- /dev/null
+++ b/pkg/version-template
@@ -0,0 +1,8 @@
+version_version = "xxx"
+full_revisionid = 'deadbeef'
+
+
+def get_versions(default={}, verbose=False):
+ return {'version': version_version,
+ 'full-revisionid': full_revisionid}
+
diff --git a/pkg/windows/Makefile b/pkg/windows/Makefile
new file mode 100644
index 00000000..5d19353e
--- /dev/null
+++ b/pkg/windows/Makefile
@@ -0,0 +1,25 @@
+.PHONY: all pkg installer openvpn pyinstaller
+all:
+ docker-compose build
+ $(MAKE) pkg
+
+pkg:
+ $(MAKE) openvpn
+ $(MAKE) pyinstaller
+ $(MAKE) installer
+
+pyinstaller:
+ docker-compose run --rm pyinstaller
+
+openvpn:
+ docker-compose run --rm openvpn
+
+installer:
+ docker-compose run --rm installer
+
+clean:
+ docker rmi windows_pyinstaller
+ docker rmi windows_openvpn
+ docker rmi windows_installer
+ rm -rf ../../dist/*.exe
+ rm -rf ../../build/* \ No newline at end of file
diff --git a/pkg/windows/README.rst b/pkg/windows/README.rst
new file mode 100644
index 00000000..0bdfb1d1
--- /dev/null
+++ b/pkg/windows/README.rst
@@ -0,0 +1,144 @@
+Environment setup in debian:jessie
+==================================
+
+basically you need this to setup your environment:
+
+# apt-get install mingw-w64
+# apt-get install wine
+# apt-get install nsis
+
+this is a incomplete list of dependencies, review the pyinstaller/Dockerfile
+to get a understanding of what needs to be setup in order to have a
+environment that builds the installer
+
+Requirements
+============
+
+docker-compose
+
+Building the package
+====================
+
+make pkg
+
+
+Reproducible builds
+===================
+
+please run the binary and installer builds on a clean machine eg
+using docker or any virtual environment that can easily be prepared
+by a third party to verify that the binaries are actually what the
+sourcecode suggests.
+
+to use reproducible build you need to install docker which then installs
+a clean debian:jessie to install nsis or the mingw environment
+
+
+Installer
+=========
+
+NSIS was choosen because it provided a out of the box toolchain to build
+installers for the windows platform with minimal dependencies. The downside
+of nsis is that it does not produce msi binaries
+
+to build the binary dependencies run:
+
+```
+docker-compose run --rm openvpn
+docker-compose run --rm pyinstaller
+```
+
+the produced binaries will be stored in ${ROOT}/build
+
+to build the installer run:
+
+```
+docker-compose run --rm installer
+```
+
+the produced installer will be stored in ${ROOT}/dist
+
+
+Pyinstaller
+===========
+
+Pyinstaller is a docker image based on debian:jessie with a cross-compile
+toolchain (gcc) for building zlib and openssl in linux and wine (staging)
+with installed python and mingw32 for pip/wheel compiling.
+All pip installed dependencies are
+part of the pyinstaller-build.sh script so they can be re-executed when the
+dependencies of the project change. The image should be rebuild when openssl,
+python or pyinstaller is updated:
+
+```
+docker-compose build pyinstaller
+```
+
+To debug or fine-tune the compile process it may be useful to setup the
+following software on the development machine:
+
+```
+X :1 -listen tcp
+DISPLAY=:1 xhost +
+docker-compose run --rm pyinstaller /bin/bash
+root@0fa19215321f:/# export DISPLAY=${YOUR_LOCAL_IP}:1
+root@0fa19215321f:/# wine cmd
+Z:\>python
+>>>
+```
+
+the configured volumes are:
+
+- the (read-only) sourcecode of the bitmask project in /var/src/bitmask
+- the result of the builds in /var/build
+
+pyinstaller-build.sh
+====================
+
+Contains all steps to build the win32 executables. The project relies on
+a read-write source tree which will pollute the development environment and
+make it hard to reproduce 'clean' builds. therefore it expects that the source
+is freshly checked out and not used to run in the host-environment. Otherwise
+pyc and ui elements will mess up the binary in unpredictable ways.
+
+* copy the /var/src/bitmask sources to a read-write location (/var/build)
+* execute ```make all``` in wine to build the qt ui and other resources
+* execute ```pip install $dependencies``` to have all dependencies available
+* execute ```pyinstaller``` in wine to compile the executable for
+** bitmask (src/leap/bitmask/app.py)
+* cleanup
+** remove the read-write copy
+** remove wine-dlls from the installer
+
+As the step 'install dependencies' may take long on slow internet connections
+during development it is advised to recycle the container and share the
+build/executables path with a windows-vm to test the result in short cycles
+instead of make pkg, uninstall, install.
+
+```
+docker-compose run --rm --entrypoint=/bin/bash pyinstalle
+root@0fa19215321f:/# cd /var/src/bitmask/pkg/windows
+root@0fa19215321f:/var/src/bitmask/pkg/windows# ./pyinstaller-build.sh
+root@0fa19215321f:/var/src/bitmask/pkg/windows# ./pyinstaller-build.sh
+root@0fa19215321f:/var/src/bitmask/pkg/windows# ./pyinstaller-build.sh
+....
+```
+
+and test the result binary (accessible in bitmask/build in a separate vm.
+
+OpenVPN
+=======
+
+OpenVPN is a straight forward cross compile image that builds the openvpn
+sourcecode from the git-repository to a windows executable that can be
+used by bitmask_root to launch eip.
+It needs to be rebuild regulary as openssl gets a new version about every
+month. PyInstaller uses the openssl that is compiled by this image
+
+Installer
+=========
+
+Installer is a straight forward debian image with makensis installed. The
+installer-build script lists the previously built files from pyinstaller and
+openvpn to pass it as nsh file to makensis. bitmask.nis controls what will
+be displayed to the user and how the components are installed and uninstalled \ No newline at end of file
diff --git a/pkg/windows/TODO b/pkg/windows/TODO
new file mode 100644
index 00000000..49c6bac1
--- /dev/null
+++ b/pkg/windows/TODO
@@ -0,0 +1,15 @@
+TODO
+====
+
+fix python-code (0.9.1) that fails on windows:
+- fix the race condition for the backend/frontend startup.
+ spawning the backend takes time. with a introduced 15s timeout
+ it was possible to ensure the backend is up. It would be ideal
+ if the backend could signal the app to continue loading the frontend
+- fix the ~/leap/events/zmq_certificates/public_keys/server.key
+- fix logger (& remove hack in pyinstaller-build.sh:228)
+- fix pysqlcipher (/LIB:,https get not working in setup.py, remove hack
+ in pyinstaller-build:164)
+- merge bitmask_root from https://github.com/alirezamirzaeiyan/bitmask-root
+
+create similar infrastructure for osx dmg, preferably run on osx for compressed dmg \ No newline at end of file
diff --git a/pkg/windows/bitmask.nis b/pkg/windows/bitmask.nis
new file mode 100644
index 00000000..8705c058
--- /dev/null
+++ b/pkg/windows/bitmask.nis
@@ -0,0 +1,2 @@
+!define PKGNAME bitmask
+!include .\bitmask.nsh \ No newline at end of file
diff --git a/pkg/windows/bitmask.nsh b/pkg/windows/bitmask.nsh
new file mode 100644
index 00000000..fe02f84e
--- /dev/null
+++ b/pkg/windows/bitmask.nsh
@@ -0,0 +1,115 @@
+# pwd is a ro-mounted source-tree that had all dependencies build into
+# package-name directories
+!define PKGNAMEPATH ..\..\build\executables\${PKGNAME}
+!include ${PKGNAMEPATH}_version.nsh
+!include .\bitmask_client_product.nsh
+!include ${PKGNAMEPATH}_install_files_size.nsh
+
+RequestExecutionLevel admin ;Require admin rights on NT6+ (When UAC is turned on)
+
+InstallDir "$PROGRAMFILES\${APPNAME}"
+
+LicenseData "..\..\LICENSE"
+Name "${COMPANYNAME} - ${APPNAME}"
+Icon "..\..\build\executables\mask-icon.ico"
+
+# /var/dist is a rw mounted volume
+outFile "/var/dist/${PKGNAME}-${VERSIONMAJOR}.${VERSIONMINOR}.${VERSIONBUILD}${VERSIONSUFFIX}.exe"
+!include LogicLib.nsh
+
+# Just three pages - license agreement, install location, and installation
+page license
+page directory
+Page instfiles
+
+!macro VerifyUserIsAdmin
+UserInfo::GetAccountType
+pop $0
+${If} $0 != "admin" ;Require admin rights on NT4+
+ messageBox mb_iconstop "Administrator rights required!"
+ setErrorLevel 740 ;ERROR_ELEVATION_REQUIRED
+ quit
+${EndIf}
+!macroend
+
+function .onInit
+ setShellVarContext all
+ !insertmacro VerifyUserIsAdmin
+functionEnd
+
+section "TAP Virtual Ethernet Adapter" SecTAP
+ SetOverwrite on
+ SetOutPath "$TEMP"
+ File /oname=tap-windows.exe "..\..\build\executables\openvpn\tap-windows.exe"
+
+ DetailPrint "Installing TAP (may need confirmation)..."
+ nsExec::ExecToLog '"$TEMP\tap-windows.exe" /S /SELECT_UTILITIES=1'
+ Pop $R0 # return value/error/timeout
+
+ Delete "$TEMP\tap-windows.exe"
+ WriteRegStr HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "tap" "installed"
+sectionEnd
+
+section "install"
+ setOutPath $INSTDIR
+
+ !include ${PKGNAMEPATH}_install_files.nsh
+
+ # Uninstaller - See function un.onInit and section "uninstall" for configuration
+ writeUninstaller "$INSTDIR\uninstall.exe"
+
+ # Start Menu
+ createDirectory "$SMPROGRAMS\${COMPANYNAME}"
+ createShortCut "$SMPROGRAMS\${COMPANYNAME}\${APPNAME}.lnk" "$INSTDIR\bitmask.exe" "" "$INSTDIR\bitmask.exe"
+
+ !include bitmask_client_registry_install.nsh
+sectionEnd
+
+# Uninstaller
+
+function un.onInit
+ SetShellVarContext all
+ !insertmacro VerifyUserIsAdmin
+functionEnd
+
+section "uninstall"
+
+ delete "$SMPROGRAMS\${COMPANYNAME}\${APPNAME}.lnk"
+ # Try to remove the Start Menu folder - this will only happen if it is empty
+ rmDir "$SMPROGRAMS\${COMPANYNAME}"
+
+ # Remove files
+ !include ${PKGNAMEPATH}_uninstall_files.nsh
+
+ # Remove TAP Drivers
+ ReadRegStr $R0 HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "tap"
+ ${If} $R0 == "installed"
+ DetailPrint "Uninstalling TAP as we installed it..."
+ ReadRegStr $R0 HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TAP-Windows" "UninstallString"
+ ${If} $R0 != ""
+ DetailPrint "Uninstalling TAP..."
+ nsExec::ExecToLog '"$R0" /S'
+ Pop $R0 # return value/error/timeout
+ ${Else}
+ # on x64 windows the uninstall location needs to be accessed using WOW
+ SetRegView 64
+ ReadRegStr $R0 HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TAP-Windows" "UninstallString"
+ SetRegView 32
+ ${If} $R0 != ""
+ DetailPrint "Uninstalling TAP 64..."
+ nsExec::ExecToLog '"$R0" /S'
+ Pop $R0 # return value/error/timeout
+ ${EndIf}
+ ${EndIf}
+ DeleteRegValue HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "tap"
+ ${EndIf}
+
+ # Always delete uninstaller as the last action
+ delete $INSTDIR\uninstall.exe
+
+ # Try to remove the install directory - this will only happen if it is empty
+ rmDir $INSTDIR
+
+ # Remove uninstaller information from the registry
+ DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}"
+sectionEnd \ No newline at end of file
diff --git a/pkg/windows/bitmask_client_product.nsh b/pkg/windows/bitmask_client_product.nsh
new file mode 100644
index 00000000..64f59ac7
--- /dev/null
+++ b/pkg/windows/bitmask_client_product.nsh
@@ -0,0 +1,8 @@
+!define APPNAME "Bitmask"
+!define COMPANYNAME "leap.se"
+!define DESCRIPTION "With Bitmask VPN, all your traffic is securely routed through your provider before it is decrypted and sent on to the open internet."
+# These will be displayed by the "Click here for support information" link in "Add/Remove Programs"
+# It is possible to use "mailto:" links in here to open the email client
+!define HELPURL "https://bitmask.net/en/help" # "Support Information" link
+!define UPDATEURL "https://bitmask.net/en/install" # "Product Updates" link
+!define ABOUTURL "https://bitmask.net/" # "Publisher" link \ No newline at end of file
diff --git a/pkg/windows/bitmask_client_registry_install.nsh b/pkg/windows/bitmask_client_registry_install.nsh
new file mode 100644
index 00000000..5bf04045
--- /dev/null
+++ b/pkg/windows/bitmask_client_registry_install.nsh
@@ -0,0 +1,17 @@
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "DisplayName" "${COMPANYNAME} - ${APPNAME} - ${DESCRIPTION}"
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "UninstallString" "$\"$INSTDIR\uninstall.exe$\""
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "QuietUninstallString" "$\"$INSTDIR\uninstall.exe$\" /S"
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "InstallLocation" "$\"$INSTDIR$\""
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "DisplayIcon" "$\"$INSTDIR\bitmask.exe$\""
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "Publisher" "${COMPANYNAME}"
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "HelpLink" "${HELPURL}"
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "URLUpdateInfo" "$\"${UPDATEURL}$\""
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "URLInfoAbout" "$\"${ABOUTURL}$\""
+WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "DisplayVersion" "${VERSIONMAJOR}.${VERSIONMINOR}.${VERSIONBUILD}${VERSIONSUFFIX}"
+WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "VersionMajor" ${VERSIONMAJOR}
+WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "VersionMinor" ${VERSIONMINOR}
+# There is no option for modifying or repairing the install
+WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "NoModify" 1
+WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "NoRepair" 1
+# Set the INSTALLSIZE constant (!defined at the top of this script) so Add/Remove Programs can accurately report the size
+WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME} ${APPNAME}" "EstimatedSize" ${INSTALLSIZE} \ No newline at end of file
diff --git a/pkg/windows/docker-compose.yml b/pkg/windows/docker-compose.yml
new file mode 100644
index 00000000..92b310c8
--- /dev/null
+++ b/pkg/windows/docker-compose.yml
@@ -0,0 +1,42 @@
+# mingw environment to build dependency binaries in a reproducible environment
+# https://wiki.debian.org/ReproducibleBuilds
+# service to build a windows executable using pyinstaller
+# utilizes wine and pyinstaller-build.sh to produce
+# build/executables/pyinstaller/bitmask/*
+# usage: docker-compose run --rm pyinstaller
+# non-zero exit code on failure
+pyinstaller:
+ build: pyinstaller
+ volumes:
+# bitmask sources
+ - ../../:/var/src/bitmask:ro
+# produced binaries
+ - ../../build:/var/build
+# service to build a windows-executable from openvpn sources
+# uses the openvpn-build infrastructure to produce
+# build/executables/openvpn/*
+# produces the openvpn.exe and provides openssl that is to be
+# used by pyinsaller
+# usage: docker-compose run --rm openvpn
+# non-zero exit code on failure
+openvpn:
+ build: openvpn
+ volumes:
+# bitmask sources
+ - ../../:/var/src/bitmask:ro
+# produced binaries
+ - ../../build:/var/build
+# service to compile a installer using nullsoft installer
+# nsis environment to build installer (exe) that contains all required binaries
+# for a clean, just installed windows machine
+# utilizes the debian makensis and installer-build to produce
+# dist/bitmask-VERSION.exe
+# usage: docker-compose run --rm installer
+# non-zero exit code on failure
+installer:
+ build: installer
+ volumes:
+# bitmask sources
+ - ../../:/var/src/bitmask:ro
+# produced installers - configured in bitmask.nsh
+ - ../../dist:/var/dist
diff --git a/pkg/windows/installer-build.sh b/pkg/windows/installer-build.sh
new file mode 100755
index 00000000..cf664200
--- /dev/null
+++ b/pkg/windows/installer-build.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# build installer
+# ===============
+#
+# builds several installers from previously compiled binaries
+
+product=bitmask
+# the location of the nsis installer nis files dictates the path of the files
+relative_executable_path=../../build/executables
+source_ro_path=/var/src/${product}
+temporary_build_path=/var/tmp/installer
+
+setups=($(ls -1 ${source_ro_path}/pkg/windows | grep '.nis$' | sed 's|.nis$||'))
+
+# generate nsis file references for installer for single directory
+# appends File and Remove to files that are later included by makensis
+# separate files for install and uninstall statements
+#
+# directory_root: the tree root that is currently generated
+# subdir: any directory in the tree
+# setup_name: the name of the setup this nsh entries are generated for
+function generateDirectoryNSISStatements() {
+ directory_root=$1
+ subdir=$2
+ setup_name=$3
+ find ${subdir} -maxdepth 1 -type f -exec echo 'File "'${relative_executable_path}'/{}"' \;>> ${setup_name}_install_files.nsh
+ find ${subdir} -maxdepth 1 -type f -exec echo 'Delete "$INSTDIR/{}"' \; >> ${setup_name}_uninstall_files.nsh
+}
+# generate a tree of files into nsis installer definitions
+# directory_root: the tree root that is currently generated
+# setup_name: the name of the setup this nsh entries are generated for
+function generateDirectoryNSISStatementsTree() {
+ directory_root=$1
+ setup_name=$2
+ subdirs=$(find ${directory_root} -type d | sort)
+ for subdir in ${subdirs[@]}
+ do
+ if [ "${directory_root}" != "${subdir}" ]; then
+ echo 'SetOutPath "$INSTDIR/'${subdir}'"' >> ${setup_name}_install_files.nsh
+ fi
+ generateDirectoryNSISStatements ${directory_root} ${subdir} ${setup_name}
+ done
+ # again to remove emptied directories on uninstall so reverse
+ subdirs=$(find ${directory_root} -type d | sort | tac)
+ for subdir in ${subdirs[@]}
+ do
+ if [ "${directory_root}" != "${subdir}" ]; then
+ echo 'RMDir "$INSTDIR/'${subdir}'"' >> ${setup_name}_uninstall_files.nsh
+ fi
+ done
+}
+# generate installer files for the available setups
+# those files include install and uninstall statements and are
+# modified (backslashes/source_path) to generate a sane target
+# structure
+function generateNSISStatements() {
+ pushd ${temporary_build_path}/build/executables
+ for setup in "${setups[@]}"
+ do
+ echo "setup:" ${setup}
+ echo "# auto generated by pkg/windows/installer-build.sh please do not modify" > ${setup}_install_files.nsh
+ echo "# auto generated by pkg/windows/installer-build.sh please do not modify" > ${setup}_uninstall_files.nsh
+ setup_source_path=${setup}
+ generateDirectoryNSISStatementsTree ${setup_source_path} ${setup}
+ # remove the setup_source_path from the nsh files
+ sed -i "s|INSTDIR/${setup_source_path}/|INSTDIR/|" ${setup}_install_files.nsh
+ sed -i "s|/${setup_source_path}/|/|" ${setup}_uninstall_files.nsh
+ # make backslashes
+ sed -i "s|/|\\\\|g" ${setup}_install_files.nsh ${setup}_uninstall_files.nsh
+ # make install size
+ installed_size=$(du -s --block-size=1000 ${setup} | awk '{print $1}')
+ echo "!define INSTALLSIZE ${installed_size}" > ${setup}_install_files_size.nsh
+ done
+ popd
+}
+# makensis to produce a installer.exe
+# the result is placed in /var/dist
+function buildInstaller() {
+ pushd ${temporary_build_path}/pkg/windows
+ for setup in ${setups[@]}
+ do
+ makensis ${setup}.nis || die 'build setup "'${setup}'" failed'
+ done
+ popd
+}
+# prepare build path
+# copies files that have been produced by other containers
+# merges the product so the nsis files are correct
+function prepareBuildPath() {
+ mkdir -p ${temporary_build_path}/pkg/windows
+ mkdir -p ${temporary_build_path}/build
+ cp -r ${source_ro_path}/pkg/windows/* ${temporary_build_path}/pkg/windows
+ cp -r ${source_ro_path}/build/* ${temporary_build_path}/build
+ cp -r ${source_ro_path}/LICENSE ${temporary_build_path}/LICENSE
+
+ test -d ${temporary_build_path}/build/executables/bitmask || die 'bitmask not available run docker-compose run --rm pyinstaller'
+ test -d ${temporary_build_path}/build/executables/openvpn || die 'openvpn not available run docker-compose run --rm openvpn'
+ pushd ${temporary_build_path}/build/executables
+ cp openvpn/bin/openvpn.exe bitmask
+ cp openvpn/bin/*.dll bitmask
+ popd
+}
+# remove build files to ensure subsequent builds
+function cleanup() {
+ rm -r ${temporary_build_path}
+}
+# display failure message and emit non-zero exit code
+function die() {
+ echo "die:" $@
+ exit 1
+}
+function main() {
+ prepareBuildPath
+ generateNSISStatements
+ buildInstaller
+ cleanup
+}
+main $@ \ No newline at end of file
diff --git a/pkg/windows/installer/Dockerfile b/pkg/windows/installer/Dockerfile
new file mode 100644
index 00000000..ae46acb6
--- /dev/null
+++ b/pkg/windows/installer/Dockerfile
@@ -0,0 +1,17 @@
+FROM debian:jessie
+MAINTAINER paixu@0xn0.de
+RUN apt-get update
+
+######
+# install packages required to build
+
+RUN apt-get -y install \
+ nsis
+WORKDIR /var/src/bitmask/pkg/windows
+
+######
+# set a specific user
+# needs external tuning of the /var/dist rights!
+# RUN useradd installer
+# USER installer
+ENTRYPOINT ["/var/src/bitmask/pkg/windows/installer-build.sh"] \ No newline at end of file
diff --git a/pkg/windows/openvpn-build.sh b/pkg/windows/openvpn-build.sh
new file mode 100755
index 00000000..7f8ed84f
--- /dev/null
+++ b/pkg/windows/openvpn-build.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# render openvpn prepared for installer
+# ================================================
+#
+# requires
+# - a linux host with mingw installed
+# - a rw directory mounted to /var/build
+# returns nonzero exit code when failed
+#
+# clone openvpn-build repository
+# runs cross-compile build
+# - downloads openvpn dependencies
+# - compiles
+# copy files to executables so they can be installed
+# cleans up (remove read-write copy)
+
+# the location where the openvpn binaries are placed
+absolute_executable_path=/var/build/executables
+temporary_build_path=/var/build/openvpn
+
+# cleanup the temporary build path for subsequent executes
+function cleanup() {
+ rm -r ${temporary_build_path} 2>/dev/null
+}
+# build openvpn source
+function buildSource() {
+ pushd ${temporary_build_path}/openvpn-build/generic
+ CHOST=i686-w64-mingw32 \
+ CBUILD=i686-pc-linux-gnu \
+ ./build \
+ || die 'build openvpn from source failed'
+ mkdir -p ${absolute_executable_path}
+ cp -r image/openvpn ${absolute_executable_path}/openvpn
+ popd
+}
+# fetch tap-windows.exe as defined in the openvpn vars
+function fetchTapWindows() {
+ pushd ${temporary_build_path}/openvpn-build
+ source windows-nsis/build-complete.vars
+ wget ${TAP_WINDOWS_INSTALLER_URL} -O ${absolute_executable_path}/openvpn/tap-windows.exe || die 'tap-windows.exe could not be fetched'
+ popd
+}
+# prepare read-write copy
+function prepareBuildPath() {
+ cleanup
+ mkdir -p ${temporary_build_path}
+ pushd ${temporary_build_path}
+ git clone https://github.com/OpenVPN/openvpn-build || die 'openvpn-build could not be cloned'
+ popd
+}
+# display failure message and emit non-zero exit code
+function die() {
+ echo "die:" $@
+ exit 1
+}
+function main() {
+ prepareBuildPath
+ buildSource
+ fetchTapWindows
+ cleanup
+}
+main $@
diff --git a/pkg/windows/openvpn/Dockerfile b/pkg/windows/openvpn/Dockerfile
new file mode 100644
index 00000000..471685a1
--- /dev/null
+++ b/pkg/windows/openvpn/Dockerfile
@@ -0,0 +1,17 @@
+FROM debian:jessie
+MAINTAINER paixu@0xn0.de
+
+######
+# install packages required to build
+# https-transport: winehq deb
+# winbind: pip install keyring (requirements.pip) needs this somehow
+# git-core: clone rw copy of repo and build specific commit
+# imagemagick: convert png to ico-files
+RUN apt-get update && apt-get -y install \
+ unzip bzip2 \
+ curl wget \
+ apt-transport-https \
+ man2html \
+ git-core \
+ build-essential autoconf mingw-w64
+ENTRYPOINT ["/var/src/bitmask/pkg/windows/openvpn-build.sh"] \ No newline at end of file
diff --git a/pkg/windows/pyinstaller-build.sh b/pkg/windows/pyinstaller-build.sh
new file mode 100755
index 00000000..522fc10f
--- /dev/null
+++ b/pkg/windows/pyinstaller-build.sh
@@ -0,0 +1,288 @@
+#!/bin/bash
+
+# render dependencies into separate subdirectories
+# ================================================
+#
+# requires
+# - a linux host with wine, wine with python and mingw installed
+# - the sourcecode mounted to /var/src/
+# - a rw directory mounted to /var/build
+# returns nonzero exit code when pyinstaller failed
+#
+# prepares a read-write copy of the sourcecode
+# executes qt-uic and qt-rcc for gui dialogs
+# installs dependencies from pkg/dependencies-windows.pip
+# runs pyinstaller
+# cleans up (remove wine-dlls, remove read-write copy)
+# creates nsis install/uninstall scripts for the files for each package
+# if $1 is set it is expected to be a branch/git-tag
+
+product=bitmask
+# the location where the pyinstaller results are placed
+absolute_executable_path=/var/build/executables
+# the location of the nsis installer nis files dictates the path of the files
+relative_executable_path=../../build/executables
+source_ro_path=/var/src/${product}
+temporary_build_path=/var/build/pyinstaller
+git_tag=HEAD
+version_prefix=leap.bitmask
+git_version=unknown
+# option that is changed when a dependency-cache is found
+install_dependencies=true
+# default options for components
+with_eip=false
+with_mail=true
+
+setups=($(ls -1 ${source_ro_path}/pkg/windows | grep '.nis$' | sed 's|.nis$||'))
+# add mingw dlls that are build in other steps
+function addMingwDlls() {
+ root=$1
+ cp /usr/lib/gcc/i686-w64-mingw32/4.9-win32/libgcc_s_sjlj-1.dll ${root}
+ cp /root/.wine/drive_c/Python27/Lib/site-packages/zmq/libzmq.pyd ${root}
+ cp /root/.wine/drive_c/Python27/Lib/site-packages/zmq/libzmq.pyd ${root}
+ mkdir -p ${root}/pysqlcipher
+ cp /var/build/pyinstaller/pkg/pyinst/build/bitmask/pysqlcipher-2.6.4-py2.7-win32.egg/pysqlcipher/_sqlite.pyd ${root}/pysqlcipher
+ cp ~/.wine/drive_c/openssl/bin/*.dll ${root}
+}
+# cleanup the temporary build path for subsequent executes
+function cleanup() {
+ rm -rf ${temporary_build_path} 2>/dev/null
+}
+# create files that are not part of the repository but are needed
+# in the windows environment:
+# - license with \r\n
+# - ico from png (multiple sizes for best results on high-res displays)
+function createInstallablesDependencies() {
+ pushd ${temporary_build_path} > /dev/null
+ cat LICENSE | sed 's|\n|\r\n|g' > LICENSE.txt
+ convert data/images/mask-icon.png -filter Cubic -scale 256x256! data/images/mask-icon-256.png
+ convert data/images/mask-icon-256.png -define icon:auto-resize data/images/mask-icon.ico
+ # execute qt-uic / qt-rcc
+ wine mingw32-make all || die 'qt-uic / qt-rcc failed'
+ # get version using git (only available in host)
+ git_version=$(python setup.py version| grep 'Version is currently' | awk -F': ' '{print $2}')
+ # run setup.py in a path with the version contained so versioneer can
+ # find the information and put it into the egg
+ versioned_build_path=/var/tmp/${version_prefix}-${git_version}
+ mkdir -p ${versioned_build_path}
+ cp -r ${temporary_build_path}/* ${versioned_build_path}
+ # apply patches to the source that are required for working code
+ # should not be required in the future as it introduces possible
+ # hacks that are hard to debug
+ applyPatches ${versioned_build_path}
+ pushd ${versioned_build_path} > /dev/null
+ # XXX what's this update_files command?
+ #wine python setup.py update_files || die 'setup.py update_files failed'
+ wine python setup.py build || die 'setup.py build failed'
+ wine python setup.py install || die 'setup.py install failed'
+ popd
+ rm -rf ${versioned_build_path}
+ popd
+}
+# create installer version that may be used by installer-build.sh / makensis
+# greps the version-parts from the previously extracted git_version and stores
+# the result in a setup_version.nsh
+# when the git_version does provide a suffix it is prefixed with a dash so the
+# installer output needs no conditional for this
+function createInstallerVersion() {
+ setup=$1
+ # [0-9]*.[0-9]*.[0-9]*-[0-9]*_g[0-9a-f]*_dirty
+ VERSIONMAJOR=$(echo ${git_version} | sed 's|^\([0-9]*\)\..*$|\1|')
+ VERSIONMINOR=$(echo ${git_version} | sed 's|^[0-9]*\.\([0-9]*\).*$|\1|')
+ VERSIONBUILD=$(echo ${git_version} | sed 's|^[0-9]*\.[0-9]*\.\([0-9]*\).*$|\1|')
+ VERSIONSUFFIX=$(echo ${git_version} | sed 's|^[0-9]*\.[0-9]*\.[0-9]*-\(.*\)$|\1|')
+ echo "!define VERSIONMAJOR ${VERSIONMAJOR}" > ${absolute_executable_path}/${setup}_version.nsh
+ echo "!define VERSIONMINOR ${VERSIONMINOR}" >> ${absolute_executable_path}/${setup}_version.nsh
+ echo "!define VERSIONBUILD ${VERSIONBUILD}" >> ${absolute_executable_path}/${setup}_version.nsh
+ if [ ${VERSIONSUFFIX} != "" ]; then
+ VERSIONSUFFIX="-${VERSIONSUFFIX}"
+ fi
+ echo "!define VERSIONSUFFIX ${VERSIONSUFFIX}" >> ${absolute_executable_path}/${setup}_version.nsh
+}
+# create installable binaries with dlls
+function createInstallables() {
+ mkdir -p ${absolute_executable_path}
+ pushd ${temporary_build_path}/pkg/pyinst
+ # build install directories (contains multiple files with pyd,dll, some of
+ # them look like windows WS_32.dll but are from wine)
+ for setup in ${setups[@]}
+ do
+ # --clean do not cache anything and overwrite everything --noconfirm
+ # --distpath to place on correct location
+ # --debug to see what may be wrong with the result
+ # --paths=c:\python\lib\site-packages;c:\python27\lib\site-packages
+ wine pyinstaller \
+ --clean \
+ --noconfirm \
+ --distpath=.\\installables \
+ --paths=Z:\\var\\build\\pyinstaller\\src\\ \
+ --paths=C:\\Python27\\Lib\\site-packages\\ \
+ --debug \
+ ${setup}.spec \
+ || die 'pyinstaller for "'${setup}'" failed'
+ removeWineDlls installables/${setup}
+ addMingwDlls installables/${setup}
+ rm -r ${absolute_executable_path}/${setup}
+ cp -r installables/${setup} ${absolute_executable_path}
+ cp ${absolute_executable_path}/cacert.pem ${absolute_executable_path}/${setup}
+ rm -r installables
+ createInstallerVersion ${setup}
+ done
+ popd
+ pushd ${temporary_build_path}
+ cp data/images/mask-icon.ico ${absolute_executable_path}/
+ popd
+}
+# install (windows)dependencies of project
+function installProjectDependencies() {
+ pushd ${temporary_build_path} > /dev/null
+ unsupported_packages="dirspec"
+ pip_flags="--find-links=Z:${temporary_build_path}/wheels"
+ for unsupported_package in ${unsupported_packages}
+ do
+ pip_flags="${pip_flags} --allow-external ${unsupported_package} --allow-unverified ${unsupported_package}"
+ done
+ pip_flags="${pip_flags} -r"
+
+ # install dependencies
+ mkdir -p ${temporary_build_path}/wheels
+ wine pip install ${pip_flags} pkg/requirements-leap.pip || die 'requirements-leap.pip could not be installed'
+ # fix requirements
+ # python-daemon breaks windows build
+ sed -i 's|^python-daemon|#python-daemon|' pkg/requirements.pip
+ wine pip install ${pip_flags} pkg/requirements.pip || die 'requirements.pip could not be installed'
+ git checkout pkg/requirements.pip
+ popd
+ cp -r /root/.wine/drive_c/Python27/Lib/site-packages ${absolute_executable_path}
+ curl https://curl.haxx.se/ca/cacert.pem > ${absolute_executable_path}/cacert.pem || die 'cacert.pem could not be fetched - would result in bad ssl in installer'
+}
+# workaround for broken dependencies
+# runs before pip install requirements
+# fixes failure for pysqlcipher as this requests a https file that the
+# windows-python fails to request
+function installProjectDependenciesBroken() {
+ pushd ${temporary_build_path} > /dev/null
+ curl https://pypi.python.org/packages/source/p/pysqlcipher/pysqlcipher-2.6.4.tar.gz \
+ > pysqlcipher-2.6.4.tar.gz \
+ || die 'fetch pysqlcipher failed'
+ tar xzf pysqlcipher-2.6.4.tar.gz
+ pushd pysqlcipher-2.6.4
+ curl https://downloads.leap.se/libs/pysqlcipher/amalgamation-sqlcipher-2.1.0.zip \
+ > amalgamation-sqlcipher-2.1.0.zip \
+ || die 'fetch amalgamation for pysqlcipher failed'
+ unzip -o amalgamation-sqlcipher-2.1.0.zip || die 'unzip amalgamation failed'
+ mv sqlcipher amalgamation
+ patch -p0 < ${source_ro_path}/pkg/windows/pyinstaller/pysqlcipher_setup.py.patch \
+ || die 'patch pysqlcipher setup.py failed'
+ wine python setup.py build install || die 'setup.py for pysqlcipher failed'
+ popd
+ popd # temporary_build_path
+}
+# prepare read-write copy
+function prepareBuildPath() {
+ cleanup
+ # ensure shared openssl for all pip builds
+ test -d ${absolute_executable_path}/openvpn || die 'openvpn not available run docker-compose run --rm openvpn'
+ cp -r ${absolute_executable_path}/openvpn /root/.wine/drive_c/openssl
+ if [ -d ${absolute_executable_path}/site-packages ]; then
+ # use pip install cache for slow connections
+ rm -r /root/.wine/drive_c/Python27/Lib/site-packages
+ cp -r ${absolute_executable_path}/site-packages /root/.wine/drive_c/Python27/Lib/
+ install_dependencies=false
+ fi
+ if [ ! -z $1 ]; then
+ git_tag=$1
+ fi
+ if [ ${git_tag} != "HEAD" ]; then
+ echo "using ${git_tag} as source for the project"
+ git clone ${source_ro_path} ${temporary_build_path}
+ pushd ${temporary_build_path}
+ git checkout ${git_tag} || die 'checkout "'${git_tag}'" failed'
+ popd
+ else
+ echo "using current source tree for build"
+ mkdir -p ${temporary_build_path}/data
+ mkdir -p ${temporary_build_path}/docs
+ mkdir -p ${temporary_build_path}/pkg
+ mkdir -p ${temporary_build_path}/src
+ mkdir -p ${temporary_build_path}/.git
+ cp -r ${source_ro_path}/data/* ${temporary_build_path}/data
+ cp -r ${source_ro_path}/data/* ${temporary_build_path}/docs
+ cp -r ${source_ro_path}/pkg/* ${temporary_build_path}/pkg
+ cp -r ${source_ro_path}/src/* ${temporary_build_path}/src
+ cp -r ${source_ro_path}/.git/* ${temporary_build_path}/.git
+ cp ${source_ro_path}/* ${temporary_build_path}/
+ fi
+}
+# add patches to the sourcetree
+# this function should do nothing some day and should be run after
+# the version has been evaluated
+function applyPatches() {
+ root_path=$1
+ # disable eip
+ if [ !${with_eip} ]; then
+ sed -i "s|HAS_EIP = True|HAS_EIP = False|" ${root_path}/src/leap/bitmask/_components.py
+ fi
+ # disable mail
+ if [ !${with_mail} ]; then
+ sed -i "s|HAS_MAIL = True|HAS_MAIL = False|" ${root_path}/src/leap/bitmask/_components.py
+ fi
+ # hack the logger
+ sed -i "s|'bitmask.log'|str(random.random()) + '_bitmask.log'|;s|import sys|import sys\nimport random|" ${root_path}/src/leap/bitmask/logs/utils.py
+ sed -i "s|perform_rollover=True|perform_rollover=False|" ${root_path}/src/leap/bitmask/app.py
+ # fix requirements
+ # python-daemon breaks windows build
+ sed -i 's|^python-daemon|#python-daemon|' ${root_path}/pkg/requirements.pip
+}
+# remove wine dlls that should not be in the installer
+# root: path that should be cleaned from dlls
+function removeWineDlls() {
+ root=$1
+ declare -a wine_dlls=(\
+ advapi32.dll \
+ comctl32.dll \
+ comdlg32.dll \
+ gdi32.dll \
+ imm32.dll \
+ iphlpapi.dll \
+ ktmw32.dll \
+ msvcp90.dll \
+ msvcrt.dll \
+ mswsock.dll \
+ mpr.dll \
+ netapi32.dll \
+ ole32.dll \
+ oleaut32.dll \
+ opengl32.dll \
+ psapi.dll \
+ rpcrt4.dll \
+ shell32.dll \
+ user32.dll \
+ version.dll \
+ winmm.dll \
+ winspool.drv \
+ ws2_32.dll \
+ wtsapi32.dll \
+ )
+ for wine_dll in "${wine_dlls[@]}"
+ do
+ # not all of the listed dlls are in all directories
+ rm ${root}/${wine_dll} 2>/dev/null
+ done
+}
+# display failure message and emit non-zero exit code
+function die() {
+ echo "die:" $@
+ exit 1
+}
+function main() {
+ prepareBuildPath $@
+ if [ ${install_dependencies} == true ]; then
+ installProjectDependenciesBroken
+ installProjectDependencies
+ fi
+ createInstallablesDependencies
+ createInstallables
+ cleanup
+}
+main $@
diff --git a/pkg/windows/pyinstaller/Dockerfile b/pkg/windows/pyinstaller/Dockerfile
new file mode 100644
index 00000000..2da0da3a
--- /dev/null
+++ b/pkg/windows/pyinstaller/Dockerfile
@@ -0,0 +1,105 @@
+FROM debian:jessie
+MAINTAINER paixu@0xn0.de
+
+ENV PYTHON_VERSION=2.7.11
+ENV OPENSSL_VERSION=1.0.2f
+ENV ZLIB_VERSION=1.2.8
+ENV MINGW_VERSION=0.6.2-beta-20131004-1
+ENV MINGW_BIN_VERSION=0.6.2-mingw32-beta-20131004-1-bin
+ENV WINEDEBUG=fixme-all
+
+######
+# install packages required to build
+# https-transport: winehq deb
+# winbind: pip install keyring (requirements.pip) needs this somehow
+# git-core: clone rw copy of repo and build specific commit
+# imagemagick: convert png to ico-files
+RUN apt-get update && apt-get -y install \
+ unzip curl apt-transport-https \
+ winbind \
+ build-essential autoconf bison gperf flex libtool mingw-w64 \
+ git-core \
+ imagemagick \
+ pkg-config
+
+# install wine > 1.6.2 (debian:jessie version fails with pip)
+RUN dpkg --add-architecture i386 \
+ && curl https://dl.winehq.org/wine-builds/Release.key | apt-key add - \
+ && echo 'deb https://dl.winehq.org/wine-builds/debian/ jessie main' >> /etc/apt/sources.list.d/wine.list \
+ && apt-get update
+
+RUN curl https://www.python.org/ftp/python/${PYTHON_VERSION}/python-${PYTHON_VERSION}.msi > /tmp/python-${PYTHON_VERSION}.msi
+RUN curl -L http://sourceforge.net/projects/mingw/files/Installer/mingw-get/mingw-get-${MINGW_VERSION}/mingw-get-${MINGW_BIN_VERSION}.zip/download > /tmp/mingw-get.zip
+
+# alternative with messy python afterwards
+# RUN curl -L http://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi > /tmp/msvcforpython27.msi
+
+RUN curl -L http://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz > /tmp/openssl-${OPENSSL_VERSION}.tar.gz
+RUN apt-get install -y winehq-staging
+
+RUN curl -L http://sourceforge.net/projects/mingw/files/Installer/mingw-get/mingw-get-${MINGW_VERSION}/mingw-get-${MINGW_BIN_VERSION}.zip/download > /tmp/mingw-get.zip
+RUN mkdir -p /root/.wine/drive_c/mingw \
+ && unzip -d /root/.wine/drive_c/mingw /tmp/mingw-get.zip
+
+#######
+# Build python dependency
+# using the 'host' (linux) xcompiler instead of fiddeling in wine
+# zlib - needs a update every 5 years
+# adds a patch that makes a shared lib - default is static
+RUN curl -L http://zlib.net/zlib-${ZLIB_VERSION}.tar.gz > /tmp/zlib-${ZLIB_VERSION}.tar.gz
+ADD zlib-mingw-shared.patch /zlib-mingw-shared.patch
+RUN mkdir -p /root/.wine/drive_c/zlib/src \
+ && mv /tmp/zlib-${ZLIB_VERSION}.tar.gz /root/.wine/drive_c/zlib/src \
+ && cd /root/.wine/drive_c/zlib/src \
+ && tar xzf zlib-${ZLIB_VERSION}.tar.gz \
+ && cd zlib-${ZLIB_VERSION} \
+ && patch -p0 < /zlib-mingw-shared.patch \
+ && make -f win32/Makefile.gcc PREFIX=/usr/bin/i686-w64-mingw32- \
+ && make -f win32/Makefile.gcc INCLUDE_PATH=/root/.wine/drive_c/zlib/include LIBRARY_PATH=/root/.wine/drive_c/zlib/lib BINARY_PATH=/root/.wine/drive_c/zlib/bin install
+
+######
+# install gcc for most pip builds
+# install g++ for pycryptopp
+# this is mingw in wine, not to get confused with mingw-w64 in container-host
+RUN wine msiexec -i /tmp/python-${PYTHON_VERSION}.msi -q \
+ && wine c:/mingw/bin/mingw-get.exe install gcc g++ mingw32-make \
+ && rm -r /tmp/.wine-0
+
+####
+# pip configuration
+# set wine mingw compiler to be used by "python setup build"
+# set default include dirs, libraries and library paths
+# the libraries=crypto is added because srp will only link using -lssl but links to BN_* (libcrypto) code
+# 'install' zlib to mingw so python may find its dlls
+# pyside-rcc fix (https://srinikom.github.io/pyside-bz-archive/670.html)
+RUN printf "[build]\ncompiler=mingw32\n\n[build_ext]\ninclude_dirs=c:\\openssl\\include;c:\\zlib\\include\nlibraries=crypto\nlibrary_dirs=c:\\openssl\\lib;c:\\openssl\\bin;c:\\zlib\\lib;c:\\zlib\\bin" > /root/.wine/drive_c/Python27/Lib/distutils/distutils.cfg \
+ && printf 'REGEDIT4\n\n[HKEY_CURRENT_USER\\Environment]\n"PATH"="C:\\\\python27;C:\\\\python27\\\\Scripts;C:\\\\python27\\\\Lib\\\\site-packages\\\\PySide;C:\\\\mingw\\\\bin;c:\\\\windows;c:\\\\windows\\\\system"' > /root/.wine/drive_c/path.reg \
+ && printf 'REGEDIT4\n\n[HKEY_CURRENT_USER\\Environment]\n"OPENSSL_CONF"="C:\\\\openssl"' > /root/.wine/drive_c/openssl_conf.reg \
+ && printf 'REGEDIT4\n\n[HKEY_CURRENT_USER\\Environment]\n"PYTHONPATH"="C:\\\\python27\\\\lib\\\\site-packages;Z:\\\\var\\\\build\\\\bitmask_rw\\\\src"' > /root/.wine/drive_c/pythonpath.reg \
+ && cp /root/.wine/drive_c/zlib/bin/zlib1.dll /root/.wine/drive_c/mingw/bin \
+ && cp /root/.wine/drive_c/zlib/lib/libz.dll.a /root/.wine/drive_c/mingw/lib
+
+####
+# prepare the environment with all python dependencies installed
+# inject dirspec from distribution
+#
+RUN apt-get install -y python-dirspec \
+ && cp -r /usr/lib/python2.7/dist-packages/dirspec* /root/.wine/drive_c/Python27/Lib/site-packages/
+RUN apt-get install -y python-setuptools
+RUN wine regedit /root/.wine/drive_c/path.reg \
+ && wine regedit /root/.wine/drive_c/openssl_conf.reg \
+ && wine regedit /root/.wine/drive_c/pythonpath.reg \
+ && wine pip install virtualenv pyinstaller \
+ && wine pip install wheel \
+ && wine pip install -U setuptools-scm \
+ && wine pip install -U setuptools_scm \
+ && wine pip install -U pyside python-qt \
+ && wine pip install -I psutil==3.4.2 \
+ && rm -r /tmp/.wine-0
+
+# alternative msvc: after python is installed (or before?)
+# && wine msiexec -i /tmp/msvcforpython27.msi -q \
+
+RUN apt-get -y install \
+ mc
+ENTRYPOINT ["/var/src/bitmask/pkg/windows/pyinstaller-build.sh"] \ No newline at end of file
diff --git a/pkg/windows/pyinstaller/pysqlcipher_setup.py.patch b/pkg/windows/pyinstaller/pysqlcipher_setup.py.patch
new file mode 100644
index 00000000..dcec54fa
--- /dev/null
+++ b/pkg/windows/pyinstaller/pysqlcipher_setup.py.patch
@@ -0,0 +1,14 @@
+--- setup.py.org 2014-11-12 16:38:07.000000000 +0000
++++ setup.py 2016-01-23 14:08:13.255261595 +0000
+@@ -192,10 +192,7 @@
+ ext.define_macros.append(("inline", "__inline"))
+
+ # Configure the linker
+- ext.extra_link_args.append("libeay32.lib")
+- ext.extra_link_args.append(
+- "/LIBPATH:" + os.path.join(openssl, "lib")
+- )
++ ext.extra_link_args.append("-lcrypto")
+ else:
+ ext.extra_link_args.append("-lcrypto")
+
diff --git a/pkg/windows/pyinstaller/zlib-mingw-shared.patch b/pkg/windows/pyinstaller/zlib-mingw-shared.patch
new file mode 100644
index 00000000..1b980cb8
--- /dev/null
+++ b/pkg/windows/pyinstaller/zlib-mingw-shared.patch
@@ -0,0 +1,10 @@
+diff -Naur ../zlib-1.2.8-org/win32/Makefile.gcc ./win32/Makefile.gcc
+--- ../zlib-1.2.8-org/win32/Makefile.gcc 2008-10-23 17:44:36.000000000 +0000
++++ ./win32/Makefile.gcc 2015-12-06 19:20:00.449471787 +0000
+@@ -37,6 +37,6 @@
+ # Set to 1 if shared object needs to be installed
+ #
+-SHARED_MODE=0
++SHARED_MODE=1
+
+ #LOC = -DASMV \ No newline at end of file