summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorTomás Touceda <chiiph@leap.se>2014-09-26 10:15:06 -0300
committerTomás Touceda <chiiph@leap.se>2014-09-26 10:15:06 -0300
commit6f7177f3ca359f8c3e74d094b0dcd0f9239fb069 (patch)
treef04b0eb5c4665a129c5c49719b2da65d325b111f /pkg
parente8c028f3eb6cd0681f039c456dc1ac45c98d598f (diff)
parent0db3d5a4aecc0a3c271b92c6187922c50d46df0a (diff)
Merge branch 'release-0.7.0'0.7.0rc20.7.0rc1
Diffstat (limited to 'pkg')
-rwxr-xr-xpkg/linux/bitmask-root147
-rwxr-xr-xpkg/postmkvenv.sh8
-rw-r--r--pkg/requirements-dev.pip10
-rw-r--r--pkg/requirements.pip7
-rwxr-xr-xpkg/scripts/bootstrap_develop.sh48
5 files changed, 206 insertions, 14 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index c9034b0d..ee195e3b 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
# Copyright (C) 2014 LEAP
@@ -25,6 +25,8 @@ USAGE:
bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ...
bitmask-root openvpn stop
bitmask-root openvpn start CONFIG1 CONFIG1 ...
+ bitmask-root fw-email stop
+ bitmask-root fw-email start uid
All actions return exit code 0 for success, non-zero otherwise.
@@ -49,12 +51,17 @@ cmdcheck = subprocess.check_output
# CONSTANTS
#
-VERSION = "2"
+VERSION = "3"
SCRIPT = "bitmask-root"
NAMESERVER = "10.42.0.1"
BITMASK_CHAIN = "bitmask"
BITMASK_CHAIN_NAT_OUT = "bitmask"
BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
+BITMASK_CHAIN_EMAIL = "bitmask_email"
+BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
+LOCAL_INTERFACE = "lo"
+IMAP_PORT = "1984"
+SMTP_PORT = "2013"
IP = "/bin/ip"
IPTABLES = "/sbin/iptables"
@@ -101,7 +108,8 @@ PARAM_FORMATS = {
"^[a-zA-Z0-9_\.\@][a-zA-Z0-9_\-\.\@]*\$?$", s), # IEEE Std 1003.1-2001
"FILE": lambda s: os.path.isfile(s),
"DIR": lambda s: os.path.isdir(os.path.split(s)[0]),
- "UNIXSOCKET": lambda s: s == "unix"
+ "UNIXSOCKET": lambda s: s == "unix",
+ "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s)
}
@@ -740,6 +748,119 @@ def firewall_stop():
"Please try `firewall stop` again.")
+def fw_email_start(args):
+ """
+ Bring up the email firewall.
+
+ :param args: the user uid of the bitmask process
+ :type args: list
+ """
+ # add custom chain "bitmask_email" to front of INPUT chain
+ if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
+ ip4tables("--new-chain", BITMASK_CHAIN_EMAIL)
+ if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL):
+ ip6tables("--new-chain", BITMASK_CHAIN_EMAIL)
+ iptables("--insert", "INPUT", "--jump", BITMASK_CHAIN_EMAIL)
+
+ # add custom chain "bitmask_email_output" to front of OUTPUT chain
+ if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
+ ip4tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
+ if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
+ ip6tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
+ iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT)
+
+ # Disable the access to imap and smtp from outside
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
+ "--dport", IMAP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
+ "--dport", SMTP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
+ iptables("--append", BITMASK_CHAIN_EMAIL,
+ "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
+
+ if not args or not PARAM_FORMATS["UID"](args[0]):
+ raise Exception("No uid given")
+ uid = args[0]
+
+ # Only the unix 'uid' have access to the email imap and smtp ports
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
+ "--dport", IMAP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
+ "--dport", SMTP_PORT, "--jump", "ACCEPT")
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
+ iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
+ "--out-interface", LOCAL_INTERFACE,
+ "--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
+
+
+def fw_email_stop():
+ """
+ Stop the email firewall.
+ """
+ ok = True
+
+ try:
+ iptables("--delete", "INPUT", "--jump", BITMASK_CHAIN_EMAIL,
+ throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to remove bitmask email firewall from INPUT "
+ "chain (maybe it is already removed?)", exc)
+ ok = False
+
+ try:
+ iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT,
+ throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to remove bitmask email firewall from OUTPUT "
+ "chain (maybe it is already removed?)", exc)
+ ok = False
+
+ try:
+ ip4tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
+ ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv4 email firewall "
+ "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ try:
+ ip6tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
+ ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv6 email firewall "
+ "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ try:
+ ip4tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv4 email firewall "
+ "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ try:
+ ip6tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv6 email firewall "
+ "chain (maybe it is already destroyed?)", exc)
+ ok = False
+
+ if not (ok or ipv4_chain_exists or ipv6_chain_exists):
+ raise Exception("email firewall might still be left up. "
+ "Please try `fw-email stop` again.")
+
+
#
# MAIN
#
@@ -793,6 +914,26 @@ def main():
else:
bail("INFO: bitmask firewall is down")
+ elif command == "fw-email_start":
+ try:
+ fw_email_start(args)
+ except Exception as ex:
+ if not is_restart:
+ fw_email_stop()
+ bail("ERROR: could not start email firewall", ex)
+
+ elif command == "fw-email_stop":
+ try:
+ fw_email_stop()
+ except Exception as ex:
+ bail("ERROR: could not stop email firewall", ex)
+
+ elif command == "fw-email_isup":
+ if ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
+ log("%s: INFO: bitmask email firewall is up" % (SCRIPT,))
+ else:
+ bail("INFO: bitmask email firewall is down")
+
else:
bail("ERROR: No such command")
else:
diff --git a/pkg/postmkvenv.sh b/pkg/postmkvenv.sh
index 04f8d372..7b06fa6d 100755
--- a/pkg/postmkvenv.sh
+++ b/pkg/postmkvenv.sh
@@ -27,7 +27,13 @@ LIB_VIRTUALENV_PATH=$(python -c "$GET_PYTHON_LIB_CMD")
if [[ $platform == 'linux' ]]; then
LIB_SYSTEM_PATH=$(${VAR[-1]} -c "$GET_PYTHON_LIB_CMD")
elif [[ $platform == 'darwin' ]]; then
- LIB_SYSTEM_PATH=$(/opt/local/bin/python2.6 -c "$GET_PYTHON_LIB_CMD")
+ ORIGINAL_PATH=$PATH
+ #change first colon of path to | because path substitution is greedy
+ PATH=${PATH/:/|}
+ #remove everything up to | from path
+ PATH=${PATH/*|/}
+ LIB_SYSTEM_PATH=$(python -c "$GET_PYTHON_LIB_CMD")
+ PATH=$ORIGINAL_PATH
else
echo "unsupported platform; not doing symlinks"
fi
diff --git a/pkg/requirements-dev.pip b/pkg/requirements-dev.pip
index 8b5a8d85..799376d2 100644
--- a/pkg/requirements-dev.pip
+++ b/pkg/requirements-dev.pip
@@ -10,8 +10,12 @@
# NOTE: you have to run pip install -r pkg/requirements.pip for pip
# to install it. (do it after python setup.py develop and it
# will only install this)
-
+#
+wheel
sphinx
+ipdb
--e git+https://github.com/leapcode/leap_pycommon.git@develop#egg=leap.common
--e git+https://github.com/leapcode/soledad.git@develop#egg=leap.soledad
+# in case you want to install a package from a git source, you can use this:
+# Useful to test pre-release branches together.
+#-e git+https://github.com/leapcode/leap_pycommon.git@develop#egg=leap.common
+#-e git+https://github.com/leapcode/soledad.git@develop#egg=leap.soledad
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index bf05aa28..9f49bf03 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -9,7 +9,10 @@ argparse
requests>=1.1.0
srp>=1.0.2
pyopenssl
-python-dateutil
+
+# This won't be needed after we refactor leap.common.events
+# to use zmq.
+python-dateutil==1.4 # See https://leap.se/code/issues/6099
psutil
@@ -19,6 +22,8 @@ python-daemon # this should not be needed for Windows.
keyring
zope.proxy
+# You will want to install this bundled if you don't have sodium in your system:
+# pip install pyzmq --install-option="--zmq=bundled"
pyzmq
leap.common>=0.3.7
diff --git a/pkg/scripts/bootstrap_develop.sh b/pkg/scripts/bootstrap_develop.sh
index 7027a908..68edcd43 100755
--- a/pkg/scripts/bootstrap_develop.sh
+++ b/pkg/scripts/bootstrap_develop.sh
@@ -159,6 +159,32 @@ update() {
finish
}
+helpers() {
+ if [[ "$1" == "cleanup" ]]; then
+ status="removing helper files"
+ echo "${cc_green}Status: $status...${cc_normal}"
+ set -x
+ sudo rm -f /usr/sbin/bitmask-root
+ sudo rm -f /usr/share/polkit-1/actions/se.leap.bitmask.policy
+ set +x
+ else
+ status="installing helper files"
+ echo "${cc_green}Status: $status...${cc_normal}"
+ set -x
+ sudo cp bitmask_client/pkg/linux/bitmask-root /usr/sbin/
+ sudo cp bitmask_client/pkg/linux/polkit/se.leap.bitmask.policy /usr/share/polkit-1/actions/
+ set +x
+ fi
+}
+
+install_dependencies() {
+ status="installing system dependencies"
+ echo "${cc_green}Status: $status...${cc_normal}"
+ set -x
+ sudo apt-get install -y git python-dev python-setuptools python-virtualenv python-pip libssl-dev python-openssl libsqlite3-dev g++ openvpn pyside-tools python-pyside libffi-dev
+ set +x
+}
+
run() {
shift # remove 'run' from arg list
passthrough_args=$@
@@ -174,13 +200,17 @@ help() {
echo "Bootstraps the environment to start developing the bitmask client"
echo "with all the needed repositories and dependencies."
echo
- echo "Usage: $0 {init | update | run | help}"
+ echo "Usage: $0 {init | update | run | help | deps | helpers}"
echo
- echo " init : Initialize repositories, create virtualenv and \`python setup.py develop\` all."
- echo " You can use \`init ro\` in order to use the https remotes if you don't have rw access."
- echo " update : Update the repositories and install new deps (if needed)."
- echo " run : Runs the client (any extra parameters will be sent to the app)."
- echo " help : Show this help"
+ echo " init : Initialize repositories, create virtualenv and \`python setup.py develop\` all."
+ echo " You can use \`init ro\` in order to use the https remotes if you don't have rw access."
+ echo " update : Update the repositories and install new deps (if needed)."
+ echo " run : Runs the client (any extra parameters will be sent to the app)."
+ echo " help : Show this help"
+ echo " -- system helpers --"
+ echo " deps : Install the system dependencies needed for bitmask dev (Debian based Linux only)."
+ echo " helpers : Install the helper files needed to use bitmask (Linux only)."
+ echo " You can use \`helpers cleanup\` to remove those files."
echo
}
@@ -191,6 +221,12 @@ case "$1" in
update)
update
;;
+ helpers)
+ helpers $2
+ ;;
+ deps)
+ install_dependencies
+ ;;
run)
run "$@"
;;