Merge branch '0.6.1-rc' into deb-0.6.1-rc

Conflicts:
	pkg/linux/bitmask-root
	src/leap/bitmask/gui/login.py

6 files changed, 237 insertions, 30 deletions

diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 56202b5f..c9034b0d 100755..100644
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -34,7 +34,6 @@ not be teared down in the case of an error during launch.
 """
 # TODO should be tested with python3, which can be the default on some distro.
 from __future__ import print_function
-import atexit
 import os
 import re
 import signal
@@ -42,7 +41,6 @@ import socket
 import syslog
 import subprocess
 import sys
-import time
 import traceback
 
 cmdcheck = subprocess.check_output
@@ -51,7 +49,7 @@ cmdcheck = subprocess.check_output
 # CONSTANTS
 #
 
-VERSION = "1"
+VERSION = "2"
 SCRIPT = "bitmask-root"
 NAMESERVER = "10.42.0.1"
 BITMASK_CHAIN = "bitmask"
@@ -659,17 +657,6 @@ def firewall_start(args):
     ip4tables("--append", BITMASK_CHAIN, "-o",
               default_device, "--jump", "REJECT")
 
-    # workaround for ipv6 servers being blocked and not falling back to ipv4.
-    # See #5693
-    ip6tables("--append", "OUTPUT", "--jump", "REJECT",
-              "-s", "::/0",  "-d", "::/0",
-              "-p", "tcp",
-              "--reject-with", "icmp6-port-unreachable")
-    ip6tables("--append", "OUTPUT", "--jump", "REJECT",
-              "-s", "::/0",  "-d", "::/0",
-              "-p", "udp",
-              "--reject-with", "icmp6-port-unreachable")
-
 
 def firewall_stop():
     """
diff --git a/pkg/osx/Info.plist b/pkg/osx/Info.plist
index e90d920a..dc427c4a 100644
--- a/pkg/osx/Info.plist
+++ b/pkg/osx/Info.plist
@@ -2,21 +2,23 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>CFBundleDisplayName</key>
-	<string>leap-client</string>
-	<key>CFBundleExecutable</key>
-	<string>MacOS/app</string>
-	<key>CFBundleIconFile</key>
-	<string>icon-windowed.icns</string>
-	<key>CFBundleInfoDictionaryVersion</key>
-	<string>6.0</string>
-	<key>CFBundleName</key>
-	<string>leap-client</string>
-	<key>CFBundlePackageType</key>
-	<string>APPL</string>
-	<key>CFBundleShortVersionString</key>
-	<string>1</string>
-	<key>LSBackgroundOnly</key>
-	<false/>
+        <key>CFBundleDisplayName</key>
+        <string>Bitmask</string>
+        <key>CFBundleExecutable</key>
+        <string>app</string>
+        <key>CFBundleIconFile</key>
+        <string>bitmask.icns</string>
+        <key>CFBundleInfoDictionaryVersion</key>
+        <string>6.0</string>
+        <key>CFBundleName</key>
+        <string>Bitmask</string>
+        <key>CFBundlePackageType</key>
+        <string>APPL</string>
+        <key>CFBundleShortVersionString</key>
+        <string>1</string>
+        <key>LSBackgroundOnly</key>
+        <false/>
+        <key>CFBundleIdentifier</key>
+        <string>se.leap.bitmask</string>
 </dict>
 </plist>
diff --git a/pkg/osx/bitmask.icns b/pkg/osx/bitmask.icns
new file mode 100644
index 00000000..7cc3e752
--- /dev/null
+++ b/pkg/osx/bitmask.icns
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index 3d6b33a3..bf05aa28 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -19,6 +19,8 @@ python-daemon # this should not be needed for Windows.
 keyring
 zope.proxy
 
+pyzmq
+
 leap.common>=0.3.7
 leap.soledad.client>=0.5.0
 leap.keymanager>=0.3.8
diff --git a/pkg/tuf/init.py b/pkg/tuf/init.py
new file mode 100755
index 00000000..7300da0a
--- /dev/null
+++ b/pkg/tuf/init.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python
+# init.py
+# Copyright (C) 2014 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Tool to initialize a TUF repo.
+
+The keys can be generated with:
+    openssl genrsa -des3 -out private.pem 4096
+The public key can be exported with:
+    openssl rsa -in private.pem -outform PEM -pubout -out public.pem
+"""
+
+import sys
+
+from tuf.repository_tool import create_new_repository
+from tuf.repository_tool import import_rsa_privatekey_from_file
+from tuf.repository_tool import import_rsa_publickey_from_file
+
+
+def usage():
+    print ("Usage:  %s repo root_private_key root_pub_key targets_pub_key"
+           " timestamp_pub_key") % (sys.argv[0],)
+
+
+def main():
+    if len(sys.argv) < 6:
+        usage()
+        return
+
+    repo_path = sys.argv[1]
+    root_priv_path = sys.argv[2]
+    root_pub_path = sys.argv[3]
+    targets_pub_path = sys.argv[4]
+    timestamp_pub_path = sys.argv[5]
+    repo = Repo(repo_path, root_priv_path)
+    repo.build(root_pub_path, targets_pub_path, timestamp_pub_path)
+
+    print "%s/metadata.staged/root.json is ready" % (repo_path,)
+
+
+class Repo(object):
+    """
+    Repository builder class
+    """
+
+    def __init__(self, repo_path, key_path):
+        """
+        Constructor
+
+        :param repo_path: path where the repo lives
+        :type repo_path: str
+        :param key_path: path where the private root key lives
+        :type key_path: str
+        """
+        self._repo_path = repo_path
+        self._key = import_rsa_privatekey_from_file(key_path)
+
+    def build(self, root_pub_path, targets_pub_path, timestamp_pub_path):
+        """
+        Create a new repo
+
+        :param root_pub_path: path where the public root key lives
+        :type root_pub_path: str
+        :param targets_pub_path: path where the public targets key lives
+        :type targets_pub_path: str
+        :param timestamp_pub_path: path where the public timestamp key lives
+        :type timestamp_pub_path: str
+        """
+        repository = create_new_repository(self._repo_path)
+
+        pub_root_key = import_rsa_publickey_from_file(root_pub_path)
+        repository.root.add_verification_key(pub_root_key)
+        repository.root.load_signing_key(self._key)
+
+        pub_target_key = import_rsa_publickey_from_file(targets_pub_path)
+        repository.targets.add_verification_key(pub_target_key)
+        repository.snapshot.add_verification_key(pub_target_key)
+        repository.targets.compressions = ["gz"]
+        repository.snapshot.compressions = ["gz"]
+
+        pub_timestamp_key = import_rsa_publickey_from_file(timestamp_pub_path)
+        repository.timestamp.add_verification_key(pub_timestamp_key)
+
+        repository.write_partial()
+
+
+if __name__ == "__main__":
+    main()
diff --git a/pkg/tuf/release.py b/pkg/tuf/release.py
new file mode 100755
index 00000000..c4abcd0d
--- /dev/null
+++ b/pkg/tuf/release.py
@@ -0,0 +1,114 @@
+#!/usr/bin/env python
+# release.py
+# Copyright (C) 2014 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Tool to generate TUF related files after a release
+
+The 'repo' folder should contain two folders:
+  - 'metadata.staged' with all the jsons from the previows release
+  - 'targets' where the release targets are
+"""
+
+import datetime
+import os.path
+import sys
+
+from tuf.repository_tool import load_repository
+from tuf.repository_tool import import_rsa_privatekey_from_file
+from tuf.repository_tool import import_rsa_publickey_from_file
+
+"""
+Days until the expiration of targets.json and snapshot.json. After this ammount
+of days the TUF client won't accept this files.
+"""
+EXPIRATION_DAYS = 90
+
+
+def usage():
+    print "Usage:  %s repo key" % (sys.argv[0],)
+
+
+def main():
+    if len(sys.argv) < 3:
+        usage()
+        return
+
+    repo_path = sys.argv[1]
+    key_path = sys.argv[2]
+    targets = Targets(repo_path, key_path)
+    targets.build()
+
+    print "%s/metadata.staged/(targets|snapshot).json[.gz] are ready" % \
+          (repo_path,)
+
+
+class Targets(object):
+    """
+    Targets builder class
+    """
+
+    def __init__(self, repo_path, key_path):
+        """
+        Constructor
+
+        :param repo_path: path where the repo lives
+        :type repo_path: str
+        :param key_path: path where the private targets key lives
+        :type key_path: str
+        """
+        self._repo_path = repo_path
+        self._key = import_rsa_privatekey_from_file(key_path)
+
+    def build(self):
+        """
+        Generate snapshot.json[.gz] and targets.json[.gz]
+        """
+        self._repo = load_repository(self._repo_path)
+        self._load_targets()
+
+        self._repo.targets.load_signing_key(self._key)
+        self._repo.snapshot.load_signing_key(self._key)
+        self._repo.targets.compressions = ["gz"]
+        self._repo.snapshot.compressions = ["gz"]
+        self._repo.snapshot.expiration = (
+            datetime.datetime.now() +
+            datetime.timedelta(days=EXPIRATION_DAYS))
+        self._repo.targets.expiration = (
+            datetime.datetime.now() +
+            datetime.timedelta(days=EXPIRATION_DAYS))
+        self._repo.write_partial()
+
+    def _load_targets(self):
+        """
+        Load a list of targets
+        """
+        targets_path = os.path.join(self._repo_path, 'targets')
+        target_list = self._repo.get_filepaths_in_directory(
+            targets_path,
+            recursive_walk=True,
+            followlinks=True)
+
+        for target in target_list:
+            octal_file_permissions = oct(os.stat(target).st_mode)[3:]
+            custom_file_permissions = {
+                'file_permissions': octal_file_permissions
+            }
+            self._repo.targets.add_target(target, custom_file_permissions)
+
+
+if __name__ == "__main__":
+    main()