authorkali <kali@leap.se>2012-10-24 04:05:19 +0900
committerkali <kali@leap.se>2012-10-24 04:05:19 +0900
commit0060d3c74adce19fab7215b3788c5197cc05a9ae (patch)
tree30de33e139ebcd5126f553409df4b2efac9df374 /src/leap/eip
parentac67079632fb96d9da463e0cc9f2367b0ba6886e (diff)
sign up branch ends by triggering eip connection
still need to bind signals properly, and block on the validation process until we receive the "connected" signal. but the basic flow is working again, i.e., the user should be able to remove the .config/leap folder and get all the needed info from the provider.
Diffstat (limited to 'src/leap/eip')
-rw-r--r--src/leap/eip/checks.py37
-rw-r--r--src/leap/eip/config.py19
-rw-r--r--src/leap/eip/eipconnection.py15
-rw-r--r--src/leap/eip/openvpnconnection.py4
-rw-r--r--src/leap/eip/specs.py6
5 files changed, 49 insertions, 32 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index b335b857..44c8f234 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -45,7 +45,8 @@ reachable and testable as a whole.
"""
-def get_ca_cert():
+def get_branding_ca_cert(domain):
+ # XXX deprecated
ca_file = BRANDING.get('provider_ca_file')
if ca_file:
return leapcerts.where(ca_file)
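Review bot: The new `domain` parameter of get_branding_ca_cert is never read in the visible lines; the body still resolves the certificate through `BRANDING.get('provider_ca_file')`, so a caller passing a domain gets the branded bundle regardless of it. If that is intentional while the function is phased out, the comment should say so, e.g. `# XXX deprecated: domain is ignored, always returns the branded provider CA`. The function body continues past the end of the hunk, so a later use of domain cannot be ruled out from here.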
@@ -62,7 +63,7 @@ class ProviderCertChecker(object):
self.fetcher = fetcher
self.domain = domain
- self.cacert = get_ca_cert()
+ self.cacert = eipspecs.provider_ca_path(domain)
def run_all(
self, checker=None,
@@ -84,7 +85,7 @@ class ProviderCertChecker(object):
checker.is_there_provider_ca()
# XXX FAKE IT!!!
- checker.is_https_working(verify=do_verify)
+ checker.is_https_working(verify=do_verify, autocacert=True)
checker.check_new_cert_needed(verify=do_verify)
def download_ca_cert(self, uri=None, verify=True):
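Review bot: The `# XXX FAKE IT!!!` comment now sits over a call that passes `autocacert=True`, which (per the is_https_working hunk later in this file) makes the request verify against `self.cacert`, so the comment no longer describes what the line does and should be updated or removed. Note also that run_all discards the boolean is_https_working returns; once that method stops raising on an SSLError (last hunk of this file), nothing here reacts to a failed check. The enclosing run_all method starts before the hunk.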
@@ -136,17 +137,14 @@ class ProviderCertChecker(object):
raise NotImplementedError
def is_there_provider_ca(self):
- # XXX modify for generic build
- from leap import certs
- logger.debug('do we have provider_ca?')
- cacert_path = BRANDING.get('provider_ca_file', None)
- if not cacert_path:
- # XXX look from the domain
- logger.debug('False')
+ if not self.cacert:
return False
- self.cacert = certs.where(cacert_path)
- logger.debug('True')
- return True
+ cacert_exists = os.path.isfile(self.cacert)
+ if cacert_exists:
+ logger.debug('True')
+ return True
+ logger.debug('False!')
+ return False
def is_https_working(
self, uri=None, verify=True,
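Review bot: is_there_provider_ca logs only `'True'`/`'False!'`, which leaves no record of which path was checked when a provider's CA turns out to be missing; folding the path into the message and returning the computed flag is shorter and more useful: `cacert_exists = os.path.isfile(self.cacert)`, `logger.debug('provider ca %s exists: %s', self.cacert, cacert_exists)`, `return cacert_exists`. The removed lines imported `leap.certs` locally; the new code relies on `os` being imported at module level in checks.py, which the hunk does not show, so confirm that import exists. The is_https_working signature continues past the hunk.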
@@ -162,6 +160,7 @@ class ProviderCertChecker(object):
if autocacert and verify is True and self.cacert is not None:
logger.debug('verify cert: %s', self.cacert)
verify = self.cacert
+ #import pdb4qt; pdb4qt.set_trace()
logger.debug('is https working?')
logger.debug('uri: %s (verify:%s)', uri, verify)
try:
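Review bot: `#import pdb4qt; pdb4qt.set_trace()` is a commented-out debugger hook left in the middle of the certificate verification path; it should be dropped rather than committed, since a breakpoint that is one uncomment away in the code that decides whether a provider is trusted is easy to re-enable by accident. The enclosing is_https_working method starts before and ends after this hunk.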
@@ -169,18 +168,16 @@ class ProviderCertChecker(object):
except requests.exceptions.SSLError as exc:
logger.error("SSLError")
- raise eipexceptions.HttpsBadCertError
+ # XXX RAISE! See #638
+ #raise eipexceptions.HttpsBadCertError
+ logger.warning('BUG #638 CERT VERIFICATION FAILED! '
+ '(this should be CRITICAL)')
+ logger.warning('SSLError: %s', exc.message)
except requests.exceptions.ConnectionError:
logger.error('ConnectionError')
raise eipexceptions.HttpsNotSupported
- except requests.exceptions.SSLError as exc:
- logger.warning('BUG #638 CERT VERIFICATION FAILED! '
- '(this should be CRITICAL)')
- logger.warning('SSLError: %s', exc.message)
- # XXX RAISE! See #638
- #raise eipexceptions.EIPBadCertError
else:
logger.debug('True')
return True
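Review bot: The `except requests.exceptions.SSLError` branch now only logs a warning and falls through, so a failed certificate verification against `self.cacert` neither raises nor returns anything (the `else: return True` is skipped and the visible method ends without a return), and callers such as run_all in the earlier hunk, which ignores the return value anyway, proceed to check_new_cert_needed as if the provider had been authenticated. The `# XXX RAISE! See #638` comment records this, but the handler this commit removes (`raise eipexceptions.HttpsBadCertError`) was the one that actually ran; the logging clause kept here was previously unreachable as a second `except` for the same exception type, so this commit is where the check becomes fail-open. Restoring `raise eipexceptions.HttpsBadCertError` in that branch (or at minimum `return False` and acting on it in run_all) keeps a verification failure from reaching the connection step. The method body continues past the hunk, so a later return could be present but would not change the outcome for the SSLError path.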
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 1ce4a54e..57e15c9e 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -110,6 +110,8 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
# since we will need to take some
# things from there if present.
+ provider = kwargs.pop('provider', None)
+
# get user/group name
# also from config.
user = baseconfig.get_username()
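Review bot: `provider = kwargs.pop('provider', None)` defaults to None, and the `# certs` hunk later in this function passes it to `eipspecs.client_cert_path` and `eipspecs.provider_ca_path`, which with this commit return None for a falsy domain; the result is `--cert None`, `--key None`, `--ca None` in the openvpn argument list instead of an error at the point where the information is missing. A guard such as `if provider is None: raise ValueError('build_ovpn_options needs a provider domain')` here (or the project's own EIP exception type) would fail early and visibly. The function starts before the hunk.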
@@ -136,6 +138,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
logger.debug('setting eip gateway to %s', gw)
opts.append(str(gw))
opts.append('1194')
+ #opts.append('80')
opts.append('udp')
opts.append('--tls-client')
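Review bot: `#opts.append('80')` is a commented-out alternative port left next to the live `opts.append('1194')`; commented-out code in the option builder is easy to flip on by accident and carries no explanation, so either remove it or replace it with a comment stating why 1194/udp is fixed here. The build_ovpn_options function starts before and continues after the hunk.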
@@ -172,12 +175,15 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
opts.append('7777')
# certs
+ client_cert_path = eipspecs.client_cert_path(provider)
+ ca_cert_path = eipspecs.provider_ca_path(provider)
+
opts.append('--cert')
- opts.append(eipspecs.client_cert_path())
+ opts.append(client_cert_path)
opts.append('--key')
- opts.append(eipspecs.client_cert_path())
+ opts.append(client_cert_path)
opts.append('--ca')
- opts.append(eipspecs.provider_ca_path())
+ opts.append(ca_cert_path)
# we cannot run in daemon mode
# with the current subp setting.
@@ -245,7 +251,7 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
return [command[0], command[1:]]
-def check_vpn_keys():
+def check_vpn_keys(provider=None):
"""
performs an existance and permission check
over the openvpn keys file.
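Review bot: check_vpn_keys gains a `provider` parameter, but the docstring (which continues past the hunk) still describes only the check itself; a line such as `provider: domain of the provider whose CA cert and client certificate are checked (required)` belongs there, particularly since the default `None` is rejected by the body in the next hunk.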
@@ -253,8 +259,9 @@ def check_vpn_keys():
per provider, containing the CA cert,
the provider key, and our client certificate
"""
- provider_ca = eipspecs.provider_ca_path()
- client_cert = eipspecs.client_cert_path()
+ assert provider is not None
+ provider_ca = eipspecs.provider_ca_path(provider)
+ client_cert = eipspecs.client_cert_path(provider)
logger.debug('provider ca = %s', provider_ca)
logger.debug('client cert = %s', client_cert)
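Review bot: `assert provider is not None` is input validation via assert; under `python -O` it is stripped, `provider_ca_path(None)` and `client_cert_path(None)` then return None (per the specs.py hunks), and the existence and permission checks that follow operate on None. Use an explicit check instead, `if provider is None: raise ValueError('check_vpn_keys: provider domain is required')`, or drop the `provider=None` default from the signature since None is never acceptable. The function body continues past the hunk.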
diff --git a/src/leap/eip/eipconnection.py b/src/leap/eip/eipconnection.py
index f0e7861e..d4aeddf6 100644
--- a/src/leap/eip/eipconnection.py
+++ b/src/leap/eip/eipconnection.py
@@ -29,6 +29,7 @@ class EIPConnection(OpenVPNConnection):
*args, **kwargs):
self.settingsfile = kwargs.get('settingsfile', None)
self.logfile = kwargs.get('logfile', None)
+ self.provider = kwargs.pop('provider', None)
self.error_queue = Queue.Queue()
@@ -38,8 +39,10 @@ class EIPConnection(OpenVPNConnection):
checker_signals = kwargs.pop('checker_signals', None)
self.checker_signals = checker_signals
- self.provider_cert_checker = provider_cert_checker()
- self.config_checker = config_checker()
+ # initialize checkers
+ self.provider_cert_checker = provider_cert_checker(
+ domain=self.provider)
+ self.config_checker = config_checker(domain=self.provider)
host = eipconfig.get_socket_path()
kwargs['host'] = host
@@ -49,6 +52,14 @@ class EIPConnection(OpenVPNConnection):
def has_errors(self):
return True if self.error_queue.qsize() != 0 else False
+ def set_provider_domain(self, domain):
+ """
+ sets the provider domain.
+ used from the first run wizard when we launch the run_checks
+ and connect process after having initialized the conductor.
+ """
+ self.provider = domain
+
def run_checks(self, skip_download=False, skip_verify=False):
"""
run all eip checks previous to attempting a connection
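Review bot: set_provider_domain only rebinds `self.provider`, but the __init__ hunk above constructs `self.provider_cert_checker` and `self.config_checker` with `domain=self.provider` at construction time, and ProviderCertChecker (checks.py in this diff) stores both `domain` and a derived `cacert` path in its own __init__. A wizard that calls set_provider_domain after building the conductor therefore runs the checks against the original, possibly None, domain. Keep the checker factories passed to __init__ and re-instantiate both checkers in set_provider_domain, or at least update the existing checker's `domain` and `cacert`, and state in the docstring that the checkers are refreshed. The run_checks method begins at the end of the hunk and continues past it.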
diff --git a/src/leap/eip/openvpnconnection.py b/src/leap/eip/openvpnconnection.py
index 2ec7d08c..d7c571bc 100644
--- a/src/leap/eip/openvpnconnection.py
+++ b/src/leap/eip/openvpnconnection.py
@@ -25,7 +25,6 @@ class OpenVPNConnection(Connection):
"""
def __init__(self,
- #config_file=None,
watcher_cb=None,
debug=False,
host=None,
@@ -96,6 +95,7 @@ to be triggered for each one of them.
# XXX check also for command-line --command flag
try:
command, args = eip_config.build_ovpn_command(
+ provider=self.provider,
debug=self.debug,
socket_path=self.host,
ovpn_verbosity=self.ovpn_verbosity)
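Review bot: `provider=self.provider` reads an attribute that, within this diff, is assigned only in the subclass EIPConnection.__init__; the visible part of OpenVPNConnection.__init__ (first hunk of this file) does not set it, so an OpenVPNConnection used on its own, or one whose subclass assignment has not run yet, would raise AttributeError here. The same read appears in the check_vpn_keys call in the next hunk. If the base class owns the attribute, initialise it there (e.g. `self.provider = None` in OpenVPNConnection.__init__, which is inferred since that body is not shown); otherwise document that subclasses must supply it. The enclosing method starts before the hunk.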
@@ -115,7 +115,7 @@ to be triggered for each one of them.
checks for correct permissions on vpn keys
"""
try:
- eip_config.check_vpn_keys()
+ eip_config.check_vpn_keys(provider=self.provider)
except eip_exceptions.EIPInitBadKeyFilePermError:
logger.error('Bad VPN Keys permission!')
# do nothing now
diff --git a/src/leap/eip/specs.py b/src/leap/eip/specs.py
index 4014b7c9..84b2597d 100644
--- a/src/leap/eip/specs.py
+++ b/src/leap/eip/specs.py
@@ -4,6 +4,8 @@ import os
from leap import __branding
from leap.base import config as baseconfig
+# XXX move provider stuff to base config
+
PROVIDER_CA_CERT = __branding.get(
'provider_ca_file',
'testprovider-ca-cert.pem')
@@ -13,7 +15,7 @@ provider_ca_path = lambda domain: str(os.path.join(
baseconfig.get_provider_path(domain),
'keys', 'ca',
'cacert.pem'
-))
+)) if domain else None
default_provider_ca_path = lambda: str(os.path.join(
baseconfig.get_default_provider_path(),
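Review bot: `)) if domain else None` turns the path helper into one that silently yields None for a missing domain, which moves the failure to every caller (build_ovpn_options in this diff appends the result straight into the openvpn argument list; is_there_provider_ca checks for it explicitly). Raising on a falsy domain, or at least a comment next to the lambda stating that None is returned when no domain is given, would make the contract visible; the same applies to client_cert_path in the next hunk. The lambda's head is outside the hunk. Since `domain` becomes a filesystem path component through baseconfig.get_provider_path, validating it as a hostname before it reaches these helpers is also worth doing, though that belongs with the caller rather than here.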
@@ -28,7 +30,7 @@ client_cert_path = lambda domain: unicode(os.path.join(
baseconfig.get_provider_path(domain),
'keys', 'client',
'openvpn.pem'
-))
+)) if domain else None
default_client_cert_path = lambda: unicode(os.path.join(
baseconfig.get_default_provider_path(),