authorTomás Touceda <chiiph@leap.se>2013-03-12 09:56:05 -0300
committerTomás Touceda <chiiph@leap.se>2013-03-12 09:56:05 -0300
commit2da60cd0f78378fdcb8f6364a798720281b34b4d (patch)
tree066497f18c47ebd24c8626800f2a2341cfd1f05b /src
parentcf83b3ffe300058a4ed30d255481f0c781b0b942 (diff)
Check and try to fix certificate permissions
Diffstat (limited to 'src')
-rw-r--r--src/leap/gui/mainwindow.py31
-rw-r--r--src/leap/services/eip/eipbootstrapper.py12
-rw-r--r--src/leap/services/eip/providerbootstrapper.py14
-rw-r--r--src/leap/util/files.py27
4 files changed, 69 insertions, 15 deletions
diff --git a/src/leap/gui/mainwindow.py b/src/leap/gui/mainwindow.py
index 08b8f08b..aa9b4ffd 100644
--- a/src/leap/gui/mainwindow.py
+++ b/src/leap/gui/mainwindow.py
@@ -395,13 +395,15 @@ class MainWindow(QtGui.QMainWindow):
status = "<font color='red'><b>%s</b></font>" % (status,)
self.ui.lblStatus.setText(status)
- def _set_eip_status(self, status):
+ def _set_eip_status(self, status, error=False):
"""
Sets the status label at the VPN stage to status
@param status: status message
@type status: str
"""
+ if error:
+ status = "<font color='red'><b>%s</b></font>" % (status,)
self.ui.lblEIPStatus.setText(status)
def _login_set_enabled(self, enabled=False):
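Review bot: The new `error=True` path interpolates `status` into markup without escaping it, and the new callers feed it exception text (`"%s" % (e,)` from the bootstrappers, which can carry file paths or, for request failures, server-derived text), so a `<` or `&` in that text is interpreted by the label as rich text instead of being shown literally. Unless callers intentionally pass markup, escape before wrapping: `status = "<font color='red'><b>%s</b></font>" % (cgi.escape(status),)` (with `import cgi`, or PySide's `QtCore.Qt.escape` since the file already uses PySide). The docstring should also describe the added parameter, e.g. `@param error: render the message as an error (red, bold)` and `@type error: bool`. `_set_eip_status` is complete in this hunk; the lines above it belong to the previous method.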
@@ -579,7 +581,7 @@ class MainWindow(QtGui.QMainWindow):
self.ui.btnEipStartStop.clicked.connect(
self._stop_eip)
except VPNLauncherException as e:
- self._set_eip_status("%s" % (e,))
+ self._set_eip_status("%s" % (e,), error=True)
self.ui.btnEipStartStop.setEnabled(True)
def _stop_eip(self):
@@ -609,7 +611,8 @@ class MainWindow(QtGui.QMainWindow):
download_if_needed=True)
else:
self._set_eip_status(self.tr("%s does not support EIP") %
- (self._provider_config.get_domain(),))
+ (self._provider_config.get_domain(),),
+ error=True)
def _set_eip_status_icon(self, status):
"""
@@ -681,15 +684,21 @@ class MainWindow(QtGui.QMainWindow):
leap_assert(self._eip_config, "We need an eip config!")
leap_assert(self._provider_config, "We need a provider config!")
- if self._eip_config.loaded() or \
- self._eip_config.load(os.path.join("leap",
- "providers",
- self._provider_config
- .get_domain(),
- "eip-service.json")):
+ if data[self._eip_bootstrapper.PASSED_KEY] and \
+ (self._eip_config.loaded() or
+ self._eip_config.load(os.path.join("leap",
+ "providers",
+ self._provider_config
+ .get_domain(),
+ "eip-service.json"))):
self._start_eip()
- # TODO: display a message if the EIP configuration cannot be
- # loaded
+ else:
+ if data[self._eip_bootstrapper.PASSED_KEY]:
+ self._set_eip_status(self.tr("Could not load EIP "
+ "Configuration"), error=True)
+ else:
+ self._set_eip_status(data[self._eip_bootstrapper.ERROR_KEY],
+ error=True)
def _logout(self):
"""
diff --git a/src/leap/services/eip/eipbootstrapper.py b/src/leap/services/eip/eipbootstrapper.py
index bd6ab715..79ff28d6 100644
--- a/src/leap/services/eip/eipbootstrapper.py
+++ b/src/leap/services/eip/eipbootstrapper.py
@@ -30,6 +30,7 @@ from leap.config.providerconfig import ProviderConfig
from leap.services.eip.eipconfig import EIPConfig
from leap.util.check import leap_assert, leap_assert_type
from leap.util.checkerthread import CheckerThread
+from leap.util.files import check_and_fix_urw_only
logger = logging.getLogger(__name__)
@@ -147,9 +148,14 @@ class EIPBootstrapper(QtCore.QObject):
if self._download_if_needed and \
os.path.exists(client_cert_path):
- download_cert[self.PASSED_KEY] = True
+ try:
+ check_and_fix_urw_only(client_cert_path)
+ download_cert[self.PASSED_KEY] = True
+ except Exception as e:
+ download_cert[self.PASSED_KEY] = False
+ download_cert[self.ERROR_KEY] = "%s" % (e,)
self.download_client_certificate.emit(download_cert)
- return True
+ return download_cert[self.PASSED_KEY]
try:
res = self._session.get("%s/%s/%s/" %
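Review bot: In the `os.path.exists(client_cert_path)` branch a certificate found with the wrong mode is chmod'd and then reported as PASSED, i.e. reused as-is; if the file was group- or world-readable on disk, whatever it contains (presumably private key material, given the 0600 requirement) may already have been read by another local user, and tightening the mode afterwards does not undo that. Consider having `check_and_fix_urw_only` report whether it had to change the mode and, when it did, log that and fall through to the download below instead of setting `PASSED_KEY`, so a possibly-exposed client certificate is replaced rather than kept. Whether the server will re-issue on a repeat download is not visible here, so verify that before adopting this. The enclosing method starts before this hunk.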
@@ -176,6 +182,8 @@ class EIPBootstrapper(QtCore.QObject):
with open(client_cert_path, "w") as f:
f.write(client_cert)
+ check_and_fix_urw_only(client_cert_path)
+
download_cert[self.PASSED_KEY] = True
except Exception as e:
download_cert[self.ERROR_KEY] = "%s" % (e,)
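Review bot: The certificate is written with `open(client_cert_path, "w")`, which creates the file under the process umask (commonly 0644), and is only tightened afterwards by `check_and_fix_urw_only`; between the write and the chmod the contents are readable by other local users, and if the chmod then fails the `except` below leaves a fully written, readable file behind. Creating the file with its final mode closes that window: `fd = os.open(client_cert_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)` followed by `with os.fdopen(fd, "w") as f:` (this file would need `import stat`). Keep the `check_and_fix_urw_only` call after the write, since the mode argument to `os.open` only applies when the file is newly created. The enclosing method starts before this hunk.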
diff --git a/src/leap/services/eip/providerbootstrapper.py b/src/leap/services/eip/providerbootstrapper.py
index ecdc4e07..0e9f8563 100644
--- a/src/leap/services/eip/providerbootstrapper.py
+++ b/src/leap/services/eip/providerbootstrapper.py
@@ -31,6 +31,7 @@ from PySide import QtGui, QtCore
from leap.config.providerconfig import ProviderConfig
from leap.util.check import leap_assert, leap_assert_type
from leap.util.checkerthread import CheckerThread
+from leap.util.files import check_and_fix_urw_only
logger = logging.getLogger(__name__)
@@ -258,9 +259,16 @@ class ProviderBootstrapper(QtCore.QObject):
}
if not self._should_proceed_cert():
- download_ca_cert_data[self.PASSED_KEY] = True
+ try:
+ check_and_fix_urw_only(
+ self._provider_config
+ .get_ca_cert_path(about_to_download=True))
+ download_ca_cert_data[self.PASSED_KEY] = True
+ except Exception as e:
+ download_ca_cert_data[self.PASSED_KEY] = False
+ download_ca_cert_data[self.ERROR_KEY] = "%s" % (e,)
self.download_ca_cert.emit(download_ca_cert_data)
- return True
+ return download_ca_cert_data[self.PASSED_KEY]
try:
res = self._session.get(self._provider_config.get_ca_cert_uri())
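Review bot: The new `not self._should_proceed_cert()` branch assumes the file at `get_ca_cert_path(about_to_download=True)` exists: `check_and_fix_urw_only` calls `os.stat` on it, which raises if it does not, so this path now reports a failure (with a raw OSError string as the user-visible message) where it previously returned True unconditionally. If `_should_proceed_cert()` can be False for any reason other than that file already being present, its body is not in this hunk so I cannot tell, guard with `os.path.exists` first or let the helper distinguish "missing" from "wrong mode". The enclosing method starts before this hunk.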
@@ -282,6 +290,8 @@ class ProviderBootstrapper(QtCore.QObject):
with open(cert_path, "w") as f:
f.write(res.content)
+ check_and_fix_urw_only(cert_path)
+
download_ca_cert_data[self.PASSED_KEY] = True
except Exception as e:
download_ca_cert_data[self.ERROR_KEY] = "%s" % (e,)
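Review bot: Same create-then-chmod pattern as the client certificate: `open(cert_path, "w")` creates or truncates the file under the umask before any permission check runs, so a pre-existing file the current user can write but not chmod is overwritten and only then does `check_and_fix_urw_only` fail. The CA certificate is not secret, so the readable window matters less here than for the client certificate, but for consistency create it with the final mode too: `fd = os.open(cert_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)` and `with os.fdopen(fd, "w") as f:` (with `import stat`), keeping the `check_and_fix_urw_only` call for the already-exists case. The enclosing method starts before this hunk.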
diff --git a/src/leap/util/files.py b/src/leap/util/files.py
new file mode 100644
index 00000000..f7fda39e
--- /dev/null
+++ b/src/leap/util/files.py
@@ -0,0 +1,27 @@
+import os
+import stat
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def check_and_fix_urw_only(cert):
+ """
+ Test for 600 mode and try to set it if anything different found
+
+ Might raise OSError
+
+ @param cert: Certificate path
+ @type cert: str
+ """
+ mode = stat.S_IMODE(os.stat(cert).st_mode)
+
+ if mode != int('600', 8):
+ try:
+ logger.warning('Bad permission on %s attempting to set 600' %
+ (cert,))
+ os.chmod(cert, stat.S_IRUSR | stat.S_IWUSR)
+ except OSError:
+ logger.error('Error while trying to chmod 600 %s' %
+ cert)
+ raise
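Review bot: `os.stat` and `os.chmod` both follow symlinks, so if `cert` is a symlink planted by another local user the check inspects and "fixes" the link target rather than refusing it, and a file owned by someone else with mode 0600 passes the check even though its owner can rewrite it at will. Use `os.lstat`, reject symlinks, and compare `st_uid` with the current user (guarded, since `os.getuid` is POSIX-only); raising `OSError` keeps the contract stated in the docstring. Separately, the two log calls format eagerly with `%`; `logger.warning('Bad permission on %s attempting to set 600', cert)` is the idiomatic lazy form.
```python
def check_and_fix_urw_only(cert):
    # … unchanged: docstring …
    st = os.lstat(cert)
    if stat.S_ISLNK(st.st_mode):
        raise OSError("Refusing to use symlinked certificate %s" % (cert,))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise OSError("Certificate %s is not owned by the current user" %
                      (cert,))
    mode = stat.S_IMODE(st.st_mode)
    # … unchanged: chmod to 0600 when mode differs …
```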