1 files changed, 169 insertions, 0 deletions
diff --git a/src/leap/bitmask/util/privilege_policies.py b/src/leap/bitmask/util/privilege_policies.py
new file mode 100644
index 00000000..72442553
--- /dev/null
+++ b/src/leap/bitmask/util/privilege_policies.py
@@ -0,0 +1,169 @@
+# -*- coding: utf-8 -*-
+# privilege_policies.py
+# Copyright (C) 2013 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Helpers to determine if the needed policies for privilege escalation
+are operative under this client run.
+"""
+import logging
+import os
+import platform
+
+from abc import ABCMeta, abstractmethod
+
+logger = logging.getLogger(__name__)
+
+
+POLICY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+  <vendor>LEAP Project</vendor>
+  <vendor_url>https://leap.se/</vendor_url>
+
+  <action id="net.openvpn.gui.leap.run-openvpn">
+    <description>Runs the openvpn binary</description>
+    <description xml:lang="es">Ejecuta el binario openvpn</description>
+    <message>OpenVPN needs that you authenticate to start</message>
+    <message xml:lang="es">
+      OpenVPN necesita autorizacion para comenzar
+    </message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>yes</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">{path}</annotate>
+    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
+  </action>
+</policyconfig>
+"""
+
+
+def is_missing_policy_permissions():
+    """
+    Returns True if we do not have implemented a policy checker for this
+    platform, or if the policy checker exists but it cannot find the
+    appropriate policy mechanisms in place.
+
+    :rtype: bool
+    """
+    _system = platform.system()
+    platform_checker = _system + "PolicyChecker"
+    policy_checker = globals().get(platform_checker, None)
+    if not policy_checker:
+        # it is true that we miss permission to escalate
+        # privileges without asking for password each time.
+        logger.debug("we could not find a policy checker implementation "
+                     "for %s" % (_system,))
+        return True
+    return policy_checker().is_missing_policy_permissions()
+
+
+def get_policy_contents(openvpn_path):
+    """
+    Returns the contents that the policy file should have.
+
+    :param openvpn_path: the openvpn path to use in the polkit file
+    :type openvpn_path: str
+    :rtype: str
+    """
+    return POLICY_TEMPLATE.format(path=openvpn_path)
+
+
+def is_policy_outdated(path):
+    """
+    Returns if the existing polkit file is outdated, comparing if the path
+    is correct.
+
+    :param path: the path that should have the polkit file.
+    :type path: str.
+    :rtype: bool
+    """
+    _system = platform.system()
+    platform_checker = _system + "PolicyChecker"
+    policy_checker = globals().get(platform_checker, None)
+    if policy_checker is None:
+        logger.debug("we could not find a policy checker implementation "
+                     "for %s" % (_system,))
+        return False
+    return policy_checker().is_outdated(path)
+
+
+class PolicyChecker:
+    """
+    Abstract PolicyChecker class
+    """
+
+    __metaclass__ = ABCMeta
+
+    @abstractmethod
+    def is_missing_policy_permissions(self):
+        """
+        Returns True if we could not find any policy mechanisms that
+        are defined to be in used for this particular platform.
+
+        :rtype: bool
+        """
+        return True
+
+
+class LinuxPolicyChecker(PolicyChecker):
+    """
+    PolicyChecker for Linux
+    """
+    LINUX_POLKIT_FILE = ("/usr/share/polkit-1/actions/"
+                         "net.openvpn.gui.leap.policy")
+
+    @classmethod
+    def get_polkit_path(self):
+        """
+        Returns the polkit file path.
+
+        :rtype: str
+        """
+        return self.LINUX_POLKIT_FILE
+
+    def is_missing_policy_permissions(self):
+        """
+        Returns True if we could not find the appropriate policykit file
+        in place
+
+        :rtype: bool
+        """
+        return not os.path.isfile(self.LINUX_POLKIT_FILE)
+
+    def is_outdated(self, path):
+        """
+        Returns if the existing polkit file is outdated, comparing if the path
+        is correct.
+
+        :param path: the path that should have the polkit file.
+        :type path: str.
+        :rtype: bool
+        """
+        polkit = None
+        try:
+            with open(self.LINUX_POLKIT_FILE) as f:
+                polkit = f.read()
+        except IOError, e:
+            logger.error("Error reading polkit file(%s): %r" % (
+                self.LINUX_POLKIT_FILE, e))
+
+        return get_policy_contents(path) != polkit