summaryrefslogtreecommitdiff
path: root/src/leap/eip
diff options
context:
space:
mode:
Diffstat (limited to 'src/leap/eip')
-rw-r--r--src/leap/eip/checks.py309
-rw-r--r--src/leap/eip/config.py190
-rw-r--r--src/leap/eip/eipconnection.py271
-rw-r--r--src/leap/eip/exceptions.py64
-rw-r--r--src/leap/eip/openvpnconnection.py521
-rw-r--r--src/leap/eip/specs.py69
-rw-r--r--src/leap/eip/tests/data.py40
-rw-r--r--src/leap/eip/tests/test_checks.py43
-rw-r--r--src/leap/eip/tests/test_config.py188
-rw-r--r--src/leap/eip/tests/test_eipconnection.py39
-rw-r--r--src/leap/eip/tests/test_openvpnconnection.py34
11 files changed, 1177 insertions, 591 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index f739c3e8..9a34a428 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -1,23 +1,24 @@
import logging
-import ssl
-#import platform
import time
import os
+import sys
-from gnutls import crypto
-#import netifaces
-#import ping
import requests
from leap import __branding as BRANDING
-from leap import certs
+from leap import certs as leapcerts
+from leap.base.auth import srpauth_protected, magick_srpauth
+from leap.base import config as baseconfig
from leap.base import constants as baseconstants
from leap.base import providers
+from leap.crypto import certs
from leap.eip import config as eipconfig
from leap.eip import constants as eipconstants
from leap.eip import exceptions as eipexceptions
from leap.eip import specs as eipspecs
+from leap.util.certs import get_mac_cabundle
from leap.util.fileutil import mkdir_p
+from leap.util.web import get_https_domain_and_port
logger = logging.getLogger(name=__name__)
@@ -42,10 +43,11 @@ reachable and testable as a whole.
"""
-def get_ca_cert():
+def get_branding_ca_cert(domain):
+ # deprecated
ca_file = BRANDING.get('provider_ca_file')
if ca_file:
- return certs.where(ca_file)
+ return leapcerts.where(ca_file)
class ProviderCertChecker(object):
@@ -54,18 +56,29 @@ class ProviderCertChecker(object):
client certs and checking tls connection
with provider.
"""
- def __init__(self, fetcher=requests):
+ def __init__(self, fetcher=requests,
+ domain=None):
+
self.fetcher = fetcher
- self.cacert = get_ca_cert()
+ self.domain = domain
+ #XXX needs some kind of autoinit
+ #right now we set by hand
+ #by loading and reading provider config
+ self.apidomain = None
+ self.cacert = eipspecs.provider_ca_path(domain)
+
+ def run_all(
+ self, checker=None,
+ skip_download=False, skip_verify=False):
- def run_all(self, checker=None, skip_download=False, skip_verify=False):
if not checker:
checker = self
do_verify = not skip_verify
logger.debug('do_verify: %s', do_verify)
- # For MVS+
# checker.download_ca_cert()
+
+ # For MVS+
# checker.download_ca_signature()
# checker.get_ca_signatures()
# checker.is_there_trust_path()
@@ -73,13 +86,44 @@ class ProviderCertChecker(object):
# For MVS
checker.is_there_provider_ca()
- # XXX FAKE IT!!!
- checker.is_https_working(verify=do_verify)
+ checker.is_https_working(verify=do_verify, autocacert=False)
checker.check_new_cert_needed(verify=do_verify)
- def download_ca_cert(self):
- # MVS+
- raise NotImplementedError
+ def download_ca_cert(self, uri=None, verify=True):
+ req = self.fetcher.get(uri, verify=verify)
+ req.raise_for_status()
+
+ # should check domain exists
+ capath = self._get_ca_cert_path(self.domain)
+ with open(capath, 'w') as f:
+ f.write(req.content)
+
+ def check_ca_cert_fingerprint(
+ self, hash_type="SHA256",
+ fingerprint=None):
+ """
+ compares the fingerprint in
+ the ca cert with a string
+ we are passed
+ returns True if they are equal, False if not.
+ @param hash_type: digest function
+ @type hash_type: str
+ @param fingerprint: the fingerprint to compare with.
+ @type fingerprint: str (with : separator)
+ @rtype bool
+ """
+ ca_cert_path = self.ca_cert_path
+ ca_cert_fpr = certs.get_cert_fingerprint(
+ filepath=ca_cert_path)
+ return ca_cert_fpr == fingerprint
+
+ def verify_api_https(self, uri):
+ assert uri.startswith('https://')
+ cacert = self.ca_cert_path
+ verify = cacert and cacert or True
+ req = self.fetcher.get(uri, verify=verify)
+ req.raise_for_status()
+ return True
def download_ca_signature(self):
# MVS+
@@ -94,80 +138,110 @@ class ProviderCertChecker(object):
raise NotImplementedError
def is_there_provider_ca(self):
- from leap import certs
- logger.debug('do we have provider_ca?')
- cacert_path = BRANDING.get('provider_ca_file', None)
- if not cacert_path:
- logger.debug('False')
+ if not self.cacert:
return False
- self.cacert = certs.where(cacert_path)
- logger.debug('True')
- return True
+ cacert_exists = os.path.isfile(self.cacert)
+ if cacert_exists:
+ logger.debug('True')
+ return True
+ logger.debug('False!')
+ return False
- def is_https_working(self, uri=None, verify=True):
+ def is_https_working(
+ self, uri=None, verify=True,
+ autocacert=False):
if uri is None:
uri = self._get_root_uri()
# XXX raise InsecureURI or something better
- assert uri.startswith('https')
- if verify is True and self.cacert is not None:
+ try:
+ assert uri.startswith('https')
+ except AssertionError:
+ raise AssertionError(
+ "uri passed should start with https")
+ if autocacert and verify is True and self.cacert is not None:
logger.debug('verify cert: %s', self.cacert)
verify = self.cacert
- logger.debug('is https working?')
+ if sys.platform == "darwin":
+ verify = get_mac_cabundle()
+ logger.debug('checking https connection')
logger.debug('uri: %s (verify:%s)', uri, verify)
+
try:
self.fetcher.get(uri, verify=verify)
+
except requests.exceptions.SSLError as exc:
- logger.warning('False! CERT VERIFICATION FAILED! '
- '(this should be CRITICAL)')
- logger.warning('SSLError: %s', exc.message)
- # XXX RAISE! See #638
- #raise eipexceptions.EIPBadCertError
- # XXX get requests.exceptions.ConnectionError Errno 110
- # Connection timed out, and raise ours.
+ raise eipexceptions.HttpsBadCertError
+
+ except requests.exceptions.ConnectionError:
+ logger.error('ConnectionError')
+ raise eipexceptions.HttpsNotSupported
+
else:
- logger.debug('True')
return True
def check_new_cert_needed(self, skip_download=False, verify=True):
- logger.debug('is new cert needed?')
+ # XXX add autocacert
if not self.is_cert_valid(do_raise=False):
- logger.debug('True')
+ logger.debug('cert needed: true')
self.download_new_client_cert(
skip_download=skip_download,
verify=verify)
return True
- logger.debug('False')
+ logger.debug('cert needed: false')
return False
def download_new_client_cert(self, uri=None, verify=True,
- skip_download=False):
+ skip_download=False,
+ credentials=None):
logger.debug('download new client cert')
if skip_download:
return True
if uri is None:
uri = self._get_client_cert_uri()
# XXX raise InsecureURI or something better
- assert uri.startswith('https')
+ #assert uri.startswith('https')
+
if verify is True and self.cacert is not None:
verify = self.cacert
+ logger.debug('verify = %s', verify)
+
+ fgetfn = self.fetcher.get
+
+ if credentials:
+ user, passwd = credentials
+ logger.debug('apidomain = %s', self.apidomain)
+
+ @srpauth_protected(user, passwd,
+ server="https://%s" % self.apidomain,
+ verify=verify)
+ def getfn(*args, **kwargs):
+ return fgetfn(*args, **kwargs)
+
+ else:
+ # XXX FIXME fix decorated args
+ @magick_srpauth(verify)
+ def getfn(*args, **kwargs):
+ return fgetfn(*args, **kwargs)
try:
- # XXX FIXME!!!!
- # verify=verify
- # Workaround for #638. return to verification
- # when That's done!!!
-
- # XXX HOOK SRP here...
- # will have to be more generic in the future.
- req = self.fetcher.get(uri, verify=False)
+
+ req = getfn(uri, verify=verify)
req.raise_for_status()
+
except requests.exceptions.SSLError:
logger.warning('SSLError while fetching cert. '
'Look below for stack trace.')
# XXX raise better exception
- raise
+ return self.fail("SSLError")
+ except Exception as exc:
+ return self.fail(exc.message)
+
try:
+ logger.debug('validating cert...')
pemfile_content = req.content
- self.is_valid_pemfile(pemfile_content)
+ valid = self.is_valid_pemfile(pemfile_content)
+ if not valid:
+ logger.warning('invalid cert')
+ return False
cert_path = self._get_client_cert_path()
self.write_cert(pemfile_content, to=cert_path)
except:
@@ -196,11 +270,8 @@ class ProviderCertChecker(object):
def is_cert_not_expired(self, certfile=None, now=time.gmtime):
if certfile is None:
certfile = self._get_client_cert_path()
- with open(certfile) as cf:
- cert_s = cf.read()
- cert = crypto.X509Certificate(cert_s)
- from_ = time.gmtime(cert.activation_time)
- to_ = time.gmtime(cert.expiration_time)
+ from_, to_ = certs.get_time_boundaries(certfile)
+
return from_ < now() < to_
def is_valid_pemfile(self, cert_s=None):
@@ -216,33 +287,39 @@ class ProviderCertChecker(object):
with open(certfile) as cf:
cert_s = cf.read()
try:
- # XXX get a real cert validation
- # so far this is only checking begin/end
- # delimiters :)
- # XXX use gnutls for get proper
- # validation.
- # crypto.X509Certificate(cert_s)
- sep = "-" * 5 + "BEGIN CERTIFICATE" + "-" * 5
- # we might have private key and cert in the same file
- certparts = cert_s.split(sep)
- if len(certparts) > 1:
- cert_s = sep + certparts[1]
- ssl.PEM_cert_to_DER_cert(cert_s)
- except:
- # XXX raise proper exception
- raise
- return True
+ valid = certs.can_load_cert_and_pkey(cert_s)
+ except certs.BadCertError:
+ logger.warning("Not valid pemfile")
+ valid = False
+ return valid
+
+ @property
+ def ca_cert_path(self):
+ return self._get_ca_cert_path(self.domain)
def _get_root_uri(self):
- return u"https://%s/" % baseconstants.DEFAULT_PROVIDER
+ return u"https://%s/" % self.domain
def _get_client_cert_uri(self):
- # XXX get the whole thing from constants
- return "https://%s/1/cert" % (baseconstants.DEFAULT_PROVIDER)
+ return "https://%s/1/cert" % self.apidomain
def _get_client_cert_path(self):
- # MVS+ : get provider path
- return eipspecs.client_cert_path()
+ return eipspecs.client_cert_path(domain=self.domain)
+
+ def _get_ca_cert_path(self, domain):
+ # XXX this folder path will be broken for win
+ # and this should be moved to eipspecs.ca_path
+
+ # XXX use baseconfig.get_provider_path(folder=Foo)
+ # !!!
+
+ capath = baseconfig.get_config_file(
+ 'cacert.pem',
+ folder='providers/%s/keys/ca' % domain)
+ folder, fname = os.path.split(capath)
+ if not os.path.isdir(folder):
+ mkdir_p(folder)
+ return capath
def write_cert(self, pemfile_content, to=None):
folder, filename = os.path.split(to)
@@ -251,6 +328,9 @@ class ProviderCertChecker(object):
with open(to, 'w') as cert_f:
cert_f.write(pemfile_content)
+ def set_api_domain(self, domain):
+ self.apidomain = domain
+
class EIPConfigChecker(object):
"""
@@ -260,16 +340,25 @@ class EIPConfigChecker(object):
use run_all to run all checks.
"""
- def __init__(self, fetcher=requests):
+ def __init__(self, fetcher=requests, domain=None):
# we do not want to accept too many
# argument on init.
# we want tests
# to be explicitely run.
+
self.fetcher = fetcher
- self.eipconfig = eipconfig.EIPConfig()
- self.defaultprovider = providers.LeapProviderDefinition()
- self.eipserviceconfig = eipconfig.EIPServiceConfig()
+ # if not domain, get from config
+ self.domain = domain
+ self.apidomain = None
+ self.cacert = eipspecs.provider_ca_path(domain)
+
+ self.defaultprovider = providers.LeapProviderDefinition(domain=domain)
+ self.defaultprovider.load()
+ self.eipconfig = eipconfig.EIPConfig(domain=domain)
+ self.set_api_domain()
+ self.eipserviceconfig = eipconfig.EIPServiceConfig(domain=domain)
+ self.eipserviceconfig.load()
def run_all(self, checker=None, skip_download=False):
"""
@@ -330,7 +419,9 @@ class EIPConfigChecker(object):
return True
def fetch_definition(self, skip_download=False,
- config=None, uri=None):
+ force_download=False,
+ config=None, uri=None,
+ domain=None):
"""
fetches a definition file from server
"""
@@ -347,27 +438,45 @@ class EIPConfigChecker(object):
if config is None:
config = self.defaultprovider.config
if uri is None:
- domain = config.get('provider', None)
+ if not domain:
+ domain = config.get('provider', None)
uri = self._get_provider_definition_uri(domain=domain)
- # FIXME! Pass ca path verify!!!
+ if sys.platform == "darwin":
+ verify = get_mac_cabundle()
+ else:
+ verify = True
+
self.defaultprovider.load(
from_uri=uri,
fetcher=self.fetcher,
- verify=False)
+ verify=verify)
self.defaultprovider.save()
def fetch_eip_service_config(self, skip_download=False,
- config=None, uri=None):
+ force_download=False,
+ config=None, uri=None, # domain=None,
+ autocacert=True, verify=True):
if skip_download:
return True
if config is None:
+ self.eipserviceconfig.load()
config = self.eipserviceconfig.config
if uri is None:
- domain = config.get('provider', None)
- uri = self._get_eip_service_uri(domain=domain)
+ #XXX
+ #if not domain:
+ #domain = self.domain or config.get('provider', None)
+ uri = self._get_eip_service_uri(
+ domain=self.apidomain)
+
+ if autocacert and self.cacert is not None:
+ verify = self.cacert
- self.eipserviceconfig.load(from_uri=uri, fetcher=self.fetcher)
+ self.eipserviceconfig.load(
+ from_uri=uri,
+ fetcher=self.fetcher,
+ force_download=force_download,
+ verify=verify)
self.eipserviceconfig.save()
def check_complete_eip_config(self, config=None):
@@ -375,7 +484,6 @@ class EIPConfigChecker(object):
if config is None:
config = self.eipconfig.config
try:
- 'trying assertions'
assert 'provider' in config
assert config['provider'] is not None
# XXX assert there is gateway !!
@@ -395,11 +503,11 @@ class EIPConfigChecker(object):
return self.eipconfig.exists()
def _dump_default_eipconfig(self):
- self.eipconfig.save()
+ self.eipconfig.save(force=True)
def _get_provider_definition_uri(self, domain=None, path=None):
if domain is None:
- domain = baseconstants.DEFAULT_PROVIDER
+ domain = self.domain or baseconstants.DEFAULT_PROVIDER
if path is None:
path = baseconstants.DEFINITION_EXPECTED_PATH
uri = u"https://%s/%s" % (domain, path)
@@ -408,9 +516,22 @@ class EIPConfigChecker(object):
def _get_eip_service_uri(self, domain=None, path=None):
if domain is None:
- domain = baseconstants.DEFAULT_PROVIDER
+ domain = self.domain or baseconstants.DEFAULT_PROVIDER
if path is None:
path = eipconstants.EIP_SERVICE_EXPECTED_PATH
uri = "https://%s/%s" % (domain, path)
logger.debug('getting eip service file from %s', uri)
return uri
+
+ def set_api_domain(self):
+ """sets api domain from defaultprovider config object"""
+ api = self.defaultprovider.config.get('api_uri', None)
+ # the caller is responsible for having loaded the config
+ # object at this point
+ if api:
+ api_dom = get_https_domain_and_port(api)
+ self.apidomain = "%s:%s" % api_dom
+
+ def get_api_domain(self):
+ """gets api domain"""
+ return self.apidomain
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index ef0f52b4..917871da 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,10 +1,12 @@
import logging
import os
import platform
+import re
import tempfile
from leap import __branding as BRANDING
from leap import certs
+from leap.util.misc import null_check
from leap.util.fileutil import (which, mkdir_p, check_and_fix_urw_only)
from leap.base import config as baseconfig
@@ -16,6 +18,8 @@ from leap.eip import specs as eipspecs
logger = logging.getLogger(name=__name__)
provider_ca_file = BRANDING.get('provider_ca_file', None)
+_platform = platform.system()
+
class EIPConfig(baseconfig.JSONLeapConfig):
spec = eipspecs.eipconfig_spec
@@ -35,9 +39,13 @@ class EIPServiceConfig(baseconfig.JSONLeapConfig):
spec = eipspecs.eipservice_config_spec
def _get_slug(self):
+ domain = getattr(self, 'domain', None)
+ if domain:
+ path = baseconfig.get_provider_path(domain)
+ else:
+ path = baseconfig.get_default_provider_path()
return baseconfig.get_config_file(
- 'eip-service.json',
- folder=baseconfig.get_default_provider_path())
+ 'eip-service.json', folder=path)
def _set_slug(self):
raise AttributeError("you cannot set slug")
@@ -49,45 +57,96 @@ def get_socket_path():
socket_path = os.path.join(
tempfile.mkdtemp(prefix="leap-tmp"),
'openvpn.socket')
- logger.debug('socket path: %s', socket_path)
+ #logger.debug('socket path: %s', socket_path)
return socket_path
-def get_eip_gateway():
+def get_eip_gateway(eipconfig=None, eipserviceconfig=None):
"""
return the first host in eip service config
that matches the name defined in the eip.json config
file.
"""
- placeholder = "testprovider.example.org"
- eipconfig = EIPConfig()
- #import ipdb;ipdb.set_trace()
- eipconfig.load()
+ # XXX eventually we should move to a more clever
+ # gateway selection. maybe we could return
+ # all gateways that match our cluster.
+
+ null_check(eipconfig, "eipconfig")
+ null_check(eipserviceconfig, "eipserviceconfig")
+ PLACEHOLDER = "testprovider.example.org"
+
conf = eipconfig.config
+ eipsconf = eipserviceconfig.config
primary_gateway = conf.get('primary_gateway', None)
if not primary_gateway:
- return placeholder
+ return PLACEHOLDER
- eipserviceconfig = EIPServiceConfig()
- eipserviceconfig.load()
- eipsconf = eipserviceconfig.get_config()
gateways = eipsconf.get('gateways', None)
if not gateways:
logger.error('missing gateways in eip service config')
- return placeholder
+ return PLACEHOLDER
+
if len(gateways) > 0:
for gw in gateways:
- if gw['name'] == primary_gateway:
- hosts = gw['hosts']
- if len(hosts) > 0:
- return hosts[0]
- else:
- logger.error('no hosts')
+ clustername = gw.get('cluster', None)
+ if not clustername:
+ logger.error('no cluster name')
+ return
+
+ if clustername == primary_gateway:
+ # XXX at some moment, we must
+ # make this a more generic function,
+ # and return ports, protocols...
+ ipaddress = gw.get('ip_address', None)
+ if not ipaddress:
+ logger.error('no ip_address')
+ return
+ return ipaddress
logger.error('could not find primary gateway in provider'
'gateway list')
+def get_cipher_options(eipserviceconfig=None):
+ """
+ gathers optional cipher options from eip-service config.
+ :param eipserviceconfig: EIPServiceConfig instance
+ """
+ null_check(eipserviceconfig, 'eipserviceconfig')
+ eipsconf = eipserviceconfig.get_config()
+
+ ALLOWED_KEYS = ("auth", "cipher", "tls-cipher")
+ CIPHERS_REGEX = re.compile("[A-Z0-9\-]+")
+ opts = []
+ if 'openvpn_configuration' in eipsconf:
+ config = eipserviceconfig.config.get(
+ "openvpn_configuration", {})
+ for key, value in config.items():
+ if key in ALLOWED_KEYS and value is not None:
+ sanitized_val = CIPHERS_REGEX.findall(value)
+ if len(sanitized_val) != 0:
+ _val = sanitized_val[0]
+ opts.append('--%s' % key)
+ opts.append('%s' % _val)
+ return opts
+
+LINUX_UP_DOWN_SCRIPT = "/etc/leap/resolv-update"
+OPENVPN_DOWN_ROOT = "/usr/lib/openvpn/openvpn-down-root.so"
+
+
+def has_updown_scripts():
+ """
+ checks the existence of the up/down scripts
+ """
+ # XXX should check permissions too
+ is_file = os.path.isfile(LINUX_UP_DOWN_SCRIPT)
+ if not is_file:
+ logger.warning(
+ "Could not find up/down scripts at %s! "
+ "Risk of DNS Leaks!!!")
+ return is_file
+
+
def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
"""
build a list of options
@@ -103,6 +162,12 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
# since we will need to take some
# things from there if present.
+ provider = kwargs.pop('provider', None)
+ eipconfig = EIPConfig(domain=provider)
+ eipconfig.load()
+ eipserviceconfig = EIPServiceConfig(domain=provider)
+ eipserviceconfig.load()
+
# get user/group name
# also from config.
user = baseconfig.get_username()
@@ -123,18 +188,32 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
opts.append('--verb')
opts.append("%s" % verbosity)
- # remote
+ # remote ##############################
+ # (server, port, protocol)
+
opts.append('--remote')
- gw = get_eip_gateway()
+
+ gw = get_eip_gateway(eipconfig=eipconfig,
+ eipserviceconfig=eipserviceconfig)
logger.debug('setting eip gateway to %s', gw)
opts.append(str(gw))
+
+ # get port/protocol from eipservice too
opts.append('1194')
+ #opts.append('80')
opts.append('udp')
opts.append('--tls-client')
opts.append('--remote-cert-tls')
opts.append('server')
+ # get ciphers #######################
+
+ ciphers = get_cipher_options(
+ eipserviceconfig=eipserviceconfig)
+ for cipheropt in ciphers:
+ opts.append(str(cipheropt))
+
# set user and group
opts.append('--user')
opts.append('%s' % user)
@@ -149,8 +228,13 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
# interface. unix sockets or telnet interface for win.
# XXX take them from the config object.
- ourplatform = platform.system()
- if ourplatform in ("Linux", "Mac"):
+ if _platform == "Windows":
+ opts.append('--management')
+ opts.append('localhost')
+ # XXX which is a good choice?
+ opts.append('7777')
+
+ if _platform in ("Linux", "Darwin"):
opts.append('--management')
if socket_path is None:
@@ -158,19 +242,30 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
opts.append(socket_path)
opts.append('unix')
- if ourplatform == "Windows":
- opts.append('--management')
- opts.append('localhost')
- # XXX which is a good choice?
- opts.append('7777')
+ opts.append('--script-security')
+ opts.append('2')
+
+ if _platform == "Linux":
+ if has_updown_scripts():
+ opts.append("--up")
+ opts.append(LINUX_UP_DOWN_SCRIPT)
+ opts.append("--down")
+ opts.append(LINUX_UP_DOWN_SCRIPT)
+ opts.append("--plugin")
+ opts.append(OPENVPN_DOWN_ROOT)
+ opts.append("'script_type=down %s'" % LINUX_UP_DOWN_SCRIPT)
# certs
+ client_cert_path = eipspecs.client_cert_path(provider)
+ ca_cert_path = eipspecs.provider_ca_path(provider)
+
+ # XXX FIX paths for MAC
opts.append('--cert')
- opts.append(eipspecs.client_cert_path())
+ opts.append(client_cert_path)
opts.append('--key')
- opts.append(eipspecs.client_cert_path())
+ opts.append(client_cert_path)
opts.append('--ca')
- opts.append(eipspecs.provider_ca_path())
+ opts.append(ca_cert_path)
# we cannot run in daemon mode
# with the current subp setting.
@@ -178,7 +273,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
#if daemon is True:
#opts.append('--daemon')
- logger.debug('vpn options: %s', opts)
+ logger.debug('vpn options: %s', ' '.join(opts))
return opts
@@ -198,7 +293,7 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
# XXX get use_pkexec from config instead.
- if platform.system() == "Linux" and use_pkexec and do_pkexec_check:
+ if _platform == "Linux" and use_pkexec and do_pkexec_check:
# check for both pkexec
# AND a suitable authentication
@@ -218,8 +313,16 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
command.append('pkexec')
+
if vpnbin is None:
- ovpn = which('openvpn')
+ if _platform == "Darwin":
+ # XXX Should hardcode our installed path
+ # /Applications/LEAPClient.app/Contents/Resources/openvpn.leap
+ openvpn_bin = "openvpn.leap"
+ else:
+ openvpn_bin = "openvpn"
+ #XXX hardcode for darwin
+ ovpn = which(openvpn_bin)
else:
ovpn = vpnbin
if ovpn:
@@ -235,10 +338,20 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
# XXX check len and raise proper error
- return [command[0], command[1:]]
+ if _platform == "Darwin":
+ OSX_ASADMIN = 'do shell script "%s" with administrator privileges'
+ # XXX fix workaround for Nones
+ _command = [x if x else " " for x in command]
+ # XXX debugging!
+ # XXX get openvpn log path from debug flags
+ _command.append('--log')
+ _command.append('/tmp/leap_openvpn.log')
+ return ["osascript", ["-e", OSX_ASADMIN % ' '.join(_command)]]
+ else:
+ return [command[0], command[1:]]
-def check_vpn_keys():
+def check_vpn_keys(provider=None):
"""
performs an existance and permission check
over the openvpn keys file.
@@ -246,8 +359,9 @@ def check_vpn_keys():
per provider, containing the CA cert,
the provider key, and our client certificate
"""
- provider_ca = eipspecs.provider_ca_path()
- client_cert = eipspecs.client_cert_path()
+ assert provider is not None
+ provider_ca = eipspecs.provider_ca_path(provider)
+ client_cert = eipspecs.client_cert_path(provider)
logger.debug('provider ca = %s', provider_ca)
logger.debug('client cert = %s', client_cert)
diff --git a/src/leap/eip/eipconnection.py b/src/leap/eip/eipconnection.py
index f0e7861e..d012c567 100644
--- a/src/leap/eip/eipconnection.py
+++ b/src/leap/eip/eipconnection.py
@@ -5,6 +5,9 @@ from __future__ import (absolute_import,)
import logging
import Queue
import sys
+import time
+
+from dateutil.parser import parse as dateparse
from leap.eip.checks import ProviderCertChecker
from leap.eip.checks import EIPConfigChecker
@@ -15,20 +18,149 @@ from leap.eip.openvpnconnection import OpenVPNConnection
logger = logging.getLogger(name=__name__)
-class EIPConnection(OpenVPNConnection):
+class StatusMixIn(object):
+
+ # a bunch of methods related with querying the connection
+ # state/status and displaying useful info.
+ # Needs to get clear on what is what, and
+ # separate functions.
+ # Should separate EIPConnectionStatus (self.status)
+ # from the OpenVPN state/status command and parsing.
+
+ ERR_CONNREFUSED = False
+
+ def connection_state(self):
+ """
+ returns the current connection state
+ """
+ return self.status.current
+
+ def get_icon_name(self):
+ """
+ get icon name from status object
+ """
+ return self.status.get_state_icon()
+
+ def get_leap_status(self):
+ return self.status.get_leap_status()
+
+ def poll_connection_state(self):
+ """
+ """
+ try:
+ state = self.get_connection_state()
+ except eip_exceptions.ConnectionRefusedError:
+ # connection refused. might be not ready yet.
+ if not self.ERR_CONNREFUSED:
+ logger.warning('connection refused')
+ self.ERR_CONNREFUSED = True
+ return
+ if not state:
+ #logger.debug('no state')
+ return
+ (ts, status_step,
+ ok, ip, remote) = state
+ self.status.set_vpn_state(status_step)
+ status_step = self.status.get_readable_status()
+ return (ts, status_step, ok, ip, remote)
+
+ def make_error(self):
+ """
+ capture error and wrap it in an
+ understandable format
+ """
+ # mostly a hack to display errors in the debug UI
+ # w/o breaking the polling.
+ #XXX get helpful error codes
+ self.with_errors = True
+ now = int(time.time())
+ return '%s,LAUNCHER ERROR,ERROR,-,-' % now
+
+ def state(self):
+ """
+ Sends OpenVPN command: state
+ """
+ state = self._send_command("state")
+ if not state:
+ return None
+ if isinstance(state, str):
+ return state
+ if isinstance(state, list):
+ if len(state) == 1:
+ return state[0]
+ else:
+ return state[-1]
+
+ def vpn_status(self):
+ """
+ OpenVPN command: status
+ """
+ status = self._send_command("status")
+ return status
+
+ def vpn_status2(self):
+ """
+ OpenVPN command: last 2 statuses
+ """
+ return self._send_command("status 2")
+
+ #
+ # parse info as the UI expects
+ #
+
+ def get_status_io(self):
+ status = self.vpn_status()
+ if isinstance(status, str):
+ lines = status.split('\n')
+ if isinstance(status, list):
+ lines = status
+ try:
+ (header, when, tun_read, tun_write,
+ tcp_read, tcp_write, auth_read) = tuple(lines)
+ except ValueError:
+ return None
+
+ when_ts = dateparse(when.split(',')[1]).timetuple()
+ sep = ','
+ # XXX clean up this!
+ tun_read = tun_read.split(sep)[1]
+ tun_write = tun_write.split(sep)[1]
+ tcp_read = tcp_read.split(sep)[1]
+ tcp_write = tcp_write.split(sep)[1]
+ auth_read = auth_read.split(sep)[1]
+
+ # XXX this could be a named tuple. prettier.
+ return when_ts, (tun_read, tun_write, tcp_read, tcp_write, auth_read)
+
+ def get_connection_state(self):
+ state = self.state()
+ if state is not None:
+ ts, status_step, ok, ip, remote = state.split(',')
+ ts = time.gmtime(float(ts))
+ # XXX this could be a named tuple. prettier.
+ return ts, status_step, ok, ip, remote
+
+
+class EIPConnection(OpenVPNConnection, StatusMixIn):
"""
+ Aka conductor.
Manages the execution of the OpenVPN process, auto starts, monitors the
network connection, handles configuration, fixes leaky hosts, handles
errors, etc.
Status updates (connected, bandwidth, etc) are signaled to the GUI.
"""
+ # XXX change name to EIPConductor ??
+
def __init__(self,
provider_cert_checker=ProviderCertChecker,
config_checker=EIPConfigChecker,
*args, **kwargs):
- self.settingsfile = kwargs.get('settingsfile', None)
- self.logfile = kwargs.get('logfile', None)
+ #self.settingsfile = kwargs.get('settingsfile', None)
+ #self.logfile = kwargs.get('logfile', None)
+ self.provider = kwargs.pop('provider', None)
+ self._providercertchecker = provider_cert_checker
+ self._configchecker = config_checker
self.error_queue = Queue.Queue()
@@ -38,17 +170,51 @@ class EIPConnection(OpenVPNConnection):
checker_signals = kwargs.pop('checker_signals', None)
self.checker_signals = checker_signals
- self.provider_cert_checker = provider_cert_checker()
- self.config_checker = config_checker()
+ self.init_checkers()
host = eipconfig.get_socket_path()
kwargs['host'] = host
super(EIPConnection, self).__init__(*args, **kwargs)
+ def connect(self, **kwargs):
+ """
+ entry point for connection process
+ """
+ # in OpenVPNConnection
+ self.try_openvpn_connection()
+
+ def disconnect(self, shutdown=False):
+ """
+ disconnects client
+ """
+ self.terminate_openvpn_connection(shutdown=shutdown)
+ self.status.change_to(self.status.DISCONNECTED)
+
def has_errors(self):
return True if self.error_queue.qsize() != 0 else False
+ def init_checkers(self):
+ """
+ initialize checkers
+ """
+ self.provider_cert_checker = self._providercertchecker(
+ domain=self.provider)
+ self.config_checker = self._configchecker(domain=self.provider)
+
+ def set_provider_domain(self, domain):
+ """
+ sets the provider domain.
+ used from the first run wizard when we launch the run_checks
+ and connect process after having initialized the conductor.
+ """
+ # This looks convoluted, right.
+ # We have to reinstantiate checkers cause we're passing
+ # the domain param that we did not know at the beginning
+ # (only for the firstrunwizard case)
+ self.provider = domain
+ self.init_checkers()
+
def run_checks(self, skip_download=False, skip_verify=False):
"""
run all eip checks previous to attempting a connection
@@ -80,100 +246,6 @@ class EIPConnection(OpenVPNConnection):
except Exception as exc:
push_err(exc)
- def connect(self):
- """
- entry point for connection process
- """
- #self.forget_errors()
- self._try_connection()
-
- def disconnect(self):
- """
- disconnects client
- """
- self.cleanup()
- logger.debug("disconnect: clicked.")
- self.status.change_to(self.status.DISCONNECTED)
-
- def shutdown(self):
- """
- shutdown and quit
- """
- self.desired_con_state = self.status.DISCONNECTED
-
- def connection_state(self):
- """
- returns the current connection state
- """
- return self.status.current
-
- def poll_connection_state(self):
- """
- """
- # XXX this separation does not
- # make sense anymore after having
- # merged Connection and Manager classes.
- # XXX GET RID OF THIS FUNCTION HERE!
- try:
- state = self.get_connection_state()
- except eip_exceptions.ConnectionRefusedError:
- # connection refused. might be not ready yet.
- logger.warning('connection refused')
- return
- if not state:
- #logger.debug('no state')
- return
- (ts, status_step,
- ok, ip, remote) = state
- self.status.set_vpn_state(status_step)
- status_step = self.status.get_readable_status()
- return (ts, status_step, ok, ip, remote)
-
- def get_icon_name(self):
- """
- get icon name from status object
- """
- return self.status.get_state_icon()
-
- def get_leap_status(self):
- return self.status.get_leap_status()
-
- #
- # private methods
- #
-
- #def _disconnect(self):
- # """
- # private method for disconnecting
- # """
- # if self.subp is not None:
- # logger.debug('disconnecting...')
- # self.subp.terminate()
- # self.subp = None
-
- #def _is_alive(self):
- #"""
- #don't know yet
- #"""
- #pass
-
- def _connect(self):
- """
- entry point for connection cascade methods.
- """
- try:
- conn_result = self._try_connection()
- except eip_exceptions.UnrecoverableError as except_msg:
- logger.error("FATAL: %s" % unicode(except_msg))
- conn_result = self.status.UNRECOVERABLE
-
- # XXX enqueue exceptions themselves instead?
- except Exception as except_msg:
- self.error_queue.append(except_msg)
- logger.error("Failed Connection: %s" %
- unicode(except_msg))
- return conn_result
-
class EIPConnectionStatus(object):
"""
@@ -247,6 +319,7 @@ class EIPConnectionStatus(object):
def get_leap_status(self):
# XXX improve nomenclature
leap_status = {
+ 0: 'disconnected',
1: 'connecting to gateway',
2: 'connecting to gateway',
3: 'authenticating',
diff --git a/src/leap/eip/exceptions.py b/src/leap/eip/exceptions.py
index 11bfd620..b7d398c3 100644
--- a/src/leap/eip/exceptions.py
+++ b/src/leap/eip/exceptions.py
@@ -32,8 +32,11 @@ TODO:
* gettext / i18n for user messages.
"""
+from leap.base.exceptions import LeapException
+from leap.util.translations import translate
+# This should inherit from LeapException
class EIPClientError(Exception):
"""
base EIPClient exception
@@ -60,45 +63,70 @@ class Warning(EIPClientError):
class EIPNoPolkitAuthAgentAvailable(CriticalError):
message = "No polkit authentication agent could be found"
- usermessage = ("We could not find any authentication "
- "agent in your system.<br/>"
- "Make sure you have "
- "<b>polkit-gnome-authentication-agent-1</b> "
- "running and try again.")
+ usermessage = translate(
+ "EIPErrors",
+ "We could not find any authentication "
+ "agent in your system.<br/>"
+ "Make sure you have "
+ "<b>polkit-gnome-authentication-agent-1</b> "
+ "running and try again.")
class EIPNoPkexecAvailable(Warning):
message = "No pkexec binary found"
- usermessage = ("We could not find <b>pkexec</b> in your "
- "system.<br/> Do you want to try "
- "<b>setuid workaround</b>? "
- "(<i>DOES NOTHING YET</i>)")
+ usermessage = translate(
+ "EIPErrors",
+ "We could not find <b>pkexec</b> in your "
+ "system.<br/> Do you want to try "
+ "<b>setuid workaround</b>? "
+ "(<i>DOES NOTHING YET</i>)")
failfirst = True
class EIPNoCommandError(EIPClientError):
message = "no suitable openvpn command found"
- usermessage = ("No suitable openvpn command found. "
- "<br/>(Might be a permissions problem)")
+ usermessage = translate(
+ "EIPErrors",
+ "No suitable openvpn command found. "
+ "<br/>(Might be a permissions problem)")
class EIPBadCertError(Warning):
# XXX this should be critical and fail close
message = "cert verification failed"
- usermessage = "there is a problem with provider certificate"
+ usermessage = translate(
+ "EIPErrors",
+ "there is a problem with provider certificate")
class LeapBadConfigFetchedError(Warning):
message = "provider sent a malformed json file"
- usermessage = "an error occurred during configuratio of leap services"
+ usermessage = translate(
+ "EIPErrors",
+ "an error occurred during configuratio of leap services")
-class OpenVPNAlreadyRunning(EIPClientError):
+class OpenVPNAlreadyRunning(CriticalError):
message = "Another OpenVPN Process is already running."
- usermessage = ("Another OpenVPN Process has been detected."
- "Please close it before starting leap-client")
+ usermessage = translate(
+ "EIPErrors",
+ "Another OpenVPN Process has been detected. "
+ "Please close it before starting leap-client")
+class HttpsNotSupported(LeapException):
+ message = "connection refused while accessing via https"
+ usermessage = translate(
+ "EIPErrors",
+ "Server does not allow secure connections")
+
+
+class HttpsBadCertError(LeapException):
+ message = "verification error on cert"
+ usermessage = translate(
+ "EIPErrors",
+ "Server certificate could not be verified")
+
#
# errors still needing some love
#
@@ -106,7 +134,9 @@ class OpenVPNAlreadyRunning(EIPClientError):
class EIPInitNoKeyFileError(CriticalError):
message = "No vpn keys found in the expected path"
- usermessage = "We could not find your eip certs in the expected path"
+ usermessage = translate(
+ "EIPErrors",
+ "We could not find your eip certs in the expected path")
class EIPInitBadKeyFilePermError(Warning):
diff --git a/src/leap/eip/openvpnconnection.py b/src/leap/eip/openvpnconnection.py
index d93bc40f..455735c8 100644
--- a/src/leap/eip/openvpnconnection.py
+++ b/src/leap/eip/openvpnconnection.py
@@ -2,30 +2,150 @@
OpenVPN Connection
"""
from __future__ import (print_function)
+from functools import partial
import logging
+import os
import psutil
+import shutil
+import select
import socket
-import time
-from functools import partial
+from time import sleep
logger = logging.getLogger(name=__name__)
from leap.base.connection import Connection
+from leap.base.constants import OPENVPN_BIN
from leap.util.coroutines import spawn_and_watch_process
+from leap.util.misc import get_openvpn_pids
from leap.eip.udstelnet import UDSTelnet
from leap.eip import config as eip_config
from leap.eip import exceptions as eip_exceptions
-class OpenVPNConnection(Connection):
+class OpenVPNManagement(object):
+
+ # TODO explain a little bit how management interface works
+ # and our telnet interface with support for unix sockets.
+
+ """
+ for more information, read openvpn management notes.
+ zcat `dpkg -L openvpn | grep management`
+ """
+
+ def _connect_to_management(self):
+ """
+ Connect to openvpn management interface
+ """
+ if hasattr(self, 'tn'):
+ self._close_management_socket()
+ self.tn = UDSTelnet(self.host, self.port)
+
+ # XXX make password optional
+ # specially for win. we should generate
+ # the pass on the fly when invoking manager
+ # from conductor
+
+ #self.tn.read_until('ENTER PASSWORD:', 2)
+ #self.tn.write(self.password + '\n')
+ #self.tn.read_until('SUCCESS:', 2)
+ if self.tn:
+ self._seek_to_eof()
+ return True
+
+ def _close_management_socket(self, announce=True):
+ """
+ Close connection to openvpn management interface
+ """
+ logger.debug('closing socket')
+ if announce:
+ self.tn.write("quit\n")
+ self.tn.read_all()
+ self.tn.get_socket().close()
+ del self.tn
+
+ def _seek_to_eof(self):
+ """
+ Read as much as available. Position seek pointer to end of stream
+ """
+ try:
+ b = self.tn.read_eager()
+ except EOFError:
+ logger.debug("Could not read from socket. Assuming it died.")
+ return
+ while b:
+ try:
+ b = self.tn.read_eager()
+ except EOFError:
+ logger.debug("Could not read from socket. Assuming it died.")
+
+ def _send_command(self, cmd):
+ """
+ Send a command to openvpn and return response as list
+ """
+ if not self.connected():
+ try:
+ self._connect_to_management()
+ except eip_exceptions.MissingSocketError:
+ #logger.warning('missing management socket')
+ return []
+ try:
+ if hasattr(self, 'tn'):
+ self.tn.write(cmd + "\n")
+ except socket.error:
+ logger.error('socket error')
+ self._close_management_socket(announce=False)
+ return []
+ try:
+ buf = self.tn.read_until(b"END", 2)
+ self._seek_to_eof()
+ blist = buf.split('\r\n')
+ if blist[-1].startswith('END'):
+ del blist[-1]
+ return blist
+ else:
+ return []
+ except socket.error as exc:
+ logger.debug('socket error: %s' % exc.message)
+ except select.error as exc:
+ logger.debug('select error: %s' % exc.message)
+
+ def _send_short_command(self, cmd):
+ """
+ parse output from commands that are
+ delimited by "success" instead
+ """
+ if not self.connected():
+ self.connect()
+ self.tn.write(cmd + "\n")
+ # XXX not working?
+ buf = self.tn.read_until(b"SUCCESS", 2)
+ self._seek_to_eof()
+ blist = buf.split('\r\n')
+ return blist
+
+ #
+ # random maybe useful vpn commands
+ #
+
+ def pid(self):
+ #XXX broken
+ return self._send_short_command("pid")
+
+
+class OpenVPNConnection(Connection, OpenVPNManagement):
"""
All related to invocation
- of the openvpn binary
+ of the openvpn binary.
+ It's extended by EIPConnection.
"""
+ # XXX Inheriting from Connection was an early design idea
+ # but currently that's an empty class.
+ # We can get rid of that if we don't use it for sharing
+ # state with other leap modules.
+
def __init__(self,
- #config_file=None,
watcher_cb=None,
debug=False,
host=None,
@@ -33,24 +153,21 @@ class OpenVPNConnection(Connection):
password=None,
*args, **kwargs):
"""
- :param config_file: configuration file to read from
:param watcher_cb: callback to be \
called for each line in watched stdout
:param signal_map: dictionary of signal names and callables \
to be triggered for each one of them.
- :type config_file: str
:type watcher_cb: function
:type signal_map: dict
"""
#XXX FIXME
#change watcher_cb to line_observer
+ # XXX if not host: raise ImproperlyConfigured
logger.debug('init openvpn connection')
self.debug = debug
- # XXX if not host: raise ImproperlyConfigured
self.ovpn_verbosity = kwargs.get('ovpn_verbosity', None)
- #self.config_file = config_file
self.watcher_cb = watcher_cb
#self.signal_maps = signal_maps
@@ -61,21 +178,13 @@ to be triggered for each one of them.
self.port = None
self.proto = None
- #XXX workaround for signaling
- #the ui that we don't know how to
- #manage a connection error
- self.with_errors = False
-
self.command = None
self.args = None
# XXX get autostart from config
self.autostart = True
- #
- # management init methods
- #
-
+ # management interface init
self.host = host
if isinstance(port, str) and port.isdigit():
port = int(port)
@@ -87,15 +196,108 @@ to be triggered for each one of them.
self.password = password
def run_openvpn_checks(self):
+ """
+ runs check needed before launching
+ openvpn subprocess. will raise if errors found.
+ """
logger.debug('running openvpn checks')
+ # XXX I think that "check_if_running" should be called
+ # from try openvpn connection instead. -- kali.
+ # let's prepare tests for that before changing it...
self._check_if_running_instance()
self._set_ovpn_command()
self._check_vpn_keys()
+ def try_openvpn_connection(self):
+ """
+ attempts to connect
+ """
+ # XXX should make public method
+ if self.command is None:
+ raise eip_exceptions.EIPNoCommandError
+ if self.subp is not None:
+ logger.debug('cowardly refusing to launch subprocess again')
+ # XXX this is not returning ???!!
+ # FIXME -- so it's calling it all the same!!
+
+ self._launch_openvpn()
+
+ def connected(self):
+ """
+ Returns True if connected
+ rtype: bool
+ """
+ # XXX make a property
+ return hasattr(self, 'tn')
+
+ def terminate_openvpn_connection(self, shutdown=False):
+ """
+ terminates openvpn child subprocess
+ """
+ if self.subp:
+ try:
+ self._stop_openvpn()
+ except eip_exceptions.ConnectionRefusedError:
+ logger.warning(
+ 'unable to send sigterm signal to openvpn: '
+ 'connection refused.')
+
+ # XXX kali --
+ # XXX review-me
+ # I think this will block if child process
+ # does not return.
+ # Maybe we can .poll() for a given
+ # interval and exit in any case.
+
+ RETCODE = self.subp.wait()
+ if RETCODE:
+ logger.error(
+ 'cannot terminate subprocess! Retcode %s'
+ '(We might have left openvpn running)' % RETCODE)
+
+ if shutdown:
+ self._cleanup_tempfiles()
+
+ def _cleanup_tempfiles(self):
+ """
+ remove all temporal files
+ we might have left behind
+ """
+ # if self.port is 'unix', we have
+ # created a temporal socket path that, under
+ # normal circumstances, we should be able to
+ # delete
+
+ if self.port == "unix":
+ logger.debug('cleaning socket file temp folder')
+
+ tempfolder = os.path.split(self.host)[0]
+ if os.path.isdir(tempfolder):
+ try:
+ shutil.rmtree(tempfolder)
+ except OSError:
+ logger.error('could not delete tmpfolder %s' % tempfolder)
+
+ # checks
+
+ def _check_if_running_instance(self):
+ """
+ check if openvpn is already running
+ """
+ openvpn_pids = get_openvpn_pids()
+ if openvpn_pids:
+ logger.debug('an openvpn instance is already running.')
+ logger.debug('attempting to stop openvpn instance.')
+ if not self._stop_openvpn():
+ raise eip_exceptions.OpenVPNAlreadyRunning
+ return
+ else:
+ logger.debug('no openvpn instance found.')
+
def _set_ovpn_command(self):
- # XXX check also for command-line --command flag
try:
command, args = eip_config.build_ovpn_command(
+ provider=self.provider,
debug=self.debug,
socket_path=self.host,
ovpn_verbosity=self.ovpn_verbosity)
@@ -115,12 +317,14 @@ to be triggered for each one of them.
checks for correct permissions on vpn keys
"""
try:
- eip_config.check_vpn_keys()
+ eip_config.check_vpn_keys(provider=self.provider)
except eip_exceptions.EIPInitBadKeyFilePermError:
logger.error('Bad VPN Keys permission!')
# do nothing now
# and raise the rest ...
+ # starting and stopping openvpn subprocess
+
def _launch_openvpn(self):
"""
invocation of openvpn binaries in a subprocess.
@@ -129,12 +333,13 @@ to be triggered for each one of them.
#deprecate watcher_cb,
#use _only_ signal_maps instead
- logger.debug('_launch_openvpn called')
+ #logger.debug('_launch_openvpn called')
if self.watcher_cb is not None:
linewrite_callback = self.watcher_cb
else:
#XXX get logger instead
- linewrite_callback = lambda line: print('watcher: %s' % line)
+ linewrite_callback = lambda line: logger.debug(
+ 'watcher: %s' % line)
# the partial is not
# being applied now because we're not observing the process
@@ -142,7 +347,8 @@ to be triggered for each one of them.
# here since it will be handy for observing patterns in the
# thru-the-manager updates (with regex)
observers = (linewrite_callback,
- partial(lambda con_status, line: None, self.status))
+ partial(lambda con_status,
+ line: linewrite_callback, self.status))
subp, watcher = spawn_and_watch_process(
self.command,
self.args,
@@ -150,264 +356,55 @@ to be triggered for each one of them.
self.subp = subp
self.watcher = watcher
- def _try_connection(self):
- """
- attempts to connect
- """
- if self.command is None:
- raise eip_exceptions.EIPNoCommandError
- if self.subp is not None:
- logger.debug('cowardly refusing to launch subprocess again')
-
- self._launch_openvpn()
-
- def _check_if_running_instance(self):
- """
- check if openvpn is already running
- """
- for process in psutil.get_process_list():
- if process.name == "openvpn":
- logger.debug('an openvpn instance is already running.')
- logger.debug('attempting to stop openvpn instance.')
- if not self._stop():
- raise eip_exceptions.OpenVPNAlreadyRunning
-
- logger.debug('no openvpn instance found.')
-
- def cleanup(self):
- """
- terminates openvpn child subprocess
- """
- if self.subp:
- self._stop()
- RETCODE = self.subp.wait()
- if RETCODE:
- logger.error('cannot terminate subprocess! '
- '(maybe openvpn still running?)')
-
- def _stop(self):
+ def _stop_openvpn(self):
"""
stop openvpn process
+ by sending SIGTERM to the management
+ interface
"""
- logger.debug("disconnecting...")
- self._send_command("signal SIGTERM\n")
-
- if self.subp:
- return True
+ # XXX method a bit too long, split
+ logger.debug("atempting to terminate openvpn process...")
+ if self.connected():
+ try:
+ self._send_command("signal SIGTERM\n")
+ sleep(1)
+ if not self.subp: # XXX ???
+ return True
+ except socket.error:
+ logger.warning('management socket died')
+ return
#shutting openvpn failured
#try patching in old openvpn host and trying again
+ # XXX could be more than one!
process = self._get_openvpn_process()
if process:
- self.host = \
- process.cmdline[process.cmdline.index("--management") + 1]
- self._send_command("signal SIGTERM\n")
+ logger.debug('process: %s' % process.name)
+ cmdline = process.cmdline
+
+ manag_flag = "--management"
+ if isinstance(cmdline, list) and manag_flag in cmdline:
+ _index = cmdline.index(manag_flag)
+ self.host = cmdline[_index + 1]
+ self._send_command("signal SIGTERM\n")
#make sure the process was terminated
process = self._get_openvpn_process()
if not process:
- logger.debug("Exisiting OpenVPN Process Terminated")
+ logger.debug("Existing OpenVPN Process Terminated")
return True
else:
- logger.error("Unable to terminate exisiting OpenVPN Process.")
+ logger.error("Unable to terminate existing OpenVPN Process.")
return False
return True
def _get_openvpn_process(self):
- for process in psutil.get_process_list():
- if process.name == "openvpn":
+ for process in psutil.process_iter():
+ if OPENVPN_BIN in process.name:
return process
return None
- # management methods
- #
- # XXX REVIEW-ME
- # REFACTOR INFO: (former "manager".
- # Can we move to another
- # base class to test independently?)
- #
-
- #def forget_errors(self):
- #logger.debug('forgetting errors')
- #self.with_errors = False
-
- def connect_to_management(self):
- """Connect to openvpn management interface"""
- #logger.debug('connecting socket')
- if hasattr(self, 'tn'):
- self.close()
- self.tn = UDSTelnet(self.host, self.port)
-
- # XXX make password optional
- # specially for win. we should generate
- # the pass on the fly when invoking manager
- # from conductor
-
- #self.tn.read_until('ENTER PASSWORD:', 2)
- #self.tn.write(self.password + '\n')
- #self.tn.read_until('SUCCESS:', 2)
-
- self._seek_to_eof()
- return True
-
- def _seek_to_eof(self):
- """
- Read as much as available. Position seek pointer to end of stream
- """
- try:
- b = self.tn.read_eager()
- except EOFError:
- logger.debug("Could not read from socket. Assuming it died.")
- return
- while b:
- try:
- b = self.tn.read_eager()
- except EOFError:
- logger.debug("Could not read from socket. Assuming it died.")
-
- def connected(self):
- """
- Returns True if connected
- rtype: bool
- """
- return hasattr(self, 'tn')
-
- def close(self, announce=True):
- """
- Close connection to openvpn management interface
- """
- logger.debug('closing socket')
- if announce:
- self.tn.write("quit\n")
- self.tn.read_all()
- self.tn.get_socket().close()
- del self.tn
-
- def _send_command(self, cmd):
- """
- Send a command to openvpn and return response as list
- """
- if not self.connected():
- try:
- self.connect_to_management()
- except eip_exceptions.MissingSocketError:
- logger.warning('missing management socket')
- # This should only happen briefly during
- # the first invocation. Race condition make
- # the polling begin before management socket
- # is ready
- return []
- #return self.make_error()
- try:
- if hasattr(self, 'tn'):
- self.tn.write(cmd + "\n")
- except socket.error:
- logger.error('socket error')
- self.close(announce=False)
- return []
- buf = self.tn.read_until(b"END", 2)
- self._seek_to_eof()
- blist = buf.split('\r\n')
- if blist[-1].startswith('END'):
- del blist[-1]
- return blist
- else:
- return []
-
- def _send_short_command(self, cmd):
- """
- parse output from commands that are
- delimited by "success" instead
- """
- if not self.connected():
- self.connect()
- self.tn.write(cmd + "\n")
- # XXX not working?
- buf = self.tn.read_until(b"SUCCESS", 2)
- self._seek_to_eof()
- blist = buf.split('\r\n')
- return blist
-
- #
- # useful vpn commands
- #
-
- def pid(self):
- #XXX broken
- return self._send_short_command("pid")
-
- def make_error(self):
- """
- capture error and wrap it in an
- understandable format
- """
- #XXX get helpful error codes
- self.with_errors = True
- now = int(time.time())
- return '%s,LAUNCHER ERROR,ERROR,-,-' % now
-
- def state(self):
- """
- OpenVPN command: state
- """
- state = self._send_command("state")
- if not state:
- return None
- if isinstance(state, str):
- return state
- if isinstance(state, list):
- if len(state) == 1:
- return state[0]
- else:
- return state[-1]
-
- def vpn_status(self):
- """
- OpenVPN command: status
- """
- #logger.debug('status called')
- status = self._send_command("status")
- return status
-
- def vpn_status2(self):
- """
- OpenVPN command: last 2 statuses
- """
- return self._send_command("status 2")
-
- #
- # parse info
- #
-
- def get_status_io(self):
- status = self.vpn_status()
- if isinstance(status, str):
- lines = status.split('\n')
- if isinstance(status, list):
- lines = status
- try:
- (header, when, tun_read, tun_write,
- tcp_read, tcp_write, auth_read) = tuple(lines)
- except ValueError:
- return None
-
- when_ts = time.strptime(when.split(',')[1], "%a %b %d %H:%M:%S %Y")
- sep = ','
- # XXX cleanup!
- tun_read = tun_read.split(sep)[1]
- tun_write = tun_write.split(sep)[1]
- tcp_read = tcp_read.split(sep)[1]
- tcp_write = tcp_write.split(sep)[1]
- auth_read = auth_read.split(sep)[1]
-
- # XXX this could be a named tuple. prettier.
- return when_ts, (tun_read, tun_write, tcp_read, tcp_write, auth_read)
-
- def get_connection_state(self):
- state = self.state()
- if state is not None:
- ts, status_step, ok, ip, remote = state.split(',')
- ts = time.gmtime(float(ts))
- # XXX this could be a named tuple. prettier.
- return ts, status_step, ok, ip, remote
+ def get_log(self, lines=1):
+ log = self._send_command("log %s" % lines)
+ return log
diff --git a/src/leap/eip/specs.py b/src/leap/eip/specs.py
index 1a670b0e..c41fd29b 100644
--- a/src/leap/eip/specs.py
+++ b/src/leap/eip/specs.py
@@ -4,11 +4,20 @@ import os
from leap import __branding
from leap.base import config as baseconfig
+# XXX move provider stuff to base config
+
PROVIDER_CA_CERT = __branding.get(
'provider_ca_file',
- 'testprovider-ca-cert.pem')
+ 'cacert.pem')
+
+provider_ca_path = lambda domain: str(os.path.join(
+ #baseconfig.get_default_provider_path(),
+ baseconfig.get_provider_path(domain),
+ 'keys', 'ca',
+ 'cacert.pem'
+)) if domain else None
-provider_ca_path = lambda: str(os.path.join(
+default_provider_ca_path = lambda: str(os.path.join(
baseconfig.get_default_provider_path(),
'keys', 'ca',
PROVIDER_CA_CERT
@@ -17,7 +26,13 @@ provider_ca_path = lambda: str(os.path.join(
PROVIDER_DOMAIN = __branding.get('provider_domain', 'testprovider.example.org')
-client_cert_path = lambda: unicode(os.path.join(
+client_cert_path = lambda domain: unicode(os.path.join(
+ baseconfig.get_provider_path(domain),
+ 'keys', 'client',
+ 'openvpn.pem'
+)) if domain else None
+
+default_client_cert_path = lambda: unicode(os.path.join(
baseconfig.get_default_provider_path(),
'keys', 'client',
'openvpn.pem'
@@ -46,11 +61,11 @@ eipconfig_spec = {
},
'openvpn_ca_certificate': {
'type': unicode, # path
- 'default': provider_ca_path
+ 'default': default_provider_ca_path
},
'openvpn_client_certificate': {
'type': unicode, # path
- 'default': client_cert_path
+ 'default': default_client_cert_path
},
'connect_on_login': {
'type': bool,
@@ -62,12 +77,12 @@ eipconfig_spec = {
},
'primary_gateway': {
'type': unicode,
- 'default': u"turkey",
+ 'default': u"location_unknown",
#'required': True
},
'secondary_gateway': {
'type': unicode,
- 'default': u"france"
+ 'default': u"location_unknown2"
},
'management_password': {
'type': unicode
@@ -85,25 +100,37 @@ eipservice_config_spec = {
'default': 1
},
'version': {
- 'type': unicode,
+ 'type': int,
'required': True,
- 'default': "0.1.0"
+ 'default': 1
},
- 'capabilities': {
- 'type': dict,
- 'default': {
- "transport": ["openvpn"],
- "ports": ["80", "53"],
- "protocols": ["udp", "tcp"],
- "static_ips": True,
- "adblock": True}
+ 'clusters': {
+ 'type': list,
+ 'default': [
+ {"label": {
+ "en": "Location Unknown"},
+ "name": "location_unknown"}]
},
'gateways': {
'type': list,
- 'default': [{"country_code": "us",
- "label": {"en":"west"},
- "capabilities": {},
- "hosts": ["1.2.3.4", "1.2.3.5"]}]
+ 'default': [
+ {"capabilities": {
+ "adblock": True,
+ "filter_dns": True,
+ "ports": ["80", "53", "443", "1194"],
+ "protocols": ["udp", "tcp"],
+ "transport": ["openvpn"],
+ "user_ips": False},
+ "cluster": "location_unknown",
+ "host": "location.example.org",
+ "ip_address": "127.0.0.1"}]
+ },
+ 'openvpn_configuration': {
+ 'type': dict,
+ 'default': {
+ "auth": None,
+ "cipher": None,
+ "tls-cipher": None}
}
}
}
diff --git a/src/leap/eip/tests/data.py b/src/leap/eip/tests/data.py
index 43df2013..a7fe1853 100644
--- a/src/leap/eip/tests/data.py
+++ b/src/leap/eip/tests/data.py
@@ -1,11 +1,12 @@
from __future__ import unicode_literals
import os
-from leap import __branding
+#from leap import __branding
# sample data used in tests
-PROVIDER = __branding.get('provider_domain')
+#PROVIDER = __branding.get('provider_domain')
+PROVIDER = "testprovider.example.org"
EIP_SAMPLE_CONFIG = {
"provider": "%s" % PROVIDER,
@@ -15,33 +16,36 @@ EIP_SAMPLE_CONFIG = {
"openvpn_ca_certificate": os.path.expanduser(
"~/.config/leap/providers/"
"%s/"
- "keys/ca/testprovider-ca-cert.pem" % PROVIDER),
+ "keys/ca/cacert.pem" % PROVIDER),
"openvpn_client_certificate": os.path.expanduser(
"~/.config/leap/providers/"
"%s/"
"keys/client/openvpn.pem" % PROVIDER),
"connect_on_login": True,
"block_cleartext_traffic": True,
- "primary_gateway": "turkey",
- "secondary_gateway": "france",
+ "primary_gateway": "location_unknown",
+ "secondary_gateway": "location_unknown2",
#"management_password": "oph7Que1othahwiech6J"
}
EIP_SAMPLE_SERVICE = {
"serial": 1,
- "version": "0.1.0",
- "capabilities": {
- "transport": ["openvpn"],
- "ports": ["80", "53"],
- "protocols": ["udp", "tcp"],
- "static_ips": True,
- "adblock": True
- },
+ "version": 1,
+ "clusters": [
+ {"label": {
+ "en": "Location Unknown"},
+ "name": "location_unknown"}
+ ],
"gateways": [
- {"country_code": "tr",
- "name": "turkey",
- "label": {"en":"Ankara, Turkey"},
- "capabilities": {},
- "hosts": ["94.103.43.4"]}
+ {"capabilities": {
+ "adblock": True,
+ "filter_dns": True,
+ "ports": ["80", "53", "443", "1194"],
+ "protocols": ["udp", "tcp"],
+ "transport": ["openvpn"],
+ "user_ips": False},
+ "cluster": "location_unknown",
+ "host": "location.example.org",
+ "ip_address": "192.0.43.10"}
]
}
diff --git a/src/leap/eip/tests/test_checks.py b/src/leap/eip/tests/test_checks.py
index 58ce473f..ab11037a 100644
--- a/src/leap/eip/tests/test_checks.py
+++ b/src/leap/eip/tests/test_checks.py
@@ -25,6 +25,7 @@ from leap.eip.tests import data as testdata
from leap.testing.basetest import BaseLeapTest
from leap.testing.https_server import BaseHTTPSServerTestCase
from leap.testing.https_server import where as where_cert
+from leap.util.fileutil import mkdir_f
class NoLogRequestHandler:
@@ -39,6 +40,8 @@ class NoLogRequestHandler:
class EIPCheckTest(BaseLeapTest):
__name__ = "eip_check_tests"
+ provider = "testprovider.example.org"
+ maxDiff = None
def setUp(self):
pass
@@ -49,7 +52,7 @@ class EIPCheckTest(BaseLeapTest):
# test methods are there, and can be called from run_all
def test_checker_should_implement_check_methods(self):
- checker = eipchecks.EIPConfigChecker()
+ checker = eipchecks.EIPConfigChecker(domain=self.provider)
self.assertTrue(hasattr(checker, "check_default_eipconfig"),
"missing meth")
@@ -62,7 +65,7 @@ class EIPCheckTest(BaseLeapTest):
"missing meth")
def test_checker_should_actually_call_all_tests(self):
- checker = eipchecks.EIPConfigChecker()
+ checker = eipchecks.EIPConfigChecker(domain=self.provider)
mc = Mock()
checker.run_all(checker=mc)
@@ -79,7 +82,7 @@ class EIPCheckTest(BaseLeapTest):
# test individual check methods
def test_check_default_eipconfig(self):
- checker = eipchecks.EIPConfigChecker()
+ checker = eipchecks.EIPConfigChecker(domain=self.provider)
# no eip config (empty home)
eipconfig_path = checker.eipconfig.filename
self.assertFalse(os.path.isfile(eipconfig_path))
@@ -93,15 +96,15 @@ class EIPCheckTest(BaseLeapTest):
# small workaround for evaluating home dirs correctly
EIP_SAMPLE_CONFIG = copy.copy(testdata.EIP_SAMPLE_CONFIG)
EIP_SAMPLE_CONFIG['openvpn_client_certificate'] = \
- eipspecs.client_cert_path()
+ eipspecs.client_cert_path(self.provider)
EIP_SAMPLE_CONFIG['openvpn_ca_certificate'] = \
- eipspecs.provider_ca_path()
+ eipspecs.provider_ca_path(self.provider)
self.assertEqual(deserialized, EIP_SAMPLE_CONFIG)
# TODO: shold ALSO run validation methods.
def test_check_is_there_default_provider(self):
- checker = eipchecks.EIPConfigChecker()
+ checker = eipchecks.EIPConfigChecker(domain=self.provider)
# we do dump a sample eip config, but lacking a
# default provider entry.
# This error will be possible catched in a different
@@ -116,6 +119,7 @@ class EIPCheckTest(BaseLeapTest):
sampleconfig = copy.copy(testdata.EIP_SAMPLE_CONFIG)
sampleconfig['provider'] = None
eipcfg_path = checker.eipconfig.filename
+ mkdir_f(eipcfg_path)
with open(eipcfg_path, 'w') as fp:
json.dump(sampleconfig, fp)
#with self.assertRaises(eipexceptions.EIPMissingDefaultProvider):
@@ -136,6 +140,8 @@ class EIPCheckTest(BaseLeapTest):
def test_fetch_definition(self):
with patch.object(requests, "get") as mocked_get:
mocked_get.return_value.status_code = 200
+ mocked_get.return_value.headers = {
+ 'last-modified': "Wed Dec 12 12:12:12 GMT 2012"}
mocked_get.return_value.json = DEFAULT_PROVIDER_DEFINITION
checker = eipchecks.EIPConfigChecker(fetcher=requests)
sampleconfig = testdata.EIP_SAMPLE_CONFIG
@@ -154,6 +160,8 @@ class EIPCheckTest(BaseLeapTest):
def test_fetch_eip_service_config(self):
with patch.object(requests, "get") as mocked_get:
mocked_get.return_value.status_code = 200
+ mocked_get.return_value.headers = {
+ 'last-modified': "Wed Dec 12 12:12:12 GMT 2012"}
mocked_get.return_value.json = testdata.EIP_SAMPLE_SERVICE
checker = eipchecks.EIPConfigChecker(fetcher=requests)
sampleconfig = testdata.EIP_SAMPLE_CONFIG
@@ -178,6 +186,7 @@ class EIPCheckTest(BaseLeapTest):
class ProviderCertCheckerTest(BaseLeapTest):
__name__ = "provider_cert_checker_tests"
+ provider = "testprovider.example.org"
def setUp(self):
pass
@@ -226,13 +235,20 @@ class ProviderCertCheckerTest(BaseLeapTest):
# test individual check methods
+ @unittest.skip
def test_is_there_provider_ca(self):
+ # XXX commenting out this test.
+ # With the generic client this does not make sense,
+ # we should dump one there.
+ # or test conductor logic.
checker = eipchecks.ProviderCertChecker()
self.assertTrue(
checker.is_there_provider_ca())
class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest):
+ provider = "testprovider.example.org"
+
class request_handler(NoLogRequestHandler, BaseHTTPRequestHandler):
responses = {
'/': ['OK', ''],
@@ -292,12 +308,19 @@ class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest):
# same, but get cacert from leap.custom
# XXX TODO!
+ @unittest.skip
def test_download_new_client_cert(self):
+ # FIXME
+ # Magick srp decorator broken right now...
+ # Have to mock the decorator and inject something that
+ # can bypass the authentication
+
uri = "https://%s/client.cert" % (self.get_server())
cacert = where_cert('cacert.pem')
- checker = eipchecks.ProviderCertChecker()
+ checker = eipchecks.ProviderCertChecker(domain=self.provider)
+ credentials = "testuser", "testpassword"
self.assertTrue(checker.download_new_client_cert(
- uri=uri, verify=cacert))
+ credentials=credentials, uri=uri, verify=cacert))
# now download a malformed cert
uri = "https://%s/badclient.cert" % (self.get_server())
@@ -305,7 +328,7 @@ class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest):
checker = eipchecks.ProviderCertChecker()
with self.assertRaises(ValueError):
self.assertTrue(checker.download_new_client_cert(
- uri=uri, verify=cacert))
+ credentials=credentials, uri=uri, verify=cacert))
# did we write cert to its path?
clientcertfile = eipspecs.client_cert_path()
@@ -339,7 +362,7 @@ class ProviderCertCheckerHTTPSTests(BaseHTTPSServerTestCase, BaseLeapTest):
def test_check_new_cert_needed(self):
# check: missing cert
- checker = eipchecks.ProviderCertChecker()
+ checker = eipchecks.ProviderCertChecker(domain=self.provider)
self.assertTrue(checker.check_new_cert_needed(skip_download=True))
# TODO check: malformed cert
# TODO check: expired cert
diff --git a/src/leap/eip/tests/test_config.py b/src/leap/eip/tests/test_config.py
index 6759b522..72ab3c8e 100644
--- a/src/leap/eip/tests/test_config.py
+++ b/src/leap/eip/tests/test_config.py
@@ -1,3 +1,4 @@
+from collections import OrderedDict
import json
import os
import platform
@@ -10,21 +11,24 @@ except ImportError:
#from leap.base import constants
#from leap.eip import config as eip_config
-from leap import __branding as BRANDING
+#from leap import __branding as BRANDING
from leap.eip import config as eipconfig
from leap.eip.tests.data import EIP_SAMPLE_CONFIG, EIP_SAMPLE_SERVICE
from leap.testing.basetest import BaseLeapTest
-from leap.util.fileutil import mkdir_p
+from leap.util.fileutil import mkdir_p, mkdir_f
_system = platform.system()
-PROVIDER = BRANDING.get('provider_domain')
-PROVIDER_SHORTNAME = BRANDING.get('short_name')
+#PROVIDER = BRANDING.get('provider_domain')
+#PROVIDER_SHORTNAME = BRANDING.get('short_name')
class EIPConfigTest(BaseLeapTest):
__name__ = "eip_config_tests"
+ provider = "testprovider.example.org"
+
+ maxDiff = None
def setUp(self):
pass
@@ -46,11 +50,22 @@ class EIPConfigTest(BaseLeapTest):
open(tfile, 'wb').close()
os.chmod(tfile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
- def write_sample_eipservice(self):
+ def write_sample_eipservice(self, vpnciphers=False, extra_vpnopts=None,
+ gateways=None):
conf = eipconfig.EIPServiceConfig()
- folder, f = os.path.split(conf.filename)
- if not os.path.isdir(folder):
- mkdir_p(folder)
+ mkdir_f(conf.filename)
+ if gateways:
+ EIP_SAMPLE_SERVICE['gateways'] = gateways
+ if vpnciphers:
+ openvpnconfig = OrderedDict({
+ "auth": "SHA1",
+ "cipher": "AES-128-CBC",
+ "tls-cipher": "DHE-RSA-AES128-SHA"})
+ if extra_vpnopts:
+ for k, v in extra_vpnopts.items():
+ openvpnconfig[k] = v
+ EIP_SAMPLE_SERVICE['openvpn_configuration'] = openvpnconfig
+
with open(conf.filename, 'w') as fd:
fd.write(json.dumps(EIP_SAMPLE_SERVICE))
@@ -62,8 +77,17 @@ class EIPConfigTest(BaseLeapTest):
with open(conf.filename, 'w') as fd:
fd.write(json.dumps(EIP_SAMPLE_CONFIG))
- def get_expected_openvpn_args(self):
+ def get_expected_openvpn_args(self, with_openvpn_ciphers=False):
+ """
+ yeah, this is almost as duplicating the
+ code for building the command
+ """
args = []
+ eipconf = eipconfig.EIPConfig(domain=self.provider)
+ eipconf.load()
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+ eipsconf.load()
+
username = self.get_username()
groupname = self.get_groupname()
@@ -74,7 +98,10 @@ class EIPConfigTest(BaseLeapTest):
args.append('--persist-tun')
args.append('--persist-key')
args.append('--remote')
- args.append('%s' % eipconfig.get_eip_gateway())
+
+ args.append('%s' % eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf))
# XXX get port!?
args.append('1194')
# XXX get proto
@@ -83,6 +110,14 @@ class EIPConfigTest(BaseLeapTest):
args.append('--remote-cert-tls')
args.append('server')
+ if with_openvpn_ciphers:
+ CIPHERS = [
+ "--tls-cipher", "DHE-RSA-AES128-SHA",
+ "--cipher", "AES-128-CBC",
+ "--auth", "SHA1"]
+ for opt in CIPHERS:
+ args.append(opt)
+
args.append('--user')
args.append(username)
args.append('--group')
@@ -97,29 +132,43 @@ class EIPConfigTest(BaseLeapTest):
args.append('/tmp/test.socket')
args.append('unix')
+ args.append('--script-security')
+ args.append('2')
+
+ if _system == "Linux":
+ UPDOWN_SCRIPT = "/etc/leap/resolv-update"
+ if os.path.isfile(UPDOWN_SCRIPT):
+ args.append('--up')
+ args.append('/etc/leap/resolv-update')
+ args.append('--down')
+ args.append('/etc/leap/resolv-update')
+ args.append('--plugin')
+ args.append('/usr/lib/openvpn/openvpn-down-root.so')
+ args.append("'script_type=down /etc/leap/resolv-update'")
+
# certs
# XXX get values from specs?
args.append('--cert')
args.append(os.path.join(
self.home,
'.config', 'leap', 'providers',
- '%s' % PROVIDER,
+ '%s' % self.provider,
'keys', 'client',
'openvpn.pem'))
args.append('--key')
args.append(os.path.join(
self.home,
'.config', 'leap', 'providers',
- '%s' % PROVIDER,
+ '%s' % self.provider,
'keys', 'client',
'openvpn.pem'))
args.append('--ca')
args.append(os.path.join(
self.home,
'.config', 'leap', 'providers',
- '%s' % PROVIDER,
+ '%s' % self.provider,
'keys', 'ca',
- '%s-cacert.pem' % PROVIDER_SHORTNAME))
+ 'cacert.pem'))
return args
# build command string
@@ -128,6 +177,55 @@ class EIPConfigTest(BaseLeapTest):
# params in the function call, to disable
# some checks.
+ def test_get_eip_gateway(self):
+ self.write_sample_eipconfig()
+ eipconf = eipconfig.EIPConfig(domain=self.provider)
+
+ # default eipservice
+ self.write_sample_eipservice()
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+
+ gateway = eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf)
+
+ # in spec is local gateway by default
+ self.assertEqual(gateway, '127.0.0.1')
+
+ # change eipservice
+ # right now we only check that cluster == selected primary gw in
+ # eip.json, and pick first matching ip
+ eipconf._config.config['primary_gateway'] = "foo_provider"
+ newgateways = [{"cluster": "foo_provider",
+ "ip_address": "127.0.0.99"}]
+ self.write_sample_eipservice(gateways=newgateways)
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+ # load from disk file
+ eipsconf.load()
+
+ gateway = eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf)
+ self.assertEqual(gateway, '127.0.0.99')
+
+ # change eipservice, several gateways
+ # right now we only check that cluster == selected primary gw in
+ # eip.json, and pick first matching ip
+ eipconf._config.config['primary_gateway'] = "bar_provider"
+ newgateways = [{"cluster": "foo_provider",
+ "ip_address": "127.0.0.99"},
+ {'cluster': "bar_provider",
+ "ip_address": "127.0.0.88"}]
+ self.write_sample_eipservice(gateways=newgateways)
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+ # load from disk file
+ eipsconf.load()
+
+ gateway = eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf)
+ self.assertEqual(gateway, '127.0.0.88')
+
def test_build_ovpn_command_empty_config(self):
self.touch_exec()
self.write_sample_eipservice()
@@ -137,13 +235,63 @@ class EIPConfigTest(BaseLeapTest):
from leap.util.fileutil import which
path = os.environ['PATH']
vpnbin = which('openvpn', path=path)
- print 'path =', path
- print 'vpnbin = ', vpnbin
- command, args = eipconfig.build_ovpn_command(
+ #print 'path =', path
+ #print 'vpnbin = ', vpnbin
+ vpncommand, vpnargs = eipconfig.build_ovpn_command(
+ do_pkexec_check=False, vpnbin=vpnbin,
+ socket_path="/tmp/test.socket",
+ provider=self.provider)
+ self.assertEqual(vpncommand, self.home + '/bin/openvpn')
+ self.assertEqual(vpnargs, self.get_expected_openvpn_args())
+
+ def test_build_ovpn_command_openvpnoptions(self):
+ self.touch_exec()
+
+ from leap.eip import config as eipconfig
+ from leap.util.fileutil import which
+ path = os.environ['PATH']
+ vpnbin = which('openvpn', path=path)
+
+ self.write_sample_eipconfig()
+
+ # regular run, everything normal
+ self.write_sample_eipservice(vpnciphers=True)
+ vpncommand, vpnargs = eipconfig.build_ovpn_command(
+ do_pkexec_check=False, vpnbin=vpnbin,
+ socket_path="/tmp/test.socket",
+ provider=self.provider)
+ self.assertEqual(vpncommand, self.home + '/bin/openvpn')
+ expected = self.get_expected_openvpn_args(
+ with_openvpn_ciphers=True)
+ self.assertEqual(vpnargs, expected)
+
+ # bad options -- illegal options
+ self.write_sample_eipservice(
+ vpnciphers=True,
+ # WE ONLY ALLOW vpn options in auth, cipher, tls-cipher
+ extra_vpnopts={"notallowedconfig": "badvalue"})
+ vpncommand, vpnargs = eipconfig.build_ovpn_command(
+ do_pkexec_check=False, vpnbin=vpnbin,
+ socket_path="/tmp/test.socket",
+ provider=self.provider)
+ self.assertEqual(vpncommand, self.home + '/bin/openvpn')
+ expected = self.get_expected_openvpn_args(
+ with_openvpn_ciphers=True)
+ self.assertEqual(vpnargs, expected)
+
+ # bad options -- illegal chars
+ self.write_sample_eipservice(
+ vpnciphers=True,
+ # WE ONLY ALLOW A-Z09\-
+ extra_vpnopts={"cipher": "AES-128-CBC;FOOTHING"})
+ vpncommand, vpnargs = eipconfig.build_ovpn_command(
do_pkexec_check=False, vpnbin=vpnbin,
- socket_path="/tmp/test.socket")
- self.assertEqual(command, self.home + '/bin/openvpn')
- self.assertEqual(args, self.get_expected_openvpn_args())
+ socket_path="/tmp/test.socket",
+ provider=self.provider)
+ self.assertEqual(vpncommand, self.home + '/bin/openvpn')
+ expected = self.get_expected_openvpn_args(
+ with_openvpn_ciphers=True)
+ self.assertEqual(vpnargs, expected)
if __name__ == "__main__":
diff --git a/src/leap/eip/tests/test_eipconnection.py b/src/leap/eip/tests/test_eipconnection.py
index bb643ae0..163f8d45 100644
--- a/src/leap/eip/tests/test_eipconnection.py
+++ b/src/leap/eip/tests/test_eipconnection.py
@@ -1,6 +1,8 @@
+import glob
import logging
import platform
-import os
+#import os
+import shutil
logging.basicConfig()
logger = logging.getLogger(name=__name__)
@@ -19,6 +21,8 @@ from leap.testing.basetest import BaseLeapTest
_system = platform.system()
+PROVIDER = "testprovider.example.org"
+
class NotImplementedError(Exception):
pass
@@ -27,6 +31,7 @@ class NotImplementedError(Exception):
@patch('OpenVPNConnection._get_or_create_config')
@patch('OpenVPNConnection._set_ovpn_command')
class MockedEIPConnection(EIPConnection):
+
def _set_ovpn_command(self):
self.command = "mock_command"
self.args = [1, 2, 3]
@@ -35,6 +40,7 @@ class MockedEIPConnection(EIPConnection):
class EIPConductorTest(BaseLeapTest):
__name__ = "eip_conductor_tests"
+ provider = PROVIDER
def setUp(self):
# XXX there's a conceptual/design
@@ -51,8 +57,8 @@ class EIPConductorTest(BaseLeapTest):
# XXX change to keys_checker invocation
# (see config_checker)
- keyfiles = (eipspecs.provider_ca_path(),
- eipspecs.client_cert_path())
+ keyfiles = (eipspecs.provider_ca_path(domain=self.provider),
+ eipspecs.client_cert_path(domain=self.provider))
for filepath in keyfiles:
self.touch(filepath)
self.chmod600(filepath)
@@ -61,11 +67,27 @@ class EIPConductorTest(BaseLeapTest):
# some methods mocked
self.manager = Mock(name="openvpnmanager_mock")
self.con = MockedEIPConnection()
+ self.con.provider = self.provider
+
+ # XXX watch out. This sometimes is throwing the following error:
+ # NoSuchProcess: process no longer exists (pid=6571)
+ # because of a bad implementation of _check_if_running_instance
+
self.con.run_openvpn_checks()
def tearDown(self):
+ pass
+
+ def doCleanups(self):
+ super(BaseLeapTest, self).doCleanups()
+ self.cleanupSocketDir()
del self.con
+ def cleanupSocketDir(self):
+ ptt = ('/tmp/leap-tmp*')
+ for tmpdir in glob.glob(ptt):
+ shutil.rmtree(tmpdir)
+
#
# tests
#
@@ -76,6 +98,7 @@ class EIPConductorTest(BaseLeapTest):
"""
con = self.con
self.assertEqual(con.autostart, True)
+ # XXX moar!
def test_ovpn_command(self):
"""
@@ -93,6 +116,7 @@ class EIPConductorTest(BaseLeapTest):
# needed to run tests. (roughly 3 secs for this only)
# We should modularize and inject Mocks on more places.
+ oldcon = self.con
del(self.con)
config_checker = Mock()
self.con = MockedEIPConnection(config_checker=config_checker)
@@ -102,6 +126,7 @@ class EIPConductorTest(BaseLeapTest):
skip_download=False)
# XXX test for cert_checker also
+ self.con = oldcon
# connect/disconnect calls
@@ -118,8 +143,14 @@ class EIPConductorTest(BaseLeapTest):
self.con.status.CONNECTED)
# disconnect
+ self.con.terminate_openvpn_connection = Mock()
self.con.disconnect()
- self.con._disconnect.assert_called_once_with()
+ self.con.terminate_openvpn_connection.assert_called_once_with(
+ shutdown=False)
+ self.con.terminate_openvpn_connection = Mock()
+ self.con.disconnect(shutdown=True)
+ self.con.terminate_openvpn_connection.assert_called_once_with(
+ shutdown=True)
# new status should be disconnected
# XXX this should evolve and check no errors
diff --git a/src/leap/eip/tests/test_openvpnconnection.py b/src/leap/eip/tests/test_openvpnconnection.py
index 61769f04..95bfb2f0 100644
--- a/src/leap/eip/tests/test_openvpnconnection.py
+++ b/src/leap/eip/tests/test_openvpnconnection.py
@@ -58,16 +58,27 @@ class OpenVPNConnectionTest(BaseLeapTest):
def setUp(self):
# XXX this will have to change for win, host=localhost
host = eipconfig.get_socket_path()
+ self.host = host
self.manager = MockedOpenVPNConnection(host=host)
def tearDown(self):
+ pass
+
+ def doCleanups(self):
+ super(BaseLeapTest, self).doCleanups()
+ self.cleanupSocketDir()
+
+ def cleanupSocketDir(self):
# remove the socket folder.
# XXX only if posix. in win, host is localhost, so nothing
# has to be done.
- if self.manager.host:
- folder, fpath = os.path.split(self.manager.host)
- assert folder.startswith('/tmp/leap-tmp') # safety check
- shutil.rmtree(folder)
+ if self.host:
+ folder, fpath = os.path.split(self.host)
+ try:
+ assert folder.startswith('/tmp/leap-tmp') # safety check
+ shutil.rmtree(folder)
+ except:
+ self.fail("could not remove temp file")
del self.manager
@@ -76,13 +87,18 @@ class OpenVPNConnectionTest(BaseLeapTest):
#
def test_detect_vpn(self):
+ # XXX review, not sure if captured all the logic
+ # while fixing. kali.
openvpn_connection = openvpnconnection.OpenVPNConnection()
- with patch.object(psutil, "get_process_list") as mocked_psutil:
+
+ with patch.object(psutil, "process_iter") as mocked_psutil:
+ mocked_process = Mock()
+ mocked_process.name = "openvpn"
+ mocked_process.cmdline = ["openvpn", "-foo", "-bar", "-gaaz"]
+ mocked_psutil.return_value = [mocked_process]
with self.assertRaises(eipexceptions.OpenVPNAlreadyRunning):
- mocked_process = Mock()
- mocked_process.name = "openvpn"
- mocked_psutil.return_value = [mocked_process]
openvpn_connection._check_if_running_instance()
+
openvpn_connection._check_if_running_instance()
@unittest.skipIf(_system == "Windows", "lin/mac only")
@@ -104,12 +120,14 @@ class OpenVPNConnectionTest(BaseLeapTest):
self.assertEqual(self.manager.port, 7777)
def test_port_types_init(self):
+ oldmanager = self.manager
self.manager = MockedOpenVPNConnection(port="42")
self.assertEqual(self.manager.port, 42)
self.manager = MockedOpenVPNConnection()
self.assertEqual(self.manager.port, "unix")
self.manager = MockedOpenVPNConnection(port="bad")
self.assertEqual(self.manager.port, None)
+ self.manager = oldmanager
def test_uds_telnet_called_on_connect(self):
self.manager.connect_to_management()