summaryrefslogtreecommitdiff
path: root/src/leap/eip
diff options
context:
space:
mode:
Diffstat (limited to 'src/leap/eip')
-rw-r--r--src/leap/eip/checks.py111
-rw-r--r--src/leap/eip/config.py51
-rw-r--r--src/leap/eip/eipconnection.py8
-rw-r--r--src/leap/eip/exceptions.py57
-rw-r--r--src/leap/eip/openvpnconnection.py80
5 files changed, 201 insertions, 106 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 9ae6e5f5..0d07ef08 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -1,8 +1,9 @@
import logging
-import ssl
+#import ssl
#import platform
import time
import os
+import sys
import gnutls.crypto
#import netifaces
@@ -20,7 +21,10 @@ from leap.eip import config as eipconfig
from leap.eip import constants as eipconstants
from leap.eip import exceptions as eipexceptions
from leap.eip import specs as eipspecs
+from leap.util.certs import get_mac_cabundle
from leap.util.fileutil import mkdir_p
+from leap.util.web import get_https_domain_and_port
+from leap.util.misc import null_check
logger = logging.getLogger(name=__name__)
@@ -46,7 +50,7 @@ reachable and testable as a whole.
def get_branding_ca_cert(domain):
- # XXX deprecated
+ # deprecated
ca_file = BRANDING.get('provider_ca_file')
if ca_file:
return leapcerts.where(ca_file)
@@ -63,6 +67,10 @@ class ProviderCertChecker(object):
self.fetcher = fetcher
self.domain = domain
+ #XXX needs some kind of autoinit
+ #right now we set by hand
+ #by loading and reading provider config
+ self.apidomain = None
self.cacert = eipspecs.provider_ca_path(domain)
def run_all(
@@ -159,36 +167,33 @@ class ProviderCertChecker(object):
if autocacert and verify is True and self.cacert is not None:
logger.debug('verify cert: %s', self.cacert)
verify = self.cacert
- logger.debug('is https working?')
+ if sys.platform == "darwin":
+ verify = get_mac_cabundle()
+ logger.debug('checking https connection')
logger.debug('uri: %s (verify:%s)', uri, verify)
+
try:
self.fetcher.get(uri, verify=verify)
except requests.exceptions.SSLError as exc:
- logger.error("SSLError")
- # XXX RAISE! See #638
- #raise eipexceptions.HttpsBadCertError
- logger.warning('BUG #638 CERT VERIFICATION FAILED! '
- '(this should be CRITICAL)')
- logger.warning('SSLError: %s', exc.message)
+ raise eipexceptions.HttpsBadCertError
except requests.exceptions.ConnectionError:
logger.error('ConnectionError')
raise eipexceptions.HttpsNotSupported
else:
- logger.debug('True')
return True
def check_new_cert_needed(self, skip_download=False, verify=True):
- logger.debug('is new cert needed?')
+ # XXX add autocacert
if not self.is_cert_valid(do_raise=False):
- logger.debug('True')
+ logger.debug('cert needed: true')
self.download_new_client_cert(
skip_download=skip_download,
verify=verify)
return True
- logger.debug('False')
+ logger.debug('cert needed: false')
return False
def download_new_client_cert(self, uri=None, verify=True,
@@ -200,20 +205,20 @@ class ProviderCertChecker(object):
if uri is None:
uri = self._get_client_cert_uri()
# XXX raise InsecureURI or something better
- assert uri.startswith('https')
+ #assert uri.startswith('https')
if verify is True and self.cacert is not None:
verify = self.cacert
+ logger.debug('verify = %s', verify)
fgetfn = self.fetcher.get
if credentials:
user, passwd = credentials
-
- logger.debug('domain = %s', self.domain)
+ logger.debug('apidomain = %s', self.apidomain)
@srpauth_protected(user, passwd,
- server="https://%s" % self.domain,
+ server="https://%s" % self.apidomain,
verify=verify)
def getfn(*args, **kwargs):
return fgetfn(*args, **kwargs)
@@ -225,23 +230,23 @@ class ProviderCertChecker(object):
return fgetfn(*args, **kwargs)
try:
- # XXX FIXME!!!!
- # verify=verify
- # Workaround for #638. return to verification
- # when That's done!!!
- #req = self.fetcher.get(uri, verify=False)
- req = getfn(uri, verify=False)
+ req = getfn(uri, verify=verify)
req.raise_for_status()
except requests.exceptions.SSLError:
logger.warning('SSLError while fetching cert. '
'Look below for stack trace.')
# XXX raise better exception
- raise
+ return self.fail("SSLError")
+ except Exception as exc:
+ return self.fail(exc.message)
+
try:
+ logger.debug('validating cert...')
pemfile_content = req.content
valid = self.is_valid_pemfile(pemfile_content)
if not valid:
+ logger.warning('invalid cert')
return False
cert_path = self._get_client_cert_path()
self.write_cert(pemfile_content, to=cert_path)
@@ -276,10 +281,7 @@ class ProviderCertChecker(object):
cert = gnutls.crypto.X509Certificate(cert_s)
from_ = time.gmtime(cert.activation_time)
to_ = time.gmtime(cert.expiration_time)
- # FIXME BUG ON LEAP_CLI, certs are not valid on gmtime
- # See #1153
return from_ < now() < to_
- #return now() < to_
def is_valid_pemfile(self, cert_s=None):
"""
@@ -308,8 +310,7 @@ class ProviderCertChecker(object):
return u"https://%s/" % self.domain
def _get_client_cert_uri(self):
- # XXX get the whole thing from constants
- return "https://%s/1/cert" % self.domain
+ return "https://%s/1/cert" % self.apidomain
def _get_client_cert_path(self):
return eipspecs.client_cert_path(domain=self.domain)
@@ -336,6 +337,9 @@ class ProviderCertChecker(object):
with open(to, 'w') as cert_f:
cert_f.write(pemfile_content)
+ def set_api_domain(self, domain):
+ self.apidomain = domain
+
class EIPConfigChecker(object):
"""
@@ -355,10 +359,15 @@ class EIPConfigChecker(object):
# if not domain, get from config
self.domain = domain
+ self.apidomain = None
+ self.cacert = eipspecs.provider_ca_path(domain)
- self.eipconfig = eipconfig.EIPConfig(domain=domain)
self.defaultprovider = providers.LeapProviderDefinition(domain=domain)
+ self.defaultprovider.load()
+ self.eipconfig = eipconfig.EIPConfig(domain=domain)
+ self.set_api_domain()
self.eipserviceconfig = eipconfig.EIPServiceConfig(domain=domain)
+ self.eipserviceconfig.load()
def run_all(self, checker=None, skip_download=False):
"""
@@ -442,31 +451,41 @@ class EIPConfigChecker(object):
domain = config.get('provider', None)
uri = self._get_provider_definition_uri(domain=domain)
- # FIXME! Pass ca path verify!!!
- # BUG #638
- # FIXME FIXME FIXME
+ if sys.platform == "darwin":
+ verify = get_mac_cabundle()
+ else:
+ verify = True
+
self.defaultprovider.load(
from_uri=uri,
fetcher=self.fetcher,
- verify=False)
+ verify=verify)
self.defaultprovider.save()
def fetch_eip_service_config(self, skip_download=False,
force_download=False,
- config=None, uri=None, domain=None):
+ config=None, uri=None, # domain=None,
+ autocacert=True):
if skip_download:
return True
if config is None:
+ self.eipserviceconfig.load()
config = self.eipserviceconfig.config
if uri is None:
- if not domain:
- domain = self.domain or config.get('provider', None)
- uri = self._get_eip_service_uri(domain=domain)
+ #XXX
+ #if not domain:
+ #domain = self.domain or config.get('provider', None)
+ uri = self._get_eip_service_uri(
+ domain=self.apidomain)
+
+ if autocacert and self.cacert is not None:
+ verify = self.cacert
self.eipserviceconfig.load(
from_uri=uri,
fetcher=self.fetcher,
- force_download=force_download)
+ force_download=force_download,
+ verify=verify)
self.eipserviceconfig.save()
def check_complete_eip_config(self, config=None):
@@ -474,7 +493,6 @@ class EIPConfigChecker(object):
if config is None:
config = self.eipconfig.config
try:
- 'trying assertions'
assert 'provider' in config
assert config['provider'] is not None
# XXX assert there is gateway !!
@@ -513,3 +531,16 @@ class EIPConfigChecker(object):
uri = "https://%s/%s" % (domain, path)
logger.debug('getting eip service file from %s', uri)
return uri
+
+ def set_api_domain(self):
+ """sets api domain from defaultprovider config object"""
+ api = self.defaultprovider.config.get('api_uri', None)
+ # the caller is responsible for having loaded the config
+ # object at this point
+ if api:
+ api_dom = get_https_domain_and_port(api)
+ self.apidomain = "%s:%s" % api_dom
+
+ def get_api_domain(self):
+ """gets api domain"""
+ return self.apidomain
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 48e6e9a7..a60d7ed5 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -18,6 +18,8 @@ from leap.eip import specs as eipspecs
logger = logging.getLogger(name=__name__)
provider_ca_file = BRANDING.get('provider_ca_file', None)
+_platform = platform.system()
+
class EIPConfig(baseconfig.JSONLeapConfig):
spec = eipspecs.eipconfig_spec
@@ -210,8 +212,13 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
# interface. unix sockets or telnet interface for win.
# XXX take them from the config object.
- ourplatform = platform.system()
- if ourplatform in ("Linux", "Mac"):
+ if _platform == "Windows":
+ opts.append('--management')
+ opts.append('localhost')
+ # XXX which is a good choice?
+ opts.append('7777')
+
+ if _platform in ("Linux", "Darwin"):
opts.append('--management')
if socket_path is None:
@@ -219,16 +226,20 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
opts.append(socket_path)
opts.append('unix')
- if ourplatform == "Windows":
- opts.append('--management')
- opts.append('localhost')
- # XXX which is a good choice?
- opts.append('7777')
+ opts.append('--script-security')
+ opts.append('2')
+
+ if _platform == "Linux":
+ opts.append("--up")
+ opts.append("/etc/openvpn/update-resolv-conf")
+ opts.append("--down")
+ opts.append("/etc/openvpn/update-resolv-conf")
# certs
client_cert_path = eipspecs.client_cert_path(provider)
ca_cert_path = eipspecs.provider_ca_path(provider)
+ # XXX FIX paths for MAC
opts.append('--cert')
opts.append(client_cert_path)
opts.append('--key')
@@ -242,7 +253,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
#if daemon is True:
#opts.append('--daemon')
- logger.debug('vpn options: %s', opts)
+ logger.debug('vpn options: %s', ' '.join(opts))
return opts
@@ -262,7 +273,7 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
# XXX get use_pkexec from config instead.
- if platform.system() == "Linux" and use_pkexec and do_pkexec_check:
+ if _platform == "Linux" and use_pkexec and do_pkexec_check:
# check for both pkexec
# AND a suitable authentication
@@ -282,8 +293,16 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
command.append('pkexec')
+
if vpnbin is None:
- ovpn = which('openvpn')
+ if _platform == "Darwin":
+ # XXX Should hardcode our installed path
+ # /Applications/LEAPClient.app/Contents/Resources/openvpn.leap
+ openvpn_bin = "openvpn.leap"
+ else:
+ openvpn_bin = "openvpn"
+ #XXX hardcode for darwin
+ ovpn = which(openvpn_bin)
else:
ovpn = vpnbin
if ovpn:
@@ -299,7 +318,17 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
# XXX check len and raise proper error
- return [command[0], command[1:]]
+ if _platform == "Darwin":
+ OSX_ASADMIN = 'do shell script "%s" with administrator privileges'
+ # XXX fix workaround for Nones
+ _command = [x if x else " " for x in command]
+ # XXX debugging!
+ # XXX get openvpn log path from debug flags
+ _command.append('--log')
+ _command.append('/tmp/leap_openvpn.log')
+ return ["osascript", ["-e", OSX_ASADMIN % ' '.join(_command)]]
+ else:
+ return [command[0], command[1:]]
def check_vpn_keys(provider=None):
diff --git a/src/leap/eip/eipconnection.py b/src/leap/eip/eipconnection.py
index 27734f80..20b45e36 100644
--- a/src/leap/eip/eipconnection.py
+++ b/src/leap/eip/eipconnection.py
@@ -27,6 +27,8 @@ class StatusMixIn(object):
# Should separate EIPConnectionStatus (self.status)
# from the OpenVPN state/status command and parsing.
+ ERR_CONNREFUSED = False
+
def connection_state(self):
"""
returns the current connection state
@@ -49,10 +51,12 @@ class StatusMixIn(object):
state = self.get_connection_state()
except eip_exceptions.ConnectionRefusedError:
# connection refused. might be not ready yet.
- logger.warning('connection refused')
+ if not self.ERR_CONNREFUSED:
+ logger.warning('connection refused')
+ self.ERR_CONNREFUSED = True
return
if not state:
- logger.debug('no state')
+ #logger.debug('no state')
return
(ts, status_step,
ok, ip, remote) = state
diff --git a/src/leap/eip/exceptions.py b/src/leap/eip/exceptions.py
index 41eed77a..b7d398c3 100644
--- a/src/leap/eip/exceptions.py
+++ b/src/leap/eip/exceptions.py
@@ -33,6 +33,7 @@ TODO:
"""
from leap.base.exceptions import LeapException
+from leap.util.translations import translate
# This should inherit from LeapException
@@ -62,53 +63,69 @@ class Warning(EIPClientError):
class EIPNoPolkitAuthAgentAvailable(CriticalError):
message = "No polkit authentication agent could be found"
- usermessage = ("We could not find any authentication "
- "agent in your system.<br/>"
- "Make sure you have "
- "<b>polkit-gnome-authentication-agent-1</b> "
- "running and try again.")
+ usermessage = translate(
+ "EIPErrors",
+ "We could not find any authentication "
+ "agent in your system.<br/>"
+ "Make sure you have "
+ "<b>polkit-gnome-authentication-agent-1</b> "
+ "running and try again.")
class EIPNoPkexecAvailable(Warning):
message = "No pkexec binary found"
- usermessage = ("We could not find <b>pkexec</b> in your "
- "system.<br/> Do you want to try "
- "<b>setuid workaround</b>? "
- "(<i>DOES NOTHING YET</i>)")
+ usermessage = translate(
+ "EIPErrors",
+ "We could not find <b>pkexec</b> in your "
+ "system.<br/> Do you want to try "
+ "<b>setuid workaround</b>? "
+ "(<i>DOES NOTHING YET</i>)")
failfirst = True
class EIPNoCommandError(EIPClientError):
message = "no suitable openvpn command found"
- usermessage = ("No suitable openvpn command found. "
- "<br/>(Might be a permissions problem)")
+ usermessage = translate(
+ "EIPErrors",
+ "No suitable openvpn command found. "
+ "<br/>(Might be a permissions problem)")
class EIPBadCertError(Warning):
# XXX this should be critical and fail close
message = "cert verification failed"
- usermessage = "there is a problem with provider certificate"
+ usermessage = translate(
+ "EIPErrors",
+ "there is a problem with provider certificate")
class LeapBadConfigFetchedError(Warning):
message = "provider sent a malformed json file"
- usermessage = "an error occurred during configuratio of leap services"
+ usermessage = translate(
+ "EIPErrors",
+ "an error occurred during configuratio of leap services")
-class OpenVPNAlreadyRunning(EIPClientError):
+class OpenVPNAlreadyRunning(CriticalError):
message = "Another OpenVPN Process is already running."
- usermessage = ("Another OpenVPN Process has been detected."
- "Please close it before starting leap-client")
+ usermessage = translate(
+ "EIPErrors",
+ "Another OpenVPN Process has been detected. "
+ "Please close it before starting leap-client")
class HttpsNotSupported(LeapException):
message = "connection refused while accessing via https"
- usermessage = "Server does not allow secure connections."
+ usermessage = translate(
+ "EIPErrors",
+ "Server does not allow secure connections")
class HttpsBadCertError(LeapException):
message = "verification error on cert"
- usermessage = "Server certificate could not be verified."
+ usermessage = translate(
+ "EIPErrors",
+ "Server certificate could not be verified")
#
# errors still needing some love
@@ -117,7 +134,9 @@ class HttpsBadCertError(LeapException):
class EIPInitNoKeyFileError(CriticalError):
message = "No vpn keys found in the expected path"
- usermessage = "We could not find your eip certs in the expected path"
+ usermessage = translate(
+ "EIPErrors",
+ "We could not find your eip certs in the expected path")
class EIPInitBadKeyFilePermError(Warning):
diff --git a/src/leap/eip/openvpnconnection.py b/src/leap/eip/openvpnconnection.py
index c2dc71a6..05979ff7 100644
--- a/src/leap/eip/openvpnconnection.py
+++ b/src/leap/eip/openvpnconnection.py
@@ -2,17 +2,21 @@
OpenVPN Connection
"""
from __future__ import (print_function)
+from functools import partial
import logging
import os
import psutil
import shutil
+import select
import socket
-from functools import partial
+from time import sleep
logger = logging.getLogger(name=__name__)
from leap.base.connection import Connection
+from leap.base.constants import OPENVPN_BIN
from leap.util.coroutines import spawn_and_watch_process
+from leap.util.misc import get_openvpn_pids
from leap.eip.udstelnet import UDSTelnet
from leap.eip import config as eip_config
@@ -83,7 +87,7 @@ class OpenVPNManagement(object):
try:
self._connect_to_management()
except eip_exceptions.MissingSocketError:
- logger.warning('missing management socket')
+ #logger.warning('missing management socket')
return []
try:
if hasattr(self, 'tn'):
@@ -92,14 +96,19 @@ class OpenVPNManagement(object):
logger.error('socket error')
self._close_management_socket(announce=False)
return []
- buf = self.tn.read_until(b"END", 2)
- self._seek_to_eof()
- blist = buf.split('\r\n')
- if blist[-1].startswith('END'):
- del blist[-1]
- return blist
- else:
- return []
+ try:
+ buf = self.tn.read_until(b"END", 2)
+ self._seek_to_eof()
+ blist = buf.split('\r\n')
+ if blist[-1].startswith('END'):
+ del blist[-1]
+ return blist
+ else:
+ return []
+ except socket.error as exc:
+ logger.debug('socket error: %s' % exc.message)
+ except select.error as exc:
+ logger.debug('select error: %s' % exc.message)
def _send_short_command(self, cmd):
"""
@@ -271,22 +280,20 @@ to be triggered for each one of them.
# checks
+
def _check_if_running_instance(self):
"""
check if openvpn is already running
"""
- try:
- for process in psutil.get_process_list():
- if process.name == "openvpn":
- logger.debug('an openvpn instance is already running.')
- logger.debug('attempting to stop openvpn instance.')
- if not self._stop_openvpn():
- raise eip_exceptions.OpenVPNAlreadyRunning
-
- except psutil.error.NoSuchProcess:
- logger.debug('detected a process which died. passing.')
-
- logger.debug('no openvpn instance found.')
+ openvpn_pids = get_openvpn_pids()
+ if openvpn_pids:
+ logger.debug('an openvpn instance is already running.')
+ logger.debug('attempting to stop openvpn instance.')
+ if not self._stop_openvpn():
+ raise eip_exceptions.OpenVPNAlreadyRunning
+ return
+ else:
+ logger.debug('no openvpn instance found.')
def _set_ovpn_command(self):
try:
@@ -327,12 +334,13 @@ to be triggered for each one of them.
#deprecate watcher_cb,
#use _only_ signal_maps instead
- logger.debug('_launch_openvpn called')
+ #logger.debug('_launch_openvpn called')
if self.watcher_cb is not None:
linewrite_callback = self.watcher_cb
else:
#XXX get logger instead
- linewrite_callback = lambda line: print('watcher: %s' % line)
+ linewrite_callback = lambda line: logger.debug(
+ 'watcher: %s' % line)
# the partial is not
# being applied now because we're not observing the process
@@ -340,7 +348,8 @@ to be triggered for each one of them.
# here since it will be handy for observing patterns in the
# thru-the-manager updates (with regex)
observers = (linewrite_callback,
- partial(lambda con_status, line: None, self.status))
+ partial(lambda con_status,
+ line: linewrite_callback, self.status))
subp, watcher = spawn_and_watch_process(
self.command,
self.args,
@@ -355,23 +364,24 @@ to be triggered for each one of them.
interface
"""
# XXX method a bit too long, split
- logger.debug("terminating openvpn process...")
+ logger.debug("atempting to terminate openvpn process...")
if self.connected():
try:
self._send_command("signal SIGTERM\n")
+ sleep(1)
+ if not self.subp: # XXX ???
+ return True
except socket.error:
logger.warning('management socket died')
return
- if self.subp:
- # ???
- return True
#shutting openvpn failured
#try patching in old openvpn host and trying again
+ # XXX could be more than one!
process = self._get_openvpn_process()
if process:
- logger.debug('process :%s' % process)
+ logger.debug('process: %s' % process.name)
cmdline = process.cmdline
manag_flag = "--management"
@@ -392,9 +402,11 @@ to be triggered for each one of them.
return True
def _get_openvpn_process(self):
- # plist = [p for p in psutil.get_process_list() if p.name == "openvpn"]
- # return plist[0] if plist else None
- for process in psutil.get_process_list():
- if process.name == "openvpn":
+ for process in psutil.process_iter():
+ if OPENVPN_BIN in process.name:
return process
return None
+
+ def get_log(self, lines=1):
+ log = self._send_command("log %s" % lines)
+ return log