summaryrefslogtreecommitdiff
path: root/src/leap/services/eip
diff options
context:
space:
mode:
Diffstat (limited to 'src/leap/services/eip')
-rw-r--r--src/leap/services/eip/vpnlaunchers.py96
1 files changed, 73 insertions, 23 deletions
diff --git a/src/leap/services/eip/vpnlaunchers.py b/src/leap/services/eip/vpnlaunchers.py
index 952d3618..d15aed82 100644
--- a/src/leap/services/eip/vpnlaunchers.py
+++ b/src/leap/services/eip/vpnlaunchers.py
@@ -29,6 +29,7 @@ except ImportError:
pass # ignore, probably windows
from abc import ABCMeta, abstractmethod
+from functools import partial
from leap.common.check import leap_assert, leap_assert_type
from leap.common.files import which
@@ -105,22 +106,37 @@ def get_platform_launcher():
def _is_pkexec_in_system():
+ """
+ Checks the existence of the pkexec binary in system.
+ """
pkexec_path = which('pkexec')
if len(pkexec_path) == 0:
return False
return True
-def _has_updown_scripts(path):
+def _has_updown_scripts(path, warn=True):
"""
- Checks the existence of the up/down scripts
+ Checks the existence of the up/down scripts.
+
+ :param path: the path to be checked
+ :type path: str
+
+ :param warn: whether we should log the absence
+ :type warn: bool
+
+ :rtype: bool
"""
- # XXX should check permissions too
is_file = os.path.isfile(path)
- if not is_file:
- logger.error("Could not find up/down scripts. " +
- "Might produce DNS leaks.")
- return is_file
+ if warn and not is_file:
+ logger.error("Could not find up/down script %s. "
+ "Might produce DNS leaks." % (path,))
+
+ is_exe = os.access(path, os.X_OK)
+ if warn and not is_exe:
+ logger.error("Up/down script %s is not executable. "
+ "Might produce DNS leaks." % (path,))
+ return is_file and is_exe
def _is_auth_agent_running():
@@ -229,7 +245,6 @@ class LinuxVPNLauncher(VPNLauncher):
openvpn_configuration = eipconfig.get_openvpn_configuration()
- # FIXME: sanitize this! --
for key, value in openvpn_configuration.items():
args += ['--%s' % (key,), value]
@@ -294,15 +309,40 @@ class DarwinVPNLauncher(VPNLauncher):
OSASCRIPT_BIN = '/usr/bin/osascript'
OSX_ASADMIN = "do shell script \"%s\" with administrator privileges"
- OPENVPN_BIN = 'openvpn.leap'
- INSTALL_PATH = "/Applications/LEAPClient.app/"
+
+ INSTALL_PATH = "/Applications/LEAP\ Client.app"
# OPENVPN_BIN = "/%s/Contents/Resources/openvpn.leap" % (
# self.INSTALL_PATH,)
- UP_SCRIPT = "/%s/client.up.sh" % (INSTALL_PATH,)
- DOWN_SCRIPT = "/%s/client.down.sh" % (INSTALL_PATH,)
+ OPENVPN_BIN = 'openvpn.leap'
+ OPENVPN_PATH = "%s/Contents/Resources/openvpn" % (INSTALL_PATH,)
+
+ UP_SCRIPT = "%s/client.up.sh" % (OPENVPN_PATH,)
+ DOWN_SCRIPT = "%s/client.down.sh" % (OPENVPN_PATH,)
+ OPENVPN_DOWN_PLUGIN = '%s/openvpn-down-root.so' % (OPENVPN_PATH,)
+
+ UPDOWN_FILES = (UP_SCRIPT, DOWN_SCRIPT, OPENVPN_DOWN_PLUGIN)
- # TODO: Add
- # OPENVPN_DOWN_ROOT = "/usr/lib/openvpn/openvpn-down-root.so"
+ @classmethod
+ def missing_updown_scripts(kls):
+ """
+ Returns what updown scripts are missing.
+ :rtype: list
+ """
+ file_exist = partial(_has_updown_scripts, warn=False)
+ zipped = zip(kls.UPDOWN_FILES, map(file_exist, kls.UPDOWN_FILES))
+ missing = filter(lambda (path, exists): exists is False, zipped)
+ return [path for path, exists in missing]
+
+ @classmethod
+ def cmd_for_missing_scripts(kls, frompath):
+ """
+ Returns a command that can copy the missing scripts.
+ :rtype: str
+ """
+ to = kls.OPENVPN_PATH
+ cmd = "#!/bin/sh\nmkdir -p %s\ncp \"%s/\"* %s" % (to, frompath, to)
+ #return kls.OSX_ASADMIN % cmd
+ return cmd
def get_vpn_command(self, eipconfig=None, providerconfig=None,
socket_host=None, socket_port="unix"):
@@ -365,20 +405,19 @@ class DarwinVPNLauncher(VPNLauncher):
'server'
]
- # FIXME: sanitize this! --
-
openvpn_configuration = eipconfig.get_openvpn_configuration()
for key, value in openvpn_configuration.items():
args += ['--%s' % (key,), value]
+ user = getpass.getuser()
args += [
- '--user', getpass.getuser(),
+ '--user', user,
'--group', grp.getgrgid(os.getgroups()[-1]).gr_name
]
if socket_port == "unix":
args += [
- '--management-client-user', getpass.getuser()
+ '--management-client-user', user
]
args += [
@@ -391,13 +430,21 @@ class DarwinVPNLauncher(VPNLauncher):
args += [
'--up', self.UP_SCRIPT,
]
+
if _has_updown_scripts(self.DOWN_SCRIPT):
args += [
- '--down', self.DOWN_SCRIPT,
- # FIXME add down-plugin
- # '--plugin', self.OPENVPN_DOWN_ROOT,
- # '\'script_type=down %s\'' % self.DOWN_SCRIPT
- ]
+ '--down', self.DOWN_SCRIPT]
+
+ # should have the down script too
+ if _has_updown_scripts(self.OPENVPN_DOWN_PLUGIN):
+ args += [
+ '--plugin', self.OPENVPN_DOWN_PLUGIN,
+ '\'%s\'' % self.DOWN_SCRIPT
+ ]
+
+ # we set user to be passed to the up/down scripts
+ args += [
+ '--setenv', "LEAPUSER", "%s" % (user,)]
args += [
'--cert', eipconfig.get_client_cert_path(providerconfig),
@@ -405,6 +452,9 @@ class DarwinVPNLauncher(VPNLauncher):
'--ca', providerconfig.get_ca_cert_path()
]
+ # We are using osascript until we can write a proper wrapper
+ # for privilege escalation.
+
command = self.OSASCRIPT_BIN
cmd_args = ["-e", self.OSX_ASADMIN % (' '.join(args),)]