From 23502b72f8cd8a9ec2fd28387f7788aeef54c2d1 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 2 Aug 2012 02:21:45 +0900
Subject: create config file if not exist.

also locate openvpn binary when building eip
configparser defaults.
implement half of feature #356
---
 src/leap/eip/config.py | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 src/leap/eip/config.py

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
new file mode 100644
index 00000000..d8ffeb28
--- /dev/null
+++ b/src/leap/eip/config.py
@@ -0,0 +1,72 @@
+import ConfigParser
+import os
+
+from leap.util.fileutil import which, mkdir_p
+
+
+def get_sensible_defaults():
+    """
+    gathers a dict of sensible defaults,
+    platform sensitive,
+    to be used to initialize the config parser
+    """
+    defaults = dict()
+    defaults['openvpn_binary'] = which('openvpn')
+    return defaults
+
+
+def get_config(config_file=None):
+    """
+    temporary method for getting configs,
+    mainly for early stage development process.
+    in the future we will get preferences
+    from the storage api
+    """
+    # TODO
+    # - refactor out common things and get
+    # them to util/ or baseapp/
+
+    defaults = get_sensible_defaults()
+    config = ConfigParser.ConfigParser(defaults)
+
+    if not config_file:
+        fpath = os.path.expanduser('~/.config/leap/eip.cfg')
+        if not os.path.isfile(fpath):
+            dpath, cfile = os.path.split(fpath)
+            if not os.path.isdir(dpath):
+                mkdir_p(dpath)
+            with open(fpath, 'wb') as configfile:
+                config.write(configfile)
+        config_file = open(fpath)
+
+    #TODO
+    # - get a more sensible path for win/mac
+    # - convert config_file to list;
+    #   look in places like /etc/leap/eip.cfg
+    #   for global settings.
+    # - raise warnings/error if bad options.
+
+    try:
+        config.readfp(config_file)
+    except:
+        # XXX no file exists?
+        raise
+    return config
+
+
+# XXX wrapper around config? to get default values
+def get_with_defaults(config, section, option):
+    # XXX REMOVE ME
+    if config.has_option(section, option):
+        return config.get(section, option)
+    else:
+        # XXX lookup in defaults dict???
+        pass
+
+
+def get_vpn_stdout_mockup():
+    # XXX REMOVE ME
+    command = "python"
+    args = ["-u", "-c", "from eip_client import fakeclient;\
+fakeclient.write_output()"]
+    return command, args
-- 
cgit v1.2.3


From b9c9b5536f9d1648a196e741cdf4570f64c3fb11 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 3 Aug 2012 07:32:47 +0900
Subject: build default invocation command + options

if not found in config file.
fix #182 and #356
---
 src/leap/eip/config.py | 144 ++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 126 insertions(+), 18 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index d8ffeb28..3fca329c 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,17 +1,132 @@
 import ConfigParser
+import grp
 import os
+import platform
 
 from leap.util.fileutil import which, mkdir_p
 
 
+def build_ovpn_options():
+    """
+    build a list of options
+    to be passed in the
+    openvpn invocation
+    @rtype: list
+    @rparam: options
+    """
+    # XXX review which of the
+    # options we don't need.
+
+    # TODO pass also the config file,
+    # since we will need to take some
+    # things from there if present.
+
+    # get user/group name
+    # also from config.
+    user = os.getlogin()
+    gid = os.getgroups()[-1]
+    group = grp.getgrgid(gid).gr_name
+
+    opts = []
+    opts.append('--persist-tun')
+
+    # set user and group
+    opts.append('--user')
+    opts.append('%s' % user)
+    opts.append('--group')
+    opts.append('%s' % group)
+
+    opts.append('--management-client-user')
+    opts.append('%s' % user)
+    opts.append('--management-signal')
+
+    # set default options for management
+    # interface. unix sockets or telnet interface for win.
+    # XXX take them from the config object.
+
+    ourplatform = platform.system()
+    if ourplatform in ("Linux", "Mac"):
+        opts.append('--management')
+        opts.append('/tmp/.eip.sock')
+        opts.append('unix')
+    if ourplatform == "Windows":
+        opts.append('--management')
+        opts.append('localhost')
+        # XXX which is a good choice?
+        opts.append('7777')
+
+    # remaining config options, in a file
+    # NOTE: we will build this file from
+    # the service definition file.
+    ovpncnf = os.path.expanduser(
+        '~/.config/leap/openvpn.conf')
+    opts.append('--config')
+    opts.append(ovpncnf)
+
+    return opts
+
+
+def build_ovpn_command(config):
+    """
+    build a string with the
+    complete openvpn invocation
+
+    @param config: config object
+    @type config: ConfigParser instance
+
+    @rtype [string, [list of strings]]
+    @rparam: a list containing the command string
+        and a list of options.
+    """
+    command = []
+    use_pkexec = False
+    ovpn = None
+
+    if config.has_option('openvpn', 'openvpn_binary'):
+        ovpn = config.get('openvpn', 'openvpn_binary')
+    if not ovpn and config.has_option('DEFAULT', 'openvpn_binary'):
+        ovpn = config.get('DEFAULT', 'openvpn_binary')
+
+    if config.has_option('openvpn', 'use_pkexec'):
+        use_pkexec = config.get('openvpn', 'use_pkexec')
+
+    if use_pkexec:
+        command.append('pkexec')
+    if ovpn:
+        command.append(ovpn)
+
+    for opt in build_ovpn_options():
+        command.append(opt)
+
+    # XXX check len and raise proper error
+
+    return [command[0], command[1:]]
+
+
 def get_sensible_defaults():
     """
     gathers a dict of sensible defaults,
     platform sensitive,
     to be used to initialize the config parser
+    @rtype: dict
+    @rparam: default options.
     """
+
+    # this way we're passing a simple dict
+    # that will initialize the configparser
+    # and will get written to "DEFAULTS" section,
+    # which is fine for now.
+    # if we want to write to a particular section
+    # we can better pass a tuple of triples
+    # (('section1', 'foo', '23'),)
+    # and config.set them
+
     defaults = dict()
     defaults['openvpn_binary'] = which('openvpn')
+    defaults['autostart'] = 'true'
+
+    # TODO
+    # - management.
     return defaults
 
 
@@ -21,6 +136,9 @@ def get_config(config_file=None):
     mainly for early stage development process.
     in the future we will get preferences
     from the storage api
+
+    @rtype: ConfigParser instance
+    @rparam: a config object
     """
     # TODO
     # - refactor out common things and get
@@ -30,7 +148,8 @@ def get_config(config_file=None):
     config = ConfigParser.ConfigParser(defaults)
 
     if not config_file:
-        fpath = os.path.expanduser('~/.config/leap/eip.cfg')
+        fpath = os.path.expanduser(
+            '~/.config/leap/eip.cfg')
         if not os.path.isfile(fpath):
             dpath, cfile = os.path.split(fpath)
             if not os.path.isdir(dpath):
@@ -46,27 +165,16 @@ def get_config(config_file=None):
     #   for global settings.
     # - raise warnings/error if bad options.
 
-    try:
-        config.readfp(config_file)
-    except:
-        # XXX no file exists?
-        raise
-    return config
-
+    # at this point, the file should exist.
+    # errors would have been raised above.
+    config.readfp(config_file)
 
-# XXX wrapper around config? to get default values
-def get_with_defaults(config, section, option):
-    # XXX REMOVE ME
-    if config.has_option(section, option):
-        return config.get(section, option)
-    else:
-        # XXX lookup in defaults dict???
-        pass
+    return config
 
 
 def get_vpn_stdout_mockup():
     # XXX REMOVE ME
     command = "python"
-    args = ["-u", "-c", "from eip_client import fakeclient;\
-fakeclient.write_output()"]
+    args = ["-u", "-c", ("from eip_client import fakeclient;"
+                         "fakeclient.write_output()")]
     return command, args
-- 
cgit v1.2.3


From 81613b2ef70e5d73b7c34eb4b78ee63189b45ab6 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 3 Aug 2012 09:42:14 +0900
Subject: pkexec check

---
 src/leap/eip/config.py | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 3fca329c..c632ba40 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -4,6 +4,11 @@ import os
 import platform
 
 from leap.util.fileutil import which, mkdir_p
+from leap.baseapp.permcheck import is_pkexec_in_system
+
+
+class EIPNoPkexecAvailable(Exception):
+    pass
 
 
 def build_ovpn_options():
@@ -79,19 +84,35 @@ def build_ovpn_command(config):
         and a list of options.
     """
     command = []
-    use_pkexec = False
+    use_pkexec = True
     ovpn = None
 
-    if config.has_option('openvpn', 'openvpn_binary'):
-        ovpn = config.get('openvpn', 'openvpn_binary')
-    if not ovpn and config.has_option('DEFAULT', 'openvpn_binary'):
-        ovpn = config.get('DEFAULT', 'openvpn_binary')
-
     if config.has_option('openvpn', 'use_pkexec'):
         use_pkexec = config.get('openvpn', 'use_pkexec')
+    if platform.system() == "Linux" and use_pkexec:
+
+        # XXX check for both pkexec (done)
+        # AND a suitable authentication
+        # agent running.
+
+        if not is_pkexec_in_system():
+            raise EIPNoPkexecAvailable
+
+        #TBD --
+        #if not is_auth_agent_running()
+        # raise EIPNoPolkitAuthAgentAvailable
 
-    if use_pkexec:
         command.append('pkexec')
+
+    if config.has_option('openvpn',
+                         'openvpn_binary'):
+        ovpn = config.get('openvpn',
+                          'openvpn_binary')
+    if not ovpn and config.has_option('DEFAULT',
+                                      'openvpn_binary'):
+        ovpn = config.get('DEFAULT',
+                          'openvpn_binary')
+
     if ovpn:
         command.append(ovpn)
 
-- 
cgit v1.2.3


From 5c34052ef9261a47947e3e03616fe34b099b9fa4 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 3 Aug 2012 10:18:50 +0900
Subject: stub for daemon mode; disabled by now until #383 is fixed

---
 src/leap/eip/config.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index c632ba40..4577837a 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -11,7 +11,7 @@ class EIPNoPkexecAvailable(Exception):
     pass
 
 
-def build_ovpn_options():
+def build_ovpn_options(daemon=False):
     """
     build a list of options
     to be passed in the
@@ -68,10 +68,16 @@ def build_ovpn_options():
     opts.append('--config')
     opts.append(ovpncnf)
 
+    # we cannot run in daemon mode
+    # with the current subp setting.
+    # see: https://leap.se/code/issues/383
+    #if daemon is True:
+    #    opts.append('--daemon')
+
     return opts
 
 
-def build_ovpn_command(config):
+def build_ovpn_command(config, debug=False):
     """
     build a string with the
     complete openvpn invocation
@@ -116,7 +122,9 @@ def build_ovpn_command(config):
     if ovpn:
         command.append(ovpn)
 
-    for opt in build_ovpn_options():
+    daemon_mode = not debug
+
+    for opt in build_ovpn_options(daemon=daemon_mode):
         command.append(opt)
 
     # XXX check len and raise proper error
@@ -191,11 +199,3 @@ def get_config(config_file=None):
     config.readfp(config_file)
 
     return config
-
-
-def get_vpn_stdout_mockup():
-    # XXX REMOVE ME
-    command = "python"
-    args = ["-u", "-c", ("from eip_client import fakeclient;"
-                         "fakeclient.write_output()")]
-    return command, args
-- 
cgit v1.2.3


From 0bb8cca027ab32a54f6792ab1b1368e2f1845368 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 3 Aug 2012 10:46:22 +0900
Subject: check also for a suitable polkit-authentication-agent running

fix #382.
---
 src/leap/eip/config.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 4577837a..9583720e 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -4,13 +4,18 @@ import os
 import platform
 
 from leap.util.fileutil import which, mkdir_p
-from leap.baseapp.permcheck import is_pkexec_in_system
+from leap.baseapp.permcheck import (is_pkexec_in_system,
+                                    is_auth_agent_running)
 
 
 class EIPNoPkexecAvailable(Exception):
     pass
 
 
+class EIPNoPolkitAuthAgentAvailable(Exception):
+    pass
+
+
 def build_ovpn_options(daemon=False):
     """
     build a list of options
@@ -34,6 +39,7 @@ def build_ovpn_options(daemon=False):
 
     opts = []
     opts.append('--persist-tun')
+    opts.append('--persist-key')
 
     # set user and group
     opts.append('--user')
@@ -104,9 +110,8 @@ def build_ovpn_command(config, debug=False):
         if not is_pkexec_in_system():
             raise EIPNoPkexecAvailable
 
-        #TBD --
-        #if not is_auth_agent_running()
-        # raise EIPNoPolkitAuthAgentAvailable
+        if not is_auth_agent_running():
+            raise EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
 
-- 
cgit v1.2.3


From a6416bd5e4dc57390ba0748878d229098aeca42e Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 3 Aug 2012 11:17:04 +0900
Subject: added log info for polkit checks

---
 src/leap/eip/config.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 9583720e..f0cf1d86 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,5 +1,6 @@
 import ConfigParser
 import grp
+import logging
 import os
 import platform
 
@@ -7,6 +8,8 @@ from leap.util.fileutil import which, mkdir_p
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 
+logger = logging.getLogger(name=__name__)
+
 
 class EIPNoPkexecAvailable(Exception):
     pass
@@ -106,11 +109,18 @@ def build_ovpn_command(config, debug=False):
         # XXX check for both pkexec (done)
         # AND a suitable authentication
         # agent running.
+        logger.info('use_pkexec set to True')
 
         if not is_pkexec_in_system():
+            logger.error('no pkexec in system')
             raise EIPNoPkexecAvailable
 
         if not is_auth_agent_running():
+            logger.warning(
+                "no polkit auth agent found. "
+                "pkexec will use its own text "
+                "based authentication agent. "
+                "that's probably a bad idea")
             raise EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
-- 
cgit v1.2.3


From 36b0dfacca794e9cb899b5dde2dae3b8bbc6cc43 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Tue, 7 Aug 2012 04:14:06 +0900
Subject: build default provider openvpn config.

preparation for completion of #356, #355, #354, #182
if no default openvpn config is present, we build one
with a preset template and the remote_ip of the eip
service as the only input. right now we're taking it from
the eip.cfg file.
---
 src/leap/eip/config.py | 149 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 140 insertions(+), 9 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index f0cf1d86..9af6f57a 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -9,6 +9,7 @@ from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 
 logger = logging.getLogger(name=__name__)
+logger.setLevel('DEBUG')
 
 
 class EIPNoPkexecAvailable(Exception):
@@ -19,6 +20,129 @@ class EIPNoPolkitAuthAgentAvailable(Exception):
     pass
 
 
+OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
+remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
+
+client
+dev tun
+persist-tun
+persist-key
+proto udp
+tls-client
+remote-cert-tls server
+
+cert {LEAP_EIP_KEYS}
+key {LEAP_EIP_KEYS}
+ca {LEAP_EIP_KEYS}
+"""
+
+
+def get_config_dir():
+    """
+    get the base dir for all leap config
+    @rparam: config path
+    @rtype: string
+    """
+    # TODO
+    # check for $XDG_CONFIG_HOME var?
+    # get a more sensible path for win/mac
+    # kclair: opinion? ^^
+    return os.path.expanduser(
+        os.path.join('~',
+                     '.config',
+                     'leap'))
+
+
+def get_config_file(filename, folder=None):
+    """
+    concatenates the given filename
+    with leap config dir.
+    @param filename: name of the file
+    @type filename: string
+    @rparam: full path to config file
+    """
+    path = []
+    path.append(get_config_dir())
+    if folder is not None:
+        path.append(folder)
+    path.append(filename)
+    return os.path.join(*path)
+
+
+def get_default_provider_path():
+    default_subpath = os.path.join("providers",
+                                   "default")
+    default_provider_path = get_config_file(
+        '',
+        folder=default_subpath)
+    return default_provider_path
+
+
+def check_or_create_default_vpnconf(config):
+    """
+    checks that a vpn config file
+    exists for a default provider,
+    or creates one if it does not.
+    ATM REQURES A [provider] section in
+    eip.cfg with _at least_ a remote_ip value
+    """
+    default_provider_path = get_default_provider_path()
+
+    if not os.path.isdir(default_provider_path):
+        mkdir_p(default_provider_path)
+
+    conf_file = get_config_file(
+        'openvpn.conf',
+        folder=default_provider_path)
+
+    if os.path.isfile(conf_file):
+        return
+    else:
+        logger.debug(
+            'missing default openvpn config\n'
+            'creating one...')
+
+    # We're getting provider from eip.cfg
+    # by now. Get it from a list of gateways
+    # instead.
+
+    remote_ip = config.get('provider',
+                           'remote_ip')
+
+    # XXX check that IT LOOKS LIKE AN IP!!!
+    if config.has_option('provider', 'remote_port'):
+        remote_port = config.get('provider',
+                                 'remote_port')
+    else:
+        remote_port = 1194
+
+    default_subpath = os.path.join("providers",
+                                   "default")
+    default_provider_path = get_config_file(
+        '',
+        folder=default_subpath)
+
+    if not os.path.isdir(default_provider_path):
+        mkdir_p(default_provider_path)
+
+    conf_file = get_config_file(
+        'openvpn.conf',
+        folder=default_provider_path)
+
+    # XXX keys have to be manually placed by now
+    keys_file = get_config_file(
+        'openvpn.keys',
+        folder=default_provider_path)
+
+    ovpn_config = OPENVPN_CONFIG_TEMPLATE.format(
+        VPN_REMOTE_HOST=remote_ip,
+        VPN_REMOTE_PORT=remote_port,
+        LEAP_EIP_KEYS=keys_file)
+
+    with open(conf_file, 'wb') as f:
+        f.write(ovpn_config)
+
+
 def build_ovpn_options(daemon=False):
     """
     build a list of options
@@ -41,8 +165,10 @@ def build_ovpn_options(daemon=False):
     group = grp.getgrgid(gid).gr_name
 
     opts = []
-    opts.append('--persist-tun')
-    opts.append('--persist-key')
+
+    #moved to config files
+    #opts.append('--persist-tun')
+    #opts.append('--persist-key')
 
     # set user and group
     opts.append('--user')
@@ -69,19 +195,25 @@ def build_ovpn_options(daemon=False):
         # XXX which is a good choice?
         opts.append('7777')
 
-    # remaining config options, in a file
+    # remaining config options will go in a file
+
     # NOTE: we will build this file from
     # the service definition file.
-    ovpncnf = os.path.expanduser(
-        '~/.config/leap/openvpn.conf')
+    # XXX override from --with-openvpn-config
+
     opts.append('--config')
+
+    default_provider_path = get_default_provider_path()
+    ovpncnf = get_config_file(
+        'openvpn.conf',
+        folder=default_provider_path)
     opts.append(ovpncnf)
 
     # we cannot run in daemon mode
     # with the current subp setting.
     # see: https://leap.se/code/issues/383
     #if daemon is True:
-    #    opts.append('--daemon')
+        #opts.append('--daemon')
 
     return opts
 
@@ -192,8 +324,7 @@ def get_config(config_file=None):
     config = ConfigParser.ConfigParser(defaults)
 
     if not config_file:
-        fpath = os.path.expanduser(
-            '~/.config/leap/eip.cfg')
+        fpath = get_config_file('eip.cfg')
         if not os.path.isfile(fpath):
             dpath, cfile = os.path.split(fpath)
             if not os.path.isdir(dpath):
@@ -203,7 +334,6 @@ def get_config(config_file=None):
         config_file = open(fpath)
 
     #TODO
-    # - get a more sensible path for win/mac
     # - convert config_file to list;
     #   look in places like /etc/leap/eip.cfg
     #   for global settings.
@@ -211,6 +341,7 @@ def get_config(config_file=None):
 
     # at this point, the file should exist.
     # errors would have been raised above.
+
     config.readfp(config_file)
 
     return config
-- 
cgit v1.2.3


From 530e10214a6f018909714b288d997df13ab4f9df Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 8 Aug 2012 06:53:10 +0900
Subject: check for bad permissions on vpn key files

---
 src/leap/eip/config.py | 56 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 9af6f57a..91c3953b 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -4,13 +4,17 @@ import logging
 import os
 import platform
 
-from leap.util.fileutil import which, mkdir_p
+from leap.util.fileutil import (which, mkdir_p,
+                                check_and_fix_urw_only)
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
+# XXX move exceptions to
+# from leap.eip import exceptions as eip_exceptions
+
 
 class EIPNoPkexecAvailable(Exception):
     pass
@@ -20,6 +24,14 @@ class EIPNoPolkitAuthAgentAvailable(Exception):
     pass
 
 
+class EIPInitNoKeyFileError(Exception):
+    pass
+
+
+class EIPInitBadKeyFilePermError(Exception):
+    pass
+
+
 OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
 remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
 
@@ -345,3 +357,45 @@ def get_config(config_file=None):
     config.readfp(config_file)
 
     return config
+
+
+def check_vpn_keys(config):
+    """
+    performs an existance and permission check
+    over the openvpn keys file.
+    Currently we're expecting a single file
+    per provider, containing the CA cert,
+    the provider key, and our client certificate
+    """
+
+    keyopt = ('provider', 'keyfile')
+
+    # XXX at some point,
+    # should separate between CA, provider cert
+    # and our certificate.
+    # make changes in the default provider template
+    # accordingly.
+
+    # get vpn keys
+    if config.has_option(*keyopt):
+        keyfile = config.get(*keyopt)
+    else:
+        keyfile = get_config_file(
+            'openvpn.keys',
+            folder=get_default_provider_path())
+        logger.debug('keyfile = %s', keyfile)
+
+    # if no keys, raise error.
+    # should be catched by the ui and signal user.
+
+    if not os.path.isfile(keyfile):
+        logger.error('key file %s not found. aborting.',
+                     keyfile)
+        raise EIPInitNoKeyFileError
+
+    # check proper permission on keys
+    # bad perms? try to fix them
+    try:
+        check_and_fix_urw_only(keyfile)
+    except OSError:
+        raise EIPInitBadKeyFilePermError
-- 
cgit v1.2.3


From c217bd1f1456cf10ceabf698ea6f4dd8f636f454 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 8 Aug 2012 07:22:36 +0900
Subject: check for validity of the remote_ip entry (is ip?)

---
 src/leap/eip/config.py | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 91c3953b..6118c9de 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -3,6 +3,7 @@ import grp
 import logging
 import os
 import platform
+import socket
 
 from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
@@ -24,6 +25,14 @@ class EIPNoPolkitAuthAgentAvailable(Exception):
     pass
 
 
+class EIPInitNoProviderError(Exception):
+    pass
+
+
+class EIPInitBadProviderError(Exception):
+    pass
+
+
 class EIPInitNoKeyFileError(Exception):
     pass
 
@@ -90,6 +99,14 @@ def get_default_provider_path():
     return default_provider_path
 
 
+def validate_ip(ip_str):
+    """
+    raises exception if the ip_str is
+    not a valid representation of an ip
+    """
+    socket.inet_aton(ip_str)
+
+
 def check_or_create_default_vpnconf(config):
     """
     checks that a vpn config file
@@ -118,10 +135,18 @@ def check_or_create_default_vpnconf(config):
     # by now. Get it from a list of gateways
     # instead.
 
-    remote_ip = config.get('provider',
-                           'remote_ip')
+    try:
+        remote_ip = config.get('provider',
+                               'remote_ip')
+        validate_ip(remote_ip)
+
+    except ConfigParser.NoOptionError:
+        raise EIPInitNoProviderError
+
+    except socket.error:
+        # this does not look like an ip, dave
+        raise EIPInitBadProviderError
 
-    # XXX check that IT LOOKS LIKE AN IP!!!
     if config.has_option('provider', 'remote_port'):
         remote_port = config.get('provider',
                                  'remote_port')
-- 
cgit v1.2.3


From 738b4bf8c6b75a1d73b7fa3e1a5edb69adf9d8a0 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Tue, 21 Aug 2012 04:58:05 +0900
Subject: fix out-of-sync refactor.

manually merge changes from the develop branch that were lost due
to having branched a previous state when refactored former "conductor"
class.

also, moved more exceptions to its own file.
---
 src/leap/eip/config.py | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 6118c9de..8e55d789 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -9,37 +9,15 @@ from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
+from leap.eip import exceptions as eip_exceptions
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
-# XXX move exceptions to
-# from leap.eip import exceptions as eip_exceptions
-
-
-class EIPNoPkexecAvailable(Exception):
-    pass
-
-
-class EIPNoPolkitAuthAgentAvailable(Exception):
-    pass
-
-
-class EIPInitNoProviderError(Exception):
-    pass
-
-
-class EIPInitBadProviderError(Exception):
-    pass
-
-
-class EIPInitNoKeyFileError(Exception):
-    pass
-
-
-class EIPInitBadKeyFilePermError(Exception):
-    pass
-
+# XXX this has to be REMOVED
+# and all these options passed in the
+# command line --> move to build_ovpn_command
+# issue #447
 
 OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
 remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
@@ -278,11 +256,12 @@ def build_ovpn_command(config, debug=False):
         # XXX check for both pkexec (done)
         # AND a suitable authentication
         # agent running.
+        # (until we implement setuid helper)
         logger.info('use_pkexec set to True')
 
         if not is_pkexec_in_system():
             logger.error('no pkexec in system')
-            raise EIPNoPkexecAvailable
+            raise eip_exceptions.EIPNoPkexecAvailable
 
         if not is_auth_agent_running():
             logger.warning(
@@ -290,7 +269,7 @@ def build_ovpn_command(config, debug=False):
                 "pkexec will use its own text "
                 "based authentication agent. "
                 "that's probably a bad idea")
-            raise EIPNoPolkitAuthAgentAvailable
+            raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
 
@@ -312,7 +291,6 @@ def build_ovpn_command(config, debug=False):
         command.append(opt)
 
     # XXX check len and raise proper error
-
     return [command[0], command[1:]]
 
 
-- 
cgit v1.2.3


From ac00ec313a142e910447857c0e46e6d36c7f2ab2 Mon Sep 17 00:00:00 2001
From: antialias <antialias@leap.se>
Date: Tue, 21 Aug 2012 10:12:22 -0700
Subject: Error fixes and json commit.

---
 src/leap/eip/config.py | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 8e55d789..a219fedb 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -2,6 +2,7 @@ import ConfigParser
 import grp
 import logging
 import os
+import json
 import platform
 import socket
 
@@ -118,8 +119,8 @@ def check_or_create_default_vpnconf(config):
                                'remote_ip')
         validate_ip(remote_ip)
 
-    except ConfigParser.NoOptionError:
-        raise EIPInitNoProviderError
+    except ConfigParser.NoSectionError:
+        raise eip_exceptions.EIPInitNoProviderError
 
     except socket.error:
         # this does not look like an ip, dave
@@ -394,7 +395,7 @@ def check_vpn_keys(config):
     if not os.path.isfile(keyfile):
         logger.error('key file %s not found. aborting.',
                      keyfile)
-        raise EIPInitNoKeyFileError
+        raise eip_exceptions.EIPInitNoKeyFileError
 
     # check proper permission on keys
     # bad perms? try to fix them
@@ -402,3 +403,27 @@ def check_vpn_keys(config):
         check_and_fix_urw_only(keyfile)
     except OSError:
         raise EIPInitBadKeyFilePermError
+        
+        
+def get_config_json(config_file=None):
+    """
+    will replace get_config function be developing them
+    in parralel for branch purposes.
+    @param: configuration file
+    @type: file 
+    @rparam: configuration turples
+    @rtype: dictionary
+    """
+    if not config_file:
+        fpath = get_config_file('eip.json')
+        if not os.path.isfile(fpath):
+            dpath, cfile = os.path.split(fpath)
+            if not os.path.isdir(dpath):
+                mkdir_p(dpath)
+            with open(fpath, 'wb') as configfile:
+                configfile.write()
+        config_file = open(fpath)
+
+    config = json.load(config_file)
+
+    return config
-- 
cgit v1.2.3


From 5f6064b9dfa102b1115d5e3a6ecfb22cdcf82d14 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 22 Aug 2012 04:47:14 +0900
Subject: config tests

---
 src/leap/eip/config.py | 72 +++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 54 insertions(+), 18 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 8e55d789..8c67a258 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -9,15 +9,37 @@ from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
-from leap.eip import exceptions as eip_exceptions
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
-# XXX this has to be REMOVED
-# and all these options passed in the
-# command line --> move to build_ovpn_command
-# issue #447
+# XXX move exceptions:
+# from leap.eip import exceptions as eip_exceptions
+
+
+class EIPNoPkexecAvailable(Exception):
+    pass
+
+
+class EIPNoPolkitAuthAgentAvailable(Exception):
+    pass
+
+
+class EIPInitNoProviderError(Exception):
+    pass
+
+
+class EIPInitBadProviderError(Exception):
+    pass
+
+
+class EIPInitNoKeyFileError(Exception):
+    pass
+
+
+class EIPInitBadKeyFilePermError(Exception):
+    pass
+
 
 OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
 remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
@@ -114,6 +136,10 @@ def check_or_create_default_vpnconf(config):
     # instead.
 
     try:
+        # XXX by now, we're expecting
+        # only IP format for remote.
+        # We should allow also domain names,
+        # and make a reverse resolv.
         remote_ip = config.get('provider',
                                'remote_ip')
         validate_ip(remote_ip)
@@ -158,6 +184,15 @@ def check_or_create_default_vpnconf(config):
         f.write(ovpn_config)
 
 
+def get_username():
+    return os.getlogin()
+
+
+def get_groupname():
+    gid = os.getgroups()[-1]
+    return grp.getgrgid(gid).gr_name
+
+
 def build_ovpn_options(daemon=False):
     """
     build a list of options
@@ -175,16 +210,11 @@ def build_ovpn_options(daemon=False):
 
     # get user/group name
     # also from config.
-    user = os.getlogin()
-    gid = os.getgroups()[-1]
-    group = grp.getgrgid(gid).gr_name
+    user = get_username()
+    group = get_groupname()
 
     opts = []
 
-    #moved to config files
-    #opts.append('--persist-tun')
-    #opts.append('--persist-key')
-
     # set user and group
     opts.append('--user')
     opts.append('%s' % user)
@@ -219,6 +249,8 @@ def build_ovpn_options(daemon=False):
     opts.append('--config')
 
     default_provider_path = get_default_provider_path()
+
+    # XXX get rid of config_file at all
     ovpncnf = get_config_file(
         'openvpn.conf',
         folder=default_provider_path)
@@ -233,7 +265,7 @@ def build_ovpn_options(daemon=False):
     return opts
 
 
-def build_ovpn_command(config, debug=False):
+def build_ovpn_command(config, debug=False, do_pkexec_check=True):
     """
     build a string with the
     complete openvpn invocation
@@ -251,17 +283,16 @@ def build_ovpn_command(config, debug=False):
 
     if config.has_option('openvpn', 'use_pkexec'):
         use_pkexec = config.get('openvpn', 'use_pkexec')
-    if platform.system() == "Linux" and use_pkexec:
+    if platform.system() == "Linux" and use_pkexec and do_pkexec_check:
 
         # XXX check for both pkexec (done)
         # AND a suitable authentication
         # agent running.
-        # (until we implement setuid helper)
         logger.info('use_pkexec set to True')
 
         if not is_pkexec_in_system():
             logger.error('no pkexec in system')
-            raise eip_exceptions.EIPNoPkexecAvailable
+            raise EIPNoPkexecAvailable
 
         if not is_auth_agent_running():
             logger.warning(
@@ -269,7 +300,7 @@ def build_ovpn_command(config, debug=False):
                 "pkexec will use its own text "
                 "based authentication agent. "
                 "that's probably a bad idea")
-            raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
+            raise EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
 
@@ -283,7 +314,11 @@ def build_ovpn_command(config, debug=False):
                           'openvpn_binary')
 
     if ovpn:
-        command.append(ovpn)
+        vpn_command = ovpn
+    else:
+        vpn_command = "openvpn"
+
+    command.append(vpn_command)
 
     daemon_mode = not debug
 
@@ -291,6 +326,7 @@ def build_ovpn_command(config, debug=False):
         command.append(opt)
 
     # XXX check len and raise proper error
+
     return [command[0], command[1:]]
 
 
-- 
cgit v1.2.3


From 6ce22c7ebd293550473bfa5453a2f720dffad3e8 Mon Sep 17 00:00:00 2001
From: antialias <antialias@leap.se>
Date: Tue, 21 Aug 2012 13:46:01 -0700
Subject: minor pep8 clean up.

---
 src/leap/eip/config.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index a219fedb..e0151e87 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -403,14 +403,14 @@ def check_vpn_keys(config):
         check_and_fix_urw_only(keyfile)
     except OSError:
         raise EIPInitBadKeyFilePermError
-        
-        
+
+
 def get_config_json(config_file=None):
     """
     will replace get_config function be developing them
     in parralel for branch purposes.
     @param: configuration file
-    @type: file 
+    @type: file
     @rparam: configuration turples
     @rtype: dictionary
     """
@@ -421,7 +421,7 @@ def get_config_json(config_file=None):
             if not os.path.isdir(dpath):
                 mkdir_p(dpath)
             with open(fpath, 'wb') as configfile:
-                configfile.write()
+                configfile.flush()
         config_file = open(fpath)
 
     config = json.load(config_file)
-- 
cgit v1.2.3


From 3bd45c8e1e020bebf041bc266c5092a41f944130 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 22 Aug 2012 07:05:39 +0900
Subject: removed dup exceptions

---
 src/leap/eip/config.py | 28 ----------------------------
 1 file changed, 28 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 8c67a258..a1dc2764 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -13,34 +13,6 @@ from leap.baseapp.permcheck import (is_pkexec_in_system,
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
-# XXX move exceptions:
-# from leap.eip import exceptions as eip_exceptions
-
-
-class EIPNoPkexecAvailable(Exception):
-    pass
-
-
-class EIPNoPolkitAuthAgentAvailable(Exception):
-    pass
-
-
-class EIPInitNoProviderError(Exception):
-    pass
-
-
-class EIPInitBadProviderError(Exception):
-    pass
-
-
-class EIPInitNoKeyFileError(Exception):
-    pass
-
-
-class EIPInitBadKeyFilePermError(Exception):
-    pass
-
-
 OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
 remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
 
-- 
cgit v1.2.3


From 83ac2efaa10de68f7fd35189f6cf272b03d60a30 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 22 Aug 2012 07:46:51 +0900
Subject: fix exceptions location

---
 src/leap/eip/config.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index c77bb142..f38268e2 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -10,6 +10,7 @@ from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
+from leap.eip import exceptions as eip_exceptions
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
@@ -122,7 +123,7 @@ def check_or_create_default_vpnconf(config):
 
     except socket.error:
         # this does not look like an ip, dave
-        raise EIPInitBadProviderError
+        raise eip_exceptions.EIPInitBadProviderError
 
     if config.has_option('provider', 'remote_port'):
         remote_port = config.get('provider',
@@ -265,7 +266,7 @@ def build_ovpn_command(config, debug=False, do_pkexec_check=True):
 
         if not is_pkexec_in_system():
             logger.error('no pkexec in system')
-            raise EIPNoPkexecAvailable
+            raise eip_exceptions.EIPNoPkexecAvailable
 
         if not is_auth_agent_running():
             logger.warning(
@@ -273,7 +274,7 @@ def build_ovpn_command(config, debug=False, do_pkexec_check=True):
                 "pkexec will use its own text "
                 "based authentication agent. "
                 "that's probably a bad idea")
-            raise EIPNoPolkitAuthAgentAvailable
+            raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
 
@@ -410,7 +411,7 @@ def check_vpn_keys(config):
     try:
         check_and_fix_urw_only(keyfile)
     except OSError:
-        raise EIPInitBadKeyFilePermError
+        raise eip_exceptions.EIPInitBadKeyFilePermError
 
 
 def get_config_json(config_file=None):
-- 
cgit v1.2.3


From 97ea8ee2fa43d345cf3f1013c87569155680625b Mon Sep 17 00:00:00 2001
From: antialias <antialias@leap.se>
Date: Wed, 22 Aug 2012 14:01:22 -0700
Subject: moved help functions from eip/config.py to base/configuration.py.
 (cherry picked from get-definition.json branch)

solve merge conflict since antialias was working in
a version in which baseconfig was still at `configuration` file.

Conflicts:
	src/leap/base/configuration.py
---
 src/leap/eip/config.py | 89 +++-----------------------------------------------
 1 file changed, 5 insertions(+), 84 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index f38268e2..8d5c19da 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,13 +1,16 @@
 import ConfigParser
-import grp
 import logging
 import os
-import json
 import platform
 import socket
 
 from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
+from leap.base.config import (get_default_provider_path,
+                              get_config_file,
+                              get_username,
+                              get_groupname,
+                              validate_ip)
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 from leap.eip import exceptions as eip_exceptions
@@ -32,55 +35,6 @@ ca {LEAP_EIP_KEYS}
 """
 
 
-def get_config_dir():
-    """
-    get the base dir for all leap config
-    @rparam: config path
-    @rtype: string
-    """
-    # TODO
-    # check for $XDG_CONFIG_HOME var?
-    # get a more sensible path for win/mac
-    # kclair: opinion? ^^
-    return os.path.expanduser(
-        os.path.join('~',
-                     '.config',
-                     'leap'))
-
-
-def get_config_file(filename, folder=None):
-    """
-    concatenates the given filename
-    with leap config dir.
-    @param filename: name of the file
-    @type filename: string
-    @rparam: full path to config file
-    """
-    path = []
-    path.append(get_config_dir())
-    if folder is not None:
-        path.append(folder)
-    path.append(filename)
-    return os.path.join(*path)
-
-
-def get_default_provider_path():
-    default_subpath = os.path.join("providers",
-                                   "default")
-    default_provider_path = get_config_file(
-        '',
-        folder=default_subpath)
-    return default_provider_path
-
-
-def validate_ip(ip_str):
-    """
-    raises exception if the ip_str is
-    not a valid representation of an ip
-    """
-    socket.inet_aton(ip_str)
-
-
 def check_or_create_default_vpnconf(config):
     """
     checks that a vpn config file
@@ -158,15 +112,6 @@ def check_or_create_default_vpnconf(config):
         f.write(ovpn_config)
 
 
-def get_username():
-    return os.getlogin()
-
-
-def get_groupname():
-    gid = os.getgroups()[-1]
-    return grp.getgrgid(gid).gr_name
-
-
 def build_ovpn_options(daemon=False):
     """
     build a list of options
@@ -412,27 +357,3 @@ def check_vpn_keys(config):
         check_and_fix_urw_only(keyfile)
     except OSError:
         raise eip_exceptions.EIPInitBadKeyFilePermError
-
-
-def get_config_json(config_file=None):
-    """
-    will replace get_config function be developing them
-    in parralel for branch purposes.
-    @param: configuration file
-    @type: file
-    @rparam: configuration turples
-    @rtype: dictionary
-    """
-    if not config_file:
-        fpath = get_config_file('eip.json')
-        if not os.path.isfile(fpath):
-            dpath, cfile = os.path.split(fpath)
-            if not os.path.isdir(dpath):
-                mkdir_p(dpath)
-            with open(fpath, 'wb') as configfile:
-                configfile.flush()
-        config_file = open(fpath)
-
-    config = json.load(config_file)
-
-    return config
-- 
cgit v1.2.3


From 4a46723219e5284bec21b9dccd6589a670babc63 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Mon, 27 Aug 2012 23:21:43 +0900
Subject: add test_dump_default_eipconfig to eip.test_checks

plus a little bit of cleaning around (created constants file).
added some notes about inminent deprecation *work in progress*
---
 src/leap/eip/config.py | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 8d5c19da..2694ca61 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,4 +1,5 @@
-import ConfigParser
+import ConfigParser  # to be deprecated
+import json
 import logging
 import os
 import platform
@@ -6,6 +7,8 @@ import socket
 
 from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
+
+# from leap.base import config as baseconfig
 from leap.base.config import (get_default_provider_path,
                               get_config_file,
                               get_username,
@@ -14,6 +17,7 @@ from leap.base.config import (get_default_provider_path,
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 from leap.eip import exceptions as eip_exceptions
+from leap.eip import constants as eipconstants
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
@@ -276,6 +280,8 @@ def get_sensible_defaults():
     return defaults
 
 
+# XXX to be deprecated. see dump_default_eipconfig
+# and the new JSONConfig classes.
 def get_config(config_file=None):
     """
     temporary method for getting configs,
@@ -286,10 +292,6 @@ def get_config(config_file=None):
     @rtype: ConfigParser instance
     @rparam: a config object
     """
-    # TODO
-    # - refactor out common things and get
-    # them to util/ or baseapp/
-
     defaults = get_sensible_defaults()
     config = ConfigParser.ConfigParser(defaults)
 
@@ -302,21 +304,24 @@ def get_config(config_file=None):
             with open(fpath, 'wb') as configfile:
                 config.write(configfile)
         config_file = open(fpath)
-
-    #TODO
-    # - convert config_file to list;
-    #   look in places like /etc/leap/eip.cfg
-    #   for global settings.
-    # - raise warnings/error if bad options.
-
-    # at this point, the file should exist.
-    # errors would have been raised above.
-
     config.readfp(config_file)
-
     return config
 
 
+def dump_default_eipconfig(filepath):
+    """
+    writes a sample eip config
+    in the given location
+    """
+    # XXX TODO:
+    # use EIPConfigSpec istead
+    folder, filename = os.path.split(filepath)
+    if not os.path.isdir(folder):
+        mkdir_p(folder)
+    with open(filepath, 'w') as fp:
+        json.dump(eipconstants.EIP_SAMPLE_JSON, fp)
+
+
 def check_vpn_keys(config):
     """
     performs an existance and permission check
-- 
cgit v1.2.3


From ed4ad3a392caf0211e51a48d2d7b6c5a2f7bb17a Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 29 Aug 2012 23:05:38 +0900
Subject: add eipconfig spec and config object

---
 src/leap/eip/config.py | 47 ++++++++++++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 19 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 2694ca61..34f05070 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -8,20 +8,17 @@ import socket
 from leap.util.fileutil import (which, mkdir_p,
                                 check_and_fix_urw_only)
 
-# from leap.base import config as baseconfig
-from leap.base.config import (get_default_provider_path,
-                              get_config_file,
-                              get_username,
-                              get_groupname,
-                              validate_ip)
+from leap.base import config as baseconfig
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 from leap.eip import exceptions as eip_exceptions
 from leap.eip import constants as eipconstants
+from leap.eip import specs as eipspecs
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
+# XXX deprecate per #447
 OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
 remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
 
@@ -39,6 +36,18 @@ ca {LEAP_EIP_KEYS}
 """
 
 
+class EIPConfig(baseconfig.JSONLeapConfig):
+    spec = eipspecs.eipconfig_spec
+
+    def _get_slug(self):
+        return baseconfig.get_config_file('eip.json')
+
+    def _set_slug(self, *args, **kwargs):
+        raise AttributeError("you cannot set slug")
+
+    slug = property(_get_slug, _set_slug)
+
+
 def check_or_create_default_vpnconf(config):
     """
     checks that a vpn config file
@@ -47,12 +56,12 @@ def check_or_create_default_vpnconf(config):
     ATM REQURES A [provider] section in
     eip.cfg with _at least_ a remote_ip value
     """
-    default_provider_path = get_default_provider_path()
+    default_provider_path = baseconfig.get_default_provider_path()
 
     if not os.path.isdir(default_provider_path):
         mkdir_p(default_provider_path)
 
-    conf_file = get_config_file(
+    conf_file = baseconfig.get_config_file(
         'openvpn.conf',
         folder=default_provider_path)
 
@@ -74,7 +83,7 @@ def check_or_create_default_vpnconf(config):
         # and make a reverse resolv.
         remote_ip = config.get('provider',
                                'remote_ip')
-        validate_ip(remote_ip)
+        baseconfig.validate_ip(remote_ip)
 
     except ConfigParser.NoSectionError:
         raise eip_exceptions.EIPInitNoProviderError
@@ -91,19 +100,19 @@ def check_or_create_default_vpnconf(config):
 
     default_subpath = os.path.join("providers",
                                    "default")
-    default_provider_path = get_config_file(
+    default_provider_path = baseconfig.get_config_file(
         '',
         folder=default_subpath)
 
     if not os.path.isdir(default_provider_path):
         mkdir_p(default_provider_path)
 
-    conf_file = get_config_file(
+    conf_file = baseconfig.get_config_file(
         'openvpn.conf',
         folder=default_provider_path)
 
     # XXX keys have to be manually placed by now
-    keys_file = get_config_file(
+    keys_file = baseconfig.get_config_file(
         'openvpn.keys',
         folder=default_provider_path)
 
@@ -133,8 +142,8 @@ def build_ovpn_options(daemon=False):
 
     # get user/group name
     # also from config.
-    user = get_username()
-    group = get_groupname()
+    user = baseconfig.get_username()
+    group = baseconfig.get_groupname()
 
     opts = []
 
@@ -171,10 +180,10 @@ def build_ovpn_options(daemon=False):
 
     opts.append('--config')
 
-    default_provider_path = get_default_provider_path()
+    default_provider_path = baseconfig.get_default_provider_path()
 
     # XXX get rid of config_file at all
-    ovpncnf = get_config_file(
+    ovpncnf = baseconfig.get_config_file(
         'openvpn.conf',
         folder=default_provider_path)
     opts.append(ovpncnf)
@@ -296,7 +305,7 @@ def get_config(config_file=None):
     config = ConfigParser.ConfigParser(defaults)
 
     if not config_file:
-        fpath = get_config_file('eip.cfg')
+        fpath = baseconfig.get_config_file('eip.cfg')
         if not os.path.isfile(fpath):
             dpath, cfile = os.path.split(fpath)
             if not os.path.isdir(dpath):
@@ -343,9 +352,9 @@ def check_vpn_keys(config):
     if config.has_option(*keyopt):
         keyfile = config.get(*keyopt)
     else:
-        keyfile = get_config_file(
+        keyfile = baseconfig.get_config_file(
             'openvpn.keys',
-            folder=get_default_provider_path())
+            folder=baseconfig.get_default_provider_path())
         logger.debug('keyfile = %s', keyfile)
 
     # if no keys, raise error.
-- 
cgit v1.2.3


From 1263cd7a3cfca81ae3e6976a489e2d3d4013d64b Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 30 Aug 2012 00:36:50 +0900
Subject: add lazy evaluation to config specs

now callables are allowed in specs *only at one level depth*
to allow for last-minute evaluation on context-sensitive data,
like paths affected by os.environ

also some minor modifications to make check tests pass after
putting the new jsonconfig-based eipconfig in place.

aaaaaall green again :)
---
 src/leap/eip/config.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 34f05070..a7b24f9b 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -15,6 +15,7 @@ from leap.eip import exceptions as eip_exceptions
 from leap.eip import constants as eipconstants
 from leap.eip import specs as eipspecs
 
+logging.basicConfig()
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
@@ -262,6 +263,7 @@ def build_ovpn_command(config, debug=False, do_pkexec_check=True):
     return [command[0], command[1:]]
 
 
+# XXX deprecate
 def get_sensible_defaults():
     """
     gathers a dict of sensible defaults,
-- 
cgit v1.2.3


From d69976caa5070403f81799c79be974241cff7f70 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 30 Aug 2012 03:43:05 +0900
Subject: fetcher moved to baseconfig + eipchecker using eipservice config.

---
 src/leap/eip/config.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index a7b24f9b..b6c38a77 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -49,6 +49,20 @@ class EIPConfig(baseconfig.JSONLeapConfig):
     slug = property(_get_slug, _set_slug)
 
 
+class EIPServiceConfig(baseconfig.JSONLeapConfig):
+    spec = eipspecs.eipservice_config_spec
+
+    def _get_slug(self):
+        return baseconfig.get_config_file(
+            'eip-service.json',
+            folder=baseconfig.get_default_provider_path())
+
+    def _set_slug(self):
+        raise AttributeError("you cannot set slug")
+
+    slug = property(_get_slug, _set_slug)
+
+
 def check_or_create_default_vpnconf(config):
     """
     checks that a vpn config file
-- 
cgit v1.2.3


From b79a08b84e52871b1e1254f65ff774a6f0857608 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 30 Aug 2012 05:37:44 +0900
Subject: move extra options from config template to cl opts

---
 src/leap/eip/config.py | 44 +++++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 15 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index b6c38a77..a9de60b2 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -63,6 +63,7 @@ class EIPServiceConfig(baseconfig.JSONLeapConfig):
     slug = property(_get_slug, _set_slug)
 
 
+# XXX deprecate by #447
 def check_or_create_default_vpnconf(config):
     """
     checks that a vpn config file
@@ -162,6 +163,26 @@ def build_ovpn_options(daemon=False):
 
     opts = []
 
+    opts.append('--mode')
+    opts.append('client')
+
+    opts.append('--dev')
+    # XXX same in win?
+    opts.append('tun')
+    opts.append('--persist-tun')
+    opts.append('--persist-key')
+
+    # remote
+    # XXX get remote from eip.json
+    opts.append('--remote')
+    opts.append('testprovider.example.org')
+    opts.append('1194')
+    opts.append('udp')
+
+    opts.append('--tls-client')
+    opts.append('--remote-cert-tls')
+    opts.append('server')
+
     # set user and group
     opts.append('--user')
     opts.append('%s' % user)
@@ -179,6 +200,7 @@ def build_ovpn_options(daemon=False):
     ourplatform = platform.system()
     if ourplatform in ("Linux", "Mac"):
         opts.append('--management')
+        # XXX get a different sock each time ...
         opts.append('/tmp/.eip.sock')
         opts.append('unix')
     if ourplatform == "Windows":
@@ -187,21 +209,13 @@ def build_ovpn_options(daemon=False):
         # XXX which is a good choice?
         opts.append('7777')
 
-    # remaining config options will go in a file
-
-    # NOTE: we will build this file from
-    # the service definition file.
-    # XXX override from --with-openvpn-config
-
-    opts.append('--config')
-
-    default_provider_path = baseconfig.get_default_provider_path()
-
-    # XXX get rid of config_file at all
-    ovpncnf = baseconfig.get_config_file(
-        'openvpn.conf',
-        folder=default_provider_path)
-    opts.append(ovpncnf)
+    # certs
+    opts.append('--cert')
+    opts.append(eipspecs.client_cert_path())
+    opts.append('--key')
+    opts.append(eipspecs.client_cert_path())
+    opts.append('--ca')
+    opts.append(eipspecs.provider_ca_path())
 
     # we cannot run in daemon mode
     # with the current subp setting.
-- 
cgit v1.2.3


From 396d815e318d03df4e21269aa8c3e6c0e6f7fad0 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 30 Aug 2012 06:00:03 +0900
Subject: working with options only from cli

---
 src/leap/eip/config.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index a9de60b2..70108a1d 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -163,8 +163,7 @@ def build_ovpn_options(daemon=False):
 
     opts = []
 
-    opts.append('--mode')
-    opts.append('client')
+    opts.append('--client')
 
     opts.append('--dev')
     # XXX same in win?
-- 
cgit v1.2.3


From d4de193b52881590c07468bdfece5f82fa48840d Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 30 Aug 2012 06:05:49 +0900
Subject: remove unused function

---
 src/leap/eip/config.py | 95 --------------------------------------------------
 1 file changed, 95 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 70108a1d..c0819628 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -19,23 +19,6 @@ logging.basicConfig()
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
-# XXX deprecate per #447
-OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
-remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
-
-client
-dev tun
-persist-tun
-persist-key
-proto udp
-tls-client
-remote-cert-tls server
-
-cert {LEAP_EIP_KEYS}
-key {LEAP_EIP_KEYS}
-ca {LEAP_EIP_KEYS}
-"""
-
 
 class EIPConfig(baseconfig.JSONLeapConfig):
     spec = eipspecs.eipconfig_spec
@@ -63,84 +46,6 @@ class EIPServiceConfig(baseconfig.JSONLeapConfig):
     slug = property(_get_slug, _set_slug)
 
 
-# XXX deprecate by #447
-def check_or_create_default_vpnconf(config):
-    """
-    checks that a vpn config file
-    exists for a default provider,
-    or creates one if it does not.
-    ATM REQURES A [provider] section in
-    eip.cfg with _at least_ a remote_ip value
-    """
-    default_provider_path = baseconfig.get_default_provider_path()
-
-    if not os.path.isdir(default_provider_path):
-        mkdir_p(default_provider_path)
-
-    conf_file = baseconfig.get_config_file(
-        'openvpn.conf',
-        folder=default_provider_path)
-
-    if os.path.isfile(conf_file):
-        return
-    else:
-        logger.debug(
-            'missing default openvpn config\n'
-            'creating one...')
-
-    # We're getting provider from eip.cfg
-    # by now. Get it from a list of gateways
-    # instead.
-
-    try:
-        # XXX by now, we're expecting
-        # only IP format for remote.
-        # We should allow also domain names,
-        # and make a reverse resolv.
-        remote_ip = config.get('provider',
-                               'remote_ip')
-        baseconfig.validate_ip(remote_ip)
-
-    except ConfigParser.NoSectionError:
-        raise eip_exceptions.EIPInitNoProviderError
-
-    except socket.error:
-        # this does not look like an ip, dave
-        raise eip_exceptions.EIPInitBadProviderError
-
-    if config.has_option('provider', 'remote_port'):
-        remote_port = config.get('provider',
-                                 'remote_port')
-    else:
-        remote_port = 1194
-
-    default_subpath = os.path.join("providers",
-                                   "default")
-    default_provider_path = baseconfig.get_config_file(
-        '',
-        folder=default_subpath)
-
-    if not os.path.isdir(default_provider_path):
-        mkdir_p(default_provider_path)
-
-    conf_file = baseconfig.get_config_file(
-        'openvpn.conf',
-        folder=default_provider_path)
-
-    # XXX keys have to be manually placed by now
-    keys_file = baseconfig.get_config_file(
-        'openvpn.keys',
-        folder=default_provider_path)
-
-    ovpn_config = OPENVPN_CONFIG_TEMPLATE.format(
-        VPN_REMOTE_HOST=remote_ip,
-        VPN_REMOTE_PORT=remote_port,
-        LEAP_EIP_KEYS=keys_file)
-
-    with open(conf_file, 'wb') as f:
-        f.write(ovpn_config)
-
-
 def build_ovpn_options(daemon=False):
     """
     build a list of options
-- 
cgit v1.2.3


From 6c4012fc128c5af1b75cf33eef00590cf0e82438 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Fri, 31 Aug 2012 04:39:13 +0900
Subject: deprecated configparser. closes #500

---
 src/leap/eip/config.py | 151 +++++++++----------------------------------------
 1 file changed, 28 insertions(+), 123 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index c0819628..810a5a8d 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,18 +1,13 @@
-import ConfigParser  # to be deprecated
-import json
 import logging
 import os
 import platform
-import socket
 
-from leap.util.fileutil import (which, mkdir_p,
-                                check_and_fix_urw_only)
+from leap.util.fileutil import (which, check_and_fix_urw_only)
 
 from leap.base import config as baseconfig
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 from leap.eip import exceptions as eip_exceptions
-from leap.eip import constants as eipconstants
 from leap.eip import specs as eipspecs
 
 logging.basicConfig()
@@ -104,7 +99,9 @@ def build_ovpn_options(daemon=False):
     ourplatform = platform.system()
     if ourplatform in ("Linux", "Mac"):
         opts.append('--management')
+
         # XXX get a different sock each time ...
+        # XXX #505
         opts.append('/tmp/.eip.sock')
         opts.append('unix')
     if ourplatform == "Windows":
@@ -130,14 +127,11 @@ def build_ovpn_options(daemon=False):
     return opts
 
 
-def build_ovpn_command(config, debug=False, do_pkexec_check=True):
+def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None):
     """
     build a string with the
     complete openvpn invocation
 
-    @param config: config object
-    @type config: ConfigParser instance
-
     @rtype [string, [list of strings]]
     @rparam: a list containing the command string
         and a list of options.
@@ -146,11 +140,11 @@ def build_ovpn_command(config, debug=False, do_pkexec_check=True):
     use_pkexec = True
     ovpn = None
 
-    if config.has_option('openvpn', 'use_pkexec'):
-        use_pkexec = config.get('openvpn', 'use_pkexec')
+    # XXX get use_pkexec from config instead.
+
     if platform.system() == "Linux" and use_pkexec and do_pkexec_check:
 
-        # XXX check for both pkexec (done)
+        # check for both pkexec
         # AND a suitable authentication
         # agent running.
         logger.info('use_pkexec set to True')
@@ -168,23 +162,15 @@ def build_ovpn_command(config, debug=False, do_pkexec_check=True):
             raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
-
-    if config.has_option('openvpn',
-                         'openvpn_binary'):
-        ovpn = config.get('openvpn',
-                          'openvpn_binary')
-    if not ovpn and config.has_option('DEFAULT',
-                                      'openvpn_binary'):
-        ovpn = config.get('DEFAULT',
-                          'openvpn_binary')
-
+    if vpnbin is None:
+        ovpn = which('openvpn')
+    else:
+        ovpn = vpnbin
     if ovpn:
         vpn_command = ovpn
     else:
         vpn_command = "openvpn"
-
     command.append(vpn_command)
-
     daemon_mode = not debug
 
     for opt in build_ovpn_options(daemon=daemon_mode):
@@ -195,77 +181,7 @@ def build_ovpn_command(config, debug=False, do_pkexec_check=True):
     return [command[0], command[1:]]
 
 
-# XXX deprecate
-def get_sensible_defaults():
-    """
-    gathers a dict of sensible defaults,
-    platform sensitive,
-    to be used to initialize the config parser
-    @rtype: dict
-    @rparam: default options.
-    """
-
-    # this way we're passing a simple dict
-    # that will initialize the configparser
-    # and will get written to "DEFAULTS" section,
-    # which is fine for now.
-    # if we want to write to a particular section
-    # we can better pass a tuple of triples
-    # (('section1', 'foo', '23'),)
-    # and config.set them
-
-    defaults = dict()
-    defaults['openvpn_binary'] = which('openvpn')
-    defaults['autostart'] = 'true'
-
-    # TODO
-    # - management.
-    return defaults
-
-
-# XXX to be deprecated. see dump_default_eipconfig
-# and the new JSONConfig classes.
-def get_config(config_file=None):
-    """
-    temporary method for getting configs,
-    mainly for early stage development process.
-    in the future we will get preferences
-    from the storage api
-
-    @rtype: ConfigParser instance
-    @rparam: a config object
-    """
-    defaults = get_sensible_defaults()
-    config = ConfigParser.ConfigParser(defaults)
-
-    if not config_file:
-        fpath = baseconfig.get_config_file('eip.cfg')
-        if not os.path.isfile(fpath):
-            dpath, cfile = os.path.split(fpath)
-            if not os.path.isdir(dpath):
-                mkdir_p(dpath)
-            with open(fpath, 'wb') as configfile:
-                config.write(configfile)
-        config_file = open(fpath)
-    config.readfp(config_file)
-    return config
-
-
-def dump_default_eipconfig(filepath):
-    """
-    writes a sample eip config
-    in the given location
-    """
-    # XXX TODO:
-    # use EIPConfigSpec istead
-    folder, filename = os.path.split(filepath)
-    if not os.path.isdir(folder):
-        mkdir_p(folder)
-    with open(filepath, 'w') as fp:
-        json.dump(eipconstants.EIP_SAMPLE_JSON, fp)
-
-
-def check_vpn_keys(config):
+def check_vpn_keys():
     """
     performs an existance and permission check
     over the openvpn keys file.
@@ -273,35 +189,24 @@ def check_vpn_keys(config):
     per provider, containing the CA cert,
     the provider key, and our client certificate
     """
+    provider_ca = eipspecs.provider_ca_path()
+    client_cert = eipspecs.client_cert_path()
 
-    keyopt = ('provider', 'keyfile')
-
-    # XXX at some point,
-    # should separate between CA, provider cert
-    # and our certificate.
-    # make changes in the default provider template
-    # accordingly.
-
-    # get vpn keys
-    if config.has_option(*keyopt):
-        keyfile = config.get(*keyopt)
-    else:
-        keyfile = baseconfig.get_config_file(
-            'openvpn.keys',
-            folder=baseconfig.get_default_provider_path())
-        logger.debug('keyfile = %s', keyfile)
+    logger.debug('provider ca = %s', provider_ca)
+    logger.debug('client cert = %s', client_cert)
 
     # if no keys, raise error.
     # should be catched by the ui and signal user.
 
-    if not os.path.isfile(keyfile):
-        logger.error('key file %s not found. aborting.',
-                     keyfile)
-        raise eip_exceptions.EIPInitNoKeyFileError
-
-    # check proper permission on keys
-    # bad perms? try to fix them
-    try:
-        check_and_fix_urw_only(keyfile)
-    except OSError:
-        raise eip_exceptions.EIPInitBadKeyFilePermError
+    for keyfile in (provider_ca, client_cert):
+        if not os.path.isfile(keyfile):
+            logger.error('key file %s not found. aborting.',
+                         keyfile)
+            raise eip_exceptions.EIPInitNoKeyFileError
+
+        # check proper permission on keys
+        # bad perms? try to fix them
+        try:
+            check_and_fix_urw_only(keyfile)
+        except OSError:
+            raise eip_exceptions.EIPInitBadKeyFilePermError
-- 
cgit v1.2.3


From a2804c3de1470db98d8c6aa8a01e2de1aa1718a1 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 5 Sep 2012 07:42:10 +0900
Subject: app wide logging handler

---
 src/leap/eip/config.py | 2 --
 1 file changed, 2 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 810a5a8d..f4b979ce 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -10,9 +10,7 @@ from leap.baseapp.permcheck import (is_pkexec_in_system,
 from leap.eip import exceptions as eip_exceptions
 from leap.eip import specs as eipspecs
 
-logging.basicConfig()
 logger = logging.getLogger(name=__name__)
-logger.setLevel('DEBUG')
 
 
 class EIPConfig(baseconfig.JSONLeapConfig):
-- 
cgit v1.2.3


From fc8a54a40645412e9c738723e54159bfda40cfde Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 6 Sep 2012 04:18:27 +0900
Subject: openvpn management socket is a temp path on each run

---
 src/leap/eip/config.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index f4b979ce..833519ee 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,6 +1,7 @@
 import logging
 import os
 import platform
+import tempfile
 
 from leap.util.fileutil import (which, check_and_fix_urw_only)
 
@@ -39,7 +40,15 @@ class EIPServiceConfig(baseconfig.JSONLeapConfig):
     slug = property(_get_slug, _set_slug)
 
 
-def build_ovpn_options(daemon=False):
+def get_socket_path():
+    socket_path = os.path.join(
+        tempfile.mkdtemp(prefix="leap-tmp"),
+        'openvpn.socket')
+    logger.debug('socket path: %s', socket_path)
+    return socket_path
+
+
+def build_ovpn_options(daemon=False, socket_path=None):
     """
     build a list of options
     to be passed in the
@@ -98,10 +107,11 @@ def build_ovpn_options(daemon=False):
     if ourplatform in ("Linux", "Mac"):
         opts.append('--management')
 
-        # XXX get a different sock each time ...
-        # XXX #505
-        opts.append('/tmp/.eip.sock')
+        if socket_path is None:
+            socket_path = get_socket_path()
+        opts.append(socket_path)
         opts.append('unix')
+
     if ourplatform == "Windows":
         opts.append('--management')
         opts.append('localhost')
@@ -125,7 +135,8 @@ def build_ovpn_options(daemon=False):
     return opts
 
 
-def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None):
+def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
+                       socket_path=None):
     """
     build a string with the
     complete openvpn invocation
@@ -171,7 +182,7 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None):
     command.append(vpn_command)
     daemon_mode = not debug
 
-    for opt in build_ovpn_options(daemon=daemon_mode):
+    for opt in build_ovpn_options(daemon=daemon_mode, socket_path=socket_path):
         command.append(opt)
 
     # XXX check len and raise proper error
-- 
cgit v1.2.3


From 99058b9f6536a3717ab82a9d77b09d5489334eb5 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 12 Sep 2012 10:32:22 +0900
Subject: add openvpn-verb option to cli.

Closes #534. accepts int [1-6] that get passed to openvpn invocation.
We should filter out the polling "state"/"status" commands from the log if
we want it to be real useful.
---
 src/leap/eip/config.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 833519ee..c0e17a19 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -48,7 +48,7 @@ def get_socket_path():
     return socket_path
 
 
-def build_ovpn_options(daemon=False, socket_path=None):
+def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     """
     build a list of options
     to be passed in the
@@ -78,6 +78,11 @@ def build_ovpn_options(daemon=False, socket_path=None):
     opts.append('--persist-tun')
     opts.append('--persist-key')
 
+    verbosity = kwargs.get('ovpn_verbosity', None)
+    if verbosity and 1 <= verbosity <= 6:
+        opts.append('--verb')
+        opts.append("%s" % verbosity)
+
     # remote
     # XXX get remote from eip.json
     opts.append('--remote')
@@ -136,7 +141,7 @@ def build_ovpn_options(daemon=False, socket_path=None):
 
 
 def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
-                       socket_path=None):
+                       socket_path=None, **kwargs):
     """
     build a string with the
     complete openvpn invocation
@@ -182,7 +187,8 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
     command.append(vpn_command)
     daemon_mode = not debug
 
-    for opt in build_ovpn_options(daemon=daemon_mode, socket_path=socket_path):
+    for opt in build_ovpn_options(daemon=daemon_mode, socket_path=socket_path,
+                                  **kwargs):
         command.append(opt)
 
     # XXX check len and raise proper error
-- 
cgit v1.2.3


From 68b1a4a987b85540d2f13cfc800cbdf5efc27805 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 19 Sep 2012 05:16:57 +0900
Subject: copy cacert to local config dir

---
 src/leap/eip/config.py | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index c0e17a19..c3e830dd 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -3,7 +3,9 @@ import os
 import platform
 import tempfile
 
-from leap.util.fileutil import (which, check_and_fix_urw_only)
+from leap import __branding as BRANDING
+from leap import certs
+from leap.util.fileutil import (which, mkdir_p, check_and_fix_urw_only)
 
 from leap.base import config as baseconfig
 from leap.baseapp.permcheck import (is_pkexec_in_system,
@@ -12,6 +14,7 @@ from leap.eip import exceptions as eip_exceptions
 from leap.eip import specs as eipspecs
 
 logger = logging.getLogger(name=__name__)
+provider_ca_file = BRANDING.get('provider_ca_file', None)
 
 
 class EIPConfig(baseconfig.JSONLeapConfig):
@@ -211,15 +214,30 @@ def check_vpn_keys():
     logger.debug('client cert = %s', client_cert)
 
     # if no keys, raise error.
-    # should be catched by the ui and signal user.
+    # it's catched by the ui and signal user.
+
+    if not os.path.isfile(provider_ca):
+        # not there. let's try to copy.
+        folder, filename = os.path.split(provider_ca)
+        if not os.path.isdir(folder):
+            mkdir_p(folder)
+        if provider_ca_file:
+            cacert = certs.where(provider_ca_file)
+        with open(provider_ca, 'w') as pca:
+            with open(cacert, 'r') as cac:
+                pca.write(cac.read())
+
+    if not os.path.isfile(provider_ca):
+        logger.error('key file %s not found. aborting.',
+                     provider_ca)
+        raise eip_exceptions.EIPInitNoKeyFileError
+
+    if not os.path.isfile(client_cert):
+        logger.error('key file %s not found. aborting.',
+                     client_cert)
+        raise eip_exceptions.EIPInitNoKeyFileError
 
     for keyfile in (provider_ca, client_cert):
-        if not os.path.isfile(keyfile):
-            logger.error('key file %s not found. aborting.',
-                         keyfile)
-            raise eip_exceptions.EIPInitNoKeyFileError
-
-        # check proper permission on keys
         # bad perms? try to fix them
         try:
             check_and_fix_urw_only(keyfile)
-- 
cgit v1.2.3


From 6a9523b0e83aca75bbfde5a8939ee612c5a78f9a Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 19 Sep 2012 05:52:16 +0900
Subject: openvpn options come from eip.json

---
 src/leap/eip/config.py | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index c3e830dd..e5fcd164 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -21,7 +21,11 @@ class EIPConfig(baseconfig.JSONLeapConfig):
     spec = eipspecs.eipconfig_spec
 
     def _get_slug(self):
-        return baseconfig.get_config_file('eip.json')
+        dppath = baseconfig.get_default_provider_path()
+        eipjsonpath = baseconfig.get_config_file(
+            'eip-service.json',
+            folder=dppath)
+        return eipjsonpath
 
     def _set_slug(self, *args, **kwargs):
         raise AttributeError("you cannot set slug")
@@ -51,6 +55,25 @@ def get_socket_path():
     return socket_path
 
 
+def get_eip_gateway():
+    """
+    return the first host in the list of hosts
+    under gateways list
+    """
+    eipconfig = EIPConfig()
+    eipconfig.load()
+    conf = eipconfig.get_config()
+    gateways = conf.get('gateways', None)
+    if len(gateways) > 0:
+        # we just pick first
+        gw = gateways[0]
+    hosts = gw['hosts']
+    if len(hosts) > 0:
+        return hosts[0]
+    else:
+        return "testprovider.example.org"
+
+
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     """
     build a list of options
@@ -87,9 +110,10 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append("%s" % verbosity)
 
     # remote
-    # XXX get remote from eip.json
     opts.append('--remote')
-    opts.append('testprovider.example.org')
+    gw = get_eip_gateway()
+    logger.debug('setting eip gateway to %s', gw)
+    opts.append(str(gw))
     opts.append('1194')
     opts.append('udp')
 
@@ -140,6 +164,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     #if daemon is True:
         #opts.append('--daemon')
 
+    logger.debug('vpn options: %s', opts)
     return opts
 
 
-- 
cgit v1.2.3


From ecd8696e6e009826523b62a508cdf2202eaa2411 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 20 Sep 2012 02:29:19 +0900
Subject: tests pass after branding changes

---
 src/leap/eip/config.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index e5fcd164..44922310 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -112,6 +112,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     # remote
     opts.append('--remote')
     gw = get_eip_gateway()
+    #gw = "springbokvpn.org"
     logger.debug('setting eip gateway to %s', gw)
     opts.append(str(gw))
     opts.append('1194')
-- 
cgit v1.2.3


From f2749fa3ff1df5875d3bc0b932a408031fee9874 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 20 Sep 2012 04:39:50 +0900
Subject: toggle connection on/off

---
 src/leap/eip/config.py | 1 -
 1 file changed, 1 deletion(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 44922310..e5fcd164 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -112,7 +112,6 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     # remote
     opts.append('--remote')
     gw = get_eip_gateway()
-    #gw = "springbokvpn.org"
     logger.debug('setting eip gateway to %s', gw)
     opts.append(str(gw))
     opts.append('1194')
-- 
cgit v1.2.3


From 5c32cc7b5e00853b3cc28b5003b92ab009418dff Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Mon, 24 Sep 2012 22:01:53 +0900
Subject: fix slug for eip config

(was taking the one for eip-service)
also correct the path (should be in root leap config folder).
---
 src/leap/eip/config.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index e5fcd164..24e837d0 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -21,10 +21,8 @@ class EIPConfig(baseconfig.JSONLeapConfig):
     spec = eipspecs.eipconfig_spec
 
     def _get_slug(self):
-        dppath = baseconfig.get_default_provider_path()
         eipjsonpath = baseconfig.get_config_file(
-            'eip-service.json',
-            folder=dppath)
+            'eip.json')
         return eipjsonpath
 
     def _set_slug(self, *args, **kwargs):
-- 
cgit v1.2.3


From f4f5fc21e186bcd94d39f78333f758ed906f5b98 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Mon, 24 Sep 2012 22:01:53 +0900
Subject: fix slug for eip config

(was taking the one for eip-service)
also correct the path (should be in root leap config folder).
---
 src/leap/eip/config.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index e5fcd164..24e837d0 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -21,10 +21,8 @@ class EIPConfig(baseconfig.JSONLeapConfig):
     spec = eipspecs.eipconfig_spec
 
     def _get_slug(self):
-        dppath = baseconfig.get_default_provider_path()
         eipjsonpath = baseconfig.get_config_file(
-            'eip-service.json',
-            folder=dppath)
+            'eip.json')
         return eipjsonpath
 
     def _set_slug(self, *args, **kwargs):
-- 
cgit v1.2.3


From 5173c0ee937696782a2f62078a860246ec388c39 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Tue, 25 Sep 2012 05:48:06 +0900
Subject: workaround for #638 and fix for eip config check for gateways

(we were picking gateway in a wrong way)
Closes #610.
---
 src/leap/eip/config.py | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 24e837d0..082cc24d 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -55,21 +55,35 @@ def get_socket_path():
 
 def get_eip_gateway():
     """
-    return the first host in the list of hosts
-    under gateways list
+    return the first host in eip service config
+    that matches the name defined in the eip.json config
+    file.
     """
+    placeholder = "testprovider.example.org"
     eipconfig = EIPConfig()
     eipconfig.load()
     conf = eipconfig.get_config()
-    gateways = conf.get('gateways', None)
+    primary_gateway = conf.get('primary_gateway', None)
+    if not primary_gateway:
+        return placeholder
+
+    eipserviceconfig = EIPServiceConfig()
+    eipserviceconfig.load()
+    eipsconf = eipserviceconfig.get_config()
+    gateways = eipsconf.get('gateways', None)
+    if not gateways:
+        logger.error('missing gateways in eip service config')
+        return placeholder
     if len(gateways) > 0:
-        # we just pick first
-        gw = gateways[0]
-    hosts = gw['hosts']
-    if len(hosts) > 0:
-        return hosts[0]
-    else:
-        return "testprovider.example.org"
+        for gw in gateways:
+            if gw['name'] == primary_gateway:
+                hosts = gw['hosts']
+                if len(hosts) > 0:
+                    return hosts[0]
+                else:
+                    logger.error('no hosts')
+    logger.error('could not find primary gateway in provider'
+                 'gateway list')
 
 
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
-- 
cgit v1.2.3


From abf481cab381a86d8a9c5607a131b56636081382 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Tue, 25 Sep 2012 05:48:06 +0900
Subject: refactored jsonconfig, included jsonschema validation

and type casting.
---
 src/leap/eip/config.py | 39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 24e837d0..7c9bf335 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -55,21 +55,38 @@ def get_socket_path():
 
 def get_eip_gateway():
     """
-    return the first host in the list of hosts
-    under gateways list
+    return the first host in eip service config
+    that matches the name defined in the eip.json config
+    file.
     """
+    placeholder = "testprovider.example.org"
+
     eipconfig = EIPConfig()
+    #import ipdb;ipdb.set_trace()
     eipconfig.load()
-    conf = eipconfig.get_config()
-    gateways = conf.get('gateways', None)
+    conf = eipconfig.config
+
+    primary_gateway = conf.get('primary_gateway', None)
+    if not primary_gateway:
+        return placeholder
+
+    eipserviceconfig = EIPServiceConfig()
+    eipserviceconfig.load()
+    eipsconf = eipserviceconfig.get_config()
+    gateways = eipsconf.get('gateways', None)
+    if not gateways:
+        logger.error('missing gateways in eip service config')
+        return placeholder
     if len(gateways) > 0:
-        # we just pick first
-        gw = gateways[0]
-    hosts = gw['hosts']
-    if len(hosts) > 0:
-        return hosts[0]
-    else:
-        return "testprovider.example.org"
+        for gw in gateways:
+            if gw['name'] == primary_gateway:
+                hosts = gw['hosts']
+                if len(hosts) > 0:
+                    return hosts[0]
+                else:
+                    logger.error('no hosts')
+    logger.error('could not find primary gateway in provider'
+                 'gateway list')
 
 
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
-- 
cgit v1.2.3


From a85e488ed323ba35b9d12c5cc344bf06337a9a00 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Sat, 20 Oct 2012 07:13:22 +0900
Subject: add bypass for already trusted fingerprints

---
 src/leap/eip/config.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index ef0f52b4..1ce4a54e 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -78,8 +78,15 @@ def get_eip_gateway():
         return placeholder
     if len(gateways) > 0:
         for gw in gateways:
-            if gw['name'] == primary_gateway:
-                hosts = gw['hosts']
+            name = gw.get('name', None)
+            if not name:
+                return
+
+            if name == primary_gateway:
+                hosts = gw.get('hosts', None)
+                if not hosts:
+                    logger.error('no hosts')
+                    return
                 if len(hosts) > 0:
                     return hosts[0]
                 else:
-- 
cgit v1.2.3


From 0060d3c74adce19fab7215b3788c5197cc05a9ae Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 24 Oct 2012 04:05:19 +0900
Subject: sign up branch ends by triggering eip connection

still need to bind signals properly, and block on the validation
process until we receive the "connected" signal. but the basic flow
is working again, i.e, user should be able to remove the .config/leap
folder and get all the needed info from the provider.
---
 src/leap/eip/config.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 1ce4a54e..57e15c9e 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -110,6 +110,8 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     # since we will need to take some
     # things from there if present.
 
+    provider = kwargs.pop('provider', None)
+
     # get user/group name
     # also from config.
     user = baseconfig.get_username()
@@ -136,6 +138,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     logger.debug('setting eip gateway to %s', gw)
     opts.append(str(gw))
     opts.append('1194')
+    #opts.append('80')
     opts.append('udp')
 
     opts.append('--tls-client')
@@ -172,12 +175,15 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append('7777')
 
     # certs
+    client_cert_path = eipspecs.client_cert_path(provider)
+    ca_cert_path = eipspecs.provider_ca_path(provider)
+
     opts.append('--cert')
-    opts.append(eipspecs.client_cert_path())
+    opts.append(client_cert_path)
     opts.append('--key')
-    opts.append(eipspecs.client_cert_path())
+    opts.append(client_cert_path)
     opts.append('--ca')
-    opts.append(eipspecs.provider_ca_path())
+    opts.append(ca_cert_path)
 
     # we cannot run in daemon mode
     # with the current subp setting.
@@ -245,7 +251,7 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
     return [command[0], command[1:]]
 
 
-def check_vpn_keys():
+def check_vpn_keys(provider=None):
     """
     performs an existance and permission check
     over the openvpn keys file.
@@ -253,8 +259,9 @@ def check_vpn_keys():
     per provider, containing the CA cert,
     the provider key, and our client certificate
     """
-    provider_ca = eipspecs.provider_ca_path()
-    client_cert = eipspecs.client_cert_path()
+    assert provider is not None
+    provider_ca = eipspecs.provider_ca_path(provider)
+    client_cert = eipspecs.client_cert_path(provider)
 
     logger.debug('provider ca = %s', provider_ca)
     logger.debug('client cert = %s', client_cert)
-- 
cgit v1.2.3


From d2dcf5a1060d60c451570349a6a06ad102d6924c Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Tue, 13 Nov 2012 21:54:04 +0900
Subject: fix missing provider parameter in leapconfig objects chain

---
 src/leap/eip/config.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 57e15c9e..42c00380 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -35,9 +35,13 @@ class EIPServiceConfig(baseconfig.JSONLeapConfig):
     spec = eipspecs.eipservice_config_spec
 
     def _get_slug(self):
+        domain = getattr(self, 'domain', None)
+        if domain:
+            path = baseconfig.get_provider_path(domain)
+        else:
+            path = baseconfig.get_default_provider_path()
         return baseconfig.get_config_file(
-            'eip-service.json',
-            folder=baseconfig.get_default_provider_path())
+            'eip-service.json', folder=path)
 
     def _set_slug(self):
         raise AttributeError("you cannot set slug")
@@ -53,15 +57,16 @@ def get_socket_path():
     return socket_path
 
 
-def get_eip_gateway():
+def get_eip_gateway(provider=None):
     """
     return the first host in eip service config
     that matches the name defined in the eip.json config
     file.
     """
     placeholder = "testprovider.example.org"
-    eipconfig = EIPConfig()
-    #import ipdb;ipdb.set_trace()
+    # XXX check for null on provider??
+
+    eipconfig = EIPConfig(domain=provider)
     eipconfig.load()
     conf = eipconfig.config
 
@@ -69,7 +74,7 @@ def get_eip_gateway():
     if not primary_gateway:
         return placeholder
 
-    eipserviceconfig = EIPServiceConfig()
+    eipserviceconfig = EIPServiceConfig(domain=provider)
     eipserviceconfig.load()
     eipsconf = eipserviceconfig.get_config()
     gateways = eipsconf.get('gateways', None)
@@ -134,7 +139,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
 
     # remote
     opts.append('--remote')
-    gw = get_eip_gateway()
+    gw = get_eip_gateway(provider=provider)
     logger.debug('setting eip gateway to %s', gw)
     opts.append(str(gw))
     opts.append('1194')
-- 
cgit v1.2.3


From 38cc1758240a3c64db387b0437dcf1517b52da15 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Mon, 10 Dec 2012 19:51:53 +0900
Subject: cleanup and rewrite eipconnection/openvpnconnection classes

---
 src/leap/eip/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 42c00380..8e687bda 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -53,7 +53,7 @@ def get_socket_path():
     socket_path = os.path.join(
         tempfile.mkdtemp(prefix="leap-tmp"),
         'openvpn.socket')
-    logger.debug('socket path: %s', socket_path)
+    #logger.debug('socket path: %s', socket_path)
     return socket_path
 
 
-- 
cgit v1.2.3


From 53fa2c134ab2c96376276aa1c0ed74db0aaba218 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Mon, 10 Dec 2012 23:20:09 +0900
Subject: get cipher config from eip-service

---
 src/leap/eip/config.py | 57 ++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 46 insertions(+), 11 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 8e687bda..1fe0530a 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -5,6 +5,7 @@ import tempfile
 
 from leap import __branding as BRANDING
 from leap import certs
+from leap.util.misc import null_check
 from leap.util.fileutil import (which, mkdir_p, check_and_fix_urw_only)
 
 from leap.base import config as baseconfig
@@ -57,30 +58,30 @@ def get_socket_path():
     return socket_path
 
 
-def get_eip_gateway(provider=None):
+def get_eip_gateway(eipconfig=None, eipserviceconfig=None):
     """
     return the first host in eip service config
     that matches the name defined in the eip.json config
     file.
     """
-    placeholder = "testprovider.example.org"
-    # XXX check for null on provider??
+    null_check(eipconfig, "eipconfig")
+    null_check(eipserviceconfig, "eipserviceconfig")
+
+    PLACEHOLDER = "testprovider.example.org"
 
-    eipconfig = EIPConfig(domain=provider)
-    eipconfig.load()
     conf = eipconfig.config
+    eipsconf = eipserviceconfig.config
 
     primary_gateway = conf.get('primary_gateway', None)
     if not primary_gateway:
-        return placeholder
+        return PLACEHOLDER
 
-    eipserviceconfig = EIPServiceConfig(domain=provider)
-    eipserviceconfig.load()
-    eipsconf = eipserviceconfig.get_config()
     gateways = eipsconf.get('gateways', None)
+
     if not gateways:
         logger.error('missing gateways in eip service config')
-        return placeholder
+        return PLACEHOLDER
+
     if len(gateways) > 0:
         for gw in gateways:
             name = gw.get('name', None)
@@ -100,6 +101,26 @@ def get_eip_gateway(provider=None):
                  'gateway list')
 
 
+def get_cipher_options(eipserviceconfig=None):
+    """
+    gathers optional cipher options from eip-service config.
+    :param eipserviceconfig: EIPServiceConfig instance
+    """
+    null_check(eipserviceconfig, 'eipserviceconfig')
+    eipsconf = eipserviceconfig.get_config()
+
+    ALLOWED_KEYS = ("auth", "cipher", "tls-cipher")
+    opts = []
+    if 'openvpn_configuration' in eipsconf:
+        config = eipserviceconfig.openvpn_configuration
+        for key, value in config.items():
+            if key in ALLOWED_KEYS and value is not None:
+                # I humbly think we should sanitize this
+                # input against `valid` openvpn settings. -- kali.
+                opts.append(['--%s' % key, value])
+    return opts
+
+
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     """
     build a list of options
@@ -116,6 +137,10 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     # things from there if present.
 
     provider = kwargs.pop('provider', None)
+    eipconfig = EIPConfig(domain=provider)
+    eipconfig.load()
+    eipserviceconfig = EIPServiceConfig(domain=provider)
+    eipserviceconfig.load()
 
     # get user/group name
     # also from config.
@@ -139,9 +164,19 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
 
     # remote
     opts.append('--remote')
-    gw = get_eip_gateway(provider=provider)
+
+    gw = get_eip_gateway(eipconfig=eipconfig,
+                         eipserviceconfig=eipserviceconfig)
     logger.debug('setting eip gateway to %s', gw)
     opts.append(str(gw))
+
+    # get ciphers
+    ciphers = get_cipher_options(
+        eipserviceconfig=eipserviceconfig)
+    for cipheropt in ciphers:
+        opts.append(str(cipheropt))
+
+    # get port/protocol from eipservice too
     opts.append('1194')
     #opts.append('80')
     opts.append('udp')
-- 
cgit v1.2.3


From 04d423e2a89034dfb86fe305108162fd2a696079 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 12 Dec 2012 03:29:31 +0900
Subject: tests for openvpn options

and make the rest of tests pass after some changes
in this branch (dirtyness in config files)
---
 src/leap/eip/config.py | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 1fe0530a..e40d2785 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -1,6 +1,7 @@
 import logging
 import os
 import platform
+import re
 import tempfile
 
 from leap import __branding as BRANDING
@@ -110,14 +111,18 @@ def get_cipher_options(eipserviceconfig=None):
     eipsconf = eipserviceconfig.get_config()
 
     ALLOWED_KEYS = ("auth", "cipher", "tls-cipher")
+    CIPHERS_REGEX = re.compile("[A-Z0-9\-]+")
     opts = []
     if 'openvpn_configuration' in eipsconf:
-        config = eipserviceconfig.openvpn_configuration
+        config = eipserviceconfig.config.get(
+            "openvpn_configuration", {})
         for key, value in config.items():
             if key in ALLOWED_KEYS and value is not None:
-                # I humbly think we should sanitize this
-                # input against `valid` openvpn settings. -- kali.
-                opts.append(['--%s' % key, value])
+                sanitized_val = CIPHERS_REGEX.findall(value)
+                if len(sanitized_val) != 0:
+                    _val = sanitized_val[0]
+                    opts.append('--%s' % key)
+                    opts.append('%s' % _val)
     return opts
 
 
@@ -162,7 +167,9 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append('--verb')
         opts.append("%s" % verbosity)
 
-    # remote
+    # remote ##############################
+    # (server, port, protocol)
+
     opts.append('--remote')
 
     gw = get_eip_gateway(eipconfig=eipconfig,
@@ -170,12 +177,6 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     logger.debug('setting eip gateway to %s', gw)
     opts.append(str(gw))
 
-    # get ciphers
-    ciphers = get_cipher_options(
-        eipserviceconfig=eipserviceconfig)
-    for cipheropt in ciphers:
-        opts.append(str(cipheropt))
-
     # get port/protocol from eipservice too
     opts.append('1194')
     #opts.append('80')
@@ -185,6 +186,13 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     opts.append('--remote-cert-tls')
     opts.append('server')
 
+    # get ciphers #######################
+
+    ciphers = get_cipher_options(
+        eipserviceconfig=eipserviceconfig)
+    for cipheropt in ciphers:
+        opts.append(str(cipheropt))
+
     # set user and group
     opts.append('--user')
     opts.append('%s' % user)
-- 
cgit v1.2.3


From f671412ebd4f2ce0dd9948cb8821f1d6d8ac7d9b Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 12 Dec 2012 07:21:51 +0900
Subject: parse new service format

---
 src/leap/eip/config.py | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index e40d2785..48e6e9a7 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -65,9 +65,12 @@ def get_eip_gateway(eipconfig=None, eipserviceconfig=None):
     that matches the name defined in the eip.json config
     file.
     """
+    # XXX eventually we should move to a more clever
+    # gateway selection. maybe we could return
+    # all gateways that match our cluster.
+
     null_check(eipconfig, "eipconfig")
     null_check(eipserviceconfig, "eipserviceconfig")
-
     PLACEHOLDER = "testprovider.example.org"
 
     conf = eipconfig.config
@@ -78,26 +81,26 @@ def get_eip_gateway(eipconfig=None, eipserviceconfig=None):
         return PLACEHOLDER
 
     gateways = eipsconf.get('gateways', None)
-
     if not gateways:
         logger.error('missing gateways in eip service config')
         return PLACEHOLDER
 
     if len(gateways) > 0:
         for gw in gateways:
-            name = gw.get('name', None)
-            if not name:
+            clustername = gw.get('cluster', None)
+            if not clustername:
+                logger.error('no cluster name')
                 return
 
-            if name == primary_gateway:
-                hosts = gw.get('hosts', None)
-                if not hosts:
-                    logger.error('no hosts')
+            if clustername == primary_gateway:
+                # XXX at some moment, we must
+                # make this a more generic function,
+                # and return ports, protocols...
+                ipaddress = gw.get('ip_address', None)
+                if not ipaddress:
+                    logger.error('no ip_address')
                     return
-                if len(hosts) > 0:
-                    return hosts[0]
-                else:
-                    logger.error('no hosts')
+                return ipaddress
     logger.error('could not find primary gateway in provider'
                  'gateway list')
 
-- 
cgit v1.2.3


From e35eb606faef1ccd06201a0b38a462375426cedd Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Mon, 7 Jan 2013 21:10:41 +0900
Subject: Working OSX installer workflow.

Using platypus for installer.
Working installer at 17.6MB compressed.
---
 src/leap/eip/config.py | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 48e6e9a7..f82049d3 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -211,7 +211,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     # XXX take them from the config object.
 
     ourplatform = platform.system()
-    if ourplatform in ("Linux", "Mac"):
+    if ourplatform in ("Linux", "Darwin"):
         opts.append('--management')
 
         if socket_path is None:
@@ -229,6 +229,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     client_cert_path = eipspecs.client_cert_path(provider)
     ca_cert_path = eipspecs.provider_ca_path(provider)
 
+    # XXX FIX paths for MAC
     opts.append('--cert')
     opts.append(client_cert_path)
     opts.append('--key')
@@ -260,9 +261,11 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
     use_pkexec = True
     ovpn = None
 
+    _plat = platform.system()
+
     # XXX get use_pkexec from config instead.
 
-    if platform.system() == "Linux" and use_pkexec and do_pkexec_check:
+    if _plat == "Linux" and use_pkexec and do_pkexec_check:
 
         # check for both pkexec
         # AND a suitable authentication
@@ -282,8 +285,17 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
             raise eip_exceptions.EIPNoPolkitAuthAgentAvailable
 
         command.append('pkexec')
+
+
     if vpnbin is None:
-        ovpn = which('openvpn')
+        if _plat == "Darwin":
+            # XXX Should hardcode our installed path
+            # /Applications/LEAPClient.app/Contents/Resources/openvpn.leap
+            openvpn_bin = "openvpn.leap"
+        else:
+            openvpn_bin = "openvpn"
+        #XXX hardcode for darwin
+        ovpn = which(openvpn_bin)
     else:
         ovpn = vpnbin
     if ovpn:
@@ -299,7 +311,18 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
 
     # XXX check len and raise proper error
 
-    return [command[0], command[1:]]
+    if _plat == "Darwin":
+        OSX_ASADMIN = 'do shell script "%s" with administrator privileges'
+        # XXX fix workaround for Nones
+        _command = [x if x else " " for x in command]
+        # XXX debugging!
+        #import ipdb;ipdb.set_trace() 
+        #XXX get openvpn log path from debug flags 
+        _command.append('--log')
+        _command.append('/tmp/leap_openvpn.log')
+        return ["osascript", ["-e", OSX_ASADMIN % ' '.join(_command)]]
+    else:
+        return [command[0], command[1:]]
 
 
 def check_vpn_keys(provider=None):
-- 
cgit v1.2.3


From 289722fe0eda46c8f5fbbecb84c8a0fbbe36a15f Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 9 Jan 2013 05:41:12 +0900
Subject: add resolvconf option

---
 src/leap/eip/config.py | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index f82049d3..6a19633d 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -18,6 +18,8 @@ from leap.eip import specs as eipspecs
 logger = logging.getLogger(name=__name__)
 provider_ca_file = BRANDING.get('provider_ca_file', None)
 
+_platform = platform.system()
+
 
 class EIPConfig(baseconfig.JSONLeapConfig):
     spec = eipspecs.eipconfig_spec
@@ -210,8 +212,13 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     # interface. unix sockets or telnet interface for win.
     # XXX take them from the config object.
 
-    ourplatform = platform.system()
-    if ourplatform in ("Linux", "Darwin"):
+    if _platform == "Windows":
+        opts.append('--management')
+        opts.append('localhost')
+        # XXX which is a good choice?
+        opts.append('7777')
+
+    if _platform in ("Linux", "Darwin"):
         opts.append('--management')
 
         if socket_path is None:
@@ -219,11 +226,14 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append(socket_path)
         opts.append('unix')
 
-    if ourplatform == "Windows":
-        opts.append('--management')
-        opts.append('localhost')
-        # XXX which is a good choice?
-        opts.append('7777')
+        opts.append('--script-security')
+        opts.append('2')
+
+    if _platform == "Linux":
+        opts.append("--up")
+        opts.append("/etc/openvpn/update-resolv-conf")
+        opts.append("--down")
+        opts.append("/etc/openvpn/update-resolv-conf")
 
     # certs
     client_cert_path = eipspecs.client_cert_path(provider)
@@ -261,11 +271,9 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
     use_pkexec = True
     ovpn = None
 
-    _plat = platform.system()
-
     # XXX get use_pkexec from config instead.
 
-    if _plat == "Linux" and use_pkexec and do_pkexec_check:
+    if _platform == "Linux" and use_pkexec and do_pkexec_check:
 
         # check for both pkexec
         # AND a suitable authentication
@@ -286,9 +294,8 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
 
         command.append('pkexec')
 
-
     if vpnbin is None:
-        if _plat == "Darwin":
+        if _platform == "Darwin":
             # XXX Should hardcode our installed path
             # /Applications/LEAPClient.app/Contents/Resources/openvpn.leap
             openvpn_bin = "openvpn.leap"
@@ -311,13 +318,12 @@ def build_ovpn_command(debug=False, do_pkexec_check=True, vpnbin=None,
 
     # XXX check len and raise proper error
 
-    if _plat == "Darwin":
+    if _platform == "Darwin":
         OSX_ASADMIN = 'do shell script "%s" with administrator privileges'
         # XXX fix workaround for Nones
         _command = [x if x else " " for x in command]
         # XXX debugging!
-        #import ipdb;ipdb.set_trace() 
-        #XXX get openvpn log path from debug flags 
+        # XXX get openvpn log path from debug flags
         _command.append('--log')
         _command.append('/tmp/leap_openvpn.log')
         return ["osascript", ["-e", OSX_ASADMIN % ' '.join(_command)]]
-- 
cgit v1.2.3


From d6c8cb0f12e8924820c296a8114a7899f61e5180 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 17 Jan 2013 05:54:16 +0900
Subject: (osx) detect which interface is traffic going thru

---
 src/leap/eip/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 6a19633d..a60d7ed5 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -253,7 +253,7 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     #if daemon is True:
         #opts.append('--daemon')
 
-    logger.debug('vpn options: %s', opts)
+    logger.debug('vpn options: %s', ' '.join(opts))
     return opts
 
 
-- 
cgit v1.2.3


From 8226d6032b6db0c15ff70e377f87f4acfdd21787 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 23 Jan 2013 07:02:58 +0900
Subject: working up/down resolv-conf script

---
 src/leap/eip/config.py | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index a60d7ed5..917871da 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -130,6 +130,22 @@ def get_cipher_options(eipserviceconfig=None):
                     opts.append('%s' % _val)
     return opts
 
+LINUX_UP_DOWN_SCRIPT = "/etc/leap/resolv-update"
+OPENVPN_DOWN_ROOT = "/usr/lib/openvpn/openvpn-down-root.so"
+
+
+def has_updown_scripts():
+    """
+    checks the existence of the up/down scripts
+    """
+    # XXX should check permissions too
+    is_file = os.path.isfile(LINUX_UP_DOWN_SCRIPT)
+    if not is_file:
+        logger.warning(
+            "Could not find up/down scripts at %s! "
+            "Risk of DNS Leaks!!!")
+    return is_file
+
 
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     """
@@ -230,10 +246,14 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append('2')
 
     if _platform == "Linux":
-        opts.append("--up")
-        opts.append("/etc/openvpn/update-resolv-conf")
-        opts.append("--down")
-        opts.append("/etc/openvpn/update-resolv-conf")
+        if has_updown_scripts():
+            opts.append("--up")
+            opts.append(LINUX_UP_DOWN_SCRIPT)
+            opts.append("--down")
+            opts.append(LINUX_UP_DOWN_SCRIPT)
+            opts.append("--plugin")
+            opts.append(OPENVPN_DOWN_ROOT)
+            opts.append("'script_type=down %s'" % LINUX_UP_DOWN_SCRIPT)
 
     # certs
     client_cert_path = eipspecs.client_cert_path(provider)
-- 
cgit v1.2.3