From 2da60cd0f78378fdcb8f6364a798720281b34b4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Touceda?= Date: Tue, 12 Mar 2013 09:56:05 -0300 Subject: Check and try to fix certificate permissions --- src/leap/gui/mainwindow.py | 31 +++++++++++++++++---------- src/leap/services/eip/eipbootstrapper.py | 12 +++++++++-- src/leap/services/eip/providerbootstrapper.py | 14 ++++++++++-- src/leap/util/files.py | 27 +++++++++++++++++++++++ 4 files changed, 69 insertions(+), 15 deletions(-) create mode 100644 src/leap/util/files.py (limited to 'src') diff --git a/src/leap/gui/mainwindow.py b/src/leap/gui/mainwindow.py index 08b8f08b..aa9b4ffd 100644 --- a/src/leap/gui/mainwindow.py +++ b/src/leap/gui/mainwindow.py @@ -395,13 +395,15 @@ class MainWindow(QtGui.QMainWindow): status = "%s" % (status,) self.ui.lblStatus.setText(status) - def _set_eip_status(self, status): + def _set_eip_status(self, status, error=False): """ Sets the status label at the VPN stage to status @param status: status message @type status: str """ + if error: + status = "%s" % (status,) self.ui.lblEIPStatus.setText(status) def _login_set_enabled(self, enabled=False): @@ -579,7 +581,7 @@ class MainWindow(QtGui.QMainWindow): self.ui.btnEipStartStop.clicked.connect( self._stop_eip) except VPNLauncherException as e: - self._set_eip_status("%s" % (e,)) + self._set_eip_status("%s" % (e,), error=True) self.ui.btnEipStartStop.setEnabled(True) def _stop_eip(self): @@ -609,7 +611,8 @@ class MainWindow(QtGui.QMainWindow): download_if_needed=True) else: self._set_eip_status(self.tr("%s does not support EIP") % - (self._provider_config.get_domain(),)) + (self._provider_config.get_domain(),), + error=True) def _set_eip_status_icon(self, status): """ @@ -681,15 +684,21 @@ class MainWindow(QtGui.QMainWindow): leap_assert(self._eip_config, "We need an eip config!") leap_assert(self._provider_config, "We need a provider config!") - if self._eip_config.loaded() or \ - self._eip_config.load(os.path.join("leap", - "providers", - self._provider_config - .get_domain(), - "eip-service.json")): + if data[self._eip_bootstrapper.PASSED_KEY] and \ + (self._eip_config.loaded() or + self._eip_config.load(os.path.join("leap", + "providers", + self._provider_config + .get_domain(), + "eip-service.json"))): self._start_eip() - # TODO: display a message if the EIP configuration cannot be - # loaded + else: + if data[self._eip_bootstrapper.PASSED_KEY]: + self._set_eip_status(self.tr("Could not load EIP " + "Configuration"), error=True) + else: + self._set_eip_status(data[self._eip_bootstrapper.ERROR_KEY], + error=True) def _logout(self): """ diff --git a/src/leap/services/eip/eipbootstrapper.py b/src/leap/services/eip/eipbootstrapper.py index bd6ab715..79ff28d6 100644 --- a/src/leap/services/eip/eipbootstrapper.py +++ b/src/leap/services/eip/eipbootstrapper.py @@ -30,6 +30,7 @@ from leap.config.providerconfig import ProviderConfig from leap.services.eip.eipconfig import EIPConfig from leap.util.check import leap_assert, leap_assert_type from leap.util.checkerthread import CheckerThread +from leap.util.files import check_and_fix_urw_only logger = logging.getLogger(__name__) @@ -147,9 +148,14 @@ class EIPBootstrapper(QtCore.QObject): if self._download_if_needed and \ os.path.exists(client_cert_path): - download_cert[self.PASSED_KEY] = True + try: + check_and_fix_urw_only(client_cert_path) + download_cert[self.PASSED_KEY] = True + except Exception as e: + download_cert[self.PASSED_KEY] = False + download_cert[self.ERROR_KEY] = "%s" % (e,) self.download_client_certificate.emit(download_cert) - return True + return download_cert[self.PASSED_KEY] try: res = self._session.get("%s/%s/%s/" % @@ -176,6 +182,8 @@ class EIPBootstrapper(QtCore.QObject): with open(client_cert_path, "w") as f: f.write(client_cert) + check_and_fix_urw_only(client_cert_path) + download_cert[self.PASSED_KEY] = True except Exception as e: download_cert[self.ERROR_KEY] = "%s" % (e,) diff --git a/src/leap/services/eip/providerbootstrapper.py b/src/leap/services/eip/providerbootstrapper.py index ecdc4e07..0e9f8563 100644 --- a/src/leap/services/eip/providerbootstrapper.py +++ b/src/leap/services/eip/providerbootstrapper.py @@ -31,6 +31,7 @@ from PySide import QtGui, QtCore from leap.config.providerconfig import ProviderConfig from leap.util.check import leap_assert, leap_assert_type from leap.util.checkerthread import CheckerThread +from leap.util.files import check_and_fix_urw_only logger = logging.getLogger(__name__) @@ -258,9 +259,16 @@ class ProviderBootstrapper(QtCore.QObject): } if not self._should_proceed_cert(): - download_ca_cert_data[self.PASSED_KEY] = True + try: + check_and_fix_urw_only( + self._provider_config + .get_ca_cert_path(about_to_download=True)) + download_ca_cert_data[self.PASSED_KEY] = True + except Exception as e: + download_ca_cert_data[self.PASSED_KEY] = False + download_ca_cert_data[self.ERROR_KEY] = "%s" % (e,) self.download_ca_cert.emit(download_ca_cert_data) - return True + return download_ca_cert_data[self.PASSED_KEY] try: res = self._session.get(self._provider_config.get_ca_cert_uri()) @@ -282,6 +290,8 @@ class ProviderBootstrapper(QtCore.QObject): with open(cert_path, "w") as f: f.write(res.content) + check_and_fix_urw_only(cert_path) + download_ca_cert_data[self.PASSED_KEY] = True except Exception as e: download_ca_cert_data[self.ERROR_KEY] = "%s" % (e,) diff --git a/src/leap/util/files.py b/src/leap/util/files.py new file mode 100644 index 00000000..f7fda39e --- /dev/null +++ b/src/leap/util/files.py @@ -0,0 +1,27 @@ +import os +import stat +import logging + +logger = logging.getLogger(__name__) + + +def check_and_fix_urw_only(cert): + """ + Test for 600 mode and try to set it if anything different found + + Might raise OSError + + @param cert: Certificate path + @type cert: str + """ + mode = stat.S_IMODE(os.stat(cert).st_mode) + + if mode != int('600', 8): + try: + logger.warning('Bad permission on %s attempting to set 600' % + (cert,)) + os.chmod(cert, stat.S_IRUSR | stat.S_IWUSR) + except OSError: + logger.error('Error while trying to chmod 600 %s' % + cert) + raise -- cgit v1.2.3