-rw-r--r-- | setup.py | 6 | ||||
-rw-r--r-- | src/leap/bitmask/cli/eip.py | 6 | ||||
-rw-r--r-- | src/leap/bitmask/core/dispatcher.py | 10 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/README.rst | 6 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/_checks.py | 9 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/_config.py | 14 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/helpers/__init__.py | 35 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/helpers/linux/__init__.py | 0 | ||||
-rwxr-xr-x | src/leap/bitmask/vpn/helpers/linux/bitmask-root (renamed from src/leap/bitmask/vpn/fw/bitmask-root) | 0 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy | 23 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy | 23 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/privilege.py | 8 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/process.py | 2 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/service.py | 19 |
14 files changed, 145 insertions, 16 deletions
@@ -62,6 +62,7 @@ DOWNLOAD_URL = DOWNLOAD_BASE % VERSION # Entry points gui_launcher = 'bitmask=leap.bitmask.gui.app:start_app' bitmask_cli = 'bitmaskctl=leap.bitmask.cli.bitmask_cli:main' +bitmask_helpers = 'bitmask_helpers=leap.bitmask.vpn.helpers:main' bitmaskd = 'bitmaskd=leap.bitmask.core.launcher:run_bitmaskd' @@ -87,7 +88,10 @@ setup( include_package_data=True, zip_safe=False, entry_points={ - 'console_scripts': [gui_launcher, bitmask_cli, bitmaskd] + 'console_scripts': [ + gui_launcher, bitmask_cli, + bitmaskd, + bitmask_helpers] }, install_requires=required, extras_require=extras, diff --git a/src/leap/bitmask/cli/eip.py b/src/leap/bitmask/cli/eip.py index b7016ef..f5c9795 100644 --- a/src/leap/bitmask/cli/eip.py +++ b/src/leap/bitmask/cli/eip.py @@ -35,8 +35,10 @@ SUBCOMMANDS: status Display status about service check Check whether EIP service is properly configured get_cert Get EIP Certificate from provider - install Install helpers (need superuser) + install Install helpers (needs root) + uninstall Uninstall helpers (needs root) '''.format(name=command.appname) - commands = ['start', 'stop', 'status', 'check', 'get_cert'] + commands = ['start', 'stop', 'status', 'check', + 'get_cert', 'install', 'uninstall'] diff --git a/src/leap/bitmask/core/dispatcher.py b/src/leap/bitmask/core/dispatcher.py index a93c3ec..36ae1b2 100644 --- a/src/leap/bitmask/core/dispatcher.py +++ b/src/leap/bitmask/core/dispatcher.py @@ -224,6 +224,16 @@ class EIPCmd(SubCommand): d = eip.do_get_cert(provider) return d + @register_method('install') + def do_INSTALL(self, eip, *parts): + d = eip.do_install() + return d + + @register_method('install') + def do_UNINSTALL(self, eip, *parts): + d = eip.do_uninstall() + return d + class MailCmd(SubCommand): diff --git a/src/leap/bitmask/vpn/README.rst b/src/leap/bitmask/vpn/README.rst deleted file mode 100644 index 50310c0..0000000 --- a/src/leap/bitmask/vpn/README.rst +++ /dev/null 
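Review bot: In the `EIPCmd` hunk of `src/leap/bitmask/core/dispatcher.py`, `do_UNINSTALL` is registered with `@register_method('install')`, the same key already used by `do_INSTALL` just above it. How `register_method` treats a duplicate key is not visible in this hunk, but the likely outcomes are that `uninstall` is never dispatched or that it replaces `install`, so a request to install the root helper could end up removing it. The second decorator should read `@register_method('uninstall')`. Both methods accept `*parts` and ignore it; a one-line docstring saying that the call triggers a privileged (pkexec) operation would help readers of the dispatcher.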
@@ -1,6 +0,0 @@ -To be migrated --------------- -Here we should expect the vpn parts under the legacy bitmask_client project. -However, it would be nice to move all the fail-close boilerplate to an -independent project (leap.fw), and declare that as an extra dependency in the -setup.py diff --git a/src/leap/bitmask/vpn/_checks.py b/src/leap/bitmask/vpn/_checks.py index 3a1914f..f4d4ed3 100644 --- a/src/leap/bitmask/vpn/_checks.py +++ b/src/leap/bitmask/vpn/_checks.py @@ -3,18 +3,21 @@ import os from leap.common.config import get_path_prefix +# TODO use privilege.py module, plenty of checks in there for pkexec and +# friends. + class ImproperlyConfigured(Exception): pass def is_service_ready(provider): - valid_cert = _has_valid_cert(provider) + _has_valid_cert(provider) return True def get_eip_cert_path(provider): return os.path.join(get_path_prefix(), - 'leap', 'providers', provider, + 'leap', 'providers', provider, 'keys', 'client', 'openvpn.pem') @@ -23,5 +26,3 @@ def _has_valid_cert(provider): has_file = os.path.isfile(cert_path) if not has_file: raise ImproperlyConfigured('Missing EIP certificate') - - diff --git a/src/leap/bitmask/vpn/_config.py b/src/leap/bitmask/vpn/_config.py index 7dfabf7..267f61e 100644 --- a/src/leap/bitmask/vpn/_config.py +++ b/src/leap/bitmask/vpn/_config.py @@ -1,3 +1,17 @@ +import pkg_resources +from .constants import IS_LINUX + + +if IS_LINUX: + + def get_bitmask_helper_path(): + return pkg_resources.resource_filename( + 'leap.bitmask.vpn.helpers.linux', 'bitmask-root') + + def get_bitmask_polkit_policy_path(): + return pkg_resources.resource_filename( + 'leap.bitmask.vpn.helpers.linux', 'se.leap.bitmask.bundle.policy') + class _TempEIPConfig(object): """Current EIP code on bitmask depends on EIPConfig object, this temporary diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py new file mode 100644 index 0000000..1f46fd7 --- /dev/null +++ b/src/leap/bitmask/vpn/helpers/__init__.py 
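Review bot: In `src/leap/bitmask/vpn/_config.py`, `get_bitmask_helper_path` and `get_bitmask_polkit_policy_path` are defined only when `IS_LINUX` is true, yet `vpn/service.py` in this same commit imports both names unconditionally. On any other platform that import presumably fails with `ImportError` when the service module loads, instead of producing a clear "not supported" error at install time. Define the two functions unconditionally and raise inside them, e.g. `raise NotImplementedError('helpers are only packaged for Linux')`, or guard the import in `service.py`. Only the bundle policy path is ever returned here; the `se.leap.bitmask.policy` file added later in the commit is not referenced by any visible code.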
@@ -0,0 +1,35 @@
+from os import remove
+from shutil import copyfile
+import sys
+
+from leap.bitmask.vpn.constants import IS_LINUX
+from leap.bitmask.vpn import _config
+
+if IS_LINUX:
+
+ helper_to = '/usr/local/sbin/bitmask-root'
+ polkit_to = '/usr/share/polkit-1/actions/se.bitmask.bundle.policy'
+
+ def install():
+ helper_from = _config.get_bitmask_helper_path()
+ polkit_from = _config.get_bitmask_polkit_policy_path()
+ copyfile(helper_from, helper_to)
+ copyfile(polkit_from, polkit_to)
+
+ def uninstall():
+ try:
+ remove(helper_to)
+ remove(polkit_to)
+ except:
+ raise
+
+
+def main():
+ if sys.argv[-1] == 'install':
+ install()
+ if sys.argv[-1] == 'uninstall':
+ uninstall()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/leap/bitmask/vpn/helpers/linux/__init__.py b/src/leap/bitmask/vpn/helpers/linux/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/__init__.py
diff --git a/src/leap/bitmask/vpn/fw/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 80ac12e..80ac12e 100755
--- a/src/leap/bitmask/vpn/fw/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy
new file mode 100644
index 0000000..58fcaaa
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.bundle.policy
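Review bot: `install()` in `src/leap/bitmask/vpn/helpers/__init__.py` places a root-executed helper with `shutil.copyfile`, which copies file contents only, so a freshly created `/usr/local/sbin/bitmask-root` has no executable bit and takes whatever mode the caller's umask yields. Because the polkit policy in this commit points `org.freedesktop.policykit.exec.path` at that file, its mode should be set explicitly after the copy, e.g. `chmod(helper_to, 0o755)` and `chmod(polkit_to, 0o644)` with `chmod` added to the `from os import` line. In `uninstall()`, `except: raise` is a no-op, and a failure of the first `remove` leaves the policy file installed; each removal should be attempted independently. The policy is also installed as `se.bitmask.bundle.policy` while the packaged file and its action id are `se.leap.bitmask.bundle.policy`, which looks unintentional. `main()` calls `install()`/`uninstall()` even though they are defined only under `if IS_LINUX:`, so elsewhere it would raise `NameError`.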
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>LEAP Project</vendor>
+ <vendor_url>http://leap.se/</vendor_url>
+
+ <action id="se.leap.bitmask.bundle.policy">
+ <description>Runs bitmask helper to launch firewall and openvpn (bundle version)</description>
+ <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (version bundle)</description>
+ <message>Bitmask needs that you authenticate to start</message>
+ <message xml:lang="es">Bitmask necesita autorizacion para comenzar</message>
+ <icon_name>package-x-generic</icon_name>
+ <defaults>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/usr/local/sbin/bitmask-root</annotate>
+ </action>
+</policyconfig>
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy
new file mode 100644
index 0000000..c66f470
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.policy
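Review bot: The `<defaults>` block of `se.leap.bitmask.bundle.policy` sets `allow_any`, `allow_inactive` and `allow_active` all to `yes`, which tells polkit to authorize every caller, including remote and inactive sessions, to run `/usr/local/sbin/bitmask-root` as root through pkexec with no authentication prompt. That contradicts the `<message>` text ("needs that you authenticate"). It also leaves the helper's own argument validation, which is not shown in this commit, as the only barrier between any local account and root-level firewall and openvpn control. Unless passwordless use is a deliberate decision documented next to the policy, tighten the defaults, for example `<allow_any>no</allow_any>`, `<allow_inactive>no</allow_inactive>`, `<allow_active>auth_admin_keep</allow_active>`. The same three values appear in `se.leap.bitmask.policy` in the next file section.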
@@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE policyconfig PUBLIC + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" + "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> +<policyconfig> + + <vendor>LEAP Project</vendor> + <vendor_url>http://leap.se/</vendor_url> + + <action id="se.leap.bitmask.policy"> + <description>Runs bitmask helper to launch firewall and openvpn</description> + <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn</description> + <message>Bitmask needs that you authenticate to start</message> + <message xml:lang="es">Bitmask necesita autorizacion para comenzar</message> + <icon_name>package-x-generic</icon_name> + <defaults> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/bitmask-root</annotate> + </action> +</policyconfig> diff --git a/src/leap/bitmask/vpn/privilege.py b/src/leap/bitmask/vpn/privilege.py index e8ed557..097f5f8 100644 --- a/src/leap/bitmask/vpn/privilege.py +++ b/src/leap/bitmask/vpn/privilege.py @@ -37,6 +37,14 @@ logger = Logger() flags_STANDALONE = False +def install_helpers(): + commands.getoutput('pkexec bitmask_helpers install') + + +def uninstall_helpers(): + commands.getoutput('pkexec bitmask_helpers uninstall') + + class NoPolkitAuthAgentAvailable(Exception): pass diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py index ef5ee37..813025d 100644 --- a/src/leap/bitmask/vpn/process.py +++ b/src/leap/bitmask/vpn/process.py 
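Review bot: `install_helpers()` and `uninstall_helpers()` in `src/leap/bitmask/vpn/privilege.py` call `commands.getoutput(...)`, which throws away the exit status, so a dismissed or denied pkexec prompt, a missing `bitmask_helpers` script, or a failed copy is indistinguishable from success. `do_install`/`do_uninstall` in `vpn/service.py` then bind the `None` result to an unused `ask` and always answer `'ok'`. Use `status, out = commands.getstatusoutput('pkexec bitmask_helpers install')` and return or raise on a non-zero `status` so the service can report the failure. The command is also a shell string resolved through `PATH`; if `bitmask_helpers` resolves to a console script in a user-writable location such as a virtualenv, pkexec would run as root a file the unprivileged user can edit, so an absolute path to a root-owned installer is safer.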
@@ -38,7 +38,7 @@ from leap.bitmask.vpn.constants import IS_MAC from leap.bitmask.vpn.utils import first, force_eval from leap.bitmask.vpn.utils import get_vpn_launcher from leap.bitmask.vpn.launchers import linux -from leap.bitmask.vpn.udstelnet import UDSTelnet +from leap.bitmask.vpn._telnet import UDSTelnet from leap.bitmask.vpn import _observer from leap.bitmask.vpn import _management diff --git a/src/leap/bitmask/vpn/service.py b/src/leap/bitmask/vpn/service.py index 3550b4b..72fd2bb 100644 --- a/src/leap/bitmask/vpn/service.py +++ b/src/leap/bitmask/vpn/service.py @@ -27,6 +27,9 @@ from twisted.internet import defer from leap.bitmask.hooks import HookableService from leap.bitmask.vpn.eip import EIPManager from leap.bitmask.vpn._checks import is_service_ready, get_eip_cert_path +from leap.bitmask.vpn._config import get_bitmask_helper_path +from leap.bitmask.vpn._config import get_bitmask_polkit_policy_path +from leap.bitmask.vpn import privilege from leap.common.config import get_path_prefix from leap.common.files import check_and_fix_urw_only @@ -81,7 +84,11 @@ class EIPService(HookableService): and can be started""" # TODO either pass a provider, or set a given provider _ready = is_service_ready('demo.bitmask.net') - return {'eip_ready': 'ok'} + if _ready: + result = 'ok' + else: + result = 'no' + return {'eip_ready': result} @defer.inlineCallbacks def do_get_cert(self, provider): 
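Review bot: The new `else` branch that sets `result = 'no'` in `vpn/service.py` cannot be reached. After this commit's change to `_checks.py`, `is_service_ready` either returns `True` or lets `ImproperlyConfigured` propagate from `_has_valid_cert`, so a missing certificate surfaces as an exception instead of `{'eip_ready': 'no'}`. Either have `is_service_ready` catch `ImproperlyConfigured` and `return False`, or catch it at this call site and set `result = 'no'` there. The method's signature and the start of its docstring are above the hunk, so how callers handle a raised exception is not visible here.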
@@ -98,13 +105,21 @@ class EIPService(HookableService): check_and_fix_urw_only(cert_path) defer.returnValue({'get_cert': 'ok'}) + def do_install(self): + ask = privilege.install_helpers() + return {'install': 'ok'} + + def do_uninstall(self): + ask = privilege.uninstall_helpers() + return {'uninstall': 'ok'} + def _setup(self, provider): """Set up EIPManager for a specified provider. :param provider: the provider to use, e.g. 'demo.bitmask.net' :type provider: str""" - # FIXME + # FIXME --------------------------------------------------------- # XXX picked manually from eip-service.json remotes = ( ("198.252.153.84", "1194"), |