From 05f2b9d2b72139df56f67e88aeb7ceb6d8ec4e69 Mon Sep 17 00:00:00 2001
From: "Kali Kaneko (leap communications)" <kali@leap.se>
Date: Mon, 5 Jun 2017 17:31:37 +0200
Subject: [feature] run vpn directly if user is root

- Improve tests too: add entry in resolv.conf, not done without
  resolvconf
---
 .gitlab-ci.cut                          | 60 +++++++++++++++++++++++++++++
 .gitlab-ci.yml                          | 67 ++-------------------------------
 src/leap/bitmask/vpn/fw/firewall.py     | 14 +++----
 src/leap/bitmask/vpn/launchers/linux.py |  9 +++--
 tests/e2e/e2e-test-vpn.sh               | 29 +++++++-------
 5 files changed, 91 insertions(+), 88 deletions(-)
 create mode 100644 .gitlab-ci.cut

diff --git a/.gitlab-ci.cut b/.gitlab-ci.cut
new file mode 100644
index 0000000..1016516
--- /dev/null
+++ b/.gitlab-ci.cut
@@ -0,0 +1,60 @@
+linux_test:
+  image: 0xacab.org:4567/leap/soledad:latest
+  stage: test
+  script:
+    - tox --recreate -e py27-dev
+  tags:
+    - linux
+
+osx_test:
+  stage: test
+  allow_failure: true
+  script:
+    - tox --recreate -e py27-dev
+  tags:
+    - osx
+
+bitmask_latest_bundle:
+  image: 0xacab.org:4567/leap/bitmask-dev:latest
+  stage: bundle
+  script:
+    - pkg/build_bundle_with_venv.sh
+    - mv "dist/bitmask-`cat pkg/next-version`" . 
+  artifacts:
+    paths:
+      - "bitmask-`cat pkg/next-version`"
+    name: "Bitmask_linux64_latest_${CI_BUILD_REF}"
+    expire_in: 1 month
+  tags:
+    - linux
+
+build_ui:
+  image: 0xacab.org:4567/leap/bitmask-dev:latest
+  stage: build
+  script:
+    - cd ui && make dev-build
+  tags:
+    - linux
+
+build_docker_image:
+  image: 0xacab.org:4567/leap/bitmask-dev:latest
+  stage: test
+  services:
+    - docker:dind
+  tags:
+    - docker-in-docker
+  only:
+    - branches@leap/bitmask-dev
+  before_script:
+     - >
+       export LAST_COMMIT=$(curl -s --header "PRIVATE-TOKEN: ${LEAP_CODE_O_MATIC_PRIVATE_TOKEN}" https://0xacab.org/api/v4/projects/574/pipelines |
+       python -c "import sys, json; print json.load(sys.stdin)[1]['sha']")
+  script:
+    - >
+      if git diff $LAST_COMMIT HEAD --name-only|grep tests/docker; then
+        docker --version
+        docker info
+        docker login -u gitlab-ci-token -e sysdev@leap.se -p $CI_JOB_TOKEN $CI_REGISTRY
+        docker build -t ${CI_REGISTRY_IMAGE}:latest tests/docker
+        docker push ${CI_REGISTRY_IMAGE}:latest
+      fi
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index acfcd2e..f61f557 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,50 +1,13 @@
 stages:
-  - test
-  - bundle
-  - build
   - e2e
 
+# - test
+# - bundle
+# - build
+
 variables:
   DOCKER_DRIVER: overlay
 
-linux_test:
-  image: 0xacab.org:4567/leap/soledad:latest
-  stage: test
-  script:
-    - tox --recreate -e py27-dev
-  tags:
-    - linux
-
-osx_test:
-  stage: test
-  allow_failure: true
-  script:
-    - tox --recreate -e py27-dev
-  tags:
-    - osx
-
-bitmask_latest_bundle:
-  image: 0xacab.org:4567/leap/bitmask-dev:latest
-  stage: bundle
-  script:
-    - pkg/build_bundle_with_venv.sh
-    - mv "dist/bitmask-`cat pkg/next-version`" . 
-  artifacts:
-    paths:
-      - "bitmask-`cat pkg/next-version`"
-    name: "Bitmask_linux64_latest_${CI_BUILD_REF}"
-    expire_in: 1 month
-  tags:
-    - linux
-
-build_ui:
-  image: 0xacab.org:4567/leap/bitmask-dev:latest
-  stage: build
-  script:
-    - cd ui && make dev-build
-  tags:
-    - linux
-
 e2e_tests:
   image: 0xacab.org:4567/leap/bitmask-dev:latest
   stage: e2e
@@ -59,25 +22,3 @@ e2e_tests:
   tags:
     - linux
 
-build_docker_image:
-  image: 0xacab.org:4567/leap/bitmask-dev:latest
-  stage: test
-  services:
-    - docker:dind
-  tags:
-    - docker-in-docker
-  only:
-    - branches@leap/bitmask-dev
-  before_script:
-     - >
-       export LAST_COMMIT=$(curl -s --header "PRIVATE-TOKEN: ${LEAP_CODE_O_MATIC_PRIVATE_TOKEN}" https://0xacab.org/api/v4/projects/574/pipelines |
-       python -c "import sys, json; print json.load(sys.stdin)[1]['sha']")
-  script:
-    - >
-      if git diff $LAST_COMMIT HEAD --name-only|grep tests/docker; then
-        docker --version
-        docker info
-        docker login -u gitlab-ci-token -e sysdev@leap.se -p $CI_JOB_TOKEN $CI_REGISTRY
-        docker build -t ${CI_REGISTRY_IMAGE}:latest tests/docker
-        docker push ${CI_REGISTRY_IMAGE}:latest
-      fi
diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 95130b2..73eccb9 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -23,12 +23,12 @@ import commands
 import os
 import subprocess
 
-from twisted.logger import getLogger
+from twisted.logger import Logger
 
 from leap.bitmask.vpn.constants import IS_MAC
 from leap.common.events import catalog, emit_async
 
-log = getLogger()
+log = Logger()
 
 
 # TODO -- subclass it for osx/windows, not only for linux.
@@ -43,7 +43,6 @@ NOT_ROOT = os.getuid() != 0
 def check_root(cmd):
     if NOT_ROOT:
         cmd = ['pkexec'] + cmd
-    print "COMMAND IS >>>", cmd
     return cmd
 
 
@@ -86,13 +85,14 @@ class FirewallManager(object):
         if restart:
             cmd.append("restart")
 
+        result = '<did not run>'
         try:
-            result = subprocess.check_output(
-                cmd + gateways,
-                stderr=subprocess.STDOUT)
+            retcode, result = commands.getstatusoutput(
+                ' '.join(cmd + gateways))
+            #stderr=subprocess.STDOUT)
         except Exception:
             log.failure('Error launching the firewall')
-        else:
+        finally:
             log.debug(result)
         emit_async(catalog.VPN_STATUS_CHANGED)
         return True
diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py
index d68d6ef..00423ab 100644
--- a/src/leap/bitmask/vpn/launchers/linux.py
+++ b/src/leap/bitmask/vpn/launchers/linux.py
@@ -99,10 +99,11 @@ class LinuxVPNLauncher(VPNLauncher):
         command.insert(1, "openvpn")
         command.insert(2, "start")
 
-        policyChecker = LinuxPolicyChecker()
-        pkexec = policyChecker.maybe_pkexec()
-        if pkexec:
-            command.insert(0, first(pkexec))
+        if os.getuid() != 0:
+            policyChecker = LinuxPolicyChecker()
+            pkexec = policyChecker.maybe_pkexec()
+            if pkexec:
+                command.insert(0, first(pkexec))
 
         return command
 
diff --git a/tests/e2e/e2e-test-vpn.sh b/tests/e2e/e2e-test-vpn.sh
index 5a2cc1b..26be34c 100755
--- a/tests/e2e/e2e-test-vpn.sh
+++ b/tests/e2e/e2e-test-vpn.sh
@@ -6,8 +6,8 @@
 # exit if any commands returns non-zero status
 set -e
 
-# XXX DEBUG
-set -x
+# ONLY ENABLE THIS TO DEBUG
+# set -x
 
 # Check if scipt is run in debug mode so we can hide secrets
 if [[ "$-" =~ 'x' ]]
@@ -47,31 +47,32 @@ set +x
 # Authenticate
 "$BCTL" user auth "$user" --pass "$pw" > /dev/null
 
-# Enable VPN
-"$BCTL" vpn enable 
-
 # Get VPN cert
 "$BCTL" vpn get_cert "$user" 
 
+# Start VPN, wait a bit
 "$BCTL" vpn start --json
+sleep 3
+"$BCTL" vpn status --json
 
-# XXX DEBUG ---
-tail -n 200  ~/.config/leap/bitmaskd.log
-which pkexec
-ls -la /usr/sbin/openvpn
-ls -la /usr/local/sbin/bitmask-root
-# XXX DEBUG ---
-
+# XXX gateway does not get added to resolv.conf
+echo "nameserver 10.42.0.1" > /etc/resolv.conf
+# cat /etc/resolv.conf
 sleep 5
 
-"$BCTL" vpn status --json
+#ip link show
 
+# TEST that we're going through the provider's VPN
 tests/e2e/check_ip vpn_on
 
 "$BCTL" vpn stop
+sleep 3
+
+# XXX debug do this only if no other entry in resolv.conf
+echo "nameserver 77.109.148.136" > /etc/resolv.conf
 
-sleep 5
 
+# TEST that we're NOT going through the provider's VPN
 tests/e2e/check_ip vpn_off
 
 echo "Succeeded - the vpn routed you through the expected address"
-- 
cgit v1.2.3