summaryrefslogtreecommitdiff
path: root/src/leap/eip
diff options
context:
space:
mode:
Diffstat (limited to 'src/leap/eip')
-rw-r--r--src/leap/eip/checks.py29
-rw-r--r--src/leap/eip/config.py27
-rw-r--r--src/leap/eip/specs.py37
-rw-r--r--src/leap/eip/tests/data.py33
-rw-r--r--src/leap/eip/tests/test_config.py64
5 files changed, 122 insertions, 68 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 8d615b94..d7f4402b 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -160,7 +160,6 @@ class ProviderCertChecker(object):
if autocacert and verify is True and self.cacert is not None:
logger.debug('verify cert: %s', self.cacert)
verify = self.cacert
- #import pdb4qt; pdb4qt.set_trace()
logger.debug('is https working?')
logger.debug('uri: %s (verify:%s)', uri, verify)
try:
@@ -242,7 +241,9 @@ class ProviderCertChecker(object):
raise
try:
pemfile_content = req.content
- self.is_valid_pemfile(pemfile_content)
+ valid = self.is_valid_pemfile(pemfile_content)
+ if not valid:
+ return False
cert_path = self._get_client_cert_path()
self.write_cert(pemfile_content, to=cert_path)
except:
@@ -276,7 +277,10 @@ class ProviderCertChecker(object):
cert = gnutls.crypto.X509Certificate(cert_s)
from_ = time.gmtime(cert.activation_time)
to_ = time.gmtime(cert.expiration_time)
- return from_ < now() < to_
+ # FIXME BUG ON LEAP_CLI, certs are not valid on gmtime
+ # See #1153
+ #return from_ < now() < to_
+ return now() < to_
def is_valid_pemfile(self, cert_s=None):
"""
@@ -290,23 +294,8 @@ class ProviderCertChecker(object):
certfile = self._get_client_cert_path()
with open(certfile) as cf:
cert_s = cf.read()
- try:
- # XXX get a real cert validation
- # so far this is only checking begin/end
- # delimiters :)
- # XXX use gnutls for get proper
- # validation.
- # crypto.X509Certificate(cert_s)
- sep = "-" * 5 + "BEGIN CERTIFICATE" + "-" * 5
- # we might have private key and cert in the same file
- certparts = cert_s.split(sep)
- if len(certparts) > 1:
- cert_s = sep + certparts[1]
- ssl.PEM_cert_to_DER_cert(cert_s)
- except:
- # XXX raise proper exception
- raise
- return True
+ valid = certs.can_load_cert_and_pkey(cert_s)
+ return valid
@property
def ca_cert_path(self):
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index e40d2785..48e6e9a7 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -65,9 +65,12 @@ def get_eip_gateway(eipconfig=None, eipserviceconfig=None):
that matches the name defined in the eip.json config
file.
"""
+ # XXX eventually we should move to a more clever
+ # gateway selection. maybe we could return
+ # all gateways that match our cluster.
+
null_check(eipconfig, "eipconfig")
null_check(eipserviceconfig, "eipserviceconfig")
-
PLACEHOLDER = "testprovider.example.org"
conf = eipconfig.config
@@ -78,26 +81,26 @@ def get_eip_gateway(eipconfig=None, eipserviceconfig=None):
return PLACEHOLDER
gateways = eipsconf.get('gateways', None)
-
if not gateways:
logger.error('missing gateways in eip service config')
return PLACEHOLDER
if len(gateways) > 0:
for gw in gateways:
- name = gw.get('name', None)
- if not name:
+ clustername = gw.get('cluster', None)
+ if not clustername:
+ logger.error('no cluster name')
return
- if name == primary_gateway:
- hosts = gw.get('hosts', None)
- if not hosts:
- logger.error('no hosts')
+ if clustername == primary_gateway:
+ # XXX at some moment, we must
+ # make this a more generic function,
+ # and return ports, protocols...
+ ipaddress = gw.get('ip_address', None)
+ if not ipaddress:
+ logger.error('no ip_address')
return
- if len(hosts) > 0:
- return hosts[0]
- else:
- logger.error('no hosts')
+ return ipaddress
logger.error('could not find primary gateway in provider'
'gateway list')
diff --git a/src/leap/eip/specs.py b/src/leap/eip/specs.py
index cf5d5359..c41fd29b 100644
--- a/src/leap/eip/specs.py
+++ b/src/leap/eip/specs.py
@@ -77,12 +77,12 @@ eipconfig_spec = {
},
'primary_gateway': {
'type': unicode,
- 'default': u"turkey",
+ 'default': u"location_unknown",
#'required': True
},
'secondary_gateway': {
'type': unicode,
- 'default': u"france"
+ 'default': u"location_unknown2"
},
'management_password': {
'type': unicode
@@ -100,25 +100,30 @@ eipservice_config_spec = {
'default': 1
},
'version': {
- 'type': unicode,
+ 'type': int,
'required': True,
- 'default': "0.1.0"
+ 'default': 1
},
- 'capabilities': {
- 'type': dict,
- 'default': {
- "transport": ["openvpn"],
- "ports": ["80", "53"],
- "protocols": ["udp", "tcp"],
- "static_ips": True,
- "adblock": True}
+ 'clusters': {
+ 'type': list,
+ 'default': [
+ {"label": {
+ "en": "Location Unknown"},
+ "name": "location_unknown"}]
},
'gateways': {
'type': list,
- 'default': [{"country_code": "us",
- "label": {"en":"west"},
- "capabilities": {},
- "hosts": ["1.2.3.4", "1.2.3.5"]}]
+ 'default': [
+ {"capabilities": {
+ "adblock": True,
+ "filter_dns": True,
+ "ports": ["80", "53", "443", "1194"],
+ "protocols": ["udp", "tcp"],
+ "transport": ["openvpn"],
+ "user_ips": False},
+ "cluster": "location_unknown",
+ "host": "location.example.org",
+ "ip_address": "127.0.0.1"}]
},
'openvpn_configuration': {
'type': dict,
diff --git a/src/leap/eip/tests/data.py b/src/leap/eip/tests/data.py
index cadf720e..a7fe1853 100644
--- a/src/leap/eip/tests/data.py
+++ b/src/leap/eip/tests/data.py
@@ -23,26 +23,29 @@ EIP_SAMPLE_CONFIG = {
"keys/client/openvpn.pem" % PROVIDER),
"connect_on_login": True,
"block_cleartext_traffic": True,
- "primary_gateway": "turkey",
- "secondary_gateway": "france",
+ "primary_gateway": "location_unknown",
+ "secondary_gateway": "location_unknown2",
#"management_password": "oph7Que1othahwiech6J"
}
EIP_SAMPLE_SERVICE = {
"serial": 1,
- "version": "0.1.0",
- "capabilities": {
- "transport": ["openvpn"],
- "ports": ["80", "53"],
- "protocols": ["udp", "tcp"],
- "static_ips": True,
- "adblock": True
- },
+ "version": 1,
+ "clusters": [
+ {"label": {
+ "en": "Location Unknown"},
+ "name": "location_unknown"}
+ ],
"gateways": [
- {"country_code": "tr",
- "name": "turkey",
- "label": {"en":"Ankara, Turkey"},
- "capabilities": {},
- "hosts": ["192.0.43.10"]}
+ {"capabilities": {
+ "adblock": True,
+ "filter_dns": True,
+ "ports": ["80", "53", "443", "1194"],
+ "protocols": ["udp", "tcp"],
+ "transport": ["openvpn"],
+ "user_ips": False},
+ "cluster": "location_unknown",
+ "host": "location.example.org",
+ "ip_address": "192.0.43.10"}
]
}
diff --git a/src/leap/eip/tests/test_config.py b/src/leap/eip/tests/test_config.py
index 404d543f..5977ef3c 100644
--- a/src/leap/eip/tests/test_config.py
+++ b/src/leap/eip/tests/test_config.py
@@ -15,7 +15,7 @@ except ImportError:
from leap.eip import config as eipconfig
from leap.eip.tests.data import EIP_SAMPLE_CONFIG, EIP_SAMPLE_SERVICE
from leap.testing.basetest import BaseLeapTest
-from leap.util.fileutil import mkdir_p
+from leap.util.fileutil import mkdir_p, mkdir_f
_system = platform.system()
@@ -48,11 +48,12 @@ class EIPConfigTest(BaseLeapTest):
open(tfile, 'wb').close()
os.chmod(tfile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
- def write_sample_eipservice(self, vpnciphers=False, extra_vpnopts=None):
+ def write_sample_eipservice(self, vpnciphers=False, extra_vpnopts=None,
+ gateways=None):
conf = eipconfig.EIPServiceConfig()
- folder, f = os.path.split(conf.filename)
- if not os.path.isdir(folder):
- mkdir_p(folder)
+ mkdir_f(conf.filename)
+ if gateways:
+ EIP_SAMPLE_SERVICE['gateways'] = gateways
if vpnciphers:
openvpnconfig = OrderedDict({
"auth": "SHA1",
@@ -75,6 +76,10 @@ class EIPConfigTest(BaseLeapTest):
fd.write(json.dumps(EIP_SAMPLE_CONFIG))
def get_expected_openvpn_args(self, with_openvpn_ciphers=False):
+ """
+ yeah, this is almost as duplicating the
+ code for building the command
+ """
args = []
eipconf = eipconfig.EIPConfig(domain=self.provider)
eipconf.load()
@@ -156,6 +161,55 @@ class EIPConfigTest(BaseLeapTest):
# params in the function call, to disable
# some checks.
+ def test_get_eip_gateway(self):
+ self.write_sample_eipconfig()
+ eipconf = eipconfig.EIPConfig(domain=self.provider)
+
+ # default eipservice
+ self.write_sample_eipservice()
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+
+ gateway = eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf)
+
+ # in spec is local gateway by default
+ self.assertEqual(gateway, '127.0.0.1')
+
+ # change eipservice
+ # right now we only check that cluster == selected primary gw in
+ # eip.json, and pick first matching ip
+ eipconf._config.config['primary_gateway'] = "foo_provider"
+ newgateways = [{"cluster": "foo_provider",
+ "ip_address": "127.0.0.99"}]
+ self.write_sample_eipservice(gateways=newgateways)
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+ # load from disk file
+ eipsconf.load()
+
+ gateway = eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf)
+ self.assertEqual(gateway, '127.0.0.99')
+
+ # change eipservice, several gateways
+ # right now we only check that cluster == selected primary gw in
+ # eip.json, and pick first matching ip
+ eipconf._config.config['primary_gateway'] = "bar_provider"
+ newgateways = [{"cluster": "foo_provider",
+ "ip_address": "127.0.0.99"},
+ {'cluster': "bar_provider",
+ "ip_address": "127.0.0.88"}]
+ self.write_sample_eipservice(gateways=newgateways)
+ eipsconf = eipconfig.EIPServiceConfig(domain=self.provider)
+ # load from disk file
+ eipsconf.load()
+
+ gateway = eipconfig.get_eip_gateway(
+ eipconfig=eipconf,
+ eipserviceconfig=eipsconf)
+ self.assertEqual(gateway, '127.0.0.88')
+
def test_build_ovpn_command_empty_config(self):
self.touch_exec()
self.write_sample_eipservice()