From 530e10214a6f018909714b288d997df13ab4f9df Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 8 Aug 2012 06:53:10 +0900
Subject: check for bad permissions on vpn key files

---
 src/leap/eip/config.py | 56 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

(limited to 'src/leap/eip/config.py')

diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index 9af6f57a..91c3953b 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -4,13 +4,17 @@ import logging
 import os
 import platform
 
-from leap.util.fileutil import which, mkdir_p
+from leap.util.fileutil import (which, mkdir_p,
+                                check_and_fix_urw_only)
 from leap.baseapp.permcheck import (is_pkexec_in_system,
                                     is_auth_agent_running)
 
 logger = logging.getLogger(name=__name__)
 logger.setLevel('DEBUG')
 
+# XXX move exceptions to
+# from leap.eip import exceptions as eip_exceptions
+
 
 class EIPNoPkexecAvailable(Exception):
     pass
@@ -20,6 +24,14 @@ class EIPNoPolkitAuthAgentAvailable(Exception):
     pass
 
 
+class EIPInitNoKeyFileError(Exception):
+    pass
+
+
+class EIPInitBadKeyFilePermError(Exception):
+    pass
+
+
 OPENVPN_CONFIG_TEMPLATE = """#Autogenerated by eip-client wizard
 remote {VPN_REMOTE_HOST} {VPN_REMOTE_PORT}
 
@@ -345,3 +357,45 @@ def get_config(config_file=None):
     config.readfp(config_file)
 
     return config
+
+
+def check_vpn_keys(config):
+    """
+    performs an existance and permission check
+    over the openvpn keys file.
+    Currently we're expecting a single file
+    per provider, containing the CA cert,
+    the provider key, and our client certificate
+    """
+
+    keyopt = ('provider', 'keyfile')
+
+    # XXX at some point,
+    # should separate between CA, provider cert
+    # and our certificate.
+    # make changes in the default provider template
+    # accordingly.
+
+    # get vpn keys
+    if config.has_option(*keyopt):
+        keyfile = config.get(*keyopt)
+    else:
+        keyfile = get_config_file(
+            'openvpn.keys',
+            folder=get_default_provider_path())
+        logger.debug('keyfile = %s', keyfile)
+
+    # if no keys, raise error.
+    # should be catched by the ui and signal user.
+
+    if not os.path.isfile(keyfile):
+        logger.error('key file %s not found. aborting.',
+                     keyfile)
+        raise EIPInitNoKeyFileError
+
+    # check proper permission on keys
+    # bad perms? try to fix them
+    try:
+        check_and_fix_urw_only(keyfile)
+    except OSError:
+        raise EIPInitBadKeyFilePermError
-- 
cgit v1.2.3