def bitmask_root_vpn_down(self):
"""
Bring openvpn down using the privileged wrapper.
"""
if IS_MAC:
# We don't support Mac so far
return True
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
exitCode = subprocess.call(["pkexec", BM_ROOT, "openvpn", "stop"])
return True if exitCode is 0 else False
def bitmask_root_vpn_down(self):
"""
Bring openvpn down using the privileged wrapper.
"""
if IS_MAC:
# We don't support Mac so far
return True
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
exitCode = subprocess.call(["pkexec",
BM_ROOT, "openvpn", "stop"])
return True if exitCode is 0 else False
def is_fw_down(self):
"""
Return whether the firewall is down or not.
:rtype: bool
"""
return True
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
fw_up_cmd = "pkexec {0} firewall isup".format(BM_ROOT)
fw_is_down = lambda: commands.getstatusoutput(fw_up_cmd)[0] == 256
return fw_is_down()
def tear_down_firewall(self):
"""
Tear the firewall down using the privileged wrapper.
"""
return True
if IS_MAC:
# We don't support Mac so far
return True
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
exitCode = subprocess.call(["pkexec", BM_ROOT, "firewall", "stop"])
return True if exitCode is 0 else False
def is_fw_down(self):
"""
Return whether the firewall is down or not.
:rtype: bool
"""
return True
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
fw_up_cmd = "pkexec {0} firewall isup".format(BM_ROOT)
fw_is_down = lambda: commands.getstatusoutput(fw_up_cmd)[0] == 256
return fw_is_down()
def tear_down_firewall(self):
"""
Tear the firewall down using the privileged wrapper.
"""
return True
if IS_MAC:
# We don't support Mac so far
return True
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
exitCode = subprocess.call(["pkexec",
BM_ROOT, "firewall", "stop"])
return True if exitCode is 0 else False
def missing_other_files(kls):
"""
Return what other important files are missing during startup.
Same as missing_updown_scripts but does not check for exec bit.
:rtype: list
"""
# leap_assert(kls.OTHER_FILES is not None,
# "Need to define OTHER_FILES for this particular "
# "auncher before calling this method")
# TODO assert vs except?
if kls.OTHER_FILES is None:
raise Exception(
"Need to define OTHER_FILES for this particular "
"auncher before calling this method")
other = force_eval(kls.OTHER_FILES)
file_exist = partial(_has_other_files, warn=False)
if flags_STANDALONE:
try:
from leap.bitmask import _binaries
except ImportError:
raise RuntimeError(
"Could not find binary hash info in this bundle!")
_, bitmask_root_path, openvpn_bin_path = other
check_hash = _has_expected_binary_hash
openvpn_hash = _binaries.OPENVPN_BIN
bitmask_root_hash = _binaries.BITMASK_ROOT
correct_hash = (
True, # we do not check the polkit file
check_hash(bitmask_root_path, bitmask_root_hash),
check_hash(openvpn_bin_path, openvpn_hash))
zipped = zip(other, map(file_exist, other), correct_hash)
missing = filter(
lambda (path, exists, hash_ok): (
exists is False or hash_ok is False),
zipped)
return [path for path, exists, hash_ok in missing]
else:
zipped = zip(other, map(file_exist, other))
missing = filter(lambda (path, exists): exists is False, zipped)
return [path for path, exists in missing]
def get_vpn_command(kls, eipconfig, providerconfig, socket_host,
remotes, socket_port="unix", openvpn_verb=1):
"""
Returns the Linux implementation for the vpn launching command.
Might raise:
EIPNoPkexecAvailable,
EIPNoPolkitAuthAgentAvailable,
OpenVPNNotFoundException,
VPNLauncherException.
:param eipconfig: eip configuration object
:type eipconfig: EIPConfig
:param providerconfig: provider specific configuration
:type providerconfig: ProviderConfig
:param socket_host: either socket path (unix) or socket IP
:type socket_host: str
:param socket_port: either string "unix" if it's a unix socket,
or port otherwise
:type socket_port: str
:param openvpn_verb: the openvpn verbosity wanted
:type openvpn_verb: int
:return: A VPN command ready to be launched.
:rtype: list
"""
# we use `super` in order to send the class to use
command = super(LinuxVPNLauncher, kls).get_vpn_command(
eipconfig, providerconfig, socket_host, socket_port, remotes,
openvpn_verb)
command.insert(0, force_eval(kls.BITMASK_ROOT))
command.insert(1, "openvpn")
command.insert(2, "start")
policyChecker = LinuxPolicyChecker()
try:
pkexec = policyChecker.maybe_pkexec()
except NoPolkitAuthAgentAvailable:
raise EIPNoPolkitAuthAgentAvailable()
except NoPkexecAvailable:
raise EIPNoPkexecAvailable()
if pkexec:
command.insert(0, first(pkexec))
return command
def cmd_for_missing_scripts(kls, frompath):
"""
Returns a sh script that can copy the missing files.
:param frompath: The path where the helper files live
:type frompath: str
:rtype: str
"""
bin_paths = force_eval(
(LinuxVPNLauncher.POLKIT_PATH,
LinuxVPNLauncher.OPENVPN_BIN_PATH,
LinuxVPNLauncher.BITMASK_ROOT))
polkit_path, openvpn_bin_path, bitmask_root = bin_paths
# no system config for now
# sys_config = kls.SYSTEM_CONFIG
(polkit_file, openvpn_bin_file,
bitmask_root_file) = map(
lambda p: os.path.split(p)[-1],
bin_paths)
cmd = '#!/bin/sh\n'
cmd += 'mkdir -p /usr/local/sbin\n'
cmd += 'cp "%s" "%s"\n' % (os.path.join(frompath, polkit_file),
polkit_path)
cmd += 'chmod 644 "%s"\n' % (polkit_path, )
cmd += 'cp "%s" "%s"\n' % (os.path.join(frompath, bitmask_root_file),
bitmask_root)
cmd += 'chmod 744 "%s"\n' % (bitmask_root, )
if flags_STANDALONE:
cmd += 'cp "%s" "%s"\n' % (
os.path.join(frompath, openvpn_bin_file),
openvpn_bin_path)
cmd += 'chmod 744 "%s"\n' % (openvpn_bin_path, )
return cmd
def _launch_firewall(self, gateways, restart=False):
"""
Launch the firewall using the privileged wrapper.
:param gateways:
:type gateways: list
:returns: True if the exitcode of calling the root helper in a
subprocess is 0.
:rtype: bool
"""
return True
# XXX could check for wrapper existence, check it's root owned etc.
# XXX could check that the iptables rules are in place.
gateways = [gateway for gateway, port in gateways]
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
cmd = ["pkexec", BM_ROOT, "firewall", "start"]
if restart:
cmd.append("restart")
exitCode = subprocess.call(cmd + gateways)
return True if exitCode is 0 else False
def _launch_firewall(self, gateways, restart=False):
"""
Launch the firewall using the privileged wrapper.
:param gateways:
:type gateways: list
:returns: True if the exitcode of calling the root helper in a
subprocess is 0.
:rtype: bool
"""
return True
# XXX could check for wrapper existence, check it's root owned etc.
# XXX could check that the iptables rules are in place.
gateways = [gateway for gateway, port in gateways]
BM_ROOT = force_eval(linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT)
cmd = ["pkexec", BM_ROOT, "firewall", "start"]
if restart:
cmd.append("restart")
exitCode = subprocess.call(cmd + gateways)
return True if exitCode is 0 else False
def get_vpn_command(kls, eipconfig, providerconfig,
socket_host, socket_port, remotes, openvpn_verb=1):
"""
Return the platform-dependant vpn command for launching openvpn.
Might raise:
OpenVPNNotFoundException,
VPNLauncherException.
:param eipconfig: eip configuration object
:type eipconfig: EIPConfig
:param providerconfig: provider specific configuration
:type providerconfig: ProviderConfig
:param socket_host: either socket path (unix) or socket IP
:type socket_host: str
:param socket_port: either string "unix" if it's a unix socket,
or port otherwise
:type socket_port: str
:param openvpn_verb: the openvpn verbosity wanted
:type openvpn_verb: int
:return: A VPN command ready to be launched.
:rtype: list
"""
# leap_assert_type(eipconfig, EIPConfig)
# leap_assert_type(providerconfig, ProviderConfig)
# XXX this still has to be changed on osx and windows accordingly
# kwargs = {}
# openvpn_possibilities = which(kls.OPENVPN_BIN, **kwargs)
# if not openvpn_possibilities:
# raise OpenVPNNotFoundException()
# openvpn = first(openvpn_possibilities)
# -----------------------------------------
openvpn_path = force_eval(kls.OPENVPN_BIN_PATH)
if not os.path.isfile(openvpn_path):
logger.warning("Could not find openvpn bin in path %s" % (
openvpn_path))
raise OpenVPNNotFoundException()
args = []
args += [
'--setenv', "LEAPOPENVPN", "1",
'--nobind'
]
if openvpn_verb is not None:
args += ['--verb', '%d' % (openvpn_verb,)]
# gateways = kls.get_gateways(eipconfig, providerconfig)
gateways = remotes
for ip, port in gateways:
args += ['--remote', ip, port, 'udp']
args += [
'--client',
'--dev', 'tun',
'--persist-key',
'--tls-client',
'--remote-cert-tls',
'server'
]
openvpn_configuration = eipconfig.get_openvpn_configuration()
for key, value in openvpn_configuration.items():
args += ['--%s' % (key,), value]
user = getpass.getuser()
if socket_port == "unix": # that's always the case for linux
args += [
'--management-client-user', user
]
args += [
'--management-signal',
'--management', socket_host, socket_port,
'--script-security', '2'
]
if kls.UP_SCRIPT is not None:
if _has_updown_scripts(kls.UP_SCRIPT):
args += [
'--up', '\"%s\"' % (kls.UP_SCRIPT,),
]
if kls.DOWN_SCRIPT is not None:
if _has_updown_scripts(kls.DOWN_SCRIPT):
args += [
'--down', '\"%s\"' % (kls.DOWN_SCRIPT,)
]
args += [
'--cert', eipconfig.get_client_cert_path(providerconfig),
'--key', eipconfig.get_client_cert_path(providerconfig),
'--ca', providerconfig.get_ca_cert_path()
]
args += [
'--ping', '10',
'--ping-restart', '30']
command_and_args = [openvpn_path] + args
return command_and_args
