Commit 6f7177f3 authored by Tomás Touceda's avatar Tomás Touceda

Merge branch 'release-0.7.0'

parents e8c028f3 0db3d5a4
[main]
host = https://www.transifex.com
[bitmask.bitmask]
[bitmask.bitmask_client]
file_filter = data/translations/<lang>.ts
source_file = data/ts/en_US.ts
......
......@@ -6,6 +6,34 @@ History
2014
====
0.7.0 September 26 -- the "one time download, all time updates" release:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Select current provider on EIP preferences. Closes #5815.
- Handle logout correctly when we stop_services to launch the
wizard. Related to #5815.
- Properly remove /tmp/bitmask.lock. Closes #5866.
- Hide EIP Start button and display correct warning on missing helpers
files. Closes #5945.
- Save default provider if changed on the combo box. Closes #5995.
- Update the EIP status on provider change. Closes #5996.
- Update and get ready to start a provider on change. Closes #5997.
- Use python2 to run bitmask-root to work fine on systems with python3
as default. Closes #6048.
- Use python2.7 in bitmask-root shebang since is the common name for
python 2 in Ubuntu, Debian, Arch. Related to #6048.
- Remove dict comprenension in util, for 2.6 compat.
- Login shall not wait for eip to finish if eip is not able to
start. Closes #5994
- Properly send the token for querying the EIP certificate. Fixes
#6060.
- Code cleanup and logging improvements.
- Add email firewall blocking other users to access bitmask imap &
smtp. Closes #6040
- Remove the Advanced Key Management since we don't support stable
mail yet. Closes #6087.
- Single combined preferences window. Closes #4704, #4119, #5885.
0.6.1 August 15 -- the "knock knock knocking on beta's door" release:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
......
......@@ -19,9 +19,19 @@ TRANSLAT_DIR = data/translations
#Project file, used for translations
PROJFILE = data/bitmask.pro
#UI files to compile
UI_FILES = loggerwindow.ui mainwindow.ui wizard.ui login.ui preferences.ui eip_status.ui mail_status.ui eippreferences.ui advanced_key_management.ui
#Qt resource files to compile
# UI files to compile
UI_FILES = \
loggerwindow.ui \
wizard.ui \
mainwindow.ui login.ui eip_status.ui mail_status.ui \
preferences.ui \
preferences_account_page.ui \
preferences_vpn_page.ui \
preferences_email_page.ui \
password_change.ui \
advanced_key_management.ui
# Qt resource files to compile
RESOURCES = icons.qrc flags.qrc locale.qrc loggerwindow.qrc
#pyuic4 and pyrcc4 binaries
......@@ -95,5 +105,19 @@ resource_graph:
./pkg/scripts/monitor_resource.zsh `pgrep bitmask` $(RESOURCE_TIME)
display bitmask-resources.png
get_wheels:
pip install --upgrade setuptools
pip install --upgrade pip
pip install wheel
gather_wheels:
pip wheel --wheel-dir=../wheelhouse pyzmq --build-option "--zmq=bundled"
# because fuck u1db externals, that's why...
pip wheel --wheel-dir=../wheelhouse --allow-external dirspec --allow-unverified dirspec --allow-external u1db --allow-unverified u1db -r pkg/requirements.pip
install_wheel:
# if it's the first time, you'll need to get_wheels first
pip install --pre --use-wheel --no-index --find-links=../wheelhouse -r pkg/requirements.pip
clean :
$(RM) $(COMPILED_UI) $(COMPILED_RESOURCES) $(COMPILED_UI:.py=.pyc) $(COMPILED_RESOURCES:.py=.pyc)
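Review bot: The `gather_wheels` recipe passes `--allow-external`/`--allow-unverified` for `dirspec` and `u1db`, which tells pip to fetch those packages from off-index links with no checksum verification, so the wheelhouse that `install_wheel` later installs from contains whatever the external host served at the time. If the flags are unavoidable, replace the `# because fuck u1db externals` comment with one naming the expected versions and why the externals are needed, and pin those two packages in `pkg/requirements.pip`. `get_wheels`, `gather_wheels` and `install_wheel` are commands rather than files and should be added to `.PHONY` (the file's `.PHONY` line, if it has one, is outside this hunk). Also, pyzmq is built here with `--build-option "--zmq=bundled"` while the `pkg/requirements.pip` comment added in this same commit says `--install-option="--zmq=bundled"`; one of the two is presumably stale.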
......@@ -58,6 +58,7 @@
<file>../images/countries/us.png</file>
<file>../images/countries/ve.png</file>
<file>../images/countries/vn.png</file>
<file>../images/countries/xx.png</file>
<file>../images/countries/za.png</file>
</qresource>
</RCC>
\ No newline at end of file
......@@ -2,5 +2,6 @@
<qresource>
<file>../translations/vi.qm</file>
<file>../translations/en_GB.qm</file>
<file>../translations/es.qm</file>
</qresource>
</RCC>

......@@ -49,6 +49,19 @@ firewall
**stop** Stops the firewall.
**isup** Check if the firewall is up.
fw-email
---------
**start** UID Starts the email firewall. UID is the user name or unix
id that will have access to the email.
**stop** Stops the email firewall.
**isup** Check if the email firewall is up.
version
--------
......
#!/usr/bin/python
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
# Copyright (C) 2014 LEAP
......@@ -25,6 +25,8 @@ USAGE:
bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ...
bitmask-root openvpn stop
bitmask-root openvpn start CONFIG1 CONFIG1 ...
bitmask-root fw-email stop
bitmask-root fw-email start uid
All actions return exit code 0 for success, non-zero otherwise.
......@@ -49,12 +51,17 @@ cmdcheck = subprocess.check_output
# CONSTANTS
#
VERSION = "2"
VERSION = "3"
SCRIPT = "bitmask-root"
NAMESERVER = "10.42.0.1"
BITMASK_CHAIN = "bitmask"
BITMASK_CHAIN_NAT_OUT = "bitmask"
BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
BITMASK_CHAIN_EMAIL = "bitmask_email"
BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
LOCAL_INTERFACE = "lo"
IMAP_PORT = "1984"
SMTP_PORT = "2013"
IP = "/bin/ip"
IPTABLES = "/sbin/iptables"
......@@ -101,7 +108,8 @@ PARAM_FORMATS = {
"^[a-zA-Z0-9_\.\@][a-zA-Z0-9_\-\.\@]*\$?$", s), # IEEE Std 1003.1-2001
"FILE": lambda s: os.path.isfile(s),
"DIR": lambda s: os.path.isdir(os.path.split(s)[0]),
"UNIXSOCKET": lambda s: s == "unix"
"UNIXSOCKET": lambda s: s == "unix",
"UID": lambda s: re.match("^[a-zA-Z0-9]+$", s)
}
......@@ -740,6 +748,119 @@ def firewall_stop():
"Please try `firewall stop` again.")
def fw_email_start(args):
"""
Bring up the email firewall.
:param args: the user uid of the bitmask process
:type args: list
"""
# add custom chain "bitmask_email" to front of INPUT chain
if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
ip4tables("--new-chain", BITMASK_CHAIN_EMAIL)
if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL):
ip6tables("--new-chain", BITMASK_CHAIN_EMAIL)
iptables("--insert", "INPUT", "--jump", BITMASK_CHAIN_EMAIL)
# add custom chain "bitmask_email_output" to front of OUTPUT chain
if not ipv4_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
ip4tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
if not ipv6_chain_exists(BITMASK_CHAIN_EMAIL_OUT):
ip6tables("--new-chain", BITMASK_CHAIN_EMAIL_OUT)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT)
# Disable the access to imap and smtp from outside
iptables("--append", BITMASK_CHAIN_EMAIL,
"--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
"--dport", IMAP_PORT, "--jump", "ACCEPT")
iptables("--append", BITMASK_CHAIN_EMAIL,
"--in-interface", LOCAL_INTERFACE, "--protocol", "tcp",
"--dport", SMTP_PORT, "--jump", "ACCEPT")
iptables("--append", BITMASK_CHAIN_EMAIL,
"--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
iptables("--append", BITMASK_CHAIN_EMAIL,
"--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
if not args or not PARAM_FORMATS["UID"](args[0]):
raise Exception("No uid given")
uid = args[0]
# Only the unix 'uid' have access to the email imap and smtp ports
iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
"--out-interface", LOCAL_INTERFACE,
"--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
"--dport", IMAP_PORT, "--jump", "ACCEPT")
iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
"--out-interface", LOCAL_INTERFACE,
"--match", "owner", "--uid-owner", uid, "--protocol", "tcp",
"--dport", SMTP_PORT, "--jump", "ACCEPT")
iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
"--out-interface", LOCAL_INTERFACE,
"--protocol", "tcp", "--dport", IMAP_PORT, "--jump", "REJECT")
iptables("--append", BITMASK_CHAIN_EMAIL_OUT,
"--out-interface", LOCAL_INTERFACE,
"--protocol", "tcp", "--dport", SMTP_PORT, "--jump", "REJECT")
def fw_email_stop():
"""
Stop the email firewall.
"""
ok = True
try:
iptables("--delete", "INPUT", "--jump", BITMASK_CHAIN_EMAIL,
throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to remove bitmask email firewall from INPUT "
"chain (maybe it is already removed?)", exc)
ok = False
try:
iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN_EMAIL_OUT,
throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to remove bitmask email firewall from OUTPUT "
"chain (maybe it is already removed?)", exc)
ok = False
try:
ip4tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to flush and delete bitmask ipv4 email firewall "
"chain (maybe it is already destroyed?)", exc)
ok = False
try:
ip6tables("--flush", BITMASK_CHAIN_EMAIL, throw=True)
ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL, throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to flush and delete bitmask ipv6 email firewall "
"chain (maybe it is already destroyed?)", exc)
ok = False
try:
ip4tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
ip4tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to flush and delete bitmask ipv4 email firewall "
"chain (maybe it is already destroyed?)", exc)
ok = False
try:
ip6tables("--flush", BITMASK_CHAIN_EMAIL_OUT, throw=True)
ip6tables("--delete-chain", BITMASK_CHAIN_EMAIL_OUT, throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to flush and delete bitmask ipv6 email firewall "
"chain (maybe it is already destroyed?)", exc)
ok = False
if not (ok or ipv4_chain_exists or ipv6_chain_exists):
raise Exception("email firewall might still be left up. "
"Please try `fw-email stop` again.")
#
# MAIN
#
......@@ -793,6 +914,26 @@ def main():
else:
bail("INFO: bitmask firewall is down")
elif command == "fw-email_start":
try:
fw_email_start(args)
except Exception as ex:
if not is_restart:
fw_email_stop()
bail("ERROR: could not start email firewall", ex)
elif command == "fw-email_stop":
try:
fw_email_stop()
except Exception as ex:
bail("ERROR: could not stop email firewall", ex)
elif command == "fw-email_isup":
if ipv4_chain_exists(BITMASK_CHAIN_EMAIL):
log("%s: INFO: bitmask email firewall is up" % (SCRIPT,))
else:
bail("INFO: bitmask email firewall is down")
else:
bail("ERROR: No such command")
else:
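Review bot: The final check in `fw_email_stop`, `if not (ok or ipv4_chain_exists or ipv6_chain_exists):`, tests the helper functions themselves rather than calling them, so the expression is always false and the "email firewall might still be left up" error can never be raised; it should read along the lines of `if not ok and (ipv4_chain_exists(BITMASK_CHAIN_EMAIL) or ipv6_chain_exists(BITMASK_CHAIN_EMAIL) or ipv4_chain_exists(BITMASK_CHAIN_EMAIL_OUT) or ipv6_chain_exists(BITMASK_CHAIN_EMAIL_OUT)):`. In `fw_email_start` the uid is validated only after the INPUT chain and its rules have already been installed, so an invalid argument leaves the email firewall half-configured until the `fw_email_stop` in `main` cleans up; move the `if not args or not PARAM_FORMATS["UID"](args[0]):` guard to the top of the function, before the first `ip4tables` call. The new `UID` format `^[a-zA-Z0-9]+$` rejects user names containing `_`, `-` or `.`, which the `USER` format a few lines above accepts, so a name like a hyphenated account would be refused even though the documentation in this commit says a "user name or unix id" is accepted; mirroring the `USER` pattern would be consistent. The `--insert` of the jump rules into `INPUT` and `OUTPUT` is unconditional, so a second `fw-email start` (the `is_restart` path in `main`, whose hunk is partial) appears to add a duplicate jump each time — worth confirming and guarding with the existing `*_chain_exists` helpers or a delete-before-insert.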
......
......@@ -27,7 +27,13 @@ LIB_VIRTUALENV_PATH=$(python -c "$GET_PYTHON_LIB_CMD")
if [[ $platform == 'linux' ]]; then
LIB_SYSTEM_PATH=$(${VAR[-1]} -c "$GET_PYTHON_LIB_CMD")
elif [[ $platform == 'darwin' ]]; then
LIB_SYSTEM_PATH=$(/opt/local/bin/python2.6 -c "$GET_PYTHON_LIB_CMD")
ORIGINAL_PATH=$PATH
#change first colon of path to | because path substitution is greedy
PATH=${PATH/:/|}
#remove everything up to | from path
PATH=${PATH/*|/}
LIB_SYSTEM_PATH=$(python -c "$GET_PYTHON_LIB_CMD")
PATH=$ORIGINAL_PATH
else
echo "unsupported platform; not doing symlinks"
fi
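Review bot: The two substitutions on `PATH` (`${PATH/:/|}` followed by `${PATH/*|/}`) are a roundabout way of dropping the first `PATH` entry, which `PATH=${PATH#*:}` does in one step and without the comment about greedy substitution. Whichever form is kept, the code relies on the virtualenv's `bin` directory being the first `PATH` entry (the `LIB_VIRTUALENV_PATH` line above depends on the same activation), so state that in a comment, e.g. `# the active virtualenv's bin is first in PATH; drop it so 'python' resolves to the system interpreter`. Note that with a single-entry `PATH` both the current code and `${PATH#*:}` leave it unchanged, in which case `LIB_SYSTEM_PATH` silently ends up pointing at the virtualenv python.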
......
......@@ -10,8 +10,12 @@
# NOTE: you have to run pip install -r pkg/requirements.pip for pip
# to install it. (do it after python setup.py develop and it
# will only install this)
#
wheel
sphinx
ipdb
-e git+https://github.com/leapcode/leap_pycommon.git@develop#egg=leap.common
-e git+https://github.com/leapcode/soledad.git@develop#egg=leap.soledad
# in case you want to install a package from a git source, you can use this:
# Useful to test pre-release branches together.
#-e git+https://github.com/leapcode/leap_pycommon.git@develop#egg=leap.common
#-e git+https://github.com/leapcode/soledad.git@develop#egg=leap.soledad
......@@ -9,7 +9,10 @@ argparse
requests>=1.1.0
srp>=1.0.2
pyopenssl
python-dateutil
# This won't be needed after we refactor leap.common.events
# to use zmq.
python-dateutil==1.4 # See https://leap.se/code/issues/6099
psutil
......@@ -19,6 +22,8 @@ python-daemon # this should not be needed for Windows.
keyring
zope.proxy
# You will want to install this bundled if you don't have sodium in your system:
# pip install pyzmq --install-option="--zmq=bundled"
pyzmq
leap.common>=0.3.7
......
......@@ -159,6 +159,32 @@ update() {
finish
}
helpers() {
if [[ "$1" == "cleanup" ]]; then
status="removing helper files"
echo "${cc_green}Status: $status...${cc_normal}"
set -x
sudo rm -f /usr/sbin/bitmask-root
sudo rm -f /usr/share/polkit-1/actions/se.leap.bitmask.policy
set +x
else
status="installing helper files"
echo "${cc_green}Status: $status...${cc_normal}"
set -x
sudo cp bitmask_client/pkg/linux/bitmask-root /usr/sbin/
sudo cp bitmask_client/pkg/linux/polkit/se.leap.bitmask.policy /usr/share/polkit-1/actions/
set +x
fi
}
install_dependencies() {
status="installing system dependencies"
echo "${cc_green}Status: $status...${cc_normal}"
set -x
sudo apt-get install -y git python-dev python-setuptools python-virtualenv python-pip libssl-dev python-openssl libsqlite3-dev g++ openvpn pyside-tools python-pyside libffi-dev
set +x
}
run() {
shift # remove 'run' from arg list
passthrough_args=$@
......@@ -174,13 +200,17 @@ help() {
echo "Bootstraps the environment to start developing the bitmask client"
echo "with all the needed repositories and dependencies."
echo
echo "Usage: $0 {init | update | run | help}"
echo "Usage: $0 {init | update | run | help | deps | helpers}"
echo
echo " init : Initialize repositories, create virtualenv and \`python setup.py develop\` all."
echo " You can use \`init ro\` in order to use the https remotes if you don't have rw access."
echo " update : Update the repositories and install new deps (if needed)."
echo " run : Runs the client (any extra parameters will be sent to the app)."
echo " help : Show this help"
echo " init : Initialize repositories, create virtualenv and \`python setup.py develop\` all."
echo " You can use \`init ro\` in order to use the https remotes if you don't have rw access."
echo " update : Update the repositories and install new deps (if needed)."
echo " run : Runs the client (any extra parameters will be sent to the app)."
echo " help : Show this help"
echo " -- system helpers --"
echo " deps : Install the system dependencies needed for bitmask dev (Debian based Linux only)."
echo " helpers : Install the helper files needed to use bitmask (Linux only)."
echo " You can use \`helpers cleanup\` to remove those files."
echo
}
......@@ -191,6 +221,12 @@ case "$1" in
update)
update
;;
helpers)
helpers $2
;;
deps)
install_dependencies
;;
run)
run "$@"
;;
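Review bot: `helpers()` installs `bitmask-root` with `sudo cp ... /usr/sbin/`, which gives the helper whatever mode the checked-out copy has and, if the destination already exists, keeps that file's previous ownership; since this script is meant to be run as root via polkit, prefer `sudo install -m 0755 -o root -g root bitmask_client/pkg/linux/bitmask-root /usr/sbin/bitmask-root` and the equivalent with `-m 0644` for the `.policy` file. The install path also disagrees with the release notes in this same commit, which tell users to run `pkexec /usr/local/sbin/bitmask-root firewall stop`; one of the two locations is presumably wrong, most likely the one the polkit policy file does not reference. `helpers $2` in the `case` statement should be quoted as `helpers "$2"` so an empty or spaced argument is passed through unchanged.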
......
ANNOUNCING Bitmask, the Internet Encryption Toolkit, release 0.6.1
ANNOUNCING Bitmask, the Internet Encryption Toolkit, release 0.7.0
The LEAP team is pleased to announce the immediate availability of
version 0.6.1 of Bitmask, the Internet Encryption Toolkit, codename
"knock knock knocking on beta's door".
"one time download, all time updates".
https://downloads.leap.se/client/
......@@ -17,15 +17,6 @@ The Encrypted Internet Proxy provides circumvention, location
anonymization, and traffic encryption in a hassle-free, automatically
self-configuring fashion.
WARNING (LINUX ONLY): If you ever run into the situation where you
cannot access internet, open the terminal and run the following
command:
$ pkexec /usr/local/sbin/bitmask-root firewall stop
If for some reason that doesn't work, you will need to reboot your
computer.
Encrypted Mail offers automatic encryption and decryption for both
outgoing and incoming email, adding public key cryptography to your
mail without you ever having to worry about key distribution or
......@@ -43,17 +34,15 @@ NOT trust your life to it.
WHAT CAN THIS VERSION OF BITMASK DO FOR ME?
Bitmask 0.6.1 is the new stable version of the client after the big
refactor, with a little face lift of the UI while we were at
it. Encrypted Email is still not stable though, so don't use it for
high security. Encrypted Internet is the first service we are calling
stable, although its security level is just a bit higher than plain
OpenSSL, so use accordingly. You can refer to the CHANGELOG for the
meat.
Bitmask 0.7.0 brings with tremendous joy automatic and secure updates
through The Update Framework. Right beside TUF there are some bug
fixes and a new settings panel.
Encrypted Internet on Linux now helps you don't shoot yourself in the
foot by leaking traffic outside of the secure connection it
establishes. This will be added to other platforms in the future.
You can read more about TUF in http://theupdateframework.com/
Encrypted Internet on Linux avoids leaking traffic outside of the
secure connection it establishes. This will be added to other
platforms in the future.
The Encrypted Mail services will run local SMTP and IMAP proxies that,
once you configure the mail client of your choice, will automatically
......@@ -89,8 +78,8 @@ repository to your apt sources:
deb http://deb.leap.se/debian wheezy main
We will love to hear if you are interested in help making packages
available for any other system.
We will love to hear if you want to make packages available for any
other system.
BUGS
......@@ -98,6 +87,16 @@ You can send the bugs our way by pointing your telnet session to port
443 on https://leap.se/code. We will do our best to make them follow
our intensive bug-reeducation program.
LINUX ONLY: If you ever run into the situation where you cannot
access internet, open the terminal and run the following command:
$ pkexec /usr/local/sbin/bitmask-root firewall stop
If for some reason that doesn't work, you will need to reboot your
computer.
HACKING
You can find us in the #leap channel on the freenode network.
......@@ -108,6 +107,6 @@ beyond any border.
The LEAP team,
August 15, 2014
Setptember 26, 2014
Somewhere in the middle of the intertubes.
EOF
......@@ -452,20 +452,14 @@ class EIP(object):
else:
logger.debug('EIP: no errors')
def _do_stop(self, shutdown=False, restart=False):
def stop(self, shutdown=False, restart=False):
"""
Stop the service. This is run in a thread to avoid blocking.
Stop the service.
"""
self._vpn.terminate(shutdown, restart)
if IS_LINUX:
self._wait_for_firewall_down()
def stop(self, shutdown=False, restart=False):
"""
Stop the service.
"""
return threads.deferToThread(self._do_stop, shutdown, restart)
def _wait_for_firewall_down(self):
"""
Wait for the firewall to come down.
......@@ -665,7 +659,7 @@ class EIP(object):
return False
client_cert_path = eip_config.\
get_client_cert_path(provider_config, about_to_download=False)
get_client_cert_path(provider_config, about_to_download=True)
if leap_certs.should_redownload(client_cert_path):
logger.error("The client should redownload the certificate,"
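Review bot: `stop` now returns `None` instead of the Deferred that `threads.deferToThread` used to produce, so any caller that chained callbacks on `eip.stop(...)` will break silently, and on Linux the call now presumably blocks the calling thread inside `_wait_for_firewall_down`; the commit does not say this is intended, so please confirm callers were updated. The docstring should state the new contract, e.g. `Stop the service. Blocks until the VPN has terminated and, on Linux, until the firewall is confirmed down.` The `about_to_download=True` change in the second hunk reads as a separate fix; a short comment on why the path must be computed as if a download is pending would help the next reader. `_wait_for_firewall_down` continues past the hunk.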
......
......@@ -46,19 +46,27 @@ def download_client_cert(provider_config, path, session):
# again.
srp_auth = SRPAuth(provider_config)
session_id = srp_auth.get_session_id()
token = srp_auth.get_token()
cookies = None
if session_id:
if session_id is not None:
cookies = {"_session_id": session_id}
cert_uri = "%s/%s/cert" % (
provider_config.get_api_uri(),
provider_config.get_api_version())
logger.debug('getting cert from uri: %s' % cert_uri)
headers = {}
# API v2 will only support token auth, but in v1 we can send both
if token is not None:
headers["Authorization"] = 'Token token="{0}"'.format(token)
res = session.get(cert_uri,
verify=provider_config
.get_ca_cert_path(),
cookies=cookies,
timeout=REQUEST_TIMEOUT)
timeout=REQUEST_TIMEOUT,
headers=headers)
res.raise_for_status()
client_cert = res.content
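Review bot: When both `session_id` and `token` are `None`, the `session.get(...)` call goes out with no credentials at all and the failure only surfaces as an HTTP error from `res.raise_for_status()`; a guard before the network call, `if session_id is None and token is None:` raising whatever error the callers already handle with a message such as "no session or token available to fetch the client certificate", would fail faster and avoid a needless round trip. The token is correctly kept out of the `logger.debug` line; keep it that way if more logging is added around `headers`. The function body continues past the hunk.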
......
......@@ -76,15 +76,24 @@ def run_frontend(options, flags_dict, backend_pid):
qApp = QtGui.QApplication(sys.argv)
# To test:
# $ LANG=es ./app.py
locale = QtCore.QLocale.system().name()
qtTranslator = QtCore.QTranslator()
if qtTranslator.load("qt_%s" % locale, ":/translations"):
qApp.installTranslator(qtTranslator)
appTranslator = QtCore.QTranslator()
if appTranslator.load("%s.qm" % locale[:2], ":/translations"):
qApp.installTranslator(appTranslator)
# To test the app in other language you can do:
# shell> LANG=es bitmask
# or in some rare case if the code above didn't work:
# shell> LC_ALL=es LANG=es bitmask
locale = QtCore.QLocale.system().name() # en_US, es_AR, ar_SA, etc
locale_short = locale[:2] # en, es, ar, etc
rtl_languages = ('ar', ) # right now tested on 'arabic' only.
systemQtTranslator = QtCore.QTranslator()
if systemQtTranslator.load("qt_%s" % locale, ":/translations"):
qApp.installTranslator(systemQtTranslator)
bitmaskQtTranslator = QtCore.QTranslator()
if bitmaskQtTranslator.load("%s.qm" % locale_short, ":/translations"):
qApp.installTranslator(bitmaskQtTranslator)
if locale_short in rtl_languages:
qApp.setLayoutDirection(QtCore.Qt.LayoutDirection.RightToLeft)
# Needed for initializing qsettings it will write
# .config/leap/leap.conf top level app settings in a platform
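Review bot: `locale_short = locale[:2]` assumes two-letter language codes, which is wrong for three-letter ones (a `QLocale` name starting with a code such as `ast` would yield `as` and load the wrong `.qm`); `locale_short = locale.split('_')[0]` keeps the intent of the `# en, es, ar, etc` comment and handles both, and the `rtl_languages` check then works on the same value. `QtCore.Qt.LayoutDirection.RightToLeft` is also exposed as `QtCore.Qt.RightToLeft` in the Qt 4 Python bindings; worth confirming the scoped form resolves in the binding this project uses. `run_frontend` starts before and continues after the hunk.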
......
# -*- coding: utf-8 -*-
# Copyright (C) 2014 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or