mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 00:24:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ui,prefs: allow to configure CA cert for TLS comms

Browse source 
TLS simple: server cert + key
TLS mutual: CA cert + server cert + server key
This commit is contained in:
Gustavo Iñiguez Goia 2023-06-25 13:56:05 +02:00
parent b1e85da2f7
commit f63d9dce72
Failed to generate hash of commit
5 changed files with 55 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
ui/bin/opensnitch-ui
View file

@ -74,6 +74,7 @@ Examples:
- Listening on port 50051, all interfaces: opensnitch-ui --socket "[::]:50051"
''', metavar="FILE")
parser.add_argument("--socket-auth", dest="socket_auth", help="Auth type: simple, tls-simple, tls-mutual")
parser.add_argument("--tls-ca-cert", dest="tls_ca_cert", help="path to the CA cert")
parser.add_argument("--tls-cert", dest="tls_cert", help="path to the server cert")
parser.add_argument("--tls-key", dest="tls_key", help="path to the server key")
parser.add_argument("--max-clients", dest="serverWorkers", default=10, help="Max number of allowed clients (incoming connections).")
@ -175,14 +176,17 @@ Examples:
if auth_type == auth.Simple or auth_type == "":
server.add_insecure_port(args.socket)
else:
auth_ca_cert = args.tls_ca_cert
auth_cert = args.tls_cert
auth_certkey = args.tls_key
if auth_cert == None:
auth_cert = cfg.getSettings(Config.AUTH_CERT)
if auth_certkey == None:
auth_certkey = cfg.getSettings(Config.AUTH_CERTKEY)
if auth_ca_cert == None:
auth_ca_cert = cfg.getSettings(Config.AUTH_CA_CERT)
tls_creds = auth.get_tls_credentials(auth_cert, auth_certkey)
tls_creds = auth.get_tls_credentials(auth_ca_cert, auth_cert, auth_certkey)
if tls_creds == None:
raise Exception("Invalid TLS credentials. Review the server key and cert files.")
server.add_secure_port(args.socket, tls_creds)

15
ui/opensnitch/auth/__init__.py
View file

@ -12,23 +12,24 @@ def load_file(file_path):
return f.read()
except Exception as e:
print("auth: error loading {0}: {1}".format(file_path, e))
return None
return None
def get_tls_credentials(server_cert, server_key):
def get_tls_credentials(ca_cert, server_cert, server_key):
"""return a new gRPC credentials object given a server cert and key file.
https://grpc.io/docs/guides/auth/#python
"""
try:
cacert = load_file(ca_cert)
cert = load_file(server_cert)
cert_key = load_file(server_key)
auth_nodes = False if cacert == None else True
return grpc.ssl_server_credentials(
(
(
cert_key, cert,
),
)
((cert_key, cert),),
cacert,
auth_nodes
)
except Exception as e:
print("get_tls_credentials error:", e)

4
ui/opensnitch/config.py
View file

@ -138,6 +138,10 @@ class Config:
INFOWIN_GEOMETRY = "infoWindow/geometry"
AUTH_TYPE = "auth/type"
AUTH_CA_CERT = "auth/cacert"
AUTH_CERT = "auth/cert"
AUTH_CERTKEY = "auth/certkey"
# don't translate
@staticmethod

34
ui/opensnitch/dialogs/preferences.py
View file

@ -32,6 +32,10 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
SUM = 1
REST = 0
AUTH_SIMPLE = 0
AUTH_TLS_SIMPLE = 1
AUTH_TLS_MUTUAL = 2
def __init__(self, parent=None, appicon=None):
QtWidgets.QDialog.__init__(self, parent, QtCore.Qt.WindowStaysOnTopHint)
@ -75,9 +79,10 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
self.helpButton.setToolTipDuration(30 * 1000)
self.comboAuthType.currentIndexChanged.connect(self._cb_combo_auth_type_changed)
self.comboAuthType.setItemData(0, auth.Simple)
self.comboAuthType.setItemData(1, auth.TLSSimple)
self.comboAuthType.setItemData(2, auth.TLSMutual)
self.comboAuthType.setItemData(PreferencesDialog.AUTH_SIMPLE, auth.Simple)
self.comboAuthType.setItemData(PreferencesDialog.AUTH_TLS_SIMPLE, auth.TLSSimple)
self.comboAuthType.setItemData(PreferencesDialog.AUTH_TLS_MUTUAL, auth.TLSMutual)
self.lineCACertFile.textChanged.connect(self._cb_line_certs_changed)
self.lineCertFile.textChanged.connect(self._cb_line_certs_changed)
self.lineCertKeyFile.textChanged.connect(self._cb_line_certs_changed)
@ -225,11 +230,13 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
else:
self.comboGrpcMsgSize.setCurrentIndex(0)
self.lineCACertFile.setText(self._cfg.getSettings(Config.AUTH_CA_CERT))
self.lineCertFile.setText(self._cfg.getSettings(Config.AUTH_CERT))
self.lineCertKeyFile.setText(self._cfg.getSettings(Config.AUTH_CERTKEY))
authtype_idx = self.comboAuthType.findData(self._cfg.getSettings(Config.AUTH_TYPE))
if authtype_idx <= 0:
authtype_idx = 0
self.lineCACertFile.setEnabled(False)
self.lineCertFile.setEnabled(False)
self.lineCertKeyFile.setEnabled(False)
self.comboAuthType.setCurrentIndex(authtype_idx)
@ -472,14 +479,17 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
savedauthtype = self._cfg.getSettings(Config.AUTH_TYPE)
authtype = self.comboAuthType.itemData(self.comboAuthType.currentIndex())
cacert = self._cfg.getSettings(Config.AUTH_CA_CERT)
cert = self._cfg.getSettings(Config.AUTH_CERT)
certkey = self._cfg.getSettings(Config.AUTH_CERTKEY)
if not self._validate_certs():
return
if savedauthtype != authtype or self.lineCertFile.text() != cert or self.lineCertKeyFile.text() != certkey:
if savedauthtype != authtype or self.lineCertFile.text() != cert or \
self.lineCertKeyFile.text() != certkey or self.lineCACertFile.text() != cacert:
self._changes_needs_restart = QC.translate("preferences", "Certificates changed")
self._cfg.setSettings(Config.AUTH_TYPE, authtype)
self._cfg.setSettings(Config.AUTH_CA_CERT, self.lineCACertFile.text())
self._cfg.setSettings(Config.AUTH_CERT, self.lineCertFile.text())
self._cfg.setSettings(Config.AUTH_CERTKEY, self.lineCertKeyFile.text())
@ -577,7 +587,7 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
def _validate_certs(self):
try:
if self.comboAuthType.currentIndex() == 0:
if self.comboAuthType.currentIndex() == PreferencesDialog.AUTH_SIMPLE:
return True
if self.comboAuthType.currentIndex() > 0 and (self.lineCertFile.text() == "" or self.lineCertKeyFile.text() == ""):
@ -592,10 +602,16 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
QC.translate("preferences", "cert key file has excessive permissions, it should have 0600")
)
if self.comboAuthType.currentIndex() == PreferencesDialog.AUTH_TLS_MUTUAL:
if oct(stat.S_IMODE(os.lstat(self.lineCACertFile.text()).st_mode)) != "0o600":
self._set_status_message(
QC.translate("preferences", "CA cert file has excessive permissions, it should have 0600")
)
return True
except Exception as e:
self._changes_needs_restart = None
self._set_status_error(str(e))
self._set_status_error("certs error: {0}".format(e))
return False
def _needs_restart(self):
@ -719,8 +735,10 @@ class PreferencesDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
savedtype = self._cfg.getSettings(Config.AUTH_TYPE)
if curtype != savedtype:
self._changes_needs_restart = QC.translate("preferences", "Auth type changed")
self.lineCertFile.setEnabled(index > 0)
self.lineCertKeyFile.setEnabled(index > 0)
self.lineCACertFile.setEnabled(index == PreferencesDialog.AUTH_TLS_MUTUAL)
self.lineCertFile.setEnabled(index >= PreferencesDialog.AUTH_TLS_SIMPLE)
self.lineCertKeyFile.setEnabled(index >= PreferencesDialog.AUTH_TLS_SIMPLE)
def _cb_db_max_days_toggled(self, state):
self._enable_db_cleaner_options(state, 1)

17
ui/opensnitch/res/preferences.ui
View file

@ -26,7 +26,7 @@
<enum>QTabWidget::North</enum>
</property>
<property name="currentIndex">
<number>0</number>
<number>1</number>
</property>
<widget class="QWidget" name="tab">
<property name="sizePolicy">
@ -490,7 +490,7 @@
<item row="1" column="0" colspan="2">
<widget class="QToolBox" name="toolBox_2">
<property name="currentIndex">
<number>0</number>
<number>1</number>
</property>
<widget class="QWidget" name="page_5">
<attribute name="label">
@ -617,6 +617,13 @@
</item>
</widget>
</item>
<item row="3" column="0" colspan="2">
<widget class="QLineEdit" name="lineCertFile">
<property name="placeholderText">
<string>Absolute path to the cert file</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="label_20">
<property name="toolTip">
@ -627,7 +634,7 @@
</property>
</widget>
</item>
<item row="3" column="0" colspan="2">
<item row="4" column="0" colspan="2">
<widget class="QLineEdit" name="lineCertKeyFile">
<property name="placeholderText">
<string>Absolute path to the cert key file</string>
@ -645,9 +652,9 @@
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLineEdit" name="lineCertFile">
<widget class="QLineEdit" name="lineCACertFile">
<property name="placeholderText">
<string>Absolute path to the cert file</string>
<string>Absolute path to the CA cert file</string>
</property>
</widget>
</item>