spior 0.1.5 → 0.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 52ad58e21c256642931525e2625cb10e14a74ad17ea95825940b87f6d667fdac
-  data.tar.gz: 143940314f5a3e3387f094cdeb6c371a0e34a2227b803f9cb0eaeebc8ebb512d
+  metadata.gz: 57323a089d6067de5bd331a14a2471bd5b5f266135d23fa08e54df4bd23dbb4f
+  data.tar.gz: 63b77a80284704c7798b954a3b121862d214c369fd1784e70470b9f34fa91783
 SHA512:
-  metadata.gz: eadbf46e6b47eb820fbd88fd3d71c31183ca49a611ac0c6e0576724abc6357d6409fbf2edc9f69d38441889f262102af47f6fecadc2fe82bcbeea856d0557dc1
-  data.tar.gz: f774d5a4bec3474eccaf71e8495fc813cf71681fe609e7f7d1b6bf8e386d46c525bb138b4538f23cb4634706a578cbca96bac80fc85bb37c9700c99aff984ef1
+  metadata.gz: 81fee9fa3884a93d3465c5344156a8daa142c5e6274041f349a8cdddb5c6d51b0d0b2a71f2c16a670058510f398be22e4300038fde61848e2cc756b1a9cd4459
+  data.tar.gz: f1e26ab4d457c04071fe43543e4c83c6f0cfbc76eb06616e7f8ef8bdb6aea9defb1bd23e07a12ba571e8566a02b2048688e68f9ba1a7f82bb5e00d665efc66fb

data/.github/workflows/rubocop-analysis.yml

@@ -0,0 +1,47 @@
+# pulled from repo
+name: "Rubocop"
+
+on:
+  push:
+    branches: [ develop ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ develop ]
+  schedule:
+    - cron: '42 4 * * 6'
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v1
+
+    # If running on a self-hosted runner, check it meets the requirements
+    # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --skip-install
+
+    - name: Install dependencies
+      run: bundle install
+
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: rubocop.sarif

data/.gitignore

@@ -38,6 +38,7 @@ build-iPhoneSimulator/
 /_yardoc/
 /doc/
 /rdoc/
+/html/
 
 ## Environment normalization:
 /.bundle/

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.2.8, release 2022-09-16
+* Spior used with `--clearnet` try to restore iptables rules found on your system, e.g: `/etc/iptables/iptables.rules` and `/etc/iptables/iptables.rules-backup` for Archlinux or use `Spior::Iptables::Default`.
+* Stdout enhanced.
+* Enhance `Spior::Dep` for install the dependencies.
+* Make `Spior::Persist` work for Archlinux.
+* Update `Spior::Menu`.
+* Start documenting code.
+* `spior --reload` make a new IP each time it called, `Spior::Service` was rewritten.
+* Spior can be configured with `Spior::CONFIG` if used as library.
+* Spior look options from the `/etc/tor/torrc` and use them if any.
+* Add Rubocop style, fix ~300 code reports.
+* Spior no longer backup/restore the file `/etc/tor/torrc`.
+* Certificate update `certs/szorfein.pem`.
+
+## 0.1.6, release 2021-12-30
+* Make it work for Voidlinux.
+* Add a man page.
+* Support init script (but not yet very well).
+* Stop changing /etc/resolv.conf.
+* Dependencies are checked before start anything. Spior exit(1) if fail.
+
 ## 0.1.5, release 2020-11-01
 * Simplify lib/spior/copy, lib/spior/clear
 * Write iptables rules for --clearnet and --tor

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gem 'code-scanning-rubocop'

data/README.md

@@ -1,15 +1,36 @@
-# spior
-(Spider|Tor) A tool to make TOR your default gateway.
+# Spior
+
+<div align="center">
+<br/>
+
+[![Gem Version](https://badge.fury.io/rb/spior.svg)](https://badge.fury.io/rb/spior)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/spior/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+![GitHub](https://img.shields.io/github/license/szorfein/spior)
+
+</div>
+
+
+(Spider|Tor) A tool to redirect all your local traffic to the [Tor](https://www.torproject.org/) network.
 
 ## Install
 Spior is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
 
     $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/spior/master/certs/szorfein.pem)
 
-And install the gem
+And install the gem:
 
     $ gem install spior -P MediumSecurity
 
+Or user wide (Spior will use `sudo`, `doas` will be supported in next release)
+
+    $ gem install --user-install spior
+
+## Requirements
+Spior use `iptables` and `tor`, which can be installed with (if your distro is supported):
+
+    $ spior --install
+
 ## Usage
 
     $ spior -h
@@ -38,4 +59,6 @@ For any questions, comments, feedback or issues, submit a [new issue](https://gi
 
 ### links
 + https://rubyreferences.github.io/rubyref
-+ https://rubystyle.guide/
++ https://rubystyle.guide/
++ https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
++ https://github.com/epidemics-scepticism/writing/blob/master/misconception.md

data/Rakefile

@@ -1,20 +1,31 @@
+# frozen_string_literal: true
+
 # https://github.com/seattlerb/minitest#running-your-tests-
-require "rake/testtask"
-require File.dirname(__FILE__) + "/lib/spior/version"
+require 'rake/testtask'
+require 'rdoc/task'
+require File.dirname(__FILE__) + '/lib/spior/version'
+
+# rake rdoc
+Rake::RDocTask.new('rdoc') do |rdoc|
+  rdoc.title = 'spior'
+  rdoc.options << '--line-numbers'
+  rdoc.main = 'README.md'
+  rdoc.rdoc_files.include 'lib/**/*.rb', 'README.md'
+end
 
 Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
-  t.test_files = FileList["test/test_*.rb"]
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/test_*.rb']
 end
 
 namespace :gem do
-  desc "build the gem"
+  desc 'build the gem'
   task :build do
-    Dir["spior*.gem"].each {|f| File.unlink(f) }
-    system("gem build spior.gemspec")
-    system("gem install spior-#{Spior::VERSION}.gem -P MediumSecurity")
+    Dir['spior*.gem'].each { |f| File.unlink(f) }
+    system('gem build spior.gemspec')
+    system("gem install --user-install spior-#{Spior::VERSION}.gem -P MediumSecurity")
   end
 end
 
-task :default => :test
+task default: :test

data/lib/spior/dep.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'nomansland'
+require 'tty-which'
+
+module Spior
+  # Dep: install all dependencies for Spior
+  module Dep
+    extend self
+
+    def looking
+      case Nomansland.distro?
+      when :archlinux
+        Msg.p 'Looking dependencies for Archlinux...'
+        installing_deps(%w[iptables tor])
+      when :debian
+        Msg.p 'Looking dependencies for Debian...'
+        installing_deps(%w[iptables tor])
+      when :gentoo
+        Msg.p 'Looking dependencies for Gentoo...'
+        installing_deps(%w[iptables tor])
+      when :void
+        Msg.p 'Looking dependencies for Voidlinux...'
+        installing_deps(%w[iptables tor])
+      else
+        Msg.report 'Install for your distro is not yet supported.'
+      end
+    end
+
+    protected
+
+    def installing_deps(names)
+      names.map do |n|
+        install(n) unless search_dep(n)
+      end
+      Msg.p 'Dependencies are OK.'
+    end
+
+    def install(name)
+      Msg.p "Installing #{name}..."
+      case Nomansland.installer?
+      when :apt_get
+        Helpers::Exec.new('apt-get').run("install #{name}")
+      when :emerge
+        Helpers::Exec.new('emerge').run("-av #{name}")
+      when :pacman
+        Helpers::Exec.new('pacman').run("-S #{name}")
+      when :void
+        Helpers::Exec.new('xbps-install').run("-y #{name}")
+      when :yum
+        Helpers::Exec.new('yum').run("install #{name}")
+      end
+    end
+
+    def search_dep(name)
+      TTY::Which.exist?(name) ? true : false
+    end
+  end
+end

data/lib/spior/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'fileutils'
 require 'tempfile'
 require 'open3'
@@ -10,8 +12,8 @@ module Helpers
     end
 
     def run(args)
-      cmd = @search_uid == '0' ? @name : "sudo #{@name}"
-      Open3.popen2e("#{cmd} #{args}") do |stdin, stdout_err, wait_thr|
+      cmd = (@search_uid == '0' ? @name : "sudo #{@name}")
+      Open3.popen2e("#{cmd} #{args}") do |_, stdout_err, wait_thr|
         while line = stdout_err.gets
           puts line
         end
@@ -38,27 +40,25 @@ module Helpers
     # * _string_ = string for the whole file
     # * _name_ = name of the file (e.g: resolv.conf)
     # * _dest_ = path (e.g: /etc)
-    def initialize(string, name, dest = "/tmp")
+    def initialize(string, name, dest = '/tmp')
       @string = string
       @name = name
-      @dest = dest + "/" + @name
+      @dest = "#{dest}/#{@name}"
     end
 
     # Method #add
     # Add the file at @dest
     def add
-      @mv = Helpers::Exec.new("mv")
+      @mv = Helpers::Exec.new('mv')
       tmp = Tempfile.new(@name)
-      File.open(tmp.path, 'w') do |file|
-        file.puts @string
-      end
+      File.write tmp.path, "#{@string}\n"
       puts "move #{tmp.path} to #{@dest}"
       @mv.run("#{tmp.path} #{@dest}")
     end
 
     def perm(user, perm)
-      chown = Helpers::Exec.new("chown")
-      chmod = Helpers::Exec.new("chmod")
+      chown = Helpers::Exec.new('chown')
+      chmod = Helpers::Exec.new('chmod')
       chown.run("#{user}:#{user} #{@dest}")
       chmod.run("#{perm} #{@dest}")
     end
@@ -88,30 +88,30 @@ module Helpers
     def initialize(string, name)
       super
       @systemd_dir = search_systemd_dir
-      @dest = @systemd_dir + "/" + @name
+      @dest = "#{@systemd_dir}/#{@name}"
     end
 
     # Method #add
     # Create a temporary file and move
     # the service @name to the systemd directory
     def add
-      @systemctl = Helpers::Exec.new("systemctl")
+      @systemctl = Helpers::Exec.new('systemctl')
       super
-      @systemctl.run("daemon-reload")
+      @systemctl.run('daemon-reload')
     end
 
     private
+
     # Method search_systemd_dir
     # Search the current directory for systemd services
     # + Gentoo can install at /lib/systemd/system or /usr/lib/systemd/system
     def search_systemd_dir
-      if Dir.exist? "/lib/systemd/system"
-        "/lib/systemd/system"
-      elsif Dir.exist? "/usr/lib/systemd/system"
-        "/usr/lib/systemd/system"
+      if Dir.exist? '/lib/systemd/system'
+        '/lib/systemd/system'
+      elsif Dir.exist? '/usr/lib/systemd/system'
+        '/usr/lib/systemd/system'
       else
-        raise "No directory systemd found"
-        exit
+        raise 'No directory systemd found'
       end
     end
   end

data/lib/spior/iptables/default.rb

@@ -1,37 +1,43 @@
+# frozen_string_literal: true
+
 module Spior
   module Iptables
+    # Default and generic Iptables rules when Tor is not used.
+    #
+    # Allowed ports:
+    # * Input 22: for ssh connection
     class Default < Iptables::Root
       private
-      
+
       def input
         # SSH
-        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        ipt '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
         # Allow loopback, rules
         ipt "-A INPUT -i #{@lo} -j ACCEPT"
         # Accept related
-        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+        ipt '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
       end
 
       def output
-        ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-        ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
+        ipt '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
+        ipt '-A OUTPUT -m state --state ESTABLISHED -j ACCEPT'
 
         # Allow SSH
-        ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        ipt '-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
 
         # Allow Loopback
         ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
 
         # Default
-        ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
+        ipt '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
       end
-      
+
       def all
-        ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
-        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
-        ipt "-P INPUT ACCEPT"
-        ipt "-P FORWARD ACCEPT"
-        ipt "-P OUTPUT ACCEPT"
+        ipt '-t filter -A OUTPUT -p udp -j ACCEPT'
+        ipt '-t filter -A OUTPUT -p icmp -j REJECT'
+        ipt '-P INPUT ACCEPT'
+        ipt '-P FORWARD ACCEPT'
+        ipt '-P OUTPUT ACCEPT'
       end
     end
   end

data/lib/spior/iptables/root.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'interfacez'
 
 module Spior
@@ -6,11 +8,12 @@ module Spior
       def initialize
         @lo      = Interfacez.loopback
         @lo_addr = Interfacez.ipv4_address_of(@lo)
-        @i = Helpers::Exec.new("iptables")
-        Spior::Copy.new.save
+        @i = Helpers::Exec.new('iptables')
+        @debug = false
       end
 
       def run!
+        stop!
         bogus_tcp_flags
         bad_packets
         spoofing
@@ -20,69 +23,61 @@ module Spior
         all
       end
 
-      def restart!
-        stop!
-        run!
-      end
-
       def stop!
-        ipt "-F"
-        ipt "-X"
-        ipt "-t nat -F"
-        ipt "-t nat -X"
-        ipt "-t mangle -F"
-        ipt "-t mangle -X"
+        Msg.p 'Clearing Iptables rules...'
+        ipt '-F'
+        ipt '-X'
+        ipt '-t nat -F'
+        ipt '-t nat -X'
+        ipt '-t mangle -F'
+        ipt '-t mangle -X'
       end
 
       private
 
       def ipt(line)
         @i.run("#{line}")
-        puts "added - #{@i} #{line}"
+        puts "Added - iptables #{line}" if @debug
       end
 
-      def redirect
-      end
+      def redirect; end
 
-      def input
-      end
+      def input; end
 
-      def output
-      end
+      def output; end
 
-      def all
-      end
+      def all; end
 
       def bogus_tcp_flags
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP'
       end
 
       def bad_packets
         # new packet not syn
-        ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+        ipt '-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
         # fragment  packet
-        ipt "-A INPUT -f -j DROP"
+        ipt '-A INPUT -f -j DROP'
         # XMAS
-        ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+        ipt '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
         # null packet
-        ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+        ipt '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
       end
 
       def spoofing
-        subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-        subs.each do |sub|
+        subs = %w[224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 0.0.0.0/8 240.0.0.0/5]
+        subs.map do |sub|
           ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
         end
         ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"

data/lib/spior/iptables/rules.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'tempfile'
+require 'fileutils'
+require 'nomansland'
+
+module Spior
+  module Iptables
+    class Rules
+      def initialize
+        @tmp_iptables_rules = Tempfile.new('iptables_rules')
+        @tmp_spior_rules = Tempfile.new('spior_rules')
+        @rules_path = search_iptables_config
+      end
+
+      def backup
+        save_rules(@tmp_iptables_rules)
+        insert_comment(@tmp_spior_rules, @tmp_iptables_rules)
+        create_file(@tmp_spior_rules, @rules_path)
+      end
+
+      def restore
+        unless restoring_older_rules(@rules_path)
+          Msg.p 'Adding clearnet navigation...'
+          Iptables::Default.new.run!
+        end
+      end
+
+      protected
+
+      def save_rules(tmp_file)
+        Msg.p 'Saving Iptables rules...'
+        Helpers::Exec.new('iptables-save').run("> #{tmp_file.path}")
+      end
+
+      def insert_comment(spior_file, iptable_file)
+        outfile = File.open(spior_file.path, 'w')
+        outfile.puts '# Rules saved by Spior.'
+        outfile.puts(File.read(iptable_file.path))
+        outfile.close
+      end
+
+      def search_for_comment(filename)
+        File.open(filename) do |f|
+          f.each do |line|
+            return true if line.match(/saved by Spior/)
+          end
+        end
+        false
+      end
+
+      def move(src, dest)
+        if Process::Sys.getuid == '0'
+          FileUtils.mv(src, dest)
+        else
+          Helpers::Exec.new('mv').run("#{src} #{dest}")
+        end
+      end
+
+      def create_file(tmpfile, dest)
+        if File.exist? dest
+          if search_for_comment(dest)
+            Msg.p "Older Spior rules found #{dest}, erasing..."
+          else
+            Msg.p "File exist #{dest}, create backup #{dest}-backup..."
+            move(dest, "#{dest}-backup")
+          end
+        end
+        move(tmpfile.path, dest)
+      end
+
+      def restoring_older_rules(filename)
+        files = %W[#{filename} #{filename}-backup]
+        files.each do |f|
+          next unless File.exist? f
+
+          unless search_for_comment(f)
+            Iptables::Root.new.stop!
+            Msg.p "Found older rules #{f}, restoring..."
+            Helpers::Exec.new('iptables-restore').run(f)
+            return true
+          end
+        end
+        false
+      end
+
+      private
+
+      def search_iptables_config
+        case Nomansland.distro?
+        when :archlinux || :void
+          '/etc/iptables/iptables.rules'
+        when :debian
+          '/etc/iptables.up.rules'
+        when :gentoo
+          '/var/lib/iptables/rules-save'
+        else
+          Msg.report 'I don`t know where you distro save the rules for iptables yet'
+        end
+      end
+    end
+  end
+end