Add openvpn-status.log support

2024-12-22 16:25:17 +00:00 · 2017-01-26 21:59:12 +00:00 · 2017-01-26 21:59:12 +00:00 · 1ec5ad3b7c
commit 1ec5ad3b7c
parent 1925207a6d
4 changed files with 44 additions and 7 deletions
--- a/certidude/api/init.py
+++ b/certidude/api/init.py
@ -75,7 +75,7 @@ class SessionResource(object):
            ) if req.context.get("user").is_admin() else None,
            features=dict(
                tagging=config.TAGGING_BACKEND,
-                leases=False, #config.LEASES_BACKEND,
+                leases=config.LEASES_BACKEND,
                logging=config.LOGGING_BACKEND))


@ -122,7 +122,7 @@ def certidude_app():
    from .revoked import RevocationListResource
    from .signed import SignedCertificateListResource, SignedCertificateDetailResource
    from .request import RequestListResource, RequestDetailResource
-    from .lease import LeaseResource
+    from .lease import LeaseResource, StatusFileLeaseResource
    from .whois import WhoisResource
    from .tag import TagResource, TagDetailResource
    from .cfg import ConfigResource, ScriptResource
@ -140,8 +140,11 @@ def certidude_app():
    app.add_route("/api/", SessionResource())

    # Gateway API calls, should this be moved to separate project?
-    app.add_route("/api/lease/", LeaseResource())
-    app.add_route("/api/whois/", WhoisResource())
+    if config.LEASES_BACKEND == "openvpn-status":
+        app.add_route("/api/lease/", StatusFileLeaseResource(config.OPENVPN_STATUS_URI))
+    elif config.LEASES_BACKEND == "sql":
+        app.add_route("/api/lease/", LeaseResource())
+        app.add_route("/api/whois/", WhoisResource())

    # Optional user enrollment API call
    if config.USER_CERTIFICATE_ENROLLMENT:
--- a/certidude/api/lease.py
+++ b/certidude/api/lease.py
@ -28,6 +28,27 @@ def parse_dn(data):
    return ", ".join(generate())


+class StatusFileLeaseResource(object):
+    def __init__(self, uri):
+        self.uri = uri
+
+    @serialize
+    @login_required
+    @authorize_admin
+    def on_get(self, req, resp):
+        from openvpn_status import parse_status
+        from urllib import urlopen
+        fh = urlopen(self.uri)
+        status = parse_status(fh.read())
+        for cn, e in status.routing_table.items():
+            yield {
+                "acquired": status.client_list[cn].connected_since,
+                "released": None,
+                "address":  e.virtual_address,
+                "identity": "CN=%s" % cn, # BUGBUG
+            }
+
+
 class LeaseResource(object):
    @serialize
    @login_required
--- a/certidude/config.py
+++ b/certidude/config.py
@ -68,6 +68,8 @@ TAGGING_BACKEND = cp.get("tagging", "backend")
 LOGGING_BACKEND = cp.get("logging", "backend")
 LEASES_BACKEND = cp.get("leases", "backend")

+OPENVPN_STATUS_URI = cp.get("leases", "openvpn status uri")
+

 if "whitelist" == AUTHORIZATION_BACKEND:
    USERS_WHITELIST = set([j for j in  cp.get("authorization", "users whitelist").split(" ") if j])
--- a/certidude/templates/certidude-server.conf
+++ b/certidude/templates/certidude-server.conf
@ -60,9 +60,20 @@ backend = sql
 database = sqlite://{{ directory }}/db.sqlite

 [leases]
-backend = sql
-schema = strongswan
-database = sqlite://{{ directory }}/db.sqlite
+
+[leases]
+backend =
+
+;backend = sql
+;schema = strongswan
+;database = sqlite://{{ directory }}/db.sqlite
+
+# Following was used on an OpenWrt router
+# uci set openvpn.s2c.status=/www/status.log
+# uci commit; touch /www/status.log; chmod 755 /www/status.log
+;backend = openvpn-status
+;openvpn status uri = /var/log/openvpn-status.log
+openvpn status uri = http://router.example.com/status.log

 [signature]
 certificate lifetime = {{ certificate_lifetime }}