Add openvpn-status.log support

certidude/api/__init__.py

@@ -75,7 +75,7 @@ class SessionResource(object):
             ) if req.context.get("user").is_admin() else None,
             features=dict(
                 tagging=config.TAGGING_BACKEND,
-                leases=False, #config.LEASES_BACKEND,
+                leases=config.LEASES_BACKEND,
                 logging=config.LOGGING_BACKEND))
 
 
@@ -122,7 +122,7 @@ def certidude_app():
     from .revoked import RevocationListResource
     from .signed import SignedCertificateListResource, SignedCertificateDetailResource
     from .request import RequestListResource, RequestDetailResource
-    from .lease import LeaseResource
+    from .lease import LeaseResource, StatusFileLeaseResource
     from .whois import WhoisResource
     from .tag import TagResource, TagDetailResource
     from .cfg import ConfigResource, ScriptResource
@@ -140,8 +140,11 @@ def certidude_app():
     app.add_route("/api/", SessionResource())
 
     # Gateway API calls, should this be moved to separate project?
-    app.add_route("/api/lease/", LeaseResource())
-    app.add_route("/api/whois/", WhoisResource())
+    if config.LEASES_BACKEND == "openvpn-status":
+        app.add_route("/api/lease/", StatusFileLeaseResource(config.OPENVPN_STATUS_URI))
+    elif config.LEASES_BACKEND == "sql":
+        app.add_route("/api/lease/", LeaseResource())
+        app.add_route("/api/whois/", WhoisResource())
 
     # Optional user enrollment API call
     if config.USER_CERTIFICATE_ENROLLMENT:

certidude/api/lease.py

@@ -28,6 +28,27 @@ def parse_dn(data):
     return ", ".join(generate())
 
 
+class StatusFileLeaseResource(object):
+    def __init__(self, uri):
+        self.uri = uri
+
+    @serialize
+    @login_required
+    @authorize_admin
+    def on_get(self, req, resp):
+        from openvpn_status import parse_status
+        from urllib import urlopen
+        fh = urlopen(self.uri)
+        status = parse_status(fh.read())
+        for cn, e in status.routing_table.items():
+            yield {
+                "acquired": status.client_list[cn].connected_since,
+                "released": None,
+                "address":  e.virtual_address,
+                "identity": "CN=%s" % cn, # BUGBUG
+            }
+
+
 class LeaseResource(object):
     @serialize
     @login_required

certidude/config.py

@@ -68,6 +68,8 @@ TAGGING_BACKEND = cp.get("tagging", "backend")
 LOGGING_BACKEND = cp.get("logging", "backend")
 LEASES_BACKEND = cp.get("leases", "backend")
 
+OPENVPN_STATUS_URI = cp.get("leases", "openvpn status uri")
+
 
 if "whitelist" == AUTHORIZATION_BACKEND:
     USERS_WHITELIST = set([j for j in  cp.get("authorization", "users whitelist").split(" ") if j])

certidude/templates/certidude-server.conf

@@ -60,9 +60,20 @@ backend = sql
 database = sqlite://{{ directory }}/db.sqlite
 
 [leases]
-backend = sql
-schema = strongswan
-database = sqlite://{{ directory }}/db.sqlite
+
+[leases]
+backend =
+
+;backend = sql
+;schema = strongswan
+;database = sqlite://{{ directory }}/db.sqlite
+
+# Following was used on an OpenWrt router
+# uci set openvpn.s2c.status=/www/status.log
+# uci commit; touch /www/status.log; chmod 755 /www/status.log
+;backend = openvpn-status
+;openvpn status uri = /var/log/openvpn-status.log
+openvpn status uri = http://router.example.com/status.log
 
 [signature]
 certificate lifetime = {{ certificate_lifetime }}