mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
api: Submit inner and outer IP address when updating lease
This commit is contained in:
parent
dfb90689db
commit
b77a427949
@ -63,7 +63,8 @@ class SessionResource(object):
|
|||||||
try:
|
try:
|
||||||
last_seen = datetime.strptime(xattr.getxattr(path, "user.lease.last_seen"), "%Y-%m-%dT%H:%M:%S.%fZ")
|
last_seen = datetime.strptime(xattr.getxattr(path, "user.lease.last_seen"), "%Y-%m-%dT%H:%M:%S.%fZ")
|
||||||
lease = dict(
|
lease = dict(
|
||||||
address = xattr.getxattr(path, "user.lease.address"),
|
inner_address = xattr.getxattr(path, "user.lease.inner_address"),
|
||||||
|
outer_address = xattr.getxattr(path, "user.lease.outer_address"),
|
||||||
last_seen = last_seen,
|
last_seen = last_seen,
|
||||||
age = datetime.utcnow() - last_seen
|
age = datetime.utcnow() - last_seen
|
||||||
)
|
)
|
||||||
|
@ -22,7 +22,7 @@ class AttributeResource(object):
|
|||||||
raise falcon.HTTPNotFound()
|
raise falcon.HTTPNotFound()
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))
|
whitelist = ip_address(attribs.get("user").get("lease").get("inner_address").decode("ascii"))
|
||||||
except AttributeError: # TODO: probably race condition
|
except AttributeError: # TODO: probably race condition
|
||||||
raise falcon.HTTPForbidden("Forbidden",
|
raise falcon.HTTPForbidden("Forbidden",
|
||||||
"Attributes only accessible to the machine")
|
"Attributes only accessible to the machine")
|
||||||
|
@ -21,7 +21,8 @@ class LeaseDetailResource(object):
|
|||||||
path, buf, cert = authority.get_signed(cn)
|
path, buf, cert = authority.get_signed(cn)
|
||||||
return dict(
|
return dict(
|
||||||
last_seen = xattr.getxattr(path, "user.lease.last_seen"),
|
last_seen = xattr.getxattr(path, "user.lease.last_seen"),
|
||||||
address = xattr.getxattr(path, "user.lease.address").decode("ascii")
|
inner_address = xattr.getxattr(path, "user.lease.inner_address").decode("ascii"),
|
||||||
|
outer_address = xattr.getxattr(path, "user.lease.outer_address").decode("ascii")
|
||||||
)
|
)
|
||||||
except EnvironmentError: # Certificate or attribute not found
|
except EnvironmentError: # Certificate or attribute not found
|
||||||
raise falcon.HTTPNotFound()
|
raise falcon.HTTPNotFound()
|
||||||
@ -35,7 +36,8 @@ class LeaseResource(object):
|
|||||||
if req.get_param("serial") and cert.serial != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
|
if req.get_param("serial") and cert.serial != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
|
||||||
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
|
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
|
||||||
|
|
||||||
xattr.setxattr(path, "user.lease.address", req.get_param("address", required=True).encode("ascii"))
|
xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
|
||||||
|
xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
|
||||||
xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
|
xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
|
||||||
push.publish("lease-update", common_name)
|
push.publish("lease-update", common_name)
|
||||||
|
|
||||||
|
@ -5,10 +5,13 @@
|
|||||||
</svg>
|
</svg>
|
||||||
{% if certificate.lease.age > session.authority.lease.offline %}
|
{% if certificate.lease.age > session.authority.lease.offline %}
|
||||||
Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
|
Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
|
||||||
at {{ certificate.lease.address }}
|
at {{ certificate.lease.inner_address }}
|
||||||
{% else %}
|
{% else %}
|
||||||
Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
|
Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
|
||||||
<a target="{{ certificate.lease.address }}" href="http://{{ certificate.lease.address }}">{{ certificate.lease.address }}</a>
|
<a target="{{ certificate.lease.inner_address }}" href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
via
|
||||||
|
<a target="{{ certificate.lease.outer_address }}"
|
||||||
|
href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</span>
|
</span>
|
||||||
|
@ -258,6 +258,8 @@ def test_cli_setup_authority():
|
|||||||
|
|
||||||
sleep(1) # Wait for serve to start up
|
sleep(1) # Wait for serve to start up
|
||||||
|
|
||||||
|
# TODO: check that port 8080 is listening, otherwise app probably crashed
|
||||||
|
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
# Test CA certificate fetch
|
# Test CA certificate fetch
|
||||||
@ -477,7 +479,7 @@ def test_cli_setup_authority():
|
|||||||
|
|
||||||
# Insert lease
|
# Insert lease
|
||||||
r = client().simulate_post("/api/lease/",
|
r = client().simulate_post("/api/lease/",
|
||||||
query_string = "client=test&address=127.0.0.1",
|
query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8",
|
||||||
headers={"Authorization":admintoken})
|
headers={"Authorization":admintoken})
|
||||||
assert r.status_code == 200, r.text # lease update ok
|
assert r.status_code == 200, r.text # lease update ok
|
||||||
r = client().simulate_get("/api/signed/nonexistant/script/")
|
r = client().simulate_get("/api/signed/nonexistant/script/")
|
||||||
@ -487,13 +489,13 @@ def test_cli_setup_authority():
|
|||||||
assert "uci set " in r.text, r.text
|
assert "uci set " in r.text, r.text
|
||||||
|
|
||||||
r = client().simulate_post("/api/lease/",
|
r = client().simulate_post("/api/lease/",
|
||||||
query_string = "client=test&address=127.0.0.1&serial=0",
|
query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0",
|
||||||
headers={"Authorization":admintoken})
|
headers={"Authorization":admintoken})
|
||||||
assert r.status_code == 403, r.text # invalid serial number supplied
|
assert r.status_code == 403, r.text # invalid serial number supplied
|
||||||
r = client().simulate_get("/api/signed/test/attr/")
|
r = client().simulate_get("/api/signed/test/attr/")
|
||||||
assert r.status_code == 200, r.text # read okay from own address
|
assert r.status_code == 200, r.text # read okay from own address
|
||||||
r = client().simulate_post("/api/lease/",
|
r = client().simulate_post("/api/lease/",
|
||||||
query_string = "client=test&address=1.2.3.4",
|
query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8",
|
||||||
headers={"Authorization":admintoken})
|
headers={"Authorization":admintoken})
|
||||||
assert r.status_code == 200, r.text # lease update ok
|
assert r.status_code == 200, r.text # lease update ok
|
||||||
r = client().simulate_get("/api/signed/test/attr/")
|
r = client().simulate_get("/api/signed/test/attr/")
|
||||||
|
Loading…
Reference in New Issue
Block a user