
api: Submit inner and outer IP address when updating lease

This commit is contained in:
Lauri Võsandi 2017-05-08 20:33:20 +00:00
parent dfb90689db
commit b77a427949
5 changed files with 18 additions and 10 deletions


@ -63,7 +63,8 @@ class SessionResource(object):
try: try:
last_seen = datetime.strptime(xattr.getxattr(path, "user.lease.last_seen"), "%Y-%m-%dT%H:%M:%S.%fZ") last_seen = datetime.strptime(xattr.getxattr(path, "user.lease.last_seen"), "%Y-%m-%dT%H:%M:%S.%fZ")
lease = dict( lease = dict(
address = xattr.getxattr(path, "user.lease.address"), inner_address = xattr.getxattr(path, "user.lease.inner_address"),
outer_address = xattr.getxattr(path, "user.lease.outer_address"),
last_seen = last_seen, last_seen = last_seen,
age = datetime.utcnow() - last_seen age = datetime.utcnow() - last_seen
) )
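Review bot: The two address values in the `lease` dict are kept as the raw `getxattr` results, while `LeaseDetailResource` in this same commit decodes the same attributes with `.decode("ascii")`; if `xattr.getxattr` returns bytes here, the template will render `b'...'` for `certificate.lease.inner_address`. Consider `inner_address = xattr.getxattr(path, "user.lease.inner_address").decode("ascii"),` and the same for `outer_address`. Leases written before this change carry only `user.lease.address`, so the new `outer_address` lookup raises `EnvironmentError` for them until the client next updates its lease; the `except` clause that handles it, and the start of the enclosing method, are outside the hunk.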


@ -22,7 +22,7 @@ class AttributeResource(object):
raise falcon.HTTPNotFound() raise falcon.HTTPNotFound()
else: else:
try: try:
whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii")) whitelist = ip_address(attribs.get("user").get("lease").get("inner_address").decode("ascii"))
except AttributeError: # TODO: probably race condition except AttributeError: # TODO: probably race condition
raise falcon.HTTPForbidden("Forbidden", raise falcon.HTTPForbidden("Forbidden",
"Attributes only accessible to the machine") "Attributes only accessible to the machine")
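Review bot: Only `AttributeError` is caught around the `ip_address(...)` call, but `ip_address` raises `ValueError` when the stored `user.lease.inner_address` is not a valid address, and `LeaseResource` in this commit writes that attribute straight from a request parameter without validating it; a malformed stored value would then turn every attribute read for that machine into a 500 instead of a 403. Consider `except (AttributeError, ValueError):  # TODO: probably race condition` here, or validate at write time in `LeaseResource`. The enclosing method starts outside the hunk, and the comparison of `whitelist` against the requester follows below it.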


@ -20,8 +20,9 @@ class LeaseDetailResource(object):
try: try:
path, buf, cert = authority.get_signed(cn) path, buf, cert = authority.get_signed(cn)
return dict( return dict(
last_seen = xattr.getxattr(path, "user.lease.last_seen"), last_seen = xattr.getxattr(path, "user.lease.last_seen"),
address = xattr.getxattr(path, "user.lease.address").decode("ascii") inner_address = xattr.getxattr(path, "user.lease.inner_address").decode("ascii"),
outer_address = xattr.getxattr(path, "user.lease.outer_address").decode("ascii")
) )
except EnvironmentError: # Certificate or attribute not found except EnvironmentError: # Certificate or attribute not found
raise falcon.HTTPNotFound() raise falcon.HTTPNotFound()
@ -35,7 +36,8 @@ class LeaseResource(object):
if req.get_param("serial") and cert.serial != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan if req.get_param("serial") and cert.serial != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied") raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
xattr.setxattr(path, "user.lease.address", req.get_param("address", required=True).encode("ascii")) xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z") xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
push.publish("lease-update", common_name) push.publish("lease-update", common_name)
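Review bot: The `inner_address` and `outer_address` parameters at the two `setxattr` lines are written verbatim from the request; they are later parsed with `ip_address()` in `AttributeResource`, where only `AttributeError` is caught, and interpolated into `href` attributes in the lease template, so a non-address value stored here fails or renders downstream rather than being rejected at the API. Parse both values with `ip_address()` before writing and answer with a 400 on `ValueError`, normalising the textual form via `str(...)` so later readers always see a canonical address. `ip_address` has to be imported from `ipaddress` in this module if it is not already in scope; the handler starts outside the hunk.
```python
# … unchanged: serial-number check …
try:
    outer_address = str(ip_address(req.get_param("outer_address", required=True)))
    inner_address = str(ip_address(req.get_param("inner_address", required=True)))
except ValueError:
    # Reject garbage here so readers (ip_address() in AttributeResource, the
    # lease template) never see a non-address value in the xattrs.
    raise falcon.HTTPBadRequest("Bad request", "Invalid IP address supplied")
xattr.setxattr(path, "user.lease.outer_address", outer_address.encode("ascii"))
xattr.setxattr(path, "user.lease.inner_address", inner_address.encode("ascii"))
# … unchanged: last_seen update and push.publish …
```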


@ -5,10 +5,13 @@
</svg> </svg>
{% if certificate.lease.age > session.authority.lease.offline %} {% if certificate.lease.age > session.authority.lease.offline %}
Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
at {{ certificate.lease.address }} at {{ certificate.lease.inner_address }}
{% else %} {% else %}
Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
<a target="{{ certificate.lease.address }}" href="http://{{ certificate.lease.address }}">{{ certificate.lease.address }}</a> <a target="{{ certificate.lease.inner_address }}" href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>
{% endif %} {% endif %}
via
<a target="{{ certificate.lease.outer_address }}"
href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>
{% endif %} {% endif %}
</span> </span>
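Review bot: The new `via` link on the `outer_address` anchor points to a third-party lookup service over plain `http://`, so following it discloses the client's public address to that service and to the network path in the clear; if the lookup is to be kept, prefer `https://` where the service offers it, or make the lookup URL a configurable setting alongside the other `session.authority` values so a deployment can disable or redirect it. The `target` attribute reuses the address as a window name, mirroring the existing `inner_address` link, which is harmless but unusual; `target="_blank" rel="noopener"` is the conventional form. The enclosing `{% if %}` block starts outside the hunk.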


@ -258,6 +258,8 @@ def test_cli_setup_authority():
sleep(1) # Wait for serve to start up sleep(1) # Wait for serve to start up
# TODO: check that port 8080 is listening, otherwise app probably crashed
import requests import requests
# Test CA certificate fetch # Test CA certificate fetch
@ -477,7 +479,7 @@ def test_cli_setup_authority():
# Insert lease # Insert lease
r = client().simulate_post("/api/lease/", r = client().simulate_post("/api/lease/",
query_string = "client=test&address=127.0.0.1", query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8",
headers={"Authorization":admintoken}) headers={"Authorization":admintoken})
assert r.status_code == 200, r.text # lease update ok assert r.status_code == 200, r.text # lease update ok
r = client().simulate_get("/api/signed/nonexistant/script/") r = client().simulate_get("/api/signed/nonexistant/script/")
@ -487,13 +489,13 @@ def test_cli_setup_authority():
assert "uci set " in r.text, r.text assert "uci set " in r.text, r.text
r = client().simulate_post("/api/lease/", r = client().simulate_post("/api/lease/",
query_string = "client=test&address=127.0.0.1&serial=0", query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0",
headers={"Authorization":admintoken}) headers={"Authorization":admintoken})
assert r.status_code == 403, r.text # invalid serial number supplied assert r.status_code == 403, r.text # invalid serial number supplied
r = client().simulate_get("/api/signed/test/attr/") r = client().simulate_get("/api/signed/test/attr/")
assert r.status_code == 200, r.text # read okay from own address assert r.status_code == 200, r.text # read okay from own address
r = client().simulate_post("/api/lease/", r = client().simulate_post("/api/lease/",
query_string = "client=test&address=1.2.3.4", query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8",
headers={"Authorization":admintoken}) headers={"Authorization":admintoken})
assert r.status_code == 200, r.text # lease update ok assert r.status_code == 200, r.text # lease update ok
r = client().simulate_get("/api/signed/test/attr/") r = client().simulate_get("/api/signed/test/attr/")