api: Submit inner and outer IP address when updating lease

2025-10-31 01:19:11 +00:00 · 2017-05-08 20:33:20 +00:00
parent dfb90689db
commit b77a427949
5 changed files with 18 additions and 10 deletions
--- a/certidude/api/init.py
+++ b/certidude/api/init.py
@@ -63,7 +63,8 @@ class SessionResource(object):
                try:
                    last_seen = datetime.strptime(xattr.getxattr(path, "user.lease.last_seen"), "%Y-%m-%dT%H:%M:%S.%fZ")
                    lease = dict(
-                        address = xattr.getxattr(path, "user.lease.address"),
+                        inner_address = xattr.getxattr(path, "user.lease.inner_address"),
+                        outer_address = xattr.getxattr(path, "user.lease.outer_address"),
                        last_seen = last_seen,
                        age = datetime.utcnow() - last_seen
                    )
--- a/certidude/api/attrib.py
+++ b/certidude/api/attrib.py
@@ -22,7 +22,7 @@ class AttributeResource(object):
            raise falcon.HTTPNotFound()
        else:
            try:
-                whitelist = ip_address(attribs.get("user").get("lease").get("address").decode("ascii"))
+                whitelist = ip_address(attribs.get("user").get("lease").get("inner_address").decode("ascii"))
            except AttributeError: # TODO: probably race condition
                raise falcon.HTTPForbidden("Forbidden",
                    "Attributes only accessible to the machine")
--- a/certidude/api/lease.py
+++ b/certidude/api/lease.py
@@ -20,8 +20,9 @@ class LeaseDetailResource(object):
        try:
            path, buf, cert = authority.get_signed(cn)
            return dict(
-                last_seen = xattr.getxattr(path, "user.lease.last_seen"),
-                address = xattr.getxattr(path, "user.lease.address").decode("ascii")
+                last_seen =     xattr.getxattr(path, "user.lease.last_seen"),
+                inner_address = xattr.getxattr(path, "user.lease.inner_address").decode("ascii"),
+                outer_address = xattr.getxattr(path, "user.lease.outer_address").decode("ascii")
            )
        except EnvironmentError: # Certificate or attribute not found
            raise falcon.HTTPNotFound()
@@ -35,7 +36,8 @@ class LeaseResource(object):
        if req.get_param("serial") and cert.serial != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
            raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")

-        xattr.setxattr(path, "user.lease.address", req.get_param("address", required=True).encode("ascii"))
+        xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
+        xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
        xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
        push.publish("lease-update", common_name)

--- a/certidude/static/views/status.html
+++ b/certidude/static/views/status.html
@@ -5,10 +5,13 @@
    </svg>
    {% if certificate.lease.age > session.authority.lease.offline %}
      Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
-      at {{ certificate.lease.address }}
+      at {{ certificate.lease.inner_address }}
    {% else %}
      Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
-      <a target="{{ certificate.lease.address }}" href="http://{{ certificate.lease.address }}">{{ certificate.lease.address }}</a>
+      <a target="{{ certificate.lease.inner_address }}" href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>
    {% endif %}
+    via
+    <a target="{{ certificate.lease.outer_address }}"
+        href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>
  {% endif %}
 </span>
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -258,6 +258,8 @@ def test_cli_setup_authority():

    sleep(1) # Wait for serve to start up

+    # TODO: check that port 8080 is listening, otherwise app probably crashed
+
    import requests

    # Test CA certificate fetch
@@ -477,7 +479,7 @@ def test_cli_setup_authority():

    # Insert lease
    r = client().simulate_post("/api/lease/",
-        query_string = "client=test&address=127.0.0.1",
+        query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8",
        headers={"Authorization":admintoken})
    assert r.status_code == 200, r.text # lease update ok
    r = client().simulate_get("/api/signed/nonexistant/script/")
@@ -487,13 +489,13 @@ def test_cli_setup_authority():
    assert "uci set " in r.text, r.text

    r = client().simulate_post("/api/lease/",
-        query_string = "client=test&address=127.0.0.1&serial=0",
+        query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0",
        headers={"Authorization":admintoken})
    assert r.status_code == 403, r.text # invalid serial number supplied
    r = client().simulate_get("/api/signed/test/attr/")
    assert r.status_code == 200, r.text # read okay from own address
    r = client().simulate_post("/api/lease/",
-        query_string = "client=test&address=1.2.3.4",
+        query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8",
        headers={"Authorization":admintoken})
    assert r.status_code == 200, r.text # lease update ok
    r = client().simulate_get("/api/signed/test/attr/")