api: Update last seen status for VPN gateway during client update

2024-12-22 08:15:18 +00:00 · 2018-01-02 09:27:39 +00:00 · 2018-01-02 09:27:39 +00:00 · e594371ee3
commit e594371ee3
parent 40d84918eb
4 changed files with 17 additions and 22 deletions
--- a/certidude/api/lease.py
+++ b/certidude/api/lease.py
@ -2,6 +2,7 @@
 import click
 import falcon
 import logging
+import os
 import xattr
 from datetime import datetime
 from certidude import config, authority, push
@ -31,15 +32,23 @@ class LeaseDetailResource(object):
 class LeaseResource(object):
    @authorize_server
    def on_post(self, req, resp):
-        common_name = req.get_param("client", required=True)
-        path, buf, cert, signed, expires = authority.get_signed(common_name) # TODO: catch exceptions
+        client_common_name = req.get_param("client", required=True)
+        path, buf, cert, signed, expires = authority.get_signed(client_common_name) # TODO: catch exceptions
        if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
            raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
+        now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

        xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
        xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
-        xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
-        push.publish("lease-update", common_name)
+        xattr.setxattr(path, "user.lease.last_seen", now)
+        push.publish("lease-update", client_common_name)
+
+        server_common_name = req.context.get("machine")
+        path = os.path.join(config.SIGNED_DIR, server_common_name + ".pem")
+        xattr.setxattr(path, "user.lease.outer_address", "")
+        xattr.setxattr(path, "user.lease.inner_address", "%s" % req.context.get("remote_addr"))
+        xattr.setxattr(path, "user.lease.last_seen", now)
+        push.publish("lease-update", server_common_name)

        # client-disconnect is pretty much unusable:
        # - Android Connect Client results "IP packet with unknown IP version=2" on gateway
--- a/certidude/auth.py
+++ b/certidude/auth.py
@ -199,6 +199,7 @@ def authorize_server(func):
        for extension in cert["tbs_certificate"]["extensions"]:
            if extension["extn_id"].native == "extended_key_usage":
                if "server_auth" in extension["extn_value"].native:
+                    req.context["machine"] = cert.subject.native["common_name"]
                    return func(resource, req, resp, *args, **kwargs)
        logger.info("TLS authenticated machine '%s' not authorized to access administrative API", cert.subject.native["common_name"])
        raise falcon.HTTPForbidden("Forbidden", "Machine not authorized to perform the operation")
--- a/certidude/static/views/lease.html
+++ b/certidude/static/views/lease.html
@ -2,5 +2,7 @@
 Last seen
 <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
 at
-<a href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>.
+<a href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>{% if certificate.lease.outer_address %}
+from
+<a target="{{ certificate.lease.outer_address }}" href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>{% endif %}.

--- a/certidude/static/views/status.html
+++ b/certidude/static/views/status.html
@ -1,17 +0,0 @@
-<span>
-  {% if certificate.lease %}
-    <svg height="32" width="32">
-      <circle cx="16" cy="16" r="13" stroke="black" stroke-width="3" fill="{% if certificate.lease %}{% if certificate.lease.age > session.authority.lease.offline %}#0072CF{% elif certificate.lease.age > session.authority.lease.dead %}#D6083B{%else %}#55A51C{% endif %}{% endif %}"/>
-    </svg>
-    {% if certificate.lease.age > session.authority.lease.offline %}
-      Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
-      at {{ certificate.lease.inner_address }}
-    {% else %}
-      Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
-      <a target="{{ certificate.lease.inner_address }}" href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>
-    {% endif %}
-    via
-    <a target="{{ certificate.lease.outer_address }}"
-        href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>
-  {% endif %}
-</span>