From e594371ee3c56ee97a728f8283bc1ce171e3b321 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Tue, 2 Jan 2018 09:27:39 +0000 Subject: [PATCH] api: Update last seen status for VPN gateway during client update --- certidude/api/lease.py | 17 +++++++++++++---- certidude/auth.py | 1 + certidude/static/views/lease.html | 4 +++- certidude/static/views/status.html | 17 ----------------- 4 files changed, 17 insertions(+), 22 deletions(-) delete mode 100644 certidude/static/views/status.html diff --git a/certidude/api/lease.py b/certidude/api/lease.py index ef07e86..a20ea08 100644 --- a/certidude/api/lease.py +++ b/certidude/api/lease.py @@ -2,6 +2,7 @@ import click import falcon import logging +import os import xattr from datetime import datetime from certidude import config, authority, push @@ -31,15 +32,23 @@ class LeaseDetailResource(object): class LeaseResource(object): @authorize_server def on_post(self, req, resp): - common_name = req.get_param("client", required=True) - path, buf, cert, signed, expires = authority.get_signed(common_name) # TODO: catch exceptions + client_common_name = req.get_param("client", required=True) + path, buf, cert, signed, expires = authority.get_signed(client_common_name) # TODO: catch exceptions if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied") + now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z" xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii")) xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii")) - xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z") - push.publish("lease-update", common_name) + xattr.setxattr(path, "user.lease.last_seen", now) + push.publish("lease-update", client_common_name) + + server_common_name = req.context.get("machine") + path = os.path.join(config.SIGNED_DIR, server_common_name + ".pem") + xattr.setxattr(path, "user.lease.outer_address", "") + xattr.setxattr(path, "user.lease.inner_address", "%s" % req.context.get("remote_addr")) + xattr.setxattr(path, "user.lease.last_seen", now) + push.publish("lease-update", server_common_name) # client-disconnect is pretty much unusable: # - Android Connect Client results "IP packet with unknown IP version=2" on gateway diff --git a/certidude/auth.py b/certidude/auth.py index 7d74a8d..e57208d 100644 --- a/certidude/auth.py +++ b/certidude/auth.py @@ -199,6 +199,7 @@ def authorize_server(func): for extension in cert["tbs_certificate"]["extensions"]: if extension["extn_id"].native == "extended_key_usage": if "server_auth" in extension["extn_value"].native: + req.context["machine"] = cert.subject.native["common_name"] return func(resource, req, resp, *args, **kwargs) logger.info("TLS authenticated machine '%s' not authorized to access administrative API", cert.subject.native["common_name"]) raise falcon.HTTPForbidden("Forbidden", "Machine not authorized to perform the operation") diff --git a/certidude/static/views/lease.html b/certidude/static/views/lease.html index e9d2835..2795e77 100644 --- a/certidude/static/views/lease.html +++ b/certidude/static/views/lease.html @@ -2,5 +2,7 @@ Last seen at -{{ certificate.lease.inner_address }}. +{{ certificate.lease.inner_address }}{% if certificate.lease.outer_address %} +from +{{ certificate.lease.outer_address }}{% endif %}. diff --git a/certidude/static/views/status.html b/certidude/static/views/status.html deleted file mode 100644 index 6fe2ad1..0000000 --- a/certidude/static/views/status.html +++ /dev/null @@ -1,17 +0,0 @@ - - {% if certificate.lease %} - - - - {% if certificate.lease.age > session.authority.lease.offline %} - Last seen - at {{ certificate.lease.inner_address }} - {% else %} - Online since at - {{ certificate.lease.inner_address }} - {% endif %} - via - {{ certificate.lease.outer_address }} - {% endif %} -