api: Update last seen status for VPN gateway during client update
This commit is contained in:
parent
40d84918eb
commit
e594371ee3
@ -2,6 +2,7 @@
|
|||||||
import click
|
import click
|
||||||
import falcon
|
import falcon
|
||||||
import logging
|
import logging
|
||||||
|
import os
|
||||||
import xattr
|
import xattr
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
from certidude import config, authority, push
|
from certidude import config, authority, push
|
||||||
@ -31,15 +32,23 @@ class LeaseDetailResource(object):
|
|||||||
class LeaseResource(object):
|
class LeaseResource(object):
|
||||||
@authorize_server
|
@authorize_server
|
||||||
def on_post(self, req, resp):
|
def on_post(self, req, resp):
|
||||||
common_name = req.get_param("client", required=True)
|
client_common_name = req.get_param("client", required=True)
|
||||||
path, buf, cert, signed, expires = authority.get_signed(common_name) # TODO: catch exceptions
|
path, buf, cert, signed, expires = authority.get_signed(client_common_name) # TODO: catch exceptions
|
||||||
if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
|
if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
|
||||||
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
|
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
|
||||||
|
now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
|
||||||
|
|
||||||
xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
|
xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
|
||||||
xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
|
xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
|
||||||
xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
|
xattr.setxattr(path, "user.lease.last_seen", now)
|
||||||
push.publish("lease-update", common_name)
|
push.publish("lease-update", client_common_name)
|
||||||
|
|
||||||
|
server_common_name = req.context.get("machine")
|
||||||
|
path = os.path.join(config.SIGNED_DIR, server_common_name + ".pem")
|
||||||
|
xattr.setxattr(path, "user.lease.outer_address", "")
|
||||||
|
xattr.setxattr(path, "user.lease.inner_address", "%s" % req.context.get("remote_addr"))
|
||||||
|
xattr.setxattr(path, "user.lease.last_seen", now)
|
||||||
|
push.publish("lease-update", server_common_name)
|
||||||
|
|
||||||
# client-disconnect is pretty much unusable:
|
# client-disconnect is pretty much unusable:
|
||||||
# - Android Connect Client results "IP packet with unknown IP version=2" on gateway
|
# - Android Connect Client results "IP packet with unknown IP version=2" on gateway
|
||||||
|
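Review bot: `server_common_name` is the subject CN of the TLS client certificate (set by authorize_server) and is concatenated straight into a path under `config.SIGNED_DIR`; unless the authority rejects CNs containing `/` or `..` at signing time, which is not visible here, a gateway certificate with such a CN makes `xattr.setxattr` touch a file outside the signed directory. The client branch just above already resolves a CN through `authority.get_signed(...)`; doing the same for the gateway, `path, _, _, _, _ = authority.get_signed(server_common_name)`, keeps the lookup and its validation in one place and fails cleanly when the gateway's certificate is not in SIGNED_DIR instead of raising from setxattr after the client lease has already been written. `req.context.get("remote_addr")` is presumably the TLS peer's address, so behind a reverse proxy the recorded inner_address would be the proxy's; a comment stating the assumption would help. on_post continues past the end of the hunk.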
@ -199,6 +199,7 @@ def authorize_server(func):
|
|||||||
for extension in cert["tbs_certificate"]["extensions"]:
|
for extension in cert["tbs_certificate"]["extensions"]:
|
||||||
if extension["extn_id"].native == "extended_key_usage":
|
if extension["extn_id"].native == "extended_key_usage":
|
||||||
if "server_auth" in extension["extn_value"].native:
|
if "server_auth" in extension["extn_value"].native:
|
||||||
|
req.context["machine"] = cert.subject.native["common_name"]
|
||||||
return func(resource, req, resp, *args, **kwargs)
|
return func(resource, req, resp, *args, **kwargs)
|
||||||
logger.info("TLS authenticated machine '%s' not authorized to access administrative API", cert.subject.native["common_name"])
|
logger.info("TLS authenticated machine '%s' not authorized to access administrative API", cert.subject.native["common_name"])
|
||||||
raise falcon.HTTPForbidden("Forbidden", "Machine not authorized to perform the operation")
|
raise falcon.HTTPForbidden("Forbidden", "Machine not authorized to perform the operation")
|
||||||
|
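Review bot: The new `req.context["machine"]` key is how downstream handlers learn which gateway authenticated, but nothing in authorize_server documents that it sets it or that the value is the certificate's subject CN used verbatim. Add to the decorator's docstring: `On success sets req.context["machine"] to the subject common name of the authenticated server certificate; handlers must treat it as an identifier, not a safe path component.` The decorator's definition and its certificate checks start outside the hunk.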
@ -2,5 +2,7 @@
|
|||||||
Last seen
|
Last seen
|
||||||
<time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
|
<time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
|
||||||
at
|
at
|
||||||
<a href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>.
|
<a href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>{% if certificate.lease.outer_address %}
|
||||||
|
from
|
||||||
|
<a target="{{ certificate.lease.outer_address }}" href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>{% endif %}.
|
||||||
|
|
||||||
|
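Review bot: The added outer_address link sends every VPN client's public IP, plus the admin UI's referrer, to geoiplookup.net over plain HTTP whenever an administrator opens the page, which hands client addresses to a third party; at minimum use `https://` and cut the referrer, `<a rel="noopener noreferrer" href="https://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">`. The `target="{{ certificate.lease.outer_address }}"` attribute names a browsing context after the IP, which presumably was meant to be `target="_blank"`. outer_address comes from the gateway's POST parameter and is rendered into attributes here; whether it is escaped depends on the template engine's autoescape setting, which is not visible in this hunk.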
@ -1,17 +0,0 @@
|
|||||||
<span>
|
|
||||||
{% if certificate.lease %}
|
|
||||||
<svg height="32" width="32">
|
|
||||||
<circle cx="16" cy="16" r="13" stroke="black" stroke-width="3" fill="{% if certificate.lease %}{% if certificate.lease.age > session.authority.lease.offline %}#0072CF{% elif certificate.lease.age > session.authority.lease.dead %}#D6083B{%else %}#55A51C{% endif %}{% endif %}"/>
|
|
||||||
</svg>
|
|
||||||
{% if certificate.lease.age > session.authority.lease.offline %}
|
|
||||||
Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
|
|
||||||
at {{ certificate.lease.inner_address }}
|
|
||||||
{% else %}
|
|
||||||
Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
|
|
||||||
<a target="{{ certificate.lease.inner_address }}" href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>
|
|
||||||
{% endif %}
|
|
||||||
via
|
|
||||||
<a target="{{ certificate.lease.outer_address }}"
|
|
||||||
href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>
|
|
||||||
{% endif %}
|
|
||||||
</span>
|
|