1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-23 00:25:18 +00:00

api: Update last seen status for VPN gateway during client update

This commit is contained in:
Lauri Võsandi 2018-01-02 09:27:39 +00:00
parent 40d84918eb
commit e594371ee3
4 changed files with 17 additions and 22 deletions

View File

@ -2,6 +2,7 @@
import click import click
import falcon import falcon
import logging import logging
import os
import xattr import xattr
from datetime import datetime from datetime import datetime
from certidude import config, authority, push from certidude import config, authority, push
@ -31,15 +32,23 @@ class LeaseDetailResource(object):
class LeaseResource(object): class LeaseResource(object):
@authorize_server @authorize_server
def on_post(self, req, resp): def on_post(self, req, resp):
common_name = req.get_param("client", required=True) client_common_name = req.get_param("client", required=True)
path, buf, cert, signed, expires = authority.get_signed(common_name) # TODO: catch exceptions path, buf, cert, signed, expires = authority.get_signed(client_common_name) # TODO: catch exceptions
if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied") raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")
now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii")) xattr.setxattr(path, "user.lease.outer_address", req.get_param("outer_address", required=True).encode("ascii"))
xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii")) xattr.setxattr(path, "user.lease.inner_address", req.get_param("inner_address", required=True).encode("ascii"))
xattr.setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z") xattr.setxattr(path, "user.lease.last_seen", now)
push.publish("lease-update", common_name) push.publish("lease-update", client_common_name)
server_common_name = req.context.get("machine")
path = os.path.join(config.SIGNED_DIR, server_common_name + ".pem")
xattr.setxattr(path, "user.lease.outer_address", "")
xattr.setxattr(path, "user.lease.inner_address", "%s" % req.context.get("remote_addr"))
xattr.setxattr(path, "user.lease.last_seen", now)
push.publish("lease-update", server_common_name)
# client-disconnect is pretty much unusable: # client-disconnect is pretty much unusable:
# - Android Connect Client results "IP packet with unknown IP version=2" on gateway # - Android Connect Client results "IP packet with unknown IP version=2" on gateway

View File

@ -199,6 +199,7 @@ def authorize_server(func):
for extension in cert["tbs_certificate"]["extensions"]: for extension in cert["tbs_certificate"]["extensions"]:
if extension["extn_id"].native == "extended_key_usage": if extension["extn_id"].native == "extended_key_usage":
if "server_auth" in extension["extn_value"].native: if "server_auth" in extension["extn_value"].native:
req.context["machine"] = cert.subject.native["common_name"]
return func(resource, req, resp, *args, **kwargs) return func(resource, req, resp, *args, **kwargs)
logger.info("TLS authenticated machine '%s' not authorized to access administrative API", cert.subject.native["common_name"]) logger.info("TLS authenticated machine '%s' not authorized to access administrative API", cert.subject.native["common_name"])
raise falcon.HTTPForbidden("Forbidden", "Machine not authorized to perform the operation") raise falcon.HTTPForbidden("Forbidden", "Machine not authorized to perform the operation")

View File

@ -2,5 +2,7 @@
Last seen Last seen
<time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
at at
<a href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>. <a href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>{% if certificate.lease.outer_address %}
from
<a target="{{ certificate.lease.outer_address }}" href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>{% endif %}.

View File

@ -1,17 +0,0 @@
<span>
{% if certificate.lease %}
<svg height="32" width="32">
<circle cx="16" cy="16" r="13" stroke="black" stroke-width="3" fill="{% if certificate.lease %}{% if certificate.lease.age > session.authority.lease.offline %}#0072CF{% elif certificate.lease.age > session.authority.lease.dead %}#D6083B{%else %}#55A51C{% endif %}{% endif %}"/>
</svg>
{% if certificate.lease.age > session.authority.lease.offline %}
Last seen <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
at {{ certificate.lease.inner_address }}
{% else %}
Online since <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> at
<a target="{{ certificate.lease.inner_address }}" href="http://{{ certificate.lease.inner_address }}">{{ certificate.lease.inner_address }}</a>
{% endif %}
via
<a target="{{ certificate.lease.outer_address }}"
href="http://geoiplookup.net/ip/{{ certificate.lease.outer_address }}">{{ certificate.lease.outer_address }}</a>
{% endif %}
</span>