def audit_event(self, event_type, event_msg, remote_addr=None):
if settings.app.auditing != ALL:
return
timestamp = utils.now()
self.audit_collection.insert({
'user_id': self.id,
'timestamp': timestamp,
'type': event_type,
'remote_addr': remote_addr,
'message': event_msg,
})
plugins.event(
'audit_event',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
user_id=self.id,
org_id=None,
timestamp=timestamp,
type=event_type,
remote_addr=remote_addr,
message=event_msg,
)
def audit_event(self, event_type, event_msg, remote_addr=None):
if settings.app.auditing != ALL:
return
timestamp = utils.now()
self.audit_collection.insert({
'user_id': self.id,
'org_id': self.org_id,
'timestamp': timestamp,
'type': event_type,
'remote_addr': remote_addr,
'message': event_msg,
})
plugins.event(
'audit_event',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
user_id=self.id,
org_id=self.org_id,
timestamp=timestamp,
type=event_type,
remote_addr=remote_addr,
message=event_msg,
)
def callback(allow, reason=None):
try:
if allow:
self.allow_client(client_data, org, user, reauth)
if settings.vpn.stress_test:
self._connected(client_id)
else:
self.instance_com.send_client_deny(
client_id, key_id, reason, auth.challenge)
plugins.event(
'user_connection',
host_id=settings.local.host_id,
server_id=self.server.id,
org_id=org.id,
user_id=user.id,
host_name=settings.local.host.name,
server_name=self.server.name,
org_name=org.name,
user_name=user.name,
platform=platform,
device_id=device_id,
device_name=device_name,
remote_ip=remote_ip,
mac_addr=mac_addr,
password=password,
allow=allow,
reason=reason
)
except:
logger.exception('Error in authorizer callback', 'server',
server_id=self.server.id,
instance_id=self.instance.id,
)
def audit_event(self, event_type, event_msg, remote_addr=None, **kwargs):
if settings.app.auditing != ALL:
return
timestamp = utils.now()
org_name = None
if self.org:
org_name = self.org.name
self.audit_collection.insert({
'user_id': self.id,
'user_name': self.name,
'org_id': self.org_id,
'org_name': org_name,
'timestamp': timestamp,
'type': event_type,
'remote_addr': remote_addr,
'message': event_msg,
})
plugins.event(
'audit_event',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
user_id=self.id,
user_name=self.name,
org_id=self.org_id,
org_name=org_name,
timestamp=timestamp,
type=event_type,
remote_addr=remote_addr,
message=event_msg,
**kwargs
)
logger.info(
'Audit event',
'audit',
user_id=self.id,
user_name=self.name,
org_id=self.org_id,
org_name=org_name,
timestamp=timestamp,
type=event_type,
remote_addr=remote_addr,
message=event_msg,
**kwargs
)
def audit_event(self, event_type, event_msg, remote_addr=None, **kwargs):
if settings.app.auditing != ALL:
return
timestamp = utils.now()
org_name = None
if self.org:
org_name = self.org.name
self.audit_collection.insert({
'user_id': self.id,
'user_name': self.name,
'org_id': self.org_id,
'org_name': org_name,
'timestamp': timestamp,
'type': event_type,
'remote_addr': remote_addr,
'message': event_msg,
})
plugins.event(
'audit_event',
host_id=settings.local.host_id,
host_name=settings.local.host.name,
user_id=self.id,
user_name=self.name,
org_id=self.org_id,
org_name=org_name,
timestamp=timestamp,
type=event_type,
remote_addr=remote_addr,
message=event_msg,
**kwargs
)
logger.info(
'Audit event',
'audit',
user_id=self.id,
user_name=self.name,
org_id=self.org_id,
org_name=org_name,
timestamp=timestamp,
type=event_type,
remote_addr=remote_addr,
message=event_msg,
**kwargs
)
def _disconnected(self, client):
org_id = client['org_id']
user_id = client['user_id']
remote_ip = client['real_address']
org = self.get_org(org_id)
if org:
user = org.get_user(user_id, fields=('_id', 'name'))
if user:
user.audit_event(
'user_connection',
'User disconnected from "%s"' % self.server.name,
remote_addr=remote_ip,
)
monitoring.insert_point('user_disconnections', {
'host': settings.local.host.name,
'server': self.server.name,
}, {
'user': user.name,
'remote_ip': remote_ip,
})
plugins.event(
'user_disconnected',
host_id=settings.local.host_id,
server_id=self.server.id,
org_id=org.id,
user_id=user.id,
host_name=settings.local.host.name,
server_name=self.server.name,
org_name=org.name,
user_name=user.name,
remote_ip=remote_ip,
)
if self.route_clients:
messenger.publish(
'client', {
'state': False,
'server_id': self.server.id,
'virt_address': client['virt_address'],
'virt_address6': client['virt_address6'],
'host_address': settings.local.host.local_addr,
'host_address6': settings.local.host.local_addr6,
})
self.instance_com.push_output('User disconnected user_id=%s' %
client['user_id'])
self.send_event()
def _disconnected(self, client):
org_id = client['org_id']
user_id = client['user_id']
remote_ip = client['real_address']
org = self.get_org(org_id)
if org:
user = org.get_user(user_id, fields=('_id', 'name'))
if user:
user.audit_event(
'user_connection',
'User disconnected from "%s"' % self.server.name,
remote_addr=remote_ip,
)
monitoring.insert_point('user_disconnections', {
'host': settings.local.host.name,
'server': self.server.name,
}, {
'user': user.name,
'remote_ip': remote_ip,
})
plugins.event(
'user_disconnected',
host_id=settings.local.host_id,
server_id=self.server.id,
org_id=org.id,
user_id=user.id,
host_name=settings.local.host.name,
server_name=self.server.name,
org_name=org.name,
user_name=user.name,
remote_ip=remote_ip,
)
if self.route_clients:
messenger.publish('client', {
'state': False,
'server_id': self.server.id,
'virt_address': client['virt_address'],
'virt_address6': client['virt_address6'],
'host_address': settings.local.host.local_addr,
'host_address6': settings.local.host.local_addr6,
})
self.instance_com.push_output(
'User disconnected user_id=%s' % client['user_id'])
self.send_event()
def allow_client(self, client_data, org, user, reauth=False):
client_id = client_data['client_id']
key_id = client_data['key_id']
org_id = client_data['org_id']
user_id = client_data['user_id']
device_id = client_data.get('device_id')
device_name = client_data.get('device_name')
platform = client_data.get('platform')
mac_addr = client_data.get('mac_addr')
remote_ip = client_data.get('remote_ip')
address_dynamic = False
if reauth:
doc = self.clients.find_id(client_id)
if not doc:
self.instance_com.send_client_deny(client_id, key_id,
'Client connection info timed out')
return
virt_address = doc['virt_address']
virt_address6 = doc['virt_address6']
else:
user.audit_event(
'user_connection',
'User connected to "%s"' % self.server.name,
remote_addr=remote_ip,
)
monitoring.insert_point('user_connections', {
'host': settings.local.host.name,
'server': self.server.name,
}, {
'user': user.name,
'platform': platform,
'remote_ip': remote_ip,
})
virt_address = self.server.get_ip_addr(org_id, user_id)
if not virt_address:
logger.error('User missing ip address',
'clients',
server_id=self.server.id,
instance_id=self.instance.id,
user_id=user.id,
multi_device=self.server.multi_device,
network=self.server.network,
user_count=self.server.user_count,
)
if not self.server.multi_device:
for clnt in self.clients.find({'user_id': user_id}):
time.sleep(3)
self.instance_com.client_kill(clnt['id'])
elif virt_address:
if mac_addr:
for clnt in self.clients.find({
'user_id': user_id,
'mac_addr': mac_addr,
}):
self.instance_com.client_kill(clnt['id'])
if self.clients.find({'virt_address': virt_address}):
virt_address = None
if not virt_address:
while True:
try:
ip_addr = self.ip_pool.pop()
except IndexError:
break
ip_addr = '%s/%s' % (ip_addr, self.ip_network.prefixlen)
if not self.clients.find({'virt_address': ip_addr}):
virt_address = ip_addr
address_dynamic = True
break
if not virt_address:
logger.error('Unable to assign ip address, pool full',
'clients',
server_id=self.server.id,
instance_id=self.instance.id,
user_id=user.id,
multi_device=self.server.multi_device,
network=self.server.network,
user_count=self.server.user_count,
)
if not virt_address:
self.instance_com.send_client_deny(client_id, key_id,
'Unable to assign ip address')
return
virt_address6 = self.server.ip4to6(virt_address)
dns_servers = []
if user.dns_servers:
for dns_server in user.dns_servers:
if dns_server == '127.0.0.1':
dns_server = virt_address
dns_servers.append(dns_server)
rules, rules6 = self.generate_iptables_rules(
user, virt_address, virt_address6)
self.clients.insert({
'id': client_id,
'org_id': org_id,
'org_name': org.name,
'user_id': user_id,
'user_name': user.name,
'user_type': user.type,
'dns_servers': dns_servers,
'dns_suffix': user.dns_suffix,
'device_id': device_id,
'device_name': device_name,
'platform': platform,
'mac_addr': mac_addr,
'virt_address': virt_address,
'virt_address6': virt_address6,
'real_address': remote_ip,
'address_dynamic': address_dynamic,
'iptables_rules': rules,
'ip6tables_rules': rules6,
})
if user.type == CERT_CLIENT:
plugins.event(
'user_connected',
host_id=settings.local.host_id,
server_id=self.server.id,
org_id=org.id,
user_id=user.id,
host_name=settings.local.host.name,
server_name=self.server.name,
org_name=org.name,
user_name=user.name,
platform=platform,
device_id=device_id,
device_name=device_name,
virtual_ip=virt_address,
virtual_ip6=virt_address6,
remote_ip=remote_ip,
mac_addr=mac_addr,
)
host.global_clients.insert({
'instance_id': self.instance.id,
'client_id': client_id,
})
client_conf = self.generate_client_conf(platform, client_id,
virt_address, user, reauth)
client_conf += 'ifconfig-push %s %s\n' % utils.parse_network(
virt_address)
if self.server.ipv6:
client_conf += 'ifconfig-ipv6-push %s\n' % virt_address6
if self.server.debug:
self.instance_com.push_output('Client conf %s:' % user_id)
for conf_line in client_conf.split('\n'):
if conf_line:
self.instance_com.push_output(' ' + conf_line)
self.instance_com.send_client_auth(client_id, key_id, client_conf)
def format(self, record):
from pritunl import plugins
try:
host_name = settings.local.host.name
except AttributeError:
host_name = 'undefined'
try:
host_id = settings.local.host_id
except AttributeError:
host_id = 'undefined'
formatted_record = '[' + host_name + ']'
try:
formatted_record += logging.Formatter.format(self, record)
except:
try:
record.msg = record.msg.encode('string_escape')
formatted_record += logging.Formatter.format(self, record)
except:
record.msg = 'Unreadable'
formatted_record += logging.Formatter.format(self, record)
kwargs = {
'message': formatted_record,
'host_id': host_id,
'host_name': host_name,
}
if hasattr(record, 'data') and record.data:
kwargs.update(record.data)
traceback = record.data.pop('traceback', None)
stdout = record.data.pop('stdout', None)
stderr = record.data.pop('stderr', None)
if record.data:
width = len(max(record.data, key=len))
for key, val in record.data.items():
formatted_record += '\n %s = %s' % (
key.ljust(width),
json.dumps(val, default=lambda x: str(x)),
)
if stdout:
formatted_record += '\nProcess stdout:'
stdout_lines = stdout.split('\n')
if stdout_lines and not stdout_lines[-1]:
stdout_lines.pop()
for line in stdout_lines:
formatted_record += '\n ' + line
if stderr:
formatted_record += '\nProcess stderr:'
stderr_lines = stderr.split('\n')
if stderr_lines and not stderr_lines[-1]:
stderr_lines.pop()
for line in stderr_lines:
formatted_record += '\n ' + line.decode('utf-8')
if traceback:
formatted_record += \
'\nTraceback (most recent call last):\n'
formatted_record += ''.join(traceback).rstrip('\n')
plugins.event(
'log_entry',
**kwargs
)
return formatted_record
def format(self, record):
from pritunl import plugins
try:
host_name = settings.local.host.name
except AttributeError:
host_name = 'undefined'
try:
host_id = settings.local.host_id
except AttributeError:
host_id = 'undefined'
formatted_record = '[' + host_name + ']'
try:
formatted_record += logging.Formatter.format(self, record)
except:
try:
record.msg = record.msg.encode('string_escape')
formatted_record += logging.Formatter.format(self, record)
except:
record.msg = 'Unreadable'
formatted_record += logging.Formatter.format(self, record)
kwargs = {
'message': formatted_record,
'host_id': host_id,
'host_name': host_name,
}
if hasattr(record, 'data') and record.data:
kwargs.update(record.data)
traceback = record.data.pop('traceback', None)
stdout = record.data.pop('stdout', None)
stderr = record.data.pop('stderr', None)
if record.data:
width = len(max(record.data, key=len))
for key, val in list(record.data.items()):
formatted_record += '\n %s = %s' % (
key.ljust(width),
json.dumps(val, default=lambda x: str(x)),
)
if stdout:
formatted_record += '\nProcess stdout:'
stdout_lines = stdout.split('\n')
if stdout_lines and not stdout_lines[-1]:
stdout_lines.pop()
for line in stdout_lines:
formatted_record += '\n ' + line
if stderr:
formatted_record += '\nProcess stderr:'
stderr_lines = stderr.split('\n')
if stderr_lines and not stderr_lines[-1]:
stderr_lines.pop()
for line in stderr_lines:
formatted_record += '\n ' + line.decode()
if traceback:
formatted_record += \
'\nTraceback (most recent call last):\n'
formatted_record += ''.join(traceback).rstrip('\n')
plugins.event('log_entry', **kwargs)
return formatted_record
def allow_client(self, client_data, org, user, reauth=False):
client_id = client_data['client_id']
key_id = client_data['key_id']
org_id = client_data['org_id']
user_id = client_data['user_id']
device_id = client_data.get('device_id')
device_name = client_data.get('device_name')
platform = client_data.get('platform')
mac_addr = client_data.get('mac_addr')
remote_ip = client_data.get('remote_ip')
address_dynamic = False
if reauth:
doc = self.clients.find_id(client_id)
if not doc:
self.instance_com.send_client_deny(client_id, key_id,
'Client connection info timed out')
return
virt_address = doc['virt_address']
virt_address6 = doc['virt_address6']
else:
user.audit_event(
'user_connection',
'User connected to "%s"' % self.server.name,
remote_addr=remote_ip,
)
monitoring.insert_point('user_connections', {
'host': settings.local.host.name,
'server': self.server.name,
}, {
'user': user.name,
'platform': platform,
'remote_ip': remote_ip,
})
virt_address = self.server.get_ip_addr(org_id, user_id)
if not virt_address:
logger.error('User missing ip address',
'clients',
server_id=self.server.id,
instance_id=self.instance.id,
user_id=user.id,
multi_device=self.server.multi_device,
network=self.server.network,
user_count=self.server.user_count,
)
if not self.server.multi_device:
for clnt in self.clients.find({'user_id': user_id}):
time.sleep(3)
self.instance_com.client_kill(clnt['id'])
elif virt_address:
if mac_addr:
for clnt in self.clients.find({
'user_id': user_id,
'mac_addr': mac_addr,
}):
self.instance_com.client_kill(clnt['id'])
if self.clients.find({'virt_address': virt_address}):
virt_address = None
if not virt_address:
while True:
try:
ip_addr = self.ip_pool.pop()
except IndexError:
break
ip_addr = '%s/%s' % (ip_addr, self.ip_network.prefixlen)
if not self.clients.find({'virt_address': ip_addr}):
virt_address = ip_addr
address_dynamic = True
break
if not virt_address:
logger.error('Unable to assign ip address, pool full',
'clients',
server_id=self.server.id,
instance_id=self.instance.id,
user_id=user.id,
multi_device=self.server.multi_device,
network=self.server.network,
user_count=self.server.user_count,
)
if not virt_address:
self.instance_com.send_client_deny(client_id, key_id,
'Unable to assign ip address')
return
virt_address6 = self.server.ip4to6(virt_address)
dns_servers = []
if user.dns_servers:
for dns_server in user.dns_servers:
if dns_server == '127.0.0.1':
dns_server = virt_address
dns_servers.append(dns_server)
rules, rules6 = self.generate_iptables_rules(
user, virt_address, virt_address6)
self.clients.insert({
'id': client_id,
'org_id': org_id,
'org_name': org.name,
'user_id': user_id,
'user_name': user.name,
'user_type': user.type,
'dns_servers': dns_servers,
'dns_suffix': user.dns_suffix,
'device_id': device_id,
'device_name': device_name,
'platform': platform,
'mac_addr': mac_addr,
'virt_address': virt_address,
'virt_address6': virt_address6,
'real_address': remote_ip,
'address_dynamic': address_dynamic,
'iptables_rules': rules,
'ip6tables_rules': rules6,
})
if user.type == CERT_CLIENT:
plugins.event(
'user_connected',
host_id=settings.local.host_id,
server_id=self.server.id,
org_id=org.id,
user_id=user.id,
host_name=settings.local.host.name,
server_name=self.server.name,
org_name=org.name,
user_name=user.name,
platform=platform,
device_id=device_id,
device_name=device_name,
virtual_ip=virt_address,
virtual_ip6=virt_address6,
remote_ip=remote_ip,
mac_addr=mac_addr,
)
host.global_clients.insert({
'instance_id': self.instance.id,
'client_id': client_id,
})
client_conf = self.generate_client_conf(platform, client_id,
virt_address, user, reauth)
client_conf += 'ifconfig-push %s %s\n' % utils.parse_network(
virt_address)
if self.server.ipv6:
client_conf += 'ifconfig-ipv6-push %s\n' % virt_address6
if self.server.debug:
self.instance_com.push_output('Client conf %s:' % user_id)
for conf_line in client_conf.split('\n'):
if conf_line:
self.instance_com.push_output(' ' + conf_line)
self.instance_com.send_client_auth(client_id, key_id, client_conf)
def allow_client(self, client_data, org, user, reauth=False):
client_id = client_data['client_id']
key_id = client_data['key_id']
org_id = client_data['org_id']
user_id = client_data['user_id']
device_id = client_data.get('device_id')
device_name = client_data.get('device_name')
platform = client_data.get('platform')
mac_addr = client_data.get('mac_addr')
remote_ip = client_data.get('remote_ip')
doc_id = utils.ObjectId()
if reauth:
doc = self.clients.find_id(client_id)
if not doc:
self.instance_com.send_client_deny(client_id, key_id,
'Client connection info timed out')
return
virt_address = doc['virt_address']
virt_address6 = doc['virt_address6']
else:
user.audit_event(
'user_connection',
'User connected to "%s"' % self.server.name,
remote_addr=remote_ip,
)
monitoring.insert_point('user_connections', {
'host': settings.local.host.name,
'server': self.server.name,
}, {
'user': user.name,
'platform': platform,
'remote_ip': remote_ip,
})
virt_address, address_dynamic = self.get_virt_addr(
org_id, user_id, mac_addr, doc_id)
if not self.server.multi_device:
if self.server.replicating:
# if self.server.route_clients:
# docs = self.collection.find({
# 'user_id': user_id,
# 'server_id': self.server.id,
# })
#
# for doc in docs:
# messenger.publish('client', {
# 'state': False,
# 'server_id': self.server.id,
# 'virt_address': doc['virt_address'],
# 'virt_address6': doc['virt_address6'],
# 'host_address': doc['host_address'],
# 'host_address6': doc['host_address6'],
# })
messenger.publish('instance', [
'user_reconnect',
user_id,
settings.local.host_id,
])
for clnt in self.clients.find({'user_id': user_id}):
time.sleep(2)
self.instance_com.client_kill(clnt['id'])
if not virt_address:
self.instance_com.send_client_deny(client_id, key_id,
'Unable to assign ip address')
return
virt_address6 = self.server.ip4to6(virt_address)
dns_servers = []
if user.dns_servers:
for dns_server in user.dns_servers:
if dns_server == '127.0.0.1':
dns_server = virt_address
dns_servers.append(dns_server)
rules, rules6 = self.generate_iptables_rules(
user, virt_address, virt_address6)
self.clients.insert({
'id': client_id,
'doc_id': doc_id,
'org_id': org_id,
'org_name': org.name,
'user_id': user_id,
'user_name': user.name,
'user_type': user.type,
'dns_servers': dns_servers,
'dns_suffix': user.dns_suffix,
'device_id': device_id,
'device_name': device_name,
'platform': platform,
'mac_addr': mac_addr,
'virt_address': virt_address,
'virt_address6': virt_address6,
'real_address': remote_ip,
'address_dynamic': address_dynamic,
'iptables_rules': rules,
'ip6tables_rules': rules6,
})
if user.type == CERT_CLIENT:
plugins.event(
'user_connected',
host_id=settings.local.host_id,
server_id=self.server.id,
org_id=org.id,
user_id=user.id,
host_name=settings.local.host.name,
server_name=self.server.name,
org_name=org.name,
user_name=user.name,
platform=platform,
device_id=device_id,
device_name=device_name,
virtual_ip=virt_address,
virtual_ip6=virt_address6,
remote_ip=remote_ip,
mac_addr=mac_addr,
)
host.global_clients.insert({
'instance_id': self.instance.id,
'client_id': client_id,
})
client_conf = self.generate_client_conf(platform, client_id,
virt_address, user, reauth)
client_conf += 'ifconfig-push %s %s\n' % utils.parse_network(
virt_address)
if self.server.ipv6:
client_conf += 'ifconfig-ipv6-push %s\n' % virt_address6
if self.server.debug:
self.instance_com.push_output('Client conf %s:' % user_id)
for conf_line in client_conf.split('\n'):
if conf_line:
self.instance_com.push_output(' ' + conf_line)
self.instance_com.send_client_auth(client_id, key_id, client_conf)
