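def sync_record(self, record):
    """Issue a client certificate for ``record`` and persist the record.

    The record is deferred (``DeferredException``) until its tenant has an
    id and that tenant can actually be loaded. A certificate is only built
    when no issued ``.crt`` for the client name exists yet.

    Args:
        record: the client-privilege object being synced; must expose
            ``tenant.id`` and ``save()``.

    Raises:
        DeferredException: the tenant id is unset or the tenant does not
            exist (yet), so the sync should be retried later.
    """
    if not record.tenant.id:
        raise DeferredException("Privilege waiting on VPN Tenant ID")
    certificate = self.get_certificate_name(record)
    # ``filter(...)[0]`` raises IndexError on an empty result, so the
    # "waiting on VPN Tenant" branch below used to be unreachable; catch it
    # so a missing tenant defers the record instead of crashing the sync.
    try:
        tenant = OpenVPNTenant.get_tenant_objects().filter(
            pk=record.tenant.id)[0]
    except IndexError:
        tenant = None
    if not tenant:
        raise DeferredException("Privilege waiting on VPN Tenant")
    pki_dir = OpenVPNService.get_pki_dir(tenant)
    issued_crt = pki_dir + "/issued/" + certificate + ".crt"
    # NOTE(review): ``certificate`` is used both as a path component and
    # inside the easyrsa command string. Elsewhere on this page the client
    # name is built from the user's email address; if get_certificate_name()
    # does the same, the name must be validated against a strict allow-list
    # of characters before it reaches this point.
    # Only add a certificate if one does not yet exist.
    if not os.path.isfile(issued_crt):
        OpenVPNService.execute_easyrsa_command(
            pki_dir, "build-client-full " + certificate + " nopass")
        # Saving the tenant presumably triggers a tenant resync (the tenant
        # sync step on this page regenerates the CRL) — confirm.
        tenant.save()
    record.save()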
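 def sync_record(self, record):
     """Issue a client certificate for ``record`` and persist the record.

     The record is deferred (``DeferredException``) until its tenant has an
     id and that tenant can actually be loaded. A certificate is only built
     when no issued ``.crt`` for the client name exists yet.

     Args:
         record: the client-privilege object being synced; must expose
             ``tenant.id`` and ``save()``.

     Raises:
         DeferredException: the tenant id is unset or the tenant does not
             exist (yet), so the sync should be retried later.
     """
     if not record.tenant.id:
         raise DeferredException("Privilege waiting on VPN Tenant ID")
     certificate = self.get_certificate_name(record)
     # ``filter(...)[0]`` raises IndexError on an empty result, so the
     # "waiting on VPN Tenant" branch below used to be unreachable; catch it
     # so a missing tenant defers the record instead of crashing the sync.
     try:
         tenant = OpenVPNTenant.get_tenant_objects().filter(
             pk=record.tenant.id)[0]
     except IndexError:
         tenant = None
     if not tenant:
         raise DeferredException("Privilege waiting on VPN Tenant")
     pki_dir = OpenVPNService.get_pki_dir(tenant)
     issued_crt = pki_dir + "/issued/" + certificate + ".crt"
     # NOTE(review): ``certificate`` is used both as a path component and
     # inside the easyrsa command string. Elsewhere on this page the client
     # name is built from the user's email address; if get_certificate_name()
     # does the same, the name must be validated against a strict allow-list
     # of characters before it reaches this point.
     # Only add a certificate if one does not yet exist.
     if not os.path.isfile(issued_crt):
         OpenVPNService.execute_easyrsa_command(
             pki_dir, "build-client-full " + certificate + " nopass")
         # Saving the tenant presumably triggers a tenant resync (the tenant
         # sync step on this page regenerates the CRL) — confirm.
         tenant.save()
     record.save()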
    def get_script_text(self, obj):
        """Render the OpenVPN client script for the requesting user.

        Parameters:
            obj (services.openvpn.models.OpenVPNTenant): The OpenVPNTenant to connect to.

        Returns:
            str: The rendered ``connect.vpn.j2`` template, which embeds the
            CA certificate and the user's client certificate and key.
        """
        template_dir = "/opt/xos/services/openvpn/templates"
        template = jinja2.Environment(
            loader=jinja2.FileSystemLoader(template_dir)
        ).get_template("connect.vpn.j2")

        # The client name doubles as the certificate/key file name under
        # pki_dir (see get_client_cert/get_client_key below), so it has to
        # be the same value that was used when the certificate was issued.
        # NOTE(review): it is derived from the user's email address and ends
        # up as a path component — presumably the email was validated on the
        # way in; confirm, or restrict the characters here.
        requesting_user = self.context['request'].user
        client_name = requesting_user.email + "-" + str(obj.id)

        # The tenant itself first, then its failover servers.
        # NOTE(review): ``pk__in`` does not preserve this order; if the
        # template relies on the primary being listed first, an explicit
        # ordering is needed — confirm against connect.vpn.j2.
        remote_ids = [obj.id] + list(obj.failover_server_ids)
        remotes = OpenVPNTenant.get_tenant_objects().filter(pk__in=remote_ids)

        pki_dir = OpenVPNService.get_pki_dir(obj)
        context = dict(
            client_name=client_name,
            remotes=remotes,
            is_persistent=obj.is_persistent,
            ca_crt=obj.get_ca_crt(pki_dir),
            client_crt=obj.get_client_cert(client_name, pki_dir),
            client_key=obj.get_client_key(client_name, pki_dir),
        )
        return template.render(context)
    def get_script_text(self, obj):
        """Render the OpenVPN client script for the requesting user.

        Parameters:
            obj (services.openvpn.models.OpenVPNTenant): The OpenVPNTenant to connect to.

        Returns:
            str: The rendered ``connect.vpn.j2`` template, which embeds the
            CA certificate and the user's client certificate and key.
        """
        template_dir = "/opt/xos/services/openvpn/templates"
        template = jinja2.Environment(
            loader=jinja2.FileSystemLoader(template_dir)
        ).get_template("connect.vpn.j2")

        # The client name doubles as the certificate/key file name under
        # pki_dir (see get_client_cert/get_client_key below), so it has to
        # be the same value that was used when the certificate was issued.
        # NOTE(review): it is derived from the user's email address and ends
        # up as a path component — presumably the email was validated on the
        # way in; confirm, or restrict the characters here.
        requesting_user = self.context['request'].user
        client_name = requesting_user.email + "-" + str(obj.id)

        # The tenant itself first, then its failover servers.
        # NOTE(review): ``pk__in`` does not preserve this order; if the
        # template relies on the primary being listed first, an explicit
        # ordering is needed — confirm against connect.vpn.j2.
        remote_ids = [obj.id] + list(obj.failover_server_ids)
        remotes = OpenVPNTenant.get_tenant_objects().filter(pk__in=remote_ids)

        pki_dir = OpenVPNService.get_pki_dir(obj)
        context = dict(
            client_name=client_name,
            remotes=remotes,
            is_persistent=obj.is_persistent,
            ca_crt=obj.get_ca_crt(pki_dir),
            client_crt=obj.get_client_cert(client_name, pki_dir),
            client_key=obj.get_client_key(client_name, pki_dir),
        )
        return template.render(context)
 def get_extra_attributes(self, tenant):
     """Collect the per-tenant values that the sync step passes on.

     ``pki_dir`` is computed from the tenant rather than stored on it, which
     is why this is not a plain attribute dump. Presumably these become the
     variables handed to the tenant playbook — confirm against the base
     sync step.
     """
     attribute_names = (
         "is_persistent",
         "vpn_subnet",
         "server_network",
         "clients_can_see_each_other",
         "port_number",
         "protocol",
     )
     attributes = dict(
         (name, getattr(tenant, name)) for name in attribute_names)
     attributes["pki_dir"] = OpenVPNService.get_pki_dir(tenant)
     return attributes
 def get_extra_attributes(self, tenant):
     """Collect the per-tenant values that the sync step passes on.

     ``pki_dir`` is computed from the tenant rather than stored on it, which
     is why this is not a plain attribute dump. Presumably these become the
     variables handed to the tenant playbook — confirm against the base
     sync step.
     """
     attribute_names = (
         "is_persistent",
         "vpn_subnet",
         "server_network",
         "clients_can_see_each_other",
         "port_number",
         "protocol",
     )
     attributes = dict(
         (name, getattr(tenant, name)) for name in attribute_names)
     attributes["pki_dir"] = OpenVPNService.get_pki_dir(tenant)
     return attributes
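    def __init__(self, *args, **kwargs):
        """Build the admin form for an OpenVPNTenant.

        Wires up widgets and querysets, then seeds the form's initial values:
        from the bound instance when editing, or with defaults for a new
        tenant. Both branches run for an unsaved instance, so the defaults
        deliberately win over the blank instance's values.
        """
        super(OpenVPNTenantForm, self).__init__(*args, **kwargs)
        fields = self.fields
        inst = self.instance
        tenants = OpenVPNTenant.get_tenant_objects
        services = OpenVPNService.get_service_objects

        # NOTE(review): ``readonly`` is only a widget attribute; a posted
        # ``kind`` value is still accepted by the form, so if the kind must
        # not change it has to be enforced in clean()/save() as well.
        fields['kind'].widget.attrs['readonly'] = True
        fields['failover_servers'].widget.attrs['rows'] = 300
        fields['provider_service'].queryset = services().all()
        fields['kind'].initial = OPENVPN_KIND

        if inst:
            fields['creator'].initial = inst.creator
            fields['vpn_subnet'].initial = inst.vpn_subnet
            fields['server_network'].initial = inst.server_network
            fields['clients_can_see_each_other'].initial = (
                inst.clients_can_see_each_other)
            fields['is_persistent'].initial = inst.is_persistent
            self.initial['protocol'] = inst.protocol
            # A tenant may neither fail over to nor borrow the CA of itself.
            fields['failover_servers'].queryset = tenants().exclude(
                pk=inst.pk)
            self.initial['failover_servers'] = tenants().filter(
                pk__in=inst.failover_server_ids)
            fields['use_ca_from'].queryset = tenants().exclude(pk=inst.pk)
            if inst.use_ca_from_id:
                # A dangling use_ca_from_id used to raise IndexError here and
                # made the form unrenderable; leave the initial unset instead.
                try:
                    self.initial['use_ca_from'] = tenants().filter(
                        pk=inst.use_ca_from_id)[0]
                except IndexError:
                    pass

        if (not inst) or (not inst.pk):
            fields['creator'].initial = get_request().user
            fields['vpn_subnet'].initial = "255.255.255.0"
            fields['server_network'].initial = "10.66.77.0"
            fields['clients_can_see_each_other'].initial = True
            fields['is_persistent'].initial = True
            fields['failover_servers'].queryset = tenants()
            if services().exists():
                fields["provider_service"].initial = services().all()[0]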
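    def __init__(self, *args, **kwargs):
        """Build the admin form for an OpenVPNTenant.

        Wires up widgets and querysets, then seeds the form's initial values:
        from the bound instance when editing, or with defaults for a new
        tenant. Both branches run for an unsaved instance, so the defaults
        deliberately win over the blank instance's values.
        """
        super(OpenVPNTenantForm, self).__init__(*args, **kwargs)
        fields = self.fields
        inst = self.instance
        tenants = OpenVPNTenant.get_tenant_objects
        services = OpenVPNService.get_service_objects

        # NOTE(review): ``readonly`` is only a widget attribute; a posted
        # ``kind`` value is still accepted by the form, so if the kind must
        # not change it has to be enforced in clean()/save() as well.
        fields['kind'].widget.attrs['readonly'] = True
        fields['failover_servers'].widget.attrs['rows'] = 300
        fields['provider_service'].queryset = services().all()
        fields['kind'].initial = OPENVPN_KIND

        if inst:
            fields['creator'].initial = inst.creator
            fields['vpn_subnet'].initial = inst.vpn_subnet
            fields['server_network'].initial = inst.server_network
            fields['clients_can_see_each_other'].initial = (
                inst.clients_can_see_each_other)
            fields['is_persistent'].initial = inst.is_persistent
            self.initial['protocol'] = inst.protocol
            # A tenant may neither fail over to nor borrow the CA of itself.
            fields['failover_servers'].queryset = tenants().exclude(
                pk=inst.pk)
            self.initial['failover_servers'] = tenants().filter(
                pk__in=inst.failover_server_ids)
            fields['use_ca_from'].queryset = tenants().exclude(pk=inst.pk)
            if inst.use_ca_from_id:
                # A dangling use_ca_from_id used to raise IndexError here and
                # made the form unrenderable; leave the initial unset instead.
                try:
                    self.initial['use_ca_from'] = tenants().filter(
                        pk=inst.use_ca_from_id)[0]
                except IndexError:
                    pass

        if (not inst) or (not inst.pk):
            fields['creator'].initial = get_request().user
            fields['vpn_subnet'].initial = "255.255.255.0"
            fields['server_network'].initial = "10.66.77.0"
            fields['clients_can_see_each_other'].initial = True
            fields['is_persistent'].initial = True
            fields['failover_servers'].queryset = tenants()
            if services().exists():
                fields["provider_service"].initial = services().all()[0]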
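    def delete_record(self, record):
        """Revoke the client certificate for ``record`` and delete the record.

        Nothing happens when the record has no tenant id or the tenant cannot
        be loaded (the record is left in place, as the early returns intend).
        Revocation is skipped when no issued ``.crt`` exists, which makes a
        repeated delete idempotent.

        Args:
            record: the client-privilege object being removed; must expose
                ``tenant.id`` and ``delete()``.
        """
        if not record.tenant.id:
            return
        certificate = self.get_certificate_name(record)
        # ``filter(...)[0]`` raises IndexError on an empty result, so the
        # "no tenant" early return below used to be unreachable; catch it so
        # a missing tenant follows the intended path.
        try:
            tenant = OpenVPNTenant.get_tenant_objects().filter(
                pk=record.tenant.id)[0]
        except IndexError:
            tenant = None
        if not tenant:
            return
        pki_dir = OpenVPNService.get_pki_dir(tenant)
        issued_crt = pki_dir + "/issued/" + certificate + ".crt"
        # NOTE(review): ``certificate`` is used as a path component and
        # inside the easyrsa command string; where it is derived from user
        # data (elsewhere on this page the client name is built from the
        # user's email) it must be validated against a strict allow-list.
        # If the client has already been revoked don't do it again — the
        # issued .crt is removed below, so its absence marks a revoked client.
        if os.path.isfile(issued_crt):
            OpenVPNService.execute_easyrsa_command(
                pki_dir, "revoke " + certificate)
            # Revoking a client cert does not delete any of the files; to
            # make sure this user can be added again, remove everything
            # easyrsa created for the name.
            for leftover in (
                    issued_crt,
                    pki_dir + "/private/" + certificate + ".key",
                    pki_dir + "/reqs/" + certificate + ".req"):
                os.remove(leftover)
            # Saving the tenant presumably triggers a tenant resync (the
            # tenant sync step on this page regenerates the CRL) — confirm.
            tenant.save()

        record.delete()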
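    def delete_record(self, record):
        """Revoke the client certificate for ``record`` and delete the record.

        Nothing happens when the record has no tenant id or the tenant cannot
        be loaded (the record is left in place, as the early returns intend).
        Revocation is skipped when no issued ``.crt`` exists, which makes a
        repeated delete idempotent.

        Args:
            record: the client-privilege object being removed; must expose
                ``tenant.id`` and ``delete()``.
        """
        if not record.tenant.id:
            return
        certificate = self.get_certificate_name(record)
        # ``filter(...)[0]`` raises IndexError on an empty result, so the
        # "no tenant" early return below used to be unreachable; catch it so
        # a missing tenant follows the intended path.
        try:
            tenant = OpenVPNTenant.get_tenant_objects().filter(
                pk=record.tenant.id)[0]
        except IndexError:
            tenant = None
        if not tenant:
            return
        pki_dir = OpenVPNService.get_pki_dir(tenant)
        issued_crt = pki_dir + "/issued/" + certificate + ".crt"
        # NOTE(review): ``certificate`` is used as a path component and
        # inside the easyrsa command string; where it is derived from user
        # data (elsewhere on this page the client name is built from the
        # user's email) it must be validated against a strict allow-list.
        # If the client has already been revoked don't do it again — the
        # issued .crt is removed below, so its absence marks a revoked client.
        if os.path.isfile(issued_crt):
            OpenVPNService.execute_easyrsa_command(
                pki_dir, "revoke " + certificate)
            # Revoking a client cert does not delete any of the files; to
            # make sure this user can be added again, remove everything
            # easyrsa created for the name.
            for leftover in (
                    issued_crt,
                    pki_dir + "/private/" + certificate + ".key",
                    pki_dir + "/reqs/" + certificate + ".req"):
                os.remove(leftover)
            # Saving the tenant presumably triggers a tenant resync (the
            # tenant sync step on this page regenerates the CRL) — confirm.
            tenant.save()

        record.delete()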
def get_default_openvpn_service():
    """Return the id of the first OpenVPNService, or None when none exists.

    Iterating the queryset evaluates it in full just to take the first row,
    exactly as the truthiness check it replaces did; acceptable for the
    handful of services expected here.
    """
    for service in OpenVPNService.get_service_objects().all():
        return service.id
    return None
    def sync_fields(self, o, fields):
        """Make sure the tenant's PKI is ready, then hand off to the playbook.

        In order: create the PKI and a CA when the directory is missing;
        overwrite that CA with the one from ``use_ca_from`` when set; build
        the server certificate and DH parameters when no server cert exists;
        refresh the CRL; finally run the base class, which runs the playbook.
        """
        pki_dir = OpenVPNService.get_pki_dir(o)
        easyrsa = OpenVPNService.execute_easyrsa_command

        if not os.path.isdir(pki_dir):
            easyrsa(pki_dir, "init-pki")
            easyrsa(pki_dir, "--req-cn=XOS build-ca nopass")

        # Very hacky way to handle VPNs that need to share CAs: copy the
        # other tenant's CA certificate *and private key* over ours.
        # NOTE(review): this leaves a second copy of another tenant's CA
        # private key on disk under this tenant's pki_dir, and a server
        # certificate built before use_ca_from was set presumably no longer
        # chains to the copied CA — confirm how that case is handled.
        if o.use_ca_from_id:
            ca_owner = OpenVPNTenant.get_tenant_objects().filter(
                pk=o.use_ca_from_id)[0]
            source_pki = OpenVPNService.get_pki_dir(ca_owner)
            shutil.copy2(source_pki + "/ca.crt", pki_dir)
            shutil.copy2(source_pki + "/private/ca.key",
                         pki_dir + "/private")

        # If the server has to be built then we need to build it
        if not os.path.isfile(pki_dir + "/issued/server.crt"):
            easyrsa(pki_dir, "build-server-full server nopass")
            easyrsa(pki_dir, "gen-dh")

        # Get the most recent list of revoked clients
        easyrsa(pki_dir, "gen-crl")

        # Super runs the playbook
        super(SyncOpenVPNTenant, self).sync_fields(o, fields)
def get_default_openvpn_service():
    """Return the id of the first OpenVPNService, or None when none exists.

    Iterating the queryset evaluates it in full just to take the first row,
    exactly as the truthiness check it replaces did; acceptable for the
    handful of services expected here.
    """
    for service in OpenVPNService.get_service_objects().all():
        return service.id
    return None
    def sync_fields(self, o, fields):
        """Make sure the tenant's PKI is ready, then hand off to the playbook.

        In order: create the PKI and a CA when the directory is missing;
        overwrite that CA with the one from ``use_ca_from`` when set; build
        the server certificate and DH parameters when no server cert exists;
        refresh the CRL; finally run the base class, which runs the playbook.
        """
        pki_dir = OpenVPNService.get_pki_dir(o)
        easyrsa = OpenVPNService.execute_easyrsa_command

        if not os.path.isdir(pki_dir):
            easyrsa(pki_dir, "init-pki")
            easyrsa(pki_dir, "--req-cn=XOS build-ca nopass")

        # Very hacky way to handle VPNs that need to share CAs: copy the
        # other tenant's CA certificate *and private key* over ours.
        # NOTE(review): this leaves a second copy of another tenant's CA
        # private key on disk under this tenant's pki_dir, and a server
        # certificate built before use_ca_from was set presumably no longer
        # chains to the copied CA — confirm how that case is handled.
        if o.use_ca_from_id:
            ca_owner = OpenVPNTenant.get_tenant_objects().filter(
                pk=o.use_ca_from_id)[0]
            source_pki = OpenVPNService.get_pki_dir(ca_owner)
            shutil.copy2(source_pki + "/ca.crt", pki_dir)
            shutil.copy2(source_pki + "/private/ca.key",
                         pki_dir + "/private")

        # If the server has to be built then we need to build it
        if not os.path.isfile(pki_dir + "/issued/server.crt"):
            easyrsa(pki_dir, "build-server-full server nopass")
            easyrsa(pki_dir, "gen-dh")

        # Get the most recent list of revoked clients
        easyrsa(pki_dir, "gen-crl")

        # Super runs the playbook
        super(SyncOpenVPNTenant, self).sync_fields(o, fields)
 def queryset(self, request):
     """Return the OpenVPNService objects ``request.user`` is allowed to see.

     Visibility is decided entirely by get_service_objects_by_user.
     """
     requesting_user = request.user
     return OpenVPNService.get_service_objects_by_user(requesting_user)
 def queryset(self, request):
     """Return the OpenVPNService objects ``request.user`` is allowed to see.

     Visibility is decided entirely by get_service_objects_by_user.
     """
     requesting_user = request.user
     return OpenVPNService.get_service_objects_by_user(requesting_user)