コード例 #1
ファイル: server.py プロジェクト: monsterChen/pritunl
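 def get_org(self, org_id):
     """Return the organization ``org_id`` if it is attached to this server.

     Returns ``None`` when the id is not listed in ``self.organizations``,
     when the organization no longer exists, or when its configuration
     fails to load (the ``IOError`` is logged, not propagated).
     """
     if org_id not in self.organizations:
         return None

     org = Organization.get_org(id=org_id)
     if not org:
         # Organization.get_org can come back empty for a removed org
         # (iter_orgs guards the same call); treat it like an unknown id
         # instead of failing on org.load().
         return None

     try:
         org.load()
     except IOError:
         logger.exception('Failed to load org conf. %r' % {
                 'org_id': org_id,
             })
         return None
     return org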
コード例 #2
ファイル: server.py プロジェクト: monsterChen/pritunl
    def iter_orgs(self):
        """Yield the server's organizations ordered by ``"<name>_<id>"``.

        Ids in ``self.organizations`` that no longer resolve to an
        organization are skipped.
        """
        sort_keys = []
        orgs_by_key = {}

        for org_id in self.organizations:
            org = Organization.get_org(id=org_id)
            if not org:
                continue
            sort_key = '%s_%s' % (org.name, org.id)
            sort_keys.append(sort_key)
            orgs_by_key[sort_key] = org

        sort_keys.sort()
        for sort_key in sort_keys:
            yield orgs_by_key[sort_key]
コード例 #3
ファイル: server.py プロジェクト: bitland/pritunl
    def _remove_primary_user(self):
        """Remove this server's primary user and forget its ids.

        Does nothing when either ``primary_organization`` or
        ``primary_user`` is unset. A missing organization or user is
        skipped silently, but the ids are still cleared afterwards.
        """
        logger.debug('Removing primary user. %r' % {
            'server_id': self.id,
        })

        org_id = self.primary_organization
        user_id = self.primary_user
        if not (org_id and user_id):
            return

        org = Organization.get_org(id=org_id)
        user = org.get_user(id=user_id) if org else None
        if user:
            user.remove()

        self.primary_organization = None
        self.primary_user = None
コード例 #4
ファイル: server.py プロジェクト: ogrishman/pritunl
 def add_org(self, org_id):
     """Attach organization ``org_id`` to this server and return it.

     Attaching an organization that is already listed is a no-op (logged
     at debug level). Otherwise the id is appended, the server is
     committed and SERVERS_UPDATED, SERVER_ORGS_UPDATED and USERS_UPDATED
     events are raised, in that order.
     """
     logger.debug('Adding organization to server. %r' % {
         'server_id': self.id,
         'org_id': org_id,
     })
     # NOTE(review): Organization.get_org is used unchecked here; confirm
     # it cannot return None for an unknown id, otherwise org.id raises.
     org = Organization.get_org(id=org_id)

     if org.id not in self.organizations:
         self.organizations.append(org.id)
         self.commit()
         Event(type=SERVERS_UPDATED)
         Event(type=SERVER_ORGS_UPDATED, resource_id=self.id)
         Event(type=USERS_UPDATED, resource_id=org_id)
     else:
         logger.debug('Organization already on server, skipping. %r' % {
             'server_id': self.id,
             'org_id': org.id,
         })
     return org
コード例 #5
ファイル: server.py プロジェクト: monsterChen/pritunl
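    def _remove_primary_user(self):
        """Remove this server's primary user and forget its ids.

        The ids are cleared before the lookup, so the server stops
        referencing the user even if the removal itself fails. Nothing is
        removed when either id is unset, when the organization no longer
        exists, or when the user cannot be found; the latter two cases are
        logged at debug level.
        """
        logger.debug('Removing primary user. %r' % {
            'server_id': self.id,
        })
        primary_organization = self.primary_organization
        primary_user = self.primary_user
        self.primary_organization = None
        self.primary_user = None

        if not primary_organization or not primary_user:
            return

        # Organization.get_org returns a falsy value for a removed org
        # (iter_orgs guards the same call); don't dereference it blindly.
        org = Organization.get_org(id=primary_organization)
        if not org:
            logger.debug('Primary organization not found, skipping remove. %r' % {
                'server_id': self.id,
                'org_id': primary_organization,
            })
            return

        user = org.get_user(primary_user)
        if not user:
            logger.debug('Primary user not found, skipping remove. %r' % {
                'server_id': self.id,
                'org_id': org.id,
            })
            return

        user.remove()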
コード例 #6
ファイル: node_server.py プロジェクト: ogrishman/pritunl
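    def _generate_ovpn_conf(self):
        """Build and return the inline OpenVPN server config for this node.

        The CA cert, the primary user's cert and private key and the DH
        params are embedded in the returned text. Several path fields are
        left as literal ``'%s'`` (and the user-pass-verify path as
        ``<%= user_pass_verify_path %>``), presumably for the receiving
        node to fill in -- confirm with the caller before changing them.

        Raises:
            ServerMissingOrg: if no organization is attached to the server.
        """
        if not self.org_count:
            raise ServerMissingOrg('Ovpn conf cannot be generated without ' + \
                'any organizations', {
                    'server_id': self.id,
                })

        logger.debug('Generating node server ovpn conf. %r' % {
            'server_id': self.id,
        })

        if not self.primary_organization or not self.primary_user:
            self._create_primary_user()

        if not os.path.isfile(self.dh_param_path):
            self._generate_dh_param()

        primary_org = Organization.get_org(id=self.primary_organization)
        primary_user = primary_org.get_user(self.primary_user)

        self.generate_ca_cert()

        # Client push directives: explicit routes for each local network,
        # otherwise redirect all client traffic; then the DNS servers.
        push_lines = []
        if self.local_networks:
            for network in self.local_networks:
                push_lines.append(
                    'push "route %s %s"' % self._parse_network(network))
        else:
            push_lines.append('push "redirect-gateway"')
        for dns_server in self.dns_servers:
            push_lines.append('push "dhcp-option DNS %s"' % dns_server)
        push = '\n'.join(push_lines).rstrip()

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.port,
            self.protocol,
            self.interface,
            '%s',
            '%s',
            '%s',
            '%s %s' % self._parse_network(self.network),
            '%s',
            push,
            '%s',
            4 if self.debug else 1,
            8 if self.debug else 3,
        )

        if self.otp_auth:
            server_conf += 'auth-user-pass-verify ' + \
                '<%= user_pass_verify_path %> via-file\n'

        if self.lzo_compression:
            server_conf += 'comp-lzo\npush "comp-lzo"\n'

        if self.local_networks:
            server_conf += 'client-to-client\n'

        # Read the key material through context managers so the handles
        # are closed deterministically instead of being left to the GC.
        with open(primary_user.key_path) as key_file:
            private_key = key_file.read().strip()
        with open(self.dh_param_path) as dh_file:
            dh_params = dh_file.read().strip()

        server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.ca_cert_path)
        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            primary_user.cert_path)
        server_conf += '<key>\n%s\n</key>\n' % private_key
        server_conf += '<dh>\n%s\n</dh>\n' % dh_params

        return server_conf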
コード例 #7
ファイル: server.py プロジェクト: bitland/pritunl
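    def _generate_ovpn_conf(self, temp_path):
        """Write the OpenVPN server config and hook scripts into ``temp_path``.

        Args:
            temp_path: directory that receives the tls-verify,
                user-pass-verify, client-connect and client-disconnect
                scripts, the status file path and the ovpn conf itself.

        The conf embeds the CA cert, the primary user's cert and private
        key and the DH params, so it is created with mode 0600. Missing or
        stale primary organization/user ids are repaired through
        ``_create_primary_user``. Returns nothing.
        """
        logger.debug('Generating server ovpn conf. %r' % {
            'server_id': self.id,
        })

        if not self.primary_organization or not self.primary_user:
            self._create_primary_user()

        # The stored ids may refer to an organization or user that has
        # since been removed; recreate the primary user and look both up
        # again.
        primary_org = Organization.get_org(id=self.primary_organization)
        if not primary_org:
            self._create_primary_user()
            primary_org = Organization.get_org(id=self.primary_organization)

        primary_user = primary_org.get_user(self.primary_user)
        if not primary_user:
            self._create_primary_user()
            primary_org = Organization.get_org(id=self.primary_organization)
            primary_user = primary_org.get_user(self.primary_user)

        def temp_file(name):
            return os.path.join(temp_path, name)

        def open_with_mode(path, mode):
            # Create the file with its final permission bits instead of
            # opening it with the umask default and chmod-ing afterwards,
            # which left a window where the contents were more readable
            # than intended. The chmod keeps the exact bits when the file
            # already existed or the umask masked some of them.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            try:
                os.chmod(path, mode)
                return os.fdopen(fd, 'w')
            except Exception:
                os.close(fd)
                raise

        tls_verify_path = temp_file(TLS_VERIFY_NAME)
        user_pass_verify_path = temp_file(USER_PASS_VERIFY_NAME)
        client_connect_path = temp_file(CLIENT_CONNECT_NAME)
        client_disconnect_path = temp_file(CLIENT_DISCONNECT_NAME)
        ovpn_status_path = temp_file(OVPN_STATUS_NAME)
        ovpn_conf_path = temp_file(OVPN_CONF_NAME)

        # The hook scripts call back into the local API; a wildcard bind
        # address is not a usable destination, so target localhost.
        auth_host = app_server.bind_addr
        if auth_host == '0.0.0.0':
            auth_host = 'localhost'

        # NOTE(review): each rendered script embeds app_server.local_api_key
        # and is created world-readable (0o755, kept from the original).
        # Unless the OpenVPN process runs as a different user that must
        # read them, 0o700 would be the tighter choice -- confirm the
        # deployment before changing it.
        scripts = (
            (TLS_VERIFY_SCRIPT, tls_verify_path),
            (USER_PASS_VERIFY_SCRIPT, user_pass_verify_path),
            (CLIENT_CONNECT_SCRIPT, client_connect_path),
            (CLIENT_DISCONNECT_SCRIPT, client_disconnect_path),
        )
        for script, script_path in scripts:
            with open_with_mode(script_path, 0o755) as script_file:
                script_file.write(script % (
                    app_server.local_api_key,
                    '/dev/null', # TODO
                    app_server.web_protocol,
                    auth_host,
                    app_server.port,
                    self.id,
                ))

        # Client push directives by traffic mode: routes to the local
        # networks, nothing extra for VPN-only traffic, or a full
        # redirect-gateway; then the DNS server / search domain options.
        push_lines = []
        if self.mode == LOCAL_TRAFFIC:
            for network in self.local_networks:
                push_lines.append(
                    'push "route %s %s"\n' % self._parse_network(network))
        elif self.mode != VPN_TRAFFIC:
            push_lines.append('push "redirect-gateway"\n')
        for dns_server in self.dns_servers:
            push_lines.append('push "dhcp-option DNS %s"\n' % dns_server)
        if self.search_domain:
            push_lines.append(
                'push "dhcp-option DOMAIN %s"\n' % self.search_domain)
        push = ''.join(push_lines)

        server_conf = OVPN_INLINE_SERVER_CONF % (
            self.port,
            self.protocol,
            self.interface,
            tls_verify_path,
            client_connect_path,
            client_disconnect_path,
            '%s %s' % self._parse_network(self.network),
            ovpn_status_path,
            4 if self.debug else 1,
            8 if self.debug else 3,
        )

        if self.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                user_pass_verify_path)

        if self.lzo_compression:
            server_conf += 'comp-lzo\npush "comp-lzo"\n'

        if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
            server_conf += 'client-to-client\n'

        server_conf += push

        server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
            self.ca_certificate)
        server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
            primary_user.certificate)
        server_conf += '<key>\n%s\n</key>\n' % primary_user.private_key
        server_conf += '<dh>\n%s\n</dh>\n' % self.dh_params

        # The conf carries the private key: owner-only from creation.
        with open_with_mode(ovpn_conf_path, 0o600) as ovpn_conf:
            ovpn_conf.write(server_conf)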
コード例 #8
ファイル: server.py プロジェクト: bitland/pritunl
 def get_org(self, org_id):
     """Return the organization ``org_id`` if it is attached to this server.

     Returns ``None`` for ids not listed in ``self.organizations``;
     otherwise whatever ``Organization.get_org`` yields for the id.
     """
     if org_id not in self.organizations:
         return None
     return Organization.get_org(id=org_id)
コード例 #9
ファイル: server.py プロジェクト: bitland/pritunl
 def iter_orgs(self):
     """Yield the attached organizations in ``self.organizations`` order.

     Ids that no longer resolve to an organization are skipped.
     """
     lookups = (Organization.get_org(id=org_id)
         for org_id in self.organizations)
     for org in lookups:
         if not org:
             continue
         yield org
コード例 #10
ファイル: server.py プロジェクト: monsterChen/pritunl
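    def _generate_ovpn_conf(self, inline=False):
        """Write the OpenVPN server config to ``self.ovpn_conf_path``.

        Args:
            inline: embed the CA cert, server cert, private key and DH
                params in the conf (OVPN_INLINE_SERVER_CONF) instead of
                referencing them by path (OVPN_SERVER_CONF). The inline
                conf carries the private key and is written mode 0600.

        Also regenerates the DH params when their file is missing, the CA
        cert, and the hook scripts. Missing or stale primary
        organization/user ids are repaired via ``_create_primary_user``.

        Raises:
            ServerMissingOrg: if no organization is attached to the server.
        """
        if not self.org_count:
            raise ServerMissingOrg('Ovpn conf cannot be generated without ' + \
                'any organizations', {
                    'server_id': self.id,
                })

        logger.debug('Generating server ovpn conf. %r' % {
            'server_id': self.id,
        })

        if not self.primary_organization or not self.primary_user:
            self._create_primary_user()

        if not os.path.isfile(self.dh_param_path):
            self._generate_dh_param()

        # The stored ids may refer to an organization or user that has
        # since been removed; recreate the primary user and look both up
        # again. The org is re-fetched after the user retry too, in case
        # _create_primary_user picked a different organization.
        primary_org = Organization.get_org(id=self.primary_organization)
        if not primary_org:
            self._create_primary_user()
            primary_org = Organization.get_org(id=self.primary_organization)

        primary_user = primary_org.get_user(self.primary_user)
        if not primary_user:
            self._create_primary_user()
            primary_org = Organization.get_org(id=self.primary_organization)
            primary_user = primary_org.get_user(self.primary_user)

        self.generate_ca_cert()
        self._generate_scripts()

        # Client push directives by traffic mode: routes to the local
        # networks, nothing extra for VPN-only traffic, or a full
        # redirect-gateway; then the DNS server / search domain options.
        push_lines = []
        if self.mode == LOCAL_TRAFFIC:
            for network in self.local_networks:
                push_lines.append(
                    'push "route %s %s"\n' % self._parse_network(network))
        elif self.mode != VPN_TRAFFIC:
            push_lines.append('push "redirect-gateway"\n')
        for dns_server in self.dns_servers:
            push_lines.append('push "dhcp-option DNS %s"\n' % dns_server)
        if self.search_domain:
            push_lines.append(
                'push "dhcp-option DOMAIN %s"\n' % self.search_domain)
        push = ''.join(push_lines)

        if inline:
            server_conf = OVPN_INLINE_SERVER_CONF % (
                self.port,
                self.protocol,
                self.interface,
                self.tls_verify_path,
                self.client_connect_path,
                self.client_disconnect_path,
                '%s %s' % self._parse_network(self.network),
                self.ovpn_status_path,
                4 if self.debug else 1,
                8 if self.debug else 3,
            )
        else:
            server_conf = OVPN_SERVER_CONF % (
                self.port,
                self.protocol,
                self.interface,
                self.ca_cert_path,
                primary_user.cert_path,
                primary_user.key_path,
                self.tls_verify_path,
                self.client_connect_path,
                self.client_disconnect_path,
                self.dh_param_path,
                '%s %s' % self._parse_network(self.network),
                self.ovpn_status_path,
                4 if self.debug else 1,
                8 if self.debug else 3,
            )

        if self.otp_auth:
            server_conf += 'auth-user-pass-verify %s via-file\n' % (
                self.user_pass_verify_path)

        if self.lzo_compression:
            server_conf += 'comp-lzo\npush "comp-lzo"\n'

        if self.mode in (LOCAL_TRAFFIC, VPN_TRAFFIC):
            server_conf += 'client-to-client\n'

        server_conf += push

        if inline:
            # Context managers close the key/DH handles deterministically
            # instead of leaving them to the GC.
            with open(primary_user.key_path) as key_file:
                private_key = key_file.read().strip()
            with open(self.dh_param_path) as dh_file:
                dh_params = dh_file.read().strip()
            server_conf += '<ca>\n%s\n</ca>\n' % utils.get_cert_block(
                self.ca_cert_path)
            server_conf += '<cert>\n%s\n</cert>\n' % utils.get_cert_block(
                primary_user.cert_path)
            server_conf += '<key>\n%s\n</key>\n' % private_key
            server_conf += '<dh>\n%s\n</dh>\n' % dh_params

        if inline:
            # The inline conf carries the private key: create it 0600 from
            # the start rather than chmod-ing after an umask-default open,
            # which left a window where it was more readable than intended.
            # The chmod keeps the bits exact if the file already existed.
            fd = os.open(self.ovpn_conf_path,
                os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            try:
                os.chmod(self.ovpn_conf_path, 0o600)
                ovpn_conf = os.fdopen(fd, 'w')
            except Exception:
                os.close(fd)
                raise
        else:
            ovpn_conf = open(self.ovpn_conf_path, 'w')

        with ovpn_conf:
            ovpn_conf.write(server_conf)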