djsundog
/
wg-portal
mirror of https://github.com/DJSundog/wg-portal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

wip: create/update/...

This commit is contained in:
Christoph Haas 2020-11-09 11:06:02 +01:00
parent a617cb1059
commit 5a933f20c9
8 changed files with 391 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
assets/tpl/admin_create_clients.html
View File

@ -18,7 +18,7 @@
{{template "prt_nav.html" .}} {{template "prt_nav.html" .}}
<div class="container"> <div class="container">
<h1>Create new clients</h1> <h1>Create new clients</h1>
<h2>Enter valid LDAP user email addresses to quickly create new accounts.</h2>
{{if $.Alerts.HasAlert}} {{if $.Alerts.HasAlert}}
<div class="row"> <div class="row">
<div class="form-row"> <div class="form-row">
@ -35,13 +35,13 @@
<div class="form-row"> <div class="form-row">
<div class="form-group col-md-12"> <div class="form-group col-md-12">
<label for="inputEmail">Email Addresses</label> <label for="inputEmail">Email Addresses</label>
<input type="text" name="email" class="form-control" id="inputEmail"> <input type="text" name="email" class="form-control" id="inputEmail" value="{{.FormData.Emails}}">
</div> </div>
</div> </div>
<div class="form-row"> <div class="form-row">
<div class="form-group col-md-12"> <div class="form-group col-md-12">
<label for="inputIdentifier">Client Friendly Name (will be added as suffix to the name of the user)</label> <label for="inputIdentifier">Client Friendly Name (will be added as suffix to the name of the user)</label>
<input type="text" name="identifier" class="form-control" id="inputIdentifier" value="Default"> <input type="text" name="identifier" class="form-control" id="inputIdentifier" value="{{.FormData.Identifier}}">
</div> </div>
</div> </div>

2
assets/tpl/admin_edit_client.html
View File

@ -14,7 +14,7 @@
<body id="page-top"> <body id="page-top">
{{template "prt_nav.html" .}} {{template "prt_nav.html" .}}
<div class="container"> <div class="container">
{{if eq .Peer.UID ""}} {{if .Peer.IsNew}}
<h1>Create a new client</h1> <h1>Create a new client</h1>
{{else}} {{else}}
<h1>Edit client <strong>{{.Peer.Identifier}}</strong></h1> <h1>Edit client <strong>{{.Peer.Identifier}}</strong></h1>

6
assets/tpl/admin_index.html
View File

@ -137,7 +137,7 @@
<a class="nav-link" data-toggle="tab" href="#t2{{$p.UID}}">Configuration</a> <a class="nav-link" data-toggle="tab" href="#t2{{$p.UID}}">Configuration</a>
</li> </li>
<li class="nav-item"> <li class="nav-item">
<a class="nav-link" data-toggle="tab" href="#t3{{$p.UID}}">Other</a> <a class="nav-link" data-toggle="tab" href="#t3{{$p.UID}}">Danger Zone</a>
</li> </li>
</ul> </ul>
<div class="tab-content" id="tabContent{{$p.UID}}"> <div class="tab-content" id="tabContent{{$p.UID}}">
@ -158,9 +158,7 @@
<pre>{{$p.Config}}</pre> <pre>{{$p.Config}}</pre>
</div> </div>
<div id="t3{{$p.UID}}" class="tab-pane fade"> <div id="t3{{$p.UID}}" class="tab-pane fade">
<ul> <a href="/admin/peer/delete?pkey={{$p.PublicKey}}" class="btn btn-danger" title="Delete peer">Delete</a>
<li>2</li>
</ul>
</div> </div>
</div> </div>
</div> </div>

4
assets/tpl/index.html
View File

@ -5,8 +5,8 @@
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no"> <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
<title>{{ .static.WebsiteTitle }}</title> <title>{{ .Static.WebsiteTitle }}</title>
<meta name="description" content="{{ .static.WebsiteTitle }}"> <meta name="description" content="{{ .Static.WebsiteTitle }}">
<link rel="stylesheet" href="/css/bootstrap.min.css"> <link rel="stylesheet" href="/css/bootstrap.min.css">
<!--link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Nunito:200,200i,300,300i,400,400i,600,600i,700,700i,800,800i,900,900i"--> <!--link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Nunito:200,200i,300,300i,400,400i,600,600i,700,700i,800,800i,900,900i"-->
<link rel="stylesheet" href="/fonts/fontawesome-all.min.css"> <link rel="stylesheet" href="/fonts/fontawesome-all.min.css">

3
internal/server/core.go
View File

@ -24,6 +24,9 @@ const CacheRefreshDuration = 5 * time.Minute
func init() { func init() {
gob.Register(SessionData{}) gob.Register(SessionData{})
gob.Register(User{})
gob.Register(Device{})
gob.Register(LdapCreateForm{})
} }
type SessionData struct { type SessionData struct {

286
internal/server/handlers.go
View File

@ -1,8 +1,6 @@
package server package server
import ( import (
"crypto/md5"
"fmt"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@ -15,16 +13,27 @@ import (
"github.com/h44z/wg-portal/internal/common" "github.com/h44z/wg-portal/internal/common"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
) )
type LdapCreateForm struct {
Emails string `form:"email" binding:"required"`
Identifier string `form:"identifier" binding:"required,lte=20"`
}
func (s *Server) GetIndex(c *gin.Context) { func (s *Server) GetIndex(c *gin.Context) {
c.HTML(http.StatusOK, "index.html", gin.H{ c.HTML(http.StatusOK, "index.html", struct {
"route": c.Request.URL.Path, Route string
"session": s.getSessionData(c), Alerts AlertData
"static": s.getStaticData(), Session SessionData
Static StaticData
Device Device
}{
Route: c.Request.URL.Path,
Alerts: s.getAlertData(c),
Session: s.getSessionData(c),
Static: s.getStaticData(),
Device: s.users.GetDevice(),
}) })
} }
@ -67,6 +76,12 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
device := s.users.GetDevice() device := s.users.GetDevice()
users := s.users.GetAllUsers() users := s.users.GetAllUsers()
currentSession, err := s.setFormInSession(c, device)
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Session error", err.Error())
return
}
c.HTML(http.StatusOK, "admin_edit_interface.html", struct { c.HTML(http.StatusOK, "admin_edit_interface.html", struct {
Route string Route string
Alerts AlertData Alerts AlertData
@ -77,18 +92,23 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
}{ }{
Route: c.Request.URL.Path, Route: c.Request.URL.Path,
Alerts: s.getAlertData(c), Alerts: s.getAlertData(c),
Session: s.getSessionData(c), Session: currentSession,
Static: s.getStaticData(), Static: s.getStaticData(),
Peers: users, Peers: users,
Device: device, Device: currentSession.FormData.(Device),
}) })
} }
func (s *Server) PostAdminEditInterface(c *gin.Context) { func (s *Server) PostAdminEditInterface(c *gin.Context) {
currentSession := s.getSessionData(c)
var formDevice Device var formDevice Device
if currentSession.FormData != nil {
formDevice = currentSession.FormData.(Device)
}
if err := c.ShouldBind(&formDevice); err != nil { if err := c.ShouldBind(&formDevice); err != nil {
_ = s.updateFormInSession(c, formDevice)
s.setAlert(c, "failed to bind form data: "+err.Error(), "danger") s.setAlert(c, "failed to bind form data: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit") c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=bind")
return return
} }
// Clean list input // Clean list input
@ -102,16 +122,18 @@ func (s *Server) PostAdminEditInterface(c *gin.Context) {
// Update WireGuard device // Update WireGuard device
err := s.wg.UpdateDevice(formDevice.DeviceName, formDevice.GetDeviceConfig()) err := s.wg.UpdateDevice(formDevice.DeviceName, formDevice.GetDeviceConfig())
if err != nil { if err != nil {
_ = s.updateFormInSession(c, formDevice)
s.setAlert(c, "failed to update device in WireGuard: "+err.Error(), "danger") s.setAlert(c, "failed to update device in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit") c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=wg")
return return
} }
// Update in database // Update in database
err = s.users.UpdateDevice(formDevice) err = s.users.UpdateDevice(formDevice)
if err != nil { if err != nil {
_ = s.updateFormInSession(c, formDevice)
s.setAlert(c, "failed to update device in database: "+err.Error(), "danger") s.setAlert(c, "failed to update device in database: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit") c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
return return
} }
@ -123,6 +145,12 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
device := s.users.GetDevice() device := s.users.GetDevice()
user := s.users.GetUserByKey(c.Query("pkey")) user := s.users.GetUserByKey(c.Query("pkey"))
currentSession, err := s.setFormInSession(c, user)
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Session error", err.Error())
return
}
c.HTML(http.StatusOK, "admin_edit_client.html", struct { c.HTML(http.StatusOK, "admin_edit_client.html", struct {
Route string Route string
Alerts AlertData Alerts AlertData
@ -133,9 +161,9 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
}{ }{
Route: c.Request.URL.Path, Route: c.Request.URL.Path,
Alerts: s.getAlertData(c), Alerts: s.getAlertData(c),
Session: s.getSessionData(c), Session: currentSession,
Static: s.getStaticData(), Static: s.getStaticData(),
Peer: user, Peer: currentSession.FormData.(User),
Device: device, Device: device,
}) })
} }
@ -144,10 +172,15 @@ func (s *Server) PostAdminEditPeer(c *gin.Context) {
currentUser := s.users.GetUserByKey(c.Query("pkey")) currentUser := s.users.GetUserByKey(c.Query("pkey"))
urlEncodedKey := url.QueryEscape(c.Query("pkey")) urlEncodedKey := url.QueryEscape(c.Query("pkey"))
currentSession := s.getSessionData(c)
var formUser User var formUser User
if currentSession.FormData != nil {
formUser = currentSession.FormData.(User)
}
if err := c.ShouldBind(&formUser); err != nil { if err := c.ShouldBind(&formUser); err != nil {
_ = s.updateFormInSession(c, formUser)
s.setAlert(c, "failed to bind form data: "+err.Error(), "danger") s.setAlert(c, "failed to bind form data: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey) c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey+"&formerr=bind")
return return
} }
@ -165,35 +198,11 @@ func (s *Server) PostAdminEditPeer(c *gin.Context) {
formUser.DeactivatedAt = nil formUser.DeactivatedAt = nil
} }
// Update WireGuard device
if formUser.DeactivatedAt == &now {
err := s.wg.RemovePeer(formUser.PublicKey)
if err != nil {
s.setAlert(c, "failed to remove peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
} else if formUser.DeactivatedAt == nil && currentUser.Peer != nil {
err := s.wg.UpdatePeer(formUser.GetPeerConfig())
if err != nil {
s.setAlert(c, "failed to update peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
} else if formUser.DeactivatedAt == nil && currentUser.Peer == nil {
err := s.wg.AddPeer(formUser.GetPeerConfig())
if err != nil {
s.setAlert(c, "failed to add peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
}
// Update in database // Update in database
err := s.users.UpdateUser(formUser) if err := s.UpdateUser(formUser, now); err != nil {
if err != nil { _ = s.updateFormInSession(c, formUser)
s.setAlert(c, "failed to update user in database: "+err.Error(), "danger") s.setAlert(c, "failed to update user: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey) c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey+"&formerr=update")
return return
} }
@ -203,24 +212,12 @@ func (s *Server) PostAdminEditPeer(c *gin.Context) {
func (s *Server) GetAdminCreatePeer(c *gin.Context) { func (s *Server) GetAdminCreatePeer(c *gin.Context) {
device := s.users.GetDevice() device := s.users.GetDevice()
user := User{}
user.AllowedIPsStr = device.AllowedIPsStr
user.IPsStr = "" // TODO: add a valid ip here
psk, err := wgtypes.GenerateKey()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Preshared key generation error", err.Error())
return
}
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Private key generation error", err.Error())
return
}
user.PresharedKey = psk.String()
user.PrivateKey = key.String()
user.PublicKey = key.PublicKey().String()
user.UID = fmt.Sprintf("u%x", md5.Sum([]byte(user.PublicKey)))
currentSession, err := s.setNewUserFormInSession(c)
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Session error", err.Error())
return
}
c.HTML(http.StatusOK, "admin_edit_client.html", struct { c.HTML(http.StatusOK, "admin_edit_client.html", struct {
Route string Route string
Alerts AlertData Alerts AlertData
@ -231,18 +228,23 @@ func (s *Server) GetAdminCreatePeer(c *gin.Context) {
}{ }{
Route: c.Request.URL.Path, Route: c.Request.URL.Path,
Alerts: s.getAlertData(c), Alerts: s.getAlertData(c),
Session: s.getSessionData(c), Session: currentSession,
Static: s.getStaticData(), Static: s.getStaticData(),
Peer: user, Peer: currentSession.FormData.(User),
Device: device, Device: device,
}) })
} }
func (s *Server) PostAdminCreatePeer(c *gin.Context) { func (s *Server) PostAdminCreatePeer(c *gin.Context) {
currentSession := s.getSessionData(c)
var formUser User var formUser User
if currentSession.FormData != nil {
formUser = currentSession.FormData.(User)
}
if err := c.ShouldBind(&formUser); err != nil { if err := c.ShouldBind(&formUser); err != nil {
_ = s.updateFormInSession(c, formUser)
s.setAlert(c, "failed to bind form data: "+err.Error(), "danger") s.setAlert(c, "failed to bind form data: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/create") c.Redirect(http.StatusSeeOther, "/admin/peer/create?formerr=bind")
return return
} }
@ -258,21 +260,10 @@ func (s *Server) PostAdminCreatePeer(c *gin.Context) {
formUser.DeactivatedAt = &now formUser.DeactivatedAt = &now
} }
// Update WireGuard device if err := s.CreateUser(formUser); err != nil {
if formUser.DeactivatedAt == nil { _ = s.updateFormInSession(c, formUser)
err := s.wg.AddPeer(formUser.GetPeerConfig()) s.setAlert(c, "failed to add user: "+err.Error(), "danger")
if err != nil { c.Redirect(http.StatusSeeOther, "/admin/peer/create?formerr=create")
s.setAlert(c, "failed to add peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/create")
return
}
}
// Create in database
err := s.users.CreateUser(formUser)
if err != nil {
s.setAlert(c, "failed to add user in database: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/create")
return return
} }
@ -281,84 +272,62 @@ func (s *Server) PostAdminCreatePeer(c *gin.Context) {
} }
func (s *Server) GetAdminCreateLdapPeers(c *gin.Context) { func (s *Server) GetAdminCreateLdapPeers(c *gin.Context) {
device := s.users.GetDevice() currentSession, err := s.setFormInSession(c, LdapCreateForm{Identifier: "Default"})
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Session error", err.Error())
return
}
c.HTML(http.StatusOK, "admin_create_clients.html", struct { c.HTML(http.StatusOK, "admin_create_clients.html", struct {
Route string Route string
Alerts AlertData Alerts AlertData
Session SessionData Session SessionData
Static StaticData Static StaticData
Users []*ldap.UserCacheHolderEntry Users []*ldap.UserCacheHolderEntry
Device Device FormData LdapCreateForm
Device Device
}{ }{
Route: c.Request.URL.Path, Route: c.Request.URL.Path,
Alerts: s.getAlertData(c), Alerts: s.getAlertData(c),
Session: s.getSessionData(c), Session: currentSession,
Static: s.getStaticData(), Static: s.getStaticData(),
Users: s.ldapUsers.GetSortedUsers("sn", "asc"), Users: s.ldapUsers.GetSortedUsers("sn", "asc"),
Device: device, FormData: currentSession.FormData.(LdapCreateForm),
Device: s.users.GetDevice(),
}) })
} }
func (s *Server) PostAdminCreateLdapPeers(c *gin.Context) { func (s *Server) PostAdminCreateLdapPeers(c *gin.Context) {
email := c.PostForm("email") currentSession := s.getSessionData(c)
identifier := c.PostForm("identifier") var formData LdapCreateForm
if identifier == "" { if currentSession.FormData != nil {
identifier = "Default" formData = currentSession.FormData.(LdapCreateForm)
} }
if email == "" { if err := c.ShouldBind(&formData); err != nil {
s.setAlert(c, "missing email address", "danger") _ = s.updateFormInSession(c, formData)
c.Redirect(http.StatusSeeOther, "/admin/peer/createldap") s.setAlert(c, "failed to bind form data: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/createldap?formerr=bind")
return return
} }
emails := common.ParseStringList(email)
emails := common.ParseStringList(formData.Emails)
for i := range emails { for i := range emails {
// TODO: also check email addr for validity? // TODO: also check email addr for validity?
if !strings.ContainsRune(emails[i], '@') || s.ldapUsers.GetUserDNByMail(emails[i]) == "" { if !strings.ContainsRune(emails[i], '@') || s.ldapUsers.GetUserDNByMail(emails[i]) == "" {
_ = s.updateFormInSession(c, formData)
s.setAlert(c, "invalid email address: "+emails[i], "danger") s.setAlert(c, "invalid email address: "+emails[i], "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/createldap") c.Redirect(http.StatusSeeOther, "/admin/peer/createldap?formerr=mail")
return return
} }
} }
log.Infof("creating %d ldap peers", len(emails)) log.Infof("creating %d ldap peers", len(emails))
device := s.users.GetDevice()
for i := range emails { for i := range emails {
ldapUser := s.ldapUsers.GetUserData(s.ldapUsers.GetUserDNByMail(emails[i])) if err := s.CreateUserByEmail(emails[i], formData.Identifier, false); err != nil {
user := User{} _ = s.updateFormInSession(c, formData)
user.AllowedIPsStr = device.AllowedIPsStr s.setAlert(c, "failed to add user: "+err.Error(), "danger")
user.IPsStr = "" // TODO: add a valid ip here c.Redirect(http.StatusSeeOther, "/admin/peer/createldap?formerr=create")
psk, err := wgtypes.GenerateKey()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Preshared key generation error", err.Error())
return
}
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "Private key generation error", err.Error())
return
}
user.PresharedKey = psk.String()
user.PrivateKey = key.String()
user.PublicKey = key.PublicKey().String()
user.UID = fmt.Sprintf("u%x", md5.Sum([]byte(user.PublicKey)))
user.Email = emails[i]
user.Identifier = fmt.Sprintf("%s %s (%s)", ldapUser.Firstname, ldapUser.Lastname, identifier)
// Create wireguard interface
err = s.wg.AddPeer(user.GetPeerConfig())
if err != nil {
s.setAlert(c, "failed to add peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/createldap")
return
}
// Create in database
err = s.users.CreateUser(user)
if err != nil {
s.setAlert(c, "failed to add user in database: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/createldap")
return return
} }
} }
@ -377,3 +346,48 @@ func (s *Server) GetUserQRCode(c *gin.Context) {
c.Data(http.StatusOK, "image/png", png) c.Data(http.StatusOK, "image/png", png)
return return
} }
func (s *Server) updateFormInSession(c *gin.Context, formData interface{}) error {
currentSession := s.getSessionData(c)
currentSession.FormData = formData
if err := s.updateSessionData(c, currentSession); err != nil {
return err
}
return nil
}
func (s *Server) setNewUserFormInSession(c *gin.Context) (SessionData, error) {
currentSession := s.getSessionData(c)
// If session does not contain a user form ignore update
// If url contains a formerr parameter reset the form
if currentSession.FormData == nil || c.Query("formerr") == "" {
user, err := s.PrepareNewUser()
if err != nil {
return currentSession, err
}
currentSession.FormData = user
}
if err := s.updateSessionData(c, currentSession); err != nil {
return currentSession, err
}
return currentSession, nil
}
func (s *Server) setFormInSession(c *gin.Context, formData interface{}) (SessionData, error) {
currentSession := s.getSessionData(c)
// If session does not contain a form ignore update
// If url contains a formerr parameter reset the form
if currentSession.FormData == nil || c.Query("formerr") == "" {
currentSession.FormData = formData
}
if err := s.updateSessionData(c, currentSession); err != nil {
return currentSession, err
}
return currentSession, nil
}

149
internal/server/helper.go Normal file
View File

@ -0,0 +1,149 @@
package server
import (
"crypto/md5"
"errors"
"fmt"
"time"
"github.com/h44z/wg-portal/internal/common"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)
func (s *Server) PrepareNewUser() (User, error) {
device := s.users.GetDevice()
user := User{}
user.IsNew = true
user.AllowedIPsStr = device.AllowedIPsStr
user.IPs = make([]string, len(device.IPs))
for i := range device.IPs {
freeIP, err := s.users.GetAvailableIp(device.IPs[i])
if err != nil {
return User{}, err
}
user.IPs[i] = freeIP
}
user.IPsStr = common.ListToString(user.IPs)
psk, err := wgtypes.GenerateKey()
if err != nil {
return User{}, err
}
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
return User{}, err
}
user.PresharedKey = psk.String()
user.PrivateKey = key.String()
user.PublicKey = key.PublicKey().String()
user.UID = fmt.Sprintf("u%x", md5.Sum([]byte(user.PublicKey)))
return user, nil
}
func (s *Server) CreateUserByEmail(email, identifierSuffix string, disabled bool) error {
ldapUser := s.ldapUsers.GetUserData(s.ldapUsers.GetUserDNByMail(email))
if ldapUser.DN == "" {
return errors.New("no user with email " + email + " found")
}
device := s.users.GetDevice()
user := User{}
user.AllowedIPsStr = device.AllowedIPsStr
user.IPsStr = "" // TODO: add a valid ip here
psk, err := wgtypes.GenerateKey()
if err != nil {
return err
}
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
return err
}
user.PresharedKey = psk.String()
user.PrivateKey = key.String()
user.PublicKey = key.PublicKey().String()
user.UID = fmt.Sprintf("u%x", md5.Sum([]byte(user.PublicKey)))
user.Email = email
user.Identifier = fmt.Sprintf("%s %s (%s)", ldapUser.Firstname, ldapUser.Lastname, identifierSuffix)
now := time.Now()
if disabled {
user.DeactivatedAt = &now
}
return s.CreateUser(user)
}
func (s *Server) CreateUser(user User) error {
device := s.users.GetDevice()
user.AllowedIPsStr = device.AllowedIPsStr
user.IPsStr = "" // TODO: add a valid ip here
if user.PrivateKey == "" { // if private key is empty create a new one
psk, err := wgtypes.GenerateKey()
if err != nil {
return err
}
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
return err
}
user.PresharedKey = psk.String()
user.PrivateKey = key.String()
user.PublicKey = key.PublicKey().String()
}
user.UID = fmt.Sprintf("u%x", md5.Sum([]byte(user.PublicKey)))
// Create wireguard interface
if user.DeactivatedAt == nil {
if err := s.wg.AddPeer(user.GetPeerConfig()); err != nil {
return err
}
}
// Create in database
if err := s.users.CreateUser(user); err != nil {
return err
}
return nil
}
func (s *Server) UpdateUser(user User, updateTime time.Time) error {
currentUser := s.users.GetUserByKey(user.PublicKey)
// Update WireGuard device
var err error
switch {
case user.DeactivatedAt == &updateTime:
err = s.wg.RemovePeer(user.PublicKey)
case user.DeactivatedAt == nil && currentUser.Peer != nil:
err = s.wg.UpdatePeer(user.GetPeerConfig())
case user.DeactivatedAt == nil && currentUser.Peer == nil:
err = s.wg.AddPeer(user.GetPeerConfig())
}
if err != nil {
return err
}
// Update in database
if err := s.users.UpdateUser(user); err != nil {
return err
}
return nil
}
func (s *Server) DeleteUser(user User) error {
// Delete WireGuard peer
if err := s.wg.RemovePeer(user.PublicKey); err != nil {
return err
}
// Delete in database
if err := s.users.DeleteUser(user); err != nil {
return err
}
return nil
}

95
internal/server/usermanager.go
View File

@ -6,6 +6,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"net" "net"
"reflect"
"strings" "strings"
"text/template" "text/template"
"time" "time"
@ -73,6 +74,7 @@ type User struct {
UID string `form:"uid" binding:"alphanum"` // uid for html identification UID string `form:"uid" binding:"alphanum"` // uid for html identification
IsOnline bool `gorm:"-"` IsOnline bool `gorm:"-"`
IsNew bool `gorm:"-"`
Identifier string `form:"identifier" binding:"required,lt=64"` // Identifier AND Email make a WireGuard peer unique Identifier string `form:"identifier" binding:"required,lt=64"` // Identifier AND Email make a WireGuard peer unique
Email string `gorm:"index" form:"mail" binding:"required,email"` Email string `gorm:"index" form:"mail" binding:"required,email"`
@ -161,6 +163,26 @@ func (u User) IsValid() bool {
return true return true
} }
func (u User) ToMap() map[string]string {
out := make(map[string]string)
v := reflect.ValueOf(u)
if v.Kind() == reflect.Ptr {
v = v.Elem()
}
typ := v.Type()
for i := 0; i < v.NumField(); i++ {
// gets us a StructField
fi := typ.Field(i)
if tagv := fi.Tag.Get("form"); tagv != "" {
// set key of map to value in struct field
out[tagv] = v.Field(i).String()
}
}
return out
}
// //
// DEVICE -------------------------------------------------------------------------------------- // DEVICE --------------------------------------------------------------------------------------
// //
@ -417,6 +439,16 @@ func (u *UserManager) UpdateUser(user User) error {
return nil return nil
} }
func (u *UserManager) DeleteUser(user User) error {
res := u.db.Delete(&user)
if res.Error != nil {
log.Errorf("failed to delete user: %v", res.Error)
return res.Error
}
return nil
}
func (u *UserManager) UpdateDevice(device Device) error { func (u *UserManager) UpdateDevice(device Device) error {
device.UpdatedAt = time.Now() device.UpdatedAt = time.Now()
device.AllowedIPsStr = strings.Join(device.AllowedIPs, ", ") device.AllowedIPsStr = strings.Join(device.AllowedIPs, ", ")
@ -437,36 +469,67 @@ func (u *UserManager) GetAllReservedIps() ([]string, error) {
users := u.GetAllUsers() users := u.GetAllUsers()
for _, user := range users { for _, user := range users {
for _, cidr := range user.IPs { for _, cidr := range user.IPs {
if cidr == "" {
continue
}
ip, _, err := net.ParseCIDR(cidr) ip, _, err := net.ParseCIDR(cidr)
if err != nil { if err != nil {
log.WithFields(log.Fields{ return nil, err
"err": err,
"cidr": cidr,
}).Error("failed to ip from cidr")
} else {
reservedIps = append(reservedIps, ip.String())
} }
reservedIps = append(reservedIps, ip.String())
} }
} }
device := u.GetDevice() device := u.GetDevice()
for _, cidr := range device.IPs { for _, cidr := range device.IPs {
if cidr == "" {
continue
}
ip, _, err := net.ParseCIDR(cidr) ip, _, err := net.ParseCIDR(cidr)
if err != nil { if err != nil {
log.WithFields(log.Fields{ return nil, err
"err": err,
"cidr": cidr,
}).Error("failed to ip from cidr")
} else {
reservedIps = append(reservedIps, ip.String())
} }
reservedIps = append(reservedIps, ip.String())
} }
return reservedIps, nil return reservedIps, nil
} }
func (u *UserManager) IsIPReserved(cidr string) bool {
reserved, err := u.GetAllReservedIps()
if err != nil {
return true // in case something failed, assume the ip is reserved
}
ip, ipnet, err := net.ParseCIDR(cidr)
if err != nil {
return true
}
// this two addresses are not usable
broadcastAddr := common.BroadcastAddr(ipnet).String()
networkAddr := ipnet.IP.String()
address := ip.String()
if address == broadcastAddr || address == networkAddr {
return true
}
for _, r := range reserved {
if address == r {
return true
}
}
return false
}
// GetAvailableIp search for an available ip in cidr against a list of reserved ips // GetAvailableIp search for an available ip in cidr against a list of reserved ips
func (u *UserManager) GetAvailableIp(cidr string, reserved []string) (string, error) { func (u *UserManager) GetAvailableIp(cidr string) (string, error) {
reserved, err := u.GetAllReservedIps()
if err != nil {
return "", err
}
ip, ipnet, err := net.ParseCIDR(cidr) ip, ipnet, err := net.ParseCIDR(cidr)
if err != nil { if err != nil {
return "", err return "", err
@ -486,7 +549,11 @@ func (u *UserManager) GetAvailableIp(cidr string, reserved []string) (string, er
} }
} }
if ok && address != networkAddr && address != broadcastAddr { if ok && address != networkAddr && address != broadcastAddr {
return address, nil netMask := "/32"
if common.IsIPv6(address) {
netMask = "/128"
}
return address + netMask, nil
} }
} }