vpnmanager/manager/views.py

from django.shortcuts import render, get_object_or_404, redirect
from django.http import HttpResponse
from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm, AdminPasswordChangeForm
from django.db.models import Q
from django.views.decorators.csrf import csrf_exempt
from django.utils import timezone
from django.core.files import File
from django.db.models.fields.files import FieldFile
from django.contrib.auth.models import User
from django.contrib.auth.decorators import login_required, user_passes_test
from django.db.models.signals import post_save
from django.dispatch import receiver
from django.conf import settings
from django.contrib.auth.forms import PasswordResetForm

from .models import Device, Organization, Network, Model, Wifi, UserStatus
from .signals import *
from .forms import *
from .device import makewificonfig, heartbeathandler

from distutils.dir_util import copy_tree

import glob
import sys
import subprocess
import os
import socket
import tempfile
import crypt
import tarfile
import datetime
import time
import uuid

def is_superuser(user):
    return user.is_superuser

def is_staff(user):
    return user.is_staff

@login_required
def index(request):
    return redirect("/devices/")

@csrf_exempt
def heartbeat(request):
    device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
    ip = request.POST.get("ip", "")

    return HttpResponse(heartbeathandler(device, ip))

@csrf_exempt
def wireless(request):
    device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
    device.wireless = timezone.now()
    device.save()
    return HttpResponse(makewificonfig(device))


@csrf_exempt
def hosts(request):
    device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
    sigRebootDevice(device.serial, None, False)
    device.reboot = False
    device.save()
    return render(request, "manager/hosts", {"device": device})

def mkfirmware(device, path):
    if device.firmware and device.firmware > device.model.firmware and device.firmware > device.changed and glob.glob("%s/%s.bin" % (path, device.id)):
        return True

    BEFORE = os.getcwd()
    DEVICEDIR = "/opt/vpnmanager/device-config/%i/" % device.model.id
    SRCDIR = "/opt/vpnmanager/imagebuilder/%i/" % device.model.id

    if glob.glob(SRCDIR + "/.kumilock"):
        return False

    with open(SRCDIR + "/.kumilock", "w") as lock:
        lock.write("")

    tempdir = tempfile.TemporaryDirectory()

    copy_tree(DEVICEDIR, tempdir.name)

    # Write OpenVPN config

    with open(tempdir.name + "/etc/openvpn/client.conf", "w") as vpnconf:
        vpnconf.write(device.vpnconfig)

    # Write secret

    with open(tempdir.name + "/etc/vpnsecret", "w") as secret:
        secret.write('SECRET="%s"' % device.secret)

    # Write password

    with open(tempdir.name + "/etc/shadow", "r") as shadow:
        password = crypt.crypt(device.password, crypt.mksalt(crypt.METHOD_MD5))
        shadowin = shadow.read()

    with open(tempdir.name + "/etc/shadow", "w") as shadowout:
        shadowout.write(shadowin.replace("$PASSWORD", password))

    # Write Wireless config

    with open(tempdir.name + "/etc/config/wireless", "r") as wireless:
        wirein = wireless.read()

    with open(tempdir.name + "/etc/config/wireless", "w") as wireout:
        wire = wirein.replace("$SSID", device.serial)
        wireout.write(wire + "\n" + makewificonfig(device))

    # Create compilation environment

    os.system("rm -rf " + SRCDIR + "/files/")
    os.mkdir(SRCDIR + "/files/")
    os.system("cp -r " + tempdir.name + "/* " + SRCDIR + "/files/")

    tempdir.cleanup()

    os.system("rm " + SRCDIR + "/bin/targets/ar71xx/generic/*")

    # Build image

    os.chdir(SRCDIR)

    try:
        subprocess.call(["/usr/bin/make"])
    except:
        os.remove(SRCDIR + "/.kumilock")
        os.chdir(BEFORE)
        return False

    os.chdir(BEFORE)

    os.rename(glob.glob(SRCDIR + "/bin/targets/ar71xx/generic/*squashfs-sysupgrade.bin")[0], "%s/%s.bin" % (path, device.id))
    os.remove(SRCDIR + "/.kumilock")
    os.system("rm -rf " + SRCDIR + "/files/")
    os.system("rm " + SRCDIR + "/bin/targets/ar71xx/generic/*")
    device.firmware = datetime.datetime.now()
    device.save()
    return True

@csrf_exempt
def update(request):
    FWDIR = "/opt/vpnmanager/images/"

    device = get_object_or_404(Device, secret=request.POST.get("secret", ""))

    if not mkfirmware(device, FWDIR):
        return HttpResponse(status=503)

    sigUpdateDevice(device.serial, None, False)
    device.update = False
    device.save()

    with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download:
        response = HttpResponse(download.read(), content_type="application/octet-stream")
        response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial
        return response

def ping(request, device_id):
    if request.user.is_authenticated:
        device = None
        ajax = '{\n "status": '

        for organization in Organization.objects.filter(users=request.user):
            device = device or Device.objects.filter(id=device_id, organization=organization)

        if not device:
            ajax += "-1"

        else:
            try:
                socket.inet_aton(device[0].curip)
                ajax += str(1 if not os.WEXITSTATUS(os.system("ping -c1 -w1 " + device[0].curip + " > /dev/null 2>&1")) else 2 if (timezone.now() - device[0].lasttime).total_seconds() > 120 and (timezone.now() - device[0].lastbeat).total_seconds() < 60 else 0)
                ajax += ',\n "serial": "%s"' % device[0].serial
                ajax += ',\n "name": "%s"' % device[0].name if device[0].name else ""
                ajax += ',\n "ip": "%s"' % device[0].curip
                ajax += ',\n "time": "%i"' % (int(time.mktime(timezone.make_naive(device[0].lasttime, timezone.get_current_timezone()).timetuple())) * 1000)
                ajax += ',\n "lastbeat": "%s"' % (int(time.mktime(timezone.make_naive(device[0].lastbeat, timezone.get_current_timezone()).timetuple())) * 1000)
                ajax += ',\n "reboot": %i' % (1 if device[0].reboot else 0)
                ajax += ',\n "update": %i' % (1 if device[0].update else 0)

                ajax += ',\n "network": {'
                ajax += '\n  "intip": "%s"' % device[0].network.intip
                ajax += ',\n  "extip": "%s"' % device[0].network.extip
                ajax += ',\n  "name": "%s"' % (device[0].network.name if device[0].network.name else "") 
                ajax += '\n }'

            except Exception as e:
                ajax += "-3"

    else:
        ajax += "-2"

    ajax += "\n}"
    return HttpResponse(ajax, content_type="application/json")

@login_required
def devices(request):
    return render(request, "manager/index.html", {"title": "Device Administration"})

@login_required
def editdevice(request, device_id):
   device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all())
   subnets = Network.objects.filter(organization=device.organization)
   wifis = Wifi.objects.filter(organization=device.organization)

   if request.POST.get("subnet", ""):
       subnet = Network.objects.get(intip=request.POST.get("subnet", device.network.intip if device.network else "No VPN"))

       if subnet[0] in subnets:
           newname = request.POST.get("name", "")
           if newname != device.name:
            sigRenameDevice(device.serial, request.user.username, device[0].name, newname)
            device.name = newname

           if subnet != device.network:
            sigNetDevice(device.serial, request.user.username, str(device.network), str(subnet))
            device.network = subnet
            
           newreboot = True if request.POST.get("reboot", "0") == "True" else False
           if newreboot != device.reboot:
            sigRebootDevice(device.serial, request.user.username, newreboot)
            device.reboot = newreboot

           newupdate = True if request.POST.get("update", "0") == "True" else False
           if newupdate != device.update:
            sigUpdateDevice(device.serial, request.user.username, newupdate)
            device.update = newupdate

           newwifis = set(request.POST.getlist("wifi", []))
           oldwifis = set(device.wifi.all())
           if newwifis != oldwifis:
            sigWifiDevice(device.serial, request.user.username, oldwifis, newwifis)
            device.wifi.set(newwifis)

           device.changed = timezone.now()
           device.save()

           return redirect("/devices/")

   return render(request, "manager/edit.html",
           {
               "title": "Edit Device",
               "device": device,
               "subnets": subnets,
               "wifis": wifis,
               "curfis": Wifi.objects.filter(device=device)
               }
           )

@user_passes_test(is_superuser)
def makeuser(request):
    if request.POST.get("username", ""):
       username = request.POST.get("username", "")
       first = request.POST.get("firstname", "")
       last = request.POST.get("lastname", "")
       staff = request.POST.get("staff", "0") == "True"
       suser = request.POST.get("superuser", "0") == "True"
       orgas = set(request.POST.getlist("orga", []))
       mail = request.POST.get("email", "")
       user = User.objects.create_user(
               username=username, 
               password=str(uuid.uuid4().hex), 
               first_name=first, 
               last_name=last, 
               is_staff=staff, 
               is_superuser=suser, 
               email=mail
               )
       user.organization_set.set(orgas)

       form = PasswordResetForm({"email": user.email})

       if form.is_valid():
        form.save(
            request=request,
            use_https=True,
            email_template_name='registration/password_reset_email.html')

       return redirect("/users/")

    else:
       return render(request, "manager/adduser.html", {"title": "Add User"})


@login_required
def edituser(request, user_id):
   if request.user.is_staff or request.user.id == user_id:
       orgas = request.user.organization_set.all()
       user = User.objects.distinct().get(id=user_id, organization__in=orgas)

       if not user:
           return redirect("/users/")

       if request.POST.get("form", ""):
           newfirst = request.POST.get("firstname", "")
           newlast = request.POST.get("lastname", "")
           if newlast != user.last_name or newfirst != user.first_name:
            sigRenameUser(user.username, request.user.username, "%s %s" % (user.first_name, user.last_name), "%s %s" % (newfirst, newlast))
            user.first_name = request.POST.get("firstname", "")
            user.last_name = request.POST.get("lastname", "")

           if request.user.is_staff or request.user.is_superuser:
               newstaff = request.POST.get("staff", "0") == "True"
               if newstaff != user.is_staff:
                sigStaffUser(user.username, request.user.username, newstaff)
                user.is_staff = newstaff

           if request.user.is_superuser:
               newsuper = request.POST.get("superuser", "0") == "True"
               if newsuper != user.is_superuser:
                sigSuperUser(user.username, request.user.username, newsuper)
                user.is_superuser = newsuper

               neworgas = set(request.POST.getlist("orga", []))
               oldorgas = set(user.organization_set.all())
               if neworgas != oldorgas:
                   sigOrgaUser(user.username, request.user.username, oldorgas, neworgas)
                   user.organization_set.set(neworgas)

           newmail = request.POST.get("email", "")
           if newmail != user.email:
            sigMailUser(user.username, request.user.username, user.email, newmail)
            user.email = newmail

           user.save()

           return redirect("/users/")

       return render(request, "manager/edituser.html",
               {   
                   "title": "Edit User",
                   "auser": user
                   }
               )

   else:
       return redirect('/account/login/?next=%s' % request.path)

@login_required
def editwifi(request, wifi_id):
    wifi = None

    for organization in Organization.objects.filter(users=request.user):
        wifi = wifi or Wifi.objects.filter(id=wifi_id, organization=organization)

    if not wifi:
        return redirect("/wifi/")

    if request.POST.get("serial", ""):
        newserial = request.POST.get("serial", "")
        if newserial != wifi[0].serial:
            sigRenameWifi(wifi[0].serial, request.user.username, wifi[0].serial, newserial)
            wifi[0].serial = newserial

        newssid = request.POST.get("ssid", "")
        if newssid != wifi[0].ssid:
            sigSSIDWifi(wifi[0].serial, request.user.username, wifi[0].ssid, newssid)
            wifi[0].ssid = newssid

        newkey = request.POST.get("key", "")
        if newkey != wifi[0].key:
            sigKeyWifi(wifi[0].serial, request.user.username, wifi[0].key, newkey)
            wifi[0].key = newkey

        wifi[0].save()

        return redirect("/wifi/")

    return render(request, "manager/editwifi.html",
            {
                "title": "Edit WiFi",
                "wifi": wifi[0]
                }
            )

@user_passes_test(is_superuser)
def getconfig(request, device_id):
    FWDIR = "/opt/vpnmanager/images/"

    device = get_object_or_404(Device, id=device_id)

    if not mkfirmware(device, FWDIR):
        return HttpResponse("Something went wrong generating the firmware image. The server may be busy, please try again later.")

    sigUpdateDevice(device.serial, None, False)
    device.update = False
    device.save()

    with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download:
        response = HttpResponse(download.read(), content_type="application/octet-stream")
        response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial
        return response

@login_required
def rebootdevice(request, device_id):
    device = None
    for organization in Organization.objects.filter(users=request.user):
       device = device or Device.objects.filter(id=device_id, organization=organization)

    if device and not device[0].reboot:
       sigRebootDevice(device[0].serial, request.user.username, True)
       device[0].reboot = True
       device[0].save()

    return redirect("/devices/")

@user_passes_test(is_staff)
def updatedevice(request, device_id):
    device = None

    for organization in Organization.objects.filter(users=request.user):
        device = device or Device.objects.filter(id=device_id, organization=organization)

    if device and not device[0].update:
        sigUpdateDevice(device[0].serial, request.user.username, True)
        device[0].update = True
        device[0].save()

    return redirect("/devices/")

@user_passes_test(is_superuser)
def deletedevice(request, device_id):
    CADIR = "/etc/openvpn/ca/"
    BEFORE = os.getcwd()

    device = get_object_or_404(Device, id=device_id)

    os.chdir(CADIR)

    subprocess.call(CADIR + "/revoke " + device.serial, shell=True)
    os.system("rm " + CADIR + "/keys/" + device.serial + ".{crt,csr,key}")

    os.chdir(BEFORE)

    device.delete()

    return redirect("/devices/")

@user_passes_test(is_staff)
def deletewifi(request, wifi_id):
    wifi = get_object_or_404(Wifi, id=wifi_id, organization__in=request.user.organization_set.all())
    wifi.delete()
    return redirect("/wifi/")

@user_passes_test(is_superuser)
def deleteuser(request, user_id):
    user = get_object_or_404(User, id=user_id)
    user.delete()
    return redirect("/users/")

@user_passes_test(is_superuser)
def deletenetwork(request, network_id):
    network = get_object_or_404(Network, id=network_id)
    network.delete()
    return redirect("/networks/")

@user_passes_test(is_superuser)
def deleteorga(request, orga_id):
    orga = get_object_or_404(Organization, id=orga_id)
    orga.delete()
    return redirect("/organizations/")

@user_passes_test(is_staff)
def makewifi(request):
    wifi_serial = request.POST.get("serial", "")
    wifi_ssid = request.POST.get("ssid", "")
    wifi_key = request.POST.get("key", "")
    wifi_organization = request.POST.get("organization", "")

    if not (wifi_serial and wifi_organization):
        return render(request, "manager/addwifi.html",
                {
                    "title": "Add WiFi"
                    }
                )

    wifi = Wifi.objects.create(
                serial = wifi_serial,
                ssid = wifi_ssid,
                key = wifi_key,
                organization = Organization.objects.filter(id=wifi_organization)[0]
                )

    return redirect("/wifi/")

@user_passes_test(is_superuser)
def makenetwork(request):
    if request.method == "POST":
        form = NetworkForm(request.POST)
        if form.is_valid():
            data = form.cleaned_data
            network = Network.objects.create(name=data["name"], intip=data["intip"], extip=data["extip"])
            network.organization.set(data["orgas"])
            return redirect("/networks/")

    else:
        form = NetworkForm()

    return render(request, "manager/form.html", { "title": "Add Network", "form": form })

@user_passes_test(is_superuser)
def makeorganization(request):
    if request.method == "POST":
        form = OrgaForm(request.POST)
        if form.is_valid():
            data = form.cleaned_data
            orga = Organization.objects.create(name=data["name"], userlimit=data["users"])
            request.user.organization_set.add(orga)
            return redirect("/organizations/")

    else:
        form = OrgaForm()

    return render(request, "manager/form.html", { "title": "Add Organization", "form": form })

@user_passes_test(is_superuser)
def editorganization(request, orga_id):
    orga = get_object_or_404(Organization, id=orga_id)
    if request.method == "POST":
        form = OrgaForm(request.POST)
        if form.is_valid():
            data = form.cleaned_data
            orga.name = data["name"]
            orga.userlimit = data["users"]
            orga.save()
            return redirect("/organizations/")

    else:
        form = OrgaForm(initial={ "name": orga.name, "users": orga.userlimit })

    return render(request, "manager/form.html", { "title": "Change Organization", "form": form })

@user_passes_test(is_superuser)
def makedevice(request):
   CADIR = "/etc/openvpn/ca/"
   CONFIGDIR = "/etc/openvpn/client-configs/"
   BEFORE = os.getcwd()

   device_serial = request.POST.get("serial", "")
   device_name = request.POST.get("name", "")
   device_organization = request.POST.get("organization", "")
   device_model = request.POST.get("model", "")

   if not request.user.is_superuser:
       return redirect("/devices/")

   if not device_serial:
       orga = Organization.objects.all()
       models = Model.objects.all()

       return render(request, "manager/add.html",
                {
                    "title": "Add Device",
                    "organizations": orga,
                    "models": models
                    }
                )

   if glob.glob(CADIR + "/keys/" + device_serial + "*"):
       return HttpResponse("This key already exists.")

   os.chdir(CADIR)

   if subprocess.call(CADIR + "/generate-key " + device_serial, shell=True):
       os.chdir(BEFORE)
       return HttpResponse("Something went wrong trying to generate the key.")

   if glob.glob(CONFIGDIR + "/files/" + device_serial + "*"):
       os.chdir(BEFORE)
       return HttpResponse("This configuration file already exists.")

   os.chdir(CONFIGDIR)

   if subprocess.call(CONFIGDIR + "/make_config " + device_serial, shell=True):
       os.chdir(BEFORE)
       return HttpResponse("Something went wrong trying to generate the config file.")

   os.chdir(BEFORE)

   device = Device.objects.create(
           serial=device_serial,
           name=device_name,
           model=Model.objects.filter(id=device_model)[0],
           network=Network.objects.filter(intip="No VPN")[0],
           organization=Organization.objects.filter(id=device_organization)[0],
           vpnconfig = open(CONFIGDIR + "/files/" + device_serial + ".ovpn").read(),
           changed = timezone.now()
           )

   return redirect("/devices/")

@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def createUserStatus(sender, instance, created, **kwargs):
    if created:
        UserStatus.objects.create(user=instance)

@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def saveUserStatus(sender, instance, **kwargs):
    try:
        instance.userstatus.save()
    except:
        UserStatus.objects.create(user=instance)