from django.shortcuts import render, get_object_or_404, redirect from django.http import HttpResponse from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm, AdminPasswordChangeForm from django.db.models import Q from django.views.decorators.csrf import csrf_exempt from django.utils import timezone from django.core.files import File from django.db.models.fields.files import FieldFile from django.contrib.auth.models import User from django.contrib.auth.decorators import login_required, user_passes_test from django.db.models.signals import post_save from django.dispatch import receiver from django.conf import settings from django.contrib.auth.forms import PasswordResetForm from .models import Device, Organization, Network, Model, Wifi, UserStatus from .signals import * from .device import makewificonfig, heartbeathandler from distutils.dir_util import copy_tree import glob import sys import subprocess import os import socket import tempfile import crypt import tarfile import datetime import time import uuid def is_superuser(user): return user.is_superuser def is_staff(user): return user.is_staff @login_required def index(request): return redirect("/devices/") @csrf_exempt def heartbeat(request): device = get_object_or_404(Device, secret=request.POST.get("secret", "")) ip = request.POST.get("ip", "") return HttpResponse(heartbeathandler(device, ip)) @csrf_exempt def wireless(request): device = get_object_or_404(Device, secret=request.POST.get("secret", "")) device.wireless = timezone.now() device.save() return HttpResponse(makewificonfig(device)) @csrf_exempt def hosts(request): device = get_object_or_404(Device, secret=request.POST.get("secret", "")) sigRebootDevice(device.serial, None, False) device.reboot = False device.save() return render(request, "manager/hosts", {"device": device}) def mkfirmware(device, path): if device.firmware and device.firmware > device.model.firmware and device.firmware > device.changed and glob.glob("%s/%s.bin" % (path, device.id)): return True BEFORE = os.getcwd() DEVICEDIR = "/opt/vpnmanager/device-config/%i/" % device.model.id SRCDIR = "/opt/vpnmanager/imagebuilder/%i/" % device.model.id if glob.glob(SRCDIR + "/.kumilock"): return False with open(SRCDIR + "/.kumilock", "w") as lock: lock.write("") tempdir = tempfile.TemporaryDirectory() copy_tree(DEVICEDIR, tempdir.name) # Write OpenVPN config with open(tempdir.name + "/etc/openvpn/client.conf", "w") as vpnconf: vpnconf.write(device.vpnconfig) # Write secret with open(tempdir.name + "/etc/vpnsecret", "w") as secret: secret.write('SECRET="%s"' % device.secret) # Write password with open(tempdir.name + "/etc/shadow", "r") as shadow: password = crypt.crypt(device.password, crypt.mksalt(crypt.METHOD_MD5)) shadowin = shadow.read() with open(tempdir.name + "/etc/shadow", "w") as shadowout: shadowout.write(shadowin.replace("$PASSWORD", password)) # Write Wireless config with open(tempdir.name + "/etc/config/wireless", "r") as wireless: wirein = wireless.read() with open(tempdir.name + "/etc/config/wireless", "w") as wireout: wire = wirein.replace("$SSID", device.serial) wireout.write(wire + "\n" + makewificonfig(device)) # Create compilation environment os.system("rm -rf " + SRCDIR + "/files/") os.mkdir(SRCDIR + "/files/") os.system("cp -r " + tempdir.name + "/* " + SRCDIR + "/files/") tempdir.cleanup() os.system("rm " + SRCDIR + "/bin/targets/ar71xx/generic/*") # Build image os.chdir(SRCDIR) try: subprocess.call(["/usr/bin/make"]) except: os.remove(SRCDIR + "/.kumilock") os.chdir(BEFORE) return False os.chdir(BEFORE) os.rename(glob.glob(SRCDIR + "/bin/targets/ar71xx/generic/*squashfs-sysupgrade.bin")[0], "%s/%s.bin" % (path, device.id)) os.remove(SRCDIR + "/.kumilock") os.system("rm -rf " + SRCDIR + "/files/") os.system("rm " + SRCDIR + "/bin/targets/ar71xx/generic/*") device.firmware = datetime.datetime.now() device.save() return True @csrf_exempt def update(request): FWDIR = "/opt/vpnmanager/images/" device = get_object_or_404(Device, secret=request.POST.get("secret", "")) if not mkfirmware(device, FWDIR): return HttpResponse(status=503) sigUpdateDevice(device.serial, None, False) device.update = False device.save() with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download: response = HttpResponse(download.read(), content_type="application/octet-stream") response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial return response def ping(request, device_id): if request.user.is_authenticated: device = None ajax = '{\n "status": ' for organization in Organization.objects.filter(users=request.user): device = device or Device.objects.filter(id=device_id, organization=organization) if not device: ajax += "-1" else: try: socket.inet_aton(device[0].curip) ajax += str(1 if not os.WEXITSTATUS(os.system("ping -c1 -w1 " + device[0].curip + " > /dev/null 2>&1")) else 2 if (timezone.now() - device[0].lasttime).total_seconds() > 120 and (timezone.now() - device[0].lastbeat).total_seconds() < 60 else 0) ajax += ',\n "serial": "%s"' % device[0].serial ajax += ',\n "name": "%s"' % device[0].name if device[0].name else "" ajax += ',\n "ip": "%s"' % device[0].curip ajax += ',\n "time": "%i"' % (int(time.mktime(timezone.make_naive(device[0].lasttime, timezone.get_current_timezone()).timetuple())) * 1000) ajax += ',\n "lastbeat": "%s"' % (int(time.mktime(timezone.make_naive(device[0].lastbeat, timezone.get_current_timezone()).timetuple())) * 1000) ajax += ',\n "reboot": %i' % (1 if device[0].reboot else 0) ajax += ',\n "update": %i' % (1 if device[0].update else 0) ajax += ',\n "network": {' ajax += '\n "intip": "%s"' % device[0].network.intip ajax += ',\n "extip": "%s"' % device[0].network.extip ajax += ',\n "name": "%s"' % (device[0].network.name if device[0].network.name else "") ajax += '\n }' except Exception as e: ajax += "-3" else: ajax += "-2" ajax += "\n}" return HttpResponse(ajax, content_type="application/json") @login_required def devices(request): return render(request, "manager/index.html", {"title": "Device Administration"}) @login_required def editdevice(request, device_id): device = None subnets = set() wifis = set() for organization in Organization.objects.filter(users=request.user): device = device or Device.objects.filter(id=device_id, organization=organization) if not device: return redirect("/devices/") for subnet in Network.objects.filter(organizations=device[0].organization): subnets.add(subnet) for wifi in Wifi.objects.filter(organization=device[0].organization): wifis.add(wifi) if request.POST.get("subnet", ""): subnet = Network.objects.filter(intip=request.POST.get("subnet", device[0].network.intip if device[0].network else "No VPN")) if subnet[0] in subnets: newname = request.POST.get("name", "") if newname != device[0].name: sigRenameDevice(device[0].serial, request.user.username, device[0].name, newname) device[0].name = newname if subnet[0] != device[0].network: sigNetDevice(device[0].serial, request.user.username, str(device[0].network), str(subnet[0])) device[0].network = subnet[0] newreboot = True if request.POST.get("reboot", "0") == "True" else False if newreboot != device[0].reboot: sigRebootDevice(device[0].serial, request.user.username, newreboot) device[0].reboot = newreboot newupdate = True if request.POST.get("update", "0") == "True" else False if newupdate != device[0].update: sigUpdateDevice(device[0].serial, request.user.username, newupdate) device[0].update = newupdate newwifis = set(request.POST.getlist("wifi", [])) oldwifis = set(device[0].wifi.all()) if newwifis != oldwifis: sigWifiDevice(device[0].serial, request.user.username, oldwifis, newwifis) device[0].wifi.set(newwifis) device[0].changed = timezone.now() device[0].save() return redirect("/devices/") return render(request, "manager/edit.html", { "title": "Edit Device", "device": device[0], "subnets": subnets, "wifis": wifis, "curfis": Wifi.objects.filter(device=device[0]) } ) @user_passes_test(is_superuser) def makeuser(request): if request.POST.get("username", ""): username = request.POST.get("username", "") first = request.POST.get("firstname", "") last = request.POST.get("lastname", "") staff = request.POST.get("staff", "0") == "True" suser = request.POST.get("superuser", "0") == "True" orgas = set(request.POST.getlist("orga", [])) mail = request.POST.get("email", "") user = User.objects.create_user( username=username, password=str(uuid.uuid4().hex), first_name=first, last_name=last, is_staff=staff, is_superuser=suser, email=mail ) user.organization_set.set(orgas) form = PasswordResetForm({"email": user.email}) if form.is_valid(): form.save( request=request, use_https=True, email_template_name='registration/password_reset_email.html') return redirect("/users/") else: return render(request, "manager/adduser.html", {"title": "Add User"}) @login_required def edituser(request, user_id): if request.user.is_staff or request.user.id == user_id: orgas = request.user.organization_set.all() user = User.objects.distinct().get(id=user_id, organization__in=orgas) if not user: return redirect("/users/") if request.POST.get("form", ""): newfirst = request.POST.get("firstname", "") newlast = request.POST.get("lastname", "") if newlast != user.last_name or newfirst != user.first_name: sigRenameUser(user.username, request.user.username, "%s %s" % (user.first_name, user.last_name), "%s %s" % (newfirst, newlast)) user.first_name = request.POST.get("firstname", "") user.last_name = request.POST.get("lastname", "") if request.user.is_staff or request.user.is_superuser: newstaff = request.POST.get("staff", "0") == "True" if newstaff != user.is_staff: sigStaffUser(user.username, request.user.username, newstaff) user.is_staff = newstaff if request.user.is_superuser: newsuper = request.POST.get("superuser", "0") == "True" if newsuper != user.is_superuser: sigSuperUser(user.username, request.user.username, newsuper) user.is_superuser = newsuper neworgas = set(request.POST.getlist("orga", [])) oldorgas = set(user.organization_set.all()) if neworgas != oldorgas: sigOrgaUser(user.username, request.user.username, oldorgas, neworgas) user.organization_set.set(neworgas) newmail = request.POST.get("email", "") if newmail != user.email: sigMailUser(user.username, request.user.username, user.email, newmail) user.email = newmail user.save() return redirect("/users/") return render(request, "manager/edituser.html", { "title": "Edit User", "auser": user } ) else: return redirect('/account/login/?next=%s' % request.path) @login_required def editwifi(request, wifi_id): wifi = None for organization in Organization.objects.filter(users=request.user): wifi = wifi or Wifi.objects.filter(id=wifi_id, organization=organization) if not wifi: return redirect("/wifi/") if request.POST.get("serial", ""): newserial = request.POST.get("serial", "") if newserial != wifi[0].serial: sigRenameWifi(wifi[0].serial, request.user.username, wifi[0].serial, newserial) wifi[0].serial = newserial newssid = request.POST.get("ssid", "") if newssid != wifi[0].ssid: sigSSIDWifi(wifi[0].serial, request.user.username, wifi[0].ssid, newssid) wifi[0].ssid = newssid newkey = request.POST.get("key", "") if newkey != wifi[0].key: sigKeyWifi(wifi[0].serial, request.user.username, wifi[0].key, newkey) wifi[0].key = newkey wifi[0].save() return redirect("/wifi/") return render(request, "manager/editwifi.html", { "title": "Edit WiFi", "wifi": wifi[0] } ) @user_passes_test(is_superuser) def getconfig(request, device_id): FWDIR = "/opt/vpnmanager/images/" device = get_object_or_404(Device, id=device_id) if not mkfirmware(device, FWDIR): return HttpResponse("Something went wrong generating the firmware image. The server may be busy, please try again later.") sigUpdateDevice(device.serial, None, False) device.update = False device.save() with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download: response = HttpResponse(download.read(), content_type="application/octet-stream") response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial return response @login_required def rebootdevice(request, device_id): device = None for organization in Organization.objects.filter(users=request.user): device = device or Device.objects.filter(id=device_id, organization=organization) if device and not device[0].reboot: sigRebootDevice(device[0].serial, request.user.username, True) device[0].reboot = True device[0].save() return redirect("/devices/") @user_passes_test(is_staff) def updatedevice(request, device_id): device = None for organization in Organization.objects.filter(users=request.user): device = device or Device.objects.filter(id=device_id, organization=organization) if device and not device[0].update: sigUpdateDevice(device[0].serial, request.user.username, True) device[0].update = True device[0].save() return redirect("/devices/") @user_passes_test(is_superuser) def deletedevice(request, device_id): CADIR = "/etc/openvpn/ca/" BEFORE = os.getcwd() device = get_object_or_404(Device, id=device_id) os.chdir(CADIR) subprocess.call(CADIR + "/revoke " + device.serial, shell=True) os.system("rm " + CADIR + "/keys/" + device.serial + ".{crt,csr,key}") os.chdir(BEFORE) device.delete() return redirect("/devices/") @user_passes_test(is_staff) def deletewifi(request, wifi_id): wifi = get_object_or_404(Wifi, id=wifi_id) for organization in Organization.objects.filter(users=request.user): if organization == wifi.organization: wifi.delete() break return redirect("/wifi/") @user_passes_test(is_staff) def makewifi(request): wifi_serial = request.POST.get("serial", "") wifi_ssid = request.POST.get("ssid", "") wifi_key = request.POST.get("key", "") wifi_organization = request.POST.get("organization", "") if not (wifi_serial and wifi_organization): return render(request, "manager/addwifi.html", { "title": "Add WiFi" } ) wifi = Wifi.objects.create( serial = wifi_serial, ssid = wifi_ssid, key = wifi_key, organization = Organization.objects.filter(id=wifi_organization)[0] ) return redirect("/wifi/") @user_passes_test(is_superuser) def makedevice(request): CADIR = "/etc/openvpn/ca/" CONFIGDIR = "/etc/openvpn/client-configs/" BEFORE = os.getcwd() device_serial = request.POST.get("serial", "") device_name = request.POST.get("name", "") device_organization = request.POST.get("organization", "") device_model = request.POST.get("model", "") if not request.user.is_superuser: return redirect("/devices/") if not device_serial: orga = Organization.objects.all() models = Model.objects.all() return render(request, "manager/add.html", { "title": "Add Device", "organizations": orga, "models": models } ) if glob.glob(CADIR + "/keys/" + device_serial + "*"): return HttpResponse("This key already exists.") os.chdir(CADIR) if subprocess.call(CADIR + "/generate-key " + device_serial, shell=True): os.chdir(BEFORE) return HttpResponse("Something went wrong trying to generate the key.") if glob.glob(CONFIGDIR + "/files/" + device_serial + "*"): os.chdir(BEFORE) return HttpResponse("This configuration file already exists.") os.chdir(CONFIGDIR) if subprocess.call(CONFIGDIR + "/make_config " + device_serial, shell=True): os.chdir(BEFORE) return HttpResponse("Something went wrong trying to generate the config file.") os.chdir(BEFORE) device = Device.objects.create( serial=device_serial, name=device_name, model=Model.objects.filter(id=device_model)[0], network=Network.objects.filter(intip="No VPN")[0], organization=Organization.objects.filter(id=device_organization)[0], vpnconfig = open(CONFIGDIR + "/files/" + device_serial + ".ovpn").read() ) return redirect("/devices/") @receiver(post_save, sender=settings.AUTH_USER_MODEL) def createUserStatus(sender, instance, created, **kwargs): if created: UserStatus.objects.create(user=instance) @receiver(post_save, sender=settings.AUTH_USER_MODEL) def saveUserStatus(sender, instance, **kwargs): try: instance.userstatus.save() except: UserStatus.objects.create(user=instance)