vpnmanager/manager/views.py

504 lines
18 KiB
Python

from django.shortcuts import render, get_object_or_404, redirect
from django.http import HttpResponse
from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm, AdminPasswordChangeForm
from django.db.models import Q
from django.views.decorators.csrf import csrf_exempt
from django.utils import timezone
from django.core.files import File
from django.db.models.fields.files import FieldFile
from django.contrib.auth.models import User
from django.contrib.auth.decorators import login_required, user_passes_test
from django.db.models.signals import post_save
from django.dispatch import receiver
from django.conf import settings
from django.contrib.auth.forms import PasswordResetForm
from django.urls import reverse
from .models import Device, Organization, Network, Model, Wifi, UserStatus
from .signals import *
from .forms import *
from .device import makewificonfig, heartbeathandler
from .tasks import mkfirmware
from distutils.dir_util import copy_tree
from celery.exceptions import TimeoutError
import glob
import sys
import subprocess
import os
import socket
import tempfile
import crypt
import tarfile
import datetime
import time
import uuid
def is_superuser(user):
return user.is_superuser
def is_staff(user):
return user.is_staff
@login_required
def index(request):
return redirect(reverse("devices"))
@csrf_exempt
def heartbeat(request):
device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
ip = request.POST.get("ip", "")
return HttpResponse(heartbeathandler(device, ip))
@csrf_exempt
def wireless(request):
device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
device.wireless = timezone.now()
device.save()
return HttpResponse(makewificonfig(device))
@csrf_exempt
def hosts(request):
device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
sigRebootDevice(device.serial, None, False)
device.reboot = False
device.save()
return render(request, "manager/hosts", {"device": device})
@csrf_exempt
def update(request):
FWDIR = "/opt/vpnmanager/images/"
device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
try:
if not mkfirmware.apply_async((device, FWDIR), serializer='pickle').get(timeout=300):
return HttpResponse(status=503)
except TimeoutError:
return HttpResponse(status=503)
sigUpdateDevice(device.serial, None, False)
device.update = False
device.save()
with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download:
response = HttpResponse(download.read(), content_type="application/octet-stream")
response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial
return response
def ping(request, device_id):
if request.user.is_authenticated:
try:
device = Device.objects.get(id=device_id, organization__in=request.user.organization_set.all())
except:
device = None
ajax = '{\n "status": '
if not device:
ajax += "-1"
else:
try:
if device.curip:
socket.inet_aton(device.curip)
except Exception as e:
ajax += "-3"
else:
try:
ajax += str(1 if (device.curip and (timezone.now() - device.lasttime).total_seconds() < 300 and not os.WEXITSTATUS(os.system("ping -c1 -w1 " + device.curip + " > /dev/null 2>&1"))) else 2 if (True if not device.lasttime else (timezone.now() - device.lasttime).total_seconds() > 120) and (timezone.now() - device.lastbeat).total_seconds() < 60 else 0)
except Exception as e:
ajax += str(e)
ajax += "-4"
else:
ajax += ',\n "serial": "%s"' % device.serial
ajax += ',\n "name": "%s"' % device.name if device.name else ""
ajax += ',\n "ip": "%s"' % device.curip if device.curip else ""
ajax += ',\n "time": "%s"' % (None if not device.lasttime else str(int(time.mktime(timezone.make_naive(device.lasttime, timezone.get_current_timezone()).timetuple())) * 1000))
ajax += ',\n "lastbeat": "%s"' % (None if not device.lastbeat else str(int(time.mktime(timezone.make_naive(device.lastbeat, timezone.get_current_timezone()).timetuple())) * 1000))
ajax += ',\n "reboot": %i' % (1 if device.reboot else 0)
ajax += ',\n "update": %i' % (1 if device.update else 0)
ajax += ',\n "network": {'
ajax += '\n "intip": "%s"' % device.network.intip
ajax += ',\n "extip": "%s"' % device.network.extip
ajax += ',\n "name": "%s"' % (device.network.name if device.network.name else "")
ajax += '\n }'
else:
ajax += "-2"
ajax += "\n}"
return HttpResponse(ajax, content_type="application/json")
@login_required
def devices(request, code=200, exception=None):
return render(request, "manager/index.html", {"title": "Device Administration", "exception": exception}, status=code)
@login_required
def editdevice(request, device_id):
device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all())
subnets = Network.objects.filter(organization=device.organization)
wifis = Wifi.objects.filter(organization=device.organization)
form = DeviceForm(request.POST if request.method == "POST" else None, instance=device)
form.fields["mac"].disabled = True
form.fields["serial"].disabled = True
form.fields["secret"].disabled = True
form.fields["model"].disabled = True
form.fields["password"].disabled = True
if request.method == "POST" and form.is_valid():
form.save()
return redirect(reverse("devices"))
return render(request, "manager/form.html", { "title": "Edit Device", "form": form })
@user_passes_test(is_superuser)
def makeuser(request):
if request.POST.get("username", ""):
user = User.objects.create_user(
username=request.POST.get("username", ""),
password=str(uuid.uuid4().hex),
first_name=request.POST.get("firstname", ""),
last_name=request.POST.get("lastname", ""),
is_staff=request.POST.get("staff", "0") == "True",
is_superuser=request.POST.get("superuser", "0") == "True",
email=request.POST.get("email", "")
)
user.organization_set.set(set(request.POST.getlist("orga", [])))
form = PasswordResetForm({"email": user.email})
if form.is_valid():
form.save(
request=request,
use_https=True,
email_template_name='registration/add_user.html')
return redirect(reverse("users"))
else:
return render(request, "manager/adduser.html", {"title": "Add User"})
@login_required
def edituser(request, user_id):
if request.user.is_staff or request.user.id == user_id:
orgas = request.user.organization_set.all()
user = request.user if request.user.id == user_id else User.objects.distinct().get(id=user_id, organization__in=orgas)
if not user:
return redirect(reverse("users"))
if request.POST.get("form", ""):
newfirst = request.POST.get("firstname", "")
newlast = request.POST.get("lastname", "")
if newlast != user.last_name or newfirst != user.first_name:
sigRenameUser(user.username, request.user.username, "%s %s" % (user.first_name, user.last_name), "%s %s" % (newfirst, newlast))
user.first_name = request.POST.get("firstname", "")
user.last_name = request.POST.get("lastname", "")
if request.user.is_staff or request.user.is_superuser:
newstaff = request.POST.get("staff", "0") == "True"
if newstaff != user.is_staff:
sigStaffUser(user.username, request.user.username, newstaff)
user.is_staff = newstaff
if request.user.is_superuser:
newsuper = request.POST.get("superuser", "0") == "True"
if newsuper != user.is_superuser:
sigSuperUser(user.username, request.user.username, newsuper)
user.is_superuser = newsuper
neworgas = set(request.POST.getlist("orga", []))
oldorgas = set(user.organization_set.all())
if neworgas != oldorgas:
sigOrgaUser(user.username, request.user.username, oldorgas, neworgas)
user.organization_set.set(neworgas)
newmail = request.POST.get("email", "")
if newmail != user.email:
sigMailUser(user.username, request.user.username, user.email, newmail)
user.email = newmail
user.save()
return redirect(reverse("users"))
return render(request, "manager/edituser.html",
{
"title": "Edit User",
"auser": user
}
)
else:
return redirect(reverse("two_factor:login", kwargs={'next': request.path}))
@login_required
def editwifi(request, wifi_id):
wifi = get_object_or_404(Wifi, id=wifi_id, organization__in=request.user.organization_set.all())
form = WifiForm(request.POST if request.method == "POST" else None, instance=wifi)
form.fields["organization"].queryset = request.user.organization_set.all()
if request.method == "POST" and form.is_valid():
form.save()
return redirect(reverse("wifi"))
return render(request, "manager/form.html", { "title": "Edit WiFi", "form": form })
@user_passes_test(is_superuser)
def getconfig(request, device_id):
FWDIR = "/opt/vpnmanager/images/"
device = get_object_or_404(Device, id=device_id)
files = glob.glob("%s/%s.bin" % (FWDIR, device_id))
if not ((files and datetime.datetime.fromtimestamp(os.path.getmtime(files[0]), timezone.get_current_timezone()) > device.model.firmware) or mkfirmware.apply_async((device, FWDIR), serializer='pickle').get(timeout=300)):
return HttpResponse(status=503)
sigUpdateDevice(device.serial, None, False)
device.update = False
device.save()
with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download:
response = HttpResponse(download.read(), content_type="application/octet-stream")
response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial
return response
@login_required
def rebootdevice(request, device_id):
device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all())
if not device.reboot:
sigRebootDevice(device.serial, request.user.username, True)
device.reboot = True
device.save()
return redirect(reverse("devices"))
@user_passes_test(is_staff)
def updatedevice(request, device_id):
device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all())
if not device.update:
sigUpdateDevice(device.serial, request.user.username, True)
device.update = True
device.save()
return redirect(reverse("devices"))
@user_passes_test(is_superuser)
def deletedevice(request, device_id):
CADIR = "/etc/openvpn/ca/"
BEFORE = os.getcwd()
device = get_object_or_404(Device, id=device_id)
os.chdir(CADIR)
subprocess.call(CADIR + "/revoke " + device.serial, shell=True)
os.system("rm " + CADIR + "/keys/" + device.serial + ".{crt,csr,key}")
os.chdir(BEFORE)
device.delete()
return redirect(reverse("devices"))
@user_passes_test(is_staff)
def deletewifi(request, wifi_id):
wifi = get_object_or_404(Wifi, id=wifi_id, organization__in=request.user.organization_set.all())
wifi.delete()
return redirect(reverse("wifi"))
@user_passes_test(is_superuser)
def deleteuser(request, user_id):
user = get_object_or_404(User, id=user_id)
user.delete()
return redirect(reverse("users"))
@user_passes_test(is_superuser)
def deletenetwork(request, network_id):
network = get_object_or_404(Network, id=network_id)
network.delete()
return redirect(reverse("networks"))
@user_passes_test(is_superuser)
def deleteorga(request, orga_id):
orga = get_object_or_404(Organization, id=orga_id)
orga.delete()
return redirect(reverse("organizations"))
@login_required
def makewifi(request):
form = WifiForm(request.POST if request.method == "POST" else None, initial={"organization": request.user.userstatus.orga} if request.method == "GET" else None)
form.fields["organization"].queryset = request.user.organization_set.all()
if request.method == "POST" and form.is_valid():
form.save()
return redirect(reverse("wifi"))
return render(request, "manager/form.html", { "title": "Add WiFi", "form": form })
@user_passes_test(is_superuser)
def makenetwork(request):
if request.method == "POST":
form = NetworkForm(request.POST)
if form.is_valid():
form.save()
return redirect(reverse("networks"))
else:
form = NetworkForm()
return render(request, "manager/form.html", { "title": "Add Network", "form": form })
@user_passes_test(is_superuser)
def editnetwork(request, network_id):
net = get_object_or_404(Network, id=network_id)
form = NetworkForm(request.POST if request.method == "POST" else None, instance=net)
form.fields["intip"].disabled = True
form.fields["extip"].disabled = True
if request.method == "POST" and form.is_valid():
form.save()
return redirect(reverse("networks"))
return render(request, "manager/form.html", { "title": "Edit Network", "form": form })
@login_required
def setactiveorga(request, orga_id):
request.user.userstatus.orga = get_object_or_404(Organization, id=orga_id, users=request.user)
request.user.userstatus.save()
return HttpResponse("")
@user_passes_test(is_superuser)
def makeorganization(request):
if request.method == "POST":
form = OrgaForm(request.POST)
if form.is_valid():
orga = form.save()
request.user.organization_set.add(orga)
Network.objects.get(intip="No VPN").organization.add(orga)
return redirect(reverse("organizations"))
else:
form = OrgaForm()
return render(request, "manager/form.html", { "title": "Add Organization", "form": form })
@user_passes_test(is_superuser)
def editorganization(request, orga_id):
orga = get_object_or_404(Organization, id=orga_id)
if request.method == "POST":
form = OrgaForm(request.POST, instance=orga)
if form.is_valid():
form.save()
return redirect(reverse("organizations"))
else:
form = OrgaForm(instance=orga)
return render(request, "manager/form.html", { "title": "Change Organization", "form": form })
@user_passes_test(is_superuser)
def makedevice(request):
CADIR = "/etc/openvpn/ca/"
CONFIGDIR = "/etc/openvpn/client-configs/"
BEFORE = os.getcwd()
device_serial = request.POST.get("serial", "").replace(" ", "_")
device_name = request.POST.get("name", "")
device_organization = request.POST.get("organization", "")
device_model = request.POST.get("model", "")
device_ssid = request.POST.get("ssid", device_serial)
device_key = request.POST.get("key", "")
device_mac = request.POST.get("mac", "")
if not device_serial:
orga = Organization.objects.all()
models = Model.objects.all()
return render(request, "manager/add.html",
{
"title": "Add Device",
"organizations": orga,
"models": models
}
)
if glob.glob(CADIR + "/keys/" + device_serial + "*"):
return HttpResponse("This key already exists.")
os.chdir(CADIR)
if subprocess.call(CADIR + "/generate-key " + device_serial, shell=True):
os.chdir(BEFORE)
return HttpResponse("Something went wrong trying to generate the key.")
if glob.glob(CONFIGDIR + "/files/" + device_serial + "*"):
os.chdir(BEFORE)
return HttpResponse("This configuration file already exists.")
os.chdir(CONFIGDIR)
if subprocess.call(CONFIGDIR + "/make_config " + device_serial, shell=True):
os.chdir(BEFORE)
return HttpResponse("Something went wrong trying to generate the config file.")
os.chdir(BEFORE)
device = Device.objects.create(
serial=device_serial,
name=device_name,
ssid=device_ssid,
key=device_key,
model=Model.objects.filter(id=device_model)[0],
network=Network.objects.filter(intip="No VPN")[0],
organization=Organization.objects.filter(id=device_organization)[0],
vpnconfig = open(CONFIGDIR + "/files/" + device_serial + ".ovpn").read(),
mac = device_mac or None,
changed = timezone.now()
)
return redirect(reverse("devices"))
@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def createUserStatus(sender, instance, created, **kwargs):
if created:
UserStatus.objects.create(user=instance)
@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def saveUserStatus(sender, instance, **kwargs):
try:
instance.userstatus.save()
except:
UserStatus.objects.create(user=instance)
def errorhandler(request, code, exception):
if code == 403:
exception.human = "You have no permission to access the requested page."
elif code == 400:
exception.human = "Something seems to be wrong with the request you sent. Please try again."
elif code == 404:
exception.human = "Sorry, we were unable to find the page you requested. Please check the address and try again."
elif code == 500:
exception.human = "Sorry, something seems to be wrong on our end. Please try again later or contact support if the problem persists."
return devices(request, code=code, exception=exception)
def handler400(request, exception):
return errorhandler(request, 400, exception)
def handler403(request, exception):
return errorhandler(request, 403, exception)
def handler404(request, exception):
return errorhandler(request, 404, exception)
def handler500(request):
return errorhandler(request, 500, Exception("Please check the server logs for additional information."))