Gitiles
Code Review Sign In
gerrit.lfbroadband.org / xos / 71ebcd77b7a6e9ee499252c70841f1d6333a98ae / . / xos / services / vpn / models.py
blob: 1c7af1b911a9515d971c7369f7bc165647e99b4b [file] [log] [blame]
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]1from core.models import Service, TenantWithContainer
2from django.db import transaction
3
4VPN_KIND = "vpn"
5
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]6
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]7class VPNService(Service):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]8 """Defines the Service for creating VPN servers."""
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]9 KIND = VPN_KIND
10
11 class Meta:
12 proxy = True
13 # The name used to find this service, all directories are named this
14 app_label = "vpn"
15 verbose_name = "VPN Service"
16
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]17
Jeremy Mowery7ced7382015-12-04 23:58:38 -0700[diff] [blame]18class VPNTenant(TenantWithContainer):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]19 """Defines the Tenant for creating VPN servers."""
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]20
21 class Meta:
22 proxy = True
23 verbose_name = "VPN Tenant"
24
25 KIND = VPN_KIND
26
27 sync_attributes = ("nat_ip", "nat_mac",)
28
Jeremy Mowery3f6adcd2016-02-21 15:36:32 -0700[diff] [blame]29 default_attributes = {'vpn_subnet': None,
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]30 'server_network': None,
31 'clients_can_see_each_other': True,
Jeremy Mowerye02d4b62016-01-10 15:21:52 -0700[diff] [blame]32 'is_persistent': True,
Jeremy Mowery290714e2016-02-25 14:36:29 -0700[diff] [blame]33 'ca_crt': None,
Jeremy Mowery47c93742016-03-02 00:01:25 -0700[diff] [blame]34 'port': None,
Jeremy Mowery65c60702016-03-16 11:22:02 -0700[diff] [blame]35 'script_text': None,
36 'failover_servers': []}
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]37
38 def __init__(self, *args, **kwargs):
39 vpn_services = VPNService.get_service_objects().all()
40 if vpn_services:
41 self._meta.get_field(
42 "provider_service").default = vpn_services[0].id
43 super(VPNTenant, self).__init__(*args, **kwargs)
44
45 def save(self, *args, **kwargs):
46 super(VPNTenant, self).save(*args, **kwargs)
47 model_policy_vpn_tenant(self.pk)
48
49 def delete(self, *args, **kwargs):
50 self.cleanup_container()
51 super(VPNTenant, self).delete(*args, **kwargs)
52
53 @property
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]54 def addresses(self):
Jeremy Mowery5055c7b2016-01-08 17:25:33 -0700[diff] [blame]55 """Mapping[str, str]: The ip, mac address, and subnet of the NAT network of this Tenant."""
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]56 if (not self.id) or (not self.instance):
57 return {}
58
59 addresses = {}
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]60 for ns in self.instance.ports.all():
61 if "nat" in ns.network.name.lower():
Jeremy Mowery5055c7b2016-01-08 17:25:33 -0700[diff] [blame]62 addresses["ip"] = ns.ip
63 addresses["mac"] = ns.mac
Jeremy Mowery5055c7b2016-01-08 17:25:33 -0700[diff] [blame]64 break
65
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]66 return addresses
67
68 # This getter is necessary because nat_ip is a sync_attribute
69 @property
70 def nat_ip(self):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]71 """str: The IP of this Tenant on the NAT network."""
Jeremy Mowery5055c7b2016-01-08 17:25:33 -0700[diff] [blame]72 return self.addresses.get("ip", None)
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]73
74 # This getter is necessary because nat_mac is a sync_attribute
75 @property
76 def nat_mac(self):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]77 """str: The MAC address of this Tenant on the NAT network."""
Jeremy Mowery5055c7b2016-01-08 17:25:33 -0700[diff] [blame]78 return self.addresses.get("mac", None)
Jeremy Mowerya9b673b2016-01-07 21:25:50 -0700[diff] [blame]79
80 @property
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]81 def server_network(self):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]82 """str: The IP address of the server on the VPN."""
Jeremy Mowerybd2ed3a2016-01-05 16:52:43 -0700[diff] [blame]83 return self.get_attribute(
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]84 'server_network',
85 self.default_attributes['server_network'])
Jeremy Mowerybd2ed3a2016-01-05 16:52:43 -0700[diff] [blame]86
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]87 @server_network.setter
88 def server_network(self, value):
89 self.set_attribute("server_network", value)
Jeremy Mowerybd2ed3a2016-01-05 16:52:43 -0700[diff] [blame]90
91 @property
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]92 def vpn_subnet(self):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]93 """str: The IP address of the client on the VPN."""
Jeremy Mowerybd2ed3a2016-01-05 16:52:43 -0700[diff] [blame]94 return self.get_attribute(
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]95 'vpn_subnet',
96 self.default_attributes['vpn_subnet'])
Jeremy Mowerybd2ed3a2016-01-05 16:52:43 -0700[diff] [blame]97
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]98 @vpn_subnet.setter
99 def vpn_subnet(self, value):
100 self.set_attribute("vpn_subnet", value)
Jeremy Mowerybd2ed3a2016-01-05 16:52:43 -0700[diff] [blame]101
102 @property
Jeremy Mowery4a23e7d2016-01-06 15:16:33 -0700[diff] [blame]103 def is_persistent(self):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]104 """bool: True if the VPN connection is persistence, false otherwise."""
Jeremy Mowery4a23e7d2016-01-06 15:16:33 -0700[diff] [blame]105 return self.get_attribute(
106 "is_persistent",
107 self.default_attributes['is_persistent'])
108
109 @is_persistent.setter
110 def is_persistent(self, value):
111 self.set_attribute("is_persistent", value)
112
113 @property
Jeremy Mowery65c60702016-03-16 11:22:02 -0700[diff] [blame]114 def failover_servers(self):
115 self.get_attribute("failover_servers", self.default_attributes["failover_servers"])
116
117 @failover_servers.setter
118 def failover_servers(self, value):
119 self.set_attribute("failover_servers", value)
120
121 @property
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]122 def clients_can_see_each_other(self):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]123 """bool: True if the client can see the subnet of the server, false otherwise."""
Jeremy Mowery4a23e7d2016-01-06 15:16:33 -0700[diff] [blame]124 return self.get_attribute(
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]125 "clients_can_see_each_other",
126 self.default_attributes['clients_can_see_each_other'])
Jeremy Mowery4a23e7d2016-01-06 15:16:33 -0700[diff] [blame]127
Jeremy Moweryfd081292016-02-07 17:07:55 -0700[diff] [blame]128 @clients_can_see_each_other.setter
129 def clients_can_see_each_other(self, value):
130 self.set_attribute("clients_can_see_each_other", value)
Jeremy Mowery4a23e7d2016-01-06 15:16:33 -0700[diff] [blame]131
Jeremy Mowerye02d4b62016-01-10 15:21:52 -0700[diff] [blame]132 @property
Jeremy Mowery3b1caba2016-02-02 23:53:50 -0700[diff] [blame]133 def ca_crt(self):
Jeremy Mowery1eab4fa2016-02-02 17:17:20 -0700[diff] [blame]134 """str: the string for the ca certificate"""
Jeremy Mowery3b1caba2016-02-02 23:53:50 -0700[diff] [blame]135 return self.get_attribute("ca_crt", self.default_attributes['ca_crt'])
Jeremy Mowery1eab4fa2016-02-02 17:17:20 -0700[diff] [blame]136
Jeremy Mowery3b1caba2016-02-02 23:53:50 -0700[diff] [blame]137 @ca_crt.setter
138 def ca_crt(self, value):
139 self.set_attribute("ca_crt", value)
140
Jeremy Mowery290714e2016-02-25 14:36:29 -0700[diff] [blame]141 @property
142 def port_number(self):
143 """int: the integer representing the port number for this server"""
144 return self.get_attribute("port", self.default_attributes['port'])
145
146 @port_number.setter
147 def port_number(self, value):
148 self.set_attribute("port", value)
149
Jeremy Mowery47c93742016-03-02 00:01:25 -0700[diff] [blame]150 @property
151 def script_text(self):
152 return self.get_attribute("script_text", self.default_attributes['script_text'])
153
154 @script_text.setter
155 def script_text(self, value):
156 self.set_attribute("script_text", value)
157
Jeremy Mowerycf1c5192016-03-15 20:28:04 -0700[diff] [blame]158 def create_client_script(self, client_certificate):
Jeremy Mowerybd3dfae2016-03-01 19:15:40 -0700[diff] [blame]159 script = ""
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]160 # write the configuration portion
Jeremy Mowerybd3dfae2016-03-01 19:15:40 -0700[diff] [blame]161 script += ("printf \"%b\" \"")
Jeremy Mowerycf1c5192016-03-15 20:28:04 -0700[diff] [blame]162 script += self.generate_client_conf(client_certificate)
Jeremy Mowerybd3dfae2016-03-01 19:15:40 -0700[diff] [blame]163 script += ("\" > client.conf\n")
164 script += ("printf \"%b\" \"")
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]165 for line in self.ca_crt:
Jeremy Mowerybd3dfae2016-03-01 19:15:40 -0700[diff] [blame]166 script += (line.rstrip() + r"\n")
167 script += ("\" > ca.crt\n")
Jeremy Mowerycf1c5192016-03-15 20:28:04 -0700[diff] [blame]168 script += ("printf \"%b\" \"")
169 for line in self.generate_client_cert(client_certificate):
170 script += (line.rstrip() + r"\n")
171 script += ("\" > " + client_certificate + ".crt\n")
172 for line in self.generate_client_key(client_certificate):
173 script += (line.rstrip() + r"\n")
174 script += ("\" > " + client_certificate + ".key\n")
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]175 # make sure openvpn is installed
Jeremy Mowerybd3dfae2016-03-01 19:15:40 -0700[diff] [blame]176 script += ("apt-get update\n")
177 script += ("apt-get install openvpn\n")
178 script += ("openvpn client.conf &\n")
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]179 # close the script
Jeremy Mowerybd3dfae2016-03-01 19:15:40 -0700[diff] [blame]180 return script;
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]181
Jeremy Mowerycf1c5192016-03-15 20:28:04 -0700[diff] [blame]182 def generate_client_cert(self, client_certificate):
183 return open("/opt/openvpn/easyrsa3/pki/issued/" + client_certificate + ".crt").readlines()
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]184
Jeremy Mowerycf1c5192016-03-15 20:28:04 -0700[diff] [blame]185 def generate_client_key(self, client_certificate):
186 return open("/opt/openvpn/easyrsa3/pki/private/" + client_certificate + ".key").readlines()
187
188 def generate_client_conf(self, client_certificate):
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]189 """str: Generates the client configuration to use to connect to this VPN server.
190 """
191 conf = ("client\n" +
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]192 "dev tun\n" +
193 "proto udp\n" +
194 "remote " + str(self.nat_ip) + " " + str(self.port_number) + "\n" +
195 "resolv-retry infinite\n" +
196 "nobind\n" +
197 "ca ca.crt\n" +
Jeremy Mowerycf1c5192016-03-15 20:28:04 -0700[diff] [blame]198 "cert " + client_certificate + ".crt\n" +
199 "key " + client_certificate + ".key\n" +
Jeremy Mowery01e3a5b2016-02-25 14:50:58 -0700[diff] [blame]200 "comp-lzo\n" +
201 "verb 3\n")
202
203 if self.is_persistent:
204 conf += "persist-tun\n"
205 conf += "persist-key\n"
206
207 return conf
208
Jeremy Mowery290714e2016-02-25 14:36:29 -0700[diff] [blame]209
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]210
211def model_policy_vpn_tenant(pk):
Jeremy Mowery82760822016-01-08 16:36:22 -0700[diff] [blame]212 """Manages the contain for the VPN Tenant."""
Jeremy Mowery8b664f72015-12-04 11:52:16 -0700[diff] [blame]213 # This section of code is atomic to prevent race conditions
214 with transaction.atomic():
215 # We find all of the tenants that are waiting to update
216 tenant = VPNTenant.objects.select_for_update().filter(pk=pk)
217 if not tenant:
218 return
219 # Since this code is atomic it is safe to always use the first tenant
220 tenant = tenant[0]
221 tenant.manage_container()