Gitiles
Code Review Sign In
gerrit.lfbroadband.org / xos / bfda8be41d42d9c1886bd0dee5a22eb5bec40527 / . / xos / synchronizers / openvpn / steps / sync_tenantprivilege.py
blob: 51ee6dfd2e6a23dfe5a75fe02683ada4a1c9c4aa [file] [log] [blame]
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]1import os
2import sys
3
Jeremy Mowery5acf7b92016-04-12 23:31:51 -0700[diff] [blame]4from core.models import TenantPrivilege
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]5from services.openvpn.models import OPENVPN_KIND, OpenVPNService, OpenVPNTenant
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]6from synchronizers.base.syncstep import DeferredException, SyncStep
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]7
8parentdir = os.path.join(os.path.dirname(__file__), "..")
9sys.path.insert(0, parentdir)
10
11
12class SyncTenantPrivilege(SyncStep):
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]13 """Class for syncing a TenantPrivilege for a OpenVPNTenant.
Jeremy Mowery98e97d72016-04-15 00:05:27 -0700[diff] [blame]14
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]15 This SyncStep isolates the updated TenantPrivileges that are for OpenVPNTenants and performs
Jeremy Mowery98e97d72016-04-15 00:05:27 -0700[diff] [blame]16 actions if the TenantPrivilege has been added or deleted. For added privileges a new client
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]17 certificate and key are made, signed with the ca.crt file used by this OpenVPNTenant. For deleted
Jeremy Mowery98e97d72016-04-15 00:05:27 -0700[diff] [blame]18 privileges the client certificate is revoked and the files associated are deleted. In both
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]19 cases the associated OpenVPNTenant is saved causing the OpenVPNTenant synchronizer to run.
Jeremy Mowery98e97d72016-04-15 00:05:27 -0700[diff] [blame]20 """
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]21 provides = [TenantPrivilege]
22 observes = TenantPrivilege
23 requested_interval = 0
24
25 def fetch_pending(self, deleted):
26 privs = super(SyncTenantPrivilege, self).fetch_pending(deleted)
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]27 # Get only the TenantPrivileges that relate to OpenVPNTenants
28 privs = [priv for priv in privs if priv.tenant.kind == OPENVPN_KIND]
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]29 return privs
30
31 def sync_record(self, record):
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]32 if (not record.tenant.id):
33 raise DeferredException("Privilege waiting on VPN Tenant ID")
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]34 certificate = self.get_certificate_name(record)
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]35 tenant = OpenVPNTenant.get_tenant_objects().filter(pk=record.tenant.id)[0]
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]36 if (not tenant):
37 raise DeferredException("Privilege waiting on VPN Tenant")
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]38 # Only add a certificate if ones does not yet exist
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]39 pki_dir = OpenVPNService.get_pki_dir(tenant)
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]40 if (not os.path.isfile(pki_dir + "/issued/" + certificate + ".crt")):
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]41 OpenVPNService.execute_easyrsa_command(
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]42 pki_dir, "build-client-full " + certificate + " nopass")
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]43 tenant.save()
44 record.save()
45
46 def delete_record(self, record):
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]47 if (not record.tenant.id):
48 return
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]49 certificate = self.get_certificate_name(record)
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]50 tenant = OpenVPNTenant.get_tenant_objects().filter(pk=record.tenant.id)[0]
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]51 if (not tenant):
52 return
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]53 # If the client has already been reovked don't do it again
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]54 pki_dir = OpenVPNService.get_pki_dir(tenant)
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]55 if (os.path.isfile(pki_dir + "/issued/" + certificate + ".crt")):
Jeremy Mowery81e84cc2016-04-19 17:01:48 -0700[diff] [blame]56 OpenVPNService.execute_easyrsa_command(
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]57 pki_dir, "revoke " + certificate)
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]58 # Revoking a client cert does not delete any of the files
59 # to make sure that we can add this user again we need to
60 # delete all of the files created by easyrsa
Jeremy Mowery53605442016-04-14 20:07:54 -0700[diff] [blame]61 os.remove(pki_dir + "/issued/" + certificate + ".crt")
62 os.remove(pki_dir + "/private/" + certificate + ".key")
63 os.remove(pki_dir + "/reqs/" + certificate + ".req")
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]64 tenant.save()
65
66 record.delete()
67
68 def get_certificate_name(self, tenant_privilege):
Jeremy Mowery98e97d72016-04-15 00:05:27 -0700[diff] [blame]69 """Gets the name of a certificate for the given TenantPrivilege
70
71 Parameters:
72 tenant_privilege (core.models.TenantPrivilege): The TenantPrivilege to use to generate
73 the certificate name.
74
75 Returns:
76 str: The certificate name.
Jeremy Mowery0ee0bfc2016-04-15 16:13:45 -0700[diff] [blame]77 """
Jeremy Mowerya49e8ac2016-04-12 23:26:11 -0700[diff] [blame]78 return (str(tenant_privilege.user.email) +
79 "-" + str(tenant_privilege.tenant.id))