Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2025-09-13 14:31:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

wip: create/update/...

Browse Source
This commit is contained in:
Christoph Haas
2020-11-07 10:31:48 +01:00
parent 461a339ada
commit e084a8aa66
9 changed files with 762 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/server/core.go
View File

@@ -90,12 +90,12 @@ func (s *Server) Setup() error {
}
// Setup user manager
s.users = NewUserManager()
if s.users == nil {
if s.users = NewUserManager(s.wg, s.ldapUsers); s.users == nil {
return errors.New("unable to setup user manager")
}
s.users.InitWithDevice(s.wg.GetDeviceInfo())
s.users.InitWithPeers(s.wg.GetPeerList())
if err := s.users.InitFromCurrentInterface(); err != nil {
return errors.New("unable to initialize user manager")
}
dir := s.getExecutableDirectory()
rDir, _ := filepath.Abs(filepath.Dir(os.Args[0]))

346
internal/server/handlers.go
View File

@@ -2,7 +2,10 @@ package server
import (
"net/http"
"net/url"
"strconv"
"strings"
"time"
"github.com/gin-gonic/gin"
)
@@ -32,24 +35,9 @@ func (s *Server) HandleError(c *gin.Context, code int, message, details string)
}
func (s *Server) GetAdminIndex(c *gin.Context) {
dev, err := s.wg.GetDeviceInfo()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "WireGuard error", err.Error())
return
}
peers, err := s.wg.GetPeerList()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "WireGuard error", err.Error())
return
}
device := s.users.GetDevice()
device.Interface = dev
users := s.users.GetAllUsers()
users := make([]User, len(peers))
for i, peer := range peers {
users[i] = s.users.GetOrCreateUserForPeer(peer)
}
c.HTML(http.StatusOK, "admin_index.html", struct {
Route string
Session SessionData
@@ -65,8 +53,332 @@ func (s *Server) GetAdminIndex(c *gin.Context) {
})
}
func (s *Server) GetAdminEditInterface(c *gin.Context) {
device := s.users.GetDevice()
users := s.users.GetAllUsers()
c.HTML(http.StatusOK, "admin_edit_interface.html", struct {
Route string
Alerts AlertData
Session SessionData
Static StaticData
Peers []User
Device Device
}{
Route: c.Request.URL.Path,
Alerts: s.getAlertData(c),
Session: s.getSessionData(c),
Static: s.getStaticData(),
Peers: users,
Device: device,
})
}
func (s *Server) PostAdminEditInterface(c *gin.Context) {
device := s.users.GetDevice()
var err error
device.ListenPort, err = strconv.Atoi(c.PostForm("port"))
if err != nil {
s.setAlert(c, "invalid port: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
ipField := c.PostForm("ip")
ips := strings.Split(ipField, ",")
validatedIPs := make([]string, 0, len(ips))
for i := range ips {
ips[i] = strings.TrimSpace(ips[i])
if ips[i] != "" {
validatedIPs = append(validatedIPs, ips[i])
}
}
if len(validatedIPs) == 0 {
s.setAlert(c, "invalid ip address", "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
device.IPs = validatedIPs
device.Endpoint = c.PostForm("endpoint")
dnsField := c.PostForm("dns")
dns := strings.Split(dnsField, ",")
validatedDNS := make([]string, 0, len(dns))
for i := range dns {
dns[i] = strings.TrimSpace(dns[i])
if dns[i] != "" {
validatedDNS = append(validatedDNS, dns[i])
}
}
device.DNS = validatedDNS
allowedIPField := c.PostForm("allowedip")
allowedIP := strings.Split(allowedIPField, ",")
validatedAllowedIP := make([]string, 0, len(allowedIP))
for i := range allowedIP {
allowedIP[i] = strings.TrimSpace(allowedIP[i])
if allowedIP[i] != "" {
validatedAllowedIP = append(validatedAllowedIP, allowedIP[i])
}
}
device.AllowedIPs = validatedAllowedIP
device.Mtu, err = strconv.Atoi(c.PostForm("mtu"))
if err != nil {
s.setAlert(c, "invalid MTU: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
device.PersistentKeepalive, err = strconv.Atoi(c.PostForm("keepalive"))
if err != nil {
s.setAlert(c, "invalid PersistentKeepalive: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
// Update WireGuard device
err = s.wg.UpdateDevice(device.DeviceName, device.GetDeviceConfig())
if err != nil {
s.setAlert(c, "failed to update device in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
// Update in database
err = s.users.UpdateDevice(device)
if err != nil {
s.setAlert(c, "failed to update device in database: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
s.setAlert(c, "changes applied successfully", "success")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
}
func (s *Server) GetAdminEditPeer(c *gin.Context) {
device := s.users.GetDevice()
user := s.users.GetUserByKey(c.Query("pkey"))
c.HTML(http.StatusOK, "admin_edit_client.html", struct {
Route string
Alerts AlertData
Session SessionData
Static StaticData
Peer User
Device Device
}{
Route: c.Request.URL.Path,
Alerts: s.getAlertData(c),
Session: s.getSessionData(c),
Static: s.getStaticData(),
Peer: user,
Device: device,
})
}
func (s *Server) PostAdminEditPeer(c *gin.Context) {
user := s.users.GetUserByKey(c.Query("pkey"))
urlEncodedKey := url.QueryEscape(c.Query("pkey"))
var err error
user.Identifier = c.PostForm("identifier")
if user.Identifier == "" {
s.setAlert(c, "invalid identifier, must not be empty", "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
user.Email = c.PostForm("mail")
if user.Email == "" {
s.setAlert(c, "invalid email, must not be empty", "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
ipField := c.PostForm("ip")
ips := strings.Split(ipField, ",")
validatedIPs := make([]string, 0, len(ips))
for i := range ips {
ips[i] = strings.TrimSpace(ips[i])
if ips[i] != "" {
validatedIPs = append(validatedIPs, ips[i])
}
}
if len(validatedIPs) == 0 {
s.setAlert(c, "invalid ip address", "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
user.IPs = validatedIPs
allowedIPField := c.PostForm("allowedip")
allowedIP := strings.Split(allowedIPField, ",")
validatedAllowedIP := make([]string, 0, len(allowedIP))
for i := range allowedIP {
allowedIP[i] = strings.TrimSpace(allowedIP[i])
if allowedIP[i] != "" {
validatedAllowedIP = append(validatedAllowedIP, allowedIP[i])
}
}
user.AllowedIPs = validatedAllowedIP
user.IgnorePersistentKeepalive = c.PostForm("ignorekeepalive") != ""
disabled := c.PostForm("isdisabled") != ""
now := time.Now()
if disabled && user.DeactivatedAt == nil {
user.DeactivatedAt = &now
} else if !disabled {
user.DeactivatedAt = nil
}
// Update WireGuard device
if user.DeactivatedAt == &now {
err = s.wg.RemovePeer(user.PublicKey)
if err != nil {
s.setAlert(c, "failed to remove peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
} else if user.DeactivatedAt == nil && user.Peer != nil {
err = s.wg.UpdatePeer(user.GetPeerConfig())
if err != nil {
s.setAlert(c, "failed to update peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
} else if user.DeactivatedAt == nil && user.Peer == nil {
err = s.wg.AddPeer(user.GetPeerConfig())
if err != nil {
s.setAlert(c, "failed to add peer in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
}
// Update in database
err = s.users.UpdateUser(user)
if err != nil {
s.setAlert(c, "failed to update user in database: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
return
}
s.setAlert(c, "changes applied successfully", "success")
c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
}
func (s *Server) GetAdminCreatePeer(c *gin.Context) {
device := s.users.GetDevice()
user := s.users.GetUserByKey(c.Query("pkey"))
c.HTML(http.StatusOK, "admin_edit_client.html", struct {
Route string
Alerts AlertData
Session SessionData
Static StaticData
Peer User
Device Device
}{
Route: c.Request.URL.Path,
Alerts: s.getAlertData(c),
Session: s.getSessionData(c),
Static: s.getStaticData(),
Peer: user,
Device: device,
})
}
func (s *Server) PostAdminCreatePeer(c *gin.Context) {
device := s.users.GetDevice()
var err error
device.ListenPort, err = strconv.Atoi(c.PostForm("port"))
if err != nil {
s.setAlert(c, "invalid port: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
ipField := c.PostForm("ip")
ips := strings.Split(ipField, ",")
validatedIPs := make([]string, 0, len(ips))
for i := range ips {
ips[i] = strings.TrimSpace(ips[i])
if ips[i] != "" {
validatedIPs = append(validatedIPs, ips[i])
}
}
if len(validatedIPs) == 0 {
s.setAlert(c, "invalid ip address", "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
device.IPs = validatedIPs
device.Endpoint = c.PostForm("endpoint")
dnsField := c.PostForm("dns")
dns := strings.Split(dnsField, ",")
validatedDNS := make([]string, 0, len(dns))
for i := range dns {
dns[i] = strings.TrimSpace(dns[i])
if dns[i] != "" {
validatedDNS = append(validatedDNS, dns[i])
}
}
device.DNS = validatedDNS
allowedIPField := c.PostForm("allowedip")
allowedIP := strings.Split(allowedIPField, ",")
validatedAllowedIP := make([]string, 0, len(allowedIP))
for i := range allowedIP {
allowedIP[i] = strings.TrimSpace(allowedIP[i])
if allowedIP[i] != "" {
validatedAllowedIP = append(validatedAllowedIP, allowedIP[i])
}
}
device.AllowedIPs = validatedAllowedIP
device.Mtu, err = strconv.Atoi(c.PostForm("mtu"))
if err != nil {
s.setAlert(c, "invalid MTU: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
device.PersistentKeepalive, err = strconv.Atoi(c.PostForm("keepalive"))
if err != nil {
s.setAlert(c, "invalid PersistentKeepalive: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
// Update WireGuard device
err = s.wg.UpdateDevice(device.DeviceName, device.GetDeviceConfig())
if err != nil {
s.setAlert(c, "failed to update device in WireGuard: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
// Update in database
err = s.users.UpdateDevice(device)
if err != nil {
s.setAlert(c, "failed to update device in database: "+err.Error(), "danger")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
return
}
s.setAlert(c, "changes applied successfully", "success")
c.Redirect(http.StatusSeeOther, "/admin/device/edit")
}
func (s *Server) GetUserQRCode(c *gin.Context) {
user := s.users.GetUser(c.Param("pkey"))
user := s.users.GetUserByKey(c.Query("pkey"))
png, err := user.GetQRCode()
if err != nil {
s.HandleError(c, http.StatusInternalServerError, "QRCode error", err.Error())

6
internal/server/routes.go
View File

@@ -20,6 +20,12 @@ func SetupRoutes(s *Server) {
admin := s.server.Group("/admin")
admin.Use(s.RequireAuthentication(s.config.AdminLdapGroup))
admin.GET("/", s.GetAdminIndex)
admin.GET("/device/edit", s.GetAdminEditInterface)
admin.POST("/device/edit", s.PostAdminEditInterface)
admin.GET("/peer/edit", s.GetAdminEditPeer)
admin.POST("/peer/edit", s.PostAdminEditPeer)
admin.GET("/peer/create", s.GetAdminCreatePeer)
admin.POST("/peer/create", s.PostAdminCreatePeer)
// User routes
user := s.server.Group("/user")

273
internal/server/usermanager.go
View File

@@ -22,10 +22,14 @@ import (
"gorm.io/gorm"
)
//
// USER ----------------------------------------------------------------------------------------
//
type User struct {
Peer wgtypes.Peer `gorm:"-"`
User *ldap.UserCacheHolderEntry `gorm:"-"` // optional, it is still possible to have users without ldap
Config string `gorm:"-"`
Peer *wgtypes.Peer `gorm:"-"`
LdapUser *ldap.UserCacheHolderEntry `gorm:"-"` // optional, it is still possible to have users without ldap
Config string `gorm:"-"`
UID string // uid for html identification
IsOnline bool `gorm:"-"`
@@ -48,6 +52,28 @@ type User struct {
UpdatedAt time.Time
}
func (u User) GetClientConfigFile(device Device) ([]byte, error) {
tpl, err := template.New("client").Funcs(template.FuncMap{"StringsJoin": strings.Join}).Parse(wireguard.ClientCfgTpl)
if err != nil {
return nil, err
}
var tplBuff bytes.Buffer
err = tpl.Execute(&tplBuff, struct {
Client User
Server Device
}{
Client: u,
Server: device,
})
if err != nil {
return nil, err
}
return tplBuff.Bytes(), nil
}
func (u User) GetPeerConfig() wgtypes.PeerConfig {
publicKey, _ := wgtypes.ParseKey(u.PublicKey)
var presharedKey *wgtypes.Key
@@ -87,6 +113,18 @@ func (u User) GetQRCode() ([]byte, error) {
return png, nil
}
func (u User) IsValid() bool {
if u.PublicKey == "" {
return false
}
return true
}
//
// DEVICE --------------------------------------------------------------------------------------
//
type Device struct {
Interface *wgtypes.Device `gorm:"-"`
@@ -112,6 +150,9 @@ type Device struct {
}
func (d Device) IsValid() bool {
if d.PublicKey == "" {
return false
}
if len(d.IPs) == 0 {
return false
}
@@ -122,12 +163,33 @@ func (d Device) IsValid() bool {
return true
}
type UserManager struct {
db *gorm.DB
func (d Device) GetDeviceConfig() wgtypes.Config {
var privateKey *wgtypes.Key
if d.PrivateKey != "" {
pKey, _ := wgtypes.ParseKey(d.PrivateKey)
privateKey = &pKey
}
cfg := wgtypes.Config{
PrivateKey: privateKey,
ListenPort: &d.ListenPort,
}
return cfg
}
func NewUserManager() *UserManager {
um := &UserManager{}
//
// USER-MANAGER --------------------------------------------------------------------------------
//
type UserManager struct {
db *gorm.DB
wg *wireguard.Manager
ldapUsers *ldap.SynchronizedUserCacheHolder
}
func NewUserManager(wg *wireguard.Manager, ldapUsers *ldap.SynchronizedUserCacheHolder) *UserManager {
um := &UserManager{wg: wg, ldapUsers: ldapUsers}
var err error
um.db, err = gorm.Open(sqlite.Open("wg_portal.db"), &gorm.Config{})
if err != nil {
@@ -144,52 +206,32 @@ func NewUserManager() *UserManager {
return um
}
func (u *UserManager) InitWithPeers(peers []wgtypes.Peer, err error) {
func (u *UserManager) InitFromCurrentInterface() error {
peers, err := u.wg.GetPeerList()
if err != nil {
log.Errorf("failed to init user-manager from peers: %v", err)
return
return err
}
for _, peer := range peers {
u.GetOrCreateUserForPeer(peer)
}
}
func (u *UserManager) InitWithDevice(dev *wgtypes.Device, err error) {
device, err := u.wg.GetDeviceInfo()
if err != nil {
log.Errorf("failed to init user-manager from device: %v", err)
return
}
u.GetOrCreateDevice(*dev)
}
func (u *UserManager) GetAllUsers() []User {
users := make([]User, 0)
u.db.Find(&users)
for i := range users {
users[i].AllowedIPs = strings.Split(users[i].AllowedIPsStr, ", ")
users[i].IPs = strings.Split(users[i].IPsStr, ", ")
tmpCfg, _ := u.GetPeerConfigFile(users[i])
users[i].Config = string(tmpCfg)
return err
}
return users
}
func (u *UserManager) GetDevice() Device {
devices := make([]Device, 0, 1)
u.db.Find(&devices)
for i := range devices {
devices[i].AllowedIPs = strings.Split(devices[i].AllowedIPsStr, ", ")
devices[i].IPs = strings.Split(devices[i].IPsStr, ", ")
devices[i].DNS = strings.Split(devices[i].DNSStr, ", ")
// Check if entries already exist in database, if not create them
for _, peer := range peers {
if err := u.validateOrCreateUserForPeer(peer); err != nil {
return err
}
}
if err := u.validateOrCreateDevice(*device); err != nil {
return err
}
return devices[0]
return nil
}
func (u *UserManager) GetOrCreateUserForPeer(peer wgtypes.Peer) User {
func (u *UserManager) validateOrCreateUserForPeer(peer wgtypes.Peer) error {
user := User{}
u.db.Where("public_key = ?", peer.PublicKey.String()).FirstOrInit(&user)
@@ -215,25 +257,92 @@ func (u *UserManager) GetOrCreateUserForPeer(peer wgtypes.Peer) User {
res := u.db.Create(&user)
if res.Error != nil {
log.Errorf("failed to create autodetected peer: %v", res.Error)
return res.Error
}
}
user.IPs = strings.Split(user.IPsStr, ", ")
return nil
}
func (u *UserManager) validateOrCreateDevice(dev wgtypes.Device) error {
device := Device{}
u.db.Where("device_name = ?", dev.Name).FirstOrInit(&device)
if device.PublicKey == "" { // device not found, create
device.PublicKey = dev.PublicKey.String()
device.PrivateKey = dev.PrivateKey.String()
device.DeviceName = dev.Name
device.ListenPort = dev.ListenPort
device.Mtu = 0
device.PersistentKeepalive = 16 // Default
res := u.db.Create(&device)
if res.Error != nil {
log.Errorf("failed to create autodetected device: %v", res.Error)
return res.Error
}
}
return nil
}
func (u *UserManager) populateUserData(user *User) {
user.AllowedIPs = strings.Split(user.AllowedIPsStr, ", ")
tmpCfg, _ := u.GetPeerConfigFile(user)
user.IPs = strings.Split(user.IPsStr, ", ")
// Set config file
tmpCfg, _ := user.GetClientConfigFile(u.GetDevice())
user.Config = string(tmpCfg)
// set data from WireGuard interface
user.Peer, _ = u.wg.GetPeer(user.PublicKey)
user.IsOnline = false // todo: calculate online status
// set ldap data
user.LdapUser = u.ldapUsers.GetUserData(u.ldapUsers.GetUserDNByMail(user.Email))
}
func (u *UserManager) populateDeviceData(device *Device) {
device.AllowedIPs = strings.Split(device.AllowedIPsStr, ", ")
device.IPs = strings.Split(device.IPsStr, ", ")
device.DNS = strings.Split(device.DNSStr, ", ")
// set data from WireGuard interface
device.Interface, _ = u.wg.GetDeviceInfo()
}
func (u *UserManager) GetAllUsers() []User {
users := make([]User, 0)
u.db.Find(&users)
for i := range users {
u.populateUserData(&users[i])
}
return users
}
func (u *UserManager) GetDevice() Device {
devices := make([]Device, 0, 1)
u.db.Find(&devices)
for i := range devices {
u.populateDeviceData(&devices[i])
}
return devices[0] // use first device for now... more to come?
}
func (u *UserManager) GetUserByKey(publicKey string) User {
user := User{}
u.db.Where("public_key = ?", publicKey).FirstOrInit(&user)
u.populateUserData(&user)
return user
}
func (u *UserManager) GetUser(publicKey string) User {
func (u *UserManager) GetUserByMail(mail string) User {
user := User{}
u.db.Where("public_key = ?", publicKey).FirstOrInit(&user)
user.IPs = strings.Split(user.IPsStr, ", ")
user.AllowedIPs = strings.Split(user.AllowedIPsStr, ", ")
tmpCfg, _ := u.GetPeerConfigFile(user)
user.Config = string(tmpCfg)
u.db.Where("email = ?", mail).FirstOrInit(&user)
u.populateUserData(&user)
return user
}
@@ -268,6 +377,21 @@ func (u *UserManager) UpdateUser(user User) error {
return nil
}
func (u *UserManager) UpdateDevice(device Device) error {
device.UpdatedAt = time.Now()
device.AllowedIPsStr = strings.Join(device.AllowedIPs, ", ")
device.IPsStr = strings.Join(device.IPs, ", ")
device.DNSStr = strings.Join(device.DNS, ", ")
res := u.db.Save(&device)
if res.Error != nil {
log.Errorf("failed to update device: %v", res.Error)
return res.Error
}
return nil
}
func (u *UserManager) GetAllReservedIps() ([]string, error) {
reservedIps := make([]string, 0)
users := u.GetAllUsers()
@@ -328,50 +452,3 @@ func (u *UserManager) GetAvailableIp(cidr string, reserved []string) (string, er
return "", errors.New("no more available address from cidr")
}
func (u *UserManager) GetOrCreateDevice(dev wgtypes.Device) Device {
device := Device{}
u.db.Where("device_name = ?", dev.Name).FirstOrInit(&device)
if device.PublicKey == "" { // device not found, create
device.PublicKey = dev.PublicKey.String()
device.PrivateKey = dev.PrivateKey.String()
device.DeviceName = dev.Name
device.ListenPort = dev.ListenPort
device.Mtu = 0
device.PersistentKeepalive = 16 // Default
res := u.db.Create(&device)
if res.Error != nil {
log.Errorf("failed to create autodetected device: %v", res.Error)
}
}
device.IPs = strings.Split(device.IPsStr, ", ")
device.AllowedIPs = strings.Split(device.AllowedIPsStr, ", ")
device.DNS = strings.Split(device.DNSStr, ", ")
return device
}
func (u *UserManager) GetPeerConfigFile(user User) ([]byte, error) {
tpl, err := template.New("client").Funcs(template.FuncMap{"StringsJoin": strings.Join}).Parse(wireguard.ClientCfgTpl)
if err != nil {
return nil, err
}
var tplBuff bytes.Buffer
err = tpl.Execute(&tplBuff, struct {
Client User
Server Device
}{
Client: user,
Server: u.GetDevice(),
})
if err != nil {
return nil, err
}
return tplBuff.Bytes(), nil
}