chenxixian
/
ovpm
tükrözi: https://github.com/cad/ovpm.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510
							//go:generate go-bindata -pkg bindata -o bindata/bindata.go template/

package ovpm

import (
	"bytes"
	"fmt"
	"math/big"
	"net"
	"os"
	"os/exec"
	"strings"
	"text/template"

	"github.com/Sirupsen/logrus"
	"github.com/asaskevich/govalidator"
	"github.com/cad/ovpm/bindata"
	"github.com/google/uuid"
	"github.com/jinzhu/gorm"
)

// DBNetwork is database model for external networks on the VPN server.
type DBNetwork struct {
	gorm.Model
	ServerID uint
	Server   DBServer

	Name        string
	NetworkCIDR string
}

// DBServer is database model for storing VPN server related stuff.
type DBServer struct {
	gorm.Model
	Name         string `gorm:"unique_index"` // Server name.
	SerialNumber string

	Hostname string // Server's ip address or FQDN
	Port     string // Server's listening port
	Cert     string // Server RSA certificate.
	Key      string // Server RSA private key.
	CACert   string // Root CA RSA certificate.
	CAKey    string // Root CA RSA key.
	Net      string // VPN network.
	Mask     string // VPN network mask.
	CRL      string // Certificate Revocation List
}

// CheckSerial takes a serial number and checks it against the current server's serial number.
func (s *DBServer) CheckSerial(serialNo string) bool {
	return serialNo == s.SerialNumber
}

type _VPNServerConfig struct {
	CertPath     string
	KeyPath      string
	CACertPath   string
	CAKeyPath    string
	CCDPath      string
	CRLPath      string
	DHParamsPath string
	Net          string
	Mask         string
	Port         string
}

// Initialize regenerates keys and certs for a Root CA, and saves them in the database.
func Initialize(serverName string, hostname string, port string) error {
	if IsInitialized() {
		if err := DeInitialize("default"); err != nil {
			logrus.Errorf("server can not be deleted: %v", err)
			return err
		}
	}

	if !govalidator.IsHost(hostname) {
		return fmt.Errorf("validation error: hostname:`%s` should be either an ip address or a FQDN", hostname)
	}

	ca, err := NewCA()
	if err != nil {
		return fmt.Errorf("can not create ca creds: %s", err)
	}

	srv, err := NewServerCertHolder(ca)
	if err != nil {
		return fmt.Errorf("can not create server cert creds: %s", err)
	}
	serialNumber := uuid.New().String()
	serverInstance := DBServer{
		Name: serverName,

		SerialNumber: serialNumber,
		Hostname:     hostname,
		Port:         port,
		Cert:         srv.Cert,
		Key:          srv.Key,
		CACert:       ca.Cert,
		CAKey:        ca.Key,
		Net:          DefaultServerNetwork,
		Mask:         DefaultServerNetMask,
	}

	db.Create(&serverInstance)

	if db.NewRecord(&serverInstance) {
		return fmt.Errorf("can not create server instance on database")
	}

	users, err := GetAllUsers()
	if err != nil {
		return err
	}
	// Sign all users in the db with the new server
	for _, user := range users {
		err := user.Sign()
		logrus.Infof("user certificate changed for %s, you should run: $ ovpm user export-config --user %s", user.Username, user.Username)
		if err != nil {
			logrus.Errorf("can not sign user %s: %v", user.Username, err)
			continue
		}
	}
	return nil
}

// DeInitialize deletes the server with the given serverName from the database and frees the allocated resources.
func DeInitialize(serverName string) error {
	if !IsInitialized() {
		return fmt.Errorf("server not found")
	}

	db.Unscoped().Delete(&DBServer{})
	db.Unscoped().Delete(&DBRevoked{})
	return nil
}

// DumpsClientConfig generates .ovpn file for the given vpn user and returns it as a string.
func DumpsClientConfig(username string) (string, error) {
	var result bytes.Buffer
	user, err := GetUser(username)
	if err != nil {
		return "", err
	}

	server, err := GetServerInstance()
	if err != nil {
		return "", err
	}

	params := struct {
		Hostname string
		Port     string
		CA       string
		Key      string
		Cert     string
	}{
		Hostname: server.Hostname,
		Port:     server.Port,
		CA:       server.CACert,
		Key:      user.Key,
		Cert:     user.Cert,
	}
	data, err := bindata.Asset("template/client.ovpn.tmpl")
	if err != nil {
		return "", err
	}

	t, err := template.New("client.ovpn").Parse(string(data))
	if err != nil {
		return "", fmt.Errorf("can not parse client.ovpn.tmpl template: %s", err)
	}

	err = t.Execute(&result, params)
	if err != nil {
		return "", fmt.Errorf("can not render client.ovpn: %s", err)
	}

	return result.String(), nil
}

// DumpClientConfig generates .ovpn file for the given vpn user and dumps it to outPath.
func DumpClientConfig(username, outPath string) error {
	result, err := DumpsClientConfig(username)
	if err != nil {
		return err
	}
	// Wite rendered content into openvpn server conf.
	return emitToFile(outPath, result, 0)

}

// GetSystemCA returns the system CA from the database if available.
func GetSystemCA() (*CA, error) {
	server := DBServer{}
	db.First(&server)
	if db.NewRecord(&server) {
		return nil, fmt.Errorf("server record does not exists in db")
	}
	return &CA{
		CertHolder: CertHolder{
			Cert: server.CACert,
			Key:  server.CAKey,
		},
	}, nil

}

// Emit generates all needed files for the OpenVPN server and dumps them to their corresponding paths defined in the config.
func Emit() error {
	// Check dependencies
	if !checkOpenVPNExecutable() {
		return fmt.Errorf("openvpn executable can not be found! you should install OpenVPN on this machine")
	}

	if !checkOpenSSLExecutable() {
		return fmt.Errorf("openssl executable can not be found! you should install openssl on this machine")

	}

	if !checkIptablesExecutable() {
		return fmt.Errorf("iptables executable can not be found")
	}

	if !IsInitialized() {
		return fmt.Errorf("you should create a server first. e.g. $ ovpm vpn create-server")
	}

	if err := emitServerConf(); err != nil {
		return fmt.Errorf("can not emit server conf: %s", err)
	}

	if err := emitServerCert(); err != nil {
		return fmt.Errorf("can not emit server cert: %s", err)
	}

	if err := emitServerKey(); err != nil {
		return fmt.Errorf("can not emit server key: %s", err)
	}

	if err := emitCACert(); err != nil {
		return fmt.Errorf("can not emit ca cert : %s", err)
	}

	if err := emitCAKey(); err != nil {
		return fmt.Errorf("can not emit ca key: %s", err)
	}

	if err := emitDHParams(); err != nil {
		return fmt.Errorf("can not emit dhparams: %s", err)
	}

	if err := emitCCD(); err != nil {
		return fmt.Errorf("can not emit ccd: %s", err)
	}

	if err := emitIptables(); err != nil {
		return fmt.Errorf("can not emit iptables conf: %s", err)
	}

	if err := emitCRL(); err != nil {
		return fmt.Errorf("can not emit crl: %s", err)
	}

	logrus.Info("changes are applied to the filesystem")

	return nil
}

func emitToFile(filePath, content string, mode uint) error {
	file, err := os.Create(filePath)
	if err != nil {
		return fmt.Errorf("Cannot create file %s: %v", filePath, err)

	}
	if mode != 0 {
		file.Chmod(os.FileMode(mode))
	}
	defer file.Close()
	fmt.Fprintf(file, content)
	return nil
}

func emitServerConf() error {
	serverInstance, err := GetServerInstance()
	if err != nil {
		return fmt.Errorf("can not retrieve server: %v", err)
	}
	port := DefaultVPNPort
	if serverInstance.Port != "" {
		port = serverInstance.Port
	}

	var result bytes.Buffer

	server := _VPNServerConfig{
		CertPath:     DefaultCertPath,
		KeyPath:      DefaultKeyPath,
		CACertPath:   DefaultCACertPath,
		CAKeyPath:    DefaultCAKeyPath,
		CCDPath:      DefaultVPNCCDPath,
		CRLPath:      DefaultCRLPath,
		DHParamsPath: DefaultDHParamsPath,
		Net:          DefaultServerNetwork,
		Mask:         DefaultServerNetMask,
		Port:         port,
	}
	data, err := bindata.Asset("template/server.conf.tmpl")
	if err != nil {
		return err
	}

	t, err := template.New("server.conf").Parse(string(data))
	if err != nil {
		return fmt.Errorf("can not parse server.conf.tmpl template: %s", err)
	}

	err = t.Execute(&result, server)
	if err != nil {
		return fmt.Errorf("can not render server.conf: %s", err)
	}

	// Wite rendered content into openvpn server conf.
	return emitToFile(DefaultVPNConfPath, result.String(), 0)
}

// GetServerInstance returns the default server from the database.
func GetServerInstance() (*DBServer, error) {
	var server DBServer
	db.First(&server)
	if db.NewRecord(server) {
		return nil, fmt.Errorf("can not retrieve server from db")
	}
	return &server, nil
}

// IsInitialized checks if there is a default server in the database or not.
func IsInitialized() bool {
	var server DBServer
	db.First(&server)
	if db.NewRecord(server) {
		return false
	}
	return true
}

func emitServerKey() error {
	server, err := GetServerInstance()
	if err != nil {
		return err
	}

	// Write rendered content into key file.
	return emitToFile(DefaultKeyPath, server.Key, 0600)
}

func emitServerCert() error {
	server, err := GetServerInstance()
	if err != nil {
		return err
	}

	// Write rendered content into the cert file.
	return emitToFile(DefaultCertPath, server.Cert, 0)
}

func emitCRL() error {
	var revokedDBItems []*DBRevoked
	db.Find(&revokedDBItems)
	var revokedCertSerials []*big.Int
	for _, item := range revokedDBItems {
		bi := big.NewInt(0)
		bi.SetString(item.SerialNumber, 16)
		revokedCertSerials = append(revokedCertSerials, bi)
	}
	systemCA, err := GetSystemCA()
	if err != nil {
		return fmt.Errorf("can not emit CRL: %v", err)
	}
	crl, err := NewCRL(revokedCertSerials, systemCA)
	if err != nil {
		return fmt.Errorf("can not emit crl: %v", err)
	}

	return emitToFile(DefaultCRLPath, crl, 0)
}

func emitCACert() error {
	server, err := GetServerInstance()
	if err != nil {
		return err
	}

	// Write rendered content into the ca cert file.
	return emitToFile(DefaultCACertPath, server.CACert, 0)
}

func emitCAKey() error {
	server, err := GetServerInstance()
	if err != nil {
		return err
	}

	// Write rendered content into the ca key file.
	return emitToFile(DefaultCAKeyPath, server.CAKey, 0600)
}

func emitCCD() error {
	users, err := GetAllUsers()
	if err != nil {
		return err
	}

	// Create and write rendered ccd data.
	os.Mkdir(DefaultVPNCCDPath, 0755)
	clientsNetMask := net.IPMask(net.ParseIP(DefaultServerNetMask))
	clientsNetPrefix := net.ParseIP(DefaultServerNetwork)
	clientNet := clientsNetPrefix.Mask(clientsNetMask).To4()

	counter := 2
	for _, user := range users {
		var result bytes.Buffer
		clientNet[3] = byte(counter)
		params := struct {
			IP      string
			NetMask string
		}{IP: clientNet.String(), NetMask: DefaultServerNetMask}

		data, err := bindata.Asset("template/ccd.file.tmpl")
		if err != nil {
			return err
		}
		t, err := template.New("ccd.file.tmpl").Parse(string(data))
		if err != nil {
			return fmt.Errorf("can not parse ccd.file.tmpl template: %s", err)
		}

		err = t.Execute(&result, params)
		if err != nil {
			return fmt.Errorf("can not render ccd file %s: %s", user.Username, err)
		}

		err = emitToFile(DefaultVPNCCDPath+user.Username, result.String(), 0)
		if err != nil {
			return err
		}
		counter++
	}
	return nil
}

func emitDHParams() error {
	var result bytes.Buffer
	data, err := bindata.Asset("template/dh4096.pem.tmpl")
	if err != nil {
		return err
	}

	t, err := template.New("dh4096.pem.tmpl").Parse(string(data))
	if err != nil {
		return fmt.Errorf("can not parse dh4096.pem template: %s", err)
	}

	err = t.Execute(&result, nil)
	if err != nil {
		return fmt.Errorf("can not render dh4096.pem file: %s", err)
	}

	err = emitToFile(DefaultDHParamsPath, result.String(), 0)
	if err != nil {
		return err
	}
	return nil
}

func emitIptables() error {
	return nil
}

func checkOpenVPNExecutable() bool {
	cmd := exec.Command("which", "openvpn")
	output, err := cmd.Output()
	if err != nil {
		logrus.Errorf("openvpn is not installed: %s  ✘", err)
		return false
	}
	logrus.Infof("openvpn executable detected: %s  ✔", strings.TrimSpace(string(output[:])))
	return true
}

func checkOpenSSLExecutable() bool {
	cmd := exec.Command("which", "openssl")
	output, err := cmd.Output()
	if err != nil {
		logrus.Errorf("openssl is not installed: %s  ✘", err)
		return false
	}
	logrus.Infof("openssl executable detected: %s  ✔", strings.TrimSpace(string(output[:])))
	return true
}

func checkIptablesExecutable() bool {
	cmd := exec.Command("which", "iptables")
	output, err := cmd.Output()
	if err != nil {
		logrus.Errorf("iptables is not installed: %s  ✘", err)
		return false
	}
	logrus.Infof("iptables executable detected: %s  ✔", strings.TrimSpace(string(output[:])))
	return true
}