/**
 * Register the OpenVPN management API routes.
 *
 * GET  /client_connections: the current client connections as reported by
 *      the server manager; restricted to the admin portal.
 * POST /kill_client: disconnect the client with the given `common_name`;
 *      callable from both the admin portal and the user portal.
 *
 * @param Service $service the API service to register the routes on
 */
public function init(Service $service)
{
    $listConnections = function (Request $request, array $hookData) {
        // only the admin portal may see who is connected
        Utils::requireUser($hookData, ['vpn-admin-portal']);
        $connections = $this->serverManager->connections();

        return new ApiResponse('client_connections', $connections);
    };

    $killClient = function (Request $request, array $hookData) {
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $commonName = $request->getPostParameter('common_name');
        // validate before the name is handed to the management socket
        InputValidation::commonName($commonName);
        $killResult = $this->serverManager->kill($commonName);

        return new ApiResponse('kill_client', $killResult);
    };

    $service->get('/client_connections', $listConnections);
    $service->post('/kill_client', $killClient);
}
/**
 * Register the group membership API route.
 *
 * GET /user_groups: the groups of `user_id`, collected from every configured
 *     group provider in provider order; restricted to the user portal.
 *
 * @param Service $service the API service to register the route on
 */
public function init(Service $service)
{
    $service->get('/user_groups', function (Request $request, array $hookData) {
        Utils::requireUser($hookData, ['vpn-user-portal']);
        $userId = $request->getQueryParameter('user_id');
        InputValidation::userId($userId);

        // concatenate the group lists returned by all providers
        $groupMembership = array_reduce(
            $this->groupProviders,
            function (array $carry, $groupProvider) use ($userId) {
                return array_merge($carry, $groupProvider->getGroups($userId));
            },
            []
        );

        return new ApiResponse('user_groups', $groupMembership);
    });
}
/**
 * Register the log and statistics API routes.
 *
 * GET /log: the log entries for `date_time` and `ip_address`.
 * GET /stats: the contents of stats.json in the data directory.
 * Both routes are restricted to the admin portal.
 *
 * @param Service $service the API service to register the routes on
 */
public function init(Service $service)
{
    $service->get('/log', function (Request $request, array $hookData) {
        Utils::requireUser($hookData, ['vpn-admin-portal']);

        $dateTime = $request->getQueryParameter('date_time');
        InputValidation::dateTime($dateTime);
        // the lookup works on a UNIX timestamp; presumably the validator
        // above rejects anything strtotime() cannot parse — verify
        $dateTimeUnix = strtotime($dateTime);

        $ipAddress = $request->getQueryParameter('ip_address');
        InputValidation::ipAddress($ipAddress);

        $logEntries = $this->get($dateTimeUnix, $ipAddress);

        return new ApiResponse('log', $logEntries);
    });

    $service->get('/stats', function (Request $request, array $hookData) {
        Utils::requireUser($hookData, ['vpn-admin-portal']);
        $statsFile = $this->dataDir.'/stats.json';
        $stats = FileIO::readJsonFile($statsFile);

        return new ApiResponse('stats', $stats);
    });
}
/**
 * Register the server pool API routes.
 *
 * GET /server_pools: the configuration of every pool, keyed by pool id.
 * GET /server_pool: the configuration of the pool given by `pool_id`.
 * Both routes are available to the admin portal and the user portal.
 *
 * @param Service $service the API service to register the routes on
 */
public function init(Service $service)
{
    // the configuration of a single pool, as exposed by PoolConfig
    $poolData = function ($poolId) {
        $poolConfig = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));

        return $poolConfig->v();
    };

    $service->get('/server_pools', function (Request $request, array $hookData) use ($poolData) {
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $responseData = [];
        foreach (array_keys($this->instanceConfig->v('vpnPools')) as $poolId) {
            $responseData[$poolId] = $poolData($poolId);
        }

        return new ApiResponse('server_pools', $responseData);
    });

    $service->get('/server_pool', function (Request $request, array $hookData) use ($poolData) {
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $poolId = $request->getQueryParameter('pool_id');
        // the pool id selects a configuration key, so it is validated first
        InputValidation::poolId($poolId);

        return new ApiResponse('server_pool', $poolData($poolId));
    });
}
/**
 * Register the common name (certificate) status API routes.
 *
 * GET  /disabled_common_names: all currently disabled common names
 *      (admin portal and user portal).
 * POST /disable_common_name: disable the posted `common_name`
 *      (admin portal and user portal).
 * POST /enable_common_name: re-enable the posted `common_name`
 *      (admin portal only).
 *
 * Enable/disable actions are written to the logger.
 *
 * @param Service $service the API service to register the routes on
 */
public function init(Service $service)
{
    $service->get('/disabled_common_names', function (Request $request, array $hookData) {
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $disabledNames = $this->commonNames->getDisabled();

        return new ApiResponse('disabled_common_names', $disabledNames);
    });

    // the validated common_name from the POST body
    $postedCommonName = function (Request $request) {
        $commonName = $request->getPostParameter('common_name');
        InputValidation::commonName($commonName);

        return $commonName;
    };

    $service->post('/disable_common_name', function (Request $request, array $hookData) use ($postedCommonName) {
        // disabling is open to the user portal as well
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $commonName = $postedCommonName($request);
        $this->logger->info(sprintf('disabling common_name "%s"', $commonName));
        $result = $this->commonNames->setDisabled($commonName);

        return new ApiResponse('disable_common_name', $result);
    });

    $service->post('/enable_common_name', function (Request $request, array $hookData) use ($postedCommonName) {
        // re-enabling is an administrative action only
        Utils::requireUser($hookData, ['vpn-admin-portal']);
        $commonName = $postedCommonName($request);
        $this->logger->info(sprintf('enabling common_name "%s"', $commonName));
        $result = $this->commonNames->setEnabled($commonName);

        return new ApiResponse('enable_common_name', $result);
    });
}
/**
 * Register the user administration API routes.
 *
 * Disabled users:
 *   GET  /disabled_users      (admin portal)
 *   GET  /is_disabled_user    (admin portal, user portal)
 *   POST /disable_user        (admin portal)
 *   POST /enable_user         (admin portal)
 * OTP secrets:
 *   GET  /has_otp_secret      (admin portal, user portal)
 *   POST /set_otp_secret      (user portal)
 *   POST /delete_otp_secret   (admin portal)
 * VOOT tokens:
 *   GET  /has_voot_token      (user portal, admin portal)
 *   POST /set_voot_token      (user portal)
 *
 * Every route validates `user_id` (and any secret/token) before use;
 * enable/disable actions are written to the logger.
 *
 * @param Service $service the API service to register the routes on
 */
public function init(Service $service)
{
    // validated user_id taken from the query string
    $queryUserId = function (Request $request) {
        $userId = $request->getQueryParameter('user_id');
        InputValidation::userId($userId);

        return $userId;
    };

    // validated user_id taken from the POST body
    $postUserId = function (Request $request) {
        $userId = $request->getPostParameter('user_id');
        InputValidation::userId($userId);

        return $userId;
    };

    // DISABLED
    $service->get('/disabled_users', function (Request $request, array $hookData) {
        Utils::requireUser($hookData, ['vpn-admin-portal']);

        return new ApiResponse('disabled_users', $this->users->getDisabled());
    });

    $service->get('/is_disabled_user', function (Request $request, array $hookData) use ($queryUserId) {
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $userId = $queryUserId($request);

        return new ApiResponse('is_disabled_user', $this->users->isDisabled($userId));
    });

    $service->post('/disable_user', function (Request $request, array $hookData) use ($postUserId) {
        Utils::requireUser($hookData, ['vpn-admin-portal']);
        $userId = $postUserId($request);
        $this->logger->info(sprintf('disabling user "%s"', $userId));

        return new ApiResponse('disable_user', $this->users->setDisabled($userId));
    });

    $service->post('/enable_user', function (Request $request, array $hookData) use ($postUserId) {
        Utils::requireUser($hookData, ['vpn-admin-portal']);
        $userId = $postUserId($request);
        $this->logger->info(sprintf('enabling user "%s"', $userId));

        return new ApiResponse('enable_user', $this->users->setEnabled($userId));
    });

    // OTP_SECRETS
    $service->get('/has_otp_secret', function (Request $request, array $hookData) use ($queryUserId) {
        Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
        $userId = $queryUserId($request);

        return new ApiResponse('has_otp_secret', $this->users->hasOtpSecret($userId));
    });

    $service->post('/set_otp_secret', function (Request $request, array $hookData) use ($postUserId) {
        // enrolling a secret is reserved for the user portal
        Utils::requireUser($hookData, ['vpn-user-portal']);
        $userId = $postUserId($request);
        $otpSecret = $request->getPostParameter('otp_secret');
        InputValidation::otpSecret($otpSecret);
        $result = $this->users->setOtpSecret($userId, $otpSecret);

        return new ApiResponse('set_otp_secret', $result);
    });

    $service->post('/delete_otp_secret', function (Request $request, array $hookData) use ($postUserId) {
        // removing a secret is an administrative action only
        Utils::requireUser($hookData, ['vpn-admin-portal']);
        $userId = $postUserId($request);

        return new ApiResponse('delete_otp_secret', $this->users->deleteOtpSecret($userId));
    });

    // VOOT_TOKENS
    $service->get('/has_voot_token', function (Request $request, array $hookData) use ($queryUserId) {
        Utils::requireUser($hookData, ['vpn-user-portal', 'vpn-admin-portal']);
        $userId = $queryUserId($request);

        return new ApiResponse('has_voot_token', $this->users->hasVootToken($userId));
    });

    $service->post('/set_voot_token', function (Request $request, array $hookData) use ($postUserId) {
        Utils::requireUser($hookData, ['vpn-user-portal']);
        $userId = $postUserId($request);
        $vootToken = $request->getPostParameter('voot_token');
        InputValidation::vootToken($vootToken);
        $result = $this->users->setVootToken($userId, $vootToken);

        return new ApiResponse('set_voot_token', $result);
    });
}
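/**
 * Register the admin portal routes.
 *
 * Data is read from and written to the server API through
 * `$this->serverClient`; pages are rendered with `$this->tpl`.
 * Authentication is not handled here but by the hooks registered on the
 * service.
 *
 * Changes compared to the previous version:
 * - POST /setCertificateStatus only accepts `newState` values `enable` and
 *   `disable`; any other value is a 400 instead of silently disabling.
 * - POST /setCertificateStatus only redirects back to the Referer when it
 *   points inside this portal (starts with the root URI); otherwise it
 *   redirects to the user list, so the handler cannot be used to bounce a
 *   browser to an arbitrary external URL.
 *
 * @param Service $service the HTTP service to register the routes on
 */
public function init(Service $service)
{
    $service->get('/', function (Request $request) {
        return new RedirectResponse($request->getRootUri().'connections', 302);
    });

    $service->get('/connections', function () {
        // map profile ids to their display names for the template
        $profileList = $this->serverClient->get('profile_list');
        $idNameMapping = [];
        foreach ($profileList as $profileId => $profileData) {
            $idNameMapping[$profileId] = $profileData['displayName'];
        }

        return new HtmlResponse(
            $this->tpl->render(
                'vpnConnections',
                [
                    'idNameMapping' => $idNameMapping,
                    'connections' => $this->serverClient->get('client_connections'),
                ]
            )
        );
    });

    $service->get('/info', function () {
        return new HtmlResponse(
            $this->tpl->render(
                'vpnInfo',
                [
                    'profileList' => $this->serverClient->get('profile_list'),
                ]
            )
        );
    });

    $service->get('/users', function () {
        $userList = $this->serverClient->get('user_list');

        return new HtmlResponse(
            $this->tpl->render(
                'vpnUserList',
                [
                    'userList' => $userList,
                ]
            )
        );
    });

    $service->get('/user', function (Request $request) {
        $userId = $request->getQueryParameter('user_id');
        InputValidation::userId($userId);

        $clientCertificateList = $this->serverClient->get('client_certificate_list', ['user_id' => $userId]);
        $userMessages = $this->serverClient->get('user_messages', ['user_id' => $userId]);
        // NOTE(review): the API call names below ('has_totp_secret',
        // 'delete_totp_secret') must match the routes the server API
        // actually exposes — verify against the server side
        $hasOtpSecret = $this->serverClient->get('has_totp_secret', ['user_id' => $userId]);
        $isDisabled = $this->serverClient->get('is_disabled_user', ['user_id' => $userId]);

        return new HtmlResponse(
            $this->tpl->render(
                'vpnUserConfigList',
                [
                    'userId' => $userId,
                    'userMessages' => $userMessages,
                    'clientCertificateList' => $clientCertificateList,
                    'hasOtpSecret' => $hasOtpSecret,
                    'isDisabled' => $isDisabled,
                ]
            )
        );
    });

    $service->post('/user', function (Request $request) {
        $userId = $request->getPostParameter('user_id');
        InputValidation::userId($userId);

        // no need to explicitly validate userAction, the switch below only
        // accepts whitelisted values and rejects everything else with a 400
        $userAction = $request->getPostParameter('user_action');
        switch ($userAction) {
            case 'disableUser':
                $this->serverClient->post('disable_user', ['user_id' => $userId]);
                // disabling the account is not enough: kill all active
                // connections that belong to this user as well
                $clientConnections = $this->serverClient->get('client_connections');
                foreach ($clientConnections as $profile) {
                    foreach ($profile['connections'] as $connection) {
                        if ($connection['user_id'] === $userId) {
                            $this->serverClient->post('kill_client', ['common_name' => $connection['common_name']]);
                        }
                    }
                }
                break;
            case 'enableUser':
                $this->serverClient->post('enable_user', ['user_id' => $userId]);
                break;
            case 'deleteOtpSecret':
                $this->serverClient->post('delete_totp_secret', ['user_id' => $userId]);
                break;
            default:
                throw new HttpException('unsupported "user_action"', 400);
        }

        $returnUrl = sprintf('%susers', $request->getRootUri());

        return new RedirectResponse($returnUrl);
    });

    $service->post('/setCertificateStatus', function (Request $request) {
        $commonName = $request->getPostParameter('commonName');
        InputValidation::commonName($commonName);
        $newState = $request->getPostParameter('newState');

        // only the two supported states are accepted; an unknown value must
        // not silently fall through to "disable"
        switch ($newState) {
            case 'enable':
                $this->serverClient->post('enable_client_certificate', ['common_name' => $commonName]);
                break;
            case 'disable':
                $this->serverClient->post('disable_client_certificate', ['common_name' => $commonName]);
                // a disabled certificate must not keep an existing session alive
                $this->serverClient->post('kill_client', ['common_name' => $commonName]);
                break;
            default:
                throw new HttpException('unsupported "newState"', 400);
        }

        // go back to the referring page, but only when it is inside this
        // portal; the Referer header is client-controlled and must not be
        // used as an open redirect target
        $rootUri = $request->getRootUri();
        $referer = $request->getHeader('HTTP_REFERER');
        if (is_string($referer) && 0 === strpos($referer, $rootUri)) {
            $returnUrl = $referer;
        } else {
            $returnUrl = sprintf('%susers', $rootUri);
        }

        return new RedirectResponse($returnUrl, 302);
    });

    $service->get('/log', function () {
        return new HtmlResponse(
            $this->tpl->render(
                'vpnLog',
                [
                    'date_time' => null,
                    'ip_address' => null,
                ]
            )
        );
    });

    $service->get('/stats', function () {
        return new HtmlResponse(
            $this->tpl->render(
                'vpnStats',
                [
                    'stats' => $this->serverClient->get('stats'),
                ]
            )
        );
    });

    $service->get('/messages', function () {
        $motdMessages = $this->serverClient->get('system_messages', ['message_type' => 'motd']);
        // we only want the first one; false signals "no message" to the template
        if (0 === count($motdMessages)) {
            $motdMessage = false;
        } else {
            $motdMessage = $motdMessages[0];
        }

        return new HtmlResponse(
            $this->tpl->render(
                'vpnMessages',
                [
                    'motdMessage' => $motdMessage,
                ]
            )
        );
    });

    $service->post('/messages', function (Request $request) {
        $messageAction = $request->getPostParameter('message_action');
        switch ($messageAction) {
            case 'set':
                // there can only be one "motd", so remove the ones that
                // already exist before adding the new one
                $motdMessages = $this->serverClient->get('system_messages', ['message_type' => 'motd']);
                foreach ($motdMessages as $motdMessage) {
                    $this->serverClient->post('delete_system_message', ['message_id' => $motdMessage['id']]);
                }
                // the message body is deliberately not validated: any text
                // is accepted and stored as-is
                $messageBody = $request->getPostParameter('message_body');
                $this->serverClient->post('add_system_message', ['message_type' => 'motd', 'message_body' => $messageBody]);
                break;
            case 'delete':
                $messageId = InputValidation::messageId($request->getPostParameter('message_id'));
                $this->serverClient->post('delete_system_message', ['message_id' => $messageId]);
                break;
            default:
                throw new HttpException('unsupported "message_action"', 400);
        }

        $returnUrl = sprintf('%smessages', $request->getRootUri());

        return new RedirectResponse($returnUrl);
    });

    $service->post('/log', function (Request $request) {
        $dateTime = $request->getPostParameter('date_time');
        InputValidation::dateTime($dateTime);
        $ipAddress = $request->getPostParameter('ip_address');
        InputValidation::ipAddress($ipAddress);

        $results = $this->serverClient->get('log', ['date_time' => $dateTime, 'ip_address' => $ipAddress]);

        return new HtmlResponse(
            $this->tpl->render(
                'vpnLog',
                [
                    'date_time' => $dateTime,
                    'ip_address' => $ipAddress,
                    'results' => $results,
                ]
            )
        );
    });
}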
/**
 * Run one request through the service under test and decode the JSON body.
 *
 * @param string $requestMethod HTTP method, e.g. 'GET' or 'POST'
 * @param string $pathInfo      path below the API root, without leading slash
 * @param array  $getData       query parameters
 * @param array  $postData      POST parameters
 *
 * @return mixed the JSON-decoded response body (objects as associative arrays)
 */
private function makeRequest($requestMethod, $pathInfo, array $getData = [], array $postData = [])
{
    // minimal $_SERVER-style environment the Request needs to route
    $serverData = [
        'SERVER_PORT' => 80,
        'SERVER_NAME' => 'vpn.example',
        'REQUEST_METHOD' => $requestMethod,
        'REQUEST_URI' => '/'.$pathInfo,
        'SCRIPT_NAME' => '/index.php',
    ];
    $request = new Request($serverData, $getData, $postData);
    $response = $this->service->run($request);
    $responseBody = $response->getBody();

    return json_decode($responseBody, true);
}
$dataDir = sprintf('%s/data/%s', dirname(__DIR__), $instanceId); if (!file_exists($dataDir)) { if (false === @mkdir($dataDir, 0700, true)) { throw new RuntimeException(sprintf('unable to create folder "%s"', $dataDir)); } } $config = Config::fromFile(sprintf('%s/config/%s/config.yaml', dirname(__DIR__), $instanceId)); $templateDirs = [sprintf('%s/views', dirname(__DIR__)), sprintf('%s/config/%s/views', dirname(__DIR__), $instanceId)]; $templateCache = null; if ($config->v('enableTemplateCache')) { $templateCache = sprintf('%s/tpl', $dataDir); } $tpl = new TwigTpl($templateDirs, $templateCache); $tpl->addFilter(TwigFilters::sizeToHuman()); $tpl->setDefault(['requestUri' => $request->getUri(), 'requestRoot' => $request->getRoot(), 'requestRootUri' => $request->getRootUri()]); $service = new Service($tpl); $service->addBeforeHook('referrer_check', new ReferrerCheckHook()); $service->addAfterHook('no_cache', new NoCacheHook()); // Authentication $authMethod = $config->v('authMethod'); $tpl->addDefault(['authMethod' => $authMethod]); $session = new Session($request->getServerName(), $request->getRoot(), $config->v('secureCookie')); switch ($authMethod) { case 'MellonAuthentication': $service->addBeforeHook('auth', new MellonAuthenticationHook($config->v('MellonAuthentication', 'attribute'))); break; case 'FormAuthentication': $tpl->addDefault(['_show_logout' => true]); $service->addBeforeHook('auth', new FormAuthenticationHook($session, $tpl)); $service->addModule(new FormAuthenticationModule($config->v('FormAuthentication'), $session, $tpl)); break;
use SURFnet\VPN\Common\Http\Service; use SURFnet\VPN\Server\Api\Users; use SURFnet\VPN\Server\Api\UsersModule; use SURFnet\VPN\Server\InstanceConfig; use SURFnet\VPN\Common\Logger; use SURFnet\VPN\Server\OpenVpn\ManagementSocket; use SURFnet\VPN\Server\OpenVpn\ServerManager; $logger = new Logger('vpn-server-api'); try { // this is provided by Apache, using CanonicalName $request = new Request($_SERVER, $_GET, $_POST); $instanceId = $request->getServerName(); $dataDir = sprintf('%s/data/%s', dirname(__DIR__), $instanceId); $configDir = sprintf('%s/config/%s', dirname(__DIR__), $instanceId); $config = InstanceConfig::fromFile(sprintf('%s/config.yaml', $configDir)); $service = new Service(); $basicAuthentication = new BasicAuthenticationHook($config->v('apiConsumers'), 'vpn-server-api'); $service->addBeforeHook('auth', $basicAuthentication); $service->addModule(new LogModule($dataDir)); $service->addModule(new OpenVpnModule(new ServerManager($config, new ManagementSocket(), $logger))); $service->addModule(new CommonNamesModule(new CommonNames(sprintf('%s/common_names', $dataDir)), $logger)); $service->addModule(new UsersModule(new Users(sprintf('%s/users', $dataDir)), $logger)); $groupProviders = []; if ($config->e('groupProviders')) { foreach (array_keys($config->v('groupProviders')) as $groupProviderId) { $groupProviderClass = sprintf('SURFnet\\VPN\\Server\\GroupProvider\\%s', $groupProviderId); $groupProviders[] = new $groupProviderClass($dataDir, $config); } } $service->addModule(new GroupsModule($groupProviders, $logger)); $service->addModule(new InfoModule($config));