 /**
  * Register the OpenVPN management routes on the service.
  *
  * GET  /client_connections – admin portal only; returns whatever the
  *                            server manager reports as active connections.
  * POST /kill_client        – admin or user portal; disconnects the client
  *                            identified by a validated common_name.
  *
  * @param Service $service the HTTP service to attach the routes to
  */
 public function init(Service $service)
 {
     $service->get('/client_connections', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-admin-portal']);
         $connections = $this->serverManager->connections();

         return new ApiResponse('client_connections', $connections);
     });

     $service->post('/kill_client', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);
         // validate before the value reaches the management socket
         $commonName = $req->getPostParameter('common_name');
         InputValidation::commonName($commonName);
         $killed = $this->serverManager->kill($commonName);

         return new ApiResponse('kill_client', $killed);
     });
 }
 /**
  * Register the group membership route on the service.
  *
  * GET /user_groups – user portal only; returns the concatenation, in
  * provider order, of the groups every configured group provider reports
  * for the validated user_id.
  *
  * @param Service $service the HTTP service to attach the route to
  */
 public function init(Service $service)
 {
     $service->get('/user_groups', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-user-portal']);
         $userId = $req->getQueryParameter('user_id');
         InputValidation::userId($userId);

         // fold each provider's answer into a single flat list
         $membership = array_reduce(
             $this->groupProviders,
             function ($carry, $provider) use ($userId) {
                 return array_merge($carry, $provider->getGroups($userId));
             },
             []
         );

         return new ApiResponse('user_groups', $membership);
     });
 }
 /**
  * Register the log lookup and statistics routes on the service.
  *
  * GET /log   – admin portal only; looks up the log for the validated
  *              date_time (converted with strtotime()) and ip_address.
  * GET /stats – admin portal only; returns the decoded stats.json from
  *              the module's data directory.
  *
  * @param Service $service the HTTP service to attach the routes to
  */
 public function init(Service $service)
 {
     $service->get('/log', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-admin-portal']);

         $dateTime = $req->getQueryParameter('date_time');
         InputValidation::dateTime($dateTime);
         // NOTE(review): strtotime() yields false for unparseable input; this
         // relies on InputValidation::dateTime() only admitting values it can
         // parse — confirm against that validator
         $unixTime = strtotime($dateTime);

         $ipAddress = $req->getQueryParameter('ip_address');
         InputValidation::ipAddress($ipAddress);

         return new ApiResponse('log', $this->get($unixTime, $ipAddress));
     });

     $service->get('/stats', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-admin-portal']);
         $statsPath = $this->dataDir . '/stats.json';

         return new ApiResponse('stats', FileIO::readJsonFile($statsPath));
     });
 }
 /**
  * Register the server pool configuration routes on the service.
  *
  * GET /server_pools – admin or user portal; every pool from the instance
  *                     config's "vpnPools" section, keyed by pool id.
  * GET /server_pool  – admin or user portal; a single pool selected by a
  *                     validated pool_id query parameter.
  *
  * @param Service $service the HTTP service to attach the routes to
  */
 public function init(Service $service)
 {
     // the exported form of one pool, as both routes need it
     $poolData = function ($id) {
         $poolConfig = new PoolConfig($this->instanceConfig->v('vpnPools', $id));

         return $poolConfig->v();
     };

     $service->get('/server_pools', function (Request $req, array $hook) use ($poolData) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);
         $pools = [];
         foreach (array_keys($this->instanceConfig->v('vpnPools')) as $id) {
             $pools[$id] = $poolData($id);
         }

         return new ApiResponse('server_pools', $pools);
     });

     $service->get('/server_pool', function (Request $req, array $hook) use ($poolData) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);
         $id = $req->getQueryParameter('pool_id');
         InputValidation::poolId($id);

         return new ApiResponse('server_pool', $poolData($id));
     });
 }
 /**
  * Register the common name (client certificate) state routes on the service.
  *
  * GET  /disabled_common_names – admin or user portal; list of disabled names.
  * POST /disable_common_name   – admin or user portal; disables a validated
  *                               common_name and logs the action.
  * POST /enable_common_name    – admin portal only (narrower than disable);
  *                               re-enables a validated common_name and logs it.
  *
  * @param Service $service the HTTP service to attach the routes to
  */
 public function init(Service $service)
 {
     // read common_name from the POST body and validate it before any use
     $commonNameFromPost = function (Request $req) {
         $commonName = $req->getPostParameter('common_name');
         InputValidation::commonName($commonName);

         return $commonName;
     };

     $service->get('/disabled_common_names', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);

         return new ApiResponse('disabled_common_names', $this->commonNames->getDisabled());
     });

     $service->post('/disable_common_name', function (Request $req, array $hook) use ($commonNameFromPost) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);
         $commonName = $commonNameFromPost($req);
         $this->logger->info(sprintf('disabling common_name "%s"', $commonName));
         $result = $this->commonNames->setDisabled($commonName);

         return new ApiResponse('disable_common_name', $result);
     });

     $service->post('/enable_common_name', function (Request $req, array $hook) use ($commonNameFromPost) {
         Utils::requireUser($hook, ['vpn-admin-portal']);
         $commonName = $commonNameFromPost($req);
         $this->logger->info(sprintf('enabling common_name "%s"', $commonName));
         $result = $this->commonNames->setEnabled($commonName);

         return new ApiResponse('enable_common_name', $result);
     });
 }
 /**
  * Register the user administration routes on the service.
  *
  * Three groups of routes, each keyed on a validated user_id:
  *  - account state: /disabled_users, /is_disabled_user, /disable_user, /enable_user
  *  - OTP secrets:   /has_otp_secret, /set_otp_secret, /delete_otp_secret
  *  - VOOT tokens:   /has_voot_token, /set_voot_token
  *
  * Access: /disabled_users, /disable_user, /enable_user and /delete_otp_secret
  * are admin-portal only; /is_disabled_user, /has_otp_secret and
  * /has_voot_token accept either portal; /set_otp_secret and /set_voot_token
  * are user-portal only.
  *
  * @param Service $service the HTTP service to attach the routes to
  */
 public function init(Service $service)
 {
     // user_id from the query string, validated (GET routes)
     $userIdFromQuery = function (Request $req) {
         $userId = $req->getQueryParameter('user_id');
         InputValidation::userId($userId);

         return $userId;
     };
     // user_id from the POST body, validated (POST routes)
     $userIdFromPost = function (Request $req) {
         $userId = $req->getPostParameter('user_id');
         InputValidation::userId($userId);

         return $userId;
     };

     // DISABLED
     $service->get('/disabled_users', function (Request $req, array $hook) {
         Utils::requireUser($hook, ['vpn-admin-portal']);

         return new ApiResponse('disabled_users', $this->users->getDisabled());
     });
     $service->get('/is_disabled_user', function (Request $req, array $hook) use ($userIdFromQuery) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);
         $userId = $userIdFromQuery($req);

         return new ApiResponse('is_disabled_user', $this->users->isDisabled($userId));
     });
     $service->post('/disable_user', function (Request $req, array $hook) use ($userIdFromPost) {
         Utils::requireUser($hook, ['vpn-admin-portal']);
         $userId = $userIdFromPost($req);
         $this->logger->info(sprintf('disabling user "%s"', $userId));

         return new ApiResponse('disable_user', $this->users->setDisabled($userId));
     });
     $service->post('/enable_user', function (Request $req, array $hook) use ($userIdFromPost) {
         Utils::requireUser($hook, ['vpn-admin-portal']);
         $userId = $userIdFromPost($req);
         $this->logger->info(sprintf('enabling user "%s"', $userId));

         return new ApiResponse('enable_user', $this->users->setEnabled($userId));
     });

     // OTP_SECRETS
     $service->get('/has_otp_secret', function (Request $req, array $hook) use ($userIdFromQuery) {
         Utils::requireUser($hook, ['vpn-admin-portal', 'vpn-user-portal']);
         $userId = $userIdFromQuery($req);

         return new ApiResponse('has_otp_secret', $this->users->hasOtpSecret($userId));
     });
     $service->post('/set_otp_secret', function (Request $req, array $hook) use ($userIdFromPost) {
         Utils::requireUser($hook, ['vpn-user-portal']);
         $userId = $userIdFromPost($req);
         $otpSecret = $req->getPostParameter('otp_secret');
         InputValidation::otpSecret($otpSecret);

         return new ApiResponse('set_otp_secret', $this->users->setOtpSecret($userId, $otpSecret));
     });
     $service->post('/delete_otp_secret', function (Request $req, array $hook) use ($userIdFromPost) {
         Utils::requireUser($hook, ['vpn-admin-portal']);
         $userId = $userIdFromPost($req);

         return new ApiResponse('delete_otp_secret', $this->users->deleteOtpSecret($userId));
     });

     // VOOT_TOKENS
     $service->get('/has_voot_token', function (Request $req, array $hook) use ($userIdFromQuery) {
         Utils::requireUser($hook, ['vpn-user-portal', 'vpn-admin-portal']);
         $userId = $userIdFromQuery($req);

         return new ApiResponse('has_voot_token', $this->users->hasVootToken($userId));
     });
     $service->post('/set_voot_token', function (Request $req, array $hook) use ($userIdFromPost) {
         Utils::requireUser($hook, ['vpn-user-portal']);
         $userId = $userIdFromPost($req);
         $vootToken = $req->getPostParameter('voot_token');
         InputValidation::vootToken($vootToken);

         return new ApiResponse('set_voot_token', $this->users->setVootToken($userId, $vootToken));
     });
 }
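 /**
  * Register the admin portal's HTTP routes on the service.
  *
  * Every handler talks to the server API through $this->serverClient and
  * renders HTML through $this->tpl. Routes:
  *  GET  /                     – redirect to /connections
  *  GET  /connections          – active connections plus a profile id → display name map
  *  GET  /info                 – profile list
  *  GET  /users, GET /user     – user list, and one user's certificates/messages/state
  *  POST /user                 – user_action: disableUser | enableUser | deleteOtpSecret
  *  POST /setCertificateStatus – newState: enable | disable for one common name
  *  GET/POST /log              – log lookup form, and lookup by date_time + ip_address
  *  GET  /stats                – server statistics
  *  GET/POST /messages         – show, set or delete the "motd" system message
  *
  * Unknown user_action, message_action or newState values are rejected with
  * an HttpException (400) instead of falling through to a default action.
  *
  * @param Service $service the HTTP service to attach the routes to
  */
 public function init(Service $service)
 {
     $service->get('/', function (Request $request) {
         return new RedirectResponse($request->getRootUri() . 'connections', 302);
     });

     $service->get('/connections', function () {
         // get the fancy profile name
         $profileList = $this->serverClient->get('profile_list');
         $idNameMapping = [];
         foreach ($profileList as $profileId => $profileData) {
             $idNameMapping[$profileId] = $profileData['displayName'];
         }

         return new HtmlResponse($this->tpl->render('vpnConnections', [
             'idNameMapping' => $idNameMapping,
             'connections' => $this->serverClient->get('client_connections'),
         ]));
     });

     $service->get('/info', function () {
         return new HtmlResponse($this->tpl->render('vpnInfo', [
             'profileList' => $this->serverClient->get('profile_list'),
         ]));
     });

     $service->get('/users', function () {
         $userList = $this->serverClient->get('user_list');

         return new HtmlResponse($this->tpl->render('vpnUserList', ['userList' => $userList]));
     });

     $service->get('/user', function (Request $request) {
         $userId = $request->getQueryParameter('user_id');
         InputValidation::userId($userId);
         $clientCertificateList = $this->serverClient->get('client_certificate_list', ['user_id' => $userId]);
         $userMessages = $this->serverClient->get('user_messages', ['user_id' => $userId]);

         return new HtmlResponse($this->tpl->render('vpnUserConfigList', [
             'userId' => $userId,
             'userMessages' => $userMessages,
             'clientCertificateList' => $clientCertificateList,
             'hasOtpSecret' => $this->serverClient->get('has_totp_secret', ['user_id' => $userId]),
             'isDisabled' => $this->serverClient->get('is_disabled_user', ['user_id' => $userId]),
         ]));
     });

     $service->post('/user', function (Request $request) {
         $userId = $request->getPostParameter('user_id');
         InputValidation::userId($userId);
         $userAction = $request->getPostParameter('user_action');
         // no need to explicitly validate userAction, as we will have
         // switch below with whitelisted acceptable values
         switch ($userAction) {
             case 'disableUser':
                 $this->serverClient->post('disable_user', ['user_id' => $userId]);
                 // kill all active connections for this user
                 $clientConnections = $this->serverClient->get('client_connections');
                 foreach ($clientConnections as $profile) {
                     foreach ($profile['connections'] as $connection) {
                         if ($connection['user_id'] === $userId) {
                             $this->serverClient->post('kill_client', ['common_name' => $connection['common_name']]);
                         }
                     }
                 }
                 break;
             case 'enableUser':
                 $this->serverClient->post('enable_user', ['user_id' => $userId]);
                 break;
             case 'deleteOtpSecret':
                 $this->serverClient->post('delete_totp_secret', ['user_id' => $userId]);
                 break;
             default:
                 throw new HttpException('unsupported "user_action"', 400);
         }
         $returnUrl = sprintf('%susers', $request->getRootUri());

         return new RedirectResponse($returnUrl);
     });

     $service->post('/setCertificateStatus', function (Request $request, array $hookData) {
         $commonName = $request->getPostParameter('commonName');
         InputValidation::commonName($commonName);
         $newState = $request->getPostParameter('newState');
         // whitelist the two known states: without this, a missing or
         // mistyped value would fall through to disable + kill
         if (!in_array($newState, ['enable', 'disable'], true)) {
             throw new HttpException('unsupported "newState"', 400);
         }
         if ('enable' === $newState) {
             $this->serverClient->post('enable_client_certificate', ['common_name' => $commonName]);
         } else {
             // also disconnect the running client, presumably because
             // disabling the certificate alone only affects new connections
             $this->serverClient->post('disable_client_certificate', ['common_name' => $commonName]);
             $this->serverClient->post('kill_client', ['common_name' => $commonName]);
         }
         // NOTE(review): the redirect target is taken from the Referer header;
         // confirm a referrer-check hook guards this service before relying on it
         return new RedirectResponse($request->getHeader('HTTP_REFERER'), 302);
     });

     $service->get('/log', function () {
         return new HtmlResponse($this->tpl->render('vpnLog', ['date_time' => null, 'ip_address' => null]));
     });

     $service->get('/stats', function () {
         return new HtmlResponse($this->tpl->render('vpnStats', [
             'stats' => $this->serverClient->get('stats'),
         ]));
     });

     $service->get('/messages', function () {
         $motdMessages = $this->serverClient->get('system_messages', ['message_type' => 'motd']);
         // we only want the first one; false tells the template there is none
         if (0 === count($motdMessages)) {
             $motdMessage = false;
         } else {
             $motdMessage = $motdMessages[0];
         }

         return new HtmlResponse($this->tpl->render('vpnMessages', ['motdMessage' => $motdMessage]));
     });

     $service->post('/messages', function (Request $request) {
         $messageAction = $request->getPostParameter('message_action');
         switch ($messageAction) {
             case 'set':
                 // we can only have one "motd", so remove the ones that
                 // already exist
                 $motdMessages = $this->serverClient->get('system_messages', ['message_type' => 'motd']);
                 foreach ($motdMessages as $motdMessage) {
                     $this->serverClient->post('delete_system_message', ['message_id' => $motdMessage['id']]);
                 }
                 // no need to validate, we accept everything
                 $messageBody = $request->getPostParameter('message_body');
                 $this->serverClient->post('add_system_message', ['message_type' => 'motd', 'message_body' => $messageBody]);
                 break;
             case 'delete':
                 $messageId = InputValidation::messageId($request->getPostParameter('message_id'));
                 $this->serverClient->post('delete_system_message', ['message_id' => $messageId]);
                 break;
             default:
                 throw new HttpException('unsupported "message_action"', 400);
         }
         $returnUrl = sprintf('%smessages', $request->getRootUri());

         return new RedirectResponse($returnUrl);
     });

     $service->post('/log', function (Request $request) {
         $dateTime = $request->getPostParameter('date_time');
         InputValidation::dateTime($dateTime);
         $ipAddress = $request->getPostParameter('ip_address');
         InputValidation::ipAddress($ipAddress);

         return new HtmlResponse($this->tpl->render('vpnLog', [
             'date_time' => $dateTime,
             'ip_address' => $ipAddress,
             'results' => $this->serverClient->get('log', ['date_time' => $dateTime, 'ip_address' => $ipAddress]),
         ]));
     });
 }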
 /**
  * Dispatch a synthetic HTTP request through the service under test and
  * decode the JSON body of the response it produces.
  *
  * @param string $requestMethod HTTP method, e.g. 'GET' or 'POST'
  * @param string $pathInfo      request path without the leading slash
  * @param array  $getData       query parameters
  * @param array  $postData      POST parameters
  *
  * @return mixed the decoded body as associative arrays, or null when the
  *               body is not valid JSON (json_decode() semantics)
  */
 private function makeRequest($requestMethod, $pathInfo, array $getData = [], array $postData = [])
 {
     // fixed host/port so the request resolves to the same instance every time
     $serverVars = [
         'SERVER_PORT' => 80,
         'SERVER_NAME' => 'vpn.example',
         'REQUEST_METHOD' => $requestMethod,
         'REQUEST_URI' => '/' . $pathInfo,
         'SCRIPT_NAME' => '/index.php',
     ];
     $response = $this->service->run(new Request($serverVars, $getData, $postData));
     $body = $response->getBody();

     return json_decode($body, true);
 }
 $baseDir = dirname(__DIR__);

 // per-instance data directory, created on first use; the failure is
 // surfaced as an exception rather than as PHP's own warning
 $dataDir = sprintf('%s/data/%s', $baseDir, $instanceId);
 if (!file_exists($dataDir) && false === @mkdir($dataDir, 0700, true)) {
     throw new RuntimeException(sprintf('unable to create folder "%s"', $dataDir));
 }

 $config = Config::fromFile(sprintf('%s/config/%s/config.yaml', $baseDir, $instanceId));

 // shared views first, then the instance-specific view directory
 $templateDirs = [
     sprintf('%s/views', $baseDir),
     sprintf('%s/config/%s/views', $baseDir, $instanceId),
 ];
 $templateCache = $config->v('enableTemplateCache') ? sprintf('%s/tpl', $dataDir) : null;
 $tpl = new TwigTpl($templateDirs, $templateCache);
 $tpl->addFilter(TwigFilters::sizeToHuman());
 $tpl->setDefault([
     'requestUri' => $request->getUri(),
     'requestRoot' => $request->getRoot(),
     'requestRootUri' => $request->getRootUri(),
 ]);

 $service = new Service($tpl);
 $service->addBeforeHook('referrer_check', new ReferrerCheckHook());
 $service->addAfterHook('no_cache', new NoCacheHook());

 // Authentication
 $authMethod = $config->v('authMethod');
 $tpl->addDefault(['authMethod' => $authMethod]);
 $session = new Session($request->getServerName(), $request->getRoot(), $config->v('secureCookie'));
 switch ($authMethod) {
     case 'MellonAuthentication':
         $service->addBeforeHook('auth', new MellonAuthenticationHook($config->v('MellonAuthentication', 'attribute')));
         break;
     case 'FormAuthentication':
         $tpl->addDefault(['_show_logout' => true]);
         $service->addBeforeHook('auth', new FormAuthenticationHook($session, $tpl));
         $service->addModule(new FormAuthenticationModule($config->v('FormAuthentication'), $session, $tpl));
         break;
use SURFnet\VPN\Common\Http\Service;
use SURFnet\VPN\Server\Api\Users;
use SURFnet\VPN\Server\Api\UsersModule;
use SURFnet\VPN\Server\InstanceConfig;
use SURFnet\VPN\Common\Logger;
use SURFnet\VPN\Server\OpenVpn\ManagementSocket;
use SURFnet\VPN\Server\OpenVpn\ServerManager;
$logger = new Logger('vpn-server-api');
try {
    // this is provided by Apache, using CanonicalName
    $request = new Request($_SERVER, $_GET, $_POST);
    $instanceId = $request->getServerName();
    $dataDir = sprintf('%s/data/%s', dirname(__DIR__), $instanceId);
    $configDir = sprintf('%s/config/%s', dirname(__DIR__), $instanceId);
    $config = InstanceConfig::fromFile(sprintf('%s/config.yaml', $configDir));
    $service = new Service();
    $basicAuthentication = new BasicAuthenticationHook($config->v('apiConsumers'), 'vpn-server-api');
    $service->addBeforeHook('auth', $basicAuthentication);
    $service->addModule(new LogModule($dataDir));
    $service->addModule(new OpenVpnModule(new ServerManager($config, new ManagementSocket(), $logger)));
    $service->addModule(new CommonNamesModule(new CommonNames(sprintf('%s/common_names', $dataDir)), $logger));
    $service->addModule(new UsersModule(new Users(sprintf('%s/users', $dataDir)), $logger));
    $groupProviders = [];
    if ($config->e('groupProviders')) {
        foreach (array_keys($config->v('groupProviders')) as $groupProviderId) {
            $groupProviderClass = sprintf('SURFnet\\VPN\\Server\\GroupProvider\\%s', $groupProviderId);
            $groupProviders[] = new $groupProviderClass($dataDir, $config);
        }
    }
    $service->addModule(new GroupsModule($groupProviders, $logger));
    $service->addModule(new InfoModule($config));