2022-03-29 00:01:12 +00:00
|
|
|
"""
|
|
|
|
/device endpoints.
|
|
|
|
"""
|
|
|
|
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, status
|
|
|
|
|
2022-04-05 01:55:35 +00:00
|
|
|
from ..db import Device, DeviceCreate, DeviceRead, User
|
2022-04-05 22:39:09 +00:00
|
|
|
from ..easyrsa import EASYRSA, DistinguishedName
|
2022-03-29 23:36:23 +00:00
|
|
|
from ._common import (Responses, get_current_user, get_device_by_id,
|
|
|
|
get_user_by_name)
|
2022-03-29 00:01:12 +00:00
|
|
|
|
|
|
|
router = APIRouter(prefix="/device", tags=["device"])
|
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
2022-03-29 23:36:23 +00:00
|
|
|
"/{user_name}",
|
2022-03-29 00:01:12 +00:00
|
|
|
responses={
|
2022-04-01 06:35:28 +00:00
|
|
|
status.HTTP_201_CREATED: Responses.ENTRY_ADDED,
|
2022-03-29 00:01:12 +00:00
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
2022-03-30 02:02:45 +00:00
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
2022-03-29 00:01:12 +00:00
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
|
|
|
},
|
|
|
|
response_model=DeviceRead,
|
2022-04-01 06:35:28 +00:00
|
|
|
status_code=status.HTTP_201_CREATED,
|
2022-03-29 00:01:12 +00:00
|
|
|
)
|
|
|
|
async def add_device(
|
|
|
|
device: DeviceCreate,
|
2022-03-29 23:36:23 +00:00
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
owner: User = Depends(get_user_by_name),
|
2022-03-29 00:01:12 +00:00
|
|
|
) -> Device:
|
|
|
|
"""
|
|
|
|
POST ./: Create a new device in the database.
|
|
|
|
"""
|
|
|
|
|
2022-03-29 23:36:23 +00:00
|
|
|
# check permission
|
2022-03-30 01:51:43 +00:00
|
|
|
if not current_user.can_create(Device, owner):
|
2022-03-29 23:36:23 +00:00
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
|
|
|
|
2022-03-29 00:01:12 +00:00
|
|
|
# create the new device
|
|
|
|
new_device = Device.create(
|
2022-03-31 16:48:52 +00:00
|
|
|
owner=owner,
|
2022-03-29 00:01:12 +00:00
|
|
|
device=device,
|
|
|
|
)
|
|
|
|
|
|
|
|
# fail if creation was unsuccessful
|
|
|
|
if new_device is None:
|
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
|
|
|
|
|
|
|
# return the created device on success
|
|
|
|
return new_device
|
2022-03-29 15:56:12 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.delete(
|
|
|
|
"/{device_id}",
|
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
2022-03-30 02:07:22 +00:00
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
2022-03-29 15:56:12 +00:00
|
|
|
},
|
|
|
|
response_model=User,
|
|
|
|
)
|
|
|
|
async def remove_device(
|
2022-03-29 23:36:23 +00:00
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
2022-03-29 15:56:12 +00:00
|
|
|
):
|
|
|
|
"""
|
|
|
|
DELETE ./{device_id}: Remove a device from the database.
|
|
|
|
"""
|
|
|
|
|
2022-03-29 23:36:23 +00:00
|
|
|
# check permission
|
2022-03-30 01:51:43 +00:00
|
|
|
if not current_user.can_edit(device):
|
2022-03-29 23:36:23 +00:00
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
|
|
|
|
2022-03-29 15:56:12 +00:00
|
|
|
# delete device
|
|
|
|
device.delete()
|
2022-04-01 17:51:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
2022-04-05 01:55:35 +00:00
|
|
|
"/{device_id}/issue",
|
2022-04-01 17:51:01 +00:00
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
2022-04-05 01:55:35 +00:00
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
2022-04-01 17:51:01 +00:00
|
|
|
},
|
2022-04-05 01:55:35 +00:00
|
|
|
response_model=DeviceRead,
|
2022-04-01 17:51:01 +00:00
|
|
|
)
|
2022-04-05 22:34:25 +00:00
|
|
|
async def request_certificate_issuance(
|
2022-04-01 17:51:01 +00:00
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
2022-04-05 01:55:35 +00:00
|
|
|
) -> Device:
|
2022-04-01 17:51:01 +00:00
|
|
|
"""
|
2022-04-05 22:34:25 +00:00
|
|
|
POST ./{device_id}/issue: Request certificate issuance for a device.
|
2022-04-01 17:51:01 +00:00
|
|
|
"""
|
|
|
|
|
|
|
|
# check permission
|
|
|
|
if not current_user.can_edit(device):
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
|
|
|
|
2022-04-05 22:34:25 +00:00
|
|
|
# can only request for a newly created device
|
2022-04-05 01:55:35 +00:00
|
|
|
if device.approved is not None:
|
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
2022-04-02 21:24:44 +00:00
|
|
|
|
2022-04-05 01:55:35 +00:00
|
|
|
# check if we must wait for approval
|
|
|
|
device.approved = current_user.can_issue
|
2022-04-02 21:24:44 +00:00
|
|
|
|
2022-04-05 01:55:35 +00:00
|
|
|
if device.approved:
|
|
|
|
# issue the certificate immediately
|
2022-04-05 22:39:09 +00:00
|
|
|
if (certificate := EASYRSA.issue(
|
2022-04-05 01:55:35 +00:00
|
|
|
dn=DistinguishedName.build(device)
|
|
|
|
)) is not None:
|
|
|
|
device.expiry = certificate.not_valid_after
|
2022-04-02 21:24:44 +00:00
|
|
|
|
2022-04-05 01:55:35 +00:00
|
|
|
# return updated device
|
|
|
|
device.update()
|
|
|
|
return device
|
2022-04-06 00:34:37 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
|
|
|
"/{device_id}/renew",
|
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
|
|
|
},
|
|
|
|
response_model=DeviceRead,
|
|
|
|
)
|
|
|
|
async def request_certificate_renewal(
|
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
|
|
|
) -> Device:
|
|
|
|
"""
|
|
|
|
POST ./{device_id}/renew: Request certificate renewal for a device.
|
|
|
|
"""
|
|
|
|
|
|
|
|
# check permission
|
|
|
|
if not current_user.can_edit(device):
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
|
|
|
|
|
|
|
# can only renew an already certified device
|
|
|
|
if device.approved is not True:
|
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
|
|
|
|
|
|
|
# check if we must wait for approval
|
|
|
|
device.approved = current_user.can_renew
|
|
|
|
|
|
|
|
if device.approved:
|
|
|
|
# renew the certificate immediately
|
|
|
|
if (certificate := EASYRSA.renew(
|
|
|
|
dn=DistinguishedName.build(device)
|
|
|
|
)) is not None:
|
|
|
|
device.expiry = certificate.not_valid_after
|
|
|
|
|
|
|
|
# return updated device
|
|
|
|
device.update()
|
|
|
|
return device
|