2022-03-29 00:01:12 +00:00
|
|
|
"""
|
|
|
|
/device endpoints.
|
|
|
|
"""
|
|
|
|
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, status
|
2022-04-07 08:00:41 +00:00
|
|
|
from kiwi_vpn_api.db.device import DeviceStatus
|
2022-03-29 00:01:12 +00:00
|
|
|
|
2022-04-05 01:55:35 +00:00
|
|
|
from ..db import Device, DeviceCreate, DeviceRead, User
|
2022-04-05 22:39:09 +00:00
|
|
|
from ..easyrsa import EASYRSA, DistinguishedName
|
2022-03-29 23:36:23 +00:00
|
|
|
from ._common import (Responses, get_current_user, get_device_by_id,
|
|
|
|
get_user_by_name)
|
2022-03-29 00:01:12 +00:00
|
|
|
|
|
|
|
router = APIRouter(prefix="/device", tags=["device"])
|
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
2022-03-29 23:36:23 +00:00
|
|
|
"/{user_name}",
|
2022-03-29 00:01:12 +00:00
|
|
|
responses={
|
2022-04-01 06:35:28 +00:00
|
|
|
status.HTTP_201_CREATED: Responses.ENTRY_ADDED,
|
2022-03-29 00:01:12 +00:00
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
2022-03-30 02:02:45 +00:00
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
2022-03-29 00:01:12 +00:00
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
|
|
|
},
|
|
|
|
response_model=DeviceRead,
|
2022-04-01 06:35:28 +00:00
|
|
|
status_code=status.HTTP_201_CREATED,
|
2022-03-29 00:01:12 +00:00
|
|
|
)
|
|
|
|
async def add_device(
|
|
|
|
device: DeviceCreate,
|
2022-03-29 23:36:23 +00:00
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
owner: User = Depends(get_user_by_name),
|
2022-03-29 00:01:12 +00:00
|
|
|
) -> Device:
|
|
|
|
"""
|
|
|
|
POST ./: Create a new device in the database.
|
2022-04-07 06:23:09 +00:00
|
|
|
|
|
|
|
Status:
|
|
|
|
|
|
|
|
- 403: no user permission to create device
|
|
|
|
- 409: device creation unsuccessful
|
2022-03-29 00:01:12 +00:00
|
|
|
"""
|
|
|
|
|
2022-04-07 08:53:54 +00:00
|
|
|
# check permissions
|
|
|
|
try:
|
|
|
|
current_user.check_create(Device, owner)
|
|
|
|
|
|
|
|
except PermissionError as e:
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN) from e
|
2022-03-29 23:36:23 +00:00
|
|
|
|
2022-03-29 00:01:12 +00:00
|
|
|
# create the new device
|
|
|
|
new_device = Device.create(
|
2022-03-31 16:48:52 +00:00
|
|
|
owner=owner,
|
2022-03-29 00:01:12 +00:00
|
|
|
device=device,
|
|
|
|
)
|
|
|
|
|
|
|
|
# fail if creation was unsuccessful
|
|
|
|
if new_device is None:
|
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
|
|
|
|
|
|
|
# return the created device on success
|
|
|
|
return new_device
|
2022-03-29 15:56:12 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.delete(
|
|
|
|
"/{device_id}",
|
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
2022-03-30 02:07:22 +00:00
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
2022-04-07 06:23:09 +00:00
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
2022-03-29 15:56:12 +00:00
|
|
|
},
|
|
|
|
response_model=User,
|
|
|
|
)
|
|
|
|
async def remove_device(
|
2022-03-29 23:36:23 +00:00
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
2022-03-29 15:56:12 +00:00
|
|
|
):
|
|
|
|
"""
|
|
|
|
DELETE ./{device_id}: Remove a device from the database.
|
2022-04-07 06:23:09 +00:00
|
|
|
|
|
|
|
Status:
|
|
|
|
|
|
|
|
- 403: no user permission to edit device
|
2022-03-29 15:56:12 +00:00
|
|
|
"""
|
|
|
|
|
2022-04-07 08:53:54 +00:00
|
|
|
# check permissions
|
|
|
|
try:
|
|
|
|
current_user.check_edit(device)
|
|
|
|
|
|
|
|
except PermissionError as e:
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN) from e
|
2022-03-29 23:36:23 +00:00
|
|
|
|
2022-03-29 15:56:12 +00:00
|
|
|
# delete device
|
|
|
|
device.delete()
|
2022-04-01 17:51:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
2022-04-05 01:55:35 +00:00
|
|
|
"/{device_id}/issue",
|
2022-04-01 17:51:01 +00:00
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
2022-04-05 01:55:35 +00:00
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
2022-04-01 17:51:01 +00:00
|
|
|
},
|
2022-04-05 01:55:35 +00:00
|
|
|
response_model=DeviceRead,
|
2022-04-01 17:51:01 +00:00
|
|
|
)
|
2022-04-05 22:34:25 +00:00
|
|
|
async def request_certificate_issuance(
|
2022-04-01 17:51:01 +00:00
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
2022-04-05 01:55:35 +00:00
|
|
|
) -> Device:
|
2022-04-01 17:51:01 +00:00
|
|
|
"""
|
2022-04-05 22:34:25 +00:00
|
|
|
POST ./{device_id}/issue: Request certificate issuance for a device.
|
2022-04-07 06:23:09 +00:00
|
|
|
|
|
|
|
Status:
|
|
|
|
|
|
|
|
- 403: no user permission to edit device
|
|
|
|
- 409: device certificate cannot be "issued"
|
2022-04-01 17:51:01 +00:00
|
|
|
"""
|
|
|
|
|
2022-04-07 08:53:54 +00:00
|
|
|
# check permissions
|
|
|
|
try:
|
|
|
|
current_user.check_edit(device)
|
|
|
|
|
|
|
|
except PermissionError as e:
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN) from e
|
2022-04-01 17:51:01 +00:00
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
# can only "request" on an uncertified device
|
|
|
|
if device.status is not DeviceStatus.uncertified:
|
2022-04-05 01:55:35 +00:00
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
2022-04-02 21:24:44 +00:00
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
device.set_status(DeviceStatus.pending)
|
2022-04-02 21:24:44 +00:00
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
# check if we can issue the certificate immediately
|
|
|
|
if current_user.can_issue:
|
2022-04-05 22:39:09 +00:00
|
|
|
if (certificate := EASYRSA.issue(
|
2022-04-05 01:55:35 +00:00
|
|
|
dn=DistinguishedName.build(device)
|
|
|
|
)) is not None:
|
2022-04-07 08:00:41 +00:00
|
|
|
device.set_status(DeviceStatus.certified)
|
2022-04-05 01:55:35 +00:00
|
|
|
device.expiry = certificate.not_valid_after
|
2022-04-02 21:24:44 +00:00
|
|
|
|
2022-04-05 01:55:35 +00:00
|
|
|
# return updated device
|
|
|
|
device.update()
|
|
|
|
return device
|
2022-04-06 00:34:37 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
|
|
|
"/{device_id}/renew",
|
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
|
|
|
},
|
|
|
|
response_model=DeviceRead,
|
|
|
|
)
|
|
|
|
async def request_certificate_renewal(
|
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
|
|
|
) -> Device:
|
|
|
|
"""
|
|
|
|
POST ./{device_id}/renew: Request certificate renewal for a device.
|
2022-04-07 06:23:09 +00:00
|
|
|
|
|
|
|
Status:
|
|
|
|
|
|
|
|
- 403: no user permission to edit device
|
|
|
|
- 409: device certificate cannot be "renewed"
|
2022-04-06 00:34:37 +00:00
|
|
|
"""
|
|
|
|
|
2022-04-07 08:53:54 +00:00
|
|
|
# check permissions
|
|
|
|
try:
|
|
|
|
current_user.check_edit(device)
|
|
|
|
|
|
|
|
except PermissionError as e:
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN) from e
|
2022-04-06 00:34:37 +00:00
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
# can only "renew" on an already certified device
|
|
|
|
if device.status is not DeviceStatus.certified:
|
2022-04-06 00:34:37 +00:00
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
device.set_status(DeviceStatus.pending)
|
2022-04-06 00:34:37 +00:00
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
# check if we can renew the certificate immediately
|
|
|
|
if current_user.can_renew:
|
2022-04-06 00:34:37 +00:00
|
|
|
if (certificate := EASYRSA.renew(
|
|
|
|
dn=DistinguishedName.build(device)
|
|
|
|
)) is not None:
|
2022-04-07 08:00:41 +00:00
|
|
|
device.set_status(DeviceStatus.certified)
|
2022-04-06 00:34:37 +00:00
|
|
|
device.expiry = certificate.not_valid_after
|
|
|
|
|
|
|
|
# return updated device
|
|
|
|
device.update()
|
|
|
|
return device
|
2022-04-07 05:44:42 +00:00
|
|
|
|
|
|
|
|
|
|
|
@router.post(
|
|
|
|
"/{device_id}/revoke",
|
|
|
|
responses={
|
|
|
|
status.HTTP_200_OK: Responses.OK,
|
|
|
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
|
|
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
|
|
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
|
|
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
|
|
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
|
|
|
},
|
|
|
|
response_model=DeviceRead,
|
|
|
|
)
|
|
|
|
async def revoke_certificate(
|
|
|
|
current_user: User = Depends(get_current_user),
|
|
|
|
device: Device = Depends(get_device_by_id),
|
|
|
|
) -> Device:
|
|
|
|
"""
|
|
|
|
POST ./{device_id}/revoke: Revoke a device certificate.
|
2022-04-07 06:23:09 +00:00
|
|
|
|
|
|
|
Status:
|
|
|
|
|
|
|
|
- 403: no user permission to edit device
|
|
|
|
- 409: device certificate cannot be "revoked"
|
2022-04-07 05:44:42 +00:00
|
|
|
"""
|
|
|
|
|
2022-04-07 08:53:54 +00:00
|
|
|
# check permissions
|
|
|
|
try:
|
|
|
|
current_user.check_edit(device)
|
|
|
|
|
|
|
|
except PermissionError as e:
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN) from e
|
2022-04-07 05:44:42 +00:00
|
|
|
|
2022-04-07 08:00:41 +00:00
|
|
|
# can only "revoke" on a currently certified device
|
|
|
|
if device.status is not DeviceStatus.certified:
|
2022-04-07 05:44:42 +00:00
|
|
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
|
|
|
|
|
|
|
# revoke the device certificate
|
|
|
|
EASYRSA.revoke(dn=DistinguishedName.build(device))
|
|
|
|
|
|
|
|
# reset the device
|
2022-04-07 08:00:41 +00:00
|
|
|
device.set_status(DeviceStatus.uncertified)
|
2022-04-07 05:44:42 +00:00
|
|
|
device.expiry = None
|
|
|
|
|
|
|
|
# return updated device
|
|
|
|
device.update()
|
|
|
|
return device
|