kiwi-vpn/api/kiwi_vpn_api/routers/device.py

229 lines
6.5 KiB
Python
Raw Normal View History

2022-03-29 00:01:12 +00:00
"""
/device endpoints.
"""
from fastapi import APIRouter, Depends, HTTPException, status
2022-04-05 01:55:35 +00:00
from ..db import Device, DeviceCreate, DeviceRead, User
2022-04-05 22:39:09 +00:00
from ..easyrsa import EASYRSA, DistinguishedName
2022-03-29 23:36:23 +00:00
from ._common import (Responses, get_current_user, get_device_by_id,
get_user_by_name)
2022-03-29 00:01:12 +00:00
router = APIRouter(prefix="/device", tags=["device"])
@router.post(
2022-03-29 23:36:23 +00:00
"/{user_name}",
2022-03-29 00:01:12 +00:00
responses={
2022-04-01 06:35:28 +00:00
status.HTTP_201_CREATED: Responses.ENTRY_ADDED,
2022-03-29 00:01:12 +00:00
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
2022-03-30 02:02:45 +00:00
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
2022-03-29 00:01:12 +00:00
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
},
response_model=DeviceRead,
2022-04-01 06:35:28 +00:00
status_code=status.HTTP_201_CREATED,
2022-03-29 00:01:12 +00:00
)
async def add_device(
device: DeviceCreate,
2022-03-29 23:36:23 +00:00
current_user: User = Depends(get_current_user),
owner: User = Depends(get_user_by_name),
2022-03-29 00:01:12 +00:00
) -> Device:
"""
POST ./: Create a new device in the database.
2022-04-07 06:23:09 +00:00
Status:
- 403: no user permission to create device
- 409: device creation unsuccessful
2022-03-29 00:01:12 +00:00
"""
2022-03-29 23:36:23 +00:00
# check permission
2022-03-30 01:51:43 +00:00
if not current_user.can_create(Device, owner):
2022-03-29 23:36:23 +00:00
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
2022-03-29 00:01:12 +00:00
# create the new device
new_device = Device.create(
2022-03-31 16:48:52 +00:00
owner=owner,
2022-03-29 00:01:12 +00:00
device=device,
)
# fail if creation was unsuccessful
if new_device is None:
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
# return the created device on success
return new_device
2022-03-29 15:56:12 +00:00
@router.delete(
"/{device_id}",
responses={
status.HTTP_200_OK: Responses.OK,
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
2022-03-30 02:07:22 +00:00
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
2022-04-07 06:23:09 +00:00
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
2022-03-29 15:56:12 +00:00
},
response_model=User,
)
async def remove_device(
2022-03-29 23:36:23 +00:00
current_user: User = Depends(get_current_user),
device: Device = Depends(get_device_by_id),
2022-03-29 15:56:12 +00:00
):
"""
DELETE ./{device_id}: Remove a device from the database.
2022-04-07 06:23:09 +00:00
Status:
- 403: no user permission to edit device
2022-03-29 15:56:12 +00:00
"""
2022-03-29 23:36:23 +00:00
# check permission
2022-03-30 01:51:43 +00:00
if not current_user.can_edit(device):
2022-03-29 23:36:23 +00:00
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
2022-03-29 15:56:12 +00:00
# delete device
device.delete()
@router.post(
2022-04-05 01:55:35 +00:00
"/{device_id}/issue",
responses={
status.HTTP_200_OK: Responses.OK,
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
2022-04-05 01:55:35 +00:00
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
},
2022-04-05 01:55:35 +00:00
response_model=DeviceRead,
)
2022-04-05 22:34:25 +00:00
async def request_certificate_issuance(
current_user: User = Depends(get_current_user),
device: Device = Depends(get_device_by_id),
2022-04-05 01:55:35 +00:00
) -> Device:
"""
2022-04-05 22:34:25 +00:00
POST ./{device_id}/issue: Request certificate issuance for a device.
2022-04-07 06:23:09 +00:00
Status:
- 403: no user permission to edit device
- 409: device certificate cannot be "issued"
"""
# check permission
if not current_user.can_edit(device):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
2022-04-05 22:34:25 +00:00
# can only request for a newly created device
2022-04-05 01:55:35 +00:00
if device.approved is not None:
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
2022-04-02 21:24:44 +00:00
2022-04-05 01:55:35 +00:00
# check if we must wait for approval
device.approved = current_user.can_issue
2022-04-02 21:24:44 +00:00
2022-04-05 01:55:35 +00:00
if device.approved:
# issue the certificate immediately
2022-04-05 22:39:09 +00:00
if (certificate := EASYRSA.issue(
2022-04-05 01:55:35 +00:00
dn=DistinguishedName.build(device)
)) is not None:
device.expiry = certificate.not_valid_after
2022-04-02 21:24:44 +00:00
2022-04-05 01:55:35 +00:00
# return updated device
device.update()
return device
2022-04-06 00:34:37 +00:00
@router.post(
"/{device_id}/renew",
responses={
status.HTTP_200_OK: Responses.OK,
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
},
response_model=DeviceRead,
)
async def request_certificate_renewal(
current_user: User = Depends(get_current_user),
device: Device = Depends(get_device_by_id),
) -> Device:
"""
POST ./{device_id}/renew: Request certificate renewal for a device.
2022-04-07 06:23:09 +00:00
Status:
- 403: no user permission to edit device
- 409: device certificate cannot be "renewed"
2022-04-06 00:34:37 +00:00
"""
# check permission
if not current_user.can_edit(device):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
# can only renew an already certified device
if device.approved is not True:
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
# check if we must wait for approval
device.approved = current_user.can_renew
if device.approved:
# renew the certificate immediately
if (certificate := EASYRSA.renew(
dn=DistinguishedName.build(device)
)) is not None:
device.expiry = certificate.not_valid_after
# return updated device
device.update()
return device
2022-04-07 05:44:42 +00:00
@router.post(
"/{device_id}/revoke",
responses={
status.HTTP_200_OK: Responses.OK,
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
},
response_model=DeviceRead,
)
async def revoke_certificate(
current_user: User = Depends(get_current_user),
device: Device = Depends(get_device_by_id),
) -> Device:
"""
POST ./{device_id}/revoke: Revoke a device certificate.
2022-04-07 06:23:09 +00:00
Status:
- 403: no user permission to edit device
- 409: device certificate cannot be "revoked"
2022-04-07 05:44:42 +00:00
"""
# check permission
if not current_user.can_edit(device):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
# can only revoke a currently certified device
if device.approved is not True:
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
# revoke the device certificate
EASYRSA.revoke(dn=DistinguishedName.build(device))
# reset the device
device.approved = None
device.expiry = None
# return updated device
device.update()
return device