kiwi-vpn/api/kiwi_vpn_api/routers/device.py

"""
/device endpoints.
"""

from fastapi import APIRouter, Depends, HTTPException, status
from kiwi_vpn_api.db.device import DeviceStatus

from ..db import Device, DeviceCreate, DeviceRead, User
from ..easyrsa import EASYRSA, DistinguishedName
from ._common import (Responses, get_current_user, get_device_by_id,
                      get_user_by_name)

router = APIRouter(prefix="/device", tags=["device"])


@router.post(
    "/{user_name}",
    responses={
        status.HTTP_201_CREATED: Responses.ENTRY_ADDED,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
        status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
    },
    response_model=DeviceRead,
    status_code=status.HTTP_201_CREATED,
)
async def add_device(
    device: DeviceCreate,
    current_user: User = Depends(get_current_user),
    owner: User = Depends(get_user_by_name),
) -> Device:
    """
    POST ./: Create a new device in the database.

    Status:

    - 403: no user permission to create device
    - 409: device creation unsuccessful
    """

    # check permission
    if not current_user.can_create(Device, owner):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    # create the new device
    new_device = Device.create(
        owner=owner,
        device=device,
    )

    # fail if creation was unsuccessful
    if new_device is None:
        raise HTTPException(status_code=status.HTTP_409_CONFLICT)

    # return the created device on success
    return new_device


@router.delete(
    "/{device_id}",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
        status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
    },
    response_model=User,
)
async def remove_device(
    current_user: User = Depends(get_current_user),
    device: Device = Depends(get_device_by_id),
):
    """
    DELETE ./{device_id}: Remove a device from the database.

    Status:

    - 403: no user permission to edit device
    """

    # check permission
    if not current_user.can_edit(device):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    # delete device
    device.delete()


@router.post(
    "/{device_id}/issue",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
        status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
        status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
    },
    response_model=DeviceRead,
)
async def request_certificate_issuance(
    current_user: User = Depends(get_current_user),
    device: Device = Depends(get_device_by_id),
) -> Device:
    """
    POST ./{device_id}/issue: Request certificate issuance for a device.

    Status:

    - 403: no user permission to edit device
    - 409: device certificate cannot be "issued"
    """

    # check permission
    if not current_user.can_edit(device):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    # can only "request" on an uncertified device
    if device.status is not DeviceStatus.uncertified:
        raise HTTPException(status_code=status.HTTP_409_CONFLICT)

    device.set_status(DeviceStatus.pending)

    # check if we can issue the certificate immediately
    if current_user.can_issue:
        if (certificate := EASYRSA.issue(
            dn=DistinguishedName.build(device)
        )) is not None:
            device.set_status(DeviceStatus.certified)
            device.expiry = certificate.not_valid_after

    # return updated device
    device.update()
    return device


@router.post(
    "/{device_id}/renew",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
        status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
        status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
    },
    response_model=DeviceRead,
)
async def request_certificate_renewal(
    current_user: User = Depends(get_current_user),
    device: Device = Depends(get_device_by_id),
) -> Device:
    """
    POST ./{device_id}/renew: Request certificate renewal for a device.

    Status:

    - 403: no user permission to edit device
    - 409: device certificate cannot be "renewed"
    """

    # check permission
    if not current_user.can_edit(device):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    # can only "renew" on an already certified device
    if device.status is not DeviceStatus.certified:
        raise HTTPException(status_code=status.HTTP_409_CONFLICT)

    device.set_status(DeviceStatus.pending)

    # check if we can renew the certificate immediately
    if current_user.can_renew:
        if (certificate := EASYRSA.renew(
            dn=DistinguishedName.build(device)
        )) is not None:
            device.set_status(DeviceStatus.certified)
            device.expiry = certificate.not_valid_after

    # return updated device
    device.update()
    return device


@router.post(
    "/{device_id}/revoke",
    responses={
        status.HTTP_200_OK: Responses.OK,
        status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
        status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
        status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
        status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
        status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
    },
    response_model=DeviceRead,
)
async def revoke_certificate(
    current_user: User = Depends(get_current_user),
    device: Device = Depends(get_device_by_id),
) -> Device:
    """
    POST ./{device_id}/revoke: Revoke a device certificate.

    Status:

    - 403: no user permission to edit device
    - 409: device certificate cannot be "revoked"
    """

    # check permission
    if not current_user.can_edit(device):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    # can only "revoke" on a currently certified device
    if device.status is not DeviceStatus.certified:
        raise HTTPException(status_code=status.HTTP_409_CONFLICT)

    # revoke the device certificate
    EASYRSA.revoke(dn=DistinguishedName.build(device))

    # reset the device
    device.set_status(DeviceStatus.uncertified)
    device.expiry = None

    # return updated device
    device.update()
    return device
POST /device route 2022-03-29 00:01:12 +00:00			`"""`
			`/device endpoints.`
			`"""`

			`from fastapi import APIRouter, Depends, HTTPException, status`
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`from kiwi_vpn_api.db.device import DeviceStatus`
POST /device route 2022-03-29 00:01:12 +00:00
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`from ..db import Device, DeviceCreate, DeviceRead, User`
EASYRSA global object 2022-04-05 22:39:09 +00:00			`from ..easyrsa import EASYRSA, DistinguishedName`
basic permissions system 2022-03-29 23:36:23 +00:00			`from ._common import (Responses, get_current_user, get_device_by_id,`
			`get_user_by_name)`
POST /device route 2022-03-29 00:01:12 +00:00
			`router = APIRouter(prefix="/device", tags=["device"])`


			`@router.post(`
basic permissions system 2022-03-29 23:36:23 +00:00			`"/{user_name}",`
POST /device route 2022-03-29 00:01:12 +00:00			`responses={`
HTTP 201 2022-04-01 06:35:28 +00:00			`status.HTTP_201_CREATED: Responses.ENTRY_ADDED,`
POST /device route 2022-03-29 00:01:12 +00:00			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
remove get_current_user_if_admin 2022-03-30 02:02:45 +00:00			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,`
POST /device route 2022-03-29 00:01:12 +00:00			`status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,`
			`},`
			`response_model=DeviceRead,`
HTTP 201 2022-04-01 06:35:28 +00:00			`status_code=status.HTTP_201_CREATED,`
POST /device route 2022-03-29 00:01:12 +00:00			`)`
			`async def add_device(`
			`device: DeviceCreate,`
basic permissions system 2022-03-29 23:36:23 +00:00			`current_user: User = Depends(get_current_user),`
			`owner: User = Depends(get_user_by_name),`
POST /device route 2022-03-29 00:01:12 +00:00			`) -> Device:`
			`"""`
			`POST ./: Create a new device in the database.`
HTTP status codes and documentation 2022-04-07 06:23:09 +00:00
			`Status:`

			`- 403: no user permission to create device`
			`- 409: device creation unsuccessful`
POST /device route 2022-03-29 00:01:12 +00:00			`"""`

basic permissions system 2022-03-29 23:36:23 +00:00			`# check permission`
rework User methods 2022-03-30 01:51:43 +00:00			`if not current_user.can_create(Device, owner):`
basic permissions system 2022-03-29 23:36:23 +00:00			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

POST /device route 2022-03-29 00:01:12 +00:00			`# create the new device`
			`new_device = Device.create(`
fix: device creation 2022-03-31 16:48:52 +00:00			`owner=owner,`
POST /device route 2022-03-29 00:01:12 +00:00			`device=device,`
			`)`

			`# fail if creation was unsuccessful`
			`if new_device is None:`
			`raise HTTPException(status_code=status.HTTP_409_CONFLICT)`

			`# return the created device on success`
			`return new_device`
deleting a device 2022-03-29 15:56:12 +00:00

			`@router.delete(`
			`"/{device_id}",`
			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
remove NEEDS_ADMIN 2022-03-30 02:07:22 +00:00			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,`
HTTP status codes and documentation 2022-04-07 06:23:09 +00:00			`status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,`
deleting a device 2022-03-29 15:56:12 +00:00			`},`
			`response_model=User,`
			`)`
			`async def remove_device(`
basic permissions system 2022-03-29 23:36:23 +00:00			`current_user: User = Depends(get_current_user),`
			`device: Device = Depends(get_device_by_id),`
deleting a device 2022-03-29 15:56:12 +00:00			`):`
			`"""`
			`DELETE ./{device_id}: Remove a device from the database.`
HTTP status codes and documentation 2022-04-07 06:23:09 +00:00
			`Status:`

			`- 403: no user permission to edit device`
deleting a device 2022-03-29 15:56:12 +00:00			`"""`

basic permissions system 2022-03-29 23:36:23 +00:00			`# check permission`
rework User methods 2022-03-30 01:51:43 +00:00			`if not current_user.can_edit(device):`
basic permissions system 2022-03-29 23:36:23 +00:00			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

deleting a device 2022-03-29 15:56:12 +00:00			`# delete device`
			`device.delete()`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00

			`@router.post(`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`"/{device_id}/issue",`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,`
			`status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00			`},`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`response_model=DeviceRead,`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00			`)`
few renames 2022-04-05 22:34:25 +00:00			`async def request_certificate_issuance(`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00			`current_user: User = Depends(get_current_user),`
			`device: Device = Depends(get_device_by_id),`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`) -> Device:`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00			`"""`
few renames 2022-04-05 22:34:25 +00:00			`POST ./{device_id}/issue: Request certificate issuance for a device.`
HTTP status codes and documentation 2022-04-07 06:23:09 +00:00
			`Status:`

			`- 403: no user permission to edit device`
			`- 409: device certificate cannot be "issued"`
device: request_certificate (no "approval" check) 2022-04-01 17:51:01 +00:00			`"""`

			`# check permission`
			`if not current_user.can_edit(device):`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`# can only "request" on an uncertified device`
			`if device.status is not DeviceStatus.uncertified:`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`raise HTTPException(status_code=status.HTTP_409_CONFLICT)`
check issue permission 2022-04-02 21:24:44 +00:00
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`device.set_status(DeviceStatus.pending)`
check issue permission 2022-04-02 21:24:44 +00:00
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`# check if we can issue the certificate immediately`
			`if current_user.can_issue:`
EASYRSA global object 2022-04-05 22:39:09 +00:00			`if (certificate := EASYRSA.issue(`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`dn=DistinguishedName.build(device)`
			`)) is not None:`
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`device.set_status(DeviceStatus.certified)`
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`device.expiry = certificate.not_valid_after`
check issue permission 2022-04-02 21:24:44 +00:00
/{device_id}/issue mostly done 2022-04-05 01:55:35 +00:00			`# return updated device`
			`device.update()`
			`return device`
certificate renewal 2022-04-06 00:34:37 +00:00

			`@router.post(`
			`"/{device_id}/renew",`
			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,`
			`status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,`
			`status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,`
			`},`
			`response_model=DeviceRead,`
			`)`
			`async def request_certificate_renewal(`
			`current_user: User = Depends(get_current_user),`
			`device: Device = Depends(get_device_by_id),`
			`) -> Device:`
			`"""`
			`POST ./{device_id}/renew: Request certificate renewal for a device.`
HTTP status codes and documentation 2022-04-07 06:23:09 +00:00
			`Status:`

			`- 403: no user permission to edit device`
			`- 409: device certificate cannot be "renewed"`
certificate renewal 2022-04-06 00:34:37 +00:00			`"""`

			`# check permission`
			`if not current_user.can_edit(device):`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`# can only "renew" on an already certified device`
			`if device.status is not DeviceStatus.certified:`
certificate renewal 2022-04-06 00:34:37 +00:00			`raise HTTPException(status_code=status.HTTP_409_CONFLICT)`

"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`device.set_status(DeviceStatus.pending)`
certificate renewal 2022-04-06 00:34:37 +00:00
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`# check if we can renew the certificate immediately`
			`if current_user.can_renew:`
certificate renewal 2022-04-06 00:34:37 +00:00			`if (certificate := EASYRSA.renew(`
			`dn=DistinguishedName.build(device)`
			`)) is not None:`
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`device.set_status(DeviceStatus.certified)`
certificate renewal 2022-04-06 00:34:37 +00:00			`device.expiry = certificate.not_valid_after`

			`# return updated device`
			`device.update()`
			`return device`
device revoke endpoint 2022-04-07 05:44:42 +00:00

			`@router.post(`
			`"/{device_id}/revoke",`
			`responses={`
			`status.HTTP_200_OK: Responses.OK,`
			`status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,`
			`status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,`
			`status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,`
			`status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,`
			`status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,`
			`},`
			`response_model=DeviceRead,`
			`)`
			`async def revoke_certificate(`
			`current_user: User = Depends(get_current_user),`
			`device: Device = Depends(get_device_by_id),`
			`) -> Device:`
			`"""`
			`POST ./{device_id}/revoke: Revoke a device certificate.`
HTTP status codes and documentation 2022-04-07 06:23:09 +00:00
			`Status:`

			`- 403: no user permission to edit device`
			`- 409: device certificate cannot be "revoked"`
device revoke endpoint 2022-04-07 05:44:42 +00:00			`"""`

			`# check permission`
			`if not current_user.can_edit(device):`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`

"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`# can only "revoke" on a currently certified device`
			`if device.status is not DeviceStatus.certified:`
device revoke endpoint 2022-04-07 05:44:42 +00:00			`raise HTTPException(status_code=status.HTTP_409_CONFLICT)`

			`# revoke the device certificate`
			`EASYRSA.revoke(dn=DistinguishedName.build(device))`

			`# reset the device`
"approved: bool \| None" -> "status: DeviceStatus" 2022-04-07 08:00:41 +00:00			`device.set_status(DeviceStatus.uncertified)`
device revoke endpoint 2022-04-07 05:44:42 +00:00			`device.expiry = None`

			`# return updated device`
			`device.update()`
			`return device`