1
0
Fork 0
mirror of synced 2024-11-25 10:15:35 -05:00

logs, gofmt

This commit is contained in:
Vitaliy Snurnitsin 2021-12-30 11:24:44 +03:00
parent 5af16605d2
commit 9b1b34d4c4
2 changed files with 266 additions and 205 deletions

View file

@ -3,17 +3,18 @@ package main
import ( import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"log"
"net/http" "net/http"
"os" "os"
"os/exec" "os/exec"
"time" "time"
log "github.com/sirupsen/logrus"
) )
func parseDate(layout,datetime string) time.Time { func parseDate(layout,datetime string) time.Time {
t, err := time.Parse(layout, datetime) t, err := time.Parse(layout, datetime)
if err != nil { if err != nil {
log.Println(err) log.Errorln(err)
} }
return t return t
} }
@ -27,9 +28,7 @@ func parseDateToUnix(layout,datetime string) int64 {
} }
func runBash(script string) string { func runBash(script string) string {
if *debug { log.Debugln(script)
log.Println(script)
}
cmd := exec.Command("bash", "-c", script) cmd := exec.Command("bash", "-c", script)
stdout, err := cmd.CombinedOutput() stdout, err := cmd.CombinedOutput()
if err != nil { if err != nil {
@ -65,7 +64,7 @@ func fCreate(path string) bool {
if os.IsNotExist(err) { if os.IsNotExist(err) {
var file, err = os.Create(path) var file, err = os.Create(path)
if err != nil { if err != nil {
log.Println(err) log.Errorln(err)
return false return false
} }
defer file.Close() defer file.Close()
@ -100,7 +99,7 @@ func fDownload(path, url string, basicAuth bool) error {
} }
if resp.StatusCode != 200 { if resp.StatusCode != 200 {
log.Printf("WARNING: Download file operation for url %s finished with status code %d\n", url, resp.StatusCode ) log.Warnf("WARNING: Download file operation for url %s finished with status code %d\n", url, resp.StatusCode )
} }
defer resp.Body.Close() defer resp.Body.Close()

318
main.go
View file

@ -6,7 +6,6 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"log"
"net" "net"
"net/http" "net/http"
"os" "os"
@ -23,6 +22,7 @@ import (
"github.com/gobuffalo/packr/v2" "github.com/gobuffalo/packr/v2"
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp" "github.com/prometheus/client_golang/prometheus/promhttp"
log "github.com/sirupsen/logrus"
"gopkg.in/alecthomas/kingpin.v2" "gopkg.in/alecthomas/kingpin.v2"
) )
@ -44,30 +44,30 @@ const (
) )
var ( var (
listenHost = kingpin.Flag("listen.host","host for ovpn-admin").Default("0.0.0.0").Envar("OVPN_LISTEN_HOST").String() listenHost = kingpin.Flag("listen.host", "host for ovpn-admin").Default("0.0.0.0").Envar("OVPN_LISTEN_HOST").String()
listenPort = kingpin.Flag("listen.port","port for ovpn-admin").Default("8080").Envar("OVPN_LISTEN_PORT").String() listenPort = kingpin.Flag("listen.port", "port for ovpn-admin").Default("8080").Envar("OVPN_LISTEN_PORT").String()
serverRole = kingpin.Flag("role","server role, master or slave").Default("master").Envar("OVPN_ROLE").HintOptions("master", "slave").String() serverRole = kingpin.Flag("role", "server role, master or slave").Default("master").Envar("OVPN_ROLE").HintOptions("master", "slave").String()
masterHost = kingpin.Flag("master.host","URL for the master server").Default("http://127.0.0.1").Envar("OVPN_MASTER_HOST").String() masterHost = kingpin.Flag("master.host", "URL for the master server").Default("http://127.0.0.1").Envar("OVPN_MASTER_HOST").String()
masterBasicAuthUser = kingpin.Flag("master.basic-auth.user","user for master server's Basic Auth").Default("").Envar("OVPN_MASTER_USER").String() masterBasicAuthUser = kingpin.Flag("master.basic-auth.user", "user for master server's Basic Auth").Default("").Envar("OVPN_MASTER_USER").String()
masterBasicAuthPassword = kingpin.Flag("master.basic-auth.password","password for master server's Basic Auth").Default("").Envar("OVPN_MASTER_PASSWORD").String() masterBasicAuthPassword = kingpin.Flag("master.basic-auth.password", "password for master server's Basic Auth").Default("").Envar("OVPN_MASTER_PASSWORD").String()
masterSyncFrequency = kingpin.Flag("master.sync-frequency", "master host data sync frequency in seconds").Default("600").Envar("OVPN_MASTER_SYNC_FREQUENCY").Int() masterSyncFrequency = kingpin.Flag("master.sync-frequency", "master host data sync frequency in seconds").Default("600").Envar("OVPN_MASTER_SYNC_FREQUENCY").Int()
masterSyncToken = kingpin.Flag("master.sync-token", "master host data sync security token").Default("VerySecureToken").Envar("OVPN_MASTER_TOKEN").PlaceHolder("TOKEN").String() masterSyncToken = kingpin.Flag("master.sync-token", "master host data sync security token").Default("VerySecureToken").Envar("OVPN_MASTER_TOKEN").PlaceHolder("TOKEN").String()
openvpnNetwork = kingpin.Flag("ovpn.network","NETWORK/MASK_PREFIX for OpenVPN server").Default("172.16.100.0/24").Envar("OVPN_NETWORK").String() openvpnNetwork = kingpin.Flag("ovpn.network", "NETWORK/MASK_PREFIX for OpenVPN server").Default("172.16.100.0/24").Envar("OVPN_NETWORK").String()
openvpnServer = kingpin.Flag("ovpn.server","HOST:PORT:PROTOCOL for OpenVPN server; can have multiple values").Default("127.0.0.1:7777:tcp").Envar("OVPN_SERVER").PlaceHolder("HOST:PORT:PROTOCOL").Strings() openvpnServer = kingpin.Flag("ovpn.server", "HOST:PORT:PROTOCOL for OpenVPN server; can have multiple values").Default("127.0.0.1:7777:tcp").Envar("OVPN_SERVER").PlaceHolder("HOST:PORT:PROTOCOL").Strings()
openvpnServerBehindLB = kingpin.Flag("ovpn.server.behindLB","enable if your OpenVPN server is behind Kubernetes Service having the LoadBalancer type").Default("false").Envar("OVPN_LB").Bool() openvpnServerBehindLB = kingpin.Flag("ovpn.server.behindLB", "enable if your OpenVPN server is behind Kubernetes Service having the LoadBalancer type").Default("false").Envar("OVPN_LB").Bool()
openvpnServiceName = kingpin.Flag("ovpn.service","the name of Kubernetes Service having the LoadBalancer type if your OpenVPN server is behind it").Default("openvpn-external").Envar("OVPN_LB_SERVICE").String() openvpnServiceName = kingpin.Flag("ovpn.service", "the name of Kubernetes Service having the LoadBalancer type if your OpenVPN server is behind it").Default("openvpn-external").Envar("OVPN_LB_SERVICE").String()
mgmtAddress = kingpin.Flag("mgmt","ALIAS=HOST:PORT for OpenVPN server mgmt interface; can have multiple values").Default("main=127.0.0.1:8989").Envar("OVPN_MGMT").Strings() mgmtAddress = kingpin.Flag("mgmt", "ALIAS=HOST:PORT for OpenVPN server mgmt interface; can have multiple values").Default("main=127.0.0.1:8989").Envar("OVPN_MGMT").Strings()
metricsPath = kingpin.Flag("metrics.path", "URL path for exposing collected metrics").Default("/metrics").Envar("OVPN_METRICS_PATH").String() metricsPath = kingpin.Flag("metrics.path", "URL path for exposing collected metrics").Default("/metrics").Envar("OVPN_METRICS_PATH").String()
easyrsaDirPath = kingpin.Flag("easyrsa.path", "path to easyrsa dir").Default("./easyrsa/").Envar("EASYRSA_PATH").String() easyrsaDirPath = kingpin.Flag("easyrsa.path", "path to easyrsa dir").Default("./easyrsa").Envar("EASYRSA_PATH").String()
indexTxtPath = kingpin.Flag("easyrsa.index-path", "path to easyrsa index file").Default("./easyrsa/pki/index.txt").Envar("OVPN_INDEX_PATH").String() indexTxtPath = kingpin.Flag("easyrsa.index-path", "path to easyrsa index file").Default("").Envar("OVPN_INDEX_PATH").String()
ccdEnabled = kingpin.Flag("ccd", "enable client-config-dir").Default("false").Envar("OVPN_CCD").Bool() ccdEnabled = kingpin.Flag("ccd", "enable client-config-dir").Default("false").Envar("OVPN_CCD").Bool()
ccdDir = kingpin.Flag("ccd.path", "path to client-config-dir").Default("./ccd").Envar("OVPN_CCD_PATH").String() ccdDir = kingpin.Flag("ccd.path", "path to client-config-dir").Default("./ccd").Envar("OVPN_CCD_PATH").String()
clientConfigTemplatePath = kingpin.Flag("templates.clientconfig-path", "path to custom client.conf.tpl").Default("").Envar("OVPN_TEMPLATES_CC_PATH").String() clientConfigTemplatePath = kingpin.Flag("templates.clientconfig-path", "path to custom client.conf.tpl").Default("").Envar("OVPN_TEMPLATES_CC_PATH").String()
ccdTemplatePath = kingpin.Flag("templates.ccd-path", "path to custom ccd.tpl").Default("").Envar("OVPN_TEMPLATES_CCD_PATH").String() ccdTemplatePath = kingpin.Flag("templates.ccd-path", "path to custom ccd.tpl").Default("").Envar("OVPN_TEMPLATES_CCD_PATH").String()
authByPassword = kingpin.Flag("auth.password", "enable additional password authentication").Default("false").Envar("OVPN_AUTH").Bool() authByPassword = kingpin.Flag("auth.password", "enable additional password authentication").Default("false").Envar("OVPN_AUTH").Bool()
authDatabase = kingpin.Flag("auth.db", "database path for password authentication").Default("./easyrsa/pki/users.db").Envar("OVPN_AUTH_DB_PATH").String() authDatabase = kingpin.Flag("auth.db", "database path for password authentication").Default("./easyrsa/pki/users.db").Envar("OVPN_AUTH_DB_PATH").String()
debug = kingpin.Flag("debug", "enable debug mode").Default("false").Envar("OVPN_DEBUG").Bool() logLevel = kingpin.Flag("log.level", "set log level (debug, info, warn, error)").Default("info").Envar("LOG_LEVEL").String()
verbose = kingpin.Flag("verbose", "enable verbose mode").Default("false").Envar("OVPN_VERBOSE").Bool() kubernetesBackend = kingpin.Flag("kubernetes.backend", "use kubernetes secrets for store certificates").Bool()
certsArchivePath = "/tmp/" + certsArchiveFileName certsArchivePath = "/tmp/" + certsArchiveFileName
ccdArchivePath = "/tmp/" + ccdArchiveFileName ccdArchivePath = "/tmp/" + ccdArchiveFileName
@ -75,6 +75,13 @@ var (
version = "1.7.5" version = "1.7.5"
) )
var logLevels = map[string]log.Level{
"debug": log.DebugLevel,
"info": log.InfoLevel,
"warn": log.WarnLevel,
"error": log.ErrorLevel,
}
var ( var (
ovpnServerCertExpire = prometheus.NewGauge(prometheus.GaugeOpts{ ovpnServerCertExpire = prometheus.NewGauge(prometheus.GaugeOpts{
Name: "ovpn_server_cert_expire", Name: "ovpn_server_cert_expire",
@ -178,14 +185,12 @@ type openvpnClientConfig struct {
} }
type OpenvpnClient struct { type OpenvpnClient struct {
Identity string `json:"Identity"` Identity string `json:"Identity"`
AccountStatus string `json:"AccountStatus"` AccountStatus string `json:"AccountStatus"`
ExpirationDate string `json:"ExpirationDate"` ExpirationDate string `json:"ExpirationDate"`
RevocationDate string `json:"RevocationDate"` RevocationDate string `json:"RevocationDate"`
ConnectionStatus string `json:"ConnectionStatus"` ConnectionStatus string `json:"ConnectionStatus"`
ConnectionServer string `json:"ConnectionServer"` ConnectionServer string `json:"ConnectionServer"`
} }
type ccdRoute struct { type ccdRoute struct {
@ -229,7 +234,7 @@ func (oAdmin *OvpnAdmin) userListHandler(w http.ResponseWriter, r *http.Request)
} }
func (oAdmin *OvpnAdmin) userStatisticHandler(w http.ResponseWriter, r *http.Request) { func (oAdmin *OvpnAdmin) userStatisticHandler(w http.ResponseWriter, r *http.Request) {
r.ParseForm() _ = r.ParseForm()
userStatistic, _ := json.Marshal(oAdmin.getUserStatistic(r.FormValue("username"))) userStatistic, _ := json.Marshal(oAdmin.getUserStatistic(r.FormValue("username")))
fmt.Fprintf(w, "%s", userStatistic) fmt.Fprintf(w, "%s", userStatistic)
} }
@ -239,7 +244,7 @@ func (oAdmin *OvpnAdmin) userCreateHandler(w http.ResponseWriter, r *http.Reques
http.Error(w, `{"status":"error"}`, http.StatusLocked) http.Error(w, `{"status":"error"}`, http.StatusLocked)
return return
} }
r.ParseForm() _ = r.ParseForm()
userCreated, userCreateStatus := oAdmin.userCreate(r.FormValue("username"), r.FormValue("password")) userCreated, userCreateStatus := oAdmin.userCreate(r.FormValue("username"), r.FormValue("password"))
if userCreated { if userCreated {
@ -256,7 +261,7 @@ func (oAdmin *OvpnAdmin) userRevokeHandler(w http.ResponseWriter, r *http.Reques
http.Error(w, `{"status":"error"}`, http.StatusLocked) http.Error(w, `{"status":"error"}`, http.StatusLocked)
return return
} }
r.ParseForm() _ = r.ParseForm()
fmt.Fprintf(w, "%s", oAdmin.userRevoke(r.FormValue("username"))) fmt.Fprintf(w, "%s", oAdmin.userRevoke(r.FormValue("username")))
} }
@ -266,12 +271,12 @@ func (oAdmin *OvpnAdmin) userUnrevokeHandler(w http.ResponseWriter, r *http.Requ
return return
} }
r.ParseForm() _ = r.ParseForm()
fmt.Fprintf(w, "%s", oAdmin.userUnrevoke(r.FormValue("username"))) fmt.Fprintf(w, "%s", oAdmin.userUnrevoke(r.FormValue("username")))
} }
func (oAdmin *OvpnAdmin) userChangePasswordHandler(w http.ResponseWriter, r *http.Request) { func (oAdmin *OvpnAdmin) userChangePasswordHandler(w http.ResponseWriter, r *http.Request) {
r.ParseForm() _ = r.ParseForm()
if *authByPassword { if *authByPassword {
passwordChanged, passwordChangeMessage := oAdmin.userChangePassword(r.FormValue("username"), r.FormValue("password")) passwordChanged, passwordChangeMessage := oAdmin.userChangePassword(r.FormValue("username"), r.FormValue("password"))
if passwordChanged { if passwordChanged {
@ -290,18 +295,18 @@ func (oAdmin *OvpnAdmin) userChangePasswordHandler(w http.ResponseWriter, r *htt
} }
func (oAdmin *OvpnAdmin) userShowConfigHandler(w http.ResponseWriter, r *http.Request) { func (oAdmin *OvpnAdmin) userShowConfigHandler(w http.ResponseWriter, r *http.Request) {
r.ParseForm() _ = r.ParseForm()
fmt.Fprintf(w, "%s", oAdmin.renderClientConfig(r.FormValue("username"))) fmt.Fprintf(w, "%s", oAdmin.renderClientConfig(r.FormValue("username")))
} }
func (oAdmin *OvpnAdmin) userDisconnectHandler(w http.ResponseWriter, r *http.Request) { func (oAdmin *OvpnAdmin) userDisconnectHandler(w http.ResponseWriter, r *http.Request) {
r.ParseForm() _ = r.ParseForm()
// fmt.Fprintf(w, "%s", userDisconnect(r.FormValue("username"))) // fmt.Fprintf(w, "%s", userDisconnect(r.FormValue("username")))
fmt.Fprintf(w, "%s", r.FormValue("username")) fmt.Fprintf(w, "%s", r.FormValue("username"))
} }
func (oAdmin *OvpnAdmin) userShowCcdHandler(w http.ResponseWriter, r *http.Request) { func (oAdmin *OvpnAdmin) userShowCcdHandler(w http.ResponseWriter, r *http.Request) {
r.ParseForm() _ = r.ParseForm()
ccd, _ := json.Marshal(oAdmin.getCcd(r.FormValue("username"))) ccd, _ := json.Marshal(oAdmin.getCcd(r.FormValue("username")))
fmt.Fprintf(w, "%s", ccd) fmt.Fprintf(w, "%s", ccd)
} }
@ -319,7 +324,7 @@ func (oAdmin *OvpnAdmin) userApplyCcdHandler(w http.ResponseWriter, r *http.Requ
err := json.NewDecoder(r.Body).Decode(&ccd) err := json.NewDecoder(r.Body).Decode(&ccd)
if err != nil { if err != nil {
log.Println(err) log.Errorln(err)
} }
ccdApplied, applyStatus := oAdmin.modifyCcd(ccd) ccdApplied, applyStatus := oAdmin.modifyCcd(ccd)
@ -336,7 +341,7 @@ func (oAdmin *OvpnAdmin) userApplyCcdHandler(w http.ResponseWriter, r *http.Requ
func (oAdmin *OvpnAdmin) serverSettingsHandler(w http.ResponseWriter, r *http.Request) { func (oAdmin *OvpnAdmin) serverSettingsHandler(w http.ResponseWriter, r *http.Request) {
enabledModules, enabledModulesErr := json.Marshal(oAdmin.modules) enabledModules, enabledModulesErr := json.Marshal(oAdmin.modules)
if enabledModulesErr != nil { if enabledModulesErr != nil {
log.Printf("ERROR: %s\n", enabledModulesErr) log.Errorln(enabledModulesErr)
} }
fmt.Fprintf(w, `{"status":"ok", "serverRole": "%s", "modules": %s }`, oAdmin.role, string(enabledModules)) fmt.Fprintf(w, `{"status":"ok", "serverRole": "%s", "modules": %s }`, oAdmin.role, string(enabledModules))
} }
@ -354,7 +359,7 @@ func (oAdmin *OvpnAdmin) downloadCertsHandler(w http.ResponseWriter, r *http.Req
http.Error(w, `{"status":"error"}`, http.StatusLocked) http.Error(w, `{"status":"error"}`, http.StatusLocked)
return return
} }
r.ParseForm() _ = r.ParseForm()
token := r.Form.Get("token") token := r.Form.Get("token")
if token != oAdmin.masterSyncToken { if token != oAdmin.masterSyncToken {
@ -372,7 +377,7 @@ func (oAdmin *OvpnAdmin) downloadCcdHandler(w http.ResponseWriter, r *http.Reque
http.Error(w, `{"status":"error"}`, http.StatusLocked) http.Error(w, `{"status":"error"}`, http.StatusLocked)
return return
} }
r.ParseForm() _ = r.ParseForm()
token := r.Form.Get("token") token := r.Form.Get("token")
if token != oAdmin.masterSyncToken { if token != oAdmin.masterSyncToken {
@ -385,10 +390,26 @@ func (oAdmin *OvpnAdmin) downloadCcdHandler(w http.ResponseWriter, r *http.Reque
http.ServeFile(w, r, ccdArchivePath) http.ServeFile(w, r, ccdArchivePath)
} }
var app OpenVPNPKI
func main() { func main() {
kingpin.Version(version) kingpin.Version(version)
kingpin.Parse() kingpin.Parse()
log.SetLevel(logLevels[*logLevel])
log.SetFormatter(&log.JSONFormatter{})
if *kubernetesBackend {
err := app.run()
if err != nil {
log.Error(err)
}
}
if *indexTxtPath == "" {
*indexTxtPath = *easyrsaDirPath + "/pki/index.txt"
}
ovpnAdmin := new(OvpnAdmin) ovpnAdmin := new(OvpnAdmin)
ovpnAdmin.lastSyncTime = "unknown" ovpnAdmin.lastSyncTime = "unknown"
ovpnAdmin.role = *serverRole ovpnAdmin.role = *serverRole
@ -430,14 +451,6 @@ func main() {
go ovpnAdmin.syncWithMaster() go ovpnAdmin.syncWithMaster()
} }
if *debug {
log.Println("Runnnig in debug mode")
}
if *verbose {
log.Println("Runnnig in verbose mode")
}
ovpnAdmin.templates = packr.New("template", "./templates") ovpnAdmin.templates = packr.New("template", "./templates")
staticBox := packr.New("static", "./frontend/static") staticBox := packr.New("static", "./frontend/static")
@ -550,7 +563,7 @@ func (oAdmin *OvpnAdmin) getClientConfigTemplate() *template.Template {
} else { } else {
clientConfigTpl, clientConfigTplErr := oAdmin.templates.FindString("client.conf.tpl") clientConfigTpl, clientConfigTplErr := oAdmin.templates.FindString("client.conf.tpl")
if clientConfigTplErr != nil { if clientConfigTplErr != nil {
log.Println("ERROR: clientConfigTpl not found in templates box") log.Errorln("clientConfigTpl not found in templates box")
} }
return template.Must(template.New("client-config").Parse(clientConfigTpl)) return template.Must(template.New("client-config").Parse(clientConfigTpl))
} }
@ -564,20 +577,43 @@ func (oAdmin *OvpnAdmin) renderClientConfig(username string) string {
parts := strings.SplitN(server, ":", 3) parts := strings.SplitN(server, ":", 3)
hosts = append(hosts, OpenvpnServer{Host: parts[0], Port: parts[1], Protocol: parts[2]}) hosts = append(hosts, OpenvpnServer{Host: parts[0], Port: parts[1], Protocol: parts[2]})
} }
if *openvpnServerBehindLB { if *openvpnServerBehindLB {
hosts = getOvpnServerHostsFromKubeApi() var err error
hosts, err = getOvpnServerHostsFromKubeApi()
if err != nil {
log.Error(err)
}
} }
if *debug { externalHost := os.Getenv("EXTERNAL_HOST")
log.Printf("WARNING: hosts for %s\n %v", username, hosts) externalPort := os.Getenv("EXTERNAL_PORT")
if externalHost != "" {
hosts[0].Host = externalHost
} }
if externalPort != "" {
hosts[0].Port = externalPort
}
log.Debugf("hosts for %s\n %v", username, hosts)
conf := openvpnClientConfig{} conf := openvpnClientConfig{}
conf.Hosts = hosts conf.Hosts = hosts
conf.CA = fRead(*easyrsaDirPath + "/pki/ca.crt") conf.CA = fRead(*easyrsaDirPath + "/pki/ca.crt")
conf.TLS = fRead(*easyrsaDirPath + "/pki/ta.key")
if *kubernetesBackend {
clientCert := app.easyrsaGetClientCert(username)
conf.Cert = clientCert.CertPEM.String()
conf.Key = clientCert.PrivKeyPEM.String()
} else {
conf.Cert = fRead(*easyrsaDirPath + "/pki/issued/" + username + ".crt") conf.Cert = fRead(*easyrsaDirPath + "/pki/issued/" + username + ".crt")
conf.Key = fRead(*easyrsaDirPath + "/pki/private/" + username + ".key") conf.Key = fRead(*easyrsaDirPath + "/pki/private/" + username + ".key")
conf.TLS = fRead(*easyrsaDirPath + "/pki/ta.key")
}
conf.PasswdAuth = *authByPassword conf.PasswdAuth = *authByPassword
t := oAdmin.getClientConfigTemplate() t := oAdmin.getClientConfigTemplate()
@ -585,19 +621,17 @@ func (oAdmin *OvpnAdmin) renderClientConfig(username string) string {
var tmp bytes.Buffer var tmp bytes.Buffer
err := t.Execute(&tmp, conf) err := t.Execute(&tmp, conf)
if err != nil { if err != nil {
log.Printf("ERROR: something goes wrong during rendering config for %s\n", username ) log.Errorf("ERROR: something goes wrong during rendering config for %s\n", username)
if *debug { log.Debugf("DEBUG: rendering config for %s failed with error %v\n", username, err)
log.Printf("DEBUG: rendering config for %s failed with error %v\n", username, err )
}
} }
hosts = nil hosts = nil
if *verbose {
log.Printf("INFO: Rendered config for user %s: %+v\n", username, tmp.String()) log.Debugf("INFO: Rendered config for user %s: %+v\n", username, tmp.String())
}
return fmt.Sprintf("%+v\n", tmp.String()) return fmt.Sprintf("%+v\n", tmp.String())
} }
log.Printf("WARNING: User \"%s\" not found", username) log.Warnf("WARNING: User \"%s\" not found", username)
return fmt.Sprintf("User \"%s\" not found", username) return fmt.Sprintf("User \"%s\" not found", username)
} }
@ -607,7 +641,7 @@ func (oAdmin *OvpnAdmin) getCcdTemplate() *template.Template {
} else { } else {
ccdTpl, ccdTplErr := oAdmin.templates.FindString("ccd.tpl") ccdTpl, ccdTplErr := oAdmin.templates.FindString("ccd.tpl")
if ccdTplErr != nil { if ccdTplErr != nil {
log.Printf("ERROR: ccdTpl not found in templates box") log.Errorf("ccdTpl not found in templates box")
} }
return template.Must(template.New("ccd").Parse(ccdTpl)) return template.Must(template.New("ccd").Parse(ccdTpl))
} }
@ -650,7 +684,7 @@ func (oAdmin *OvpnAdmin) modifyCcd(ccd Ccd) (bool, string) {
var tmp bytes.Buffer var tmp bytes.Buffer
tplErr := t.Execute(&tmp, ccd) tplErr := t.Execute(&tmp, ccd)
if tplErr != nil { if tplErr != nil {
log.Println(tplErr) log.Errorln(tplErr)
} }
fWrite(*ccdDir+"/"+ccd.User, tmp.String()) fWrite(*ccdDir+"/"+ccd.User, tmp.String())
return true, "ccd updated successfully" return true, "ccd updated successfully"
@ -667,30 +701,24 @@ func validateCcd(ccd Ccd) (bool, string) {
if ccd.ClientAddress != "dynamic" { if ccd.ClientAddress != "dynamic" {
_, ovpnNet, err := net.ParseCIDR(*openvpnNetwork) _, ovpnNet, err := net.ParseCIDR(*openvpnNetwork)
if err != nil { if err != nil {
log.Println(err) log.Errorln(err)
} }
if ! checkStaticAddressIsFree(ccd.ClientAddress, ccd.User) { if !checkStaticAddressIsFree(ccd.ClientAddress, ccd.User) {
ccdErr = fmt.Sprintf("ClientAddress \"%s\" already assigned to another user", ccd.ClientAddress) ccdErr = fmt.Sprintf("ClientAddress \"%s\" already assigned to another user", ccd.ClientAddress)
if *debug { log.Debugf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
log.Printf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
}
return false, ccdErr return false, ccdErr
} }
if net.ParseIP(ccd.ClientAddress) == nil { if net.ParseIP(ccd.ClientAddress) == nil {
ccdErr = fmt.Sprintf("ClientAddress \"%s\" not a valid IP address", ccd.ClientAddress) ccdErr = fmt.Sprintf("ClientAddress \"%s\" not a valid IP address", ccd.ClientAddress)
if *debug { log.Debugf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
log.Printf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
}
return false, ccdErr return false, ccdErr
} }
if ! ovpnNet.Contains(net.ParseIP(ccd.ClientAddress)) { if !ovpnNet.Contains(net.ParseIP(ccd.ClientAddress)) {
ccdErr = fmt.Sprintf("ClientAddress \"%s\" not belongs to openvpn server network", ccd.ClientAddress) ccdErr = fmt.Sprintf("ClientAddress \"%s\" not belongs to openvpn server network", ccd.ClientAddress)
if *debug { log.Debugf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
log.Printf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
}
return false, ccdErr return false, ccdErr
} }
} }
@ -698,17 +726,13 @@ func validateCcd(ccd Ccd) (bool, string) {
for _, route := range ccd.CustomRoutes { for _, route := range ccd.CustomRoutes {
if net.ParseIP(route.Address) == nil { if net.ParseIP(route.Address) == nil {
ccdErr = fmt.Sprintf("CustomRoute.Address \"%s\" must be a valid IP address", route.Address) ccdErr = fmt.Sprintf("CustomRoute.Address \"%s\" must be a valid IP address", route.Address)
if *debug { log.Debugf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
log.Printf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
}
return false, ccdErr return false, ccdErr
} }
if net.ParseIP(route.Mask) == nil { if net.ParseIP(route.Mask) == nil {
ccdErr = fmt.Sprintf("CustomRoute.Mask \"%s\" must be a valid IP address", route.Mask) ccdErr = fmt.Sprintf("CustomRoute.Mask \"%s\" must be a valid IP address", route.Mask)
if *debug { log.Debugf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
log.Printf("ERROR: Modify ccd for user %s: %s\n", ccd.User, ccdErr)
}
return false, ccdErr return false, ccdErr
} }
} }
@ -751,7 +775,18 @@ func validatePassword(password string) bool {
} }
func checkUserExist(username string) bool { func checkUserExist(username string) bool {
for _, u := range indexTxtParser(fRead(*indexTxtPath)) { var indexTxt string
if *kubernetesBackend {
var err error
indexTxt, err = app.secretGetIndexTxt()
if err != nil {
log.Error(err)
}
} else {
indexTxt = fRead(*indexTxtPath)
}
for _, u := range indexTxtParser(indexTxt) {
if u.DistinguishedName == ("/CN=" + username) { if u.DistinguishedName == ("/CN=" + username) {
return true return true
} }
@ -769,7 +804,18 @@ func (oAdmin *OvpnAdmin) usersList() []OpenvpnClient {
connectedUsers := 0 connectedUsers := 0
apochNow := time.Now().Unix() apochNow := time.Now().Unix()
for _, line := range indexTxtParser(fRead(*indexTxtPath)) { var indexTxt string
if *kubernetesBackend {
var err error
indexTxt, err = app.secretGetIndexTxt()
if err != nil {
log.Error(err)
}
} else {
indexTxt = fRead(*indexTxtPath)
}
for _, line := range indexTxtParser(indexTxt) {
if line.Identity != "server" { if line.Identity != "server" {
totalCerts += 1 totalCerts += 1
ovpnClient := OpenvpnClient{Identity: line.Identity, ExpirationDate: parseDateToString(indexTxtDateLayout, line.ExpirationDate, stringDateFormat)} ovpnClient := OpenvpnClient{Identity: line.Identity, ExpirationDate: parseDateToString(indexTxtDateLayout, line.ExpirationDate, stringDateFormat)}
@ -808,7 +854,7 @@ func (oAdmin *OvpnAdmin) usersList() []OpenvpnClient {
otherCerts := totalCerts - validCerts - revokedCerts - expiredCerts otherCerts := totalCerts - validCerts - revokedCerts - expiredCerts
if otherCerts != 0 { if otherCerts != 0 {
log.Printf("WARNING: there are %d otherCerts\n", otherCerts) log.Warnf("there are %d otherCerts\n", otherCerts)
} }
ovpnClientsTotal.Set(float64(totalCerts)) ovpnClientsTotal.Set(float64(totalCerts))
@ -824,41 +870,41 @@ func (oAdmin *OvpnAdmin) userCreate(username, password string) (bool, string) {
if checkUserExist(username) { if checkUserExist(username) {
ucErr = fmt.Sprintf("User \"%s\" already exists\n", username) ucErr = fmt.Sprintf("User \"%s\" already exists\n", username)
if *debug { log.Debugf("ERROR: userCreate: %s\n", ucErr)
log.Printf("ERROR: userCreate: %s\n", ucErr)
}
return false, ucErr return false, ucErr
} }
if !validateUsername(username) { if !validateUsername(username) {
ucErr = fmt.Sprintf("Username \"%s\" incorrect, you can use only %s\n", username, usernameRegexp) ucErr = fmt.Sprintf("Username \"%s\" incorrect, you can use only %s\n", username, usernameRegexp)
if *debug { log.Debugf("ERROR: userCreate: %s\n", ucErr)
log.Printf("ERROR: userCreate: %s\n", ucErr)
}
return false, ucErr return false, ucErr
} }
if *authByPassword { if *authByPassword {
if !validatePassword(password) { if !validatePassword(password) {
ucErr = fmt.Sprintf("Password too short, password length must be greater or equal %d", passwordMinLength) ucErr = fmt.Sprintf("Password too short, password length must be greater or equal %d", passwordMinLength)
if *debug { log.Debugf("ERROR: userCreate: %s\n", ucErr)
log.Printf("ERROR: userCreate: %s\n", ucErr)
}
return false, ucErr return false, ucErr
} }
} }
if *kubernetesBackend {
err := app.easyrsaBuildClient(username)
if err != nil {
log.Error(err)
}
} else {
o := runBash(fmt.Sprintf("date +%%Y-%%m-%%d\\ %%H:%%M:%%S && cd %s && easyrsa build-client-full %s nopass", *easyrsaDirPath, username)) o := runBash(fmt.Sprintf("date +%%Y-%%m-%%d\\ %%H:%%M:%%S && cd %s && easyrsa build-client-full %s nopass", *easyrsaDirPath, username))
log.Println(o) log.Println(o)
}
if *authByPassword { if *authByPassword {
o = runBash(fmt.Sprintf("openvpn-user create --db.path %s --user %s --password %s", *authDatabase, username, password)) o := runBash(fmt.Sprintf("openvpn-user create --db.path %s --user %s --password %s", *authDatabase, username, password))
log.Println(o) log.Println(o)
} }
if *verbose { log.Infof("INFO: user created: %s\n", username)
log.Printf("INFO: user created: %s\n", username)
}
oAdmin.clients = oAdmin.usersList() oAdmin.clients = oAdmin.usersList()
@ -873,9 +919,7 @@ func (oAdmin *OvpnAdmin) userChangePassword(username, password string) (bool, st
if !validatePassword(password) { if !validatePassword(password) {
ucpErr := fmt.Sprintf("Password for too short, password length must be greater or equal %d", passwordMinLength) ucpErr := fmt.Sprintf("Password for too short, password length must be greater or equal %d", passwordMinLength)
if *debug { log.Debugf("ERROR: userChangePassword: %s\n", ucpErr)
log.Printf("ERROR: userChangePassword: %s\n", ucpErr)
}
return false, ucpErr return false, ucpErr
} }
@ -888,9 +932,8 @@ func (oAdmin *OvpnAdmin) userChangePassword(username, password string) (bool, st
o = runBash(fmt.Sprintf("openvpn-user change-password --db.path %s --user %s --password %s", *authDatabase, username, password)) o = runBash(fmt.Sprintf("openvpn-user change-password --db.path %s --user %s --password %s", *authDatabase, username, password))
log.Println(o) log.Println(o)
if *verbose { log.Infof("INFO: password for user %s was changed\n", username)
log.Printf("INFO: password for user %s was changed\n", username)
}
return true, "Password changed" return true, "Password changed"
} }
@ -907,29 +950,45 @@ func (oAdmin *OvpnAdmin) getUserStatistic(username string) clientStatus {
} }
func (oAdmin *OvpnAdmin) userRevoke(username string) string { func (oAdmin *OvpnAdmin) userRevoke(username string) string {
var shellOut string
if checkUserExist(username) { if checkUserExist(username) {
// check certificate valid flag 'V' // check certificate valid flag 'V'
o := runBash(fmt.Sprintf("date +%%Y-%%m-%%d\\ %%H:%%M:%%S && cd %s && echo yes | easyrsa revoke %s && easyrsa gen-crl", *easyrsaDirPath, username)) if *kubernetesBackend {
err := app.easyrsaRevoke(username)
if err != nil {
log.Error(err)
}
} else {
shellOut = runBash(fmt.Sprintf("date +%%Y-%%m-%%d\\ %%H:%%M:%%S && cd %s && echo yes | easyrsa revoke %s && easyrsa gen-crl", *easyrsaDirPath, username))
log.Debug(shellOut)
}
if *authByPassword { if *authByPassword {
o = runBash(fmt.Sprintf("openvpn-user revoke --db-path %s --user %s", *authDatabase, username)) shellOut = runBash(fmt.Sprintf("openvpn-user revoke --db-path %s --user %s", *authDatabase, username))
//fmt.Println(o) //log.Debug(shellOut)
} }
crlFix() crlFix()
userConnected, userConnectedTo := isUserConnected(username, oAdmin.activeClients) userConnected, userConnectedTo := isUserConnected(username, oAdmin.activeClients)
if userConnected { if userConnected {
oAdmin.mgmtKillUserConnection(username, userConnectedTo) oAdmin.mgmtKillUserConnection(username, userConnectedTo)
log.Printf("Session for user \"%s\" session killed\n", username) log.Infof("Session for user \"%s\" session killed\n", username)
} }
oAdmin.clients = oAdmin.usersList() oAdmin.clients = oAdmin.usersList()
return fmt.Sprintln(o) return fmt.Sprintln(shellOut)
} }
log.Printf("User \"%s\" not found\n", username) log.Infof("User \"%s\" not found\n", username)
return fmt.Sprintf("User \"%s\" not found", username) return fmt.Sprintf("User \"%s\" not found", username)
} }
func (oAdmin *OvpnAdmin) userUnrevoke(username string) string { func (oAdmin *OvpnAdmin) userUnrevoke(username string) string {
if checkUserExist(username) { if checkUserExist(username) {
if *kubernetesBackend {
err := app.easyrsaUnrevoke(username)
if err != nil {
log.Error(err)
}
} else {
// check certificate revoked flag 'R' // check certificate revoked flag 'R'
usersFromIndexTxt := indexTxtParser(fRead(*indexTxtPath)) usersFromIndexTxt := indexTxtParser(fRead(*indexTxtPath))
for i := range usersFromIndexTxt { for i := range usersFromIndexTxt {
@ -962,6 +1021,7 @@ func (oAdmin *OvpnAdmin) userUnrevoke(username string) string {
} }
fWrite(*indexTxtPath, renderIndexTxt(usersFromIndexTxt)) fWrite(*indexTxtPath, renderIndexTxt(usersFromIndexTxt))
fmt.Print(renderIndexTxt(usersFromIndexTxt)) fmt.Print(renderIndexTxt(usersFromIndexTxt))
}
crlFix() crlFix()
oAdmin.clients = oAdmin.usersList() oAdmin.clients = oAdmin.usersList()
return fmt.Sprintf("{\"msg\":\"User %s successfully unrevoked\"}", username) return fmt.Sprintf("{\"msg\":\"User %s successfully unrevoked\"}", username)
@ -1034,7 +1094,7 @@ func (oAdmin *OvpnAdmin) mgmtConnectedUsersParser(text, serverName string) []cli
func (oAdmin *OvpnAdmin) mgmtKillUserConnection(username, serverName string) { func (oAdmin *OvpnAdmin) mgmtKillUserConnection(username, serverName string) {
conn, err := net.Dial("tcp", oAdmin.mgmtInterfaces[serverName]) conn, err := net.Dial("tcp", oAdmin.mgmtInterfaces[serverName])
if err != nil { if err != nil {
log.Printf("WARNING: openvpn mgmt interface for %s is not reachable by addr %s\n", serverName, oAdmin.mgmtInterfaces[serverName]) log.Errorf("WARNING: openvpn mgmt interface for %s is not reachable by addr %s\n", serverName, oAdmin.mgmtInterfaces[serverName])
return return
} }
oAdmin.mgmtRead(conn) // read welcome message oAdmin.mgmtRead(conn) // read welcome message
@ -1049,7 +1109,7 @@ func (oAdmin *OvpnAdmin) mgmtGetActiveClients() []clientStatus {
for srv, addr := range oAdmin.mgmtInterfaces { for srv, addr := range oAdmin.mgmtInterfaces {
conn, err := net.Dial("tcp", addr) conn, err := net.Dial("tcp", addr)
if err != nil { if err != nil {
log.Printf("WARNING: openvpn mgmt interface for %s is not reachable by addr %s\n", srv, addr) log.Errorf("WARNING: openvpn mgmt interface for %s is not reachable by addr %s\n", srv, addr)
break break
} }
oAdmin.mgmtRead(conn) // read welcome message oAdmin.mgmtRead(conn) // read welcome message
@ -1075,7 +1135,7 @@ func (oAdmin *OvpnAdmin) downloadCerts() bool {
} }
err := fDownload(certsArchivePath, *masterHost+downloadCertsApiUrl+"?token="+oAdmin.masterSyncToken, oAdmin.masterHostBasicAuth) err := fDownload(certsArchivePath, *masterHost+downloadCertsApiUrl+"?token="+oAdmin.masterSyncToken, oAdmin.masterHostBasicAuth)
if err != nil { if err != nil {
log.Println(err) log.Errorln(err)
return false return false
} }
@ -1089,7 +1149,7 @@ func (oAdmin *OvpnAdmin) downloadCcd() bool {
err := fDownload(ccdArchivePath, *masterHost+downloadCcdApiUrl+"?token="+oAdmin.masterSyncToken, oAdmin.masterHostBasicAuth) err := fDownload(ccdArchivePath, *masterHost+downloadCcdApiUrl+"?token="+oAdmin.masterSyncToken, oAdmin.masterHostBasicAuth)
if err != nil { if err != nil {
log.Println(err) log.Errorln(err)
return false return false
} }
@ -1127,25 +1187,25 @@ func (oAdmin *OvpnAdmin) syncDataFromMaster() {
for certsDownloadFailed && certsDownloadRetries < retryCountMax { for certsDownloadFailed && certsDownloadRetries < retryCountMax {
certsDownloadRetries += 1 certsDownloadRetries += 1
log.Printf("Downloading certs archive from master. Attempt %d\n", certsDownloadRetries) log.Infof("Downloading certs archive from master. Attempt %d\n", certsDownloadRetries)
if oAdmin.downloadCerts() { if oAdmin.downloadCerts() {
certsDownloadFailed = false certsDownloadFailed = false
log.Println("Decompression certs archive from master") log.Infoln("Decompression certs archive from master")
unArchiveCerts() unArchiveCerts()
} else { } else {
log.Printf("WARNING: something goes wrong during downloading certs from master. Attempt %d\n", certsDownloadRetries) log.Warnf("WARNING: something goes wrong during downloading certs from master. Attempt %d\n", certsDownloadRetries)
} }
} }
for ccdDownloadFailed && ccdDownloadRetries < retryCountMax { for ccdDownloadFailed && ccdDownloadRetries < retryCountMax {
ccdDownloadRetries += 1 ccdDownloadRetries += 1
log.Printf("Downloading ccd archive from master. Attempt %d\n", ccdDownloadRetries) log.Infof("Downloading ccd archive from master. Attempt %d\n", ccdDownloadRetries)
if oAdmin.downloadCcd() { if oAdmin.downloadCcd() {
ccdDownloadFailed = false ccdDownloadFailed = false
log.Println("Decompression ccd archive from master") log.Infoln("Decompression ccd archive from master")
unArchiveCcd() unArchiveCcd()
} else { } else {
log.Printf("WARNING: something goes wrong during downloading certs from master. Attempt %d\n", ccdDownloadRetries) log.Warnf("WARNING: something goes wrong during downloading certs from master. Attempt %d\n", ccdDownloadRetries)
} }
} }
@ -1162,31 +1222,29 @@ func (oAdmin *OvpnAdmin) syncWithMaster() {
} }
} }
func getOvpnServerHostsFromKubeApi() ([]OpenvpnServer, error) {
func getOvpnServerHostsFromKubeApi() []OpenvpnServer {
var hosts []OpenvpnServer var hosts []OpenvpnServer
var lbHost string var lbHost string
config, err := rest.InClusterConfig() config, err := rest.InClusterConfig()
if err != nil { if err != nil {
log.Printf("ERROR: %s\n", err.Error()) log.Errorf("ERROR: %s\n", err.Error())
} }
clientset, err := kubernetes.NewForConfig(config) clientset, err := kubernetes.NewForConfig(config)
if err != nil { if err != nil {
log.Printf("ERROR: %s\n", err.Error()) log.Errorf("ERROR: %s\n", err.Error())
} }
service, err := clientset.CoreV1().Services(fRead(kubeNamespaceFilePath)).Get(context.TODO(), *openvpnServiceName, metav1.GetOptions{}) service, err := clientset.CoreV1().Services(fRead(kubeNamespaceFilePath)).Get(context.TODO(), *openvpnServiceName, metav1.GetOptions{})
if err != nil { if err != nil {
log.Printf("ERROR: %s\n", err.Error()) log.Errorf("ERROR: %s\n", err.Error())
return nil, err
} }
if *debug { log.Debugf("Debug: service from kube api %v\n", service)
log.Printf("Debug: service from kube api %v\n", service) log.Debugf("Debug: service.Status from kube api %v\n", service.Status)
log.Printf("Debug: service.Status from kube api %v\n", service.Status) log.Debugf("Debug: service.Status.LoadBalancer from kube api %v\n", service.Status.LoadBalancer)
log.Printf("Debug: service.Status.LoadBalancer from kube api %v\n", service.Status.LoadBalancer)
}
if service.Status.LoadBalancer.Ingress[0].Hostname != "" { if service.Status.LoadBalancer.Ingress[0].Hostname != "" {
lbHost = service.Status.LoadBalancer.Ingress[0].Hostname lbHost = service.Status.LoadBalancer.Ingress[0].Hostname
@ -1194,19 +1252,23 @@ func getOvpnServerHostsFromKubeApi() []OpenvpnServer {
if service.Status.LoadBalancer.Ingress[0].IP != "" { if service.Status.LoadBalancer.Ingress[0].IP != "" {
lbHost = service.Status.LoadBalancer.Ingress[0].IP lbHost = service.Status.LoadBalancer.Ingress[0].IP
} }
hosts = append(hosts, OpenvpnServer{lbHost,strconv.Itoa(int(service.Spec.Ports[0].Port)),strings.ToLower(string(service.Spec.Ports[0].Protocol))}) hosts = append(hosts, OpenvpnServer{lbHost, strconv.Itoa(int(service.Spec.Ports[0].Port)), strings.ToLower(string(service.Spec.Ports[0].Protocol))})
return hosts return hosts, nil
} }
func getOvpnCaCertExpireDate() time.Time { func getOvpnCaCertExpireDate() time.Time {
if *kubernetesBackend {
return app.CACert.NotAfter
}
caCertPath := *easyrsaDirPath + "/pki/ca.crt" caCertPath := *easyrsaDirPath + "/pki/ca.crt"
caCertExpireDate := runBash(fmt.Sprintf("openssl x509 -in %s -noout -enddate | awk -F \"=\" {'print $2'}", caCertPath)) caCertExpireDate := runBash(fmt.Sprintf("openssl x509 -in %s -noout -enddate | awk -F \"=\" {'print $2'}", caCertPath))
dateLayout := "Jan 2 15:04:05 2006 MST" dateLayout := "Jan 2 15:04:05 2006 MST"
t, err := time.Parse(dateLayout, strings.TrimSpace(caCertExpireDate)) t, err := time.Parse(dateLayout, strings.TrimSpace(caCertExpireDate))
if err != nil { if err != nil {
log.Printf("WARNING: can`t parse expire date for CA cert: %v\n", err) log.Errorf("WARNING: can`t parse expire date for CA cert: %v\n", err)
return time.Now() return time.Now()
} }
@ -1215,12 +1277,12 @@ func getOvpnCaCertExpireDate() time.Time {
// https://community.openvpn.net/openvpn/ticket/623 // https://community.openvpn.net/openvpn/ticket/623
func crlFix() { func crlFix() {
err1 := os.Chmod(*easyrsaDirPath+"/pki", 0755) err := os.Chmod(*easyrsaDirPath+"/pki", 0755)
if err1 != nil { if err != nil {
log.Println(err1) log.Errorln(err)
} }
err2 := os.Chmod(*easyrsaDirPath+"/pki/crl.pem", 0644) err = os.Chmod(*easyrsaDirPath+"/pki/crl.pem", 0644)
if err2 != nil { if err != nil {
log.Println(err2) log.Errorln(err)
} }
} }