vpn: add support for custom keys

Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly.
2024-07-30 10:53:57 +02:00 · 2024-07-30 10:53:57 +02:00 · 3c25cbe88a
commit 3c25cbe88a
parent 1b26f0738a
8 changed files with 152 additions and 42 deletions
--- a/web/vpn.py
+++ b/web/vpn.py
@ -18,15 +18,36 @@ wgkey_regex = re.compile(r'^[A-Za-z0-9/+=]{44}$')
 def index():
    return flask.render_template('vpn/index.html')

+@blueprint.route('/custom')
+@flask_login.login_required
+def custom():
+    if not flask_login.current_user.is_admin:
+        return flask.Response('forbidden', status=403, mimetype='text/plain')
+    with db.locked():
+        keys = {ip: data for ip, data in db.read('wireguard').items() if data.get('networks') and not data.get('user')}
+        ipsets = db.read('networks') | db.read('ipsets')
+        return flask.render_template('vpn/custom.html', keys=keys, ipsets=ipsets.keys())
+
@blueprint.route('/list')
@flask_login.login_required
 def list():
    # Return logged-in user’s keys, marking the key used for current connection (if any).
    user = flask_login.current_user.get_id()
-    return flask.jsonify({
-        ip: data | {'active': flask.request.remote_addr in (ip, data.get('ip6'))}
+    return flask.jsonify([
+        data | {'ip': ip, 'active': flask.request.remote_addr in (ip, data.get('ip6'))}
            for ip, data in db.load('wireguard').items() if data.get('user') == user
-    })
+    ])
+
+@blueprint.route('/list-custom')
+@flask_login.login_required
+def list_custom():
+    # Return all custom keys.
+    if not flask_login.current_user.is_admin:
+        return flask.Response('forbidden', status=403, mimetype='text/plain')
+    return flask.jsonify([
+        data | {'ip': ip, 'active': flask.request.remote_addr in (ip, data.get('ip6'))}
+            for ip, data in db.load('wireguard').items() if data.get('networks') and not data.get('user')
+    ])

@blueprint.route('/new', methods=('POST',))
@flask_login.login_required
@ -76,7 +97,10 @@ def new():
            return flask.Response('no more available IP addresses', status=500, mimetype='text/plain')

        # Add remaining attributes to new key and update key database.
-        key['user'] = flask_login.current_user.get_id()
+        if flask_login.current_user.is_admin and flask.request.json.get('networks'):
+            key['networks'] = flask.request.json.get('networks')
+        else:
+            key['user'] = flask_login.current_user.get_id()
        keys[str(ip)] = key
        db.write('wireguard', keys)

@ -93,6 +117,7 @@ def new():
        'ip': str(ip),
        'ip6': key['ip6'],
        'name': key['name'],
+        'user': key.get('user', 'custom'),
        'dns': settings.get('wg_dns', '') if options.get('use-dns', True) else False,
        'allowed_nets': settings.get('wg_allowed_nets', ''),
        'add_default': options.get('add-default', False),