From 6d86f15ff822054813b7ab38539bb35e0f3db52a Mon Sep 17 00:00:00 2001 From: Christoph Haas Date: Sun, 5 Jan 2025 10:06:34 +0100 Subject: [PATCH] implement/fix peer and user disable event (#337, #273) --- README.md | 180 +++++++++--------- cmd/wg-portal/main.go | 2 +- go.mod | 22 +-- go.sum | 47 ++--- internal/adapters/wgquick.go | 10 +- .../v0/handlers/endpoint_authentication.go | 6 +- internal/app/auth/auth.go | 4 + internal/app/eventbus.go | 1 + internal/app/users/user_manager.go | 32 +++- internal/app/wireguard/wireguard.go | 112 ++++++++++- .../app/wireguard/wireguard_interfaces.go | 75 +++++--- internal/app/wireguard/wireguard_peers.go | 41 ++-- internal/config/config.go | 15 ++ internal/domain/base.go | 35 ++-- 14 files changed, 394 insertions(+), 188 deletions(-) diff --git a/README.md b/README.md index 6d1055f..4df8899 100644 --- a/README.md +++ b/README.md @@ -55,95 +55,97 @@ By default, WireGuard Portal uses a SQLite database. The database is stored in * ### Configuration Options The following configuration options are available: -| configuration key | parent key | default_value | description | -|---------------------------------|------------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------| -| admin_user | core | admin@wgportal.local | The administrator user. This user will be created as default admin if it does not yet exist. | -| admin_password | core | wgportal | The administrator password. If unchanged, a random password will be set on first startup. | -| editable_keys | core | true | Allow to edit key-pairs in the UI. | -| create_default_peer | core | false | If an LDAP user logs in for the first time and has no peers associated, a new WireGuard peer will be created for all server interfaces. | -| create_default_peer_on_creation | core | false | If an LDAP user is created (e.g. through LDAP sync), a new WireGuard peer will be created for all server interfaces. | -| self_provisioning_allowed | core | false | Allow registered users to automatically create peers via their profile page. | -| import_existing | core | true | Import existing WireGuard interfaces and peers into WireGuard Portal. | -| restore_state | core | true | Restore the WireGuard interface state after WireGuard Portal has started. | -| log_level | advanced | warn | The loglevel, can be one of: trace, debug, info, warn, error. | -| log_pretty | advanced | false | Uses pretty, colorized log messages. | -| log_json | advanced | false | Logs in JSON format. | -| start_listen_port | advanced | 51820 | The first port number that will be used as listening port for new interfaces. | -| start_cidr_v4 | advanced | 10.11.12.0/24 | The first IPv4 subnet that will be used for new interfaces. | -| start_cidr_v6 | advanced | fdfd:d3ad:c0de:1234::0/64 | The first IPv6 subnet that will be used for new interfaces. | -| use_ip_v6 | advanced | true | Enable IPv6 support. | -| config_storage_path | advanced | | If a wg-quick style configuration should be stored to the filesystem, specify a storage directory. | -| expiry_check_interval | advanced | 15m | The interval after which existing peers will be checked if they expired. | -| rule_prio_offset | advanced | 20000 | The default offset for ip route rule priorities. | -| route_table_offset | advanced | 20000 | The default offset for ip route table id's. | -| use_ping_checks | statistics | true | If enabled, peers will be pinged periodically to check if they are still connected. | -| ping_check_workers | statistics | 10 | Number of parallel ping checks that will be executed. | -| ping_unprivileged | statistics | false | If set to false, the ping checks will run without root permissions (BETA). | -| ping_check_interval | statistics | 1m | The interval time between two ping check runs. | -| data_collection_interval | statistics | 1m | The interval between the data collection cycles. | -| collect_interface_data | statistics | true | A flag to enable interface data collection like bytes sent and received. | -| collect_peer_data | statistics | true | A flag to enable peer data collection like bytes sent and received, last handshake and remote endpoint address. | -| collect_audit_data | statistics | true | If enabled, some events, like portal logins, will be logged to the database. | -| listening_address | statistics | :8787 | The listening address of the Prometheus metric server. | -| host | mail | 127.0.0.1 | The mail-server address. | -| port | mail | 25 | The mail-server SMTP port. | -| encryption | mail | none | SMTP encryption type, allowed values: none, tls, starttls. | -| cert_validation | mail | false | Validate the mail server certificate (if encryption tls is used). | -| username | mail | | The SMTP user name. | -| password | mail | | The SMTP password. | -| auth_type | mail | plain | SMTP authentication type, allowed values: plain, login, crammd5. | -| from | mail | Wireguard Portal | The address that is used to send mails. | -| link_only | mail | false | Only send links to WireGuard Portal instead of the full configuration. | -| oidc | auth | Empty Array - no providers configured | A list of OpenID Connect providers. See auth/oidc properties to setup a new provider. | -| oauth | auth | Empty Array - no providers configured | A list of plain OAuth providers. See auth/oauth properties to setup a new provider. | -| ldap | auth | Empty Array - no providers configured | A list of LDAP providers. See auth/ldap properties to setup a new provider. | -| provider_name | auth/oidc | | A unique provider name. This name must be unique throughout all authentication providers (even other types). | -| display_name | auth/oidc | | The display name is shown at the login page (the login button). | -| base_url | auth/oidc | | The base_url is the URL identifier for the service. For example: "https://accounts.google.com". | -| client_id | auth/oidc | | The OAuth client id. | -| client_secret | auth/oidc | | The OAuth client secret. | -| extra_scopes | auth/oidc | | Extra scopes that should be used in the OpenID Connect authentication flow. | -| field_map | auth/oidc | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin. | -| registration_enabled | auth/oidc | | If registration is enabled, new user accounts will created in WireGuard Portal. | -| provider_name | auth/oauth | | A unique provider name. This name must be unique throughout all authentication providers (even other types). | -| display_name | auth/oauth | | The display name is shown at the login page (the login button). | -| client_id | auth/oauth | | The OAuth client id. | -| client_secret | auth/oauth | | The OAuth client secret. | -| auth_url | auth/oauth | | The URL for the authentication endpoint. | -| token_url | auth/oauth | | The URL for the token endpoint. | -| user_info_url | auth/oauth | | The URL for the user information endpoint. | -| scopes | auth/oauth | | OAuth scopes. | -| field_map | auth/oauth | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin. | -| registration_enabled | auth/oauth | | If registration is enabled, new user accounts will created in WireGuard Portal. | -| url | auth/ldap | | The LDAP server url. For example: ldap://srv-ad01.company.local:389 | -| start_tls | auth/ldap | | Use STARTTLS to encrypt LDAP requests. | -| cert_validation | auth/ldap | | Validate the LDAP server certificate. | -| tls_certificate_path | auth/ldap | | A path to the TLS certificate. | -| tls_key_path | auth/ldap | | A path to the TLS key. | -| base_dn | auth/ldap | | The base DN for searching users. For example: DC=COMPANY,DC=LOCAL | -| bind_user | auth/ldap | | The bind user. For example: company\\ldap_wireguard | -| bind_pass | auth/ldap | | The bind password. | -| field_map | auth/ldap | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and memberof. | -| login_filter | auth/ldap | | LDAP filters for users that should be allowed to log in. {{login_identifier}} will be replaced with the login username. | -| admin_group | auth/ldap | | Users in this group are marked as administrators. | -| disable_missing | auth/ldap | | If synchronization is enabled, missing LDAP users will be disabled in WireGuard Portal. | -| sync_filter | auth/ldap | | LDAP filters for users that should be synchronized to WireGuard Portal. | -| sync_interval | auth/ldap | | The time interval after which users will be synchronized from LDAP. Empty value or `0` disables synchronization. | -| registration_enabled | auth/ldap | | If registration is enabled, new user accounts will created in WireGuard Portal. | -| debug | database | false | Debug database statements (log each statement). | -| slow_query_threshold | database | | A threshold for slow database queries. If the threshold is exceeded, a warning message will be logged. | -| type | database | sqlite | The database type. Allowed values: sqlite, mssql, mysql or postgres. | -| dsn | database | data/sqlite.db | The database DSN. For example: user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local | -| request_logging | web | false | Log all HTTP requests. | -| external_url | web | http://localhost:8888 | The URL where a client can access WireGuard Portal. | -| listening_address | web | :8888 | The listening port of the web server. | -| session_identifier | web | wgPortalSession | The session identifier for the web frontend. | -| session_secret | web | very_secret | The session secret for the web frontend. | -| csrf_secret | web | extremely_secret | The CSRF secret. | -| site_title | web | WireGuard Portal | The title that is shown in the web frontend. | -| site_company_name | web | WireGuard Portal | The company name that is shown at the bottom of the web frontend. | -| cert_file | web | | (Optional) Path to the TLS certificate file | -| key_file | web | | (Optional) Path to the TLS certificate key file | +| configuration key | parent key | default_value | description | +|----------------------------------|------------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| admin_user | core | admin@wgportal.local | The administrator user. This user will be created as default admin if it does not yet exist. | +| admin_password | core | wgportal | The administrator password. If unchanged, a random password will be set on first startup. | +| editable_keys | core | true | Allow to edit key-pairs in the UI. | +| create_default_peer | core | false | If an LDAP user logs in for the first time and has no peers associated, a new WireGuard peer will be created for all server interfaces. | +| create_default_peer_on_creation | core | false | If an LDAP user is created (e.g. through LDAP sync), a new WireGuard peer will be created for all server interfaces. | +| re_enable_peer_after_user_enable | core | true | Re-enable all peers that were previously disabled due to a user disable action. | +| delete_peer_after_user_deleted | core | false | Delete all linked peers if a user gets disabled. Otherwise the peers only get disabled. | +| self_provisioning_allowed | core | false | Allow registered users to automatically create peers via their profile page. | +| import_existing | core | true | Import existing WireGuard interfaces and peers into WireGuard Portal. | +| restore_state | core | true | Restore the WireGuard interface state after WireGuard Portal has started. | +| log_level | advanced | info | The loglevel, can be one of: trace, debug, info, warn, error. | +| log_pretty | advanced | false | Uses pretty, colorized log messages. | +| log_json | advanced | false | Logs in JSON format. | +| start_listen_port | advanced | 51820 | The first port number that will be used as listening port for new interfaces. | +| start_cidr_v4 | advanced | 10.11.12.0/24 | The first IPv4 subnet that will be used for new interfaces. | +| start_cidr_v6 | advanced | fdfd:d3ad:c0de:1234::0/64 | The first IPv6 subnet that will be used for new interfaces. | +| use_ip_v6 | advanced | true | Enable IPv6 support. | +| config_storage_path | advanced | | If a wg-quick style configuration should be stored to the filesystem, specify a storage directory. | +| expiry_check_interval | advanced | 15m | The interval after which existing peers will be checked if they expired. | +| rule_prio_offset | advanced | 20000 | The default offset for ip route rule priorities. | +| route_table_offset | advanced | 20000 | The default offset for ip route table id's. | +| use_ping_checks | statistics | true | If enabled, peers will be pinged periodically to check if they are still connected. | +| ping_check_workers | statistics | 10 | Number of parallel ping checks that will be executed. | +| ping_unprivileged | statistics | false | If set to false, the ping checks will run without root permissions (BETA). | +| ping_check_interval | statistics | 1m | The interval time between two ping check runs. | +| data_collection_interval | statistics | 1m | The interval between the data collection cycles. | +| collect_interface_data | statistics | true | A flag to enable interface data collection like bytes sent and received. | +| collect_peer_data | statistics | true | A flag to enable peer data collection like bytes sent and received, last handshake and remote endpoint address. | +| collect_audit_data | statistics | true | If enabled, some events, like portal logins, will be logged to the database. | +| listening_address | statistics | :8787 | The listening address of the Prometheus metric server. | +| host | mail | 127.0.0.1 | The mail-server address. | +| port | mail | 25 | The mail-server SMTP port. | +| encryption | mail | none | SMTP encryption type, allowed values: none, tls, starttls. | +| cert_validation | mail | false | Validate the mail server certificate (if encryption tls is used). | +| username | mail | | The SMTP user name. | +| password | mail | | The SMTP password. | +| auth_type | mail | plain | SMTP authentication type, allowed values: plain, login, crammd5. | +| from | mail | Wireguard Portal | The address that is used to send mails. | +| link_only | mail | false | Only send links to WireGuard Portal instead of the full configuration. | +| oidc | auth | Empty Array - no providers configured | A list of OpenID Connect providers. See auth/oidc properties to setup a new provider. | +| oauth | auth | Empty Array - no providers configured | A list of plain OAuth providers. See auth/oauth properties to setup a new provider. | +| ldap | auth | Empty Array - no providers configured | A list of LDAP providers. See auth/ldap properties to setup a new provider. | +| provider_name | auth/oidc | | A unique provider name. This name must be unique throughout all authentication providers (even other types). | +| display_name | auth/oidc | | The display name is shown at the login page (the login button). | +| base_url | auth/oidc | | The base_url is the URL identifier for the service. For example: "https://accounts.google.com". | +| client_id | auth/oidc | | The OAuth client id. | +| client_secret | auth/oidc | | The OAuth client secret. | +| extra_scopes | auth/oidc | | Extra scopes that should be used in the OpenID Connect authentication flow. | +| field_map | auth/oidc | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin. | +| registration_enabled | auth/oidc | | If registration is enabled, new user accounts will created in WireGuard Portal. | +| provider_name | auth/oauth | | A unique provider name. This name must be unique throughout all authentication providers (even other types). | +| display_name | auth/oauth | | The display name is shown at the login page (the login button). | +| client_id | auth/oauth | | The OAuth client id. | +| client_secret | auth/oauth | | The OAuth client secret. | +| auth_url | auth/oauth | | The URL for the authentication endpoint. | +| token_url | auth/oauth | | The URL for the token endpoint. | +| user_info_url | auth/oauth | | The URL for the user information endpoint. | +| scopes | auth/oauth | | OAuth scopes. | +| field_map | auth/oauth | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin. | +| registration_enabled | auth/oauth | | If registration is enabled, new user accounts will created in WireGuard Portal. | +| url | auth/ldap | | The LDAP server url. For example: ldap://srv-ad01.company.local:389 | +| start_tls | auth/ldap | | Use STARTTLS to encrypt LDAP requests. | +| cert_validation | auth/ldap | | Validate the LDAP server certificate. | +| tls_certificate_path | auth/ldap | | A path to the TLS certificate. | +| tls_key_path | auth/ldap | | A path to the TLS key. | +| base_dn | auth/ldap | | The base DN for searching users. For example: DC=COMPANY,DC=LOCAL | +| bind_user | auth/ldap | | The bind user. For example: company\\ldap_wireguard | +| bind_pass | auth/ldap | | The bind password. | +| field_map | auth/ldap | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and memberof. | +| login_filter | auth/ldap | | LDAP filters for users that should be allowed to log in. {{login_identifier}} will be replaced with the login username. | +| admin_group | auth/ldap | | Users in this group are marked as administrators. | +| disable_missing | auth/ldap | | If synchronization is enabled, missing LDAP users will be disabled in WireGuard Portal. | +| sync_filter | auth/ldap | | LDAP filters for users that should be synchronized to WireGuard Portal. | +| sync_interval | auth/ldap | | The time interval after which users will be synchronized from LDAP. Empty value or `0` disables synchronization. | +| registration_enabled | auth/ldap | | If registration is enabled, new user accounts will created in WireGuard Portal. | +| debug | database | false | Debug database statements (log each statement). | +| slow_query_threshold | database | | A threshold for slow database queries. If the threshold is exceeded, a warning message will be logged. | +| type | database | sqlite | The database type. Allowed values: sqlite, mssql, mysql or postgres. | +| dsn | database | data/sqlite.db | The database DSN. For example: user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local | +| request_logging | web | false | Log all HTTP requests. | +| external_url | web | http://localhost:8888 | The URL where a client can access WireGuard Portal. | +| listening_address | web | :8888 | The listening port of the web server. | +| session_identifier | web | wgPortalSession | The session identifier for the web frontend. | +| session_secret | web | very_secret | The session secret for the web frontend. | +| csrf_secret | web | extremely_secret | The CSRF secret. | +| site_title | web | WireGuard Portal | The title that is shown in the web frontend. | +| site_company_name | web | WireGuard Portal | The company name that is shown at the bottom of the web frontend. | +| cert_file | web | | (Optional) Path to the TLS certificate file | +| key_file | web | | (Optional) Path to the TLS certificate key file | ## Upgrading from V1 diff --git a/cmd/wg-portal/main.go b/cmd/wg-portal/main.go index 157c24e..fa3ec9c 100644 --- a/cmd/wg-portal/main.go +++ b/cmd/wg-portal/main.go @@ -132,7 +132,7 @@ func setupLogging(cfg *config.Config) { case "error": logrus.SetLevel(logrus.ErrorLevel) default: - logrus.SetLevel(logrus.WarnLevel) + logrus.SetLevel(logrus.InfoLevel) } switch { diff --git a/go.mod b/go.mod index 242cac8..3424839 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.23 require ( github.com/a8m/envsubst v1.4.2 - github.com/coreos/go-oidc/v3 v3.11.0 + github.com/coreos/go-oidc/v3 v3.12.0 github.com/gin-contrib/cors v1.7.3 github.com/gin-contrib/sessions v1.0.2 github.com/gin-gonic/gin v1.10.0 @@ -22,9 +22,9 @@ require ( github.com/xhit/go-simple-mail/v2 v2.16.0 github.com/yeqown/go-qrcode/v2 v2.2.4 golang.org/x/crypto v0.31.0 - golang.org/x/oauth2 v0.24.0 - golang.org/x/sys v0.28.0 - golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 + golang.org/x/oauth2 v0.25.0 + golang.org/x/sys v0.29.0 + golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 gopkg.in/yaml.v2 v2.4.0 gorm.io/driver/mysql v1.5.7 gorm.io/driver/postgres v1.5.11 @@ -45,8 +45,8 @@ require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/dchest/uniuri v1.2.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect - github.com/gabriel-vasile/mimetype v1.4.7 // indirect - github.com/gin-contrib/sse v0.1.0 // indirect + github.com/gabriel-vasile/mimetype v1.4.8 // indirect + github.com/gin-contrib/sse v1.0.0 // indirect github.com/glebarez/go-sqlite v1.22.0 // indirect github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect github.com/go-jose/go-jose/v4 v4.0.4 // indirect @@ -102,8 +102,8 @@ require ( github.com/ugorji/go/codec v1.2.12 // indirect github.com/vishvananda/netns v0.0.5 // indirect github.com/yeqown/reedsolomon v1.0.0 // indirect - golang.org/x/arch v0.12.0 // indirect - golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect + golang.org/x/arch v0.13.0 // indirect + golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 // indirect golang.org/x/net v0.33.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/text v0.21.0 // indirect @@ -111,9 +111,9 @@ require ( golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect google.golang.org/protobuf v1.36.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - modernc.org/libc v1.61.5 // indirect - modernc.org/mathutil v1.7.0 // indirect - modernc.org/memory v1.8.0 // indirect + modernc.org/libc v1.61.6 // indirect + modernc.org/mathutil v1.7.1 // indirect + modernc.org/memory v1.8.1 // indirect modernc.org/sqlite v1.34.4 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index a328999..141096c 100644 --- a/go.sum +++ b/go.sum @@ -45,8 +45,8 @@ github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/ github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w= github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg= github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY= -github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= -github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= +github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo= +github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -57,8 +57,8 @@ github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/ github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW8ZzUMYCA= -github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU= +github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM= +github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8= github.com/garyburd/redigo v1.6.0/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= github.com/gin-contrib/cors v1.7.3 h1:hV+a5xp8hwJoTw7OY+a70FsL8JkVVFTXw9EcfrYUdns= github.com/gin-contrib/cors v1.7.3/go.mod h1:M3bcKZhxzsvI+rlRSkkxHyljJt1ESd93COUvemZ79j4= @@ -66,8 +66,8 @@ github.com/gin-contrib/sessions v0.0.0-20190101140330-dc5246754963/go.mod h1:4lk github.com/gin-contrib/sessions v1.0.2 h1:UaIjUvTH1cMeOdj3in6dl+Xb6It8RiKRF9Z1anbUyCA= github.com/gin-contrib/sessions v1.0.2/go.mod h1:KxKxWqWP5LJVDCInulOl4WbLzK2KSPlLesfZ66wRvMs= github.com/gin-contrib/sse v0.0.0-20170109093832-22d885f9ecc7/go.mod h1:VJ0WA2NBN22VlZ2dKZQPAPnyWw5XTlK1KymzLKsr59s= -github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= -github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= +github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E= +github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0= github.com/gin-gonic/gin v1.3.0/go.mod h1:7cKuhb5qV2ggCFctp2fJQ+ErvciLZrIeoOSOm6mUr7Y= github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU= github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y= @@ -288,8 +288,8 @@ github.com/yeqown/go-qrcode/v2 v2.2.4/go.mod h1:uHpt9CM0V1HeXLz+Wg5MN50/sI/fQhfk github.com/yeqown/reedsolomon v1.0.0 h1:x1h/Ej/uJnNu8jaX7GLHBWmZKCAWjEJTetkqaabr4B0= github.com/yeqown/reedsolomon v1.0.0/go.mod h1:P76zpcn2TCuL0ul1Fso373qHRc69LKwAw/Iy6g1WiiM= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -golang.org/x/arch v0.12.0 h1:UsYJhbzPYGsT0HbEdmYcqtCv8UNGvnaL561NnIUvaKg= -golang.org/x/arch v0.12.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys= +golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA= +golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= @@ -304,8 +304,8 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 h1:1UoZQm6f0P/ZO0w1Ri+f+ifG/gXhegadRdwBIXEFWDo= -golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= +golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 h1:9kj3STMvgqy3YA4VQXBrN7925ICMxD5wzMRcgA30588= +golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= @@ -332,8 +332,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= -golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= -golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70= +golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -364,8 +364,9 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= +golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -405,8 +406,8 @@ golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4= golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ= google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -434,20 +435,20 @@ gorm.io/gorm v1.25.7-0.20240204074919-46816ad31dde/go.mod h1:hbnx/Oo0ChWMn1BIhpy gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8= gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ= -modernc.org/cc/v4 v4.24.1 h1:mLykA8iIlZ/SZbwI2JgYIURXQMSgmOb/+5jaielxPi4= -modernc.org/cc/v4 v4.24.1/go.mod h1:T1lKJZhXIi2VSqGBiB4LIbKs9NsKTbUXj4IDrmGqtTI= +modernc.org/cc/v4 v4.24.2 h1:uektamHbSXU7egelXcyVpMaaAsrRH4/+uMKUQAQUdOw= +modernc.org/cc/v4 v4.24.2/go.mod h1:T1lKJZhXIi2VSqGBiB4LIbKs9NsKTbUXj4IDrmGqtTI= modernc.org/ccgo/v4 v4.23.5 h1:6uAwu8u3pnla3l/+UVUrDDO1HIGxHTYmFH6w+X9nsyw= modernc.org/ccgo/v4 v4.23.5/go.mod h1:FogrWfBdzqLWm1ku6cfr4IzEFouq2fSAPf6aSAHdAJQ= modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE= modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ= modernc.org/gc/v2 v2.6.0 h1:Tiw3pezQj7PfV8k4Dzyu/vhRHR2e92kOXtTFU8pbCl4= modernc.org/gc/v2 v2.6.0/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU= -modernc.org/libc v1.61.5 h1:WzsPUvWl2CvsRmk2foyWWHUEUmQ2iW4oFyWOVR0O5ho= -modernc.org/libc v1.61.5/go.mod h1:llBdEGIywhnRgAFuTF+CWaKV8/2bFgACcQZTXhkAuAM= -modernc.org/mathutil v1.7.0 h1:KPlMfpLMs4EXAo8T8JJEkmCT9KP/B4vU1+GaBnDhHQY= -modernc.org/mathutil v1.7.0/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= -modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E= -modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU= +modernc.org/libc v1.61.6 h1:L2jW0wxHPCyHK0YSHaGaVlY0WxjpG/TTVdg6gRJOPqw= +modernc.org/libc v1.61.6/go.mod h1:G+DzuaCcReUYYg4nNSfigIfTDCENdj9EByglvaRx53A= +modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU= +modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= +modernc.org/memory v1.8.1 h1:HS1HRg1jEohnuONobEq2WrLEhLyw8+J42yLFTnllm2A= +modernc.org/memory v1.8.1/go.mod h1:ZbjSvMO5NQ1A2i3bWeDiVMxIorXwdClKE/0SZ+BMotU= modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4= modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc= diff --git a/internal/adapters/wgquick.go b/internal/adapters/wgquick.go index 828192f..879f728 100644 --- a/internal/adapters/wgquick.go +++ b/internal/adapters/wgquick.go @@ -3,11 +3,12 @@ package adapters import ( "bytes" "fmt" + "os/exec" + "strings" + "github.com/h44z/wg-portal/internal" "github.com/h44z/wg-portal/internal/domain" "github.com/sirupsen/logrus" - "os/exec" - "strings" ) // WgQuickRepo implements higher level wg-quick like interactions like setting DNS, routing tables or interface hooks. @@ -57,7 +58,10 @@ func (r *WgQuickRepo) SetDNS(id domain.InterfaceIdentifier, dnsStr, dnsSearchStr err := r.exec(dnsCommand, id, dnsCommandInput...) if err != nil { - return fmt.Errorf("failed to set dns settings: %w", err) + return fmt.Errorf( + "failed to set dns settings (is resolvconf available?, for systemd create this symlink: ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf): %w", + err, + ) } return nil diff --git a/internal/app/api/v0/handlers/endpoint_authentication.go b/internal/app/api/v0/handlers/endpoint_authentication.go index 288ce3b..4ef5cc7 100644 --- a/internal/app/api/v0/handlers/endpoint_authentication.go +++ b/internal/app/api/v0/handlers/endpoint_authentication.go @@ -130,7 +130,7 @@ func (e authEndpoint) handleOauthInitiateGet() gin.HandlerFunc { } if currentSession.LoggedIn { - if autoRedirect { + if autoRedirect && e.isValidReturnUrl(returnTo) { queryParams := returnUrl.Query() queryParams.Set("wgLoginState", "success") returnParams = queryParams.Encode() @@ -237,7 +237,7 @@ func (e authEndpoint) handleOauthCallbackGet() gin.HandlerFunc { user, err := e.app.Authenticator.OauthLoginStep2(loginCtx, provider, currentSession.OauthNonce, oauthCode) cancel() if err != nil { - if returnUrl != nil { + if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) { redirectToReturn() } else { c.JSON(http.StatusUnauthorized, model.Error{Code: http.StatusUnauthorized, Message: err.Error()}) @@ -247,7 +247,7 @@ func (e authEndpoint) handleOauthCallbackGet() gin.HandlerFunc { e.setAuthenticatedUser(c, user) - if returnUrl != nil { + if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) { queryParams := returnUrl.Query() queryParams.Set("wgLoginState", "success") returnParams = queryParams.Encode() diff --git a/internal/app/auth/auth.go b/internal/app/auth/auth.go index 949a99b..c11185e 100644 --- a/internal/app/auth/auth.go +++ b/internal/app/auth/auth.go @@ -246,6 +246,10 @@ func (a *Authenticator) passwordAuthentication( return nil, errors.New("user not found") } + if userSource == domain.UserSourceLdap && ldapProvider == nil { + return nil, errors.New("ldap provider not found") + } + switch userSource { case domain.UserSourceDatabase: err = existingUser.CheckPassword(password) diff --git a/internal/app/eventbus.go b/internal/app/eventbus.go index 5a5f732..8dfe5fd 100644 --- a/internal/app/eventbus.go +++ b/internal/app/eventbus.go @@ -3,6 +3,7 @@ package app const TopicUserCreated = "user:created" const TopicUserRegistered = "user:registered" const TopicUserDisabled = "user:disabled" +const TopicUserEnabled = "user:enabled" const TopicUserDeleted = "user:deleted" const TopicAuthLogin = "auth:login" const TopicRouteUpdate = "route:update" diff --git a/internal/app/users/user_manager.go b/internal/app/users/user_manager.go index 4c9464e..7640510 100644 --- a/internal/app/users/user_manager.go +++ b/internal/app/users/user_manager.go @@ -30,7 +30,10 @@ type Manager struct { peers PeerDatabaseRepo } -func NewUserManager(cfg *config.Config, bus evbus.MessageBus, users UserDatabaseRepo, peers PeerDatabaseRepo) (*Manager, error) { +func NewUserManager(cfg *config.Config, bus evbus.MessageBus, users UserDatabaseRepo, peers PeerDatabaseRepo) ( + *Manager, + error, +) { m := &Manager{ cfg: cfg, bus: bus, @@ -170,6 +173,13 @@ func (m Manager) UpdateUser(ctx context.Context, user *domain.User) (*domain.Use return nil, fmt.Errorf("update failure: %w", err) } + switch { + case !existingUser.IsDisabled() && user.IsDisabled(): + m.bus.Publish(app.TopicUserDisabled, *user) + case existingUser.IsDisabled() && !user.IsDisabled(): + m.bus.Publish(app.TopicUserEnabled, *user) + } + return user, nil } @@ -225,7 +235,7 @@ func (m Manager) DeleteUser(ctx context.Context, id domain.UserIdentifier) error return fmt.Errorf("deletion failure: %w", err) } - m.bus.Publish(app.TopicUserDeleted, existingUser) + m.bus.Publish(app.TopicUserDeleted, *existingUser) return nil } @@ -374,7 +384,13 @@ func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.Ldap return nil } -func (m Manager) updateLdapUsers(ctx context.Context, providerName string, rawUsers []internal.RawLdapUser, fields *config.LdapFields, adminGroupDN *ldap.DN) error { +func (m Manager) updateLdapUsers( + ctx context.Context, + providerName string, + rawUsers []internal.RawLdapUser, + fields *config.LdapFields, + adminGroupDN *ldap.DN, +) error { for _, rawUser := range rawUsers { user, err := convertRawLdapUser(providerName, rawUser, fields, adminGroupDN) if err != nil && !errors.Is(err, domain.ErrNotFound) { @@ -397,7 +413,8 @@ func (m Manager) updateLdapUsers(ctx context.Context, providerName string, rawUs } } - if existingUser != nil && existingUser.Source == domain.UserSourceLdap && userChangedInLdap(existingUser, user) { + if existingUser != nil && existingUser.Source == domain.UserSourceLdap && userChangedInLdap(existingUser, + user) { err := m.users.SaveUser(tctx, user.Identifier, func(u *domain.User) (*domain.User, error) { u.UpdatedAt = time.Now() @@ -421,7 +438,12 @@ func (m Manager) updateLdapUsers(ctx context.Context, providerName string, rawUs return nil } -func (m Manager) disableMissingLdapUsers(ctx context.Context, providerName string, rawUsers []internal.RawLdapUser, fields *config.LdapFields) error { +func (m Manager) disableMissingLdapUsers( + ctx context.Context, + providerName string, + rawUsers []internal.RawLdapUser, + fields *config.LdapFields, +) error { allUsers, err := m.users.GetAllUsers(ctx) if err != nil { return err diff --git a/internal/app/wireguard/wireguard.go b/internal/app/wireguard/wireguard.go index 96f9f52..ab8a007 100644 --- a/internal/app/wireguard/wireguard.go +++ b/internal/app/wireguard/wireguard.go @@ -2,9 +2,10 @@ package wireguard import ( "context" + "time" + "github.com/h44z/wg-portal/internal/app" "github.com/sirupsen/logrus" - "time" evbus "github.com/vardius/message-bus" @@ -21,7 +22,13 @@ type Manager struct { quick WgQuickController } -func NewWireGuardManager(cfg *config.Config, bus evbus.MessageBus, wg InterfaceController, quick WgQuickController, db InterfaceAndPeerDatabaseRepo) (*Manager, error) { +func NewWireGuardManager( + cfg *config.Config, + bus evbus.MessageBus, + wg InterfaceController, + quick WgQuickController, + db InterfaceAndPeerDatabaseRepo, +) (*Manager, error) { m := &Manager{ cfg: cfg, bus: bus, @@ -42,6 +49,9 @@ func (m Manager) StartBackgroundJobs(ctx context.Context) { func (m Manager) connectToMessageBus() { _ = m.bus.Subscribe(app.TopicUserCreated, m.handleUserCreationEvent) _ = m.bus.Subscribe(app.TopicAuthLogin, m.handleUserLoginEvent) + _ = m.bus.Subscribe(app.TopicUserDisabled, m.handleUserDisabledEvent) + _ = m.bus.Subscribe(app.TopicUserEnabled, m.handleUserEnabledEvent) + _ = m.bus.Subscribe(app.TopicUserDeleted, m.handleUserDeletedEvent) } func (m Manager) handleUserCreationEvent(user *domain.User) { @@ -84,6 +94,104 @@ func (m Manager) handleUserLoginEvent(userId domain.UserIdentifier) { } } +func (m Manager) handleUserDisabledEvent(user domain.User) { + ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo()) + userPeers, err := m.db.GetUserPeers(ctx, user.Identifier) + if err != nil { + logrus.Errorf("failed to retrieve peers for disabled user %s: %v", user.Identifier, err) + return + } + + for _, peer := range userPeers { + if peer.IsDisabled() { + continue // peer is already disabled + } + + logrus.Debugf("disabling peer %s due to user %s being disabled", peer.Identifier, user.Identifier) + + peer.Disabled = user.Disabled // set to user disabled timestamp + peer.DisabledReason = domain.DisabledReasonUserDisabled + + _, err := m.UpdatePeer(ctx, &peer) + if err != nil { + logrus.Errorf("failed to disable peer %s for disabled user %s: %v", + peer.Identifier, user.Identifier, err) + } + } +} + +func (m Manager) handleUserEnabledEvent(user domain.User) { + if !m.cfg.Core.ReEnablePeerAfterUserEnable { + return + } + + ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo()) + userPeers, err := m.db.GetUserPeers(ctx, user.Identifier) + if err != nil { + logrus.Errorf("failed to retrieve peers for re-enabled user %s: %v", user.Identifier, err) + return + } + + for _, peer := range userPeers { + if !peer.IsDisabled() { + continue // peer is already active + } + + if peer.DisabledReason != domain.DisabledReasonUserDisabled { + continue // peer was disabled for another reason + } + + logrus.Debugf("enabling peer %s due to user %s being enabled", peer.Identifier, user.Identifier) + + peer.Disabled = nil + peer.DisabledReason = "" + + _, err := m.UpdatePeer(ctx, &peer) + if err != nil { + logrus.Errorf("failed to enable peer %s for enabled user %s: %v", + peer.Identifier, user.Identifier, err) + } + } + return +} + +func (m Manager) handleUserDeletedEvent(user domain.User) { + ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo()) + userPeers, err := m.db.GetUserPeers(ctx, user.Identifier) + if err != nil { + logrus.Errorf("failed to retrieve peers for deleted user %s: %v", user.Identifier, err) + return + } + + deletionTime := time.Now() + for _, peer := range userPeers { + if peer.IsDisabled() { + continue // peer is already disabled + } + + if m.cfg.Core.DeletePeerAfterUserDeleted { + logrus.Debugf("deleting peer %s due to user %s being deleted", peer.Identifier, user.Identifier) + + if err := m.DeletePeer(ctx, peer.Identifier); err != nil { + logrus.Errorf("failed to delete peer %s for deleted user %s: %v", + peer.Identifier, user.Identifier, err) + } + } else { + logrus.Debugf("disabling peer %s due to user %s being deleted", peer.Identifier, user.Identifier) + + peer.UserIdentifier = "" // remove user reference + peer.Disabled = &deletionTime + peer.DisabledReason = domain.DisabledReasonUserDeleted + + _, err := m.UpdatePeer(ctx, &peer) + if err != nil { + logrus.Errorf("failed to disable peer %s for deleted user %s: %v", + peer.Identifier, user.Identifier, err) + } + } + } +} + func (m Manager) runExpiredPeersCheck(ctx context.Context) { ctx = domain.SetUserInfo(ctx, domain.SystemAdminContextUserInfo()) diff --git a/internal/app/wireguard/wireguard_interfaces.go b/internal/app/wireguard/wireguard_interfaces.go index d26d5e9..93e24d7 100644 --- a/internal/app/wireguard/wireguard_interfaces.go +++ b/internal/app/wireguard/wireguard_interfaces.go @@ -175,14 +175,11 @@ func (m Manager) RestoreInterfaceState( } _, err = m.wg.GetInterface(ctx, iface.Identifier) - if err != nil { + if err != nil && !iface.IsDisabled() { logrus.Debugf("creating missing interface %s...", iface.Identifier) // try to create a new interface - _, err = m.saveInterface(ctx, &iface, peers) - if err != nil { - return err - } + _, err = m.saveInterface(ctx, &iface) if err != nil { if updateDbOnError { // disable interface in database as no physical interface exists @@ -196,23 +193,11 @@ func (m Manager) RestoreInterfaceState( } return fmt.Errorf("failed to create physical interface %s: %w", iface.Identifier, err) } - - // restore peers - for _, peer := range peers { - err := m.wg.SavePeer(ctx, iface.Identifier, peer.Identifier, - func(pp *domain.PhysicalPeer) (*domain.PhysicalPeer, error) { - domain.MergeToPhysicalPeer(pp, &peer) - return pp, nil - }) - if err != nil { - return fmt.Errorf("failed to create physical peer %s: %w", peer.Identifier, err) - } - } } else { logrus.Debugf("restoring interface state for %s to disabled=%t", iface.Identifier, iface.IsDisabled()) // try to move interface to stored state - _, err = m.saveInterface(ctx, &iface, peers) + _, err = m.saveInterface(ctx, &iface) if err != nil { if updateDbOnError { // disable interface in database as no physical interface is available @@ -232,6 +217,51 @@ func (m Manager) RestoreInterfaceState( return fmt.Errorf("failed to change physical interface state for %s: %w", iface.Identifier, err) } } + + // restore peers + for _, peer := range peers { + switch { + case iface.IsDisabled(): // if interface is disabled, delete all peers + if err := m.wg.DeletePeer(ctx, iface.Identifier, peer.Identifier); err != nil { + return fmt.Errorf("failed to remove peer %s for disabled interface %s: %w", + peer.Identifier, iface.Identifier, err) + } + case peer.IsDisabled(): // if peer is disabled, delete it + if err := m.wg.DeletePeer(ctx, iface.Identifier, peer.Identifier); err != nil { + return fmt.Errorf("failed to remove disbaled peer %s from interface %s: %w", + peer.Identifier, iface.Identifier, err) + } + default: // update peer + err := m.wg.SavePeer(ctx, iface.Identifier, peer.Identifier, + func(pp *domain.PhysicalPeer) (*domain.PhysicalPeer, error) { + domain.MergeToPhysicalPeer(pp, &peer) + return pp, nil + }) + if err != nil { + return fmt.Errorf("failed to create/update physical peer %s for interface %s: %w", + peer.Identifier, iface.Identifier, err) + } + } + } + + // remove non-wgportal peers + physicalPeers, _ := m.wg.GetPeers(ctx, iface.Identifier) + for _, physicalPeer := range physicalPeers { + isWgPortalPeer := false + for _, peer := range peers { + if peer.Identifier == domain.PeerIdentifier(physicalPeer.PublicKey) { + isWgPortalPeer = true + break + } + } + if !isWgPortalPeer { + err := m.wg.DeletePeer(ctx, iface.Identifier, domain.PeerIdentifier(physicalPeer.PublicKey)) + if err != nil { + return fmt.Errorf("failed to remove non-wgportal peer %s from interface %s: %w", + physicalPeer.PublicKey, iface.Identifier, err) + } + } + } } return nil @@ -334,7 +364,7 @@ func (m Manager) CreateInterface(ctx context.Context, in *domain.Interface) (*do return nil, fmt.Errorf("creation not allowed: %w", err) } - in, err = m.saveInterface(ctx, in, nil) + in, err = m.saveInterface(ctx, in) if err != nil { return nil, fmt.Errorf("creation failure: %w", err) } @@ -356,7 +386,7 @@ func (m Manager) UpdateInterface(ctx context.Context, in *domain.Interface) (*do return nil, nil, fmt.Errorf("update not allowed: %w", err) } - in, err = m.saveInterface(ctx, in, existingPeers) + in, err = m.saveInterface(ctx, in) if err != nil { return nil, nil, fmt.Errorf("update failure: %w", err) } @@ -422,7 +452,7 @@ func (m Manager) DeleteInterface(ctx context.Context, id domain.InterfaceIdentif // region helper-functions -func (m Manager) saveInterface(ctx context.Context, iface *domain.Interface, peers []domain.Peer) ( +func (m Manager) saveInterface(ctx context.Context, iface *domain.Interface) ( *domain.Interface, error, ) { @@ -454,7 +484,6 @@ func (m Manager) saveInterface(ctx context.Context, iface *domain.Interface, pee return nil, fmt.Errorf("failed to save interface: %w", err) } - m.bus.Publish(app.TopicRouteUpdate, "interface updated: "+string(iface.Identifier)) if iface.IsDisabled() { physicalInterface, _ := m.wg.GetInterface(ctx, iface.Identifier) fwMark := iface.FirewallMark @@ -465,6 +494,8 @@ func (m Manager) saveInterface(ctx context.Context, iface *domain.Interface, pee FwMark: fwMark, Table: iface.GetRoutingTable(), }) + } else { + m.bus.Publish(app.TopicRouteUpdate, "interface updated: "+string(iface.Identifier)) } if err := m.handleInterfacePostSaveHooks(stateChanged, iface); err != nil { diff --git a/internal/app/wireguard/wireguard_peers.go b/internal/app/wireguard/wireguard_peers.go index a9b6f07..38c7539 100644 --- a/internal/app/wireguard/wireguard_peers.go +++ b/internal/app/wireguard/wireguard_peers.go @@ -248,6 +248,10 @@ func (m Manager) DeletePeer(ctx context.Context, id domain.PeerIdentifier) error return err } + if err := m.validatePeerDeletion(ctx, peer); err != nil { + return fmt.Errorf("delete not allowed: %w", err) + } + err = m.wg.DeletePeer(ctx, peer.InterfaceIdentifier, id) if err != nil { return fmt.Errorf("wireguard failed to delete peer %s: %w", id, err) @@ -309,20 +313,33 @@ func (m Manager) savePeers(ctx context.Context, peers ...*domain.Peer) error { for i := range peers { peer := peers[i] - err := m.db.SavePeer(ctx, peer.Identifier, func(p *domain.Peer) (*domain.Peer, error) { - peer.CopyCalculatedAttributes(p) + var err error + if peer.IsDisabled() || peer.IsExpired() { + err = m.db.SavePeer(ctx, peer.Identifier, func(p *domain.Peer) (*domain.Peer, error) { + peer.CopyCalculatedAttributes(p) - err := m.wg.SavePeer(ctx, peer.InterfaceIdentifier, peer.Identifier, - func(pp *domain.PhysicalPeer) (*domain.PhysicalPeer, error) { - domain.MergeToPhysicalPeer(pp, peer) - return pp, nil - }) - if err != nil { - return nil, fmt.Errorf("failed to save wireguard peer %s: %w", peer.Identifier, err) - } + if err := m.wg.DeletePeer(ctx, peer.InterfaceIdentifier, peer.Identifier); err != nil { + return nil, fmt.Errorf("failed to delete wireguard peer %s: %w", peer.Identifier, err) + } - return peer, nil - }) + return peer, nil + }) + } else { + err = m.db.SavePeer(ctx, peer.Identifier, func(p *domain.Peer) (*domain.Peer, error) { + peer.CopyCalculatedAttributes(p) + + err := m.wg.SavePeer(ctx, peer.InterfaceIdentifier, peer.Identifier, + func(pp *domain.PhysicalPeer) (*domain.PhysicalPeer, error) { + domain.MergeToPhysicalPeer(pp, peer) + return pp, nil + }) + if err != nil { + return nil, fmt.Errorf("failed to save wireguard peer %s: %w", peer.Identifier, err) + } + + return peer, nil + }) + } if err != nil { return fmt.Errorf("save failure for peer %s: %w", peer.Identifier, err) } diff --git a/internal/config/config.go b/internal/config/config.go index 9ebc055..d378b3a 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -20,6 +20,8 @@ type Config struct { EditableKeys bool `yaml:"editable_keys"` CreateDefaultPeer bool `yaml:"create_default_peer"` CreateDefaultPeerOnCreation bool `yaml:"create_default_peer_on_creation"` + ReEnablePeerAfterUserEnable bool `yaml:"re_enable_peer_after_user_enable"` + DeletePeerAfterUserDeleted bool `yaml:"delete_peer_after_user_deleted"` SelfProvisioningAllowed bool `yaml:"self_provisioning_allowed"` ImportExisting bool `yaml:"import_existing"` RestoreState bool `yaml:"restore_state"` @@ -61,9 +63,13 @@ type Config struct { } func (c *Config) LogStartupValues() { + logrus.Infof("Log Level: %s", c.Advanced.LogLevel) + logrus.Debug("WireGuard Portal Features:") logrus.Debugf(" - EditableKeys: %t", c.Core.EditableKeys) logrus.Debugf(" - CreateDefaultPeerOnCreation: %t", c.Core.CreateDefaultPeerOnCreation) + logrus.Debugf(" - ReEnablePeerAfterUserEnable: %t", c.Core.ReEnablePeerAfterUserEnable) + logrus.Debugf(" - DeletePeerAfterUserDeleted: %t", c.Core.DeletePeerAfterUserDeleted) logrus.Debugf(" - SelfProvisioningAllowed: %t", c.Core.SelfProvisioningAllowed) logrus.Debugf(" - ImportExisting: %t", c.Core.ImportExisting) logrus.Debugf(" - RestoreState: %t", c.Core.RestoreState) @@ -85,8 +91,16 @@ func (c *Config) LogStartupValues() { func defaultConfig() *Config { cfg := &Config{} + cfg.Core.AdminUser = "admin@wgportal.local" + cfg.Core.AdminPassword = "wgportal" cfg.Core.ImportExisting = true cfg.Core.RestoreState = true + cfg.Core.CreateDefaultPeer = false + cfg.Core.CreateDefaultPeerOnCreation = false + cfg.Core.EditableKeys = true + cfg.Core.SelfProvisioningAllowed = false + cfg.Core.ReEnablePeerAfterUserEnable = true + cfg.Core.DeletePeerAfterUserDeleted = false cfg.Database = DatabaseConfig{ Type: "sqlite", @@ -104,6 +118,7 @@ func defaultConfig() *Config { SiteCompanyName: "WireGuard Portal", } + cfg.Advanced.LogLevel = "info" cfg.Advanced.StartListenPort = 51820 cfg.Advanced.StartCidrV4 = "10.11.12.0/24" cfg.Advanced.StartCidrV6 = "fdfd:d3ad:c0de:1234::0/64" diff --git a/internal/domain/base.go b/internal/domain/base.go index e0c8923..41a782a 100644 --- a/internal/domain/base.go +++ b/internal/domain/base.go @@ -1,10 +1,9 @@ package domain import ( + "database/sql/driver" "errors" "time" - - "database/sql/driver" ) type BaseModel struct { @@ -26,30 +25,32 @@ func (PrivateString) String() string { func (ps PrivateString) Value() (driver.Value, error) { if len(ps) == 0 { - return nil, nil - } + return nil, nil + } return string(ps), nil } func (ps *PrivateString) Scan(value interface{}) error { - if value == nil { - *ps = "" - return nil - } - switch v := value.(type) { - case string: - *ps = PrivateString(v) - case []byte: - *ps = PrivateString(string(v)) - default: - return errors.New("invalid type for PrivateString") - } - return nil + if value == nil { + *ps = "" + return nil + } + switch v := value.(type) { + case string: + *ps = PrivateString(v) + case []byte: + *ps = PrivateString(string(v)) + default: + return errors.New("invalid type for PrivateString") + } + return nil } const ( DisabledReasonExpired = "expired" DisabledReasonDeleted = "deleted" + DisabledReasonUserDisabled = "user disabled" + DisabledReasonUserDeleted = "user deleted" DisabledReasonUserEdit = "user edit action" DisabledReasonUserCreate = "user create action" DisabledReasonAdminEdit = "admin edit action"