Add secondary core API mode and clean settings

8 years ago · c102a15743
parent 6110cc3bdf
commit c102a15743
5 changed files with 121 additions and 16 deletions
--- a/ccvpn/settings.py
+++ b/ccvpn/settings.py
@ -157,26 +157,31 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = True


 # OpenVPN CA Certificate
-
 with open(BASE_DIR + '/ccvpn/ca.crt') as ca_file:
    OPENVPN_CA = ca_file.read()

-
+# HTML added before </head>
 ADDITIONAL_HEADER_HTML = ''
+
+# HTML added before </body>
 ADDITIONAL_HTML = ''

-LAMBDAINST_CLUSTER_MESSAGES = {}  # 'cluster_name': "No P2P"
+# Custom per cluster message displayed config page
+# 'cluster_name': "No P2P"
+LAMBDAINST_CLUSTER_MESSAGES = {}

+# Name used in ticket emails
 TICKETS_SITE_NAME = 'CCrypto VPN Support'

-ROOT_URL = ""  # Full URL to the site root
+# Full URL to the site root
+ROOT_URL = ''

+# reCAPTCHA API details. If empty, no captcha is displayed.
 RECAPTCHA_API = 'https://www.google.com/recaptcha/api/siteverify'
 RECAPTCHA_SITE_KEY = ''
 RECAPTCHA_SECRET_KEY = ''

-# lcore API
-
+# lcore API settings
 LCORE = dict(
    BASE_URL='https://core.test.lambdavpn.net/v1/',
    API_KEY='',
@ -185,13 +190,24 @@ LCORE = dict(
    CACHE_TTL=10,
 )

+# VPN auth credentials and expiration time storage
+# - if 'core', password and expiration_date will be replicated to core and
+#   auth will be done from there.
+# - if 'inst', both will be kept here and core should call the API here to
+#   authenticate users.
+# 'core' is faster and doesn't depend on the instance's stability, 'inst'
+# lets you generate client_config dynamically.
+# /!\ don't use 'core' with unit tests for now.
+VPN_AUTH_STORAGE = 'inst'
+

 # Payment & Trial

+# Payment backends. See payments/backends.py for more infos.
 PAYMENTS_BACKENDS = {
    'paypal': {
-        'TEST': True,
-        'ADDRESS': 'paypal@xomg.net',  # Your PayPal primary address
+        'TEST': True,  # Sandbox
+        'ADDRESS': 'paypal@ccrypto.org',  # Your PayPal primary address
    },
    # Remove the leading '_' to enable these backends.
    '_stripe': {
@ -206,9 +222,9 @@ PAYMENTS_BACKENDS = {

 PAYMENTS_CURRENCY = ('eur', '€')
 PAYMENTS_MONTHLY_PRICE = 300  # in currency*100
-TRIAL_PERIOD = timedelta(hours=2)
+TRIAL_PERIOD = timedelta(hours=2)  # Time added on each trial awarded
 TRIAL_PERIOD_LIMIT = 2  # 2 * 2h = 4h, still has to push the button twice
-NOTIFY_DAYS_BEFORE = (3, 1)  # notify twice 3 and 1 days before expiration
+NOTIFY_DAYS_BEFORE = (3, 1)  # notify twice: 3 and 1 days before expiration


 # Local settings
--- a/lambdainst/admin.py
+++ b/lambdainst/admin.py
@ -7,7 +7,7 @@ from django.contrib.auth.models import User
 from django.utils.translation import ugettext as _

 from lambdainst.models import VPNUser, GiftCode, GiftCodeUser
-
+from . import core

 def make_user_link(user):
    change_url = resolve_url('admin:auth_user_change', user.id)
@ -52,6 +52,11 @@ class VPNUserInline(admin.StackedInline):
    is_paid.boolean = True
    is_paid.short_description = _("Is paid?")

+    def save_model(self, request, obj, form, change):
+        obj.save()
+        if change and 'expiration' in form.changed_data:
+            core.update_user_expiration(obj.user)
+

 class GiftCodeUserAdmin(admin.TabularInline):
    model = GiftCodeUser
@ -104,6 +109,20 @@ class UserAdmin(UserAdmin):
        return s
    links.allow_tags = True

+    def save_model(self, request, obj, form, change):
+        super().save_model(request, obj, form, change)
+
+        # Notify core
+        if core.VPN_AUTH_STORAGE == 'core':
+            if change and 'is_active' in form.changed_data:
+                core.update_user_expiration(obj)
+
+    def delete_model(self, request, obj):
+        if core.VPN_AUTH_STORAGE == 'core':
+            core.delete_user(obj.username)
+
+        super().delete_model(request, obj)
+

 class GiftCodeAdmin(admin.ModelAdmin):
    fields = ('code', 'time', 'created', 'created_by', 'single_use', 'free_only',
--- a/lambdainst/core.py
+++ b/lambdainst/core.py
@ -23,6 +23,9 @@ if isinstance(LCORE_CACHE_TTL, int):
    LCORE_CACHE_TTL = timedelta(seconds=LCORE_CACHE_TTL)
 assert isinstance(LCORE_CACHE_TTL, timedelta)

+VPN_AUTH_STORAGE = settings.VPN_AUTH_STORAGE
+assert VPN_AUTH_STORAGE in ('core', 'inst')
+
 core_api = lcoreapi.API(LCORE_API_KEY, LCORE_API_SECRET, LCORE_BASE_URL)


@ -97,3 +100,54 @@ def get_locations():
    return locations


+def create_user(username, cleartext_password):
+    """ The password will be hashed and stored safely on the core,
+    so we have to send it clearly here.
+    """
+    path = core_api.info['current_instance'] + '/users/'
+    core_api.post(path, data={
+        'username': username,
+        'password': cleartext_password,
+        'expiration_date': datetime(1, 1, 1).isoformat(),  # Expired.
+    })
+
+
+def update_user_expiration(user):
+    path = core_api.info['current_instance'] + '/users/' + user.username
+
+    try:
+        if not user.is_active:
+            core_api.patch(path, data={
+                'expiration_date': datetime(1, 1, 1).isoformat(),  # Expired.
+            })
+            return
+
+        core_api.patch(path, data={
+            'expiration_date': user.vpnuser.expiration,
+        })
+    except lcoreapi.APIError:
+        # User can't do anything to this, we should just report it
+        logger = logging.getLogger('django.request')
+        logger.exception("core api error, missing user (exp update)")
+
+
+def update_user_password(user, cleartext_password):
+    path = core_api.info['current_instance'] + '/users/' + user.username
+
+    try:
+        core_api.patch(path, data={
+            'password': cleartext_password,
+        })
+    except lcoreapi.APINotFoundError:
+        # This time we can try fix it!
+        create_user(user.username, cleartext_password)
+    except lcoreapi.APIError:
+        # and maybe fail.
+        logger = logging.getLogger('django.request')
+        logger.exception("core api error (password update)")
+
+
+def delete_user(username):
+    path = core_api.info['current_instance'] + '/users/' + username
+    core_api.delete(path)
+
--- a/lambdainst/models.py
+++ b/lambdainst/models.py
@ -7,6 +7,7 @@ from django.utils import timezone
 from django.conf import settings
 from django.db.models.signals import post_save
 from django.dispatch import receiver
+from . import core

 assert isinstance(settings.TRIAL_PERIOD, timedelta)
 assert isinstance(settings.TRIAL_PERIOD_LIMIT, int)
@ -55,6 +56,10 @@ class VPNUser(models.Model):
            self.expiration = now
        self.expiration += time

+        # Propagate update to core
+        if core.VPN_AUTH_STORAGE == 'core':
+            core.update_user_expiration(self.user)
+
    def give_trial_period(self):
        self.add_paid_time(settings.TRIAL_PERIOD)
        self.trial_periods_given += 1
--- a/lambdainst/views.py
+++ b/lambdainst/views.py
@ -23,8 +23,8 @@ from django_countries import countries
 from payments.models import ACTIVE_BACKENDS
 from .forms import SignupForm
 from .models import GiftCode, VPNUser
-from .core import core_api, current_active_sessions, get_locations as core_get_locations
-from .core import LCORE_INST_SECRET, LCORE_SOURCE_ADDR
+from .core import core_api
+from . import core
 from . import graphs
 from . import openvpn

@ -34,7 +34,7 @@ def get_locations():
    that depends on the request
    """
    countries_d = dict(countries)
-    locations = core_get_locations()
+    locations = core.get_locations()
    for k, v in locations:
        cc = v['country_code'].upper()
        v['country_name'] = countries_d.get(cc, cc)
@ -69,6 +69,9 @@ def signup(request):
                                    form.cleaned_data['password'])
    user.save()

+    if core.VPN_AUTH_STORAGE == 'core':
+        core.create_user(form.cleaned_data['username'], form.cleaned_data['password'])
+
    try:
        user.vpnuser.referrer = User.objects.get(id=request.session.get('referrer'))
    except User.DoesNotExist:
@ -154,6 +157,11 @@ def settings(request):
        else:
            request.user.set_password(pw)

+            if core.VPN_AUTH_STORAGE == 'core':
+                core.update_user_password(request.user, pw)
+
+            messages.success(request, _("OK!"))
+
    email = request.POST.get('email')
    if email:
        request.user.email = email
@ -269,11 +277,14 @@ def api_auth(request):
    if request.method != 'POST':
        return HttpResponseNotFound()

+    if core.VPN_AUTH_STORAGE != 'inst':
+        return HttpResponseNotFound()
+
    username = request.POST.get('username')
    password = request.POST.get('password')
    secret = request.POST.get('secret')

-    if secret != LCORE_INST_SECRET:
+    if secret != core.LCORE_INST_SECRET:
        return HttpResponseForbidden(content="Invalid secret")

    user = authenticate(username=username, password=password)
@ -295,7 +306,7 @@ def status(request):
    ctx = {
        'title': _("Status"),
        'n_users': VPNUser.objects.filter(expiration__gte=timezone.now()).count(),
-        'n_sess': current_active_sessions(),
+        'n_sess': core.current_active_sessions(),
        'n_gws': sum(l['servers'] for cc, l in locations),
        'n_countries': len(set(cc for cc, l in locations)),
        'total_bw': sum(l['bandwidth'] for cc, l in locations),