totp auth; refactoring; fixes

Author: pashcovich

.dockerignore

@@ -5,12 +5,12 @@ out
 gen
 .github
 
-easyrsa
-easyrsa_master
-easyrsa_slave
-ccd
-ccd_master
-ccd_slave
+easyrsa/
+easyrsa_master/
+easyrsa_slave/
+ccd/
+ccd_master/
+ccd_slave/
 werf.yaml
 frontend/node_modules
 frontend/static/dist
@@ -24,3 +24,5 @@ docker-compose-slave.yaml
 img
 dashboard
 .helm
+.github
+

.env

@@ -0,0 +1,13 @@
+OVPN_SERVER_NET="192.168.100.0"
+OVPN_SERVER_MASK="255.255.255.0"
+OVPN_NETWORK="192.168.100.0/24"
+OVPN_CCD="true"
+OVPN_CCD_PATH="/mnt/ccd"
+EASYRSA_PATH="/mnt/easyrsa"
+OVPN_INDEX_PATH="/mnt/easyrsa/pki/index.txt"
+OVPN_SERVER="127.0.0.1:7777:tcp"
+OVPN_AUTH="true"
+OVPN_AUTH_TFA="true"
+OVPN_PASSWD_AUTH="true"
+OVPN_AUTH_DB_PATH="/mnt/easyrsa/pki/users.db"
+LOG_LEVEL="debug"

.github/workflows/publish-latest.yaml

@@ -12,14 +12,6 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - name: Push openvpn image to Docker Hub
-        uses: docker/build-push-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USER }}
-          password: ${{ secrets.DOCKER_PASS }}
-          repository: flant/ovpn-admin
-          tags: openvpn-latest
-          dockerfile:  Dockerfile.openvpn
       - name: Push ovpn-admin image to Docker Hub
         uses: docker/build-push-action@v1
         with:

.github/workflows/publish-tag.yaml

@@ -16,14 +16,6 @@ jobs:
       - name: Get the version
         id: get_version
         run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
-      - name: Push openvpn image to Docker Hub
-        uses: docker/build-push-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USER }}
-          password: ${{ secrets.DOCKER_PASS }}
-          repository: flant/ovpn-admin
-          tags: openvpn-${{ steps.get_version.outputs.VERSION }}
-          dockerfile:  Dockerfile.openvpn
       - name: Push ovpn-admin image to Docker Hub
         uses: docker/build-push-action@v1
         with:

.gitignore

@@ -19,3 +19,5 @@ packrd/
 *.ntvs*
 *.njsproj
 *.sln
+
+.env

Dockerfile

@@ -3,15 +3,16 @@ COPY frontend/ /app
 RUN cd /app && npm install && npm run build
 
 FROM golang:1.17.3-buster AS backend-builder
-RUN go install github.com/gobuffalo/packr/v2/packr2@latest
 COPY --from=frontend-builder /app/static /app/frontend/static
 COPY . /app
-RUN cd /app && packr2 && env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -a -tags netgo -ldflags '-linkmode external -extldflags -static -s -w' -o ovpn-admin && packr2 clean
+RUN cd /app && env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -a -tags netgo -ldflags '-linkmode external -extldflags -static -s -w' -o ovpn-admin
 
 FROM alpine:3.16
 WORKDIR /app
-COPY --from=backend-builder /app/ovpn-admin /app
-RUN apk add --update bash easy-rsa openssl openvpn coreutils  && \
+RUN apk add --update bash easy-rsa openssl openvpn coreutils iptables curl&& \
     ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
-    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.4/openvpn-user-linux-amd64.tar.gz -O - | tar xz -C /usr/local/bin && \
+    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.9/openvpn-user-linux-amd64.tar.gz -O - |  tar xz -C /usr/local/bin && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
+COPY --from=backend-builder /app/ovpn-admin /app
+COPY setup/ /etc/openvpn/setup
+RUN chmod +x /etc/openvpn/setup/configure.sh

Dockerfile.openvpn

@@ -50,9 +50,12 @@ Ready docker images available on [Docker Hub](https://hub.docker.com/r/flant/ovp
 
 Requirements. You need Linux with the following components installed:
 - [golang](https://golang.org/doc/install)
-- [packr2](https://github.com/gobuffalo/packr#installation)
 - [nodejs/npm](https://nodejs.org/en/download/package-manager/)
 
+before version 2.1.0 you need 
+- [packr2](https://github.com/gobuffalo/packr#installation)
+
+
 Commands to execute:
 
 ```bash

README.md

@@ -1,4 +1,4 @@
-package main
+package backend
 
 import (
 	"bytes"
@@ -12,8 +12,8 @@ import (
 	"time"
 )
 
-// decode certificate from PEM to x509
-func decodeCert(certPEMBytes []byte) (cert *x509.Certificate, err error) {
+// DecodeCert decode certificate from PEM to x509
+func DecodeCert(certPEMBytes []byte) (cert *x509.Certificate, err error) {
 	certPem, _ := pem.Decode(certPEMBytes)
 	certPemBytes := certPem.Bytes
 
@@ -25,8 +25,8 @@ func decodeCert(certPEMBytes []byte) (cert *x509.Certificate, err error) {
 	return
 }
 
-// decode private key from PEM to RSA format
-func decodePrivKey(privKey []byte) (key *rsa.PrivateKey, err error) {
+// DecodePrivKey decode private key from PEM to RSA format
+func DecodePrivKey(privKey []byte) (key *rsa.PrivateKey, err error) {
 	privKeyPem, _ := pem.Decode(privKey)
 	key, err = x509.ParsePKCS1PrivateKey(privKeyPem.Bytes)
 	if err == nil {
@@ -43,8 +43,8 @@ func decodePrivKey(privKey []byte) (key *rsa.PrivateKey, err error) {
 	return
 }
 
-// return PEM encoded private key
-func genPrivKey() (privKeyPEM *bytes.Buffer, err error) {
+// GenPrivKey return PEM encoded private key
+func GenPrivKey() (privKeyPEM *bytes.Buffer, err error) {
 	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
 
 	//privKeyPKCS1 := x509.MarshalPKCS1PrivateKey(privKey)
@@ -60,12 +60,11 @@ func genPrivKey() (privKeyPEM *bytes.Buffer, err error) {
 		Bytes: privKeyPKCS8,
 	})
 
-
 	return
 }
 
-// return PEM encoded certificate
-func genCA(privKey *rsa.PrivateKey) (issuerPEM *bytes.Buffer, err error) {
+// GenCA return PEM encoded certificate
+func GenCA(privKey *rsa.PrivateKey) (issuerPEM *bytes.Buffer, err error) {
 	serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
 
 	issuerSerial, err := rand.Int(rand.Reader, serialNumberRange)
@@ -96,8 +95,8 @@ func genCA(privKey *rsa.PrivateKey) (issuerPEM *bytes.Buffer, err error) {
 	return
 }
 
-// return PEM encoded certificate
-func genServerCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn string) (issuerPEM *bytes.Buffer, err error) {
+// GenServerCert return PEM encoded certificate
+func GenServerCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn string) (issuerPEM *bytes.Buffer, err error) {
 	serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
 	serial, err := rand.Int(rand.Reader, serialNumberRange)
 
@@ -128,8 +127,8 @@ func genServerCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
 	return
 }
 
-// return PEM encoded certificate
-func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn string) (issuerPEM *bytes.Buffer, err error) {
+// GenClientCert return PEM encoded certificate
+func GenClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn string) (issuerPEM *bytes.Buffer, err error) {
 	serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
 	serial, err := rand.Int(rand.Reader, serialNumberRange)
 
@@ -160,8 +159,8 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
 	return
 }
 
-// return PEM encoded CRL
-func genCRL(certs []*RevokedCert, ca *x509.Certificate, caKey *rsa.PrivateKey) (crlPEM *bytes.Buffer, err error) {
+// GenCRL return PEM encoded CRL
+func GenCRL(certs []*RevokedCert, ca *x509.Certificate, caKey *rsa.PrivateKey) (crlPEM *bytes.Buffer, err error) {
 	var revokedCertificates []pkix.RevokedCertificate
 
 	for _, cert := range certs {

certificates.go backend/certificates.gocertificates.go renamed to backend/certificates.go

@@ -0,0 +1,14 @@
+package backend
+
+const (
+	usernameRegexp       = `^([a-zA-Z0-9_.-@])+$`
+	passwordMinLength    = 6
+	DownloadCertsApiUrl  = "/api/data/certs/download"
+	DownloadCcdApiUrl    = "/api/data/ccd/download"
+	certsArchiveFileName = "certs.tar.gz"
+	ccdArchiveFileName   = "ccd.tar.gz"
+	indexTxtDateLayout   = "060102150405Z"
+	stringDateFormat     = "2006-01-02 15:04:05"
+
+	KubeNamespaceFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
+)