From 454eae48a0e4165f46cb0e6728549363ee69006d Mon Sep 17 00:00:00 2001
From: Andrea Mistrali <akelge@gmail.com>
Date: Thu, 4 Jul 2024 13:50:32 +0200
Subject: [PATCH] Version 1.0

---
 hsapi/hsapi/preauthkeys.py    |   2 +-
 hsapi/hsapi/schemas.py        |   5 +-
 hsman/app/__init__.py         |   6 +-
 hsman/app/static/main.css     |   4 ++
 hsman/app/static/main.js      |  42 +++++++++++++-
 hsman/app/templates/node.html |  51 ++++++++---------
 hsman/app/templates/user.html |  81 ++++++++++++++++++++++----
 hsman/app/views.py            | 105 ++++++++++++++++++++++------------
 8 files changed, 214 insertions(+), 82 deletions(-)

diff --git a/hsapi/hsapi/preauthkeys.py b/hsapi/hsapi/preauthkeys.py
index 117092f..01a4747 100644
--- a/hsapi/hsapi/preauthkeys.py
+++ b/hsapi/hsapi/preauthkeys.py
@@ -16,7 +16,7 @@ class v1PreAuthKeyResponse(BaseModel):
 
 class v1ExpirePreAuthKeyRequest(BaseModel):
     user: str = Field(alias="user", default=None)
-    key: int = Field(alias="key", default=None)
+    key: str = Field(alias="key", default=None)
 
 
 class v1CreatePreAuthKeyRequest(BaseModel):
diff --git a/hsapi/hsapi/schemas.py b/hsapi/hsapi/schemas.py
index 025980b..3b309a7 100644
--- a/hsapi/hsapi/schemas.py
+++ b/hsapi/hsapi/schemas.py
@@ -45,7 +45,10 @@ class v1PreAuthKey(BaseModel):
     def expired(self) -> bool:
         tzinfo = timezone(timedelta(hours=0))  # UTC
         now = datetime.now(tzinfo)
-        return self.expiration < now  # type: ignore
+        exptime = self.expiration < now
+        expused = not self.reusable and self.used
+        expephemereal = self.ephemeral and self.used
+        return exptime or expused or expephemereal
 
 
 class v1User(BaseModel):
diff --git a/hsman/app/__init__.py b/hsman/app/__init__.py
index d6523ac..2bc08a9 100644
--- a/hsman/app/__init__.py
+++ b/hsman/app/__init__.py
@@ -13,11 +13,11 @@ import os
 mobility = Mobility()
 
 client_metadata = ClientMetadata(
-    client_id='client-id',
-    client_secret='client-secret')
+    client_id=os.getenv('HSMAN_OIDC_CLIENT_ID'),
+    client_secret=os.getenv('HSMAN_OIDC_CLIENT_SECRET'))
 
 
-provider_config = ProviderConfiguration(issuer='oidc-issuer-url',
+provider_config = ProviderConfiguration(issuer=os.getenv('HSMAN_OIDC_URL'),
                                         client_metadata=client_metadata,
                                         auth_request_params={
                                             'scope': ['openid',
diff --git a/hsman/app/static/main.css b/hsman/app/static/main.css
index 4404482..aacc4f6 100644
--- a/hsman/app/static/main.css
+++ b/hsman/app/static/main.css
@@ -99,3 +99,7 @@ a.route.False {
 div.dt-container div.dt-scroll-body {
   border-bottom: none !important;
 }
+
+tr.pka-hide {
+  visibility: collapse;
+}
diff --git a/hsman/app/static/main.js b/hsman/app/static/main.js
index 97f7753..0079a52 100644
--- a/hsman/app/static/main.js
+++ b/hsman/app/static/main.js
@@ -1,6 +1,6 @@
 function renameNode(nodeId) {
   var newName = $("#newName").val();
-  var url = "/node/" + nodeId + "/rename/" + newName;
+  var url = `/node/${nodeId}/rename/${newName}`;
   $.ajax({
     url: url,
     xhrFields: {
@@ -13,9 +13,38 @@ function renameNode(nodeId) {
   });
 }
 
+function createPKA(username) {
+  console.log(username);
+  var url = `/user/${username}/pakcreate`;
+  console.log(url);
+  var ephemereal = $("#ephemereal").is(":checked");
+  var reusable = $("#reusable").is(":checked");
+  var expiration = $("#expiration").val();
+  console.log(expiration);
+  $.ajax({
+    url: url,
+    method: "POST",
+    dataType: "json",
+    contentType: "application/json; charset=utf-8",
+    xhrFields: {
+      withCredentials: true,
+    },
+    data: JSON.stringify({
+      ephemeral: ephemereal,
+      reusable: reusable,
+      expiration: expiration,
+    }),
+
+    success: function (data) {
+      $("#createPKA").modal("hide");
+      location.reload();
+    },
+  });
+}
+
 function copyToClipboard(obj) {
   var span = $(obj);
-  var value = span.attr("data-original-title");
+  var value = span.attr("value");
   var original = span.html();
   try {
     navigator.clipboard.writeText(value);
@@ -28,3 +57,12 @@ function copyToClipboard(obj) {
     console.error(error);
   }
 }
+
+function toggleExpired(obj) {
+  var toggle = $(obj);
+  if (toggle.is(":checked")) {
+    $(".pka-expired").removeClass("pka-hide");
+  } else {
+    $(".pka-expired").addClass("pka-hide");
+  }
+}
diff --git a/hsman/app/templates/node.html b/hsman/app/templates/node.html
index bcc3c65..0d9a02f 100644
--- a/hsman/app/templates/node.html
+++ b/hsman/app/templates/node.html
@@ -1,5 +1,4 @@
 {% extends "base.html" %}
-
 {% block content %}
 <h3>
     <span id="givenName">
@@ -51,21 +50,21 @@
     </div>
 </div>
 <p></p>
-<div class="row">
-    <div class="col col-3 float-left">
-        <h5>addresses</h5>
-    </div>
-</div>
+
+<!-- ADDRESSES -->
+<h5>addresses</h5>
 {% for ip in node.ipAddresses %}
 <div class="row data">
-    <div class="col col-3 float-left">
+    <div class="col col-3">
     {{ ip }}
     </div>
 </div>
 {% endfor %}
 <p></p>
+
+<!-- TAGS -->
 <h5>tags</h5>
-<div class="row">
+<div class="row data">
     <div class="col col-3 float-left">
         <strong>
             announced
@@ -74,7 +73,7 @@
     <div class="col col-6 float-left">
         {% if node.validTags %}
             {% for tag in node.validTags %}
-            <span class="badge badge-pill badge-success">
+            <span class="badge badge-pill badge-info">
                {{ tag }}
             </span>
             {% endfor %}
@@ -83,7 +82,7 @@
         {% endif %}
     </div>
 </div>
-<div class="row">
+<div class="row data">
     <div class="col col-3 float-left">
         <strong>forced</strong>
     </div>
@@ -100,12 +99,12 @@
     </div>
 </div>
 
-
+<!-- KEYS -->
 <p></p>
 <h5>keys</h5>
 
-<div class="row">
-    <div class="col col-4 float-left">
+<div class="row data">
+    <div class="col col-3 float-left">
         <strong>machineKey</strong>
     </div>
     <div class="col col-8 float-left">
@@ -113,8 +112,8 @@
     </div>
 </div>
 
-<div class="row">
-    <div class="col col-4 float-left">
+<div class="row data">
+    <div class="col col-3 float-left">
         <strong>nodeKey</strong>
     </div>
     <div class="col col-8 float-left">
@@ -122,43 +121,43 @@
     </div>
 </div>
 
-<div class="row">
-    <div class="col col-4 float-left">
+<div class="row data">
+    <div class="col col-3 float-left">
         <strong>discoKey</strong>
     </div>
     <div class="col col-8 float-left">
             <code>{{ node.discoKey }}</code>
     </div>
 </div>
-
 <p></p>
 
+<!-- ROUTES -->
 <h5>routes
 {% if isExitNode %}
-<span class="small badge-pill badge-success">Exit Node</span>
+<span class="small badge-pill badge-primary">Exit Node</span>
 {% endif %}
 </h5>
 {% if routes %}
 <div class="row">
-    <div class="col col-4 float-left">
+    <div class="col col-3 float-left">
         <strong>prefix</strong>
     </div>
-    <div class="col col-4 float-left">
+    <div class="col col-3 float-left">
         <strong>enabled</strong>
     </div>
-    <div class="col col-4 float-left">
+    <div class="col col-3 float-left">
         <strong>primary</strong>
     </div>
 </div>
 {% for route in routes | sort(attribute='prefix') %}
 <div class="row data">
-    <div class="col col-4 float-left">
+    <div class="col col-3 float-left">
         {{ route.prefix }}
     </div>
-    <div class="col col-4 float-left">
+    <div class="col col-3 float-left">
         {{ route.enabled | fancyBool | safe }}
     </div>
-    <div class="col col-4 float-left">
+    <div class="col col-3 float-left">
         {{ route.isPrimary | fancyBool | safe }}
     </div>
 </div>
@@ -169,6 +168,7 @@
         <h3>No routes announced</h3>
     </div>
 </div>
+{% endif %}
 
 <!-- rename modal -->
 <!-- Modal -->
@@ -191,5 +191,4 @@
       </div>
     </div>
 </div>
-{% endif %}
 {% endblock %}
diff --git a/hsman/app/templates/user.html b/hsman/app/templates/user.html
index 4719be4..ea770a1 100644
--- a/hsman/app/templates/user.html
+++ b/hsman/app/templates/user.html
@@ -14,12 +14,15 @@
         <strong>registered</strong>
     </div>
     <div class="col col-8">
-        <span data-toggle="tooltip" data-placement="right" title="{{ user.createdAt | fmt_datetime }}">
+        <span data-toggle="tooltip"
+            data-placement="right"
+            title="{{ user.createdAt | fmt_datetime }}">
             {{ user.createdAt | htime_dt }}
         </span>
     </div>
 </div>
 <p></p>
+<!-- NODES -->
 <h5>nodes</h5>
 <table id="nodes" class="display" style="width:80%">
     <thead>
@@ -38,7 +41,9 @@
                 </a>
             </td>
             <td>
-                <span data-toggle="tooltip" data-placement="right" title="{{ node.lastSeen | fmt_datetime }}">
+                <span data-toggle="tooltip"
+                    data-placement="right"
+                    title="{{ node.lastSeen | fmt_datetime }}">
                     {{node.lastSeen | htime_dt }}
                 </span>
             </td>
@@ -50,26 +55,40 @@
     </tbody>
 </table>
 <p></p>
-<h5>pre auth keys</h5>
+<!-- PRE AUTH KEYS -->
+<h5>
+    pre auth keys
+    &nbsp;
+    <button class="btn btn-outline-primary btn-sm" data-toggle="modal" data-target="#createPKA">create</button>
+
+</h5>
 {% if preauthKeys %}
 <table id="paks" class="display" style="width:80%">
     <thead>
         <tr>
-            <th>&nbsp;</th>
+            <th>
+        <div class="form-check form-check-inline">
+            <label class="form-check-label small" for="showExpired">
+                show expired&nbsp;
+            </label>
+            <input type="checkbox" class="form-check-input form-control-sm" id="showExpired">
+        </div>
+            </th>
             <th>created</th>
             <th>expiration</th>
             <th>attributes</th>
-            <!-- <th>valid</th> -->
+            <!-- <th>&nbsp;</th> -->
         </tr>
     </thead>
     <tbody>
 {% for key in preauthKeys %}
-        <tr>
+        <tr class="pka{% if key.expired %} pka-expired pka-hide{% endif %}">
             <td>
                 <span data-toggle="tooltip"
                     data-placement="right"
-                    title="click to copy"
-                    class="pak_copy">{{ key.key }}</span>
+                    value="{{ key.key}}"
+                    title="click to copy full value"
+                    class="pak_copy">{{ key.key[:5] }}&hellip;{{ key.key[-5:] }}</span>
             </td>
             <td>
                 <span data-toggle="tooltip"
@@ -97,8 +116,12 @@
                 {% endif %}
             </td>
             <!-- <td>
-               {{(not key.expired) | fancyBool | safe}}
-           </td> -->
+                <span data-toggle="tooltip" data-placement="right" title="expire">
+                    <a class="nodeco" href="/user/{{user.name}}/expire/{{key.key}}">
+                        <i class="fas fa-trash"></i>
+                    </a>
+                </span>
+            </td> -->
        </tr>
 {% endfor %}
     </tbody>
@@ -111,7 +134,38 @@
 </div>
 {% endif %}
 
-
+<!-- new key modal -->
+<div class="modal fade" id="createPKA" tabindex="-1" role="dialog" aria-labelledby="cretePKA" aria-hidden="true">
+    <div class="modal-dialog" role="document">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title" id="renameModalLabel">create new pre auth key</h5>
+          <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+            <span aria-hidden="true">&times;</span>
+          </button>
+        </div>
+        <div class="modal-body">
+            <div class="form-check form-check-inline">
+                <input class="form-check-input" type="datetime-local" name="expiration" id="expiration" value="{{ defaultExpiry}}">
+                <label class="form-check-label" for="ephemereal">expiration</label>
+            </div>
+            <p></p>
+            <div class="form-check form-check-inline">
+                <input class="form-check-input" type="checkbox" name="reusable" id="reusable">
+                <label class="form-check-label" for="reusable">reusable</label>
+            </div>
+            <div class="form-check form-check-inline">
+                <input class="form-check-input" type="checkbox" name="ephemereal" id="ephemereal">
+                <label class="form-check-label" for="ephemereal">ephemereal</label>
+            </div>
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
+          <button type="button" class="btn btn-primary" onClick="createPKA(user='{{user.name}}')">Save changes</button>
+        </div>
+      </div>
+    </div>
+</div>
 {% endblock %}
 
 {% block scripts %}
@@ -121,6 +175,9 @@
         $('.pak_copy').on('click', function() {
             copyToClipboard(this)
         })
+        $('#showExpired').on('change', function() {
+            toggleExpired(this)
+        })
 
         new DataTable('#nodes', {
             scrollY: 130,
@@ -138,7 +195,7 @@
             keys: false,
         });
         new DataTable('#paks', {
-            scrollY: 130,
+            scrollY: 230,
             scrollCollapse: true,
             paging: false,
             // lengthMenu: [5, 10, 30, 50, { label: 'All', value: -1 }],
diff --git a/hsman/app/views.py b/hsman/app/views.py
index d042f12..c503523 100644
--- a/hsman/app/views.py
+++ b/hsman/app/views.py
@@ -1,22 +1,26 @@
-from flask import render_template, Blueprint
+import logging
+from .lib import remote_ip
+import datetime
+from flask import render_template, Blueprint, request
 from flask import redirect, session, url_for
 from app import auth
 
 from flask import jsonify
 from flask_pyoidc.user_session import UserSession
 
-from hsapi import Node, User, Route, PreAuthKey, v1ListPreAuthKeyRequest
+from hsapi import Node, User, Route, PreAuthKey
+from hsapi.preauthkeys import (v1ListPreAuthKeyRequest,
+                               v1CreatePreAuthKeyRequest,
+                               v1ExpirePreAuthKeyRequest)
 
-from .lib import remote_ip
 
-import logging
 log = logging.getLogger()
 
 main_blueprint = Blueprint('main', __name__)
 
 
-@main_blueprint.route('/', methods=['GET', 'POST'])
-@auth.access_control('default')
+@ main_blueprint.route('/', methods=['GET', 'POST'])
+@ auth.access_control('default')
 def index():
     user_session = UserSession(session)
     hs_user = user_session.userinfo['email'].split('@')[0]
@@ -26,35 +30,35 @@ def index():
                            session=user_session)
 
 
-@main_blueprint.route('/token', methods=['GET', 'POST'])
-@auth.access_control('default')
+@ main_blueprint.route('/token', methods=['GET', 'POST'])
+@ auth.access_control('default')
 def token():
     user_session = UserSession(session)
     return jsonify(user_session.userinfo)
 
 
-@main_blueprint.route('/call', methods=['GET', 'POST'])
-@auth.access_control('default')
+@ main_blueprint.route('/call', methods=['GET', 'POST'])
+@ auth.access_control('default')
 def call():
     return "CALL OK"
 
 
-@main_blueprint.route('/logout')
-@auth.oidc_logout
+@ main_blueprint.route('/logout')
+@ auth.oidc_logout
 def logout():
     return redirect('/')
 
 
-@main_blueprint.route('/nodes', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/nodes', methods=['GET'])
+@ auth.authorize_admins('default')
 def nodes():
     nodelist = Node().list()
     return render_template('nodes.html',
                            nodes=nodelist.nodes)
 
 
-@main_blueprint.route('/node/<int:nodeId>', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/node/<int:nodeId>', methods=['GET'])
+@ auth.authorize_admins('default')
 def node(nodeId):
     # There is a bug in HS api with retrieving a single node
     # and we added a workaround to hsapi, so node.get() returns a
@@ -69,8 +73,8 @@ def node(nodeId):
                            node=node)
 
 
-@main_blueprint.route('/users', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/users', methods=['GET'])
+@ auth.authorize_admins('default')
 def users():
     userList = User().list()
     # Get online status of devices of the user
@@ -85,24 +89,27 @@ def users():
                            online=online)
 
 
-@main_blueprint.route('/user/<userName>', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/user/<userName>', methods=['GET'])
+@ auth.authorize_admins('default')
 def user(userName):
     user = User().get(userName)
     userNodeList = [n for n in Node().list().nodes if n.user.name == userName]
-    preauthkeyreq = v1ListPreAuthKeyRequest(user=userName)
 
+    preauthkeyreq = v1ListPreAuthKeyRequest(user=userName)
     preauthKeys = PreAuthKey().list(preauthkeyreq)
-    validpak = [k for k in preauthKeys.preAuthKeys if not k.expired]
+
+    defaultExpiry = datetime.datetime.now() + datetime.timedelta(days=7)
+    expStr = defaultExpiry.strftime('%Y-%m-%dT%H:%M')
 
     return render_template("user.html",
                            user=user.user,
-                           preauthKeys=validpak,
+                           defaultExpiry=expStr,
+                           preauthKeys=preauthKeys.preAuthKeys,
                            userNodeList=userNodeList)
 
 
-@main_blueprint.route('/routes', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/routes', methods=['GET'])
+@ auth.authorize_admins('default')
 def routes():
     routes = Route().list()
 
@@ -120,8 +127,8 @@ def routes():
                            routes=final)
 
 
-@main_blueprint.route('/routeToggle/<int:routeId>', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/routeToggle/<int:routeId>', methods=['GET'])
+@ auth.authorize_admins('default')
 def routeToggle(routeId: int):
     routes = Route().list()
     route = [r for r in routes.routes if r.id == routeId]
@@ -134,36 +141,36 @@ def routeToggle(routeId: int):
     return redirect(url_for("main.routes"))
 
 
-@main_blueprint.route('/node/<int:nodeId>/expire', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/node/<int:nodeId>/expire', methods=['GET'])
+@ auth.authorize_admins('default')
 def expireNode(nodeId: int):
     Node().expire(nodeId)
     return redirect(url_for("main.node", nodeId=nodeId))
 
 
-@main_blueprint.route('/node/<int:nodeId>/list-expire', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/node/<int:nodeId>/list-expire', methods=['GET'])
+@ auth.authorize_admins('default')
 def expireNodeList(nodeId: int):
     Node().expire(nodeId)
     return redirect(url_for("main.nodes"))
 
 
-@main_blueprint.route('/node/<int:nodeId>/delete', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/node/<int:nodeId>/delete', methods=['GET'])
+@ auth.authorize_admins('default')
 def deleteNode(nodeId: int):
     Node().delete(nodeId)
     return redirect(url_for("main.nodes"))
 
 
-@main_blueprint.route('/node/<int:nodeId>/rename/<newName>', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/node/<int:nodeId>/rename/<newName>', methods=['GET'])
+@ auth.authorize_admins('default')
 def renameNode(nodeId: int, newName: str):
     Node().rename(nodeId, newName)
     return jsonify(dict(newName=newName))
 
 
-@main_blueprint.route('/user/<userName>/delete', methods=['GET'])
-@auth.authorize_admins('default')
+@ main_blueprint.route('/user/<userName>/delete', methods=['GET'])
+@ auth.authorize_admins('default')
 def deleteUser(userName: str):
     nodes = Node().byUser(userName)
     for node in nodes.nodes:
@@ -171,3 +178,27 @@ def deleteUser(userName: str):
         Node().delete(node.id)
     User().delete(userName)
     return redirect(url_for("main.users"))
+
+
+@ main_blueprint.route('/user/<userName>/pakcreate', methods=['POST'])
+@ auth.authorize_admins('default')
+def createPKA(userName: str):
+    data = request.json
+    log.debug(data)
+    expiration = f"{data['expiration']}:00Z"
+    req = v1CreatePreAuthKeyRequest(user=userName,
+                                    reusable=data['reusable'],
+                                    ephemeral=data['ephemeral'],
+                                    expiration=expiration)
+    pak = PreAuthKey().create((req))
+    return jsonify(dict(key=pak.preAuthKey.key))
+
+
+@ main_blueprint.route('/user/<userName>/expire/<key>', methods=['GET'])
+@ auth.authorize_admins('default')
+def expirePKA(userName: str, key: str):
+    log.debug(key)
+    req = v1ExpirePreAuthKeyRequest(user=userName, key=key)
+
+    PreAuthKey().expire(req)
+    return redirect(url_for('main.user', userName=userName))