add client info page

clients page improvements: convert ip allocation index to addresses
initial implementation of adding clients
2024-12-23 03:16:56 -08:00 · 2024-12-23 00:33:08 -08:00 · 2024-12-23 00:05:00 -08:00 · 2024-12-22 19:45:46 -08:00 · 2024-12-22 19:45:03 -08:00 · 2024-12-22 02:39:15 -08:00
29 changed files with 778 additions and 81 deletions
--- a/.env.example
+++ b/.env.example
@ -1,4 +1,4 @@
-DATABASE_URL=local.db
+DATABASE_URL=file:local.db
 AUTH_DOMAIN=auth.lab.cazzzer.com
 AUTH_CLIENT_ID=
 AUTH_CLIENT_SECRET=
@ -8,3 +8,11 @@ OPNSENSE_API_URL=https://opnsense.home
 OPNSENSE_API_KEY=
 OPNSENSE_API_SECRET=
 OPNSENSE_WG_IFNAME=wg2
+
+IPV4_STARTING_ADDR=10.18.11.100
+IPV6_STARTING_ADDR=fd00:10:18:11::100:0
+IPV6_CLIENT_PREFIX_SIZE=112
+IP_MAX_INDEX=100
+VPN_ENDPOINT=vpn.lab.cazzzer.com:51820
+VPN_DNS=10.18.11.1,fd00:10:18:11::1
+MAX_CLIENTS_PER_USER=20
--- a/.idea/codeStyles/Project.xml
+++ b/.idea/codeStyles/Project.xml
@ -9,7 +9,7 @@
      <option name="SPACE_BEFORE_FUNCTION_LEFT_PARENTH" value="false" />
      <option name="USE_DOUBLE_QUOTES" value="false" />
      <option name="FORCE_QUOTE_STYlE" value="true" />
-      <option name="ENFORCE_TRAILING_COMMA" value="Remove" />
+      <option name="ENFORCE_TRAILING_COMMA" value="WhenMultiline" />
      <option name="SPACES_WITHIN_OBJECT_LITERAL_BRACES" value="true" />
      <option name="SPACES_WITHIN_IMPORTS" value="true" />
    </JSCodeStyleSettings>
@ -120,7 +120,7 @@
      <option name="SPACE_BEFORE_FUNCTION_LEFT_PARENTH" value="false" />
      <option name="USE_DOUBLE_QUOTES" value="false" />
      <option name="FORCE_QUOTE_STYlE" value="true" />
-      <option name="ENFORCE_TRAILING_COMMA" value="Remove" />
+      <option name="ENFORCE_TRAILING_COMMA" value="WhenMultiline" />
      <option name="SPACES_WITHIN_OBJECT_LITERAL_BRACES" value="true" />
      <option name="SPACES_WITHIN_IMPORTS" value="true" />
    </TypeScriptCodeStyleSettings>
--- a/.prettierrc
+++ b/.prettierrc
@ -1,7 +1,6 @@
 {
 	"useTabs": true,
 	"singleQuote": true,
-	"trailingComma": "none",
 	"printWidth": 100,
 	"plugins": ["prettier-plugin-svelte", "prettier-plugin-tailwindcss"],
 	"overrides": [
--- a/bruno/opnsense-api/Add
+++ b/bruno/opnsense-api/Add
@ -22,7 +22,6 @@ body:json {
      "pubkey": "{{clientPubkey}}",
      "psk": "{{psk}}",
      "tunneladdress": "{{clientTunnelAddress}}",
-      "keepalive": "",
      "server": "{{serverUuid}}",
      "endpoint": "{{vpn_endpoint}}"
    }
@ -30,7 +29,7 @@ body:json {
 }

 vars:pre-request {
-  clientName: vpgen-test
+  clientName: vpgen-CaZzzer
  clientPubkey: BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=
  psk: 0LWopbrISXBNHUxr+WOhCSAg+0hD8j3TLmpyzHkBHCQ=
  clientTunnelAddress: 10.18.11.101/32,fd00::1/128
--- a/bun.lockb
+++ b/bun.lockb
--- a/package.json
+++ b/package.json
@ -11,8 +11,10 @@
 		"format": "prettier --write .",
 		"lint": "prettier --check . && eslint .",
 		"db:push": "drizzle-kit push",
+		"db:generate": "drizzle-kit generate",
 		"db:migrate": "drizzle-kit migrate",
-		"db:studio": "drizzle-kit studio"
+		"db:studio": "drizzle-kit studio",
+		"db:seed": "bun run ./src/lib/server/db/seed.ts"
 	},
 	"devDependencies": {
 		"@sveltejs/adapter-auto": "^3.0.0",
@ -26,7 +28,7 @@
 		"autoprefixer": "^10.4.20",
 		"bits-ui": "^0.21.16",
 		"clsx": "^2.1.1",
-		"drizzle-kit": "^0.22.0",
+		"drizzle-kit": "^0.30.1",
 		"eslint": "^9.7.0",
 		"eslint-config-prettier": "^9.1.0",
 		"eslint-plugin-svelte": "^2.36.0",
@ -44,11 +46,12 @@
 		"vite": "^5.0.3"
 	},
 	"dependencies": {
+		"@libsql/client": "^0.14.0",
 		"@oslojs/crypto": "^1.0.1",
 		"@oslojs/encoding": "^1.1.0",
 		"arctic": "^2.2.1",
-		"better-sqlite3": "^11.1.2",
-		"drizzle-orm": "^0.33.0",
+		"drizzle-orm": "^0.38.2",
+		"ip-address": "^10.0.1",
 		"lucide-svelte": "^0.454.0"
 	}
 }
--- a/src/lib/clients.ts
+++ b/src/lib/clients.ts
@ -0,0 +1,33 @@
+import type { ClientDetails } from '$lib/types/clients';
+
+/**
+ * Convert client details to WireGuard configuration.
+ *
+ * ```conf
+ * [Interface]
+ * PrivateKey = wPa07zR0H4wYoc1ljfeiqlSbR8Z28pPc6jplwE7zPms=
+ * Address = 10.18.11.100/32,fd00::1/128
+ * DNS = 10.18.11.1,fd00::0
+ *
+ * [Peer]
+ * PublicKey = BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=
+ * PresharedKey = uhZUVqXKF0oayP0BS6yPu6Gepgh68Nz9prtbE5Cuok0=
+ * Endpoint = vpn.lab.cazzzer.com:51820
+ * AllowedIPs = 0.0.0.0/0,::/0
+ * ```
+ * @param client
+ */
+export function clientDetailsToConfig(client: ClientDetails): string {
+	return `\
+[Interface]
+PrivateKey = ${client.privateKey}
+Address = ${client.ips.join(', ')}
+DNS = ${client.vpnDns}
+
+[Peer]
+PublicKey = ${client.vpnPublicKey}
+PresharedKey = ${client.preSharedKey}
+Endpoint = ${client.vpnEndpoint}
+AllowedIPs = 0.0.0.0/0,::/0
+`;
+}
--- a/src/lib/opnsense/wg.ts
+++ b/src/lib/opnsense/wg.ts
@ -59,3 +59,49 @@ export interface OpnsenseWgPeers {
 * };
 * ```
 */
+
+export interface OpnsenseWgServers {
+	status: "ok" | string | number;
+	rows: {
+		name: string;
+		uuid: string;
+	}[];
+}
+
+/**
+ * Sample response for OPNsense WireGuard clients
+ * ```json
+ * {
+ *   "rows": [
+ *     {
+ *       "uuid": "d99334de-7671-4ca7-9c9b-5f5578acae70",
+ *       "enabled": "1",
+ *       "name": "Yura-TPX13",
+ *       "pubkey": "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=",
+ *       "tunneladdress": "fd00::1/112,10.6.0.3/32",
+ *       "serveraddress": "",
+ *       "serverport": "",
+ *       "servers": "wg0"
+ *     }
+ *   ],
+ *   "rowCount": 1,
+ *   "total": 10,
+ *   "current": 1
+ * }
+ * ```
+ */
+export interface OpnsenseWgClients {
+	rowCount: number;
+	total: number;
+	current: number;
+	rows: {
+		uuid: string;
+		enabled: string;
+		name: string;
+		pubkey: string;
+		tunneladdress: string;
+		serveraddress: string;
+		serverport: string;
+		servers: string;
+	}[];
+}
--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@ -23,7 +23,7 @@ export async function createSession(userId: string): Promise<table.Session> {
 		userId,
 		expiresAt: new Date(Date.now() + DAY_IN_MS * 30)
 	};
-	await db.insert(table.session).values(session);
+	await db.insert(table.sessions).values(session);
 	return session;
 }

@ -38,7 +38,7 @@ export function setSessionTokenCookie(event: RequestEvent, sessionId: string, ex
 }

 export async function invalidateSession(sessionId: string): Promise<void> {
-	await db.delete(table.session).where(eq(table.session.id, sessionId));
+	await db.delete(table.sessions).where(eq(table.sessions.id, sessionId));
 }

 export function deleteSessionTokenCookie(event: RequestEvent) {
@ -49,12 +49,12 @@ export async function validateSession(sessionId: string) {
 	const [result] = await db
 		.select({
 			// Adjust user table here to tweak returned data
-			user: { id: table.user.id, username: table.user.username, name: table.user.name },
-			session: table.session
+			user: { id: table.users.id, username: table.users.username, name: table.users.name },
+			session: table.sessions
 		})
-		.from(table.session)
-		.innerJoin(table.user, eq(table.session.userId, table.user.id))
-		.where(eq(table.session.id, sessionId));
+		.from(table.sessions)
+		.innerJoin(table.users, eq(table.sessions.userId, table.users.id))
+		.where(eq(table.sessions.id, sessionId));

 	if (!result) {
 		return { session: null, user: null };
@ -63,7 +63,7 @@ export async function validateSession(sessionId: string) {

 	const sessionExpired = Date.now() >= session.expiresAt.getTime();
 	if (sessionExpired) {
-		await db.delete(table.session).where(eq(table.session.id, session.id));
+		await db.delete(table.sessions).where(eq(table.sessions.id, session.id));
 		return { session: null, user: null };
 	}

@ -71,9 +71,9 @@ export async function validateSession(sessionId: string) {
 	if (renewSession) {
 		session.expiresAt = new Date(Date.now() + DAY_IN_MS * 30);
 		await db
-			.update(table.session)
+			.update(table.sessions)
 			.set({ expiresAt: session.expiresAt })
-			.where(eq(table.session.id, session.id));
+			.where(eq(table.sessions.id, session.id));
 	}

 	return { session, user };
--- a/src/lib/server/clients.ts
+++ b/src/lib/server/clients.ts
@ -0,0 +1,226 @@
+import type { User } from '$lib/server/db/schema';
+import { db } from '$lib/server/db';
+import { wgClients, ipAllocations } from '$lib/server/db/schema';
+import { opnsenseAuth, opnsenseUrl, serverPublicKey, serverUuid } from '$lib/server/opnsense';
+import { Address4, Address6 } from 'ip-address';
+import {
+	IP_MAX_INDEX,
+	IPV4_STARTING_ADDR,
+	IPV6_CLIENT_PREFIX_SIZE,
+	IPV6_STARTING_ADDR,
+	MAX_CLIENTS_PER_USER,
+	VPN_DNS,
+	VPN_ENDPOINT,
+} from '$env/static/private';
+import { and, count, eq, isNull } from 'drizzle-orm';
+import { err, ok, type Result } from '$lib/types';
+import type { ClientDetails } from '$lib/types/clients';
+
+export async function findClients(userId: string) {
+	return db.query.wgClients.findMany({
+		columns: {
+			id: true,
+			name: true,
+			publicKey: true,
+			privateKey: true,
+			preSharedKey: true,
+		},
+		with: {
+			ipAllocation: true,
+		},
+		where: eq(wgClients.userId, userId),
+	});
+}
+
+export async function findClient(userId: string, clientId: number) {
+	return db.query.wgClients.findFirst({
+		columns: {
+			id: true,
+			name: true,
+			publicKey: true,
+			privateKey: true,
+			preSharedKey: true,
+		},
+		with: {
+			ipAllocation: true,
+		},
+		where: and(eq(wgClients.userId, userId), eq(wgClients.id, clientId)),
+	});
+}
+
+export function mapClientToDetails(
+	client: Awaited<ReturnType<typeof findClients>>[0],
+): ClientDetails {
+	const ips = getIpsFromIndex(client.ipAllocation.id);
+	return {
+		id: client.id,
+		name: client.name,
+		publicKey: client.publicKey,
+		privateKey: client.privateKey,
+		preSharedKey: client.preSharedKey,
+		ips,
+		vpnPublicKey: serverPublicKey,
+		vpnEndpoint: VPN_ENDPOINT,
+		vpnDns: VPN_DNS,
+	};
+}
+
+export async function createClient(params: {
+	name: string;
+	user: User;
+}): Promise<Result<null, [400 | 500, string]>> {
+	// check if user exceeds the limit of clients
+	const [{ clientCount }] = await db
+		.select({ clientCount: count() })
+		.from(wgClients)
+		.where(eq(wgClients.userId, params.user.id));
+	if (clientCount >= parseInt(MAX_CLIENTS_PER_USER))
+		return err([400, 'Maximum number of clients reached'] as [400, string]);
+
+	// this is going to be quite long
+	// 1. fetch params for new client from opnsense api
+	// 2.1 get an allocation for the client
+	// 2.2. insert new client into db
+	// 2.3. update the allocation with the client id
+	// 3. create the client in opnsense
+	// 4. reconfigure opnsense to enable the new client
+	const error = await db.transaction(async (tx) => {
+		const [keys, availableAllocation, lastAllocation] = await Promise.all([
+			// fetch params for new client from opnsense api
+			getKeys(),
+			// find first unallocated IP
+			await tx.query.ipAllocations.findFirst({
+				columns: {
+					id: true,
+				},
+				where: isNull(ipAllocations.clientId),
+			}),
+			// find last allocation to check if we have any IPs left
+			await tx.query.ipAllocations.findFirst({
+				columns: {
+					id: true,
+				},
+				orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
+			}),
+		]);
+
+		// check for existing allocation or if we have any IPs left
+		if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(IP_MAX_INDEX)) {
+			return err([500, 'No more IP addresses available'] as [500, string]);
+		}
+
+		// use existing allocation or create a new one
+		const ipAllocationId =
+			availableAllocation?.id ??
+			(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
+
+		// transaction savepoint after creating a new IP allocation
+		// TODO: not sure if this is needed
+		return await tx.transaction(async (tx2) => {
+			// create new client in db
+			const [newClient] = await tx2
+				.insert(wgClients)
+				.values({
+					userId: params.user.id,
+					name: params.name,
+					publicKey: keys.pubkey,
+					privateKey: keys.privkey,
+					preSharedKey: keys.psk,
+				})
+				.returning({ id: wgClients.id });
+
+			// update IP allocation with client ID
+			await tx2
+				.update(ipAllocations)
+				.set({ clientId: newClient.id })
+				.where(eq(ipAllocations.id, ipAllocationId));
+
+			// create client in opnsense
+			const opnsenseRes = await opnsenseCreateClient({
+				username: params.user.username,
+				pubkey: keys.pubkey,
+				psk: keys.psk,
+				allowedIps: getIpsFromIndex(ipAllocationId - 1).join(','),
+			});
+			const opnsenseResJson = await opnsenseRes.json();
+			if (opnsenseResJson['result'] !== 'saved') {
+				tx2.rollback();
+				console.error(`Error creating client in OPNsense: \n${opnsenseResJson}`);
+				return err([500, 'Error creating client in OPNsense'] as [500, string]);
+			}
+
+			// reconfigure opnsense
+			await opnsenseReconfigure();
+		});
+	});
+	if (error) return error;
+	return ok(null);
+}
+
+async function getKeys() {
+	// fetch key pair from opnsense
+	const options: RequestInit = {
+		method: 'GET',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+		},
+	};
+	const resKeyPair = await fetch(`${opnsenseUrl}/api/wireguard/server/key_pair`, options);
+	const resPsk = await fetch(`${opnsenseUrl}/api/wireguard/client/psk`, options);
+	const keyPair = await resKeyPair.json();
+	const psk = await resPsk.json();
+	return {
+		pubkey: keyPair['pubkey'] as string,
+		privkey: keyPair['privkey'] as string,
+		psk: psk['psk'] as string,
+	};
+}
+
+export function getIpsFromIndex(ipIndex: number) {
+	const v4StartingAddr = new Address4(IPV4_STARTING_ADDR);
+	const v6StartingAddr = new Address6(IPV6_STARTING_ADDR);
+	const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
+	const v6Offset = BigInt(ipIndex) << (128n - BigInt(IPV6_CLIENT_PREFIX_SIZE));
+	const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
+	const v6AllowedShort = v6Allowed.parsedAddress.join(':');
+
+	return [v4Allowed.address + '/32', v6AllowedShort + '/' + IPV6_CLIENT_PREFIX_SIZE];
+}
+
+async function opnsenseCreateClient(params: {
+	username: string;
+	pubkey: string;
+	psk: string;
+	allowedIps: string;
+}) {
+	return fetch(`${opnsenseUrl}/api/wireguard/client/addClientBuilder`, {
+		method: 'POST',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+			'Content-Type': 'application/json',
+		},
+		body: JSON.stringify({
+			configbuilder: {
+				enabled: '1',
+				name: `vpgen-${params.username}`,
+				pubkey: params.pubkey,
+				psk: params.psk,
+				tunneladdress: params.allowedIps,
+				server: serverUuid,
+				endpoint: VPN_ENDPOINT,
+			},
+		}),
+	});
+}
+
+async function opnsenseReconfigure() {
+	return fetch(`${opnsenseUrl}/api/wireguard/service/reconfigure`, {
+		method: 'POST',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+		},
+	});
+}
--- a/src/lib/server/db/index.ts
+++ b/src/lib/server/db/index.ts
@ -1,8 +1,5 @@
-import { drizzle } from 'drizzle-orm/better-sqlite3';
-import Database from 'better-sqlite3';
-import { env } from '$env/dynamic/private';
-import assert from 'node:assert';
+import { drizzle } from 'drizzle-orm/libsql';
+import * as schema from './schema';
+import { DATABASE_URL } from '$env/static/private';

-assert(env.DATABASE_URL, 'DATABASE_URL is not set');
-const client = new Database(env.DATABASE_URL);
-export const db = drizzle(client);
+export const db= drizzle(DATABASE_URL, { schema });
--- a/src/lib/server/db/schema.ts
+++ b/src/lib/server/db/schema.ts
@ -1,19 +1,66 @@
 import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
+import { relations } from 'drizzle-orm';

-export const user = sqliteTable('user', {
+export const users = sqliteTable('users', {
 	id: text('id').primaryKey(),
 	username: text('username').notNull(),
 	name: text('name').notNull(),
 });

-export const session = sqliteTable('session', {
+export const usersRelations = relations(users, ({ many }) => ({
+	wgClients: many(wgClients),
+}));
+
+export const sessions = sqliteTable('sessions', {
 	id: text('id').primaryKey(),
 	userId: text('user_id')
 		.notNull()
-		.references(() => user.id),
-	expiresAt: integer('expires_at', { mode: 'timestamp' }).notNull()
+		.references(() => users.id),
+	expiresAt: integer('expires_at', { mode: 'timestamp' }).notNull(),
 });

-export type Session = typeof session.$inferSelect;
+export const ipAllocations = sqliteTable('ip_allocations', {
+	// for now, id will be the same as the ipIndex
+	id: integer('id').primaryKey({ autoIncrement: true }),
+	// clientId is nullable because allocations can remain after the client is deleted
+	// unique for now, only allowing one allocation per client
+	clientId: integer('client_id')
+		.unique()
+		.references(() => wgClients.id),
+});

-export type User = typeof user.$inferSelect;
+export const wgClients = sqliteTable('wg_clients', {
+	id: integer().primaryKey({ autoIncrement: true }),
+	userId: text('user_id')
+		.notNull()
+		.references(() => users.id),
+	name: text('name').notNull(),
+	// questioning whether this should be nullable
+	opnsenseId: text('opnsense_id'),
+	publicKey: text('public_key').notNull().unique(),
+	// nullable for the possibility of a client supplying their own private key
+	privateKey: text('private_key'),
+	// nullable for the possibility of no psk
+	preSharedKey: text('pre_shared_key'),
+	// discarded ideas:
+	// (mostly because they make finding the next available ipIndex difficult)
+	// ipIndex: integer('ip_index').notNull().unique(),
+	// allowedIps: text('allowed_ips').notNull(),
+});
+
+export const wgClientsRelations = relations(wgClients, ({ one }) => ({
+	user: one(users, {
+		fields: [wgClients.userId],
+		references: [users.id],
+	}),
+	ipAllocation: one(ipAllocations, {
+		fields: [wgClients.id],
+		references: [ipAllocations.clientId],
+	}),
+}));
+
+export type WgClient = typeof wgClients.$inferSelect;
+
+export type Session = typeof sessions.$inferSelect;
+
+export type User = typeof users.$inferSelect;
--- a/src/lib/server/db/seed.ts
+++ b/src/lib/server/db/seed.ts
@ -0,0 +1,33 @@
+import { ipAllocations, users, wgClients } from './schema';
+import { eq } from 'drizzle-orm';
+import assert from 'node:assert';
+import { drizzle } from 'drizzle-orm/libsql';
+import * as schema from '$lib/server/db/schema';
+
+assert(process.env.DATABASE_URL, 'DATABASE_URL is not set');
+const db = drizzle(process.env.DATABASE_URL, { schema });
+
+async function seed() {
+	const user = await db.query.users.findFirst({ where: eq(users.username, 'CaZzzer') });
+	assert(user, 'User not found');
+
+	const clients: typeof wgClients.$inferInsert[] = [
+		{
+			userId: user.id,
+			name: 'Client1',
+			publicKey: 'BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=',
+			privateKey: 'KKqsHDu30WCSrVsyzMkOKbE3saQ+wlx0sBwGs61UGXk=',
+			preSharedKey: '0LWopbrISXBNHUxr+WOhCSAg+0hD8j3TLmpyzHkBHCQ=',
+			// ipIndex: 1,
+			// allowedIps: '10.18.11.101/32,fd00::1/112',
+		},
+	];
+	const returned = await db.insert(wgClients).values(clients).returning({ insertedId: wgClients.id });
+
+	const ipAllocation: typeof ipAllocations.$inferInsert = {
+		clientId: returned[0].insertedId,
+	};
+	await db.insert(ipAllocations).values(ipAllocation);
+}
+
+seed();
--- a/src/lib/server/opnsense.ts
+++ b/src/lib/server/opnsense.ts
@ -1,16 +0,0 @@
-import { env } from '$env/dynamic/private';
-import assert from 'node:assert';
-import { encodeBasicCredentials } from 'arctic/dist/request';
-import { dev } from '$app/environment';
-
-assert(env.OPNSENSE_API_URL, 'OPNSENSE_API_URL is not set');
-assert(env.OPNSENSE_API_KEY, 'OPNSENSE_API_KEY is not set');
-assert(env.OPNSENSE_API_SECRET, 'OPNSENSE_API_SECRET is not set');
-assert(env.OPNSENSE_WG_IFNAME, 'OPNSENSE_WG_IFNAME is not set');
-
-export const opnsenseUrl = env.OPNSENSE_API_URL;
-export const opnsenseAuth = "Basic " + encodeBasicCredentials(env.OPNSENSE_API_KEY, env.OPNSENSE_API_SECRET);
-export const opnsenseIfname = env.OPNSENSE_WG_IFNAME;
-
-// unset secret for security
-if (!dev) env.OPNSENSE_API_SECRET = "";
--- a/src/lib/server/opnsense/index.ts
+++ b/src/lib/server/opnsense/index.ts
@ -0,0 +1,49 @@
+import { env } from '$env/dynamic/private';
+import assert from 'node:assert';
+import { encodeBasicCredentials } from 'arctic/dist/request';
+import { dev } from '$app/environment';
+import type { OpnsenseWgServers } from '$lib/opnsense/wg';
+
+assert(env.OPNSENSE_API_URL, 'OPNSENSE_API_URL is not set');
+assert(env.OPNSENSE_API_KEY, 'OPNSENSE_API_KEY is not set');
+assert(env.OPNSENSE_API_SECRET, 'OPNSENSE_API_SECRET is not set');
+assert(env.OPNSENSE_WG_IFNAME, 'OPNSENSE_WG_IFNAME is not set');
+
+export const opnsenseUrl = env.OPNSENSE_API_URL;
+export const opnsenseAuth =
+	'Basic ' + encodeBasicCredentials(env.OPNSENSE_API_KEY, env.OPNSENSE_API_SECRET);
+export const opnsenseIfname = env.OPNSENSE_WG_IFNAME;
+
+// unset secret for security
+if (!dev) env.OPNSENSE_API_SECRET = '';
+
+// this might be pretty bad if the server is down and in a bunch of other cases
+// TODO: write a retry loop later
+const resServers = await fetch(`${opnsenseUrl}/api/wireguard/client/list_servers`, {
+	method: 'GET',
+	headers: {
+		Authorization: opnsenseAuth,
+		Accept: 'application/json',
+	},
+});
+assert(resServers.ok, 'Failed to fetch OPNsense WireGuard servers');
+const servers = (await resServers.json()) as OpnsenseWgServers;
+assert.equal(servers.status, 'ok', 'Failed to fetch OPNsense WireGuard servers');
+export const serverUuid = servers.rows.find((server) => server.name === opnsenseIfname)?.uuid;
+assert(serverUuid, 'Failed to find server UUID for OPNsense WireGuard server');
+console.log('OPNsense WireGuard server UUID:', serverUuid);
+
+const resServerInfo = await fetch(
+	`${opnsenseUrl}/api/wireguard/client/get_server_info/${serverUuid}`,
+	{
+		method: 'GET',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+		},
+	},
+);
+assert(resServerInfo.ok, 'Failed to fetch OPNsense WireGuard server info');
+const serverInfo = await resServerInfo.json();
+assert.equal(serverInfo.status, 'ok', 'Failed to fetch OPNsense WireGuard server info');
+export const serverPublicKey = serverInfo['pubkey'];
--- a/src/lib/types/clients.ts
+++ b/src/lib/types/clients.ts
@ -0,0 +1,11 @@
+export type ClientDetails = {
+	id: number;
+	name: string;
+	publicKey: string;
+	privateKey: string | null;
+	preSharedKey: string | null;
+	ips: string[];
+	vpnPublicKey: string;
+	vpnEndpoint: string;
+	vpnDns: string;
+};
--- a/src/lib/types/index.ts
+++ b/src/lib/types/index.ts
@ -0,0 +1,27 @@
+class Ok<T> {
+	readonly _tag = 'ok';
+	value: T;
+
+	constructor(value: T) {
+		this.value = value;
+	}
+}
+
+class Err<E> {
+	readonly _tag = 'err';
+	error: E;
+
+	constructor(error: E) {
+		this.error = error;
+	}
+}
+
+export type Result<T, E> = Ok<T> | Err<E>;
+
+export function err<E>(e: E): Err<E> {
+	return new Err(e);
+}
+
+export function ok<T>(t: T): Ok<T> {
+	return new Ok(t);
+}
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@ -7,8 +7,8 @@
 	const { user } = data;

 	function getNavClass(path: string) {
-		return cn("hover:text-foreground/80 transition-colors",
-			$page.url.pathname === path ? "text-foreground" : "text-foreground/60");
+		return cn('hover:text-foreground/80 transition-colors',
+			$page.url.pathname.startsWith(path) ? 'text-foreground' : 'text-foreground/60');
 	}
 </script>

@ -19,10 +19,11 @@
 		{#if user}
 			<a href="/user" class={getNavClass("/user")}>Profile</a>
 			<a href="/connections" class={getNavClass("/connections")}>Connections</a>
+			<a href="/clients" class={getNavClass("/clients")}>Clients</a>
 		{/if}
 	</nav>
 </header>
-<main class="flex-grow p-4">
+<main class="flex flex-col flex-grow p-4">
 	{@render children()}
 </main>

--- a/src/routes/api/clients/+server.ts
+++ b/src/routes/api/clients/+server.ts
@ -0,0 +1,72 @@
+import { error } from '@sveltejs/kit';
+import { wgClients } from '$lib/server/db/schema';
+import { db } from '$lib/server/db';
+import { eq } from 'drizzle-orm';
+import type { RequestHandler } from './$types';
+import { createClient, getIpsFromIndex } from '$lib/server/clients';
+
+export const GET: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+
+	const clients = await findClients(event.locals.user.id);
+	return new Response(
+		JSON.stringify({
+			clients,
+		}),
+	);
+};
+
+async function findClients(userId: string) {
+	const clientsData = await db.query.wgClients.findMany({
+		columns: {
+			id: true,
+			name: true,
+			publicKey: true,
+			privateKey: true,
+			preSharedKey: true,
+		},
+		with: {
+			ipAllocation: true,
+		},
+		where: eq(wgClients.userId, userId),
+	});
+	// replace ip index with actual addresses
+	return clientsData.map((client) => {
+		const ips = getIpsFromIndex(client.ipAllocation.id);
+		return {
+			id: client.id,
+			name: client.name,
+			publicKey: client.publicKey,
+			privateKey: client.privateKey,
+			preSharedKey: client.preSharedKey,
+			ips,
+		};
+	});
+}
+
+export type Clients = Awaited<ReturnType<typeof findClients>>;
+
+export const POST: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+	const { name } = await event.request.json();
+	const res = await createClient({
+		name,
+		user: event.locals.user,
+	});
+
+	switch (res._tag) {
+		case 'ok': {
+			return new Response(null, {
+				status: 201,
+			});
+		}
+		case 'err': {
+			const [status, message] = res.error;
+			return error(status, message);
+		}
+	}
+};
--- a/src/routes/api/clients/[id]/+server.ts
+++ b/src/routes/api/clients/[id]/+server.ts
@ -0,0 +1,20 @@
+import { error } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { findClient, mapClientToDetails } from '$lib/server/clients';
+
+export const GET: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+
+	const { id } = event.params;
+	const clientId = parseInt(id);
+	if (isNaN(clientId)) {
+		return error(400, 'Invalid client ID');
+	}
+	const client = await findClient(event.locals.user.id, clientId);
+	if (!client) {
+		return error(404, 'Client not found');
+	}
+	return new Response(JSON.stringify(mapClientToDetails(client)));
+};
--- a/src/routes/api/connections/+server.ts
+++ b/src/routes/api/connections/+server.ts
@ -1,9 +1,12 @@
 import { error } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
-import { opnsenseAuth, opnsenseIfname, opnsenseUrl } from '$lib/server/opnsense';
+import { opnsenseAuth, opnsenseUrl } from '$lib/server/opnsense';
 import type { OpnsenseWgPeers } from '$lib/opnsense/wg';

-export const GET: RequestHandler = async () => {
+export const GET: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
 	const apiUrl = `${opnsenseUrl}/api/wireguard/service/show`;
 	const options: RequestInit = {
 		method: 'POST',
@ -13,21 +16,23 @@ export const GET: RequestHandler = async () => {
 			'Content-Type': 'application/json',
 		},
 		body: JSON.stringify({
-			"current": 1,
+			'current': 1,
 			// "rowCount": 7,
-			"sort": {},
-			"searchPhrase": "",
-			"type": ["peer"],
+			'sort': {},
+			// TODO: use a more unique search phrase
+			// unfortunately 64 character limit,
+			// but it should be fine if users can't change their own username
+			'searchPhrase': `vpgen-${event.locals.user.username}`,
+			'type': ['peer'],
 		}),
 	};
-	console.log("Fetching peers from OPNsense WireGuard API: ", apiUrl, options)

 	const res = await fetch(apiUrl, options);
 	const peers = await res.json() as OpnsenseWgPeers;
-	peers.rows = peers.rows.filter(peer => peer['latest-handshake'] && peer.ifname === opnsenseIfname)
+	peers.rows = peers.rows.filter(peer => peer['latest-handshake'])

 	if (!peers) {
-		error(500, "Error getting info from OPNsense API");
+		return error(500, 'Error getting info from OPNsense API');
 	}
 	return new Response(JSON.stringify(peers), {
 		headers: {
--- a/src/routes/auth/authentik/callback/+server.ts
+++ b/src/routes/auth/authentik/callback/+server.ts
@ -39,7 +39,7 @@ export async function GET(event: RequestEvent): Promise<Response> {
 	const userId: string = claims.sub;
 	const username: string = claims.preferred_username;

-	const [existingUser] = await db.select().from(table.user).where(eq(table.user.id, userId));
+	const existingUser = await db.query.users.findFirst({where: eq(table.users.id, userId)});

 	if (existingUser) {
 		const session = await createSession(existingUser.id);
@ -59,7 +59,7 @@ export async function GET(event: RequestEvent): Promise<Response> {
 	};

 	try {
-		await db.insert(table.user).values(user);
+		await db.insert(table.users).values(user);
 		const session = await createSession(user.id);
 		setSessionTokenCookie(event, session.id, session.expiresAt);
 	} catch (e) {
--- a/src/routes/clients/+page.server.ts
+++ b/src/routes/clients/+page.server.ts
@ -0,0 +1,26 @@
+import type { Actions } from './$types';
+import { createClient } from '$lib/server/clients';
+import { error } from '@sveltejs/kit';
+
+export const actions = {
+	create: async (event) => {
+		if (!event.locals.user) return error(401, 'Unauthorized');
+		const name = 'New Client Name';
+		const res = await createClient({
+			name,
+			user: event.locals.user,
+		});
+
+		switch (res._tag) {
+			case 'ok': {
+				return {
+					status: 201,
+				};
+			}
+			case 'err': {
+				const [status, message] = res.error;
+				return error(status, message);
+			}
+		}
+	},
+} satisfies Actions;
--- a/src/routes/clients/+page.svelte
+++ b/src/routes/clients/+page.svelte
@ -0,0 +1,50 @@
+<script lang="ts">
+	import * as Table from '$lib/components/ui/table';
+	import { Badge } from '$lib/components/ui/badge';
+	import { Button } from '$lib/components/ui/button';
+	import type { PageData } from './$types';
+	import { LucidePlus } from 'lucide-svelte';
+
+	const { data }: { data: PageData } = $props();
+</script>
+
+<svelte:head>
+	<title>Clients</title>
+</svelte:head>
+
+<Table.Root class="bg-accent rounded-xl">
+	<Table.Header>
+		<Table.Head>Name</Table.Head>
+		<Table.Head>Public Key</Table.Head>
+		<Table.Head>Private Key</Table.Head>
+		<Table.Head>Pre-Shared Key</Table.Head>
+		<Table.Head>IP Allocation</Table.Head>
+	</Table.Header>
+	<Table.Body>
+		{#each data.clients as client}
+			<Table.Row class="border-y-2 border-background hover:bg-muted-foreground">
+				<a href={`/clients/${client.id}`} class="contents">
+					<Table.Cell>
+						{client.name}
+					</Table.Cell>
+				</a>
+				<Table.Cell class="truncate max-w-[10ch]">{client.publicKey}</Table.Cell>
+				<Table.Cell class="truncate max-w-[10ch]">{client.privateKey}</Table.Cell>
+				<Table.Cell class="truncate max-w-[10ch]">{client.preSharedKey}</Table.Cell>
+				<Table.Cell class="flex gap-1">
+					{#each client.ips as ip}
+						<Badge class="bg-background select-auto" variant="secondary">{ip}</Badge>
+					{/each}
+				</Table.Cell>
+			</Table.Row>
+		{/each}
+	</Table.Body>
+</Table.Root>
+
+<!--Floating action button for adding a new client-->
+<form class="self-end mt-auto pt-4" method="post" action="?/create">
+	<Button type="submit">
+		<LucidePlus />
+		Add Client
+	</Button>
+</form>
--- a/src/routes/clients/+page.ts
+++ b/src/routes/clients/+page.ts
@ -0,0 +1,9 @@
+import type { PageLoad } from './$types';
+import type { Clients } from '../api/clients/+server';
+
+export const load: PageLoad = async ({ fetch }) => {
+	const res = await fetch('/api/clients');
+	const { clients } = await res.json() as { clients: Clients };
+
+	return { clients };
+};
--- a/src/routes/clients/[id]/+page.svelte
+++ b/src/routes/clients/[id]/+page.svelte
@ -0,0 +1,41 @@
+<script lang="ts">
+	import type { PageData } from './$types';
+	import { LucideClipboardCopy } from 'lucide-svelte';
+
+	const { data }: { data: PageData } = $props();
+
+	let tooltipText = $state('Copy to clipboard');
+
+	function copyToClipboard() {
+		navigator.clipboard.writeText(data.config).then(() => {
+			tooltipText = 'Copied';
+		});
+	}
+
+	function onMouseLeave() {
+		tooltipText = 'Copy to Clipboard';
+	}
+</script>
+
+<svelte:head>
+	<title></title>
+</svelte:head>
+
+<h1>Client: {data.client.name}</h1>
+
+<div class="flex relative bg-accent p-2 rounded-xl overflow-x-scroll">
+	<pre><code>{data.config}</code></pre>
+
+	<!--Copy button for the configuration-->
+	<div class="absolute flex right-2 items-center group">
+		<span class="hidden group-hover:block bg-background text-xs rounded py-1 px-2">
+			{tooltipText}
+		</span>
+		<button class="flex items-center justify-center w-10 h-10 bg-background rounded-xl ml-2"
+						onclick={copyToClipboard}
+						onmouseleave="{onMouseLeave}"
+		>
+			<LucideClipboardCopy />
+		</button>
+	</div>
+</div>
--- a/src/routes/clients/[id]/+page.ts
+++ b/src/routes/clients/[id]/+page.ts
@ -0,0 +1,11 @@
+import type { PageLoad } from './$types';
+import type { ClientDetails } from '$lib/types/clients';
+import { clientDetailsToConfig } from '$lib/clients';
+
+export const load: PageLoad = async ({ fetch, params }) => {
+	const res = await fetch(`/api/clients/${params.id}`);
+	const client = (await res.json()) as ClientDetails;
+	const config = clientDetailsToConfig(client);
+
+	return { client, config };
+};
--- a/src/routes/connections/+page.svelte
+++ b/src/routes/connections/+page.svelte
@ -54,7 +54,7 @@
 				<Table.Cell>
 					<div class="flex flex-wrap gap-1">
 						{#each peer['allowed-ips'].split(',') as addr}
-							<Badge class="bg-background" variant="secondary">{addr}</Badge>
+							<Badge class="bg-background select-auto" variant="secondary">{addr}</Badge>
 						{/each}
 					</div>
 				</Table.Cell>
--- a/src/routes/user/+page.svelte
+++ b/src/routes/user/+page.svelte
@ -7,9 +7,9 @@
 	let isLoadingSignOut = $state(false);

 	function refetch() {
-		console.log("refetching");
+		console.log('refetching');
 		invalidate((url) => {
-			console.log("invalidation url", url);
+			console.log('invalidation url', url);
 			return true;
 		});
 		invalidateAll();
@ -20,21 +20,21 @@
 	<title>User Profile</title>
 </svelte:head>

-<p>
-	{JSON.stringify(data.user)}
-</p>
+<pre>{JSON.stringify(data.user, null, 2)}</pre>

-<Button onclick={refetch}>
+<div class="flex gap-2">
+	<Button onclick={refetch}>
 		<LucideRefreshCw class="mr-2 h-4 w-4" />
-	Invalidate Data
-</Button>
-<form class="inline-flex" method="post" action="/auth?/logout">
-	<Button type="submit" onclick={() => {isLoadingSignOut = true}}>
-		{#if isLoadingSignOut}
-			<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
-		{:else}
-			<LucideLogOut class="mr-2 h-4 w-4" />
-		{/if}
-		Sign Out
+		Invalidate Data
 	</Button>
-</form>
+	<form class="inline-flex" method="post" action="/auth?/logout">
+		<Button type="submit" onclick={() => {isLoadingSignOut = true}}>
+			{#if isLoadingSignOut}
+				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
+			{:else}
+				<LucideLogOut class="mr-2 h-4 w-4" />
+			{/if}
+			Sign Out
+		</Button>
+	</form>
+</div>
Author	SHA1	Message	Date
Yuri Tatishchev	32927dfd55	add client info page	2024-12-23 03:16:56 -08:00
Yuri Tatishchev	d5b5f037ac	clients page improvements: convert ip allocation index to addresses	2024-12-23 00:33:08 -08:00
Yuri Tatishchev	2b56cba770	initial implementation of adding clients	2024-12-23 00:05:00 -08:00
Yuri Tatishchev	5e3772d39b	minor improvements	2024-12-22 19:45:46 -08:00
Yuri Tatishchev	3909281bc7	opnsense: add initial api to create new clients	2024-12-22 19:45:03 -08:00
Yuri Tatishchev	5015246a24	new clients page	2024-12-22 02:39:15 -08:00
Yuri Tatishchev	bdea663178	opnsense: filter queried connections	2024-12-22 01:28:46 -08:00