Add generation of WireGuard client configurations

Add generation and storing of per-user sets of WireGuard configs. User
can generate needed number of configurations for every device.

To generate keys, 'wg' binary should be installed and accessible by PATH
at the webserver.

Task: #589

Author: jekhor

Gemfile

@@ -39,6 +39,7 @@ gem 'haml-rails'
 gem 'rest-client'
 gem 'whenever', require: false
 gem 'rack-proxy'
+gem 'ipaddress'
 
 #gem 'copycopter_client', '~> 2.0.1'
 # Use Capistrano for deployment

Gemfile.lock

@@ -166,6 +166,7 @@ GEM
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
+    ipaddress (0.8.3)
     jbuilder (2.11.5)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
@@ -422,6 +423,7 @@ DEPENDENCIES
   groupdate
   haml
   haml-rails
+  ipaddress
   jbuilder
   jquery-rails
   kaminari

app/controllers/hackers_controller.rb

@@ -87,6 +87,7 @@ def remove_nfc
 
   def edit
     @new_public_ssh_key = PublicSshKey.new(user: @user)
+    @new_wg_config = WgConfig.new(user: @user)
     redirect_to root_path, alert: 'Ошибка' unless @user == current_user or current_user.admin?
   end
 

app/controllers/wg_configs_controller.rb

@@ -0,0 +1,61 @@
+class WgConfigsController < ApplicationController
+  load_and_authorize_resource
+
+  before_action :set_user, only: [:create, :destroy, :export]
+  before_action :authenticate_token!, only: [:export_peers]
+
+  def create
+    @wgconfig = WgConfig.new(wg_config_params)
+
+    if @wgconfig.save
+      redirect_to edit_user_path(@user, anchor: 'wg-configs'), notice: "Конфигурация WireGuard создана успешно"
+    else
+      redirect_to edit_user_path(@user),
+        alert: "Ошибка создания конфигурации WireGuard: #{@wgconfig.errors.full_messages.join("\n")}"
+    end
+  end
+
+  def destroy
+    wg = @user.wg_configs.find_by(id: params[:id])
+    wg&.destroy
+    redirect_to edit_user_path(@user, anchor: 'wg-configs')
+  end
+
+  def export
+    wg = @user.wg_configs.find_by(id: params[:id])
+
+    if wg
+      send_data wg.to_s, filename: "wg-hackerspace-#{wg.name}.conf", type: "text/plain"
+    else
+      redirect_to user_path(@user), alert: "Конфигурация WireGuard не найдена"
+    end
+  end
+
+  def export_peers
+    wgs = WgConfig.order(:user_id).select { |wg| wg.user.active? }
+
+    peers_config = wgs.map { |wg| wg.as_peer }.join("\n\n")
+
+    render plain: peers_config
+  end
+
+  private
+
+  def authenticate_token!
+    token = request.headers['Authorization']&.split&.last
+    if not ActiveSupport::SecurityUtils.secure_compare(token || '', Rails.application.secrets.wireguard_token) then
+      render plain: "Authorization required\n", status: :unauthorized
+    end
+  end
+
+  def wg_config_params
+    params.require(:wg_config).permit(
+      :name,
+      :user_id
+    )
+  end
+
+  def set_user
+    @user = User.find(params[:user_id])
+  end
+end

app/models/ability.rb

@@ -52,6 +52,8 @@ def initialize(user)
 
     can [:ssh_keys, :detected_at_hackerspace, :find_by_mac, :useful], User
 
+    can [:export_peers], WgConfig
+
     if user.present?
       can :chart, :main
       can :image, :uploader
@@ -60,6 +62,7 @@ def initialize(user)
       can :manage, Mac, user_id: user.id
       can :manage, NfcKey, user_id: user.id
       can :manage, PublicSshKey, user_id: user.id
+      can :manage, WgConfig, user_id: user.id
 
       can :read, Device
       can :add, Event

app/models/user.rb

@@ -118,6 +118,7 @@ class User < ApplicationRecord
   has_many :payments
   has_many :nfc_keys
   has_many :public_ssh_keys
+  has_many :wg_configs
   belongs_to :tariff
   belongs_to :guarantor1, class_name: 'User', optional: true
   belongs_to :guarantor2, class_name: 'User', optional: true

app/models/wg_config.rb

@@ -0,0 +1,81 @@
+require 'ipaddress'
+require 'open3'
+
+class WgConfig < ApplicationRecord
+
+  belongs_to :user
+
+  validates :name, presence: true
+  validates :privatekey, presence: true
+  validates :publickey, presence: true
+  validates :name, uniqueness: { scope: :user_id }
+
+  after_initialize :init_keys
+
+  def generate_keys!
+    self.privatekey = gen_privatekey
+    self.publickey = gen_publickey(self.privatekey)
+  end
+
+  def addresses(as_networks=true)
+    raise "Model is not saved" if self.id.nil?
+
+    first = IPAddress Setting['wgFirstClientAddress']
+    last = IPAddress Setting['wgLastClientAddress']
+
+    ip = IPAddress(first.to_i + self.id)
+
+    raise "Failed to assign IP: out of range" if ip > last
+
+    ip.netmask = Setting['wgNetmask'] if as_networks
+
+    ip.to_string
+  end
+
+  def to_s
+    lines = []
+    lines << "# WireGuard config #{name}"
+    lines << '[Interface]'
+    lines << "PrivateKey = #{privatekey}"
+    lines << "Address = #{self.addresses}"
+    lines << ''
+    lines << '[Peer]'
+    lines << "PublicKey = #{Setting['wgServerPublicKey']}"
+    lines << "Endpoint = #{Setting['wgServerEndpoint']}"
+    lines << "AllowedIPs = #{Setting['wgAllowedIPs']}"
+
+    lines.join("\n")
+  end
+
+  def as_peer
+    s = []
+    s << "# User #{self.user_id}, config '#{self.name}'"
+    s << "[Peer]"
+    s << "PublicKey = #{publickey}"
+    s << "AllowedIPs = #{addresses(false)}"
+
+    s.join("\n")
+  end
+
+  private
+
+  def init_keys
+    generate_keys! if self.privatekey.blank?
+  end
+
+  def gen_privatekey
+    key, status = Open3.capture2("wg genkey")
+    key.strip
+  end
+
+  def gen_publickey(private_key)
+    stdout_str = ''
+    Open3.popen2("wg pubkey") do |stdin, stdout, _wait_thr|
+      stdin.print(private_key)
+      stdin.close
+      stdout_str = stdout.gets
+    end
+
+    stdout_str.strip
+  end
+end

app/views/hackers/_form.html.haml

@@ -139,3 +139,26 @@
       .form-group
         = submit_tag('Добавить публичный SSH ключ', class: 'btn btn-primary')
 
+-# WireGuard
+%hr
+.row#wg-configs
+  .col-lg-6
+    - unless @user.wg_configs.empty?
+      %h3 Конфигурации WireGuard
+      - @user.wg_configs.each do |wg|
+        .row.small
+          .col-lg-4
+            %p
+              = wg.name
+          .col-lg-1
+            %p
+              = link_to 'Удалить', user_wg_config_path(@user, wg), method: :delete, data: { confirm: 'Вы уверены?' }
+
+.row
+  .col-lg-6
+    = form_for [@user, @new_wg_config] do |f|
+      = f.hidden_field :user_id
+      .form-group
+        = f.text_field :name, class: 'form-control'
+      .form-group
+        = submit_tag('Создать конфигурацию WireGuard', class: 'btn btn-primary')

app/views/hackers/show.html.haml

@@ -74,3 +74,14 @@
       %h4= t('users.public_ssh_keys') + ':'
       - @user.public_ssh_keys.each do |public_ssh_key|
         .ssh-public-key= public_ssh_key.body
+
+-if @user.wg_configs.any?
+  .row.additional_info
+    .col-md-8
+      %h4= t('users.wg_configs') + ':'
+      - @user.wg_configs.each do |wg|
+        .wg_config.row
+          .col-lg-3
+            = wg.name
+          .col-lg-2
+            = link_to 'Скачать', user_wg_export_path(@user, wg), method: :post

config/locales/ru.yml

@@ -308,6 +308,7 @@ ru:
     telegram_username: Telegram
     github_username: Github
     public_ssh_keys: Public SSH keys
+    wg_configs: Конфигурации WireGuard
     last_payment_ended_at: Оплачено по
     last_seen_in_hackerspace: Видели в ХС
     learner: Курсант