User Attachment Points (#306)

Allow SCIONLab users to operate attachment points and by that serve as provider for other user ASes.
To run an attachment point, a static, public IP is required. User attachment points may also offer an OpenVPN server.

User attachment points operate in the same way as the existing APs, which have previously been modified to fetch their configuration in a polling based model, instead of previously pushing via SSH, to make this possible.
The health of attachment points is determined by checking whether they are actively polling for configuration updates. APs that fail to do so will no longer be listed. Note that this does not make any guarantees about the health of the APs SCION connectivity.

Author: fl99kl

.circleci/config.yml

@@ -16,6 +16,7 @@
 #
 # Check https://circleci.com/docs/2.0/language-python/ for more details
 #
+
 version: 2.1
 
 commands:
@@ -150,6 +151,7 @@ jobs:
 
       - run: .circleci/setup/check-scion-connectivity.sh
 
+
       - run:
           name: Test TRC update and pull changes
           command: |

scionlab/defines.py

@@ -49,6 +49,8 @@
 BW_PORT = 40001
 PP_PORT = 40002
 
+OPENVPN_SERVER_PORT = 1194
+
 DEFAULT_HOST_INTERNAL_IP = "127.0.0.1"
 DEFAULT_LINK_MTU = 1500 - 20 - 8
 DEFAULT_LINK_BANDWIDTH = 1000

scionlab/forms/attachment_conf_form.py

@@ -18,6 +18,7 @@
 from django.conf import settings
 from django.forms import BaseModelFormSet
 from django.core.exceptions import ValidationError
+from django.db.models import Case, Value, When, BooleanField
 
 from crispy_forms.helper import FormHelper
 from crispy_forms.layout import Layout, Row, Column, Div, HTML
@@ -55,6 +56,11 @@ def _check_isd(self, forms):
             if len(isd_set) > 1:
                 raise ValidationError("All attachment points must belong to the same ISD")
 
+        if instance and instance.is_attachment_point():
+            for form in forms:
+                if form.cleaned_data['attachment_point'] == instance.attachment_point_info:
+                    raise ValidationError("A link to your own AP is not allowed.")
+
         if not instance:
             if len(isd_set) == 1:
                 self.isd = isd_set.pop()
@@ -224,6 +230,23 @@ def __init__(self, instance, userAS, *args, **kwargs):
         self.disable_csrf = True
 
 
+class ProviderLinkWidget(forms.Select):
+    """
+    Subclass of Django's select widget that will disable options which refer to inactive APs.
+    """
+
+    def __init__(self, attrs=None, choices=(), disabled_choices=()):
+        super(ProviderLinkWidget, self).__init__(attrs, choices=choices)
+        self.disabled_choices = disabled_choices
+
+    def create_option(self, name, value, label, selected, index, subindex=None, attrs=None):
+        option_dict = super()\
+            .create_option(name, value, label, selected, index, subindex=subindex, attrs=attrs)
+        if value in self.disabled_choices:
+            option_dict['attrs']['disabled'] = 'disabled'
+        return option_dict
+
+
 class AttachmentConfForm(forms.ModelForm):
     """
     Form for creating and updating a Link involving a UserAS
@@ -257,7 +280,12 @@ class AttachmentConfForm(forms.ModelForm):
         label="Active",
         help_text="Activate or deactivate this connection without deleting it"
     )
-    attachment_point = forms.ModelChoiceField(queryset=AttachmentPoint.objects)
+    attachment_point = forms.ModelChoiceField(
+        queryset=None,
+        widget=ProviderLinkWidget(disabled_choices=[]),
+        help_text="""Links to User Attachment Points can disappear when
+                     the corresponding Attachment Point is deleted."""
+    )
 
     class Meta:
         model = Link
@@ -299,6 +327,21 @@ def __init__(self, *args, **kwargs):
 
         self.helper = AttachmentConfFormHelper(instance, userAS)
         super().__init__(*args, initial=initial, **kwargs)
+        self.fields['attachment_point'].queryset = AttachmentPoint.objects.all().annotate(
+            is_user_ap=Case(
+                When(
+                    AS__owner=None,
+                    then=Value(False)
+                ),
+                default=True,
+                output_field=BooleanField()
+            )
+        ).order_by('is_user_ap', '-AS__hosts__config_queried_at')
+        disabled_choices = []
+        for index, option in enumerate(self.fields['attachment_point'].queryset):
+            if option.AS.owner is not None and not option.is_active():
+                disabled_choices.append(index + 1)
+        self.fields['attachment_point'].widget.disabled_choices = disabled_choices
 
     @staticmethod
     def _get_formset_index(prefix):

scionlab/forms/user_as_form.py

@@ -13,9 +13,10 @@
 # limitations under the License.
 from crispy_forms.bootstrap import AppendedText
 from crispy_forms.helper import FormHelper
-from crispy_forms.layout import Layout, Field
+from crispy_forms.layout import Layout, Field, Column, Row, Div
 from django import forms
 from django.forms import modelformset_factory
+from django.core.exceptions import ValidationError
 
 from scionlab.forms.attachment_conf_form import AttachmentConfForm, AttachmentConfFormSet
 from scionlab.models.core import Link
@@ -36,6 +37,22 @@ def _crispy_helper(instance):
             'installation_type',
             template='scionlab/partials/installation_type_accordion.html',
         ),
+        Div(
+            Div(
+                Row(
+                    'become_user_ap',
+                ),
+                css_class="card-header",
+            ),
+            Div(
+                Row(
+                    Column('public_ip', css_class='col-md-5'),
+                    Column('provide_vpn', css_class='col-md-5'),
+                ),
+                css_class="card-body", css_id="user-ap-card-body",
+            ),
+            css_class="card",
+        ),
     )
 
     # We need this to render the UserASForm along with the AttachmentConfForm
@@ -73,6 +90,25 @@ class UserASForm(forms.Form):
         required=True,
         widget=forms.RadioSelect(),
     )
+    become_user_ap = forms.BooleanField(
+        required=False,
+        label="Make this AS a publicly available Attachment Point",
+        help_text="""If this option is enabled, this AS will show up in the list of available
+        Attachment Points. All users will be able to create provider links to this AS.<br/> Your
+        host will have to run the scionlab-config daemon, in order to refresh its configuration
+        whenever other users create or modify links to your AS. Please refer to
+        <a href='https://docs.scionlab.org' target='_blank'>Tutorials</a> for more details."""
+    )
+    public_ip = forms.GenericIPAddressField(
+        required=False,
+        label="Public IP",
+        help_text="Public IP Address to be used for connections to child ASes"
+    )
+    provide_vpn = forms.BooleanField(
+        required=False,
+        label="Provide VPN",
+        help_text="Allow Users to connect to your AP via VPN"
+    )
 
     def _get_attachment_conf_form_set(self, data, instance: UserAS):
         """
@@ -99,20 +135,37 @@ def __init__(self, data=None, *args, **kwargs):
         self.instance = kwargs.pop('instance', None)
         self.attachment_conf_form_set = self._get_attachment_conf_form_set(data, self.instance)
         initial = kwargs.pop('initial', {})
+        has_vpn = False
         if self.instance:
+            host = self.instance.host
+            is_ap = self.instance.is_attachment_point()
+            has_vpn = is_ap and self.instance.attachment_point_info.vpn is not None
             initial.update({
                 'label': self.instance.label,
                 'installation_type': self.instance.installation_type,
+                'public_ip': host.public_ip,
+                'become_user_ap': is_ap,
+                'provide_vpn': has_vpn
             })
         self.helper = _crispy_helper(self.instance)
         super().__init__(data, *args, initial=initial, **kwargs)
+        if has_vpn:
+            self.fields['provide_vpn'].widget.attrs['disabled'] = 'disabled'
 
     def clean(self):
         cleaned_data = super().clean()
         if self.instance is None:
             self.user.check_as_quota()
 
         self.attachment_conf_form_set.full_clean()
+
+        if cleaned_data['become_user_ap']:
+            if not cleaned_data.get('public_ip'):
+                self.add_error(
+                    'public_ip',
+                    ValidationError('Please enter a public IP address to become User AP')
+                )
+
         return cleaned_data
 
     def has_changed(self):
@@ -139,13 +192,19 @@ def save(self, commit=True):
                 isd=self.attachment_conf_form_set.isd,
                 installation_type=self.cleaned_data['installation_type'],
                 label=self.cleaned_data['label'],
+                public_ip=self.cleaned_data['public_ip'],
+                wants_user_ap=self.cleaned_data['become_user_ap'],
+                wants_vpn=self.cleaned_data['provide_vpn'],
             )
             self.attachment_conf_form_set.save(user_as)
             return user_as
         else:
             self.instance.update(
                 installation_type=self.cleaned_data['installation_type'],
-                label=self.cleaned_data['label']
+                label=self.cleaned_data['label'],
+                public_ip=self.cleaned_data['public_ip'],
+                wants_user_ap=self.cleaned_data['become_user_ap'],
+                wants_vpn=self.cleaned_data['provide_vpn'],
             )
             self.attachment_conf_form_set.save(self.instance)
             return self.instance

scionlab/models/core.py

@@ -371,6 +371,9 @@ def _make_master_as_key():
         """
         return _base64encode(os.urandom(16))
 
+    def is_attachment_point(self):
+        return hasattr(self, 'attachment_point_info')
+
 
 class HostManager(models.Manager):
     use_in_migrations = True

scionlab/models/user_as.py

@@ -18,9 +18,11 @@
 """
 
 import ipaddress
+import datetime
 from typing import List, Set
 
 from django import urls
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import models
 from django.utils.html import format_html
@@ -33,7 +35,7 @@
     BorderRouter,
     Host
 )
-from scionlab.models.vpn import VPNClient
+from scionlab.models.vpn import VPN, VPNClient
 from scionlab.defines import (
     USER_AS_ID_BEGIN,
     USER_AS_ID_END,
@@ -49,13 +51,19 @@ def create(self,
                owner: User,
                installation_type: str,
                isd: int,
+               public_ip: str = "",
+               wants_user_ap: bool = False,
+               wants_vpn: bool = False,
                as_id: str = None,
                label: str = None) -> 'UserAS':
         """Create a UserAS
 
         :param User owner: owner of this UserAS
         :param str installation_type:
         :param int isd:
+        :param str public_ip: optional public IP address for the host of the AS
+        :param bool wants_user_ap: optional boolean if the User AS should be AP
+        :param str wants_vpn: optional boolean if the User AP should provide a VPN
         :param str as_id: optional as_id, if None is given, the next free ID is chosen
         :param str label: optional label
 
@@ -82,7 +90,14 @@ def create(self,
 
         user_as.generate_keys()
         user_as.generate_certs()
-        user_as.init_default_services()
+        user_as.init_default_services(public_ip=public_ip)
+
+        if wants_user_ap:
+            host = user_as.hosts.first()
+            vpn = None
+            if wants_vpn:
+                vpn = VPN.objects.create(server=host)
+            AttachmentPoint.objects.create(AS=user_as, vpn=vpn)
 
         return user_as
 
@@ -133,7 +148,8 @@ class Meta:
     def get_absolute_url(self):
         return urls.reverse('user_as_detail', kwargs={'pk': self.pk})
 
-    def update(self, label: str, installation_type: str):
+    def update(self, label: str, installation_type: str, public_ip: str = "",
+               wants_user_ap: bool = False, wants_vpn: bool = False):
         """
         Updates the `UserAS` fields and immediately saves
         """
@@ -144,6 +160,29 @@ def update(self, label: str, installation_type: str):
             elif self.installation_type == UserAS.VM:
                 self._unset_bind_ips_for_vagrant()
             self.installation_type = installation_type
+        host = self.host
+        host.update(public_ip=public_ip)
+        if self.is_attachment_point():
+            # the case has_vpn and not wants_vpn will be ignored here because it's not allowed
+            ap = self.attachment_point_info
+            # does the User already offer a VPN connection?
+            has_vpn = ap.vpn is not None
+            if not wants_user_ap:
+                # User unchecks the 'become ap' box meaning he will not be AP anymore
+                if has_vpn:
+                    ap.vpn.delete()
+                ap.delete()
+                Link.objects.filter(interfaceA__AS=self).delete()
+            elif not has_vpn and wants_vpn:
+                # User wants to provide a VPN for his already existing AP
+                ap.vpn = VPN.objects.create(server=host)
+                ap.save()
+        elif wants_user_ap:
+            # a new User AP will be created
+            ap = AttachmentPoint.objects.create(AS=self)
+            if wants_vpn:
+                ap.vpn = VPN.objects.create(server=host)
+                ap.save()
         self.save()
 
     def update_attachments(self,
@@ -425,8 +464,20 @@ class AttachmentPoint(models.Model):
     )
 
     def __str__(self):
+        """
+        this representation with User prefix is expected and parsed by the frontend logic
+        :return: string representation of an AP (with UserAP prefix if it has no owner)
+        """
+        if self.AS.owner is not None:
+            return 'UserAP: %s' % (str(self.AS))
         return str(self.AS)
 
+    def is_active(self) -> bool:
+        threshold = datetime.datetime.utcnow() - settings.USERAP_FILTER_THRESHOLD
+        if self.AS.hosts.first().config_queried_at is None:
+            return False
+        return self.AS.hosts.first().config_queried_at > threshold
+
     def get_border_router_for_useras_interface(self) -> BorderRouter:
         """
         Selects the preferred border router on which the Interfaces to UserASes should be configured

scionlab/models/vpn.py

@@ -29,10 +29,24 @@
     get_cert_common_name,
 )
 from scionlab.util.django import value_set
+from scionlab.defines import OPENVPN_SERVER_PORT
+
+
+def find_free_subnet(supernet, prefixlen, existing):
+    subnets = supernet.subnets(prefixlen_diff=prefixlen - supernet.prefixlen)
+    next(subnets)
+    for sub in subnets:
+        if not any(sub.overlaps(ipaddress.ip_network(other)) for other in existing):
+            return sub
+    return None
 
 
 class VPNManager(models.Manager):
-    def create(self, server, server_port, subnet, server_vpn_ip):
+    def create(self, server, server_port=OPENVPN_SERVER_PORT, server_vpn_ip=None, subnet=None):
+        subnet = subnet or str(self._find_vpn_subnet())
+        if server_vpn_ip is None:
+            server_vpn_ip = str(next(ipaddress.ip_network(subnet).hosts()))
+
         vpn = VPN(
             server=server,
             server_port=server_port,
@@ -44,6 +58,13 @@ def create(self, server, server_port, subnet, server_vpn_ip):
         server.bump_config()
         return vpn
 
+    def _find_vpn_subnet(self):
+        """
+        Find the next free IP subnet in form 10.10.x.0/24
+        """
+        existing_vpns = value_set(VPN.objects.all(), 'subnet')
+        return find_free_subnet(ipaddress.ip_network('10.10.0.0/16'), 24, existing_vpns)
+
 
 class VPN(models.Model):
     server = models.ForeignKey(