1 # Create your views here.
5 from django import forms
6 from django.views.decorators.csrf import csrf_exempt
7 from django.core import urlresolvers
8 from django.core import serializers
9 from django.contrib.auth.decorators import login_required
10 from django.contrib.auth import logout
11 from django.contrib.sites.models import Site
12 from django.contrib.auth.models import User
13 from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse
14 from django.shortcuts import get_object_or_404, render_to_response
15 from django.core.context_processors import request
16 from django.template.context import RequestContext
17 from django.template.loader import get_template, render_to_string
18 from django.utils.translation import ugettext as _
19 from django.core.urlresolvers import reverse
20 from django.contrib import messages
21 from flowspy.accounts.models import *
24 from django.contrib.auth import authenticate, login
26 from django.forms.models import model_to_dict
28 from flowspy.flowspec.forms import *
29 from flowspy.flowspec.models import *
30 from flowspy.peers.models import *
32 from registration.models import RegistrationProfile
34 from copy import deepcopy
35 from flowspy.utils.decorators import shib_required
37 from django.views.decorators.cache import never_cache
38 from django.conf import settings
39 from django.core.mail.message import EmailMessage
43 LOG_FILENAME = os.path.join(settings.LOG_FILE_LOCATION, 'celery_jobs.log')
44 #FORMAT = '%(asctime)s %(levelname)s: %(message)s'
45 #logging.basicConfig(format=FORMAT)
46 formatter = logging.Formatter('%(asctime)s %(levelname)s %(clientip)s %(user)s: %(message)s')
48 logger = logging.getLogger(__name__)
49 logger.setLevel(logging.DEBUG)
50 handler = logging.FileHandler(LOG_FILENAME)
51 handler.setFormatter(formatter)
52 logger.addHandler(handler)
55 def user_routes(request):
56 user_routes = Route.objects.filter(applier=request.user)
57 return render_to_response('user_routes.html', {'routes': user_routes},
58 context_instance=RequestContext(request))
61 return render_to_response('welcome.html', context_instance=RequestContext(request))
65 def group_routes(request):
68 peer = request.user.get_profile().peer
69 except UserProfile.DoesNotExist:
70 error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
71 return render_to_response('error.html', {'error': error})
73 peer_members = UserProfile.objects.filter(peer=peer)
74 users = [prof.user for prof in peer_members]
75 group_routes = Route.objects.filter(applier__in=users)
76 if request.user.is_superuser:
77 group_routes = Route.objects.all()
78 return render_to_response('user_routes.html', {'routes': group_routes},
79 context_instance=RequestContext(request))
84 def add_route(request):
85 applier = request.user.pk
86 applier_peer_networks = request.user.get_profile().peer.networks.all()
87 if not applier_peer_networks:
88 messages.add_message(request, messages.WARNING,
89 _("Insufficient rights on administrative networks. Cannot add rule. Contact your administrator"))
90 return HttpResponseRedirect(reverse("group-routes"))
91 if request.method == "GET":
92 form = RouteForm(initial={'applier': applier})
93 if not request.user.is_superuser:
94 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
95 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
96 return render_to_response('apply.html', {'form': form, 'applier': applier},
97 context_instance=RequestContext(request))
100 request_data = request.POST.copy()
101 if request.user.is_superuser:
102 request_data['issuperuser'] = request.user.username
104 request_data['applier'] = applier
106 del requset_data['issuperuser']
109 form = RouteForm(request_data)
111 route=form.save(commit=False)
112 if not request.user.is_superuser:
113 route.applier = request.user
114 route.status = "PENDING"
115 route.response = "Applying"
116 route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
117 route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
121 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
122 fqdn = Site.objects.get_current().domain
123 admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
124 mail_body = render_to_string("rule_action.txt",
125 {"route": route, "address": requesters_address, "action": "creation", "url": admin_url})
126 user_mail = "%s" %route.applier.email
127 user_mail = user_mail.split(';')
128 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s creation request submitted by %s" %(route.name, route.applier.username),
129 mail_body, settings.SERVER_EMAIL, user_mail,
130 get_peer_techc_mails(route.applier))
131 d = { 'clientip' : "%s"%requesters_address, 'user' : route.applier.username }
132 logger.info(mail_body, extra=d)
133 return HttpResponseRedirect(reverse("group-routes"))
135 if not request.user.is_superuser:
136 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
137 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
138 return render_to_response('apply.html', {'form': form, 'applier':applier},
139 context_instance=RequestContext(request))
143 def edit_route(request, route_slug):
144 applier = request.user.pk
145 applier_peer = request.user.get_profile().peer
146 route_edit = get_object_or_404(Route, name=route_slug)
147 route_edit_applier_peer = route_edit.applier.get_profile().peer
148 if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
149 messages.add_message(request, messages.WARNING,
150 _("Insufficient rights to edit rule %s") %(route_slug))
151 return HttpResponseRedirect(reverse("group-routes"))
152 # if route_edit.status == "ADMININACTIVE" :
153 # messages.add_message(request, messages.WARNING,
154 # "Administrator has disabled editing of rule %s" %(route_slug))
155 # return HttpResponseRedirect(reverse("group-routes"))
156 # if route_edit.status == "EXPIRED" :
157 # messages.add_message(request, messages.WARNING,
158 # "Cannot edit the expired rule %s. Contact helpdesk to enable it" %(route_slug))
159 # return HttpResponseRedirect(reverse("group-routes"))
160 if route_edit.status == "PENDING" :
161 messages.add_message(request, messages.WARNING,
162 _("Cannot edit a pending rule: %s.") %(route_slug))
163 return HttpResponseRedirect(reverse("group-routes"))
164 route_original = deepcopy(route_edit)
166 request_data = request.POST.copy()
167 if request.user.is_superuser:
168 request_data['issuperuser'] = request.user.username
170 request_data['applier'] = applier
172 del request_data['issuperuser']
175 form = RouteForm(request_data, instance = route_edit)
176 critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
178 changed_data = form.changed_data
179 route=form.save(commit=False)
180 route.name = route_original.name
181 route.status = route_original.status
182 route.response = route_original.response
183 if not request.user.is_superuser:
184 route.applier = request.user
185 if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
186 route.status = "PENDING"
187 route.response = "Applying"
188 route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
189 route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
191 if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
194 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
195 fqdn = Site.objects.get_current().domain
196 admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
197 mail_body = render_to_string("rule_action.txt",
198 {"route": route, "address": requesters_address, "action": "edit", "url": admin_url})
199 user_mail = "%s" %route.applier.email
200 user_mail = user_mail.split(';')
201 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s edit request submitted by %s" %(route.name, route.applier.username),
202 mail_body, settings.SERVER_EMAIL, user_mail,
203 get_peer_techc_mails(route.applier))
204 d = { 'clientip' : requesters_address, 'user' : route.applier.username }
205 logger.info(mail_body, extra=d)
206 return HttpResponseRedirect(reverse("group-routes"))
208 if not request.user.is_superuser:
209 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
210 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
211 return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
212 context_instance=RequestContext(request))
214 if (not route_original.status == 'ACTIVE'):
215 route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
216 dictionary = model_to_dict(route_edit, fields=[], exclude=[])
217 if request.user.is_superuser:
218 dictionary['issuperuser'] = request.user.username
221 del dictionary['issuperuser']
224 form = RouteForm(dictionary)
225 if not request.user.is_superuser:
226 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
227 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
228 return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
229 context_instance=RequestContext(request))
233 def delete_route(request, route_slug):
234 if request.is_ajax():
235 route = get_object_or_404(Route, name=route_slug)
236 applier_peer = route.applier.get_profile().peer
237 requester_peer = request.user.get_profile().peer
238 if applier_peer == requester_peer or request.user.is_superuser:
239 route.status = "PENDING"
240 route.expires = datetime.date.today()
241 if not request.user.is_superuser:
242 route.applier = request.user
243 route.response = "Suspending"
245 route.commit_delete()
246 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
247 fqdn = Site.objects.get_current().domain
248 admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
249 mail_body = render_to_string("rule_action.txt",
250 {"route": route, "address": requesters_address, "action": "removal", "url": admin_url})
251 user_mail = "%s" %route.applier.email
252 user_mail = user_mail.split(';')
253 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s removal request submitted by %s" %(route.name, route.applier.username),
254 mail_body, settings.SERVER_EMAIL, user_mail,
255 get_peer_techc_mails(route.applier))
256 d = { 'clientip' : requesters_address, 'user' : route.applier.username }
257 logger.info(mail_body, extra=d)
258 html = "<html><body>Done</body></html>"
259 return HttpResponse(html)
261 return HttpResponseRedirect(reverse("group-routes"))
265 def user_profile(request):
268 peer = request.user.get_profile().peer
269 peers = Peer.objects.filter(pk=peer.pk)
270 if user.is_superuser:
271 peers = Peer.objects.all()
272 except UserProfile.DoesNotExist:
273 error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
274 return render_to_response('error.html', {'error': error})
275 return render_to_response('profile.html', {'user': user, 'peers':peers},
276 context_instance=RequestContext(request))
279 def user_login(request):
281 error_username = False
282 error_orgname = False
283 error_entitlement = False
285 has_entitlement = False
287 username = request.META['HTTP_EPPN']
289 error_username = True
290 firstname = request.META['HTTP_SHIB_INETORGPERSON_GIVENNAME']
291 lastname = request.META['HTTP_SHIB_PERSON_SURNAME']
292 mail = request.META['HTTP_SHIB_INETORGPERSON_MAIL']
293 organization = request.META['HTTP_SHIB_HOMEORGANIZATION']
294 entitlement = request.META['HTTP_SHIB_EP_ENTITLEMENT']
295 if settings.SHIB_AUTH_ENTITLEMENT in entitlement.split(";"):
296 has_entitlement = True
297 if not has_entitlement:
298 error_entitlement = True
304 error = _("Your idP should release the HTTP_EPPN attribute towards this service<br>")
306 error = error + _("Your idP should release the HTTP_SHIB_HOMEORGANIZATION attribute towards this service<br>")
307 if error_entitlement:
308 error = error + _("Your idP should release an appropriate HTTP_SHIB_EP_ENTITLEMENT attribute towards this service<br>")
310 error = error + _("Your idP should release the HTTP_SHIB_INETORGPERSON_MAIL attribute towards this service")
311 if error_username or error_orgname or error_entitlement or error_mail:
312 return render_to_response('error.html', {'error': error, "missing_attributes": True},
313 context_instance=RequestContext(request))
315 user = User.objects.get(username__exact=username)
317 user.first_name = firstname
318 user.last_name = lastname
323 user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
326 peer = Peer.objects.get(domain_name=organization)
327 up = UserProfile.objects.get_or_create(user=user,peer=peer)
329 error = _("Your organization's domain name does not match our peers' domain names<br>Please contact Helpdesk to resolve this issue")
330 return render_to_response('error.html', {'error': error})
332 user_activation_notify(user)
335 return HttpResponseRedirect(reverse("group-routes"))
337 error = _("User account <strong>%s</strong> is pending activation. Administrators have been notified and will activate this account within the next days. <br>If this account has remained inactive for a long time contact your technical coordinator or GRNET Helpdesk") %user.username
338 return render_to_response('error.html', {'error': error, 'inactive': True},
339 context_instance=RequestContext(request))
341 error = _("Something went wrong during user authentication. Contact your administrator")
342 return render_to_response('error.html', {'error': error,},
343 context_instance=RequestContext(request))
345 error = _("Invalid login procedure")
346 return render_to_response('error.html', {'error': error,},
347 context_instance=RequestContext(request))
348 # Return an 'invalid login' error message.
349 # return HttpResponseRedirect(reverse("user-routes"))
351 def user_activation_notify(user):
352 current_site = Site.objects.get_current()
353 subject = render_to_string('registration/activation_email_subject.txt',
354 { 'site': current_site })
355 # Email subject *must not* contain newlines
356 subject = ''.join(subject.splitlines())
357 registration_profile = RegistrationProfile.objects.create_profile(user)
358 message = render_to_string('registration/activation_email.txt',
359 { 'activation_key': registration_profile.activation_key,
360 'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS,
361 'site': current_site,
363 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + subject,
364 message, settings.SERVER_EMAIL,
365 get_peer_techc_mails(user), [])
369 def add_rate_limit(request):
370 if request.method == "GET":
371 form = ThenPlainForm()
372 return render_to_response('add_rate_limit.html', {'form': form,},
373 context_instance=RequestContext(request))
376 form = ThenPlainForm(request.POST)
378 then=form.save(commit=False)
379 then.action_value = "%sk"%then.action_value
382 response_data['pk'] = "%s" %then.pk
383 response_data['value'] = "%s:%s" %(then.action, then.action_value)
384 return HttpResponse(json.dumps(response_data), mimetype='application/json')
386 return render_to_response('add_rate_limit.html', {'form': form,},
387 context_instance=RequestContext(request))
391 def add_port(request):
392 if request.method == "GET":
393 form = PortPlainForm()
394 return render_to_response('add_port.html', {'form': form,},
395 context_instance=RequestContext(request))
398 form = PortPlainForm(request.POST)
402 response_data['value'] = "%s" %port.pk
403 response_data['text'] = "%s" %port.port
404 return HttpResponse(json.dumps(response_data), mimetype='application/json')
406 return render_to_response('add_port.html', {'form': form,},
407 context_instance=RequestContext(request))
411 def user_logout(request):
413 return HttpResponseRedirect(reverse('group-routes'))
416 def load_jscript(request, file):
417 long_polling_timeout = int(settings.POLL_SESSION_UPDATE)*1000 + 10000
418 return render_to_response('%s.js' % file, {'timeout': long_polling_timeout}, context_instance=RequestContext(request), mimetype="text/javascript")
421 def get_peer_techc_mails(user):
425 user_mail = "%s" %user.email
426 user_mail = user_mail.split(';')
427 techmails = user.get_profile().peer.techc_emails.all()
429 for techmail in techmails:
430 techmails_list.append(techmail.email)
431 if settings.NOTIFY_ADMIN_MAILS:
432 additional_mail = settings.NOTIFY_ADMIN_MAILS
433 # mail.extend(user_mail)
434 mail.extend(additional_mail)
435 mail.extend(techmails_list)
439 return render_to_response('gettos.html', context_instance=RequestContext(request))
441 def getinfo(request):
442 return render_to_response('getinfo.html', context_instance=RequestContext(request))
444 def send_new_mail(subject, message, from_email, recipient_list, bcc_list):
445 return EmailMessage(subject, message, from_email, recipient_list, bcc_list).send()