projects / flowspy / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Made the appropriate changes to settings.py.dist
[flowspy] / flowspec / views.py
1 # Create your views here.
2 import urllib2
3 import socket
4 import json
5 from django import forms
6 from django.views.decorators.csrf import csrf_exempt
7 from django.core import urlresolvers
8 from django.core import serializers
9 from django.contrib.auth.decorators import login_required
10 from django.contrib.auth import logout
11 from django.contrib.sites.models import Site
12 from django.contrib.auth.models import User
13 from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse
14 from django.shortcuts import get_object_or_404, render_to_response
15 from django.core.context_processors import request
16 from django.template.context import RequestContext
17 from django.template.loader import get_template, render_to_string
18 from django.utils.translation import ugettext as _
19 from django.core.urlresolvers import reverse
20 from django.contrib import messages
21 from flowspy.accounts.models import *
22 from ipaddr import *
23
24 from django.contrib.auth import authenticate, login
25
26 from django.forms.models import model_to_dict
27
28 from flowspy.flowspec.forms import * 
29 from flowspy.flowspec.models import *
30 from flowspy.peers.models import *
31
32 from registration.models import RegistrationProfile
33
34 from copy import deepcopy
35 from flowspy.utils.decorators import shib_required
36
37 from django.views.decorators.cache import never_cache
38 from django.conf import settings
39 from django.core.mail.message import EmailMessage
40 import datetime
41 import os
42
43 LOG_FILENAME = os.path.join(settings.LOG_FILE_LOCATION, 'celery_jobs.log')
44 #FORMAT = '%(asctime)s %(levelname)s: %(message)s'
45 #logging.basicConfig(format=FORMAT)
46 formatter = logging.Formatter('%(asctime)s %(levelname)s %(clientip)s %(user)s: %(message)s')
47
48 logger = logging.getLogger(__name__)
49 logger.setLevel(logging.DEBUG)
50 handler = logging.FileHandler(LOG_FILENAME)
51 handler.setFormatter(formatter)
52 logger.addHandler(handler)
53
54 @login_required
55 def user_routes(request):
56     user_routes = Route.objects.filter(applier=request.user)
57     return render_to_response('user_routes.html', {'routes': user_routes},
58                               context_instance=RequestContext(request))
59
60 def welcome(request):
61     return render_to_response('welcome.html', context_instance=RequestContext(request))
62
63 @login_required
64 @never_cache
65 def group_routes(request):
66     group_routes = []
67     try:
68         peer = request.user.get_profile().peer
69     except UserProfile.DoesNotExist:
70         error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
71         return render_to_response('error.html', {'error': error})
72     if peer:
73        peer_members = UserProfile.objects.filter(peer=peer)
74        users = [prof.user for prof in peer_members]
75        group_routes = Route.objects.filter(applier__in=users)
76        if request.user.is_superuser:
77            group_routes = Route.objects.all()
78        return render_to_response('user_routes.html', {'routes': group_routes},
79                               context_instance=RequestContext(request))
80
81
82 @login_required
83 @never_cache
84 def add_route(request):
85     applier = request.user.pk
86     applier_peer_networks = request.user.get_profile().peer.networks.all()
87     if not applier_peer_networks:
88          messages.add_message(request, messages.WARNING,
89                              _("Insufficient rights on administrative networks. Cannot add rule. Contact your administrator"))
90          return HttpResponseRedirect(reverse("group-routes"))
91     if request.method == "GET":
92         form = RouteForm(initial={'applier': applier})
93         if not request.user.is_superuser:
94             form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
95             form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
96         return render_to_response('apply.html', {'form': form, 'applier': applier},
97                                   context_instance=RequestContext(request))
98
99     else:
100         request_data = request.POST.copy()
101         if request.user.is_superuser:
102             request_data['issuperuser'] = request.user.username
103         else:
104             request_data['applier'] = applier
105             try:
106                 del requset_data['issuperuser']
107             except:
108                 pass
109         form = RouteForm(request_data)
110         if form.is_valid():
111             route=form.save(commit=False)
112             if not request.user.is_superuser:
113                 route.applier = request.user
114             route.status = "PENDING"
115             route.response = "Applying"
116             route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
117             route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
118             route.save()
119             form.save_m2m()
120             route.commit_add()
121             requesters_address = request.META['HTTP_X_FORWARDED_FOR']
122             fqdn = Site.objects.get_current().domain
123             admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
124             mail_body = render_to_string("rule_action.txt",
125                                              {"route": route, "address": requesters_address, "action": "creation", "url": admin_url})
126             user_mail = "%s" %route.applier.email
127             user_mail = user_mail.split(';')
128             send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s creation request submitted by %s" %(route.name, route.applier.username),
129                               mail_body, settings.SERVER_EMAIL, user_mail,
130                               get_peer_techc_mails(route.applier))
131             d = { 'clientip' : "%s"%requesters_address, 'user' : route.applier.username }
132             logger.info(mail_body, extra=d)
133             return HttpResponseRedirect(reverse("group-routes"))
134         else:
135             if not request.user.is_superuser:
136                 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
137                 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
138             return render_to_response('apply.html', {'form': form, 'applier':applier},
139                                       context_instance=RequestContext(request))
140
141 @login_required
142 @never_cache
143 def edit_route(request, route_slug):
144     applier = request.user.pk
145     applier_peer = request.user.get_profile().peer
146     route_edit = get_object_or_404(Route, name=route_slug)
147     route_edit_applier_peer = route_edit.applier.get_profile().peer
148     if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
149         messages.add_message(request, messages.WARNING,
150                              _("Insufficient rights to edit rule %s") %(route_slug))
151         return HttpResponseRedirect(reverse("group-routes"))
152 #    if route_edit.status == "ADMININACTIVE" :
153 #        messages.add_message(request, messages.WARNING,
154 #                             "Administrator has disabled editing of rule %s" %(route_slug))
155 #        return HttpResponseRedirect(reverse("group-routes"))
156 #    if route_edit.status == "EXPIRED" :
157 #        messages.add_message(request, messages.WARNING,
158 #                             "Cannot edit the expired rule %s. Contact helpdesk to enable it" %(route_slug))
159 #        return HttpResponseRedirect(reverse("group-routes"))
160     if route_edit.status == "PENDING" :
161         messages.add_message(request, messages.WARNING,
162                              _("Cannot edit a pending rule: %s.") %(route_slug))
163         return HttpResponseRedirect(reverse("group-routes"))
164     route_original = deepcopy(route_edit)
165     if request.POST:
166         request_data = request.POST.copy()
167         if request.user.is_superuser:
168             request_data['issuperuser'] = request.user.username
169         else:
170             request_data['applier'] = applier
171             try:
172                 del request_data['issuperuser']
173             except:
174                 pass
175         form = RouteForm(request_data, instance = route_edit)
176         critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
177         if form.is_valid():
178             changed_data = form.changed_data
179             route=form.save(commit=False)
180             route.name = route_original.name
181             route.status = route_original.status
182             route.response = route_original.response
183             if not request.user.is_superuser:
184                 route.applier = request.user
185             if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
186                 route.status = "PENDING"
187                 route.response = "Applying"
188                 route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
189                 route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
190             route.save()
191             if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
192                 form.save_m2m()
193                 route.commit_edit()
194                 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
195                 fqdn = Site.objects.get_current().domain
196                 admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
197                 mail_body = render_to_string("rule_action.txt",
198                                              {"route": route, "address": requesters_address, "action": "edit", "url": admin_url})
199                 user_mail = "%s" %route.applier.email
200                 user_mail = user_mail.split(';')
201                 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s edit request submitted by %s" %(route.name, route.applier.username),
202                               mail_body, settings.SERVER_EMAIL, user_mail,
203                               get_peer_techc_mails(route.applier))
204                 d = { 'clientip' : requesters_address, 'user' : route.applier.username }
205                 logger.info(mail_body, extra=d)
206             return HttpResponseRedirect(reverse("group-routes"))
207         else:
208             if not request.user.is_superuser:
209                 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
210                 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
211             return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
212                                       context_instance=RequestContext(request))
213     else:
214         if (not route_original.status == 'ACTIVE'):
215             route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
216         dictionary = model_to_dict(route_edit, fields=[], exclude=[])
217         if request.user.is_superuser:
218             dictionary['issuperuser'] = request.user.username
219         else:
220             try:
221                 del dictionary['issuperuser']
222             except:
223                 pass
224         form = RouteForm(dictionary)
225         if not request.user.is_superuser:
226             form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
227             form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
228         return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
229                                   context_instance=RequestContext(request))
230
231 @login_required
232 @never_cache
233 def delete_route(request, route_slug):
234     if request.is_ajax():
235         route = get_object_or_404(Route, name=route_slug)
236         applier_peer = route.applier.get_profile().peer
237         requester_peer = request.user.get_profile().peer
238         if applier_peer == requester_peer or request.user.is_superuser:
239             route.status = "PENDING"
240             route.expires = datetime.date.today()
241             if not request.user.is_superuser:
242                 route.applier = request.user
243             route.response = "Suspending"
244             route.save()
245             route.commit_delete()
246             requesters_address = request.META['HTTP_X_FORWARDED_FOR']
247             fqdn = Site.objects.get_current().domain
248             admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
249             mail_body = render_to_string("rule_action.txt",
250                                              {"route": route, "address": requesters_address, "action": "removal", "url": admin_url})
251             user_mail = "%s" %route.applier.email
252             user_mail = user_mail.split(';')
253             send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s removal request submitted by %s" %(route.name, route.applier.username), 
254                               mail_body, settings.SERVER_EMAIL, user_mail,
255                              get_peer_techc_mails(route.applier))
256             d = { 'clientip' : requesters_address, 'user' : route.applier.username }
257             logger.info(mail_body, extra=d)
258         html = "<html><body>Done</body></html>"
259         return HttpResponse(html)
260     else:
261         return HttpResponseRedirect(reverse("group-routes"))
262
263 @login_required
264 @never_cache
265 def user_profile(request):
266     user = request.user
267     try:
268         peer = request.user.get_profile().peer
269         peers = Peer.objects.filter(pk=peer.pk)
270         if user.is_superuser:
271             peers = Peer.objects.all()
272     except UserProfile.DoesNotExist:
273         error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
274         return render_to_response('error.html', {'error': error})
275     return render_to_response('profile.html', {'user': user, 'peers':peers},
276                                   context_instance=RequestContext(request))
277
278 @never_cache
279 def user_login(request):
280     try:
281         error_username = False
282         error_orgname = False
283         error_entitlement = False
284         error_mail = False
285         has_entitlement = False
286         error = ''
287         username = request.META['HTTP_EPPN']
288         if not username:
289             error_username = True
290         firstname = request.META['HTTP_SHIB_INETORGPERSON_GIVENNAME']
291         lastname = request.META['HTTP_SHIB_PERSON_SURNAME']
292         mail = request.META['HTTP_SHIB_INETORGPERSON_MAIL']
293         organization = request.META['HTTP_SHIB_HOMEORGANIZATION']
294         entitlement = request.META['HTTP_SHIB_EP_ENTITLEMENT']
295         if settings.SHIB_AUTH_ENTITLEMENT in entitlement.split(";"):
296             has_entitlement = True
297         if not has_entitlement:
298             error_entitlement = True
299         if not organization:
300             error_orgname = True
301         if not mail:
302             error_mail = True
303         if error_username:
304             error = _("Your idP should release the HTTP_EPPN attribute towards this service<br>")
305         if error_orgname:
306             error = error + _("Your idP should release the HTTP_SHIB_HOMEORGANIZATION attribute towards this service<br>")
307         if error_entitlement:
308             error = error + _("Your idP should release an appropriate HTTP_SHIB_EP_ENTITLEMENT attribute towards this service<br>")
309         if error_mail:
310             error = error + _("Your idP should release the HTTP_SHIB_INETORGPERSON_MAIL attribute towards this service")
311         if error_username or error_orgname or error_entitlement or error_mail:
312             return render_to_response('error.html', {'error': error, "missing_attributes": True},
313                                   context_instance=RequestContext(request))
314         try:
315             user = User.objects.get(username__exact=username)
316             user.email = mail
317             user.first_name = firstname
318             user.last_name = lastname
319             user.save()
320             user_exists = True
321         except:
322             user_exists = False
323         user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
324         if user is not None:
325             try:
326                 peer = Peer.objects.get(domain_name=organization)
327                 up = UserProfile.objects.get_or_create(user=user,peer=peer)
328             except:
329                 error = _("Your organization's domain name does not match our peers' domain names<br>Please contact Helpdesk to resolve this issue")
330                 return render_to_response('error.html', {'error': error})
331             if not user_exists:
332                 user_activation_notify(user)
333             if user.is_active:
334                login(request, user)
335                return HttpResponseRedirect(reverse("group-routes"))
336             else:
337                 error = _("User account <strong>%s</strong> is pending activation. Administrators have been notified and will activate this account within the next days. <br>If this account has remained inactive for a long time contact your technical coordinator or GRNET Helpdesk") %user.username
338                 return render_to_response('error.html', {'error': error, 'inactive': True},
339                                   context_instance=RequestContext(request))
340         else:
341             error = _("Something went wrong during user authentication. Contact your administrator")
342             return render_to_response('error.html', {'error': error,},
343                                   context_instance=RequestContext(request))
344     except Exception:
345         error = _("Invalid login procedure")
346         return render_to_response('error.html', {'error': error,},
347                                   context_instance=RequestContext(request))
348         # Return an 'invalid login' error message.
349 #    return HttpResponseRedirect(reverse("user-routes"))
350
351 def user_activation_notify(user):
352     current_site = Site.objects.get_current()
353     subject = render_to_string('registration/activation_email_subject.txt',
354                                    { 'site': current_site })
355     # Email subject *must not* contain newlines
356     subject = ''.join(subject.splitlines())
357     registration_profile = RegistrationProfile.objects.create_profile(user)
358     message = render_to_string('registration/activation_email.txt',
359                                    { 'activation_key': registration_profile.activation_key,
360                                      'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS,
361                                      'site': current_site,
362                                      'user': user })
363     send_new_mail(settings.EMAIL_SUBJECT_PREFIX + subject, 
364                               message, settings.SERVER_EMAIL,
365                              get_peer_techc_mails(user), [])
366
367 @login_required
368 @never_cache
369 def add_rate_limit(request):
370     if request.method == "GET":
371         form = ThenPlainForm()
372         return render_to_response('add_rate_limit.html', {'form': form,},
373                                   context_instance=RequestContext(request))
374
375     else:
376         form = ThenPlainForm(request.POST)
377         if form.is_valid():
378             then=form.save(commit=False)
379             then.action_value = "%sk"%then.action_value
380             then.save()
381             response_data = {}
382             response_data['pk'] = "%s" %then.pk
383             response_data['value'] = "%s:%s" %(then.action, then.action_value)
384             return HttpResponse(json.dumps(response_data), mimetype='application/json')
385         else:
386             return render_to_response('add_rate_limit.html', {'form': form,},
387                                       context_instance=RequestContext(request))
388
389 @login_required
390 @never_cache
391 def add_port(request):
392     if request.method == "GET":
393         form = PortPlainForm()
394         return render_to_response('add_port.html', {'form': form,},
395                                   context_instance=RequestContext(request))
396
397     else:
398         form = PortPlainForm(request.POST)
399         if form.is_valid():
400             port=form.save()
401             response_data = {}
402             response_data['value'] = "%s" %port.pk
403             response_data['text'] = "%s" %port.port
404             return HttpResponse(json.dumps(response_data), mimetype='application/json')
405         else:
406             return render_to_response('add_port.html', {'form': form,},
407                                       context_instance=RequestContext(request))
408
409 @login_required
410 @never_cache
411 def user_logout(request):
412     logout(request)
413     return HttpResponseRedirect(reverse('group-routes'))
414     
415 @never_cache
416 def load_jscript(request, file):
417     long_polling_timeout = int(settings.POLL_SESSION_UPDATE)*1000 + 10000
418     return render_to_response('%s.js' % file, {'timeout': long_polling_timeout}, context_instance=RequestContext(request), mimetype="text/javascript")
419
420
421 def get_peer_techc_mails(user):
422     mail = []
423     additional_mail = []
424     techmails_list = []
425     user_mail = "%s" %user.email
426     user_mail = user_mail.split(';')
427     techmails = user.get_profile().peer.techc_emails.all()
428     if techmails:
429         for techmail in techmails:
430             techmails_list.append(techmail.email)
431     if settings.NOTIFY_ADMIN_MAILS:
432         additional_mail = settings.NOTIFY_ADMIN_MAILS
433 #    mail.extend(user_mail)
434     mail.extend(additional_mail)
435     mail.extend(techmails_list)
436     return mail
437
438 def gettos(request):
439     return render_to_response('gettos.html', context_instance=RequestContext(request))
440
441 def getinfo(request):
442     return render_to_response('getinfo.html', context_instance=RequestContext(request))
443
444 def send_new_mail(subject, message, from_email, recipient_list, bcc_list):
445     return EmailMessage(subject, message, from_email, recipient_list, bcc_list).send()
446
Unnamed repository; edit this file 'description' to name the repository.