1 # Create your views here.
5 from django import forms
6 from django.views.decorators.csrf import csrf_exempt
7 from django.core import urlresolvers
8 from django.core import serializers
9 from django.contrib.auth.decorators import login_required
10 from django.contrib.auth import logout
11 from django.contrib.sites.models import Site
12 from django.contrib.auth.models import User
13 from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse
14 from django.shortcuts import get_object_or_404, render_to_response
15 from django.core.context_processors import request
16 from django.template.context import RequestContext
17 from django.template.loader import get_template, render_to_string
18 from django.core.urlresolvers import reverse
19 from django.contrib import messages
20 from flowspy.accounts.models import *
23 from django.contrib.auth import authenticate, login
25 from django.forms.models import model_to_dict
27 from flowspy.flowspec.forms import *
28 from flowspy.flowspec.models import *
29 from flowspy.peers.models import *
31 from registration.models import RegistrationProfile
33 from copy import deepcopy
34 from flowspy.utils.decorators import shib_required
36 from django.views.decorators.cache import never_cache
37 from django.conf import settings
38 from django.core.mail.message import EmailMessage
42 LOG_FILENAME = os.path.join(settings.LOG_FILE_LOCATION, 'celery_jobs.log')
43 #FORMAT = '%(asctime)s %(levelname)s: %(message)s'
44 #logging.basicConfig(format=FORMAT)
45 formatter = logging.Formatter('%(asctime)s %(levelname)s %(clientip)s %(user)s: %(message)s')
47 logger = logging.getLogger(__name__)
48 logger.setLevel(logging.DEBUG)
49 handler = logging.FileHandler(LOG_FILENAME)
50 handler.setFormatter(formatter)
51 logger.addHandler(handler)
54 def user_routes(request):
55 user_routes = Route.objects.filter(applier=request.user)
56 return render_to_response('user_routes.html', {'routes': user_routes},
57 context_instance=RequestContext(request))
60 return render_to_response('welcome.html', context_instance=RequestContext(request))
64 def group_routes(request):
67 peer = request.user.get_profile().peer
68 except UserProfile.DoesNotExist:
69 error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
70 return render_to_response('error.html', {'error': error})
72 peer_members = UserProfile.objects.filter(peer=peer)
73 users = [prof.user for prof in peer_members]
74 group_routes = Route.objects.filter(applier__in=users)
75 if request.user.is_superuser:
76 group_routes = Route.objects.all()
77 return render_to_response('user_routes.html', {'routes': group_routes},
78 context_instance=RequestContext(request))
83 def add_route(request):
84 applier = request.user.pk
85 applier_peer_networks = request.user.get_profile().peer.networks.all()
86 if not applier_peer_networks:
87 messages.add_message(request, messages.WARNING,
88 "Insufficient rights on administrative networks. Cannot add rule. Contact your administrator")
89 return HttpResponseRedirect(reverse("group-routes"))
90 if request.method == "GET":
91 form = RouteForm(initial={'applier': applier})
92 if not request.user.is_superuser:
93 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
94 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
95 return render_to_response('apply.html', {'form': form, 'applier': applier},
96 context_instance=RequestContext(request))
99 request_data = request.POST.copy()
100 if request.user.is_superuser:
101 request_data['issuperuser'] = request.user.username
103 request_data['applier'] = applier
105 del requset_data['issuperuser']
108 form = RouteForm(request_data)
110 route=form.save(commit=False)
111 if not request.user.is_superuser:
112 route.applier = request.user
113 route.status = "PENDING"
114 route.response = "Applying..."
115 route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
116 route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
120 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
121 mail_body = render_to_string("rule_add_mail.txt",
122 {"route": route, "address": requesters_address})
123 user_mail = "%s" %route.applier.email
124 user_mail = user_mail.split(';')
125 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s creation request submitted by %s" %(route.name, route.applier.username),
126 mail_body, settings.SERVER_EMAIL, user_mail,
127 get_peer_techc_mails(route.applier))
128 d = { 'clientip' : "%s"%requesters_address, 'user' : route.applier.username }
129 logger.info(mail_body, extra=d)
130 return HttpResponseRedirect(reverse("group-routes"))
132 if not request.user.is_superuser:
133 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
134 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
135 return render_to_response('apply.html', {'form': form, 'applier':applier},
136 context_instance=RequestContext(request))
140 def edit_route(request, route_slug):
141 applier = request.user.pk
142 applier_peer = request.user.get_profile().peer
143 route_edit = get_object_or_404(Route, name=route_slug)
144 route_edit_applier_peer = route_edit.applier.get_profile().peer
145 if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
146 messages.add_message(request, messages.WARNING,
147 "Insufficient rights to edit rule %s" %(route_slug))
148 return HttpResponseRedirect(reverse("group-routes"))
149 # if route_edit.status == "ADMININACTIVE" :
150 # messages.add_message(request, messages.WARNING,
151 # "Administrator has disabled editing of rule %s" %(route_slug))
152 # return HttpResponseRedirect(reverse("group-routes"))
153 # if route_edit.status == "EXPIRED" :
154 # messages.add_message(request, messages.WARNING,
155 # "Cannot edit the expired rule %s. Contact helpdesk to enable it" %(route_slug))
156 # return HttpResponseRedirect(reverse("group-routes"))
157 if route_edit.status == "PENDING" :
158 messages.add_message(request, messages.WARNING,
159 "Cannot edit a pending rule: %s." %(route_slug))
160 return HttpResponseRedirect(reverse("group-routes"))
161 route_original = deepcopy(route_edit)
163 request_data = request.POST.copy()
164 if request.user.is_superuser:
165 request_data['issuperuser'] = request.user.username
167 request_data['applier'] = applier
169 del request_data['issuperuser']
172 form = RouteForm(request_data, instance = route_edit)
173 critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
175 changed_data = form.changed_data
176 route=form.save(commit=False)
177 route.name = route_original.name
178 route.status = route_original.status
179 route.response = route_original.response
180 if not request.user.is_superuser:
181 route.applier = request.user
182 if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
183 route.status = "PENDING"
184 route.response = "Applying..."
185 route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
186 route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
188 if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
191 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
192 mail_body = render_to_string("rule_edit_mail.txt",
193 {"route": route, "address": requesters_address})
194 user_mail = "%s" %route.applier.email
195 user_mail = user_mail.split(';')
196 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s edit request submitted by %s" %(route.name, route.applier.username),
197 mail_body, settings.SERVER_EMAIL, user_mail,
198 get_peer_techc_mails(route.applier))
199 d = { 'clientip' : requesters_address, 'user' : route.applier.username }
200 logger.info(mail_body, extra=d)
201 return HttpResponseRedirect(reverse("group-routes"))
203 if not request.user.is_superuser:
204 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
205 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
206 return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
207 context_instance=RequestContext(request))
209 if (not route_original.status == 'ACTIVE'):
210 route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
211 dictionary = model_to_dict(route_edit, fields=[], exclude=[])
212 if request.user.is_superuser:
213 dictionary['issuperuser'] = request.user.username
216 del dictionary['issuperuser']
219 form = RouteForm(dictionary)
220 if not request.user.is_superuser:
221 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
222 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
223 return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
224 context_instance=RequestContext(request))
228 def delete_route(request, route_slug):
229 if request.is_ajax():
230 route = get_object_or_404(Route, name=route_slug)
231 applier_peer = route.applier.get_profile().peer
232 requester_peer = request.user.get_profile().peer
233 if applier_peer == requester_peer or request.user.is_superuser:
234 route.status = "PENDING"
235 route.expires = datetime.date.today()
236 if not request.user.is_superuser:
237 route.applier = request.user
238 route.response = "Suspending..."
240 route.commit_delete()
241 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
242 mail_body = render_to_string("rule_delete_mail.txt",
243 {"route": route, "address": requesters_address})
244 user_mail = "%s" %route.applier.email
245 user_mail = user_mail.split(';')
246 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s removal request submitted by %s" %(route.name, route.applier.username),
247 mail_body, settings.SERVER_EMAIL, user_mail,
248 get_peer_techc_mails(route.applier))
249 d = { 'clientip' : requesters_address, 'user' : route.applier.username }
250 logger.info(mail_body, extra=d)
251 html = "<html><body>Done</body></html>"
252 return HttpResponse(html)
254 return HttpResponseRedirect(reverse("group-routes"))
258 def user_profile(request):
261 peer = request.user.get_profile().peer
262 peers = Peer.objects.filter(pk=peer.pk)
263 if user.is_superuser:
264 peers = Peer.objects.all()
265 except UserProfile.DoesNotExist:
266 error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
267 return render_to_response('error.html', {'error': error})
268 return render_to_response('profile.html', {'user': user, 'peers':peers},
269 context_instance=RequestContext(request))
272 def user_login(request):
274 error_username = False
275 error_orgname = False
276 error_entitlement = False
278 has_entitlement = False
280 username = request.META['HTTP_EPPN']
282 error_username = True
283 firstname = request.META['HTTP_SHIB_INETORGPERSON_GIVENNAME']
284 lastname = request.META['HTTP_SHIB_PERSON_SURNAME']
285 mail = request.META['HTTP_SHIB_INETORGPERSON_MAIL']
286 organization = request.META['HTTP_SHIB_HOMEORGANIZATION']
287 entitlement = request.META['HTTP_SHIB_EP_ENTITLEMENT']
288 if settings.SHIB_AUTH_ENTITLEMENT in entitlement.split(";"):
289 has_entitlement = True
290 if not has_entitlement:
291 error_entitlement = True
297 error = "Your idP should release the HTTP_EPPN attribute towards this service<br>"
299 error = error + "Your idP should release the HTTP_SHIB_HOMEORGANIZATION attribute towards this service<br>"
300 if error_entitlement:
301 error = error + "Your idP should release an appropriate HTTP_SHIB_EP_ENTITLEMENT attribute towards this service<br>"
303 error = error + "Your idP should release the HTTP_SHIB_INETORGPERSON_MAIL attribute towards this service"
304 if error_username or error_orgname or error_entitlement or error_mail:
305 return render_to_response('error.html', {'error': error, "missing_attributes": True},
306 context_instance=RequestContext(request))
308 user = User.objects.get(username__exact=username)
310 user.first_name = firstname
311 user.last_name = lastname
316 user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
319 peer = Peer.objects.get(domain_name=organization)
320 up = UserProfile.objects.get_or_create(user=user,peer=peer)
322 error = "Your organization's domain name does not match our peers' domain names<br>Please contact Helpdesk to resolve this issue"
323 return render_to_response('error.html', {'error': error})
325 user_activation_notify(user)
328 return HttpResponseRedirect(reverse("group-routes"))
330 error = "User account <strong>%s</strong> is pending activation. Administrators have been notified and will activate this account within the next days. <br>If this account has remained inactive for a long time contact your technical coordinator or GRNET Helpdesk" %user.username
331 return render_to_response('error.html', {'error': error, 'inactive': True},
332 context_instance=RequestContext(request))
334 error = "Something went wrong during user authentication. Contact your administrator"
335 return render_to_response('error.html', {'error': error,},
336 context_instance=RequestContext(request))
338 error = "Invalid login procedure"
339 return render_to_response('error.html', {'error': error,},
340 context_instance=RequestContext(request))
341 # Return an 'invalid login' error message.
342 # return HttpResponseRedirect(reverse("user-routes"))
344 def user_activation_notify(user):
345 current_site = Site.objects.get_current()
346 subject = render_to_string('registration/activation_email_subject.txt',
347 { 'site': current_site })
348 # Email subject *must not* contain newlines
349 subject = ''.join(subject.splitlines())
350 registration_profile = RegistrationProfile.objects.create_profile(user)
351 message = render_to_string('registration/activation_email.txt',
352 { 'activation_key': registration_profile.activation_key,
353 'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS,
354 'site': current_site,
356 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + subject,
357 message, settings.SERVER_EMAIL,
358 get_peer_techc_mails(user), [])
362 def add_rate_limit(request):
363 if request.method == "GET":
364 form = ThenPlainForm()
365 return render_to_response('add_rate_limit.html', {'form': form,},
366 context_instance=RequestContext(request))
369 form = ThenPlainForm(request.POST)
371 then=form.save(commit=False)
372 then.action_value = "%sk"%then.action_value
375 response_data['pk'] = "%s" %then.pk
376 response_data['value'] = "%s:%s" %(then.action, then.action_value)
377 return HttpResponse(json.dumps(response_data), mimetype='application/json')
379 return render_to_response('add_rate_limit.html', {'form': form,},
380 context_instance=RequestContext(request))
384 def add_port(request):
385 if request.method == "GET":
386 form = PortPlainForm()
387 return render_to_response('add_port.html', {'form': form,},
388 context_instance=RequestContext(request))
391 form = PortPlainForm(request.POST)
395 response_data['value'] = "%s" %port.pk
396 response_data['text'] = "%s" %port.port
397 return HttpResponse(json.dumps(response_data), mimetype='application/json')
399 return render_to_response('add_port.html', {'form': form,},
400 context_instance=RequestContext(request))
404 def user_logout(request):
406 return HttpResponseRedirect(reverse('group-routes'))
409 def load_jscript(request, file):
410 long_polling_timeout = int(settings.POLL_SESSION_UPDATE)*1000 + 10000
411 return render_to_response('%s.js' % file, {'timeout': long_polling_timeout}, context_instance=RequestContext(request), mimetype="text/javascript")
414 def get_peer_techc_mails(user):
418 user_mail = "%s" %user.email
419 user_mail = user_mail.split(';')
420 techmails = user.get_profile().peer.techc_emails.all()
422 for techmail in techmails:
423 techmails_list.append(techmail.email)
424 if settings.NOTIFY_ADMIN_MAILS:
425 additional_mail = settings.NOTIFY_ADMIN_MAILS
426 # mail.extend(user_mail)
427 mail.extend(additional_mail)
428 mail.extend(techmails_list)
432 def send_new_mail(subject, message, from_email, recipient_list, bcc_list):
433 return EmailMessage(subject, message, from_email, recipient_list, bcc_list).send()