projects / flowspy / blob
? search:


d321558fb6694be8403eb7f67d44b88908218c93
[flowspy] / flowspec / views.py
1 # Create your views here.
2 import urllib2
3 import socket
4 import json
5 from django import forms
6 from django.views.decorators.csrf import csrf_exempt
7 from django.core import urlresolvers
8 from django.core import serializers
9 from django.contrib.auth.decorators import login_required
10 from django.contrib.auth import logout
11 from django.contrib.sites.models import Site
12 from django.contrib.auth.models import User
13 from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse
14 from django.shortcuts import get_object_or_404, render_to_response
15 from django.core.context_processors import request
16 from django.template.context import RequestContext
17 from django.template.loader import get_template, render_to_string
18 from django.core.urlresolvers import reverse
19 from django.contrib import messages
20 from flowspy.accounts.models import *
21 from ipaddr import *
22
23 from django.contrib.auth import authenticate, login
24
25 from django.forms.models import model_to_dict
26
27 from flowspy.flowspec.forms import * 
28 from flowspy.flowspec.models import *
29 from flowspy.peers.models import *
30
31 from registration.models import RegistrationProfile
32
33 from copy import deepcopy
34 from flowspy.utils.decorators import shib_required
35
36 from django.views.decorators.cache import never_cache
37 from django.conf import settings
38 from django.core.mail.message import EmailMessage
39 import datetime
40 import os
41
42 LOG_FILENAME = os.path.join(settings.LOG_FILE_LOCATION, 'celery_jobs.log')
43 #FORMAT = '%(asctime)s %(levelname)s: %(message)s'
44 #logging.basicConfig(format=FORMAT)
45 formatter = logging.Formatter('%(asctime)s %(levelname)s %(clientip)s %(user)s: %(message)s')
46
47 logger = logging.getLogger(__name__)
48 logger.setLevel(logging.DEBUG)
49 handler = logging.FileHandler(LOG_FILENAME)
50 handler.setFormatter(formatter)
51 logger.addHandler(handler)
52
53 @login_required
54 def user_routes(request):
55     user_routes = Route.objects.filter(applier=request.user)
56     return render_to_response('user_routes.html', {'routes': user_routes},
57                               context_instance=RequestContext(request))
58
59 def welcome(request):
60     return render_to_response('welcome.html', context_instance=RequestContext(request))
61
62 @login_required
63 @never_cache
64 def group_routes(request):
65     group_routes = []
66     try:
67         peer = request.user.get_profile().peer
68     except UserProfile.DoesNotExist:
69         error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
70         return render_to_response('error.html', {'error': error})
71     if peer:
72        peer_members = UserProfile.objects.filter(peer=peer)
73        users = [prof.user for prof in peer_members]
74        group_routes = Route.objects.filter(applier__in=users)
75        if request.user.is_superuser:
76            group_routes = Route.objects.all()
77        return render_to_response('user_routes.html', {'routes': group_routes},
78                               context_instance=RequestContext(request))
79
80
81 @login_required
82 @never_cache
83 def add_route(request):
84     applier = request.user.pk
85     applier_peer_networks = request.user.get_profile().peer.networks.all()
86     if not applier_peer_networks:
87          messages.add_message(request, messages.WARNING,
88                              "Insufficient rights on administrative networks. Cannot add rule. Contact your administrator")
89          return HttpResponseRedirect(reverse("group-routes"))
90     if request.method == "GET":
91         form = RouteForm(initial={'applier': applier})
92         if not request.user.is_superuser:
93             form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
94             form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
95         return render_to_response('apply.html', {'form': form, 'applier': applier},
96                                   context_instance=RequestContext(request))
97
98     else:
99         request_data = request.POST.copy()
100         if request.user.is_superuser:
101             request_data['issuperuser'] = request.user.username
102         else:
103             request_data['applier'] = applier
104             try:
105                 del requset_data['issuperuser']
106             except:
107                 pass
108         form = RouteForm(request_data)
109         if form.is_valid():
110             route=form.save(commit=False)
111             if not request.user.is_superuser:
112                 route.applier = request.user
113             route.status = "PENDING"
114             route.response = "Applying..."
115             route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
116             route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
117             route.save()
118             form.save_m2m()
119             route.commit_add()
120             requesters_address = request.META['HTTP_X_FORWARDED_FOR']
121             mail_body = render_to_string("rule_add_mail.txt",
122                                              {"route": route, "address": requesters_address})
123             user_mail = "%s" %route.applier.email
124             user_mail = user_mail.split(';')
125             send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s creation request submitted by %s" %(route.name, route.applier.username),
126                               mail_body, settings.SERVER_EMAIL, user_mail,
127                               get_peer_techc_mails(route.applier))
128             d = { 'clientip' : "%s"%requesters_address, 'user' : route.applier.username }
129             logger.info(mail_body, extra=d)
130             return HttpResponseRedirect(reverse("group-routes"))
131         else:
132             if not request.user.is_superuser:
133                 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
134                 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
135             return render_to_response('apply.html', {'form': form, 'applier':applier},
136                                       context_instance=RequestContext(request))
137
138 @login_required
139 @never_cache
140 def edit_route(request, route_slug):
141     applier = request.user.pk
142     applier_peer = request.user.get_profile().peer
143     route_edit = get_object_or_404(Route, name=route_slug)
144     route_edit_applier_peer = route_edit.applier.get_profile().peer
145     if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
146         messages.add_message(request, messages.WARNING,
147                              "Insufficient rights to edit rule %s" %(route_slug))
148         return HttpResponseRedirect(reverse("group-routes"))
149 #    if route_edit.status == "ADMININACTIVE" :
150 #        messages.add_message(request, messages.WARNING,
151 #                             "Administrator has disabled editing of rule %s" %(route_slug))
152 #        return HttpResponseRedirect(reverse("group-routes"))
153 #    if route_edit.status == "EXPIRED" :
154 #        messages.add_message(request, messages.WARNING,
155 #                             "Cannot edit the expired rule %s. Contact helpdesk to enable it" %(route_slug))
156 #        return HttpResponseRedirect(reverse("group-routes"))
157     if route_edit.status == "PENDING" :
158         messages.add_message(request, messages.WARNING,
159                              "Cannot edit a pending rule: %s." %(route_slug))
160         return HttpResponseRedirect(reverse("group-routes"))
161     route_original = deepcopy(route_edit)
162     if request.POST:
163         request_data = request.POST.copy()
164         if request.user.is_superuser:
165             request_data['issuperuser'] = request.user.username
166         else:
167             request_data['applier'] = applier
168             try:
169                 del request_data['issuperuser']
170             except:
171                 pass
172         form = RouteForm(request_data, instance = route_edit)
173         critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
174         if form.is_valid():
175             changed_data = form.changed_data
176             route=form.save(commit=False)
177             route.name = route_original.name
178             route.status = route_original.status
179             route.response = route_original.response
180             if not request.user.is_superuser:
181                 route.applier = request.user
182             if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
183                 route.status = "PENDING"
184                 route.response = "Applying..."
185                 route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
186                 route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
187             route.save()
188             if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
189                 form.save_m2m()
190                 route.commit_edit()
191                 requesters_address = request.META['HTTP_X_FORWARDED_FOR']
192                 mail_body = render_to_string("rule_edit_mail.txt",
193                                              {"route": route, "address": requesters_address})
194                 user_mail = "%s" %route.applier.email
195                 user_mail = user_mail.split(';')
196                 send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s edit request submitted by %s" %(route.name, route.applier.username),
197                               mail_body, settings.SERVER_EMAIL, user_mail,
198                               get_peer_techc_mails(route.applier))
199                 d = { 'clientip' : requesters_address, 'user' : route.applier.username }
200                 logger.info(mail_body, extra=d)
201             return HttpResponseRedirect(reverse("group-routes"))
202         else:
203             if not request.user.is_superuser:
204                 form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
205                 form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
206             return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
207                                       context_instance=RequestContext(request))
208     else:
209         if (not route_original.status == 'ACTIVE'):
210             route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
211         dictionary = model_to_dict(route_edit, fields=[], exclude=[])
212         if request.user.is_superuser:
213             dictionary['issuperuser'] = request.user.username
214         else:
215             try:
216                 del dictionary['issuperuser']
217             except:
218                 pass
219         form = RouteForm(dictionary)
220         if not request.user.is_superuser:
221             form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
222             form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
223         return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
224                                   context_instance=RequestContext(request))
225
226 @login_required
227 @never_cache
228 def delete_route(request, route_slug):
229     if request.is_ajax():
230         route = get_object_or_404(Route, name=route_slug)
231         applier_peer = route.applier.get_profile().peer
232         requester_peer = request.user.get_profile().peer
233         if applier_peer == requester_peer or request.user.is_superuser:
234             route.status = "PENDING"
235             route.expires = datetime.date.today()
236             if not request.user.is_superuser:
237                 route.applier = request.user
238             route.response = "Suspending..."
239             route.save()
240             route.commit_delete()
241             requesters_address = request.META['HTTP_X_FORWARDED_FOR']
242             mail_body = render_to_string("rule_delete_mail.txt",
243                                              {"route": route, "address": requesters_address})
244             user_mail = "%s" %route.applier.email
245             user_mail = user_mail.split(';')
246             send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s removal request submitted by %s" %(route.name, route.applier.username), 
247                               mail_body, settings.SERVER_EMAIL, user_mail,
248                              get_peer_techc_mails(route.applier))
249             d = { 'clientip' : requesters_address, 'user' : route.applier.username }
250             logger.info(mail_body, extra=d)
251         html = "<html><body>Done</body></html>"
252         return HttpResponse(html)
253     else:
254         return HttpResponseRedirect(reverse("group-routes"))
255
256 @login_required
257 @never_cache
258 def user_profile(request):
259     user = request.user
260     try:
261         peer = request.user.get_profile().peer
262         peers = Peer.objects.filter(pk=peer.pk)
263         if user.is_superuser:
264             peers = Peer.objects.all()
265     except UserProfile.DoesNotExist:
266         error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
267         return render_to_response('error.html', {'error': error})
268     return render_to_response('profile.html', {'user': user, 'peers':peers},
269                                   context_instance=RequestContext(request))
270
271 @never_cache
272 def user_login(request):
273     try:
274         error_username = False
275         error_orgname = False
276         error_entitlement = False
277         error_mail = False
278         has_entitlement = False
279         error = ''
280         username = request.META['HTTP_EPPN']
281         if not username:
282             error_username = True
283         firstname = request.META['HTTP_SHIB_INETORGPERSON_GIVENNAME']
284         lastname = request.META['HTTP_SHIB_PERSON_SURNAME']
285         mail = request.META['HTTP_SHIB_INETORGPERSON_MAIL']
286         organization = request.META['HTTP_SHIB_HOMEORGANIZATION']
287         entitlement = request.META['HTTP_SHIB_EP_ENTITLEMENT']
288         if settings.SHIB_AUTH_ENTITLEMENT in entitlement.split(";"):
289             has_entitlement = True
290         if not has_entitlement:
291             error_entitlement = True
292         if not organization:
293             error_orgname = True
294         if not mail:
295             error_mail = True
296         if error_username:
297             error = "Your idP should release the HTTP_EPPN attribute towards this service<br>"
298         if error_orgname:
299             error = error + "Your idP should release the HTTP_SHIB_HOMEORGANIZATION attribute towards this service<br>"
300         if error_entitlement:
301             error = error + "Your idP should release an appropriate HTTP_SHIB_EP_ENTITLEMENT attribute towards this service<br>"
302         if error_mail:
303             error = error + "Your idP should release the HTTP_SHIB_INETORGPERSON_MAIL attribute towards this service"
304         if error_username or error_orgname or error_entitlement or error_mail:
305             return render_to_response('error.html', {'error': error, "missing_attributes": True},
306                                   context_instance=RequestContext(request))
307         try:
308             user = User.objects.get(username__exact=username)
309             user.email = mail
310             user.first_name = firstname
311             user.last_name = lastname
312             user.save()
313             user_exists = True
314         except:
315             user_exists = False
316         user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
317         if user is not None:
318             try:
319                 peer = Peer.objects.get(domain_name=organization)
320                 up = UserProfile.objects.get_or_create(user=user,peer=peer)
321             except:
322                 error = "Your organization's domain name does not match our peers' domain names<br>Please contact Helpdesk to resolve this issue"
323                 return render_to_response('error.html', {'error': error})
324             if not user_exists:
325                 user_activation_notify(user)
326             if user.is_active:
327                login(request, user)
328                return HttpResponseRedirect(reverse("group-routes"))
329             else:
330                 error = "User account <strong>%s</strong> is pending activation. Administrators have been notified and will activate this account within the next days. <br>If this account has remained inactive for a long time contact your technical coordinator or GRNET Helpdesk" %user.username
331                 return render_to_response('error.html', {'error': error, 'inactive': True},
332                                   context_instance=RequestContext(request))
333         else:
334             error = "Something went wrong during user authentication. Contact your administrator"
335             return render_to_response('error.html', {'error': error,},
336                                   context_instance=RequestContext(request))
337     except Exception:
338         error = "Invalid login procedure"
339         return render_to_response('error.html', {'error': error,},
340                                   context_instance=RequestContext(request))
341         # Return an 'invalid login' error message.
342 #    return HttpResponseRedirect(reverse("user-routes"))
343
344 def user_activation_notify(user):
345     current_site = Site.objects.get_current()
346     subject = render_to_string('registration/activation_email_subject.txt',
347                                    { 'site': current_site })
348     # Email subject *must not* contain newlines
349     subject = ''.join(subject.splitlines())
350     registration_profile = RegistrationProfile.objects.create_profile(user)
351     message = render_to_string('registration/activation_email.txt',
352                                    { 'activation_key': registration_profile.activation_key,
353                                      'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS,
354                                      'site': current_site,
355                                      'user': user })
356     send_new_mail(settings.EMAIL_SUBJECT_PREFIX + subject, 
357                               message, settings.SERVER_EMAIL,
358                              get_peer_techc_mails(user), [])
359
360 @login_required
361 @never_cache
362 def add_rate_limit(request):
363     if request.method == "GET":
364         form = ThenPlainForm()
365         return render_to_response('add_rate_limit.html', {'form': form,},
366                                   context_instance=RequestContext(request))
367
368     else:
369         form = ThenPlainForm(request.POST)
370         if form.is_valid():
371             then=form.save(commit=False)
372             then.action_value = "%sk"%then.action_value
373             then.save()
374             response_data = {}
375             response_data['pk'] = "%s" %then.pk
376             response_data['value'] = "%s:%s" %(then.action, then.action_value)
377             return HttpResponse(json.dumps(response_data), mimetype='application/json')
378         else:
379             return render_to_response('add_rate_limit.html', {'form': form,},
380                                       context_instance=RequestContext(request))
381
382 @login_required
383 @never_cache
384 def add_port(request):
385     if request.method == "GET":
386         form = PortPlainForm()
387         return render_to_response('add_port.html', {'form': form,},
388                                   context_instance=RequestContext(request))
389
390     else:
391         form = PortPlainForm(request.POST)
392         if form.is_valid():
393             port=form.save()
394             response_data = {}
395             response_data['value'] = "%s" %port.pk
396             response_data['text'] = "%s" %port.port
397             return HttpResponse(json.dumps(response_data), mimetype='application/json')
398         else:
399             return render_to_response('add_port.html', {'form': form,},
400                                       context_instance=RequestContext(request))
401
402 @login_required
403 @never_cache
404 def user_logout(request):
405     logout(request)
406     return HttpResponseRedirect(reverse('group-routes'))
407     
408 @never_cache
409 def load_jscript(request, file):
410     long_polling_timeout = int(settings.POLL_SESSION_UPDATE)*1000 + 10000
411     return render_to_response('%s.js' % file, {'timeout': long_polling_timeout}, context_instance=RequestContext(request), mimetype="text/javascript")
412
413
414 def get_peer_techc_mails(user):
415     mail = []
416     additional_mail = []
417     techmails_list = []
418     user_mail = "%s" %user.email
419     user_mail = user_mail.split(';')
420     techmails = user.get_profile().peer.techc_emails.all()
421     if techmails:
422         for techmail in techmails:
423             techmails_list.append(techmail.email)
424     if settings.NOTIFY_ADMIN_MAILS:
425         additional_mail = settings.NOTIFY_ADMIN_MAILS
426 #    mail.extend(user_mail)
427     mail.extend(additional_mail)
428     mail.extend(techmails_list)
429     return mail
430
431
432 def send_new_mail(subject, message, from_email, recipient_list, bcc_list):
433     return EmailMessage(subject, message, from_email, recipient_list, bcc_list).send()
434
Unnamed repository; edit this file 'description' to name the repository.