X-Git-Url: https://code.grnet.gr/git/flowspy/blobdiff_plain/052c14aae9f075e11f6e055951fb4e8034e89ef0..1698da77c6ed2a08d5f3990e02d23fbfffe35d11:/flowspec/views.py?ds=sidebyside
diff --git a/flowspec/views.py b/flowspec/views.py
index ff40f8b..ff8f21a 100644
--- a/flowspec/views.py
+++ b/flowspec/views.py
@@ -7,15 +7,19 @@ from django.views.decorators.csrf import csrf_exempt
from django.core import urlresolvers
from django.core import serializers
from django.contrib.auth.decorators import login_required
+from django.contrib.auth import logout
+from django.contrib.sites.models import Site
+from django.contrib.auth.models import User
from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse
from django.shortcuts import get_object_or_404, render_to_response
from django.core.context_processors import request
from django.template.context import RequestContext
from django.template.loader import get_template, render_to_string
-from django.utils import simplejson
+from django.utils.translation import ugettext as _
from django.core.urlresolvers import reverse
from django.contrib import messages
from flowspy.accounts.models import *
+from ipaddr import *
from django.contrib.auth import authenticate, login
@@ -23,17 +27,29 @@ from django.forms.models import model_to_dict
from flowspy.flowspec.forms import *
from flowspy.flowspec.models import *
+from flowspy.peers.models import *
+
+from registration.models import RegistrationProfile
from copy import deepcopy
from flowspy.utils.decorators import shib_required
-import datetime
from django.views.decorators.cache import never_cache
from django.conf import settings
-from django.core.mail import mail_admins, mail_managers, send_mail
+from django.core.mail.message import EmailMessage
+import datetime
+import os
+LOG_FILENAME = os.path.join(settings.LOG_FILE_LOCATION, 'celery_jobs.log')
+#FORMAT = '%(asctime)s %(levelname)s: %(message)s'
+#logging.basicConfig(format=FORMAT)
+formatter = logging.Formatter('%(asctime)s %(levelname)s %(clientip)s %(user)s: %(message)s')
-def days_offset(): return datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.DEBUG)
+handler = logging.FileHandler(LOG_FILENAME)
+handler.setFormatter(formatter)
+logger.addHandler(handler)
@login_required
def user_routes(request):
@@ -48,12 +64,18 @@ def welcome(request):
@never_cache
def group_routes(request):
group_routes = []
- peer = request.user.get_profile().peer
+ try:
+ peer = request.user.get_profile().peer
+ except UserProfile.DoesNotExist:
+ error = "User %s does not belong to any peer or organization. It is not possible to create new firewall rules.
Please contact Helpdesk to resolve this issue" % request.user.username
+ return render_to_response('error.html', {'error': error}, context_instance=RequestContext(request))
if peer:
peer_members = UserProfile.objects.filter(peer=peer)
users = [prof.user for prof in peer_members]
group_routes = Route.objects.filter(applier__in=users)
- return render_to_response('user_routes.html', {'routes': group_routes},
+ if request.user.is_superuser:
+ group_routes = Route.objects.all()
+ return render_to_response('user_routes.html', {'routes': group_routes},
context_instance=RequestContext(request))
@@ -64,29 +86,55 @@ def add_route(request):
applier_peer_networks = request.user.get_profile().peer.networks.all()
if not applier_peer_networks:
messages.add_message(request, messages.WARNING,
- "Insufficient rights on administrative networks. Cannot add rule. Contact your administrator")
+ _("Insufficient rights on administrative networks. Cannot add rule. Contact your administrator"))
return HttpResponseRedirect(reverse("group-routes"))
if request.method == "GET":
- form = RouteForm()
+ form = RouteForm(initial={'applier': applier})
+ if not request.user.is_superuser:
+ form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
+ form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
return render_to_response('apply.html', {'form': form, 'applier': applier},
context_instance=RequestContext(request))
else:
- form = RouteForm(request.POST)
+ request_data = request.POST.copy()
+ if request.user.is_superuser:
+ request_data['issuperuser'] = request.user.username
+ else:
+ request_data['applier'] = applier
+ try:
+ del requset_data['issuperuser']
+ except:
+ pass
+ form = RouteForm(request_data)
if form.is_valid():
route=form.save(commit=False)
- route.applier = request.user
- route.expires = days_offset()
+ if not request.user.is_superuser:
+ route.applier = request.user
route.status = "PENDING"
+ route.response = "Applying"
+ route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
+ route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
route.save()
form.save_m2m()
route.commit_add()
- mail_body = render_to_string("rule_add_mail.txt",
- {"route": route})
- mail_admins("Rule %s creation request submitted by %s" %(route.name, route.applier.username),
- mail_body, fail_silently=True)
+ requesters_address = request.META['HTTP_X_FORWARDED_FOR']
+ fqdn = Site.objects.get_current().domain
+ admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
+ mail_body = render_to_string("rule_action.txt",
+ {"route": route, "address": requesters_address, "action": "creation", "url": admin_url})
+ user_mail = "%s" %route.applier.email
+ user_mail = user_mail.split(';')
+ send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s creation request submitted by %s" %(route.name, route.applier.username),
+ mail_body, settings.SERVER_EMAIL, user_mail,
+ get_peer_techc_mails(route.applier))
+ d = { 'clientip' : "%s"%requesters_address, 'user' : route.applier.username }
+ logger.info(mail_body, extra=d)
return HttpResponseRedirect(reverse("group-routes"))
else:
+ if not request.user.is_superuser:
+ form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
+ form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
return render_to_response('apply.html', {'form': form, 'applier':applier},
context_instance=RequestContext(request))
@@ -97,46 +145,86 @@ def edit_route(request, route_slug):
applier_peer = request.user.get_profile().peer
route_edit = get_object_or_404(Route, name=route_slug)
route_edit_applier_peer = route_edit.applier.get_profile().peer
- if applier_peer != route_edit_applier_peer:
- messages.add_message(request, messages.WARNING,
- "Insufficient rights to edit rule %s" %(route_slug))
- return HttpResponseRedirect(reverse("group-routes"))
- if route_edit.status == "ADMININACTIVE" :
- messages.add_message(request, messages.WARNING,
- "Administrator has disabled editing of rule %s" %(route_slug))
- return HttpResponseRedirect(reverse("group-routes"))
- if route_edit.status == "EXPIRED" :
+ if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
messages.add_message(request, messages.WARNING,
- "Cannot edit the expired rule %s. Contact helpdesk to enable it" %(route_slug))
+ _("Insufficient rights to edit rule %s") %(route_slug))
return HttpResponseRedirect(reverse("group-routes"))
+# if route_edit.status == "ADMININACTIVE" :
+# messages.add_message(request, messages.WARNING,
+# "Administrator has disabled editing of rule %s" %(route_slug))
+# return HttpResponseRedirect(reverse("group-routes"))
+# if route_edit.status == "EXPIRED" :
+# messages.add_message(request, messages.WARNING,
+# "Cannot edit the expired rule %s. Contact helpdesk to enable it" %(route_slug))
+# return HttpResponseRedirect(reverse("group-routes"))
if route_edit.status == "PENDING" :
messages.add_message(request, messages.WARNING,
- "Cannot edit a pending rule: %s." %(route_slug))
+ _("Cannot edit a pending rule: %s.") %(route_slug))
return HttpResponseRedirect(reverse("group-routes"))
route_original = deepcopy(route_edit)
if request.POST:
- form = RouteForm(request.POST, instance = route_edit)
+ request_data = request.POST.copy()
+ if request.user.is_superuser:
+ request_data['issuperuser'] = request.user.username
+ else:
+ request_data['applier'] = applier
+ try:
+ del request_data['issuperuser']
+ except:
+ pass
+ form = RouteForm(request_data, instance = route_edit)
+ critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
if form.is_valid():
+ changed_data = form.changed_data
route=form.save(commit=False)
route.name = route_original.name
- route.applier = request.user
- route.expires = route_original.expires
- route.status = "PENDING"
+ route.status = route_original.status
+ route.response = route_original.response
+ if not request.user.is_superuser:
+ route.applier = request.user
+ if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
+ route.status = "PENDING"
+ route.response = "Applying"
+ route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
+ route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
route.save()
- form.save_m2m()
- route.commit_edit()
- mail_body = render_to_string("rule_edit_mail.txt",
- {"route": route})
- mail_admins("Rule %s edit request submitted by %s" %(route.name, route.applier.username),
- mail_body, fail_silently=True)
+ if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
+ form.save_m2m()
+ route.commit_edit()
+ requesters_address = request.META['HTTP_X_FORWARDED_FOR']
+ fqdn = Site.objects.get_current().domain
+ admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
+ mail_body = render_to_string("rule_action.txt",
+ {"route": route, "address": requesters_address, "action": "edit", "url": admin_url})
+ user_mail = "%s" %route.applier.email
+ user_mail = user_mail.split(';')
+ send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s edit request submitted by %s" %(route.name, route.applier.username),
+ mail_body, settings.SERVER_EMAIL, user_mail,
+ get_peer_techc_mails(route.applier))
+ d = { 'clientip' : requesters_address, 'user' : route.applier.username }
+ logger.info(mail_body, extra=d)
return HttpResponseRedirect(reverse("group-routes"))
else:
+ if not request.user.is_superuser:
+ form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
+ form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
context_instance=RequestContext(request))
else:
+ if (not route_original.status == 'ACTIVE'):
+ route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
dictionary = model_to_dict(route_edit, fields=[], exclude=[])
- #form = RouteForm(instance=route_edit)
+ if request.user.is_superuser:
+ dictionary['issuperuser'] = request.user.username
+ else:
+ try:
+ del dictionary['issuperuser']
+ except:
+ pass
form = RouteForm(dictionary)
+ if not request.user.is_superuser:
+ form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
+ form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
context_instance=RequestContext(request))
@@ -147,13 +235,26 @@ def delete_route(request, route_slug):
route = get_object_or_404(Route, name=route_slug)
applier_peer = route.applier.get_profile().peer
requester_peer = request.user.get_profile().peer
- if applier_peer == requester_peer:
+ if applier_peer == requester_peer or request.user.is_superuser:
route.status = "PENDING"
+ route.expires = datetime.date.today()
+ if not request.user.is_superuser:
+ route.applier = request.user
+ route.response = "Suspending"
+ route.save()
route.commit_delete()
- mail_body = render_to_string("rule_delete_mail.txt",
- {"route": route})
- mail_admins("Rule %s removal request submitted by %s" %(route.name, route.applier.username),
- mail_body, fail_silently=True)
+ requesters_address = request.META['HTTP_X_FORWARDED_FOR']
+ fqdn = Site.objects.get_current().domain
+ admin_url = "https://%s%s" % (fqdn, "/fod/edit/%s"%route.name)
+ mail_body = render_to_string("rule_action.txt",
+ {"route": route, "address": requesters_address, "action": "removal", "url": admin_url})
+ user_mail = "%s" %route.applier.email
+ user_mail = user_mail.split(';')
+ send_new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s removal request submitted by %s" %(route.name, route.applier.username),
+ mail_body, settings.SERVER_EMAIL, user_mail,
+ get_peer_techc_mails(route.applier))
+ d = { 'clientip' : requesters_address, 'user' : route.applier.username }
+ logger.info(mail_body, extra=d)
html = "