Firewall on Demand

from tastypie.resources import ModelResource

from flowspy.flowspec.models import *

from tastypie import fields

from django.contrib.auth.models import User

from flowspy.accounts.models import *

from tastypie.authentication import BasicAuthentication

from tastypie.authorization import Authorization

from flowspy.djangobackends.restauthBackend import restauthBackend

from django.template.loader import render_to_string

from django import forms

from flowspy.flowspec.forms import *

from ipaddr import * 

from flowspy.flowspec.views import send_new_mail as new_mail

from flowspy.flowspec.views import get_peer_techc_mails as get_peer_techcs_contact

from django.conf import settings

from django.core.exceptions import ObjectDoesNotExist

from tastypie.exceptions import *

from tastypie import http

import logging

import datetime

from django.shortcuts import get_object_or_404

from copy import deepcopy

LOG_FILENAME = os.path.join(settings.LOG_FILE_LOCATION, 'celery_jobs.log')

#FORMAT = '%(asctime)s %(levelname)s: %(message)s'

#logging.basicConfig(format=FORMAT)

formatter = logging.Formatter('%(asctime)s %(levelname)s %(clientip)s %(user)s: %(message)s')

logger = logging.getLogger(__name__)

logger.setLevel(logging.DEBUG)

handler = logging.FileHandler(LOG_FILENAME)

handler.setFormatter(formatter)

logger.addHandler(handler)

class SourcePortRes(ModelResource):

    class Meta:

        queryset = MatchPort.objects.all()

        resource_name = 'sourceport'

        fields = ['port']

        allowed_methods = ['get']

class DestPortRes(ModelResource):

    class Meta:

        queryset = MatchPort.objects.all()

        resource_name = 'destinationport'

        fields = ['port']

        allowed_methods = ['get']

class PortRes(ModelResource):

    class Meta:

        queryset = MatchPort.objects.all()

        resource_name = 'port'

        fields = ['port']

        allowed_methods = ['get']        

class ThenResource(ModelResource):

    class Meta:

        queryset = ThenAction.objects.all()

        resource_name = 'then'

        allowed_methods = ['get']

        fields = ['action', 'action_value']

class RuleResource(ModelResource):

    name = fields.CharField(attribute='name')

    sourceport = fields.ManyToManyField(SourcePortRes, 'sourceport', full=True, null=True)

    destinationport = fields.ManyToManyField(DestPortRes, 'destinationport', full=True, null=True)

    then = fields.ManyToManyField(ThenResource, 'then', full=True, null=True)

    port = fields.ManyToManyField(PortRes, 'port', full=True, null=True)

    def get_object_list(self, request):

        group_routes = []

        user = request.user

        peer = user.get_profile().peer

        if peer:

            peer_members = UserProfile.objects.filter(peer=peer)

            users = [prof.user for prof in peer_members]

        return super(RuleResource, self).get_object_list(request).filter(applier__in=users)

    def obj_create(self, bundle, request=None, **kwargs):

        then_list = []

        sourceport_list = []

        destport_list = []

        port_list = []

        bundle.obj = self._meta.object_class()

        for key, value in kwargs.items():

            setattr(bundle.obj, key, value)

        bundle = self.full_hydrate(bundle)

        m2m_bundle = self.hydrate_m2m(bundle)

        then_action_dict = m2m_bundle.data['then'][0].obj.__dict__

        then_action_pk = ThenAction.objects.get(action=then_action_dict['action'], action_value=then_action_dict['action_value']).pk

        then_list.append(then_action_pk)

        try:

            sourceport_dict = m2m_bundle.data['sourceport']

        except:

            sourceport_dict = None

        if sourceport_dict:

            for sp in sourceport_dict:

                sourceport_pk = get_port_pk_or_create(sp)

                sourceport_list.append(sourceport_pk)

        try:

            destport_dict = m2m_bundle.data['destinationport']

        except:

            destport_dict = None

        if destport_dict:

            for dp in destport_dict:

                destport_pk = get_port_pk_or_create(dp)

                destport_list.append(destport_pk)

        try:

            port_dict = m2m_bundle.data['port']

        except:

            port_dict = None

        if port_dict:

            for prt in port_dict:

                port_pk = get_port_pk_or_create(prt) 

                port_list.append(port_pk)

        datadict = bundle.obj.__dict__

        datadict['applier'] =  request.user.pk

        datadict['comments'] =  "%s: %s" %("Submitted via REST API", datadict['comments'])

        datadict['then'] =  then_list

        datadict['sourceport'] =  sourceport_list

        datadict['destinationport'] =  destport_list

        datadict['port'] =  port_list

        form = RouteForm(data=datadict)

        if form.is_valid():

            route=form.save(commit=False)

            route.applier = request.user

            route.status = "PENDING"

            route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed

            route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed

            route.save()

            form.save_m2m()

            route.commit_add()

            requesters_address = request.META['HTTP_X_FORWARDED_FOR']

            mail_body = render_to_string("rule_add_mail.txt",

                                             {"route": route, "address": requesters_address})

            user_mail = "%s" %route.applier.email

            user_mail = user_mail.split(';')

            new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s creation request submitted by %s via REST api" %(route.name, route.applier.username),

                              mail_body, settings.SERVER_EMAIL, user_mail,

                              get_peer_techcs_contact(route.applier))

            d = { 'clientip' : "REST_API: %s" %requesters_address, 'user' : route.applier.username }

            logger.info(mail_body, extra=d)

        else:

            raise ApiFieldError("ERRORS %s %s" %(form.errors, form.__dict__))

        return bundle

    def obj_delete(self, request=None, **kwargs):

        obj = kwargs.pop('pk', None)

        if obj:

            try:

                route = Route.objects.get(pk=obj)

            except:

                raise NotFound("A model instance matching the provided arguments could not be found.")

            applier_peer = route.applier.get_profile().peer

            requester_peer = request.user.get_profile().peer

            if applier_peer == requester_peer:

                route.status = "PENDING"

                route.expires = datetime.date.today()

                route.save()

                route.commit_delete()

                requesters_address = request.META['HTTP_X_FORWARDED_FOR']

                mail_body = render_to_string("rule_delete_mail.txt",

                                                 {"route": route, "address": requesters_address})

                user_mail = "%s" %route.applier.email

                user_mail = user_mail.split(';')

                new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s removal request submitted by %s" %(route.name, route.applier.username), 

                                  mail_body, settings.SERVER_EMAIL, user_mail,

                                 get_peer_techcs_contact(route.applier))

                d = { 'clientip' : "REST_API: %s" %requesters_address, 'user' : route.applier.username }

                logger.info(mail_body, extra=d)

            else:

                raise NotFound("A model instance matching the provided arguments could not be found.")

        else:

            raise NotFound("A model instance matching the provided arguments could not be found.")

    def delete_list(self, request, **kwargs):

        return http.HttpForbidden()

    def obj_update(self, bundle, request=None, **kwargs):

        then_list = []

        sourceport_list = []

        destport_list = []

        port_list = []

        applier = request.user.pk

        applier_peer = request.user.get_profile().peer

        route_edit = get_object_or_404(Route, pk=kwargs['pk'])

        route_edit_applier_peer = route_edit.applier.get_profile().peer

        if applier_peer != route_edit_applier_peer:

            return http.HttpForbidden()

        route_original = deepcopy(route_edit)

        if not bundle.obj or not bundle.obj.pk:

            try:

                bundle.obj = self.get_object_list(request).model()

                bundle.data.update(kwargs)

                bundle = self.full_hydrate(bundle)

                lookup_kwargs = kwargs.copy()

                for key in kwargs.keys():

                    if key == 'pk':

                        continue

                    elif getattr(bundle.obj, key, NOT_AVAILABLE) is not NOT_AVAILABLE:

                        lookup_kwargs[key] = getattr(bundle.obj, key)

                    else:

                        del lookup_kwargs[key]

            except:

                # if there is trouble hydrating the data, fall back to just

                # using kwargs by itself (usually it only contains a "pk" key

                # and this will work fine.

                lookup_kwargs = kwargs

            try:

                bundle.obj = self.obj_get(request, **lookup_kwargs)

            except ObjectDoesNotExist:

                raise NotFound("A model instance matching the provided arguments could not be found.")

        bundle = self.full_hydrate(bundle)

        m2m_bundle = self.hydrate_m2m(bundle)

        try:

            then_action_dict = m2m_bundle.data['then'][0].obj.__dict__

            then_action_pk = ThenAction.objects.get(action=then_action_dict['action'], action_value=then_action_dict['action_value']).pk

            then_list.append(then_action_pk)

        except:

            then_list.extend([x.pk for x in route_edit.then.all() if x])

        try:

            sourceport_dict = m2m_bundle.data['sourceport']

        except:

            sourceport_dict = None

        if sourceport_dict:

            for sp in sourceport_dict:

                sourceport_pk = get_port_pk_or_create(sp)

                sourceport_list.append(sourceport_pk)

        else:

             sourceport_list.extend([x.pk for x in route_edit.sourceport.all() if x])

        try:

            destport_dict = m2m_bundle.data['destinationport']

        except:

            destport_dict = None

        if destport_dict:

            for dp in destport_dict:

                destport_pk = get_port_pk_or_create(dp)

                destport_list.append(destport_pk)

        else:

             destport_list.extend([x.pk for x in route_edit.destinationport.all() if x])

        try:

            port_dict = m2m_bundle.data['port']

        except:

            port_dict = None

        if port_dict:

            for prt in port_dict:

                port_pk = get_port_pk_or_create(prt)

                port_list.append(port_pk)

        else:

            port_list.extend([x.pk for x in route_edit.port.all() if x])

        datadict = bundle.obj.__dict__

        datadict['applier'] =  request.user.pk

        comment_text = "Submitted via REST API"

        if comment_text not in datadict['comments']:

            datadict['comments'] =  "%s: %s" %("Submitted via REST API", datadict['comments'])

        datadict['then'] =  then_list

        datadict['sourceport'] =  sourceport_list

        datadict['destinationport'] =  destport_list

        datadict['port'] =  port_list

        datadict['name'] =  route_edit.name

        datadict['expires'] = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)

        form = RouteForm(data=datadict, instance = route_edit)

        if form.is_valid():

            route=form.save(commit=False)

            route.name = route_original.name

            route.applier = request.user

            route.status = "PENDING"

            route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed

            route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed

            route.save()

            form.save_m2m()

            route.commit_edit()

            requesters_address = request.META['HTTP_X_FORWARDED_FOR']

            mail_body = render_to_string("rule_edit_mail.txt",

                                             {"route": route, "address": requesters_address})

            user_mail = "%s" %route.applier.email

            user_mail = user_mail.split(';')

            new_mail(settings.EMAIL_SUBJECT_PREFIX + "Rule %s edit request submitted by %s via REST api" %(route.name, route.applier.username),

                              mail_body, settings.SERVER_EMAIL, user_mail,

                              get_peer_techcs_contact(route.applier))

            d = { 'clientip' : "REST_API: %s" %requesters_address, 'user' : route.applier.username }

            logger.info(mail_body, extra=d)

        else:

            raise ApiFieldError("ERRORS %s %s" %(form.errors, form.__dict__))

        return bundle

    class Meta:

        queryset = Route.objects.all()

        default_format = "application/json"

        resource_name = 'rule'

        allowed_methods = ['get', 'post', 'delete', 'put']

        fields = ['comments', 'source', 'destination', 'expires', 'status', 'id', 'sourceport', 'destinationport', 'then']

        authentication = BasicAuthentication(restauthBackend())

        authorization= Authorization()

def get_port_pk_or_create(prt):

    try:

        port_pk = MatchPort.objects.get(port=prt.obj.__dict__['port']).pk

    except:

        try:

            assert (int(prt.obj.__dict__['port']))

            mp = MatchPort(port=int(int(prt.obj.__dict__['port'])))

            mp.save()

            port_pk=mp.pk

        except:

            raise ApiFieldError("Port should be an integer")

    return port_pk