Refined administrator privileges and actions on users' rules

88a6afb7 · Leonidas Poulopoulos · 3d81901c · 88a6afb7 · 88a6afb7 · 88a6afb7
Commit 88a6afb7 authored Mar 16, 2012 by Leonidas Poulopoulos
--- a/flowspec/forms.py
+++ b/flowspec/forms.py
@@ -26,7 +26,14 @@ class RouteForm(forms.ModelForm):

    class Meta:
        model = Route
-    
+
+    def clean_applier(self):
+        applier = self.cleaned_data['applier']
+        if applier:
+            return self.cleaned_data["applier"]
+        else:
+            raise forms.ValidationError('This field is required.')
+
    def clean_source(self):
        user = User.objects.get(pk=self.data['applier'])
        peer = user.get_profile().peer
@@ -107,9 +114,14 @@ class RouteForm(forms.ModelForm):
        destinationports = self.cleaned_data.get('destinationport', None)
        protocols = self.cleaned_data.get('protocol', None)
        user = self.cleaned_data.get('applier', None)
+        try:
+            issuperuser = self.data['issuperuser']
+            su = User.objects.get(username=issuperuser)
+        except:
+            issuperuser = None
        peer = user.get_profile().peer
        networks = peer.networks.all()
-        if user.is_superuser:
+        if issuperuser:
            networks = PeerRange.objects.filter(peer__in=Peer.objects.all()).distinct()
        mynetwork = False
        route_pk_list = []
@@ -119,7 +131,7 @@ class RouteForm(forms.ModelForm):
                if IPNetwork(destination) in net:
                    mynetwork = True
            if not mynetwork:
-                 raise forms.ValidationError('Destination address/network should belong to your administrative address space. Check My Profile to review your networks')
+                raise forms.ValidationError('Destination address/network should belong to your administrative address space. Check My Profile to review your networks')
        if (sourceports and ports):
            raise forms.ValidationError('Cannot create rule for source ports and ports at the same time. Select either ports or source ports')
        if (destinationports and ports):

--- a/flowspec/views.py
+++ b/flowspec/views.py
@@ -72,6 +72,8 @@ def group_routes(request):
       peer_members = UserProfile.objects.filter(peer=peer)
       users = [prof.user for prof in peer_members]
       group_routes = Route.objects.filter(applier__in=users)
+       if request.user.is_superuser:
+           group_routes = Route.objects.all()
       return render_to_response('user_routes.html', {'routes': group_routes},
                              context_instance=RequestContext(request))

@@ -86,7 +88,7 @@ def add_route(request):
                             "Insufficient rights on administrative networks. Cannot add rule. Contact your administrator")
         return HttpResponseRedirect(reverse("group-routes"))
    if request.method == "GET":
-        form = RouteForm()
+        form = RouteForm(initial={'applier': applier})
        if not request.user.is_superuser:
            form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
            form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
@@ -94,10 +96,19 @@ def add_route(request):
                                  context_instance=RequestContext(request))

    else:
-        form = RouteForm(request.POST)
+        request_data = request.POST.copy()
+        if request.user.is_superuser:
+            request_data['issuperuser'] = request.user.username
+        else:
+            try:
+                del requset_data['issuperuser']
+            except:
+                pass
+        form = RouteForm(request_data)
        if form.is_valid():
            route=form.save(commit=False)
-            route.applier = request.user
+            if not request.user.is_superuser:
+                route.applier = request.user
            route.status = "PENDING"
            route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
            route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
@@ -116,6 +127,9 @@ def add_route(request):
            logger.info(mail_body, extra=d)
            return HttpResponseRedirect(reverse("group-routes"))
        else:
+            if not request.user.is_superuser:
+                form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
+                form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
            return render_to_response('apply.html', {'form': form, 'applier':applier},
                                      context_instance=RequestContext(request))

@@ -126,7 +140,7 @@ def edit_route(request, route_slug):
    applier_peer = request.user.get_profile().peer
    route_edit = get_object_or_404(Route, name=route_slug)
    route_edit_applier_peer = route_edit.applier.get_profile().peer
-    if applier_peer != route_edit_applier_peer:
+    if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
        messages.add_message(request, messages.WARNING,
                             "Insufficient rights to edit rule %s" %(route_slug))
        return HttpResponseRedirect(reverse("group-routes"))
@@ -144,7 +158,15 @@ def edit_route(request, route_slug):
        return HttpResponseRedirect(reverse("group-routes"))
    route_original = deepcopy(route_edit)
    if request.POST:
-        form = RouteForm(request.POST, instance = route_edit)
+        request_data = request.POST.copy()
+        if request.user.is_superuser:
+            request_data['issuperuser'] = request.user.username
+        else:
+            try:
+                del request_data['issuperuser']
+            except:
+                pass
+        form = RouteForm(request_data, instance = route_edit)
        critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
        if form.is_valid():
            changed_data = form.changed_data
@@ -152,10 +174,11 @@ def edit_route(request, route_slug):
            route.name = route_original.name
            route.status = route_original.status
            route.response = route_original.response
-            route.applier = request.user
+            if not request.user.is_superuser:
+                route.applier = request.user
            if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
                route.status = "PENDING"
-                route.response = "Committing..."
+                route.response = "Applying..."
                route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
                route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
            route.save()
@@ -174,11 +197,22 @@ def edit_route(request, route_slug):
                logger.info(mail_body, extra=d)
            return HttpResponseRedirect(reverse("group-routes"))
        else:
+            if not request.user.is_superuser:
+                form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
+                form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
            return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
                                      context_instance=RequestContext(request))
    else:
+        if (not route_original.status == 'ACTIVE'):
+            route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
        dictionary = model_to_dict(route_edit, fields=[], exclude=[])
-        #form = RouteForm(instance=route_edit)
+        if request.user.is_superuser:
+            dictionary['issuperuser'] = request.user.username
+        else:
+            try:
+                del dictionary['issuperuser']
+            except:
+                pass
        form = RouteForm(dictionary)
        if not request.user.is_superuser:
            form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
@@ -193,10 +227,11 @@ def delete_route(request, route_slug):
        route = get_object_or_404(Route, name=route_slug)
        applier_peer = route.applier.get_profile().peer
        requester_peer = request.user.get_profile().peer
-        if applier_peer == requester_peer:
+        if applier_peer == requester_peer or request.user.is_superuser:
            route.status = "PENDING"
            route.expires = datetime.date.today()
-            route.applier = request.user
+            if not request.user.is_superuser:
+                route.applier = request.user
            route.response = "Suspending..."
            route.save()
            route.commit_delete()
@@ -209,7 +244,7 @@ def delete_route(request, route_slug):
                              mail_body, settings.SERVER_EMAIL, user_mail,
                             get_peer_techc_mails(route.applier))
            d = { 'clientip' : requesters_address, 'user' : route.applier.username }
-            logger.info(mail_body, extra=d)            
+            logger.info(mail_body, extra=d)
        html = "<html><body>Done</body></html>"
        return HttpResponse(html)
    else:

--- a/templates/apply.html
+++ b/templates/apply.html
@@ -256,11 +256,29 @@ div.roundbox, #portsacc, #id_comments{
                    </p>
                </div>
            </fieldset>
+            {% if user.is_superuser %}
+            <fieldset>
+                <legend>
+                    {% trans "Admin Options" %}
+                </legend>
+                 <div class="roundbox">
+                    {{ form.applier.label_tag }}{{ form.applier }}
+                    <br>
+                    {% if form.applier.errors %}
+                    <br>
+                    <p class="error" style="clear:both;">
+                        {{ form.applier.errors|join:", " }}
+                    </p>
+                    {% endif %}
+                </div>
+                </fieldset>
+                {% else %}
+                 <input type="hidden" id="id_applier" name="applier" value="{{applier}}"/>
+                {% endif %}
            <fieldset>
                <legend>
                    {% trans "Rule Match Conditions" %}
                </legend>
-                <input type="hidden" id="id_applier" name="applier" value="{{applier}}"/>
                <div class="roundbox">
                    {{ form.source.label_tag }}{{ form.source }}<img src="/static/threat_source.png"/> {% if form.source.errors %}
                    <br>