Commit 88a6afb7 authored by Leonidas Poulopoulos's avatar Leonidas Poulopoulos

Refined administrator privileges and actions on users' rules

parent 3d81901c
...@@ -26,7 +26,14 @@ class RouteForm(forms.ModelForm): ...@@ -26,7 +26,14 @@ class RouteForm(forms.ModelForm):
class Meta: class Meta:
model = Route model = Route
def clean_applier(self):
applier = self.cleaned_data['applier']
if applier:
return self.cleaned_data["applier"]
else:
raise forms.ValidationError('This field is required.')
def clean_source(self): def clean_source(self):
user = User.objects.get(pk=self.data['applier']) user = User.objects.get(pk=self.data['applier'])
peer = user.get_profile().peer peer = user.get_profile().peer
...@@ -107,9 +114,14 @@ class RouteForm(forms.ModelForm): ...@@ -107,9 +114,14 @@ class RouteForm(forms.ModelForm):
destinationports = self.cleaned_data.get('destinationport', None) destinationports = self.cleaned_data.get('destinationport', None)
protocols = self.cleaned_data.get('protocol', None) protocols = self.cleaned_data.get('protocol', None)
user = self.cleaned_data.get('applier', None) user = self.cleaned_data.get('applier', None)
try:
issuperuser = self.data['issuperuser']
su = User.objects.get(username=issuperuser)
except:
issuperuser = None
peer = user.get_profile().peer peer = user.get_profile().peer
networks = peer.networks.all() networks = peer.networks.all()
if user.is_superuser: if issuperuser:
networks = PeerRange.objects.filter(peer__in=Peer.objects.all()).distinct() networks = PeerRange.objects.filter(peer__in=Peer.objects.all()).distinct()
mynetwork = False mynetwork = False
route_pk_list = [] route_pk_list = []
...@@ -119,7 +131,7 @@ class RouteForm(forms.ModelForm): ...@@ -119,7 +131,7 @@ class RouteForm(forms.ModelForm):
if IPNetwork(destination) in net: if IPNetwork(destination) in net:
mynetwork = True mynetwork = True
if not mynetwork: if not mynetwork:
raise forms.ValidationError('Destination address/network should belong to your administrative address space. Check My Profile to review your networks') raise forms.ValidationError('Destination address/network should belong to your administrative address space. Check My Profile to review your networks')
if (sourceports and ports): if (sourceports and ports):
raise forms.ValidationError('Cannot create rule for source ports and ports at the same time. Select either ports or source ports') raise forms.ValidationError('Cannot create rule for source ports and ports at the same time. Select either ports or source ports')
if (destinationports and ports): if (destinationports and ports):
......
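Review bot: The admin bypass at `if issuperuser:` in the second hunk is decided by the `issuperuser` username read from `self.data`, and the lookup `su = User.objects.get(username=issuperuser)` only confirms that a user with that name exists — `su.is_superuser` is never checked and `su` is not used afterwards, so any existing username satisfies the condition and the form then validates the destination against every PeerRange instead of the applier's peer. Because this form is where the decision is finally made, it should verify the privilege itself instead of relying on every caller having removed the key from the POST data, and the bare `except:` should be narrowed to the two expected failures rather than also hiding database errors. The enclosing clean method starts and ends outside the hunk.
```python
        # … unchanged: sourceports / destinationports / protocols / user …
        try:
            su = User.objects.get(username=self.data['issuperuser'], is_superuser=True)
        except (KeyError, User.DoesNotExist):
            su = None
        peer = user.get_profile().peer
        networks = peer.networks.all()
        if su is not None:
            networks = PeerRange.objects.filter(peer__in=Peer.objects.all()).distinct()
        # … unchanged: mynetwork loop and remaining validation checks …
```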
...@@ -72,6 +72,8 @@ def group_routes(request): ...@@ -72,6 +72,8 @@ def group_routes(request):
peer_members = UserProfile.objects.filter(peer=peer) peer_members = UserProfile.objects.filter(peer=peer)
users = [prof.user for prof in peer_members] users = [prof.user for prof in peer_members]
group_routes = Route.objects.filter(applier__in=users) group_routes = Route.objects.filter(applier__in=users)
if request.user.is_superuser:
group_routes = Route.objects.all()
return render_to_response('user_routes.html', {'routes': group_routes}, return render_to_response('user_routes.html', {'routes': group_routes},
context_instance=RequestContext(request)) context_instance=RequestContext(request))
...@@ -86,7 +88,7 @@ def add_route(request): ...@@ -86,7 +88,7 @@ def add_route(request):
"Insufficient rights on administrative networks. Cannot add rule. Contact your administrator") "Insufficient rights on administrative networks. Cannot add rule. Contact your administrator")
return HttpResponseRedirect(reverse("group-routes")) return HttpResponseRedirect(reverse("group-routes"))
if request.method == "GET": if request.method == "GET":
form = RouteForm() form = RouteForm(initial={'applier': applier})
if not request.user.is_superuser: if not request.user.is_superuser:
form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True) form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False) form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
...@@ -94,10 +96,19 @@ def add_route(request): ...@@ -94,10 +96,19 @@ def add_route(request):
context_instance=RequestContext(request)) context_instance=RequestContext(request))
else: else:
form = RouteForm(request.POST) request_data = request.POST.copy()
if request.user.is_superuser:
request_data['issuperuser'] = request.user.username
else:
try:
del requset_data['issuperuser']
except:
pass
form = RouteForm(request_data)
if form.is_valid(): if form.is_valid():
route=form.save(commit=False) route=form.save(commit=False)
route.applier = request.user if not request.user.is_superuser:
route.applier = request.user
route.status = "PENDING" route.status = "PENDING"
route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
...@@ -116,6 +127,9 @@ def add_route(request): ...@@ -116,6 +127,9 @@ def add_route(request):
logger.info(mail_body, extra=d) logger.info(mail_body, extra=d)
return HttpResponseRedirect(reverse("group-routes")) return HttpResponseRedirect(reverse("group-routes"))
else: else:
if not request.user.is_superuser:
form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
return render_to_response('apply.html', {'form': form, 'applier':applier}, return render_to_response('apply.html', {'form': form, 'applier':applier},
context_instance=RequestContext(request)) context_instance=RequestContext(request))
...@@ -126,7 +140,7 @@ def edit_route(request, route_slug): ...@@ -126,7 +140,7 @@ def edit_route(request, route_slug):
applier_peer = request.user.get_profile().peer applier_peer = request.user.get_profile().peer
route_edit = get_object_or_404(Route, name=route_slug) route_edit = get_object_or_404(Route, name=route_slug)
route_edit_applier_peer = route_edit.applier.get_profile().peer route_edit_applier_peer = route_edit.applier.get_profile().peer
if applier_peer != route_edit_applier_peer: if applier_peer != route_edit_applier_peer and (not request.user.is_superuser):
messages.add_message(request, messages.WARNING, messages.add_message(request, messages.WARNING,
"Insufficient rights to edit rule %s" %(route_slug)) "Insufficient rights to edit rule %s" %(route_slug))
return HttpResponseRedirect(reverse("group-routes")) return HttpResponseRedirect(reverse("group-routes"))
...@@ -144,7 +158,15 @@ def edit_route(request, route_slug): ...@@ -144,7 +158,15 @@ def edit_route(request, route_slug):
return HttpResponseRedirect(reverse("group-routes")) return HttpResponseRedirect(reverse("group-routes"))
route_original = deepcopy(route_edit) route_original = deepcopy(route_edit)
if request.POST: if request.POST:
form = RouteForm(request.POST, instance = route_edit) request_data = request.POST.copy()
if request.user.is_superuser:
request_data['issuperuser'] = request.user.username
else:
try:
del request_data['issuperuser']
except:
pass
form = RouteForm(request_data, instance = route_edit)
critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then'] critical_changed_values = ['source', 'destination', 'sourceport', 'destinationport', 'port', 'protocol', 'then']
if form.is_valid(): if form.is_valid():
changed_data = form.changed_data changed_data = form.changed_data
...@@ -152,10 +174,11 @@ def edit_route(request, route_slug): ...@@ -152,10 +174,11 @@ def edit_route(request, route_slug):
route.name = route_original.name route.name = route_original.name
route.status = route_original.status route.status = route_original.status
route.response = route_original.response route.response = route_original.response
route.applier = request.user if not request.user.is_superuser:
route.applier = request.user
if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'): if bool(set(changed_data) & set(critical_changed_values)) or (not route_original.status == 'ACTIVE'):
route.status = "PENDING" route.status = "PENDING"
route.response = "Committing..." route.response = "Applying..."
route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed route.source = IPNetwork("%s/%s" %(IPNetwork(route.source).network.compressed, IPNetwork(route.source).prefixlen)).compressed
route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed route.destination = IPNetwork("%s/%s" %(IPNetwork(route.destination).network.compressed, IPNetwork(route.destination).prefixlen)).compressed
route.save() route.save()
...@@ -174,11 +197,22 @@ def edit_route(request, route_slug): ...@@ -174,11 +197,22 @@ def edit_route(request, route_slug):
logger.info(mail_body, extra=d) logger.info(mail_body, extra=d)
return HttpResponseRedirect(reverse("group-routes")) return HttpResponseRedirect(reverse("group-routes"))
else: else:
if not request.user.is_superuser:
form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
form.fields['protocol'] = forms.ModelMultipleChoiceField(queryset=MatchProtocol.objects.filter(protocol__in=settings.UI_USER_PROTOCOLS).order_by('protocol'), required=False)
return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier}, return render_to_response('apply.html', {'form': form, 'edit':True, 'applier': applier},
context_instance=RequestContext(request)) context_instance=RequestContext(request))
else: else:
if (not route_original.status == 'ACTIVE'):
route_edit.expires = datetime.date.today() + datetime.timedelta(days = settings.EXPIRATION_DAYS_OFFSET)
dictionary = model_to_dict(route_edit, fields=[], exclude=[]) dictionary = model_to_dict(route_edit, fields=[], exclude=[])
#form = RouteForm(instance=route_edit) if request.user.is_superuser:
dictionary['issuperuser'] = request.user.username
else:
try:
del dictionary['issuperuser']
except:
pass
form = RouteForm(dictionary) form = RouteForm(dictionary)
if not request.user.is_superuser: if not request.user.is_superuser:
form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True) form.fields['then'] = forms.ModelMultipleChoiceField(queryset=ThenAction.objects.filter(action__in=settings.UI_USER_THEN_ACTIONS).order_by('action'), required=True)
...@@ -193,10 +227,11 @@ def delete_route(request, route_slug): ...@@ -193,10 +227,11 @@ def delete_route(request, route_slug):
route = get_object_or_404(Route, name=route_slug) route = get_object_or_404(Route, name=route_slug)
applier_peer = route.applier.get_profile().peer applier_peer = route.applier.get_profile().peer
requester_peer = request.user.get_profile().peer requester_peer = request.user.get_profile().peer
if applier_peer == requester_peer: if applier_peer == requester_peer or request.user.is_superuser:
route.status = "PENDING" route.status = "PENDING"
route.expires = datetime.date.today() route.expires = datetime.date.today()
route.applier = request.user if not request.user.is_superuser:
route.applier = request.user
route.response = "Suspending..." route.response = "Suspending..."
route.save() route.save()
route.commit_delete() route.commit_delete()
...@@ -209,7 +244,7 @@ def delete_route(request, route_slug): ...@@ -209,7 +244,7 @@ def delete_route(request, route_slug):
mail_body, settings.SERVER_EMAIL, user_mail, mail_body, settings.SERVER_EMAIL, user_mail,
get_peer_techc_mails(route.applier)) get_peer_techc_mails(route.applier))
d = { 'clientip' : requesters_address, 'user' : route.applier.username } d = { 'clientip' : requesters_address, 'user' : route.applier.username }
logger.info(mail_body, extra=d) logger.info(mail_body, extra=d)
html = "<html><body>Done</body></html>" html = "<html><body>Done</body></html>"
return HttpResponse(html) return HttpResponse(html)
else: else:
......
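Review bot: `del requset_data['issuperuser']` in add_route (hunk at `@@ -94`) misspells `request_data`, so the resulting NameError is swallowed by the bare `except:` and a non-superuser's POST keeps whatever `issuperuser` key it carried; since RouteForm reads that key from `self.data` to widen the permitted destination networks, the scrub that is meant to confine ordinary users is a no-op on this path. Fix the name and narrow the handler to `except KeyError: pass`, or replace the whole try block with `request_data.pop('issuperuser', None)`, which would also collapse the three near-identical copies in edit_route's POST and GET branches (hunks at `@@ -144` and `@@ -174`). Separately, the non-admin branches in add_route and edit_route still build the form from the POSTed `applier` and only overwrite `route.applier = request.user` after `form.is_valid()` has derived the peer networks from that value; setting `request_data['applier']` to `request.user.pk` before constructing the form for non-superusers would make the validation and the saved applier agree.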
...@@ -256,11 +256,29 @@ div.roundbox, #portsacc, #id_comments{ ...@@ -256,11 +256,29 @@ div.roundbox, #portsacc, #id_comments{
</p> </p>
</div> </div>
</fieldset> </fieldset>
{% if user.is_superuser %}
<fieldset>
<legend>
{% trans "Admin Options" %}
</legend>
<div class="roundbox">
{{ form.applier.label_tag }}{{ form.applier }}
<br>
{% if form.applier.errors %}
<br>
<p class="error" style="clear:both;">
{{ form.applier.errors|join:", " }}
</p>
{% endif %}
</div>
</fieldset>
{% else %}
<input type="hidden" id="id_applier" name="applier" value="{{applier}}"/>
{% endif %}
<fieldset> <fieldset>
<legend> <legend>
{% trans "Rule Match Conditions" %} {% trans "Rule Match Conditions" %}
</legend> </legend>
<input type="hidden" id="id_applier" name="applier" value="{{applier}}"/>
<div class="roundbox"> <div class="roundbox">
{{ form.source.label_tag }}{{ form.source }}<img src="/static/threat_source.png"/> {% if form.source.errors %} {{ form.source.label_tag }}{{ form.source }}<img src="/static/threat_source.png"/> {% if form.source.errors %}
<br> <br>
......
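Review bot: The `{% else %}` branch's hidden `applier` input is client-editable, so it can only be a form default and never an authorization input; the views in this commit do overwrite the applier with `request.user` for non-superusers, but nothing in the template says so. A short template comment above the hidden input, `{# non-admin: the applier is fixed server-side from request.user; this value is only a form default #}`, would stop a future maintainer from treating it as authoritative. The `{% if user.is_superuser %}` test presumably relies on the auth context processor supplying `user` via RequestContext, which the views do pass — worth confirming if this template is ever rendered elsewhere.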