diff --git a/manager/views.py b/manager/views.py index 1e45a7d..9b6a99b 100644 --- a/manager/views.py +++ b/manager/views.py @@ -1,6 +1,7 @@ from django.shortcuts import render, get_object_or_404, redirect from django.http import HttpResponse -from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm, AdminPasswordChangeForm +from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm +from django.contrib.auth.forms import AdminPasswordChangeForm from django.db.models import Q from django.views.decorators.csrf import csrf_exempt from django.utils import timezone @@ -22,6 +23,7 @@ from .tasks import mkfirmware from distutils.dir_util import copy_tree from celery.exceptions import TimeoutError +from subprocess import call as execute import glob import sys @@ -31,20 +33,24 @@ import socket import tempfile import crypt import tarfile -import datetime +from datetime import datetime import time import uuid + def is_superuser(user): return user.is_superuser + def is_staff(user): return user.is_staff + @login_required def index(request): return redirect(reverse("devices")) + @csrf_exempt def heartbeat(request): device = get_object_or_404(Device, secret=request.POST.get("secret", "")) @@ -52,6 +58,7 @@ def heartbeat(request): return HttpResponse(heartbeathandler(device, ip)) + @csrf_exempt def wireless(request): device = get_object_or_404(Device, secret=request.POST.get("secret", "")) @@ -68,6 +75,7 @@ def hosts(request): device.save() return render(request, "manager/hosts", {"device": device}) + @csrf_exempt def update(request): FWDIR = "/opt/vpnmanager/images/" @@ -75,7 +83,8 @@ def update(request): device = get_object_or_404(Device, secret=request.POST.get("secret", "")) try: - if not mkfirmware.apply_async((device, FWDIR), serializer='pickle').get(timeout=300): + process = mkfirmware.apply_async((device, FWDIR), serializer='pickle') + if not process.get(timeout=300): return HttpResponse(status=503) except TimeoutError: return HttpResponse(status=503) @@ -85,48 +94,97 @@ def update(request): device.save() with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download: - response = HttpResponse(download.read(), content_type="application/octet-stream") - response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial + response = HttpResponse( + download.read(), + content_type="application/octet-stream" + ) + + response['Content-Disposition'] = ( + 'inline; ' + 'filename=%s.bin' % device.serial + ) + return response + def ping(request, device_id): if request.user.is_authenticated: try: - device = Device.objects.get(id=device_id, organization__in=request.user.organization_set.all()) - except: + device = Device.objects.get( + id=device_id, + organization__in=request.user.organization_set.all() + ) + + except Exception: device = None ajax = '{\n "status": ' if not device: - ajax += "-1" + status = "-1" else: + tz = timezone.get_current_timezone() + if device.lasttime: + naive = timezone.make_naive(device.lasttime, tz) + tt = naive.timetuple() + lasttime = str(int(time.mktime(tt)) * 1000) + else: + lasttime = None + + if device.lastbeat: + naive = timezone.make_naive(device.lastbeat, tz) + tt = naive.timetuple() + lastbeat = str(int(time.mktime(tt)) * 1000) + else: + lastbeat = None + + status = None + try: if device.curip: - socket.inet_aton(device.curip) - except Exception as e: - ajax += "-3" - else: - try: - ajax += str(1 if (device.curip and (timezone.now() - device.lasttime).total_seconds() < 300 and not os.WEXITSTATUS(os.system("ping -c1 -w1 " + device.curip + " > /dev/null 2>&1"))) else 2 if (True if not device.lasttime else (timezone.now() - device.lasttime).total_seconds() > 120) and (timezone.now() - device.lastbeat).total_seconds() < 60 else 0) - except Exception as e: - ajax += str(e) - ajax += "-4" - else: - ajax += ',\n "serial": "%s"' % device.serial - ajax += ',\n "name": "%s"' % device.name if device.name else "" - ajax += ',\n "ip": "%s"' % device.curip if device.curip else "" - ajax += ',\n "time": "%s"' % (None if not device.lasttime else str(int(time.mktime(timezone.make_naive(device.lasttime, timezone.get_current_timezone()).timetuple())) * 1000)) - ajax += ',\n "lastbeat": "%s"' % (None if not device.lastbeat else str(int(time.mktime(timezone.make_naive(device.lastbeat, timezone.get_current_timezone()).timetuple())) * 1000)) - ajax += ',\n "reboot": %i' % (1 if device.reboot else 0) - ajax += ',\n "update": %i' % (1 if device.update else 0) + try: + socket.inet_aton(device.curip) + except Exception: + status = -3 + else: + if device.lasttime: + diff = timezone.now() - device.lasttime + secs = diff.total_seconds() + if secs < 300: + cmd = "ping -c1 -w1 %s >/dev/null 2>&1" + status = os.system(cmd % device.curip) + if not os.WEXITSTATUS(status): + status = 1 - ajax += ',\n "network": {' - ajax += '\n "intip": "%s"' % device.network.intip - ajax += ',\n "extip": "%s"' % device.network.extip - ajax += ',\n "name": "%s"' % (device.network.name if device.network.name else "") - ajax += '\n }' + if not status: + if (not device.lasttime) or secs > 120: + diff = timezone.now() - device.lastbeat + secs = diff.total_seconds() + if secs < 60: + status = 2 + + if not status: + status = 0 + + except Exception as e: + status = str(e) + status += "-4" + finally: + ajax += str(status) + ajax += ',\n "serial": "%s"' % device.serial + ajax += ',\n "name": "%s"' % (device.name or "") + ajax += ',\n "ip": "%s"' % (device.curip or "") + ajax += ',\n "time": "%s"' % lasttime + ajax += ',\n "lastbeat": "%s"' % lastbeat + ajax += ',\n "reboot": %i' % (1 if device.reboot else 0) + ajax += ',\n "update": %i' % (1 if device.update else 0) + + ajax += ',\n "network": {' + ajax += '\n "intip": "%s"' % device.network.intip + ajax += ',\n "extip": "%s"' % device.network.extip + ajax += ',\n "name": "%s"' % (device.network.name or "") + ajax += '\n }' else: ajax += "-2" @@ -134,122 +192,208 @@ def ping(request, device_id): ajax += "\n}" return HttpResponse(ajax, content_type="application/json") + @login_required def devices(request, code=200, exception=None): - return render(request, "manager/index.html", {"title": "Device Administration", "exception": exception}, status=code) + return render( + request, + "manager/index.html", + { + "title": "Device Administration", + "exception": exception + }, + status=code + ) + @login_required def editdevice(request, device_id): - device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all()) - subnets = Network.objects.filter(organization=device.organization) - wifis = Wifi.objects.filter(organization=device.organization) + post = request.method == "POST" - form = DeviceForm(request.POST if request.method == "POST" else None, instance=device) + device = get_object_or_404( + Device, + id=device_id, + organization__in=request.user.organization_set.all() + ) - form.fields["mac"].disabled = True - form.fields["serial"].disabled = True - form.fields["secret"].disabled = True - form.fields["model"].disabled = True - form.fields["password"].disabled = True + subnets = Network.objects.filter( + organization=device.organization + ) - if request.method == "POST" and form.is_valid(): + wifis = Wifi.objects.filter( + organization=device.organization + ) + + form = DeviceForm( + request.POST if post else None, + instance=device + ) + + form.fields["mac"].disabled = True + form.fields["serial"].disabled = True + form.fields["secret"].disabled = True + form.fields["model"].disabled = True + form.fields["password"].disabled = True + + if post and form.is_valid(): form.save() return redirect(reverse("devices")) - return render(request, "manager/form.html", { "title": "Edit Device", "form": form }) + return render( + request, + "manager/form.html", + { + "title": "Edit Device", + "form": form + } + ) + @user_passes_test(is_superuser) def makeuser(request): if request.POST.get("username", ""): - user = User.objects.create_user( - username=request.POST.get("username", ""), - password=str(uuid.uuid4().hex), - first_name=request.POST.get("firstname", ""), + user = User.objects.create_user( + username=request.POST.get("username", ""), + password=str(uuid.uuid4().hex), + first_name=request.POST.get("firstname", ""), last_name=request.POST.get("lastname", ""), - is_staff=request.POST.get("staff", "0") == "True", - is_superuser=request.POST.get("superuser", "0") == "True", + is_staff=request.POST.get("staff", "0") == "True", + is_superuser=request.POST.get("superuser", "0") == "True", email=request.POST.get("email", "") ) - - user.organization_set.set(set(request.POST.getlist("orga", []))) - form = PasswordResetForm({"email": user.email}) + user.organization_set.set(set(request.POST.getlist("orga", []))) - if form.is_valid(): - form.save( - request=request, - use_https=True, - email_template_name='registration/add_user.html') + form = PasswordResetForm({"email": user.email}) - return redirect(reverse("users")) + if form.is_valid(): + form.save( + request=request, + use_https=True, + email_template_name='registration/add_user.html') + + return redirect(reverse("users")) else: - return render(request, "manager/adduser.html", {"title": "Add User"}) + return render(request, "manager/adduser.html", {"title": "Add User"}) + @login_required def edituser(request, user_id): - if request.user.is_staff or request.user.id == user_id: - orgas = request.user.organization_set.all() - user = request.user if request.user.id == user_id else User.objects.distinct().get(id=user_id, organization__in=orgas) + if request.user.is_staff or request.user.id == user_id: + orgas = request.user.organization_set.all() + user = User.objects.distinct().get(id=user_id, organization__in=orgas) - if not user: - return redirect(reverse("users")) + if not user: + return redirect(reverse("users")) - if request.POST.get("form", ""): - newfirst = request.POST.get("firstname", "") - newlast = request.POST.get("lastname", "") - if newlast != user.last_name or newfirst != user.first_name: - sigRenameUser(user.username, request.user.username, "%s %s" % (user.first_name, user.last_name), "%s %s" % (newfirst, newlast)) - user.first_name = request.POST.get("firstname", "") - user.last_name = request.POST.get("lastname", "") + if request.POST.get("form", ""): + newfirst = request.POST.get("firstname", "") + newlast = request.POST.get("lastname", "") - if request.user.is_staff or request.user.is_superuser: - newstaff = request.POST.get("staff", "0") == "True" - if newstaff != user.is_staff: - sigStaffUser(user.username, request.user.username, newstaff) - user.is_staff = newstaff + if newlast != user.last_name or newfirst != user.first_name: + sigRenameUser( + user.username, + request.user.username, + "%s %s" % (user.first_name, user.last_name), + "%s %s" % (newfirst, newlast) + ) + user.first_name = request.POST.get("firstname", "") + user.last_name = request.POST.get("lastname", "") - if request.user.is_superuser: - newsuper = request.POST.get("superuser", "0") == "True" - if newsuper != user.is_superuser: - sigSuperUser(user.username, request.user.username, newsuper) - user.is_superuser = newsuper + if request.user.is_staff or request.user.is_superuser: + newstaff = request.POST.get("staff", "0") == "True" + if newstaff != user.is_staff: + sigStaffUser( + user.username, + request.user.username, + newstaff + ) + user.is_staff = newstaff - neworgas = set(request.POST.getlist("orga", [])) - oldorgas = set(user.organization_set.all()) - if neworgas != oldorgas: - sigOrgaUser(user.username, request.user.username, oldorgas, neworgas) - user.organization_set.set(neworgas) + if request.user.is_superuser: + newsuper = request.POST.get("superuser", "0") == "True" + if newsuper != user.is_superuser: + sigSuperUser( + user.username, + request.user.username, + newsuper) + user.is_superuser = newsuper - newmail = request.POST.get("email", "") - if newmail != user.email: - sigMailUser(user.username, request.user.username, user.email, newmail) - user.email = newmail + neworgas = set(request.POST.getlist("orga", [])) + oldorgas = set(user.organization_set.all()) + if neworgas != oldorgas: + sigOrgaUser( + user.username, + request.user.username, + oldorgas, + neworgas + ) + user.organization_set.set(neworgas) - user.save() + newmail = request.POST.get("email", "") + if newmail != user.email: + sigMailUser( + user.username, + request.user.username, + user.email, + newmail + ) + user.email = newmail - return redirect(reverse("users")) + user.save() - return render(request, "manager/edituser.html", - { + return redirect(reverse("users")) + + return render( + request, + "manager/edituser.html", + { "title": "Edit User", "auser": user } ) - else: - return redirect(reverse("two_factor:login", kwargs={'next': request.path})) + return redirect( + reverse( + "two_factor:login", + kwargs={ + 'next': request.path + } + ) + ) + @login_required def editwifi(request, wifi_id): - wifi = get_object_or_404(Wifi, id=wifi_id, organization__in=request.user.organization_set.all()) - form = WifiForm(request.POST if request.method == "POST" else None, instance=wifi) - form.fields["organization"].queryset = request.user.organization_set.all() + userorgas = request.user.organization_set.all() + + wifi = get_object_or_404( + Wifi, + id=wifi_id, + organization__in=userorgas + ) + + form = WifiForm( + request.POST if request.method == "POST" else None, + instance=wifi + ) + + form.fields["organization"].queryset = userorgas + if request.method == "POST" and form.is_valid(): form.save() return redirect(reverse("wifi")) - return render(request, "manager/form.html", { "title": "Edit WiFi", "form": form }) + return render( + request, + "manager/form.html", + { + "title": "Edit WiFi", + "form": form + } + ) + @user_passes_test(is_superuser) def getconfig(request, device_id): @@ -258,32 +402,56 @@ def getconfig(request, device_id): device = get_object_or_404(Device, id=device_id) files = glob.glob("%s/%s.bin" % (FWDIR, device_id)) - if not ((files and datetime.datetime.fromtimestamp(os.path.getmtime(files[0]), timezone.get_current_timezone()) > device.model.firmware) or mkfirmware.apply_async((device, FWDIR), serializer='pickle').get(timeout=300)): - return HttpResponse(status=503) + if not files: + mtime = os.path.getmtime(files[0]) + tz = timezone.get_current_timezone() + + if not datetime.fromtimestamp(mtime, tz) > device.model.firmware: + work = mkfirmware.apply_async((device, FWDIR), serializer='pickle') + if not work.get(timeout=300): + return HttpResponse(status=503) sigUpdateDevice(device.serial, None, False) device.update = False device.save() with open("%s/%s.bin" % (FWDIR, device.id), "rb") as download: - response = HttpResponse(download.read(), content_type="application/octet-stream") - response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial + response = HttpResponse( + download.read(), + content_type="application/octet-stream" + ) + + response['Content-Disposition'] = ( + 'inline; ' + 'filename=%s.bin' % device.serial + ) + return response + @login_required def rebootdevice(request, device_id): - device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all()) + device = get_object_or_404( + Device, + id=device_id, + organization__in=request.user.organization_set.all() + ) if not device.reboot: - sigRebootDevice(device.serial, request.user.username, True) - device.reboot = True - device.save() + sigRebootDevice(device.serial, request.user.username, True) + device.reboot = True + device.save() return redirect(reverse("devices")) + @user_passes_test(is_staff) def updatedevice(request, device_id): - device = get_object_or_404(Device, id=device_id, organization__in=request.user.organization_set.all()) + device = get_object_or_404( + Device, + id=device_id, + organization__in=request.user.organization_set.all() + ) if not device.update: sigUpdateDevice(device.serial, request.user.username, True) @@ -292,6 +460,7 @@ def updatedevice(request, device_id): return redirect(reverse("devices")) + @user_passes_test(is_superuser) def deletedevice(request, device_id): CADIR = "/etc/openvpn/ca/" @@ -301,7 +470,7 @@ def deletedevice(request, device_id): os.chdir(CADIR) - subprocess.call(CADIR + "/revoke " + device.serial, shell=True) + execute(CADIR + "/revoke " + device.serial, shell=True) os.system("rm " + CADIR + "/keys/" + device.serial + ".{crt,csr,key}") os.chdir(BEFORE) @@ -310,39 +479,62 @@ def deletedevice(request, device_id): return redirect(reverse("devices")) + @user_passes_test(is_staff) def deletewifi(request, wifi_id): - wifi = get_object_or_404(Wifi, id=wifi_id, organization__in=request.user.organization_set.all()) + wifi = get_object_or_404( + Wifi, + id=wifi_id, + organization__in=request.user.organization_set.all() + ) wifi.delete() return redirect(reverse("wifi")) + @user_passes_test(is_superuser) def deleteuser(request, user_id): user = get_object_or_404(User, id=user_id) user.delete() return redirect(reverse("users")) + @user_passes_test(is_superuser) def deletenetwork(request, network_id): network = get_object_or_404(Network, id=network_id) network.delete() return redirect(reverse("networks")) + @user_passes_test(is_superuser) def deleteorga(request, orga_id): orga = get_object_or_404(Organization, id=orga_id) orga.delete() return redirect(reverse("organizations")) + @login_required def makewifi(request): - form = WifiForm(request.POST if request.method == "POST" else None, initial={"organization": request.user.userstatus.orga} if request.method == "GET" else None) + post = request.method == "POST" + postdata = request.POST if post else None + + organization = request.user.userstatus.orga + initial = {"organization": organization} if not post else None + + form = WifiForm(postdata, initial=initial) form.fields["organization"].queryset = request.user.organization_set.all() if request.method == "POST" and form.is_valid(): form.save() return redirect(reverse("wifi")) - - return render(request, "manager/form.html", { "title": "Add WiFi", "form": form }) + + return render( + request, + "manager/form.html", + { + "title": "Add WiFi", + "form": form + } + ) + @user_passes_test(is_superuser) def makenetwork(request): @@ -355,12 +547,21 @@ def makenetwork(request): else: form = NetworkForm() - return render(request, "manager/form.html", { "title": "Add Network", "form": form }) + return render( + request, + "manager/form.html", + { + "title": "Add Network", + "form": form + } + ) + @user_passes_test(is_superuser) def editnetwork(request, network_id): net = get_object_or_404(Network, id=network_id) - form = NetworkForm(request.POST if request.method == "POST" else None, instance=net) + postdata = request.POST if request.method == "POST" else None + form = NetworkForm(postdata, instance=net) form.fields["intip"].disabled = True form.fields["extip"].disabled = True @@ -368,14 +569,28 @@ def editnetwork(request, network_id): form.save() return redirect(reverse("networks")) - return render(request, "manager/form.html", { "title": "Edit Network", "form": form }) + return render( + request, + "manager/form.html", + { + "title": "Edit Network", + "form": form + } + ) + @login_required def setactiveorga(request, orga_id): - request.user.userstatus.orga = get_object_or_404(Organization, id=orga_id, users=request.user) + request.user.userstatus.orga = get_object_or_404( + Organization, + id=orga_id, + users=request.user + ) + request.user.userstatus.save() return HttpResponse("") + @user_passes_test(is_superuser) def makeorganization(request): if request.method == "POST": @@ -389,7 +604,15 @@ def makeorganization(request): else: form = OrgaForm() - return render(request, "manager/form.html", { "title": "Add Organization", "form": form }) + return render( + request, + "manager/form.html", + { + "title": "Add Organization", + "form": form + } + ) + @user_passes_test(is_superuser) def editorganization(request, orga_id): @@ -403,102 +626,138 @@ def editorganization(request, orga_id): else: form = OrgaForm(instance=orga) - return render(request, "manager/form.html", { "title": "Change Organization", "form": form }) + return render( + request, + "manager/form.html", + { + "title": "Change Organization", + "form": form + } + ) + @user_passes_test(is_superuser) def makedevice(request): - CADIR = "/etc/openvpn/ca/" - CONFIGDIR = "/etc/openvpn/client-configs/" - BEFORE = os.getcwd() + CADIR = "/etc/openvpn/ca/" + CONFIGDIR = "/etc/openvpn/client-configs/" + BEFORE = os.getcwd() - device_serial = request.POST.get("serial", "").replace(" ", "_") - device_name = request.POST.get("name", "") - device_organization = request.POST.get("organization", "") - device_model = request.POST.get("model", "") - device_ssid = request.POST.get("ssid", device_serial) - device_key = request.POST.get("key", "") - device_mac = request.POST.get("mac", "") + device_serial = request.POST.get("serial", "").replace(" ", "_") + device_name = request.POST.get("name", "") + device_organization = request.POST.get("organization", "") + device_model = request.POST.get("model", "") + device_ssid = request.POST.get("ssid", device_serial) + device_key = request.POST.get("key", "") + device_mac = request.POST.get("mac", "") - if not device_serial: - orga = Organization.objects.all() - models = Model.objects.all() + if not device_serial: + orga = Organization.objects.all() + models = Model.objects.all() - return render(request, "manager/add.html", - { - "title": "Add Device", - "organizations": orga, - "models": models - } - ) + return render(request, "manager/add.html", + { + "title": "Add Device", + "organizations": orga, + "models": models + } + ) - if glob.glob(CADIR + "/keys/" + device_serial + "*"): - return HttpResponse("This key already exists.") + if glob.glob(CADIR + "/keys/" + device_serial + "*"): + return HttpResponse("Key already exists.") - os.chdir(CADIR) + os.chdir(CADIR) - if subprocess.call(CADIR + "/generate-key " + device_serial, shell=True): - os.chdir(BEFORE) - return HttpResponse("Something went wrong trying to generate the key.") + if execute(CADIR + "/generate-key " + device_serial, shell=True): + os.chdir(BEFORE) + return HttpResponse("Error generating key.") - if glob.glob(CONFIGDIR + "/files/" + device_serial + "*"): - os.chdir(BEFORE) - return HttpResponse("This configuration file already exists.") + if glob.glob(CONFIGDIR + "/files/" + device_serial + "*"): + os.chdir(BEFORE) + return HttpResponse("Configuration file already exists.") - os.chdir(CONFIGDIR) + os.chdir(CONFIGDIR) - if subprocess.call(CONFIGDIR + "/make_config " + device_serial, shell=True): - os.chdir(BEFORE) - return HttpResponse("Something went wrong trying to generate the config file.") + if execute(CONFIGDIR + "/make_config " + device_serial, shell=True): + os.chdir(BEFORE) + return HttpResponse("Error generating config file.") - os.chdir(BEFORE) + os.chdir(BEFORE) - device = Device.objects.create( + with open(CONFIGDIR + "/files/" + device_serial + ".ovpn") as vpnfile: + vpnconfig = vpnfile.read() + + organization = Organization.objects.get(id=device_organization) + + device = Device.objects.create( serial=device_serial, name=device_name, ssid=device_ssid, key=device_key, model=Model.objects.filter(id=device_model)[0], network=Network.objects.filter(intip="No VPN")[0], - organization=Organization.objects.filter(id=device_organization)[0], - vpnconfig = open(CONFIGDIR + "/files/" + device_serial + ".ovpn").read(), - mac = device_mac or None, - changed = timezone.now() + organization=organization, + vpnconfig=vpnconfig, + mac=device_mac or None, + changed=timezone.now() ) - return redirect(reverse("devices")) + return redirect(reverse("devices")) + @receiver(post_save, sender=settings.AUTH_USER_MODEL) def createUserStatus(sender, instance, created, **kwargs): if created: UserStatus.objects.create(user=instance) + @receiver(post_save, sender=settings.AUTH_USER_MODEL) def saveUserStatus(sender, instance, **kwargs): try: instance.userstatus.save() - except: + except Exception: UserStatus.objects.create(user=instance) + def errorhandler(request, code, exception): if code == 403: - exception.human = "You have no permission to access the requested page." + exception.human = ("You have no permission " + "to access the requested page.") elif code == 400: - exception.human = "Something seems to be wrong with the request you sent. Please try again." + exception.human = ("Something seems to be wrong with " + "the request you sent. Please try again.") + elif code == 404: - exception.human = "Sorry, we were unable to find the page you requested. Please check the address and try again." + exception.human = ("Sorry, we were unable to find the page you " + "requested. Please check the address and try again." + ) + elif code == 500: - exception.human = "Sorry, something seems to be wrong on our end. Please try again later or contact support if the problem persists." + exception.human = ("Sorry, something seems to be wrong on our end. " + "Please try again later or contact support if " + "the problem persists.") return devices(request, code=code, exception=exception) + def handler400(request, exception): return errorhandler(request, 400, exception) + def handler403(request, exception): return errorhandler(request, 403, exception) + def handler404(request, exception): - return errorhandler(request, 404, exception) + return errorhandler( + request, + 404, + exception + ) + def handler500(request): - return errorhandler(request, 500, Exception("Please check the server logs for additional information.")) + return errorhandler( + request, + 500, + Exception("Please check server logs for additional information.") + )