Use decorators for permission checks

This commit is contained in:
Kumi 2019-01-17 09:19:26 +01:00
parent 0707fb2211
commit c5f539e5e8

View file

@ -7,6 +7,7 @@ from django.utils import timezone
from django.core.files import File
from django.db.models.fields.files import FieldFile
from django.contrib.auth.models import User
from django.contrib.auth.decorators import login_required, user_passes_test
from .models import Device, Organization, Network, Model, Wifi
@ -23,17 +24,21 @@ import tarfile
import datetime
import time
def is_superuser(user):
return user.is_superuser
def is_staff(user):
return user.is_staff
@login_required
def index(request):
if request.user.is_authenticated:
return redirect("/devices")
else:
return redirect("/accounts/login")
return redirect("/devices")
@csrf_exempt
def heartbeat(request):
device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
ip = request.POST.get("ip", "")
if device.update:
device.reboot = False
code = """
@ -133,16 +138,16 @@ def mkfirmware(device, path):
vpnconf.write(device.vpnconfig)
# Write secret
with open(tempdir.name + "/etc/vpnsecret", "w") as secret:
secret.write('SECRET="%s"' % device.secret)
# Write password
with open(tempdir.name + "/etc/shadow", "r") as shadow:
password = crypt.crypt(device.password, crypt.mksalt(crypt.METHOD_MD5))
shadowin = shadow.read()
with open(tempdir.name + "/etc/shadow", "w") as shadowout:
shadowout.write(shadowin.replace("$PASSWORD", password))
@ -154,18 +159,6 @@ def mkfirmware(device, path):
with open(tempdir.name + "/etc/config/wireless", "w") as wireout:
wire = wirein.replace("$SSID", device.serial)
wireout.write(wire + "\n" + makewificonfig(device))
'''
# Generate .tar.gz file
with tarfile.open(tempdir.name + ".tar.gz", "w:gz") as tar:
tar.add(tempdir.name, arcname=os.path.sep)
with open(tempdir.name + ".tar.gz", "rb") as download:
response = HttpResponse(download.read(), content_type="application/tar+gzip")
response['Content-Disposition'] = 'inline; filename=' + os.path.basename(device.serial + ".tar.gz")
return response
'''
# Create compilation environment
@ -203,7 +196,7 @@ def update(request):
FWDIR = "/opt/vpnmanager/images/"
device = get_object_or_404(Device, secret=request.POST.get("secret", ""))
if not mkfirmware(device, FWDIR):
return HttpResponse(status=503)
@ -252,119 +245,113 @@ def ping(request, device_id):
ajax += "\n}"
return HttpResponse(ajax, content_type="application/json")
@login_required
def devices(request):
if request.user.is_authenticated:
user = request.user
devices = set()
wifis = set()
users = set()
orga = ", ".join([x.__str__() for x in Organization.objects.filter(users=user)])
user = request.user
devices = set()
wifis = set()
users = set()
orga = ", ".join([x.__str__() for x in Organization.objects.filter(users=user)])
for organization in Organization.objects.filter(users=user):
for device in Device.objects.filter(organization=organization):
devices.add(device)
for wifi in Wifi.objects.filter(organization=organization):
wifis.add(wifi)
if user.is_staff:
for orgauser in User.objects.filter(organization=organization):
orgauser.organizations = set()
for orga in Organization.objects.filter(users=orgauser):
orgauser.organizations.add(orga)
users.add(orgauser)
for organization in Organization.objects.filter(users=user):
for device in Device.objects.filter(organization=organization):
devices.add(device)
for wifi in Wifi.objects.filter(organization=organization):
wifis.add(wifi)
if user.is_staff:
for orgauser in User.objects.filter(organization=organization):
orgauser.organizations = set()
for orga in Organization.objects.filter(users=orgauser):
orgauser.organizations.add(orga)
users.add(orgauser)
return render(request, "manager/index.html",
{
"title": "Device Administration",
"user": user,
"organization": orga,
"devices": sorted(devices, key=lambda x: x.serial),
"wifis": sorted(wifis, key=lambda x: x.serial),
"users": sorted(users, key=lambda x: x.username)
}
)
else:
return redirect("/")
return render(request, "manager/index.html",
{
"title": "Device Administration",
"user": user,
"organization": orga,
"devices": sorted(devices, key=lambda x: x.serial),
"wifis": sorted(wifis, key=lambda x: x.serial),
"users": sorted(users, key=lambda x: x.username)
}
)
@login_required
def editdevice(request, device_id):
if request.user.is_authenticated:
device = None
subnets = set()
wifis = set()
for organization in Organization.objects.filter(users=request.user):
device = device or Device.objects.filter(id=device_id, organization=organization)
if not device:
device = None
subnets = set()
wifis = set()
for organization in Organization.objects.filter(users=request.user):
device = device or Device.objects.filter(id=device_id, organization=organization)
if not device:
return redirect("/")
for subnet in Network.objects.filter(organizations=device[0].organization):
subnets.add(subnet)
for wifi in Wifi.objects.filter(organization=device[0].organization):
wifis.add(wifi)
if request.POST.get("subnet", ""):
subnet = Network.objects.filter(intip=request.POST.get("subnet", device[0].network.intip if device[0].network else "No VPN"))
if subnet[0] in subnets:
device[0].name = request.POST.get("name", "")
device[0].network = subnet[0]
device[0].reboot = True if request.POST.get("reboot", "0") == "True" else False
device[0].update = True if request.POST.get("update", "0") == "True" else False
device[0].wifi.set(request.POST.getlist("wifi", []))
device[0].changed = timezone.now()
device[0].save()
return redirect("/")
for subnet in Network.objects.filter(organizations=device[0].organization):
subnets.add(subnet)
for wifi in Wifi.objects.filter(organization=device[0].organization):
wifis.add(wifi)
if request.POST.get("subnet", ""):
subnet = Network.objects.filter(intip=request.POST.get("subnet", device[0].network.intip if device[0].network else "No VPN"))
if subnet[0] in subnets:
device[0].name = request.POST.get("name", "")
device[0].network = subnet[0]
device[0].reboot = True if request.POST.get("reboot", "0") == "True" else False
device[0].update = True if request.POST.get("update", "0") == "True" else False
device[0].wifi.set(request.POST.getlist("wifi", []))
device[0].changed = timezone.now()
device[0].save()
return redirect("/")
return render(request, "manager/edit.html",
{
"title": "Edit Device",
"device": device[0],
"subnets": subnets,
"user": request.user,
"wifis": wifis,
"curfis": Wifi.objects.filter(device=device[0])
}
)
else:
return redirect("/")
return render(request, "manager/edit.html",
{
"title": "Edit Device",
"device": device[0],
"subnets": subnets,
"user": request.user,
"wifis": wifis,
"curfis": Wifi.objects.filter(device=device[0])
}
)
@login_required
def edituser(request, user_id):
if request.user.is_staff or request.user.id == user_id:
if request.user.is_staff or request.user.id == user_id:
user = None
orgas = Organization.objects.filter(users=request.user)
for organization in orgas:
user = user or User.objects.filter(id=user_id, organization=organization)
user = user or User.objects.filter(id=user_id, organization=organization)
if not user:
return redirect("/")
if request.POST.get("form", ""):
user[0].first_name = request.POST.get("firstname", "")
user[0].last_name = request.POST.get("lastname", "")
user[0].is_staff = True if request.POST.get("staff", "0") == "True" else False
user[0].email = request.POST.get("email", "")
user[0].save()
user[0].first_name = request.POST.get("firstname", "")
user[0].last_name = request.POST.get("lastname", "")
user[0].is_staff = True if request.POST.get("staff", "0") == "True" else False
user[0].email = request.POST.get("email", "")
user[0].save()
return redirect("/")
return redirect("/")
return render(request, "manager/edituser.html",
{
"title": "Edit User",
"auser": user[0]
}
)
{
"title": "Edit User",
"auser": user[0]
}
)
else:
return redirect("/")
else:
return redirect('/accounts/login/?next=%s' % request.path)
@login_required
def editwifi(request, wifi_id):
if not request.user.is_authenticated:
return redirect("/")
wifi = None
for organization in Organization.objects.filter(users=request.user):
@ -388,17 +375,15 @@ def editwifi(request, wifi_id):
}
)
@user_passes_test(is_superuser)
def getconfig(request, device_id):
FWDIR = "/opt/vpnmanager/images/"
if not request.user.is_superuser:
return redirect("/")
device = get_object_or_404(Device, id=device_id)
if not mkfirmware(device, FWDIR):
return HttpResponse("Something went wrong generating the firmware image. The server may be busy, please try again later.")
device.update = False
device.save()
@ -407,68 +392,67 @@ def getconfig(request, device_id):
response['Content-Disposition'] = 'inline; filename=%s.bin' % device.serial
return response
@login_required
def rebootdevice(request, device_id):
if request.user.is_authenticated:
device = None
for organization in Organization.objects.filter(users=request.user):
device = device or Device.objects.filter(id=device_id, organization=organization)
device = None
for organization in Organization.objects.filter(users=request.user):
device = device or Device.objects.filter(id=device_id, organization=organization)
if device:
device[0].reboot = True
device[0].save()
if device:
device[0].reboot = True
device[0].save()
return redirect("/")
@user_passes_test(is_staff)
def updatedevice(request, device_id):
if request.user.is_staff:
device = None
for organization in Organization.objects.filter(users=request.user):
device = device or Device.objects.filter(id=device_id, organization=organization)
device = None
if device:
device[0].update = True
device[0].save()
for organization in Organization.objects.filter(users=request.user):
device = device or Device.objects.filter(id=device_id, organization=organization)
if device:
device[0].update = True
device[0].save()
return redirect("/")
@user_passes_test(is_superuser)
def deletedevice(request, device_id):
if request.user.is_superuser:
CADIR = "/etc/openvpn/ca/"
BEFORE = os.getcwd()
CADIR = "/etc/openvpn/ca/"
BEFORE = os.getcwd()
device = get_object_or_404(Device, id=device_id)
device = get_object_or_404(Device, id=device_id)
os.chdir(CADIR)
os.chdir(CADIR)
subprocess.call(CADIR + "/revoke " + device.serial, shell=True)
os.system("rm " + CADIR + "/keys/" + device.serial + ".{crt,csr,key}")
subprocess.call(CADIR + "/revoke " + device.serial, shell=True)
os.system("rm " + CADIR + "/keys/" + device.serial + ".{crt,csr,key}")
os.chdir(BEFORE)
os.chdir(BEFORE)
device.delete()
device.delete()
return redirect("/")
@user_passes_test(is_staff)
def deletewifi(request, wifi_id):
if request.user.is_staff:
wifi = get_object_or_404(Wifi, id=wifi_id)
wifi = get_object_or_404(Wifi, id=wifi_id)
for organization in Organization.objects.filter(users=request.user):
if organization == wifi.organization:
wifi.delete()
break
for organization in Organization.objects.filter(users=request.user):
if organization == wifi.organization:
wifi.delete()
break
return redirect("/")
@user_passes_test(is_staff)
def makewifi(request):
wifi_serial = request.POST.get("serial", "")
wifi_ssid = request.POST.get("ssid", "")
wifi_key = request.POST.get("key", "")
wifi_organization = request.POST.get("organization", "")
if not request.user.is_staff:
return redirect("/")
if not wifi_serial:
orga = Organization.objects.filter(users=request.user)
@ -479,15 +463,16 @@ def makewifi(request):
}
)
wifi = Wifi.objects.create(
serial = wifi_serial,
ssid = wifi_ssid,
key = wifi_key,
organization = Organization.objects.filter(id=wifi_organization)[0]
)
wifi = Wifi.objects.create(
serial = wifi_serial,
ssid = wifi_ssid,
key = wifi_key,
organization = Organization.objects.filter(id=wifi_organization)[0]
)
return redirect("/")
return redirect("/")
@user_passes_test(is_superuser)
def makedevice(request):
CADIR = "/etc/openvpn/ca/"
CONFIGDIR = "/etc/openvpn/client-configs/"
@ -499,13 +484,13 @@ def makedevice(request):
device_model = request.POST.get("model", "")
if not request.user.is_superuser:
return redirect("/")
return redirect("/")
if not device_serial:
orga = Organization.objects.all()
models = Model.objects.all()
return render(request, "manager/add.html",
orga = Organization.objects.all()
models = Model.objects.all()
return render(request, "manager/add.html",
{
"title": "Add Device",
"organizations": orga,
@ -513,14 +498,14 @@ def makedevice(request):
}
)
if glob.glob(CADIR + "/keys/" + device_serial + "*"):
return HttpResponse("This key already exists.")
if glob.glob(CADIR + "/keys/" + device_serial + "*"):
return HttpResponse("This key already exists.")
os.chdir(CADIR)
if subprocess.call(CADIR + "/generate-key " + device_serial, shell=True):
os.chdir(BEFORE)
return HttpResponse("Something went wrong trying to generate the key.")
os.chdir(BEFORE)
return HttpResponse("Something went wrong trying to generate the key.")
if glob.glob(CONFIGDIR + "/files/" + device_serial + "*"):
os.chdir(BEFORE)