def post(self, request, *args, **kwargs): user_agent, ip = user_agent_and_ip_address_from_request(request) try: request_json = json.loads(request.body.decode("utf-8")) secret = request_json["secret"] serial_number = request_json["serial_number"] uuid = request_json["uuid"] es_request = verify_enrollment_secret("munki_enrollment", secret, user_agent, ip, serial_number, uuid) except (KeyError, ValueError, EnrollmentSecretVerificationFailed): raise SuspiciousOperation else: # get or create enrolled machine enrolled_machine, enrolled_machine_created = EnrolledMachine.objects.get_or_create( enrollment=es_request.enrollment_secret.munki_enrollment, serial_number=serial_number, defaults={"token": get_random_string(64)}) # apply enrollment secret tags for tag in es_request.enrollment_secret.tags.all(): MachineTag.objects.get_or_create(serial_number=serial_number, tag=tag) # post event post_munki_enrollment_event( serial_number, user_agent, ip, { 'action': "enrollment" if enrolled_machine_created else "re-enrollment" }) return JsonResponse({"token": enrolled_machine.token})
def login(request): """ Displays the login form and handles the login action. """ redirect_to = request.POST.get(REDIRECT_FIELD_NAME, request.GET.get(REDIRECT_FIELD_NAME, '')) if request.method == "POST": form = ZentralAuthenticationForm(request, data=request.POST) if form.is_valid(): user = form.get_user() # Ensure the user-originating redirection url is safe. if not is_safe_url(url=redirect_to, allowed_hosts={request.get_host()}, require_https=request.is_secure()): redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL) if user.has_verification_device: # Redirect to verification page token = signing.dumps( { "auth_backend": user.backend, "redirect_to": redirect_to, "user_id": user.id }, salt="zentral_verify_token", key=settings.SECRET_KEY) request.session["verification_token"] = token user_agent, _ = user_agent_and_ip_address_from_request(request) try: verification_device = user.get_prioritized_verification_devices( user_agent)[0] except ValueError: form.add_error( None, "No configured verification devices compatible with your current browser." ) else: return HttpResponseRedirect( verification_device.get_verification_url()) else: # Okay, security check complete. Log the user in. auth_login(request, form.get_user()) return HttpResponseRedirect(redirect_to) else: form = ZentralAuthenticationForm(request) context = { 'form': form, 'login_realms': [(r, reverse("realms:zentral_login", args=(r.pk, ))) for r in Realm.objects.filter(enabled_for_login=True)], REDIRECT_FIELD_NAME: redirect_to, } return TemplateResponse(request, "registration/login.html", context)
def post(self, request, *args, **kwargs): self.enrollment_secret_secret = kwargs["enrollment_secret"] try: self.hardware_uuid = str(UUID(kwargs["machine_id"])) except ValueError: raise PermissionDenied("Invalid machine id") try: self.enrolled_machine = EnrolledMachine.objects.select_related( "enrollment__secret", "enrollment__configuration").get( enrollment__secret__secret=self.enrollment_secret_secret, hardware_uuid=self.hardware_uuid) except EnrolledMachine.DoesNotExist: if self.require_enrolled_machine: raise PermissionDenied("Unknown machine") self.enrolled_machine = None else: if self.enrolled_machine.enrollment.configuration.client_certificate_auth and \ self.get_client_cert() is None: raise PermissionDenied("Missing client certificate") self.machine_serial_number = self.enrolled_machine.serial_number self.business_unit = self.enrolled_machine.enrollment.secret.get_api_enrollment_business_unit( ) data = self._get_json_data(request) self.user_agent, self.ip = user_agent_and_ip_address_from_request( request) return JsonResponse(self.do_post(data))
def dispatch(self, request, *args, **kwargs): try: token = request.META['HTTP_X_MONOLITH_TOKEN'].strip() api_data = verify_secret(token, 'zentral.contrib.monolith') except (KeyError, ValueError, APIAuthError): return HttpResponseForbidden("No no no!") # machine serial number h_msn = request.META.get("HTTP_X_ZENTRAL_SERIAL_NUMBER") # new way t_msn = api_data.get("machine_serial_number") # old way if h_msn and t_msn and h_msn != t_msn: logger.warning("Serial number mismatch. header: %s, token: %s", h_msn, t_msn) self.machine_serial_number = h_msn or t_msn # priority to h_msn because set in preflight script # business unit, manifest self.meta_business_unit = api_data['business_unit'].meta_business_unit self.manifest = get_object_or_404( Manifest, meta_business_unit=self.meta_business_unit) self.user_agent, self.ip = user_agent_and_ip_address_from_request( request) # machine extra infos self.machine = MetaMachine(self.machine_serial_number) self.tags = self.machine.tags if not self.machine_serial_number: logger.warning("Missing serial number. mbu: %s %s", self.meta_business_unit, self.meta_business_unit.pk) return super().dispatch(request, *args, **kwargs)
def post(self, request, *args, **kwargs): self.user_agent, self.ip = user_agent_and_ip_address_from_request(request) try: request_json = json.loads(request.body.decode("utf-8")) secret = request_json["secret"] serial_number = request_json["serial_number"] es_request = verify_enrollment_secret( "filebeat_enrollment", secret, self.user_agent, self.ip, serial_number ) except (ValueError, KeyError, EnrollmentSecretVerificationFailed): raise SuspiciousOperation else: enrollment_session = EnrollmentSession.objects.create_from_enrollment( enrollment=es_request.enrollment_secret.filebeat_enrollment, serial_number=serial_number ) # response response = { "scep": { "cn": enrollment_session.get_common_name(), "org": enrollment_session.get_organization(), "challenge": enrollment_session.get_challenge(), "url": "{}/scep".format(settings["api"]["tls_hostname"]), # TODO: hardcoded scep url }, "secret": enrollment_session.enrollment_secret.secret, } # post event post_enrollment_event(serial_number, self.user_agent, self.ip, enrollment_session.serialize_for_event()) return JsonResponse(response)
def get_form_kwargs(self): kwargs = super().get_form_kwargs() request = self.request user_agent, _ = user_agent_and_ip_address_from_request(request) kwargs["session"] = request.session kwargs["user_agent"] = user_agent return kwargs
def post(self, request, *args, **kwargs): try: if request.META.get("HTTP_CONTENT_ENCODING") == "gzip": self.data = json.load(GzipFile(fileobj=request)) else: self.data = json.loads(request.body) except ValueError: raise SuspiciousOperation("Could not read JSON data") self.user_agent, self.ip = user_agent_and_ip_address_from_request(request) self.authenticate() return JsonResponse(self.do_post())
def dispatch(self, request, *args, **kwargs): try: token = request.META['HTTP_X_MONOLITH_TOKEN'].strip() api_data = verify_secret(token, 'zentral.contrib.monolith') except (KeyError, ValueError, APIAuthError): return HttpResponseForbidden("No no no!") self.machine_serial_number = api_data.get("machine_serial_number", None) self.user_agent, self.ip = user_agent_and_ip_address_from_request(request) self.machine = MetaMachine(self.machine_serial_number) self.tags = self.machine.tags self.meta_business_unit = api_data['business_unit'].meta_business_unit self.manifest = get_object_or_404(Manifest, meta_business_unit=self.meta_business_unit) return super().dispatch(request, *args, **kwargs)
def post(self, request, *args, **kwargs): try: instance = puppet_conf.get_instance_with_secret(kwargs["secret"]) except APIAuthError: return HttpResponseForbidden("Forbidden") except KeyError: return HttpResponseNotFound("Unknown puppet instance") user_agent, ip = user_agent_and_ip_address_from_request(request) if not request.encoding or request.encoding.lower() != "utf-8": return HttpResponse("Unsupported encoding", status=415) payload = request.body.decode(request.encoding) post_puppet_report(instance, user_agent, ip, payload) return HttpResponse("OK")
def post(self, request, *args, **kwargs): # DN => serial_number + meta_business_unit dn = request.META.get("HTTP_X_SSL_CLIENT_S_DN") if not dn: raise SuspiciousOperation("missing DN in request headers") dn_d = parse_dn(dn) cn = dn_d.get("CN") try: cn_prefix, enrollment_secret_secret = cn.split("$") except (AttributeError, ValueError): raise SuspiciousOperation("missing or bad CN in client certificate DN") # verify prefix if cn_prefix != "FLBT": raise SuspiciousOperation("bad CN prefix in client certificate") self.user_agent, self.ip = user_agent_and_ip_address_from_request(request) try: request_json = json.loads(request.body.decode("utf-8")) secret = request_json["secret"] serial_number = request_json["serial_number"] es_request = verify_enrollment_secret( "filebeat_enrollment_session", secret, self.user_agent, self.ip, serial_number, filebeat_enrollment_session__status__in=(EnrollmentSession.STARTED, EnrollmentSession.SCEP_VERIFIED) ) certificate = request_json["certificate"] key = request_json["key"] certificate_authority = request_json["certificate_authority"] except (ValueError, KeyError, EnrollmentSecretVerificationFailed): raise SuspiciousOperation("Could not verify enrollment session secret") else: # update enrollment session enrollment_session = es_request.enrollment_secret.filebeat_enrollment_session enrolled_machine, _ = EnrolledMachine.objects.get_or_create(serial_number=serial_number) enrollment_session.set_completed(enrolled_machine) # apply enrollment secret tags for tag in es_request.enrollment_secret.tags.all(): MachineTag.objects.get_or_create(serial_number=serial_number, tag=tag) # post event post_enrollment_event(serial_number, self.user_agent, self.ip, enrollment_session.serialize_for_event()) # response response = { "filebeat.yml": build_filebeat_yml(enrollment_session.enrollment.configuration, certificate=certificate, key=key, certificate_authority=certificate_authority) } return JsonResponse(response)
def post(self, request, *args, **kwargs): self.user_agent, self.ip = user_agent_and_ip_address_from_request( request) self.load_token(request) self.load_event(request) try: self.enrolled_machine = EnrolledMachine.objects.select_related( "enrollment__secret__meta_business_unit").get( enrollment__secret__secret=self.token, serial_number=self.serial_number) except EnrolledMachine.DoesNotExist: self.enroll_machine() self.commit_machine_snapshot() post_event(self.serial_number, self.user_agent, self.ip, self.event) return HttpResponse("OK")
def post(self, request, *args, **kwargs): self.user_agent, self.ip = user_agent_and_ip_address_from_request( request) try: request_json = json.loads(request.body.decode("utf-8")) secret = request_json["secret"] serial_number = request_json["serial_number"] uuid = request_json["uuid"] es_request = verify_enrollment_secret("santa_enrollment", secret, self.user_agent, self.ip, serial_number, uuid) except (ValueError, KeyError, EnrollmentSecretVerificationFailed): raise SuspiciousOperation else: # get or create enrolled machine enrolled_machine, enrolled_machine_created = EnrolledMachine.objects.get_or_create( enrollment=es_request.enrollment_secret.santa_enrollment, serial_number=serial_number, defaults={"machine_id": get_random_string(64)}) # apply enrollment secret tags for tag in es_request.enrollment_secret.tags.all(): MachineTag.objects.get_or_create(serial_number=serial_number, tag=tag) # response response = {"machine_id": enrolled_machine.machine_id} cp_name, cp_content = build_configuration_profile(enrolled_machine) cp_content = base64.b64encode(cp_content).decode("utf-8") response["configuration_profile"] = { "name": cp_name, "content": cp_content } cpl_name, cpl_content = build_config_plist(enrolled_machine) response["config_plist"] = { "name": cpl_name, "content": cpl_content } # post event post_enrollment_event( serial_number, self.user_agent, self.ip, { 'action': "enrollment" if enrolled_machine_created else "re-enrollment" }) return JsonResponse(response)
def post(self, request, *args, **kwargs): manifest = get_object_or_404(Manifest, pk=kwargs["pk"]) serializer = CacheServerSerializer(data=request.data) try: serializer.is_valid(raise_exception=True) except ValidationError as e: post_monolith_cache_server_update_request(request, errors=e.detail) raise defaults = serializer.data.copy() name = defaults.pop("name") _, public_ip_address = user_agent_and_ip_address_from_request(request) defaults["public_ip_address"] = public_ip_address cache_server, _ = CacheServer.objects.update_or_create( manifest=manifest, name=name, defaults=defaults) post_monolith_cache_server_update_request(request, cache_server=cache_server) return Response({"status": 0})
def post(self, request, *args, **kwargs): # URL kwargs self.enrollment_secret_secret = kwargs["enrollment_secret"] try: self.hardware_uuid = str(UUID(kwargs["machine_id"])) except ValueError: raise PermissionDenied("Invalid machine id") self.client_cert_dn = self._get_client_cert_dn() self.user_agent, self.ip = user_agent_and_ip_address_from_request( request) self.request_data = self._get_json_data(request) self.cache_key = f"tests/santa/fixtures/{self.enrollment_secret_secret}{self.hardware_uuid}" self.enrolled_machine = None self.tag_ids = [] if self.use_enrolled_machine_cache: try: self.enrolled_machine, self.tag_ids = cache.get(self.cache_key) except TypeError: pass else: if self.enrolled_machine.enrollment.configuration.client_certificate_auth and not self.client_cert_dn: raise PermissionDenied("Missing client certificate") if not self.enrolled_machine: self.enrolled_machine = self.get_enrolled_machine() if not self.enrolled_machine: raise PermissionDenied("Machine not enrolled") meta_machine = MetaMachine(self.enrolled_machine.serial_number) self.tag_ids = [t.id for t in meta_machine.tags] cache.set(self.cache_key, (self.enrolled_machine, self.tag_ids), 600) # TODO cache timeout hardcoded return JsonResponse(self.do_post())
def build_from_request(cls, request): user_agent, ip = user_agent_and_ip_address_from_request(request) user = EventRequestUser.build_from_user(request.user) if user_agent or ip or user: return EventRequest(user_agent, ip, user)
def dispatch(self, request, *args, **kwargs): self.user_agent, self.ip = user_agent_and_ip_address_from_request( request) self.serial_number = self.udid = None return super().dispatch(request, *args, **kwargs)
def setup_with_request(self, request): if not self._setup_done: self.user_agent, self.ip = user_agent_and_ip_address_from_request(request) self.serial_number = self.udid = None self.realm_user = None self._setup_done = True