Exemple #1
def order_post(request):
    """Handle the order form: gift code, admin credit, or a paid order.

    A non-empty ``code`` field is delegated to ``order_post_gc``. Otherwise
    the ``method`` and ``time`` (months) fields select either the special
    ``admin`` method, which credits the current admin user directly, or one
    of ``request.payment_methods``, which creates an order and starts the
    payment flow.
    """
    _ = request.translate
    gift_code = request.POST.get('code')
    if gift_code:
        return order_post_gc(request, gift_code)

    allowed_months = (1, 3, 6, 12)
    try:
        method_name = request.POST.get('method')
        months = int(request.POST.get('time'))
    except (ValueError, TypeError):
        # TypeError covers a missing 'time' field (int(None)); ValueError a
        # non-numeric one. Both just send the user back to the account page.
        return HTTPSeeOther(location=request.route_url('account'))

    if method_name == 'admin' and request.user.is_admin:
        # NOTE(review): this branch runs before the allowed-months check, so
        # an admin can credit any integer number of months, including zero
        # or a negative value. Confirm that is intended.
        request.user.add_paid_time(datetime.timedelta(days=30 * months))
        return HTTPSeeOther(location=request.route_url('account'))

    method = request.payment_methods.get(method_name)
    if not (method and months in allowed_months):
        return HTTPBadRequest('Invalid method/time')

    # A "month" is billed as a flat 30 days.
    duration = datetime.timedelta(days=30 * months)

    order = method.init(request.user, duration)
    DBSession.add(order)
    # Flush before handing the order to the payment method
    # (presumably so it has a primary key; confirm).
    DBSession.flush()
    return method.start(request, order)
Exemple #2
def api_gateway_connect(request):
    """Record a VPN session reported by a gateway for ``user[/profile]``.

    Expects ``username`` and ``remote_addr`` in the POST body. Responds 400
    when either is missing, 403 when the account is unknown, inactive or
    unpaid, or when the named profile does not belong to that user, and
    200 with an empty JSON object otherwise.
    """
    try:
        fullname = request.POST['username']
        client_addr = request.POST['remote_addr']
    except KeyError:
        return HTTPBadRequest('Require username/remote_addr')

    # "user/profile" selects a named profile; a bare name selects none.
    username, separator, profilename = fullname.partition('/')
    if not separator:
        profilename = None

    user = DBSession.query(User).filter_by(username=username).first()
    if not (user and user.is_active and user.is_paid):
        # One message for every failure mode, so the caller cannot tell
        # an unknown account from an unpaid one.
        return HTTPForbidden('Invalid account')

    # NOTE(review): remote_addr is stored exactly as the caller sent it.
    # request.gw is presumably set by gateway authentication upstream, so
    # the value is only as trustworthy as the gateway; confirm.
    sess = VPNSession()
    sess.user_id = user.id
    sess.remote_addr = client_addr
    sess.gateway_id = request.gw.id
    sess.gateway_version = request.gw_version

    if profilename:
        # The uid filter keeps one user from attaching another's profile.
        owned_profile = DBSession.query(Profile) \
                                 .filter_by(name=profilename, uid=user.id) \
                                 .first()
        if not owned_profile:
            return HTTPForbidden('Unknown profile')
        sess.profile_id = owned_profile.id

    DBSession.add(sess)

    # No connection parameters are returned yet; the body is "{}".
    response_params = {}
    return HTTPOk(body=json.dumps(response_params))
Exemple #3
def forgot(request):
    """Start a password reset: store a token and mail the reset link.

    Anything other than a POST carrying ``username`` just renders the form
    (``{}``). An unknown username, or an account without an e-mail address,
    queues an error message and sets the response status to 400.
    """
    if not (request.method == 'POST' and 'username' in request.POST):
        return {}

    account = DBSession.query(User) \
        .filter_by(username=request.POST['username']) \
        .first()

    # NOTE(review): the two distinct messages tell an unauthenticated caller
    # whether a username exists and whether it has an e-mail on file. A
    # single neutral answer plus rate limiting would close that oracle.
    if not account:
        problem = 'Unknown username.'
    elif not account.email:
        problem = 'No e-mail address associated with username.'
    else:
        problem = None
    if problem is not None:
        request.messages.error(problem)
        request.response.status_code = HTTPBadRequest.code
        return {}

    reset = PasswordResetToken(account)
    with transaction.manager:
        DBSession.add(reset)

    mailer = get_mailer(request)
    # The mail carries the requester's address so the account owner can
    # judge whether the request was theirs.
    template_vars = {
        'user': account,
        'requested_by': request.remote_addr,
        'url': request.route_url('account_reset', token=reset.token)
    }
    mail_text = render('mail/password_reset.mako', template_vars)
    mailer.send(Message(subject='CCVPN: Password reset request',
                        recipients=[account.email],
                        body=mail_text))
    request.messages.info('We sent a reset link. Check your emails.')
    return {}
Exemple #4
def initialize_db():
    """Create all tables and seed one administrator if none exists yet."""
    Base.metadata.create_all(DBSession.bind.engine)

    already_seeded = DBSession.query(User).filter_by(username='******').count()
    if already_seeded:
        return

    # NOTE(review): the seeded administrator gets a fixed, well-known
    # password literal. Any deployment that keeps it has a guessable admin
    # login. Rotate it on first start, or seed from an operator-supplied or
    # randomly generated secret instead.
    with transaction.manager:
        seed_admin = User(username='******', is_admin=True)
        seed_admin.set_password('admin')
        DBSession.add(seed_admin)
Exemple #5
def forgot(request):
    """Start a password reset: store a token and mail the reset link.

    Anything other than a POST carrying ``username`` just renders the form
    (``{}``). An unknown username, or an account without an e-mail address,
    queues a translated error and sets the response status to 400.
    """
    _ = request.translate
    if not (request.method == 'POST' and 'username' in request.POST):
        return {}

    account = DBSession.query(User) \
        .filter_by(username=request.POST['username']) \
        .first()

    # NOTE(review): the two distinct messages tell an unauthenticated caller
    # whether a username exists and whether it has an e-mail on file. A
    # single neutral answer plus rate limiting would close that oracle.
    if not account:
        problem = _('Unknown username.')
    elif not account.email:
        problem = _('No e-mail address associated with username.')
    else:
        problem = None
    if problem is not None:
        request.messages.error(problem)
        request.response.status_code = HTTPBadRequest.code
        return {}

    reset = PasswordResetToken(account)
    DBSession.add(reset)
    # Flush before the link is built (presumably so the token value is
    # final; confirm against PasswordResetToken).
    DBSession.flush()

    mailer = get_mailer(request)
    # The mail carries the requester's address so the account owner can
    # judge whether the request was theirs.
    template_vars = {
        'user': account,
        'requested_by': request.remote_addr,
        'url': request.route_url('account_reset', token=reset.token)
    }
    mail_text = render('mail/password_reset.mako', template_vars,
                       request=request)
    mailer.send(Message(subject=_('CCVPN: Password reset request'),
                        recipients=[account.email],
                        body=mail_text))
    request.messages.info(_('We sent a reset link. Check your emails.'))
    return {}
Exemple #6
    def setUp(self):
        """Create the test configuration, the database and two users.

        ``self.u`` has no paid time; ``self.pu`` is credited with 30 days.
        Both are added inside one transaction.
        """
        self.config = testing.setUp()
        self.session = setup_database()
        with transaction.manager:
            # Account without any paid time.
            unpaid = self.u = User(username='******', password='******')
            DBSession.add(unpaid)

            # Account with 30 days of paid time.
            paid = self.pu = User(username='******', password='******')
            paid.add_paid_time(datetime.timedelta(days=30))
            DBSession.add(paid)
Exemple #7
def account_post(request):
    """Create or delete one of the current user's profiles.

    ``profilename`` creates a profile and redirects to its edit page;
    ``delete`` removes the profile with that id. Every other outcome,
    including each validation failure, redirects back to the account page.
    """
    _ = request.translate
    back_to_account = HTTPSeeOther(location=request.route_url('account'))
    max_profiles = 10

    new_name = request.POST.get('profilename')
    delete_id = request.POST.get('delete')

    if new_name:
        profile = Profile()
        if not profile.validate_name(new_name):
            request.messages.error(_('Invalid name.'))
            return back_to_account

        # Names only have to be unique among this user's own profiles.
        duplicate = DBSession.query(Profile) \
                             .filter_by(uid=request.user.id) \
                             .filter_by(name=new_name) \
                             .first()
        if duplicate:
            request.messages.error(_('Name already used.'))
            return back_to_account

        # NOTE(review): `>` lets the count reach max_profiles + 1.
        # Presumably the extra slot is the unnamed default profile that the
        # delete branch below refuses to remove; confirm.
        owned_count = DBSession.query(func.count(Profile.id)) \
                               .filter_by(uid=request.user.id) \
                               .scalar()
        if owned_count > max_profiles:
            request.messages.error(_('You have too many profiles.'))
            return back_to_account

        profile.name = new_name
        profile.uid = request.user.id
        DBSession.add(profile)
        # Flush so profile.id exists for the redirect URL.
        DBSession.flush()
        edit_url = request.route_url('account_profiles_edit', id=profile.id)
        return HTTPSeeOther(location=edit_url)

    if delete_id:
        try:
            delete_id = int(delete_id)
        except ValueError:
            return back_to_account

        # The uid filter restricts deletion to the caller's own profiles.
        # The name filter protects the unnamed profile.
        doomed = DBSession.query(Profile) \
            .filter_by(id=delete_id) \
            .filter(Profile.name != '') \
            .filter_by(uid=request.user.id) \
            .first()

        if not doomed:
            request.messages.error(_('Unknown profile.'))
            return back_to_account

        DBSession.delete(doomed)

    return back_to_account
Exemple #8
    def setUp(self):
        """Create the test configuration, the database and two users.

        ``self.u`` has no paid time; ``self.pu`` is credited with 30 days.
        Each user is flushed right after being added.
        """
        self.config = testing.setUp()
        self.session = setup_database()

        # Account without any paid time.
        unpaid = self.u = User(username='******', password='******')
        DBSession.add(unpaid)
        self.session.flush()

        # Account with 30 days of paid time.
        paid = self.pu = User(username='******', password='******')
        paid.add_paid_time(datetime.timedelta(days=30))
        DBSession.add(paid)
        self.session.flush()
Exemple #9
    def setUp(self):
        """Extend the base fixture with one unpaid and one paid user.

        ``self.u`` has no paid time; ``self.pu`` is credited with 30 days.
        ``self.session`` is presumably provided by the parent ``setUp``.
        """
        super().setUp()

        plain_user = self.u = User(username='******', password='******')
        DBSession.add(plain_user)
        self.session.flush()

        paying_user = self.pu = User(username='******', password='******')
        paying_user.add_paid_time(datetime.timedelta(days=30))
        DBSession.add(paying_user)
        self.session.flush()
Exemple #10
    def setUp(self):
        """Add two users on top of the parent fixture.

        ``self.u`` is left without paid time and ``self.pu`` receives 30
        days. The session is flushed after each insert.
        """
        super().setUp()

        # First user: never paid.
        self.u = free_account = User(username='******', password='******')
        DBSession.add(free_account)
        self.session.flush()

        # Second user: 30 days of paid time.
        self.pu = paid_account = User(username='******', password='******')
        paid_account.add_paid_time(datetime.timedelta(days=30))
        DBSession.add(paid_account)
        self.session.flush()
Exemple #11
def add(args):
    """Insert an API access token built from parsed CLI arguments.

    ``args.token == '-'`` asks for the token on stdin. An empty token leaves
    the model's own value in place (random, going by the prompt text).
    ``args.remote_addr`` is only stored when it is set.
    """
    record = APIAccessToken()
    record.label = args.label

    if args.token == '-':
        # NOTE(review): input() echoes the secret on the terminal. A
        # non-echoing prompt would keep it out of scrollback.
        args.token = input('Token (empty=random): ')
    if args.token:
        record.token = args.token

    if args.remote_addr:
        record.remote_addr = args.remote_addr

    DBSession.add(record)
    DBSession.commit()
    # NOTE(review): the token goes to stdout in clear text. Make sure this
    # command's output is not captured into logs or CI artefacts.
    print('Inserted. token=%s' % record.token)
Exemple #12
def add(args):
    """Insert a gateway record built from parsed CLI arguments.

    ``args.token == '-'`` asks for the token on stdin. An empty token leaves
    the model's own value in place (random, going by the prompt text).
    ``args.remote_addr`` is only stored when it is set.
    """
    gateway = Gateway()
    gateway.label = args.label

    if args.token == '-':
        # NOTE(review): input() echoes the secret on the terminal. A
        # non-echoing prompt would keep it out of scrollback.
        args.token = input('Token (empty=random): ')
    if args.token:
        gateway.token = args.token

    if args.remote_addr:
        gateway.remote_addr = args.remote_addr

    DBSession.add(gateway)
    DBSession.commit()
    # NOTE(review): the token goes to stdout in clear text. Make sure this
    # command's output is not captured into logs or CI artefacts.
    print('Inserted. token=%s' % gateway.token)
Exemple #13
def account_post(request):
    """Create or delete one of the current user's profiles.

    ``profilename`` creates a profile and redirects to its edit page;
    ``delete`` removes the profile with that id. Every other outcome,
    including each validation failure, redirects back to the account page.
    """
    _ = request.translate
    account_redirect = HTTPSeeOther(location=request.route_url('account'))
    limit = 10

    requested_name = request.POST.get('profilename')
    requested_delete = request.POST.get('delete')

    if requested_name:
        created = Profile()
        if not created.validate_name(requested_name):
            request.messages.error(_('Invalid name.'))
            return account_redirect

        # Uniqueness is checked per user, not globally.
        clash = DBSession.query(Profile) \
                         .filter_by(uid=request.user.id) \
                         .filter_by(name=requested_name) \
                         .first()
        if clash:
            request.messages.error(_('Name already used.'))
            return account_redirect

        # NOTE(review): with `>` a user holding exactly `limit` profiles can
        # still add one more. Presumably this accounts for the unnamed
        # default profile; confirm.
        existing = DBSession.query(func.count(Profile.id)) \
                            .filter_by(uid=request.user.id) \
                            .scalar()
        if existing > limit:
            request.messages.error(_('You have too many profiles.'))
            return account_redirect

        created.name = requested_name
        created.uid = request.user.id
        DBSession.add(created)
        # The id used in the redirect is assigned by the flush.
        DBSession.flush()
        return HTTPSeeOther(location=request.route_url('account_profiles_edit', id=created.id))

    if requested_delete:
        try:
            requested_delete = int(requested_delete)
        except ValueError:
            return account_redirect

        # Ownership (uid) is part of the lookup, so a foreign id is reported
        # as unknown. Profiles with an empty name are never deleted here.
        target = DBSession.query(Profile) \
            .filter_by(id=requested_delete) \
            .filter(Profile.name != '') \
            .filter_by(uid=request.user.id) \
            .first()

        if not target:
            request.messages.error(_('Unknown profile.'))
            return account_redirect

        DBSession.delete(target)

    return account_redirect
Exemple #14
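def signup(request):
    """Create an account from the signup form and log the new user in.

    A non-POST request renders the empty form (``{}``). On POST the
    username, password and optional e-mail are validated and checked for
    duplicates. On success a ``User`` and its unnamed default ``Profile``
    are created, the session is bound to the new user id and the browser is
    redirected to the account page. On failure every error is queued on
    ``request.messages``, the status is set to 400 and the submitted fields
    are returned for the template.
    """
    ## TODO: seriously needs refactoring

    _ = request.translate
    if request.method != 'POST':
        return {}
    errors = []

    username = request.POST.get('username')
    password = request.POST.get('password')
    password2 = request.POST.get('password2')
    email = request.POST.get('email')

    if not User.validate_username(username):
        errors.append(_('Invalid username.'))
    if not User.validate_password(password):
        errors.append(_('Invalid password.'))
    if email and not User.validate_email(email):
        errors.append(_('Invalid email address.'))
    if password != password2:
        errors.append(_('Both passwords do not match.'))

    # Validation uses ordinary control flow rather than `assert`: asserts
    # are compiled out under `python -O`, which would let invalid or
    # duplicate accounts through unchecked.
    if not errors:
        # The duplicate lookup only runs on syntactically valid input.
        used = User.is_used(username, email)
        if used[0] > 0:
            errors.append(_('Username already registered.'))
        if used[1] > 0 and email:
            errors.append(_('E-mail address already registered.'))

    if errors:
        for error in errors:
            request.messages.error(error)
        fields = ('username', 'password', 'password2', 'email')
        request.response.status_code = HTTPBadRequest.code
        # .get(): a field the client left out (e-mail is optional) must not
        # turn the error page into an unhandled KeyError.
        # NOTE(review): the submitted passwords are handed back to the
        # template. Confirm the template does not echo them into the page.
        return {k: request.POST.get(k, '') for k in fields}

    with transaction.manager:
        u = User(username=username, email=email, password=password)
        if request.referrer:
            u.referrer_id = request.referrer.id
        DBSession.add(u)
        # Flush so u.id is available for the default profile and session.
        DBSession.flush()
        dp = Profile(uid=u.id, name='')
        DBSession.add(dp)
        request.session['uid'] = u.id
    return HTTPSeeOther(location=request.route_url('account'))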
Exemple #15
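def signup(request):
    """Create an account from the signup form and log the new user in.

    A non-POST request renders the empty form (``{}``). On POST the
    username, password and optional e-mail are validated and checked for
    duplicates. On success a ``User`` and its unnamed default ``Profile``
    are created, the session is bound to the new user id and the browser is
    redirected to the account page. On failure every error is queued on
    ``request.messages``, the status is set to 400 and the submitted fields
    are returned for the template.
    """
    ## TODO: seriously needs refactoring

    _ = request.translate
    if request.method != 'POST':
        return {}
    errors = []

    username = request.POST.get('username')
    password = request.POST.get('password')
    password2 = request.POST.get('password2')
    email = request.POST.get('email')

    if not User.validate_username(username):
        errors.append(_('Invalid username.'))
    if not User.validate_password(password):
        errors.append(_('Invalid password.'))
    if email and not User.validate_email(email):
        errors.append(_('Invalid email address.'))
    if password != password2:
        errors.append(_('Both passwords do not match.'))

    # Validation uses ordinary control flow rather than `assert`: asserts
    # are compiled out under `python -O`, which would let invalid or
    # duplicate accounts through unchecked.
    if not errors:
        # The duplicate lookup only runs on syntactically valid input.
        used = User.is_used(username, email)
        if used[0] > 0:
            errors.append(_('Username already registered.'))
        if used[1] > 0 and email:
            errors.append(_('E-mail address already registered.'))

    if errors:
        for error in errors:
            request.messages.error(error)
        fields = ('username', 'password', 'password2', 'email')
        request.response.status_code = HTTPBadRequest.code
        # .get(): a field the client left out (e-mail is optional) must not
        # turn the error page into an unhandled KeyError.
        # NOTE(review): the submitted passwords are handed back to the
        # template. Confirm the template does not echo them into the page.
        return {k: request.POST.get(k, '') for k in fields}

    with transaction.manager:
        u = User(username=username, email=email, password=password)
        if request.referrer:
            u.referrer_id = request.referrer.id
        DBSession.add(u)
        # Flush so u.id is available for the default profile and session.
        DBSession.flush()
        dp = Profile(uid=u.id, name='')
        DBSession.add(dp)
        request.session['uid'] = u.id
    return HTTPSeeOther(location=request.route_url('account'))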
Exemple #16
def tickets_new(request):
    """Open a support ticket with its first message.

    A non-POST request, or a POST missing ``subject`` or ``message``,
    renders the empty form (``{}``). A subject outside 1..40 characters or
    a message outside 1..2000 characters queues errors and returns the
    submitted values. Otherwise the ticket and message are stored and the
    browser is redirected to the ticket page.
    """
    _ = request.translate

    if request.method != 'POST':
        return {}

    form = request.POST
    try:
        subject, body = form['subject'], form['message']
    except KeyError:
        return {}
    subscribe = 'subscribe' in form

    # Length limits are in characters (len() of the submitted strings).
    subject_len, body_len = len(subject), len(body)
    problems = []
    if subject_len == 0:
        problems.append(_('Subject empty'))
    elif subject_len > 40:
        problems.append(_('Subject too long'))
    if body_len == 0:
        problems.append(_('Message empty'))
    elif body_len > 2000:
        problems.append(_('Message too long'))

    if problems:
        for text in problems:
            request.messages.error(text)
        return {'subject': subject, 'message': body}

    # NOTE(review): subject and message are stored exactly as submitted.
    # Escaping is left to whatever renders them; confirm the templates do.
    ticket = Ticket()
    ticket.user_id = request.user.id
    ticket.subject = subject
    ticket.notify_owner = subscribe
    DBSession.add(ticket)
    # Flush so ticket.id exists for the message row and the redirect.
    DBSession.flush()

    first_message = TicketMessage()
    first_message.ticket_id = ticket.id
    first_message.user_id = request.user.id
    first_message.content = body
    DBSession.add(first_message)

    return HTTPSeeOther(location=request.route_url('tickets_view', id=ticket.id))
Exemple #17
def tickets_new(request):
    """Create a ticket and its opening message from the submitted form.

    Returns ``{}`` for non-POST requests and for POSTs that lack
    ``subject`` or ``message``. When the subject is empty or longer than 40
    characters, or the message is empty or longer than 2000, the errors are
    queued and the submitted values are returned. On success the browser is
    redirected to the new ticket.
    """
    _ = request.translate

    if request.method != 'POST':
        return {}

    try:
        subject = request.POST['subject']
        body = request.POST['message']
    except KeyError:
        return {}
    wants_notifications = 'subscribe' in request.POST

    found = []
    # Subject: required, at most 40 characters.
    if not len(subject):
        found.append(_('Subject empty'))
    if len(subject) > 40:
        found.append(_('Subject too long'))
    # Message: required, at most 2000 characters.
    if not len(body):
        found.append(_('Message empty'))
    if len(body) > 2000:
        found.append(_('Message too long'))

    if found:
        for complaint in found:
            request.messages.error(complaint)
        return {'subject': subject, 'message': body}

    # NOTE(review): the text is persisted unmodified. Output escaping is
    # presumably done by the templates; confirm.
    new_ticket = Ticket()
    new_ticket.user_id = request.user.id
    new_ticket.subject = subject
    new_ticket.notify_owner = wants_notifications

    DBSession.add(new_ticket)
    # The ticket id needed below is assigned by the flush.
    DBSession.flush()

    opening = TicketMessage()
    opening.ticket_id = new_ticket.id
    opening.user_id = request.user.id
    opening.content = body
    DBSession.add(opening)

    target = request.route_url('tickets_view', id=new_ticket.id)
    return HTTPSeeOther(location=target)
Exemple #18
    def post_item(self):
        """Save the admin form into an existing or a new model row.

        A non-empty ``id`` field selects the row to update. When it is
        absent, empty, or matches nothing, a fresh ``self.model()`` is
        created. The session is rolled back if applying the form fails,
        and the exception propagates.
        """
        form = self.request.POST
        item = None
        if 'id' in form and form['id'] != '':
            # NOTE(review): the result of get_item() is discarded and the
            # row is looked up again right below. The call is kept only in
            # case it has side effects (e.g. raising on a bad id); confirm.
            self.get_item(form['id'])
            item_id = form['id']
            item = DBSession.query(self.model).filter_by(id=item_id).first()

        if not item:
            # NOTE(review): an id that matches nothing silently becomes a
            # create. Confirm that is what the admin UI expects.
            item = self.model()
            DBSession.add(item)

        try:
            self.assign_from_form(item)
        except BaseException:
            # Undo the pending add or changes, then let the error surface.
            DBSession.rollback()
            raise

        DBSession.flush()
        self.request.session.flash(('info', 'Saved!'))
        # The list route is derived from the model's class name.
        list_route = 'admin_' + self.model.__name__.lower() + 's'
        return HTTPSeeOther(
            location=self.request.route_url(list_route,
                                            _query={'id': item.id}))
Exemple #19
def api_gateway_connect(request):
    """Record a VPN session reported by a gateway for ``user[/profile]``.

    Expects ``username``, ``remote_addr``, ``internal_ip4`` and
    ``internal_ip6`` in the POST body. Responds 400 when any is missing,
    403 when the account is unknown, inactive or unpaid, or when the named
    profile does not belong to that user, and 200 with an empty JSON
    object otherwise.
    """
    try:
        fullname = request.POST['username']
        client_addr = request.POST['remote_addr']
        tunnel_ip4 = request.POST['internal_ip4']
        tunnel_ip6 = request.POST['internal_ip6']
    except KeyError:
        # The message predates the internal_ip4/internal_ip6 fields and
        # does not name them.
        return HTTPBadRequest('Require username/remote_addr')

    # "user/profile" selects a named profile; a bare name selects none.
    username, separator, profilename = fullname.partition('/')
    if not separator:
        profilename = None

    user = DBSession.query(User).filter_by(username=username).first()
    if not (user and user.is_active and user.is_paid):
        # One message for every failure mode, so the caller cannot tell
        # an unknown account from an unpaid one.
        return HTTPForbidden('Invalid account')

    # NOTE(review): the three addresses are stored exactly as sent, with
    # no format check. request.gw is presumably set by gateway
    # authentication upstream; confirm the values are trusted.
    sess = VPNSession()
    sess.user_id = user.id
    sess.gateway_id = request.gw.id
    sess.gateway_version = request.gw_version
    sess.remote_addr = client_addr
    sess.internal_ip4 = tunnel_ip4
    sess.internal_ip6 = tunnel_ip6

    if profilename:
        # The uid filter keeps one user from attaching another's profile.
        owned_profile = DBSession.query(Profile) \
                                 .filter_by(name=profilename, uid=user.id) \
                                 .first()
        if not owned_profile:
            return HTTPForbidden('Unknown profile')
        sess.profile_id = owned_profile.id

    DBSession.add(sess)

    # No connection parameters are returned yet; the body is "{}".
    response_params = {}
    return HTTPOk(body=json.dumps(response_params))
Exemple #20
    def post(self, request):
        """Save the posted form into ``self.item`` and redirect to self.

        With ``self.id`` set the row is looked up and handed to
        ``post_edit``; a new ``self.model()`` is used if nothing matches.
        Without an id a new instance goes through ``post_add``.
        """
        if not self.id:
            self.item = self.model()
            self.post_add(request)
        else:
            lookup = DBSession.query(self.model).filter_by(id=self.id)
            # Add one filter per AdminBaseModel ancestor in the resource
            # tree, stopping at the first ancestor of another kind.
            # NOTE(review): each filter compares the ancestor's own id
            # column and no join to the child table is visible here, so it
            # may not prove the item belongs to that ancestor. Verify.
            ancestor = self.parent
            while ancestor and isinstance(ancestor, AdminBaseModel):
                lookup = lookup.filter(ancestor.model.id == ancestor.id)
                ancestor = ancestor.parent
            # NOTE(review): an id that matches nothing silently turns the
            # edit into a create.
            self.item = lookup.first() or self.model()
            self.post_edit(request)

        DBSession.add(self.item)
        DBSession.flush()

        request.messages.info('Saved!')

        # Build the URL first, then expire all loaded session state.
        target = request.resource_url(self)
        DBSession.expire_all()
        return HTTPSeeOther(location=target)
Exemple #21
    def post(self, request):
        """Apply the posted form to ``self.item``, then redirect to self.

        An existing row (``self.id`` set) goes through ``post_edit``. A
        missing id, or an id that matches no row, produces a fresh
        ``self.model()``; the former goes through ``post_add``.
        """
        if self.id:
            row_query = DBSession.query(self.model).filter_by(id=self.id)
            # Climb the resource tree and add a filter for every
            # AdminBaseModel node until a different kind of parent appears.
            # NOTE(review): the filters reference the parent's id column
            # only. Without a join condition (none is visible here) they
            # presumably do not tie the row to its parent. Verify.
            node = self.parent
            while node and isinstance(node, AdminBaseModel):
                row_query = row_query.filter(node.model.id == node.id)
                node = node.parent
            found = row_query.first()
            # NOTE(review): no match falls back to a new instance.
            self.item = found or self.model()
            self.post_edit(request)
        else:
            self.item = self.model()
            self.post_add(request)

        DBSession.add(self.item)
        DBSession.flush()

        request.messages.info('Saved!')

        # The URL is computed before the session state is expired.
        redirect_to = request.resource_url(self)
        DBSession.expire_all()
        return HTTPSeeOther(location=redirect_to)
Exemple #22
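def order_post(request):
    """Handle the order form: redeem a gift code or start a payment.

    A non-empty ``code`` field is delegated to ``order_post_gc``. Otherwise
    ``method`` must name an entry of ``methods.METHODS`` and ``time`` must
    be 1, 3, 6 or 12 months. Anything else is answered with 400.
    """
    code = request.POST.get('code')
    if code:
        return order_post_gc(request, code)

    times = (1, 3, 6, 12)
    method_name = request.POST.get('method')
    try:
        time_months = int(request.POST.get('time'))
    except (ValueError, TypeError):
        # TypeError: the 'time' field is absent and int(None) fails. It
        # used to escape as an unhandled error instead of a 400.
        return HTTPBadRequest('invalid POST data')
    if method_name not in methods.METHODS or time_months not in times:
        return HTTPBadRequest('Invalid method/time')

    # A "month" is billed as a flat 30 days.
    time = datetime.timedelta(days=30 * time_months)
    # amount and method start at 0 here (presumably placeholders that
    # method.init() fills in; confirm).
    o = Order(user=request.user, time=time, amount=0, method=0)
    # An unpaid order is given a close date seven days from now.
    o.close_date = datetime.datetime.now() + datetime.timedelta(days=7)
    o.paid = False
    o.payment = {}
    method = methods.METHODS[method_name]()
    method.init(request, o)
    DBSession.add(o)
    DBSession.flush()
    return method.start(request, o)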
Exemple #23
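class _AccountFormRejected(Exception):
    """Raised inside account_post when the collected errors must be shown."""


def account_post(request):
    """Handle the account form: add a profile, delete one, or update login.

    Exactly one action runs per request, chosen by which field is present:
    ``profilename`` (create), ``profiledelete`` (delete), otherwise the
    password and e-mail update. Validation errors are flashed and the
    account page is rendered again. A missing required field, or a
    non-numeric profile id, is answered with 400.
    """
    _ = request.translate
    # TODO: Fix that. split in two functions or something.
    errors = []
    try:
        # Validation failures raise an explicit exception instead of using
        # `assert`: asserts are compiled out under `python -O`, which would
        # skip every check below.
        if 'profilename' in request.POST:
            p = Profile()
            if not p.validate_name(request.POST['profilename']):
                errors.append(_('Invalid name.'))
                raise _AccountFormRejected()
            name_used = DBSession.query(Profile) \
                .filter_by(uid=request.user.id,
                           name=request.POST['profilename']) \
                .first()
            if name_used:
                errors.append(_('Name already used.'))
            profiles_count = DBSession.query(func.count(Profile.id)) \
                .filter_by(uid=request.user.id).scalar()
            if profiles_count > 10:
                errors.append(_('You have too many profiles.'))
            if errors:
                raise _AccountFormRejected()
            p.name = request.POST['profilename']
            p.askpw = 'askpw' in request.POST and request.POST['askpw'] == '1'
            p.uid = request.user.id
            if not p.askpw:
                # Profiles that do not ask for a password get a random one.
                p.password = random_access_token()
            DBSession.add(p)
            DBSession.flush()
            return account(request)

        if 'profiledelete' in request.POST:
            try:
                profile_id = int(request.POST['profiledelete'])
            except ValueError:
                # A non-numeric id is malformed input, treated like a
                # missing field rather than left as an unhandled error.
                return HTTPBadRequest()
            # The uid filter restricts deletion to the caller's profiles.
            p = DBSession.query(Profile) \
                .filter_by(id=profile_id) \
                .filter_by(uid=request.user.id) \
                .first()
            if not p:
                errors.append(_('Unknown profile.'))
                raise _AccountFormRejected()
            DBSession.delete(p)
            DBSession.flush()
            return account(request)

        # NOTE(review): password and e-mail are changed without asking for
        # the current password. Confirm that re-authentication (and CSRF
        # protection) is enforced elsewhere.
        u = request.user
        if request.POST['password'] != '':
            if not u.validate_password(request.POST['password']):
                errors.append(_('Invalid password.'))
            if request.POST['password'] != request.POST['password2']:
                errors.append(_('Both passwords do not match.'))
        if request.POST['email'] != '':
            if not u.validate_email(request.POST['email']):
                errors.append(_('Invalid email address.'))
        if errors:
            raise _AccountFormRejected()

        new_email = request.POST.get('email')
        if new_email and new_email != request.user.email:
            c = DBSession.query(func.count(User.id).label('ec')) \
                .filter_by(email=new_email).first()
            if c.ec > 0:
                errors.append(_('E-mail address already registered.'))
        if errors:
            raise _AccountFormRejected()
        if request.POST['password'] != '':
            u.set_password(request.POST['password'])
        if request.POST['email'] != '':
            u.email = request.POST['email']
        request.messages.info(_('Saved!'))
        DBSession.flush()

    except KeyError:
        # A required form field is missing.
        return HTTPBadRequest()
    except _AccountFormRejected:
        for error in errors:
            request.session.flash(('error', error))
    return account(request)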
Exemple #24
 def setUp(self):
     """Create the test configuration and a database holding one user."""
     self.config = testing.setUp()
     self.session = setup_database()
     # The single account (with an e-mail address) these tests run against.
     account_fields = dict(username='******', email='test@host',
                           password='******')
     DBSession.add(User(**account_fields))
     self.session.flush()
Exemple #25
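def tickets_view(request):
    """Show a ticket and handle replies, closing and subscription changes.

    Non-admin users can only load their own tickets; anything else is a
    404. A non-POST request renders the ticket. On POST a non-empty
    ``message`` is stored as a reply, which re-opens a closed ticket and
    may notify the owner by mail. ``subscribe`` updates the owner's
    notification flag and ``close`` closes the ticket.
    """
    _ = request.translate

    ticket_id = request.matchdict.get('id')
    try:
        ticket_q = DBSession.query(Ticket).filter_by(id=ticket_id)
        if not request.user.is_admin:
            # Ownership is part of the lookup, so a foreign ticket looks
            # exactly like a missing one.
            ticket_q = ticket_q.filter_by(user_id=request.user.id)
        ticket = ticket_q.one()
    except NoResultFound:
        return HTTPNotFound()

    if request.method != 'POST':
        return {'ticket': ticket}

    redirect = HTTPSeeOther(
        location=request.route_url('tickets_view', id=ticket_id))

    try:
        body = request.POST['message']
    except KeyError:
        return redirect
    close = 'close' in request.POST
    subscribe = 'subscribe' in request.POST

    if body:
        # An empty body never reaches this branch, so only the upper bound
        # needs checking.
        if len(body) > 2000:
            request.messages.error(_('Message too long'))
            return {'ticket': ticket}

        reply = TicketMessage()
        reply.user_id = request.user.id
        reply.content = body
        reply.ticket_id = ticket.id
        DBSession.add(reply)

        # Test the `closed` flag. `ticket.close` is the method called
        # further down, so `if ticket.close:` was always true.
        if ticket.closed:
            # We re-open it
            ticket.closed = False

        # Mail the owner only when someone else replied and they opted in.
        notify = (ticket.notify_owner
                  and ticket.user_id != reply.user_id
                  and ticket.user.email)
        if notify:
            mailer = get_mailer(request)
            mail_body = render(
                'mail/tickets_updated.mako', {
                    'user': ticket.user,
                    'ticket': ticket,
                    'url': request.route_url('tickets_view', id=ticket.id),
                },
                request=request)
            mail = Message(subject=_('CCVPN: Ticket update'),
                           recipients=[ticket.user.email],
                           body=mail_body)
            mailer.send(mail)

    # Only the ticket's owner can change the notification preference.
    if request.user.id == ticket.user_id:
        ticket.notify_owner = subscribe

    if not ticket.closed and close:
        ticket.close()

    return redirect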
Exemple #26
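def tickets_view(request):
    """Show a ticket and handle replies, closing and subscription changes.

    Non-admin users can only load their own tickets; anything else is a
    404. A non-POST request renders the ticket. On POST a non-empty
    ``message`` is stored as a reply, which re-opens a closed ticket and
    may notify the owner by mail. ``subscribe`` updates the owner's
    notification flag and ``close`` closes the ticket.
    """
    _ = request.translate

    ticket_id = request.matchdict.get('id')
    try:
        ticket_q = DBSession.query(Ticket).filter_by(id=ticket_id)
        if not request.user.is_admin:
            # Ownership is part of the lookup, so a foreign ticket looks
            # exactly like a missing one.
            ticket_q = ticket_q.filter_by(user_id=request.user.id)
        ticket = ticket_q.one()
    except NoResultFound:
        return HTTPNotFound()

    if request.method != 'POST':
        return {'ticket': ticket}

    redirect = HTTPSeeOther(
        location=request.route_url('tickets_view', id=ticket_id))

    try:
        body = request.POST['message']
    except KeyError:
        return redirect
    close = 'close' in request.POST
    subscribe = 'subscribe' in request.POST

    if body:
        # An empty body never reaches this branch, so only the upper bound
        # needs checking.
        if len(body) > 2000:
            request.messages.error(_('Message too long'))
            return {'ticket': ticket}

        reply = TicketMessage()
        reply.user_id = request.user.id
        reply.content = body
        reply.ticket_id = ticket.id
        DBSession.add(reply)

        # Test the `closed` flag. `ticket.close` is the method called
        # further down, so `if ticket.close:` was always true.
        if ticket.closed:
            # We re-open it
            ticket.closed = False

        # Mail the owner only when someone else replied and they opted in.
        notify = (ticket.notify_owner
                  and ticket.user_id != reply.user_id
                  and ticket.user.email)
        if notify:
            mailer = get_mailer(request)
            mail_body = render('mail/tickets_updated.mako', {
                'user': ticket.user,
                'ticket': ticket,
                'url': request.route_url('tickets_view', id=ticket.id),
            }, request=request)
            mail = Message(subject=_('CCVPN: Ticket update'),
                           recipients=[ticket.user.email],
                           body=mail_body)
            mailer.send(mail)

    # Only the ticket's owner can change the notification preference.
    if request.user.id == ticket.user_id:
        ticket.notify_owner = subscribe

    if not ticket.closed and close:
        ticket.close()

    return redirect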
Exemple #27
    def setUp(self):
        """Extend the base fixture with one user that has an e-mail address.

        ``self.session`` is presumably provided by the parent ``setUp``.
        """
        super().setUp()

        account_fields = dict(username='******', email='test@host',
                              password='******')
        DBSession.add(User(**account_fields))
        self.session.flush()
Exemple #28
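class _AccountFormRejected(Exception):
    """Raised inside account_post when the collected errors must be shown."""


def account_post(request):
    """Handle the account form: add a profile, delete one, or update login.

    Exactly one action runs per request, chosen by which field is present:
    ``profilename`` (create), ``profiledelete`` (delete), otherwise the
    password and e-mail update. Validation errors are flashed and the
    account page is rendered again. A missing required field, or a
    non-numeric profile id, is answered with 400.
    """
    # TODO: Fix that. split in two functions or something.
    errors = []
    try:
        # Validation failures raise an explicit exception instead of using
        # `assert`: asserts are compiled out under `python -O`, which would
        # skip every check below.
        if 'profilename' in request.POST:
            p = Profile()
            if not p.validate_name(request.POST['profilename']):
                errors.append('Invalid name.')
                raise _AccountFormRejected()
            name_used = DBSession.query(Profile) \
                .filter_by(uid=request.user.id,
                           name=request.POST['profilename']) \
                .first()
            if name_used:
                errors.append('Name already used.')
            profiles_count = DBSession.query(func.count(Profile.id)) \
                .filter_by(uid=request.user.id).scalar()
            if profiles_count > 10:
                errors.append('You have too many profiles.')
            if errors:
                raise _AccountFormRejected()
            p.name = request.POST['profilename']
            p.askpw = 'askpw' in request.POST and request.POST['askpw'] == '1'
            p.uid = request.user.id
            if not p.askpw:
                # Profiles that do not ask for a password get a random one.
                p.password = random_access_token()
            DBSession.add(p)
            DBSession.flush()
            return account(request)

        if 'profiledelete' in request.POST:
            try:
                profile_id = int(request.POST['profiledelete'])
            except ValueError:
                # A non-numeric id is malformed input, treated like a
                # missing field rather than left as an unhandled error.
                return HTTPBadRequest()
            # The uid filter restricts deletion to the caller's profiles.
            p = DBSession.query(Profile) \
                .filter_by(id=profile_id) \
                .filter_by(uid=request.user.id) \
                .first()
            if not p:
                errors.append('Unknown profile.')
                raise _AccountFormRejected()
            DBSession.delete(p)
            DBSession.flush()
            return account(request)

        # NOTE(review): password and e-mail are changed without asking for
        # the current password. Confirm that re-authentication (and CSRF
        # protection) is enforced elsewhere.
        u = request.user
        if request.POST['password'] != '':
            if not u.validate_password(request.POST['password']):
                errors.append('Invalid password.')
            if request.POST['password'] != request.POST['password2']:
                errors.append('Both passwords do not match.')
        if request.POST['email'] != '':
            if not u.validate_email(request.POST['email']):
                errors.append('Invalid email address.')
        if errors:
            raise _AccountFormRejected()

        new_email = request.POST.get('email')
        if new_email and new_email != request.user.email:
            c = DBSession.query(func.count(User.id).label('ec')) \
                .filter_by(email=new_email).first()
            if c.ec > 0:
                errors.append('E-mail address already registered.')
        if errors:
            raise _AccountFormRejected()
        if request.POST['password'] != '':
            u.set_password(request.POST['password'])
        if request.POST['email'] != '':
            u.email = request.POST['email']
        request.session.flash(('info', 'Saved!'))
        DBSession.flush()

    except KeyError:
        # A required form field is missing.
        return HTTPBadRequest()
    except _AccountFormRejected:
        for error in errors:
            request.session.flash(('error', error))
    return account(request)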
Exemple #29
 def setUp(self):
     """Prepare the test configuration and a database with a single user."""
     self.config = testing.setUp()
     self.session = setup_database()
     # One account with an e-mail address; flushed so queries can see it.
     fixture_user = User(username='******', email='test@host', password='******')
     DBSession.add(fixture_user)
     self.session.flush()
Exemple #30
 def setUp(self):
     """Prepare the test configuration and add one user in a transaction."""
     self.config = testing.setUp()
     self.session = setup_database()
     with transaction.manager:
         # One account with an e-mail address, added inside the transaction.
         fixture_user = User(username='******', email='test@host', password='******')
         DBSession.add(fixture_user)
Exemple #31
    def setUp(self):
        """Add one user with an e-mail address on top of the parent fixture.

        ``self.session`` is presumably provided by the parent ``setUp``.
        """
        super().setUp()

        fixture_user = User(username='******', email='test@host', password='******')
        DBSession.add(fixture_user)
        # Flush so the row is visible to queries made by the tests.
        self.session.flush()