def _validate_users(self, ctx, form, data, userpw_dict):
fda = formalutils.FormDataAccessor(form, ['userlist_group'], ctx)
ui_root = helpers.get_ui_config()
# user list validation
idx = 0
users = []
while True:
fda_user = fda.descend(str(idx))
if len(fda_user.keys()) == 0:
break
users.append(fda_user)
idx += 1
s2s_server_usernames = []
if ui_root.hasS(ns_ui.siteToSiteConnections):
for s2s_conn in ui_root.getS(ns_ui.siteToSiteConnections, rdf.Seq(rdf.Type(ns_ui.SiteToSiteConnection))):
if s2s_conn.hasS(ns_ui.mode) and s2s_conn.getS(ns_ui.mode, rdf.String) == 'server' and s2s_conn.hasS(ns_ui.username):
s2s_server_usernames.append(s2s_conn.getS(ns_ui.username, rdf.String))
usernames_found = []
fixed_ips_found = []
for fda_user_index, fda_user in enumerate(users):
# username checks
if fda_user.has_key('username'):
if not uihelpers.check_ppp_username_characters(fda_user['username']):
fda_user.add_error('username', 'Invalid characters')
else:
username = fda_user['username']
if username in usernames_found:
fda_user.add_error('username', 'Duplicate username')
elif username in s2s_server_usernames:
fda_user.add_error('username', 'Duplicate username (already a site-to-site server-mode connection of that name)')
elif len(username) > constants.MAX_USERNAME_LENGTH:
fda_user.add_error('username', 'Username too long')
else:
usernames_found.append(username)
# password chars
if fda_user.has_key('password') and (fda_user['password'] is not None):
if not uihelpers.check_ppp_password_characters(fda_user['password']):
fda_user.add_error('password', 'Invalid characters')
elif len(fda_user['password']) > constants.MAX_PASSWORD_LENGTH:
fda_user.add_error('password', 'Password too long')
# Password is a bit tricky; admin may have changed a username and we don't have
# any permanent user identifiers that allow us to identify this as the same user
# and keep its password despite the name change. So, we require either that the
# password is set, or that a user previously existed with this username (changed
# or not !) and use the old password.
if fda_user.has_key('username') and (fda_user['username'] is not None) and \
(not fda_user.has_key('password') or fda_user['password'] is None or fda_user['password'] == ''):
username = fda_user['username']
if userpw_dict.has_key(username):
# all ok
pass
else:
fda_user.add_error('password', 'Required for new users')
# fixed ip checks
# XXX: we could also check that the fixed IP is from the
# PPP subnet to try to prevent admin configuration errors,
# but this would be too restrictive and is currently not
# done: a warning would help here.
if fda_user.has_key('fixed_ip') and (fda_user['fixed_ip'] is not None) and (fda_user['fixed_ip'] != ''):
fixed_ip_errors = False
fixed_ip = fda_user['fixed_ip']
iprange = ui_root.getS(ns_ui.clientAddressRange, rdf.IPv4AddressRange)
pppsubnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)
# The fixed IP may not overlap with other users fixed IP addresses
if fixed_ip.toString() in fixed_ips_found:
fda_user.add_error('fixed_ip', 'Duplicate fixed IP address')
fixed_ip_errors = True
# Check restricted addresses inside PPP subnet
if pppsubnet.inSubnet(fixed_ip):
# The fixed IP must not be from the PPP address range (dynamic allocation pool)
if iprange.inRange(fixed_ip):
fda_user.add_error('fixed_ip', 'Overlaps with client address range')
fixed_ip_errors = True
if fixed_ip < pppsubnet.getFirstUsableAddress():
fda_user.add_error('fixed_ip', 'First address of the client subnet prohibited')
fixed_ip_errors = True
elif fixed_ip == pppsubnet.getLastUsableAddress():
fda_user.add_error('fixed_ip', 'Last usable address of the client subnet prohibited')
fixed_ip_errors = True
elif fixed_ip > pppsubnet.getLastUsableAddress():
fda_user.add_error('fixed_ip', 'Last address of the client subnet prohibited')
fixed_ip_errors = True
if not fixed_ip_errors:
fixed_ips_found.append(fixed_ip.toString())
def _validate(self, ctx, form, data):
fda = formalutils.FormDataAccessor(form, ['s2s_connections'], ctx)
# Get some useful stuff for validation
ui_root = helpers.get_ui_config()
pub_iface, pub_addr_subnet = None, None
if ui_root.hasS(ns_ui.internetConnection):
pub_iface = ui_root.getS(ns_ui.internetConnection, rdf.Type(ns_ui.NetworkConnection))
pub_addr = pub_iface.getS(ns_ui.address)
if pub_addr.hasType(ns_ui.StaticAddress):
pub_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(pub_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(), pub_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString())
priv_iface, priv_addr_subnet = None, None
if ui_root.hasS(ns_ui.privateNetworkConnection):
priv_iface = ui_root.getS(ns_ui.privateNetworkConnection, rdf.Type(ns_ui.NetworkConnection))
priv_addr = priv_iface.getS(ns_ui.address)
if priv_addr.hasType(ns_ui.StaticAddress):
priv_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(priv_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(), priv_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString())
ppp_subnet = None
if ui_root.hasS(ns_ui.clientSubnet):
ppp_subnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)
# Validate individual site-to-site connections
idx = 0
conns = []
while True:
fda_conn = fda.descend(str(idx))
if len(fda_conn.keys()) == 0:
break
conns.append(fda_conn)
idx += 1
remote_access_usernames = []
if ui_root.hasS(ns_ui.users):
for user in ui_root.getS(ns_ui.users, rdf.Seq(rdf.Type(ns_ui.User))):
if user.hasS(ns_ui.username):
remote_access_usernames.append(user.getS(ns_ui.username, rdf.String))
s2s_server_usernames_found = []
for fda_conn_index, fda_conn in enumerate(conns):
if fda_conn.has_key('s2s_username'):
if not uihelpers.check_ppp_username_characters(fda_conn['s2s_username']):
fda_conn.add_error('s2s_username', 'Invalid characters')
elif len(fda_conn['s2s_username']) > constants.MAX_USERNAME_LENGTH:
fda_conn.add_error('s2s_username', 'Username too long')
if fda_conn.has_key('s2s_password'):
if not uihelpers.check_ppp_password_characters(fda_conn['s2s_password']):
fda_conn.add_error('s2s_password', 'Invalid characters')
elif len(fda_conn['s2s_password']) > constants.MAX_PASSWORD_LENGTH:
fda_conn.add_error('s2s_password', 'Password too long')
if fda_conn.has_key('s2s_mode'):
mode = fda_conn['s2s_mode']
if mode == 'client':
# psk and server address are mandatory for client
if not fda_conn.has_key('s2s_psk') or fda_conn['s2s_psk'] == '' or fda_conn['s2s_psk'] is None:
fda_conn.add_error('s2s_psk', 'Required for initiator')
else:
if not uihelpers.check_preshared_key_characters(fda_conn['s2s_psk']):
fda_conn.add_error('s2s_psk', 'Invalid characters')
if not fda_conn.has_key('s2s_server') or fda_conn['s2s_server'] == '' or fda_conn['s2s_server'] is None:
fda_conn.add_error('s2s_server', 'Required for initiator')
else:
if not uihelpers.check_dns_name_characters(fda_conn['s2s_server']):
fda_conn.add_error('s2s_server', 'Invalid characters')
else: # server
# must not have duplicate server-mode names; client mode names may be duplicates
if fda_conn.has_key('s2s_username'):
username = fda_conn['s2s_username']
if username in s2s_server_usernames_found:
fda_conn.add_error('s2s_username', 'Duplicate username for server mode connection')
elif username in remote_access_usernames:
fda_conn.add_error('s2s_username', 'Duplicate username for server mode connection (already a user with that name)')
else:
s2s_server_usernames_found.append(fda_conn['s2s_username'])
# check subnets
if fda_conn.has_key('s2s_subnets'):
subnets = fda_conn['s2s_subnets']
# check that list doesn't contain overlap inside itself
overlap_inside_list = False
for i in xrange(len(subnets)):
for j in xrange(len(subnets)):
if i != j:
if subnets[i].overlapsWithSubnet(subnets[j]):
overlap_inside_list = True
if overlap_inside_list:
fda_conn.add_warning('s2s_subnets', 'Subnets in list overlap')
# check that no element of list overlaps with any other subnet of any other site-to-site connection
overlap_with_other = False
for subnet in subnets:
for other_conn_index, other_conn in enumerate(conns):
if other_conn.has_key('s2s_subnets') and other_conn_index != fda_conn_index:
for other_subnet in other_conn['s2s_subnets']:
if subnet.overlapsWithSubnet(other_subnet):
overlap_with_other = True
if overlap_with_other:
fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with other connections')
# check overlap against public interface
if pub_addr_subnet is not None:
if subnet.overlapsWithSubnet(pub_addr_subnet.getSubnet()):
fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with Internet connection subnet')
# check overlap against private interface
if priv_addr_subnet is not None:
if subnet.overlapsWithSubnet(priv_addr_subnet.getSubnet()):
fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with private network connection subnet')
# check overlap against ppp subnet
if ppp_subnet is not None:
if subnet.overlapsWithSubnet(ppp_subnet):
fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with client subnet')
def _validate_users(self, ctx, form, data, userpw_dict):
fda = formalutils.FormDataAccessor(form, ['userlist_group'], ctx)
ui_root = helpers.get_ui_config()
# user list validation
idx = 0
users = []
while True:
fda_user = fda.descend(str(idx))
if len(fda_user.keys()) == 0:
break
users.append(fda_user)
idx += 1
s2s_server_usernames = []
if ui_root.hasS(ns_ui.siteToSiteConnections):
for s2s_conn in ui_root.getS(
ns_ui.siteToSiteConnections,
rdf.Seq(rdf.Type(ns_ui.SiteToSiteConnection))):
if s2s_conn.hasS(ns_ui.mode) and s2s_conn.getS(
ns_ui.mode, rdf.String) == 'server' and s2s_conn.hasS(
ns_ui.username):
s2s_server_usernames.append(
s2s_conn.getS(ns_ui.username, rdf.String))
usernames_found = []
fixed_ips_found = []
for fda_user_index, fda_user in enumerate(users):
# username checks
if fda_user.has_key('username'):
if not uihelpers.check_ppp_username_characters(
fda_user['username']):
fda_user.add_error('username', 'Invalid characters')
else:
username = fda_user['username']
if username in usernames_found:
fda_user.add_error('username', 'Duplicate username')
elif username in s2s_server_usernames:
fda_user.add_error(
'username',
'Duplicate username (already a site-to-site server-mode connection of that name)'
)
elif len(username) > constants.MAX_USERNAME_LENGTH:
fda_user.add_error('username', 'Username too long')
else:
usernames_found.append(username)
# password chars
if fda_user.has_key('password') and (fda_user['password']
is not None):
if not uihelpers.check_ppp_password_characters(
fda_user['password']):
fda_user.add_error('password', 'Invalid characters')
elif len(fda_user['password']) > constants.MAX_PASSWORD_LENGTH:
fda_user.add_error('password', 'Password too long')
# Password is a bit tricky; admin may have changed a username and we don't have
# any permanent user identifiers that allow us to identify this as the same user
# and keep its password despite the name change. So, we require either that the
# password is set, or that a user previously existed with this username (changed
# or not !) and use the old password.
if fda_user.has_key('username') and (fda_user['username'] is not None) and \
(not fda_user.has_key('password') or fda_user['password'] is None or fda_user['password'] == ''):
username = fda_user['username']
if userpw_dict.has_key(username):
# all ok
pass
else:
fda_user.add_error('password', 'Required for new users')
# fixed ip checks
# XXX: we could also check that the fixed IP is from the
# PPP subnet to try to prevent admin configuration errors,
# but this would be too restrictive and is currently not
# done: a warning would help here.
if fda_user.has_key('fixed_ip') and (
fda_user['fixed_ip']
is not None) and (fda_user['fixed_ip'] != ''):
fixed_ip_errors = False
fixed_ip = fda_user['fixed_ip']
iprange = ui_root.getS(ns_ui.clientAddressRange,
rdf.IPv4AddressRange)
pppsubnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)
# The fixed IP may not overlap with other users fixed IP addresses
if fixed_ip.toString() in fixed_ips_found:
fda_user.add_error('fixed_ip',
'Duplicate fixed IP address')
fixed_ip_errors = True
# Check restricted addresses inside PPP subnet
if pppsubnet.inSubnet(fixed_ip):
# The fixed IP must not be from the PPP address range (dynamic allocation pool)
if iprange.inRange(fixed_ip):
fda_user.add_error(
'fixed_ip', 'Overlaps with client address range')
fixed_ip_errors = True
if fixed_ip < pppsubnet.getFirstUsableAddress():
fda_user.add_error(
'fixed_ip',
'First address of the client subnet prohibited')
fixed_ip_errors = True
elif fixed_ip == pppsubnet.getLastUsableAddress():
fda_user.add_error(
'fixed_ip',
'Last usable address of the client subnet prohibited'
)
fixed_ip_errors = True
elif fixed_ip > pppsubnet.getLastUsableAddress():
fda_user.add_error(
'fixed_ip',
'Last address of the client subnet prohibited')
fixed_ip_errors = True
if not fixed_ip_errors:
fixed_ips_found.append(fixed_ip.toString())
def _validate(self, ctx, form, data):
fda = formalutils.FormDataAccessor(form, ['s2s_connections'], ctx)
# Get some useful stuff for validation
ui_root = helpers.get_ui_config()
pub_iface, pub_addr_subnet = None, None
if ui_root.hasS(ns_ui.internetConnection):
pub_iface = ui_root.getS(ns_ui.internetConnection,
rdf.Type(ns_ui.NetworkConnection))
pub_addr = pub_iface.getS(ns_ui.address)
if pub_addr.hasType(ns_ui.StaticAddress):
pub_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(
pub_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(),
pub_addr.getS(ns_ui.subnetMask,
rdf.IPv4Address).toString())
priv_iface, priv_addr_subnet = None, None
if ui_root.hasS(ns_ui.privateNetworkConnection):
priv_iface = ui_root.getS(ns_ui.privateNetworkConnection,
rdf.Type(ns_ui.NetworkConnection))
priv_addr = priv_iface.getS(ns_ui.address)
if priv_addr.hasType(ns_ui.StaticAddress):
priv_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(
priv_addr.getS(ns_ui.ipAddress,
rdf.IPv4Address).toString(),
priv_addr.getS(ns_ui.subnetMask,
rdf.IPv4Address).toString())
ppp_subnet = None
if ui_root.hasS(ns_ui.clientSubnet):
ppp_subnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)
# Validate individual site-to-site connections
idx = 0
conns = []
while True:
fda_conn = fda.descend(str(idx))
if len(fda_conn.keys()) == 0:
break
conns.append(fda_conn)
idx += 1
remote_access_usernames = []
if ui_root.hasS(ns_ui.users):
for user in ui_root.getS(ns_ui.users,
rdf.Seq(rdf.Type(ns_ui.User))):
if user.hasS(ns_ui.username):
remote_access_usernames.append(
user.getS(ns_ui.username, rdf.String))
s2s_server_usernames_found = []
for fda_conn_index, fda_conn in enumerate(conns):
if fda_conn.has_key('s2s_username'):
if not uihelpers.check_ppp_username_characters(
fda_conn['s2s_username']):
fda_conn.add_error('s2s_username', 'Invalid characters')
elif len(fda_conn['s2s_username']
) > constants.MAX_USERNAME_LENGTH:
fda_conn.add_error('s2s_username', 'Username too long')
if fda_conn.has_key('s2s_password'):
if not uihelpers.check_ppp_password_characters(
fda_conn['s2s_password']):
fda_conn.add_error('s2s_password', 'Invalid characters')
elif len(fda_conn['s2s_password']
) > constants.MAX_PASSWORD_LENGTH:
fda_conn.add_error('s2s_password', 'Password too long')
if fda_conn.has_key('s2s_mode'):
mode = fda_conn['s2s_mode']
if mode == 'client':
# psk and server address are mandatory for client
if not fda_conn.has_key('s2s_psk') or fda_conn[
's2s_psk'] == '' or fda_conn['s2s_psk'] is None:
fda_conn.add_error('s2s_psk', 'Required for initiator')
else:
if not uihelpers.check_preshared_key_characters(
fda_conn['s2s_psk']):
fda_conn.add_error('s2s_psk', 'Invalid characters')
if not fda_conn.has_key('s2s_server') or fda_conn[
's2s_server'] == '' or fda_conn[
's2s_server'] is None:
fda_conn.add_error('s2s_server',
'Required for initiator')
else:
if not uihelpers.check_dns_name_characters(
fda_conn['s2s_server']):
fda_conn.add_error('s2s_server',
'Invalid characters')
else: # server
# must not have duplicate server-mode names; client mode names may be duplicates
if fda_conn.has_key('s2s_username'):
username = fda_conn['s2s_username']
if username in s2s_server_usernames_found:
fda_conn.add_error(
's2s_username',
'Duplicate username for server mode connection'
)
elif username in remote_access_usernames:
fda_conn.add_error(
's2s_username',
'Duplicate username for server mode connection (already a user with that name)'
)
else:
s2s_server_usernames_found.append(
fda_conn['s2s_username'])
# check subnets
if fda_conn.has_key('s2s_subnets'):
subnets = fda_conn['s2s_subnets']
# check that list doesn't contain overlap inside itself
overlap_inside_list = False
for i in xrange(len(subnets)):
for j in xrange(len(subnets)):
if i != j:
if subnets[i].overlapsWithSubnet(subnets[j]):
overlap_inside_list = True
if overlap_inside_list:
fda_conn.add_warning('s2s_subnets',
'Subnets in list overlap')
# check that no element of list overlaps with any other subnet of any other site-to-site connection
overlap_with_other = False
for subnet in subnets:
for other_conn_index, other_conn in enumerate(conns):
if other_conn.has_key(
's2s_subnets'
) and other_conn_index != fda_conn_index:
for other_subnet in other_conn['s2s_subnets']:
if subnet.overlapsWithSubnet(other_subnet):
overlap_with_other = True
if overlap_with_other:
fda_conn.add_warning(
's2s_subnets',
'Remote subnet(s) overlap with other connections')
# check overlap against public interface
if pub_addr_subnet is not None:
if subnet.overlapsWithSubnet(pub_addr_subnet.getSubnet()):
fda_conn.add_warning(
's2s_subnets',
'Remote subnet(s) overlap with Internet connection subnet'
)
# check overlap against private interface
if priv_addr_subnet is not None:
if subnet.overlapsWithSubnet(priv_addr_subnet.getSubnet()):
fda_conn.add_warning(
's2s_subnets',
'Remote subnet(s) overlap with private network connection subnet'
)
# check overlap against ppp subnet
if ppp_subnet is not None:
if subnet.overlapsWithSubnet(ppp_subnet):
fda_conn.add_warning(
's2s_subnets',
'Remote subnet(s) overlap with client subnet')