Esempio n. 1
    def _validate_users(self, ctx, form, data, userpw_dict):
        """Validate the submitted user list and attach per-field errors.

        For every row the method checks the username (character set,
        uniqueness against the other rows and against server-mode
        site-to-site connection names, length), the password (character
        set, length, and presence for names not in *userpw_dict*) and, if
        given, the fixed IP (uniqueness among rows and placement relative
        to the client subnet and its dynamic address pool).

        Args:
            ctx: Context handed to ``formalutils.FormDataAccessor``.
            form: The submitted form object.
            data: Submitted form data; not read by this method.
            userpw_dict: Existing usernames mapped to their stored
                passwords.  A row whose username is a key here may leave
                the password empty and the old password is used.

        Returns:
            None.  Findings are recorded on each row with ``add_error``.
        """
        accessor = formalutils.FormDataAccessor(form, ['userlist_group'], ctx)
        ui_root = helpers.get_ui_config()

        # Rows are addressed by their index as a string; the first index
        # that yields no keys at all terminates the list.
        user_rows = []
        row_no = 0
        while True:
            row = accessor.descend(str(row_no))
            if len(row.keys()) == 0:
                break
            user_rows.append(row)
            row_no += 1

        # Names of server-mode site-to-site connections; a user row with one
        # of these names is rejected as a duplicate below.
        reserved_s2s_names = []
        if ui_root.hasS(ns_ui.siteToSiteConnections):
            s2s_conns = ui_root.getS(ns_ui.siteToSiteConnections,
                                     rdf.Seq(rdf.Type(ns_ui.SiteToSiteConnection)))
            for conn in s2s_conns:
                if not conn.hasS(ns_ui.mode):
                    continue
                if conn.getS(ns_ui.mode, rdf.String) != 'server':
                    continue
                if conn.hasS(ns_ui.username):
                    reserved_s2s_names.append(conn.getS(ns_ui.username, rdf.String))

        seen_usernames = []
        seen_fixed_ips = []
        for row in user_rows:
            # --- username -------------------------------------------------
            if row.has_key('username'):
                name = row['username']
                if not uihelpers.check_ppp_username_characters(name):
                    row.add_error('username', 'Invalid characters')
                elif name in seen_usernames:
                    row.add_error('username', 'Duplicate username')
                elif name in reserved_s2s_names:
                    row.add_error('username', 'Duplicate username (already a site-to-site server-mode connection of that name)')
                elif len(name) > constants.MAX_USERNAME_LENGTH:
                    row.add_error('username', 'Username too long')
                else:
                    seen_usernames.append(name)

            # --- password characters / length -----------------------------
            if row.has_key('password'):
                password = row['password']
                if password is not None:
                    if not uihelpers.check_ppp_password_characters(password):
                        row.add_error('password', 'Invalid characters')
                    elif len(password) > constants.MAX_PASSWORD_LENGTH:
                        row.add_error('password', 'Password too long')

            # --- password presence ----------------------------------------
            # There is no permanent user identifier, so a renamed user cannot
            # be told apart from a new one.  An empty password is therefore
            # accepted only when a user with this exact username already
            # existed (userpw_dict has the name) and its old password is used.
            if row.has_key('username') and row['username'] is not None:
                password_empty = (not row.has_key('password')
                                  or row['password'] is None
                                  or row['password'] == '')
                if password_empty and not userpw_dict.has_key(row['username']):
                    row.add_error('password', 'Required for new users')

            # --- fixed IP -------------------------------------------------
            # XXX: requiring the fixed IP to lie inside the PPP subnet would
            # catch admin mistakes but is considered too restrictive; a
            # warning would be the better tool and is not implemented here.
            if not row.has_key('fixed_ip'):
                continue
            fixed_ip = row['fixed_ip']
            if fixed_ip is not None and fixed_ip != '':
                pool = ui_root.getS(ns_ui.clientAddressRange, rdf.IPv4AddressRange)
                client_net = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)
                ip_text = fixed_ip.toString()
                ip_ok = True

                # Fixed IPs must be unique among the rows.
                if ip_text in seen_fixed_ips:
                    row.add_error('fixed_ip', 'Duplicate fixed IP address')
                    ip_ok = False

                # Inside the client subnet some addresses are off limits: the
                # dynamic allocation pool and the first / last (usable) addresses.
                if client_net.inSubnet(fixed_ip):
                    if pool.inRange(fixed_ip):
                        row.add_error('fixed_ip', 'Overlaps with client address range')
                        ip_ok = False

                    first_usable = client_net.getFirstUsableAddress()
                    last_usable = client_net.getLastUsableAddress()
                    if fixed_ip < first_usable:
                        row.add_error('fixed_ip', 'First address of the client subnet prohibited')
                        ip_ok = False
                    elif fixed_ip == last_usable:
                        row.add_error('fixed_ip', 'Last usable address of the client subnet prohibited')
                        ip_ok = False
                    elif fixed_ip > last_usable:
                        row.add_error('fixed_ip', 'Last address of the client subnet prohibited')
                        ip_ok = False

                # Only a clean fixed IP participates in later duplicate checks.
                if ip_ok:
                    seen_fixed_ips.append(ip_text)
Esempio n. 2
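    def _validate(self, ctx, form, data):
        """Validate the submitted site-to-site connection rows.

        Hard failures are attached with ``add_error``: bad characters or
        over-long username/password, a client-mode row lacking its PSK or
        server name, and duplicate server-mode names.  Remote subnet
        overlaps (inside one row, with other rows, and with the Internet,
        private network and client subnets from the UI config) are only
        reported with ``add_warning``.

        Args:
            ctx: Context handed to ``formalutils.FormDataAccessor``.
            form: The submitted form object.
            data: Submitted form data; not read by this method.

        Returns:
            None.  Findings are recorded on the per-row accessors.
        """
        fda = formalutils.FormDataAccessor(form, ['s2s_connections'], ctx)
        ui_root = helpers.get_ui_config()

        def static_subnet(connection_prop):
            """Subnet of a statically addressed network connection, else None."""
            if not ui_root.hasS(connection_prop):
                return None
            iface = ui_root.getS(connection_prop, rdf.Type(ns_ui.NetworkConnection))
            addr = iface.getS(ns_ui.address)
            if not addr.hasType(ns_ui.StaticAddress):
                return None
            return datatypes.IPv4AddressSubnet.fromStrings(
                addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(),
                addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString())

        # Local networks used for the overlap warnings; None when not configured.
        pub_addr_subnet = static_subnet(ns_ui.internetConnection)
        priv_addr_subnet = static_subnet(ns_ui.privateNetworkConnection)
        ppp_subnet = None
        if ui_root.hasS(ns_ui.clientSubnet):
            ppp_subnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)

        # Rows are addressed by their index as a string; the first index
        # that yields no keys at all terminates the list.
        conns = []
        idx = 0
        while True:
            fda_conn = fda.descend(str(idx))
            if len(fda_conn.keys()) == 0:
                break
            conns.append(fda_conn)
            idx += 1

        # Remote access usernames; a server-mode connection may not reuse one.
        remote_access_usernames = []
        if ui_root.hasS(ns_ui.users):
            for user in ui_root.getS(ns_ui.users, rdf.Seq(rdf.Type(ns_ui.User))):
                if user.hasS(ns_ui.username):
                    remote_access_usernames.append(user.getS(ns_ui.username, rdf.String))

        # (network, warning text) pairs checked against every remote subnet.
        local_networks = []
        if pub_addr_subnet is not None:
            local_networks.append((pub_addr_subnet.getSubnet(),
                                   'Remote subnet(s) overlap with Internet connection subnet'))
        if priv_addr_subnet is not None:
            local_networks.append((priv_addr_subnet.getSubnet(),
                                   'Remote subnet(s) overlap with private network connection subnet'))
        if ppp_subnet is not None:
            local_networks.append((ppp_subnet,
                                   'Remote subnet(s) overlap with client subnet'))

        s2s_server_usernames_found = []
        for fda_conn_index, fda_conn in enumerate(conns):
            if fda_conn.has_key('s2s_username'):
                if not uihelpers.check_ppp_username_characters(fda_conn['s2s_username']):
                    fda_conn.add_error('s2s_username', 'Invalid characters')
                elif len(fda_conn['s2s_username']) > constants.MAX_USERNAME_LENGTH:
                    fda_conn.add_error('s2s_username', 'Username too long')

            if fda_conn.has_key('s2s_password'):
                # NOTE(review): a None password is handed straight to the
                # character check here, unlike the user-list validation which
                # guards against None first — confirm the checker accepts it.
                if not uihelpers.check_ppp_password_characters(fda_conn['s2s_password']):
                    fda_conn.add_error('s2s_password', 'Invalid characters')
                elif len(fda_conn['s2s_password']) > constants.MAX_PASSWORD_LENGTH:
                    fda_conn.add_error('s2s_password', 'Password too long')

            if fda_conn.has_key('s2s_mode'):
                mode = fda_conn['s2s_mode']
                if mode == 'client':
                    # An initiator needs both a PSK and a server name.  Only
                    # the PSK's character set is checked here; this method
                    # enforces no minimum PSK length.
                    if not fda_conn.has_key('s2s_psk') or fda_conn['s2s_psk'] == '' or fda_conn['s2s_psk'] is None:
                        fda_conn.add_error('s2s_psk', 'Required for initiator')
                    elif not uihelpers.check_preshared_key_characters(fda_conn['s2s_psk']):
                        fda_conn.add_error('s2s_psk', 'Invalid characters')
                    if not fda_conn.has_key('s2s_server') or fda_conn['s2s_server'] == '' or fda_conn['s2s_server'] is None:
                        fda_conn.add_error('s2s_server', 'Required for initiator')
                    elif not uihelpers.check_dns_name_characters(fda_conn['s2s_server']):
                        fda_conn.add_error('s2s_server', 'Invalid characters')
                else:
                    # Any mode other than 'client' is treated as server mode.
                    # Server-mode names must be unique and must not collide
                    # with a remote access username; client-mode names may repeat.
                    if fda_conn.has_key('s2s_username'):
                        username = fda_conn['s2s_username']
                        if username in s2s_server_usernames_found:
                            fda_conn.add_error('s2s_username', 'Duplicate username for server mode connection')
                        elif username in remote_access_usernames:
                            fda_conn.add_error('s2s_username', 'Duplicate username for server mode connection (already a user with that name)')
                        else:
                            s2s_server_usernames_found.append(username)

            if fda_conn.has_key('s2s_subnets'):
                subnets = fda_conn['s2s_subnets']

                # Overlap inside the row's own list.  Both orderings of each
                # pair are tested so no symmetry of overlapsWithSubnet is assumed.
                if any(a.overlapsWithSubnet(b)
                       for i, a in enumerate(subnets)
                       for j, b in enumerate(subnets) if i != j):
                    fda_conn.add_warning('s2s_subnets', 'Subnets in list overlap')

                # Overlap with any subnet of any other row.
                other_subnets = [other_subnet
                                 for other_index, other_conn in enumerate(conns)
                                 if other_conn.has_key('s2s_subnets') and other_index != fda_conn_index
                                 for other_subnet in other_conn['s2s_subnets']]
                if any(s.overlapsWithSubnet(o) for s in subnets for o in other_subnets):
                    fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with other connections')

                # Overlap with the local networks.  Every subnet of the row is
                # tested (previously only the last one was, via the leftover
                # loop variable, and an empty list raised UnboundLocalError).
                for network, message in local_networks:
                    if any(s.overlapsWithSubnet(network) for s in subnets):
                        fda_conn.add_warning('s2s_subnets', message)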
Esempio n. 3
    def _validate_users(self, ctx, form, data, userpw_dict):
        """Check the submitted user list and record field errors on each row.

        Per row: username character set, uniqueness (among the rows and
        against server-mode site-to-site connection names) and length;
        password character set and length; a password being present for
        usernames not found in *userpw_dict*; and, when a fixed IP is
        given, its uniqueness among the rows and its placement relative to
        the client subnet and the dynamic address pool.

        Args:
            ctx: Context handed to ``formalutils.FormDataAccessor``.
            form: The submitted form object.
            data: Submitted form data; not read by this method.
            userpw_dict: Existing usernames mapped to stored passwords.  A
                row whose username is a key here may omit the password and
                the old password is used.

        Returns:
            None.  Findings are attached with ``add_error``.
        """
        fda = formalutils.FormDataAccessor(form, ['userlist_group'], ctx)
        ui_root = helpers.get_ui_config()

        # Rows are addressed by index as a string; the first index with no
        # keys at all ends the list.
        rows = []
        n = 0
        while True:
            candidate = fda.descend(str(n))
            if len(candidate.keys()) == 0:
                break
            rows.append(candidate)
            n += 1

        # Usernames of server-mode site-to-site connections are rejected for
        # remote access users below.
        s2s_names = []
        if ui_root.hasS(ns_ui.siteToSiteConnections):
            seq_type = rdf.Seq(rdf.Type(ns_ui.SiteToSiteConnection))
            for conn in ui_root.getS(ns_ui.siteToSiteConnections, seq_type):
                is_server = (conn.hasS(ns_ui.mode)
                             and conn.getS(ns_ui.mode, rdf.String) == 'server')
                if is_server and conn.hasS(ns_ui.username):
                    s2s_names.append(conn.getS(ns_ui.username, rdf.String))

        names_seen = []
        fixed_ips_seen = []

        def check_username(row):
            """Character set, uniqueness and length of the username."""
            if not row.has_key('username'):
                return
            if not uihelpers.check_ppp_username_characters(row['username']):
                row.add_error('username', 'Invalid characters')
                return
            name = row['username']
            if name in names_seen:
                row.add_error('username', 'Duplicate username')
            elif name in s2s_names:
                row.add_error('username', 'Duplicate username (already a site-to-site server-mode connection of that name)')
            elif len(name) > constants.MAX_USERNAME_LENGTH:
                row.add_error('username', 'Username too long')
            else:
                names_seen.append(name)

        def check_password(row):
            """Character set and length of a password that is not None."""
            if not (row.has_key('password') and row['password'] is not None):
                return
            if not uihelpers.check_ppp_password_characters(row['password']):
                row.add_error('password', 'Invalid characters')
            elif len(row['password']) > constants.MAX_PASSWORD_LENGTH:
                row.add_error('password', 'Password too long')

        def check_password_present(row):
            """Require a password unless the username already has one stored.

            There is no permanent user identifier, so a renamed user cannot
            be told apart from a new one.  An empty password is accepted only
            when a user with this exact username existed before (the name is
            a key of userpw_dict), in which case the old password is used.
            """
            if not (row.has_key('username') and row['username'] is not None):
                return
            empty = (not row.has_key('password')
                     or row['password'] is None
                     or row['password'] == '')
            if empty and not userpw_dict.has_key(row['username']):
                row.add_error('password', 'Required for new users')

        def check_fixed_ip(row):
            """Uniqueness and placement of an optional fixed IP address.

            XXX: checking that the fixed IP lies inside the PPP subnet would
            catch admin mistakes but is considered too restrictive, so it is
            not done; a warning would be the better tool.
            """
            if not row.has_key('fixed_ip'):
                return
            addr = row['fixed_ip']
            if not (addr is not None and addr != ''):
                return

            pool = ui_root.getS(ns_ui.clientAddressRange, rdf.IPv4AddressRange)
            client_net = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)

            # Collect the messages first; the address is only remembered for
            # later duplicate checks when none were produced.
            problems = []
            if addr.toString() in fixed_ips_seen:
                problems.append('Duplicate fixed IP address')
            if client_net.inSubnet(addr):
                # The dynamic allocation pool and the first / last (usable)
                # addresses of the client subnet are off limits.
                if pool.inRange(addr):
                    problems.append('Overlaps with client address range')
                first_usable = client_net.getFirstUsableAddress()
                last_usable = client_net.getLastUsableAddress()
                if addr < first_usable:
                    problems.append('First address of the client subnet prohibited')
                elif addr == last_usable:
                    problems.append('Last usable address of the client subnet prohibited')
                elif addr > last_usable:
                    problems.append('Last address of the client subnet prohibited')
            for message in problems:
                row.add_error('fixed_ip', message)
            if not problems:
                fixed_ips_seen.append(addr.toString())

        for row in rows:
            check_username(row)
            check_password(row)
            check_password_present(row)
            check_fixed_ip(row)
Esempio n. 4
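    def _validate(self, ctx, form, data):
        """Validate the submitted site-to-site connection rows.

        ``add_error`` is used for hard failures (bad characters or over-long
        username/password, an initiator row without PSK or server name,
        duplicate server-mode names); ``add_warning`` for remote subnet
        overlaps inside a row, with other rows, and with the Internet,
        private network and client subnets read from the UI config.

        Args:
            ctx: Context handed to ``formalutils.FormDataAccessor``.
            form: The submitted form object.
            data: Submitted form data; not read by this method.

        Returns:
            None.  Findings are recorded on the per-row accessors.
        """
        fda = formalutils.FormDataAccessor(form, ['s2s_connections'], ctx)

        # Local networks for the overlap warnings; each stays None when the
        # connection is absent or not statically addressed.
        ui_root = helpers.get_ui_config()
        pub_addr_subnet = None
        if ui_root.hasS(ns_ui.internetConnection):
            pub_iface = ui_root.getS(ns_ui.internetConnection,
                                     rdf.Type(ns_ui.NetworkConnection))
            pub_addr = pub_iface.getS(ns_ui.address)
            if pub_addr.hasType(ns_ui.StaticAddress):
                pub_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(
                    pub_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(),
                    pub_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString())
        priv_addr_subnet = None
        if ui_root.hasS(ns_ui.privateNetworkConnection):
            priv_iface = ui_root.getS(ns_ui.privateNetworkConnection,
                                      rdf.Type(ns_ui.NetworkConnection))
            priv_addr = priv_iface.getS(ns_ui.address)
            if priv_addr.hasType(ns_ui.StaticAddress):
                priv_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(
                    priv_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(),
                    priv_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString())
        ppp_subnet = None
        if ui_root.hasS(ns_ui.clientSubnet):
            ppp_subnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet)

        # Rows are addressed by index as a string; the first index without
        # any keys ends the list.
        conns = []
        idx = 0
        while True:
            fda_conn = fda.descend(str(idx))
            if len(fda_conn.keys()) == 0:
                break
            conns.append(fda_conn)
            idx += 1

        # A server-mode connection may not reuse a remote access username.
        remote_access_usernames = []
        if ui_root.hasS(ns_ui.users):
            for user in ui_root.getS(ns_ui.users,
                                     rdf.Seq(rdf.Type(ns_ui.User))):
                if user.hasS(ns_ui.username):
                    remote_access_usernames.append(
                        user.getS(ns_ui.username, rdf.String))

        def overlaps_any(candidates, network):
            """True when at least one of *candidates* overlaps *network*."""
            return any(s.overlapsWithSubnet(network) for s in candidates)

        s2s_server_usernames_found = []
        for fda_conn_index, fda_conn in enumerate(conns):
            if fda_conn.has_key('s2s_username'):
                if not uihelpers.check_ppp_username_characters(
                        fda_conn['s2s_username']):
                    fda_conn.add_error('s2s_username', 'Invalid characters')
                elif len(fda_conn['s2s_username']) > constants.MAX_USERNAME_LENGTH:
                    fda_conn.add_error('s2s_username', 'Username too long')

            if fda_conn.has_key('s2s_password'):
                # NOTE(review): a None password reaches the character check
                # unguarded here, unlike the user-list validation — confirm
                # the checker accepts None.
                if not uihelpers.check_ppp_password_characters(
                        fda_conn['s2s_password']):
                    fda_conn.add_error('s2s_password', 'Invalid characters')
                elif len(fda_conn['s2s_password']) > constants.MAX_PASSWORD_LENGTH:
                    fda_conn.add_error('s2s_password', 'Password too long')

            if fda_conn.has_key('s2s_mode'):
                mode = fda_conn['s2s_mode']
                if mode == 'client':
                    # An initiator needs a PSK and a server name.  Only the
                    # PSK's character set is checked; no minimum PSK length
                    # is enforced in this method.
                    psk_missing = (not fda_conn.has_key('s2s_psk')
                                   or fda_conn['s2s_psk'] == ''
                                   or fda_conn['s2s_psk'] is None)
                    if psk_missing:
                        fda_conn.add_error('s2s_psk', 'Required for initiator')
                    elif not uihelpers.check_preshared_key_characters(
                            fda_conn['s2s_psk']):
                        fda_conn.add_error('s2s_psk', 'Invalid characters')
                    server_missing = (not fda_conn.has_key('s2s_server')
                                      or fda_conn['s2s_server'] == ''
                                      or fda_conn['s2s_server'] is None)
                    if server_missing:
                        fda_conn.add_error('s2s_server',
                                           'Required for initiator')
                    elif not uihelpers.check_dns_name_characters(
                            fda_conn['s2s_server']):
                        fda_conn.add_error('s2s_server',
                                           'Invalid characters')
                else:
                    # Every mode other than 'client' is handled as server
                    # mode.  Server-mode names must be unique and must not
                    # collide with a remote access username; client-mode
                    # names may repeat.
                    if fda_conn.has_key('s2s_username'):
                        username = fda_conn['s2s_username']
                        if username in s2s_server_usernames_found:
                            fda_conn.add_error(
                                's2s_username',
                                'Duplicate username for server mode connection'
                            )
                        elif username in remote_access_usernames:
                            fda_conn.add_error(
                                's2s_username',
                                'Duplicate username for server mode connection (already a user with that name)'
                            )
                        else:
                            s2s_server_usernames_found.append(username)

            if fda_conn.has_key('s2s_subnets'):
                subnets = fda_conn['s2s_subnets']

                # Overlap inside the row's own list; both orderings of each
                # pair are tested, as before.
                if any(subnets[i].overlapsWithSubnet(subnets[j])
                       for i in range(len(subnets))
                       for j in range(len(subnets)) if i != j):
                    fda_conn.add_warning('s2s_subnets',
                                         'Subnets in list overlap')

                # Overlap with any subnet of any other row.
                overlap_with_other = False
                for other_conn_index, other_conn in enumerate(conns):
                    if other_conn_index == fda_conn_index:
                        continue
                    if not other_conn.has_key('s2s_subnets'):
                        continue
                    for other_subnet in other_conn['s2s_subnets']:
                        if overlaps_any(subnets, other_subnet):
                            overlap_with_other = True
                if overlap_with_other:
                    fda_conn.add_warning(
                        's2s_subnets',
                        'Remote subnet(s) overlap with other connections')

                # Overlap with the local networks.  All subnets of the row
                # are tested; the previous code reused the leftover loop
                # variable and so only looked at the last subnet (and failed
                # with UnboundLocalError on an empty list).
                if pub_addr_subnet is not None:
                    if overlaps_any(subnets, pub_addr_subnet.getSubnet()):
                        fda_conn.add_warning(
                            's2s_subnets',
                            'Remote subnet(s) overlap with Internet connection subnet'
                        )

                if priv_addr_subnet is not None:
                    if overlaps_any(subnets, priv_addr_subnet.getSubnet()):
                        fda_conn.add_warning(
                            's2s_subnets',
                            'Remote subnet(s) overlap with private network connection subnet'
                        )

                if ppp_subnet is not None:
                    if overlaps_any(subnets, ppp_subnet):
                        fda_conn.add_warning(
                            's2s_subnets',
                            'Remote subnet(s) overlap with client subnet')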