def _validate_users(self, ctx, form, data, userpw_dict): fda = formalutils.FormDataAccessor(form, ['userlist_group'], ctx) ui_root = helpers.get_ui_config() # user list validation idx = 0 users = [] while True: fda_user = fda.descend(str(idx)) if len(fda_user.keys()) == 0: break users.append(fda_user) idx += 1 s2s_server_usernames = [] if ui_root.hasS(ns_ui.siteToSiteConnections): for s2s_conn in ui_root.getS(ns_ui.siteToSiteConnections, rdf.Seq(rdf.Type(ns_ui.SiteToSiteConnection))): if s2s_conn.hasS(ns_ui.mode) and s2s_conn.getS(ns_ui.mode, rdf.String) == 'server' and s2s_conn.hasS(ns_ui.username): s2s_server_usernames.append(s2s_conn.getS(ns_ui.username, rdf.String)) usernames_found = [] fixed_ips_found = [] for fda_user_index, fda_user in enumerate(users): # username checks if fda_user.has_key('username'): if not uihelpers.check_ppp_username_characters(fda_user['username']): fda_user.add_error('username', 'Invalid characters') else: username = fda_user['username'] if username in usernames_found: fda_user.add_error('username', 'Duplicate username') elif username in s2s_server_usernames: fda_user.add_error('username', 'Duplicate username (already a site-to-site server-mode connection of that name)') elif len(username) > constants.MAX_USERNAME_LENGTH: fda_user.add_error('username', 'Username too long') else: usernames_found.append(username) # password chars if fda_user.has_key('password') and (fda_user['password'] is not None): if not uihelpers.check_ppp_password_characters(fda_user['password']): fda_user.add_error('password', 'Invalid characters') elif len(fda_user['password']) > constants.MAX_PASSWORD_LENGTH: fda_user.add_error('password', 'Password too long') # Password is a bit tricky; admin may have changed a username and we don't have # any permanent user identifiers that allow us to identify this as the same user # and keep its password despite the name change. So, we require either that the # password is set, or that a user previously existed with this username (changed # or not !) and use the old password. if fda_user.has_key('username') and (fda_user['username'] is not None) and \ (not fda_user.has_key('password') or fda_user['password'] is None or fda_user['password'] == ''): username = fda_user['username'] if userpw_dict.has_key(username): # all ok pass else: fda_user.add_error('password', 'Required for new users') # fixed ip checks # XXX: we could also check that the fixed IP is from the # PPP subnet to try to prevent admin configuration errors, # but this would be too restrictive and is currently not # done: a warning would help here. if fda_user.has_key('fixed_ip') and (fda_user['fixed_ip'] is not None) and (fda_user['fixed_ip'] != ''): fixed_ip_errors = False fixed_ip = fda_user['fixed_ip'] iprange = ui_root.getS(ns_ui.clientAddressRange, rdf.IPv4AddressRange) pppsubnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet) # The fixed IP may not overlap with other users fixed IP addresses if fixed_ip.toString() in fixed_ips_found: fda_user.add_error('fixed_ip', 'Duplicate fixed IP address') fixed_ip_errors = True # Check restricted addresses inside PPP subnet if pppsubnet.inSubnet(fixed_ip): # The fixed IP must not be from the PPP address range (dynamic allocation pool) if iprange.inRange(fixed_ip): fda_user.add_error('fixed_ip', 'Overlaps with client address range') fixed_ip_errors = True if fixed_ip < pppsubnet.getFirstUsableAddress(): fda_user.add_error('fixed_ip', 'First address of the client subnet prohibited') fixed_ip_errors = True elif fixed_ip == pppsubnet.getLastUsableAddress(): fda_user.add_error('fixed_ip', 'Last usable address of the client subnet prohibited') fixed_ip_errors = True elif fixed_ip > pppsubnet.getLastUsableAddress(): fda_user.add_error('fixed_ip', 'Last address of the client subnet prohibited') fixed_ip_errors = True if not fixed_ip_errors: fixed_ips_found.append(fixed_ip.toString())
def _validate(self, ctx, form, data): fda = formalutils.FormDataAccessor(form, ['s2s_connections'], ctx) # Get some useful stuff for validation ui_root = helpers.get_ui_config() pub_iface, pub_addr_subnet = None, None if ui_root.hasS(ns_ui.internetConnection): pub_iface = ui_root.getS(ns_ui.internetConnection, rdf.Type(ns_ui.NetworkConnection)) pub_addr = pub_iface.getS(ns_ui.address) if pub_addr.hasType(ns_ui.StaticAddress): pub_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(pub_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(), pub_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString()) priv_iface, priv_addr_subnet = None, None if ui_root.hasS(ns_ui.privateNetworkConnection): priv_iface = ui_root.getS(ns_ui.privateNetworkConnection, rdf.Type(ns_ui.NetworkConnection)) priv_addr = priv_iface.getS(ns_ui.address) if priv_addr.hasType(ns_ui.StaticAddress): priv_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings(priv_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(), priv_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString()) ppp_subnet = None if ui_root.hasS(ns_ui.clientSubnet): ppp_subnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet) # Validate individual site-to-site connections idx = 0 conns = [] while True: fda_conn = fda.descend(str(idx)) if len(fda_conn.keys()) == 0: break conns.append(fda_conn) idx += 1 remote_access_usernames = [] if ui_root.hasS(ns_ui.users): for user in ui_root.getS(ns_ui.users, rdf.Seq(rdf.Type(ns_ui.User))): if user.hasS(ns_ui.username): remote_access_usernames.append(user.getS(ns_ui.username, rdf.String)) s2s_server_usernames_found = [] for fda_conn_index, fda_conn in enumerate(conns): if fda_conn.has_key('s2s_username'): if not uihelpers.check_ppp_username_characters(fda_conn['s2s_username']): fda_conn.add_error('s2s_username', 'Invalid characters') elif len(fda_conn['s2s_username']) > constants.MAX_USERNAME_LENGTH: fda_conn.add_error('s2s_username', 'Username too long') if fda_conn.has_key('s2s_password'): if not uihelpers.check_ppp_password_characters(fda_conn['s2s_password']): fda_conn.add_error('s2s_password', 'Invalid characters') elif len(fda_conn['s2s_password']) > constants.MAX_PASSWORD_LENGTH: fda_conn.add_error('s2s_password', 'Password too long') if fda_conn.has_key('s2s_mode'): mode = fda_conn['s2s_mode'] if mode == 'client': # psk and server address are mandatory for client if not fda_conn.has_key('s2s_psk') or fda_conn['s2s_psk'] == '' or fda_conn['s2s_psk'] is None: fda_conn.add_error('s2s_psk', 'Required for initiator') else: if not uihelpers.check_preshared_key_characters(fda_conn['s2s_psk']): fda_conn.add_error('s2s_psk', 'Invalid characters') if not fda_conn.has_key('s2s_server') or fda_conn['s2s_server'] == '' or fda_conn['s2s_server'] is None: fda_conn.add_error('s2s_server', 'Required for initiator') else: if not uihelpers.check_dns_name_characters(fda_conn['s2s_server']): fda_conn.add_error('s2s_server', 'Invalid characters') else: # server # must not have duplicate server-mode names; client mode names may be duplicates if fda_conn.has_key('s2s_username'): username = fda_conn['s2s_username'] if username in s2s_server_usernames_found: fda_conn.add_error('s2s_username', 'Duplicate username for server mode connection') elif username in remote_access_usernames: fda_conn.add_error('s2s_username', 'Duplicate username for server mode connection (already a user with that name)') else: s2s_server_usernames_found.append(fda_conn['s2s_username']) # check subnets if fda_conn.has_key('s2s_subnets'): subnets = fda_conn['s2s_subnets'] # check that list doesn't contain overlap inside itself overlap_inside_list = False for i in xrange(len(subnets)): for j in xrange(len(subnets)): if i != j: if subnets[i].overlapsWithSubnet(subnets[j]): overlap_inside_list = True if overlap_inside_list: fda_conn.add_warning('s2s_subnets', 'Subnets in list overlap') # check that no element of list overlaps with any other subnet of any other site-to-site connection overlap_with_other = False for subnet in subnets: for other_conn_index, other_conn in enumerate(conns): if other_conn.has_key('s2s_subnets') and other_conn_index != fda_conn_index: for other_subnet in other_conn['s2s_subnets']: if subnet.overlapsWithSubnet(other_subnet): overlap_with_other = True if overlap_with_other: fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with other connections') # check overlap against public interface if pub_addr_subnet is not None: if subnet.overlapsWithSubnet(pub_addr_subnet.getSubnet()): fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with Internet connection subnet') # check overlap against private interface if priv_addr_subnet is not None: if subnet.overlapsWithSubnet(priv_addr_subnet.getSubnet()): fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with private network connection subnet') # check overlap against ppp subnet if ppp_subnet is not None: if subnet.overlapsWithSubnet(ppp_subnet): fda_conn.add_warning('s2s_subnets', 'Remote subnet(s) overlap with client subnet')
def _validate_users(self, ctx, form, data, userpw_dict): fda = formalutils.FormDataAccessor(form, ['userlist_group'], ctx) ui_root = helpers.get_ui_config() # user list validation idx = 0 users = [] while True: fda_user = fda.descend(str(idx)) if len(fda_user.keys()) == 0: break users.append(fda_user) idx += 1 s2s_server_usernames = [] if ui_root.hasS(ns_ui.siteToSiteConnections): for s2s_conn in ui_root.getS( ns_ui.siteToSiteConnections, rdf.Seq(rdf.Type(ns_ui.SiteToSiteConnection))): if s2s_conn.hasS(ns_ui.mode) and s2s_conn.getS( ns_ui.mode, rdf.String) == 'server' and s2s_conn.hasS( ns_ui.username): s2s_server_usernames.append( s2s_conn.getS(ns_ui.username, rdf.String)) usernames_found = [] fixed_ips_found = [] for fda_user_index, fda_user in enumerate(users): # username checks if fda_user.has_key('username'): if not uihelpers.check_ppp_username_characters( fda_user['username']): fda_user.add_error('username', 'Invalid characters') else: username = fda_user['username'] if username in usernames_found: fda_user.add_error('username', 'Duplicate username') elif username in s2s_server_usernames: fda_user.add_error( 'username', 'Duplicate username (already a site-to-site server-mode connection of that name)' ) elif len(username) > constants.MAX_USERNAME_LENGTH: fda_user.add_error('username', 'Username too long') else: usernames_found.append(username) # password chars if fda_user.has_key('password') and (fda_user['password'] is not None): if not uihelpers.check_ppp_password_characters( fda_user['password']): fda_user.add_error('password', 'Invalid characters') elif len(fda_user['password']) > constants.MAX_PASSWORD_LENGTH: fda_user.add_error('password', 'Password too long') # Password is a bit tricky; admin may have changed a username and we don't have # any permanent user identifiers that allow us to identify this as the same user # and keep its password despite the name change. So, we require either that the # password is set, or that a user previously existed with this username (changed # or not !) and use the old password. if fda_user.has_key('username') and (fda_user['username'] is not None) and \ (not fda_user.has_key('password') or fda_user['password'] is None or fda_user['password'] == ''): username = fda_user['username'] if userpw_dict.has_key(username): # all ok pass else: fda_user.add_error('password', 'Required for new users') # fixed ip checks # XXX: we could also check that the fixed IP is from the # PPP subnet to try to prevent admin configuration errors, # but this would be too restrictive and is currently not # done: a warning would help here. if fda_user.has_key('fixed_ip') and ( fda_user['fixed_ip'] is not None) and (fda_user['fixed_ip'] != ''): fixed_ip_errors = False fixed_ip = fda_user['fixed_ip'] iprange = ui_root.getS(ns_ui.clientAddressRange, rdf.IPv4AddressRange) pppsubnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet) # The fixed IP may not overlap with other users fixed IP addresses if fixed_ip.toString() in fixed_ips_found: fda_user.add_error('fixed_ip', 'Duplicate fixed IP address') fixed_ip_errors = True # Check restricted addresses inside PPP subnet if pppsubnet.inSubnet(fixed_ip): # The fixed IP must not be from the PPP address range (dynamic allocation pool) if iprange.inRange(fixed_ip): fda_user.add_error( 'fixed_ip', 'Overlaps with client address range') fixed_ip_errors = True if fixed_ip < pppsubnet.getFirstUsableAddress(): fda_user.add_error( 'fixed_ip', 'First address of the client subnet prohibited') fixed_ip_errors = True elif fixed_ip == pppsubnet.getLastUsableAddress(): fda_user.add_error( 'fixed_ip', 'Last usable address of the client subnet prohibited' ) fixed_ip_errors = True elif fixed_ip > pppsubnet.getLastUsableAddress(): fda_user.add_error( 'fixed_ip', 'Last address of the client subnet prohibited') fixed_ip_errors = True if not fixed_ip_errors: fixed_ips_found.append(fixed_ip.toString())
def _validate(self, ctx, form, data): fda = formalutils.FormDataAccessor(form, ['s2s_connections'], ctx) # Get some useful stuff for validation ui_root = helpers.get_ui_config() pub_iface, pub_addr_subnet = None, None if ui_root.hasS(ns_ui.internetConnection): pub_iface = ui_root.getS(ns_ui.internetConnection, rdf.Type(ns_ui.NetworkConnection)) pub_addr = pub_iface.getS(ns_ui.address) if pub_addr.hasType(ns_ui.StaticAddress): pub_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings( pub_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(), pub_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString()) priv_iface, priv_addr_subnet = None, None if ui_root.hasS(ns_ui.privateNetworkConnection): priv_iface = ui_root.getS(ns_ui.privateNetworkConnection, rdf.Type(ns_ui.NetworkConnection)) priv_addr = priv_iface.getS(ns_ui.address) if priv_addr.hasType(ns_ui.StaticAddress): priv_addr_subnet = datatypes.IPv4AddressSubnet.fromStrings( priv_addr.getS(ns_ui.ipAddress, rdf.IPv4Address).toString(), priv_addr.getS(ns_ui.subnetMask, rdf.IPv4Address).toString()) ppp_subnet = None if ui_root.hasS(ns_ui.clientSubnet): ppp_subnet = ui_root.getS(ns_ui.clientSubnet, rdf.IPv4Subnet) # Validate individual site-to-site connections idx = 0 conns = [] while True: fda_conn = fda.descend(str(idx)) if len(fda_conn.keys()) == 0: break conns.append(fda_conn) idx += 1 remote_access_usernames = [] if ui_root.hasS(ns_ui.users): for user in ui_root.getS(ns_ui.users, rdf.Seq(rdf.Type(ns_ui.User))): if user.hasS(ns_ui.username): remote_access_usernames.append( user.getS(ns_ui.username, rdf.String)) s2s_server_usernames_found = [] for fda_conn_index, fda_conn in enumerate(conns): if fda_conn.has_key('s2s_username'): if not uihelpers.check_ppp_username_characters( fda_conn['s2s_username']): fda_conn.add_error('s2s_username', 'Invalid characters') elif len(fda_conn['s2s_username'] ) > constants.MAX_USERNAME_LENGTH: fda_conn.add_error('s2s_username', 'Username too long') if fda_conn.has_key('s2s_password'): if not uihelpers.check_ppp_password_characters( fda_conn['s2s_password']): fda_conn.add_error('s2s_password', 'Invalid characters') elif len(fda_conn['s2s_password'] ) > constants.MAX_PASSWORD_LENGTH: fda_conn.add_error('s2s_password', 'Password too long') if fda_conn.has_key('s2s_mode'): mode = fda_conn['s2s_mode'] if mode == 'client': # psk and server address are mandatory for client if not fda_conn.has_key('s2s_psk') or fda_conn[ 's2s_psk'] == '' or fda_conn['s2s_psk'] is None: fda_conn.add_error('s2s_psk', 'Required for initiator') else: if not uihelpers.check_preshared_key_characters( fda_conn['s2s_psk']): fda_conn.add_error('s2s_psk', 'Invalid characters') if not fda_conn.has_key('s2s_server') or fda_conn[ 's2s_server'] == '' or fda_conn[ 's2s_server'] is None: fda_conn.add_error('s2s_server', 'Required for initiator') else: if not uihelpers.check_dns_name_characters( fda_conn['s2s_server']): fda_conn.add_error('s2s_server', 'Invalid characters') else: # server # must not have duplicate server-mode names; client mode names may be duplicates if fda_conn.has_key('s2s_username'): username = fda_conn['s2s_username'] if username in s2s_server_usernames_found: fda_conn.add_error( 's2s_username', 'Duplicate username for server mode connection' ) elif username in remote_access_usernames: fda_conn.add_error( 's2s_username', 'Duplicate username for server mode connection (already a user with that name)' ) else: s2s_server_usernames_found.append( fda_conn['s2s_username']) # check subnets if fda_conn.has_key('s2s_subnets'): subnets = fda_conn['s2s_subnets'] # check that list doesn't contain overlap inside itself overlap_inside_list = False for i in xrange(len(subnets)): for j in xrange(len(subnets)): if i != j: if subnets[i].overlapsWithSubnet(subnets[j]): overlap_inside_list = True if overlap_inside_list: fda_conn.add_warning('s2s_subnets', 'Subnets in list overlap') # check that no element of list overlaps with any other subnet of any other site-to-site connection overlap_with_other = False for subnet in subnets: for other_conn_index, other_conn in enumerate(conns): if other_conn.has_key( 's2s_subnets' ) and other_conn_index != fda_conn_index: for other_subnet in other_conn['s2s_subnets']: if subnet.overlapsWithSubnet(other_subnet): overlap_with_other = True if overlap_with_other: fda_conn.add_warning( 's2s_subnets', 'Remote subnet(s) overlap with other connections') # check overlap against public interface if pub_addr_subnet is not None: if subnet.overlapsWithSubnet(pub_addr_subnet.getSubnet()): fda_conn.add_warning( 's2s_subnets', 'Remote subnet(s) overlap with Internet connection subnet' ) # check overlap against private interface if priv_addr_subnet is not None: if subnet.overlapsWithSubnet(priv_addr_subnet.getSubnet()): fda_conn.add_warning( 's2s_subnets', 'Remote subnet(s) overlap with private network connection subnet' ) # check overlap against ppp subnet if ppp_subnet is not None: if subnet.overlapsWithSubnet(ppp_subnet): fda_conn.add_warning( 's2s_subnets', 'Remote subnet(s) overlap with client subnet')