author | Rob Austein <sra@hactrn.net> | 2013-01-31 05:04:39 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2013-01-31 05:04:39 +0000 |
commit | 1dfcb1fc0ae6e9367868c3dab8d38c1bd091dcaf (patch) | |
tree | 9afde39f2bd354e212e709145adaa8763d31ecc0 | |
parent | b7c329cb97367a670a36dd9c50a3f761dd2b4963 (diff) | |
parent | 7f49d94068077fabfab83307c3f648b710ab369d (diff) |
Pull from trunk.
svn path=/branches/tk377/; revision=4989
-rw-r--r-- | rcynic/rcynic.c | 4 | ||||
-rw-r--r-- | rpkid/rpki/gui/app/templates/base.html | 2 | ||||
-rw-r--r-- | rpkid/rpki/gui/app/templates/registration/login.html | 2 | ||||
-rw-r--r-- | rpkid/rpki/gui/app/views.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/gui/decorators.py | 31 | ||||
-rw-r--r-- | rpkid/rpki/gui/urls.py | 4 | ||||
-rw-r--r-- | rpkid/rpki/gui/views.py | 30 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 12 |
8 files changed, 79 insertions, 8 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 2f37ed79..0634bc52 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -3707,7 +3707,8 @@ static int check_x509(rcynic_ctx_t *rc,
 ex_count--;
 if ((loc = X509_get_ext_by_NID(x, NID_sbgp_ipAddrBlock, -1)) < 0 ||
 !X509_EXTENSION_get_critical(X509_get_ext(x, loc)) ||
- !v3_addr_is_canonical(x->rfc3779_addr)) {
+ !v3_addr_is_canonical(x->rfc3779_addr) ||
+ sk_IPAddressFamily_num(x->rfc3779_addr) == 0) {
 log_validation_status(rc, uri, bad_ipaddrblocks, generation);
 goto done;
 }
@@ -3718,6 +3719,7 @@ static int check_x509(rcynic_ctx_t *rc,
 if ((loc = X509_get_ext_by_NID(x, NID_sbgp_autonomousSysNum, -1)) < 0 ||
 !X509_EXTENSION_get_critical(X509_get_ext(x, loc)) ||
 !v3_asid_is_canonical(x->rfc3779_asid) ||
+ x->rfc3779_asid->asnum == NULL ||
 x->rfc3779_asid->rdi != NULL) {
 log_validation_status(rc, uri, bad_asidentifiers, generation);
 goto done;
diff --git a/rpkid/rpki/gui/app/templates/base.html b/rpkid/rpki/gui/app/templates/base.html
index 0af1d241..89aa0b9a 100644
--- a/rpkid/rpki/gui/app/templates/base.html
+++ b/rpkid/rpki/gui/app/templates/base.html
@@ -24,7 +24,7 @@
 {% if user.is_authenticated %}
 <li><p class="navbar-text">Logged in as {{ user }}</li>
 <li class="divider-vertical"></li>
-<li><a href="{% url django.contrib.auth.views.logout %}">Log Out</a></li>
+<li><a href="{% url rpki.gui.views.logout %}">Log Out</a></li>
 {% endif %}
 </ul>
 </div>
diff --git a/rpkid/rpki/gui/app/templates/registration/login.html b/rpkid/rpki/gui/app/templates/registration/login.html
index 27ad21cf..d2ee9468 100644
--- a/rpkid/rpki/gui/app/templates/registration/login.html
+++ b/rpkid/rpki/gui/app/templates/registration/login.html
@@ -8,7 +8,7 @@
 </div>
 {% endif %}
-<form method="post" action="{% url django.contrib.auth.views.login %}">
+<form method="post" action="{% url rpki.gui.views.login %}">
 {% csrf_token %}
 <div class="clearfix">
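Review bot: The added `sk_IPAddressFamily_num(x->rfc3779_addr) == 0` guard leaves a NULL `x->rfc3779_addr` unrejected, because OpenSSL's `sk_*_num()` returns -1 for a NULL stack and, as far as I recall, `v3_addr_is_canonical()` treats NULL as canonical. If the decoder can leave the cached pointer NULL while the extension is present (for example because it failed to parse), the certificate would pass this branch with no address families at all. Comparing with `<= 0`, or adding an explicit `x->rfc3779_addr == NULL ||` term before the canonical check, closes that gap regardless of how the library version in use behaves. check_x509 starts before this hunk.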
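Review bot: The new `x->rfc3779_asid->asnum == NULL` term dereferences `x->rfc3779_asid` without a NULL check; the existing `rdi` test on the following line already had the same problem, and this change adds a second dereference on the same path instead of fixing it. If the decoder can hand back a NULL `rfc3779_asid` for a present-but-malformed extension, that is a crash in the validator on attacker-supplied input, whereas an explicit `x->rfc3779_asid == NULL ||` term ahead of the canonical check turns it into a clean bad_asidentifiers rejection. Whether the pointer can actually be NULL here is not visible from the diff, so this is worth confirming against the OpenSSL version rcynic builds with. check_x509 continues outside the hunk.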
diff --git a/rpkid/rpki/gui/app/views.py b/rpkid/rpki/gui/app/views.py
index 535ffe6c..2d674c95 100644
--- a/rpkid/rpki/gui/app/views.py
+++ b/rpkid/rpki/gui/app/views.py
@@ -42,6 +42,7 @@ import rpki.exceptions
 from rpki.gui.cacheview.models import ROAPrefixV4, ROA
 from rpki.gui.routeview.models import RouteOrigin
+from rpki.gui.decorators import tls_required
 def superuser_required(f):
@@ -63,6 +64,7 @@ def handle_required(f):
 """
 @login_required
+ @tls_required
 def wrapped_fn(request, *args, **kwargs):
 if 'handle' not in request.session:
 if request.user.is_superuser:
diff --git a/rpkid/rpki/gui/decorators.py b/rpkid/rpki/gui/decorators.py
new file mode 100644
index 00000000..69d20c46
--- /dev/null
+++ b/rpkid/rpki/gui/decorators.py
@@ -0,0 +1,31 @@
+# Copyright (C) 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+from django import http
+
+
+def tls_required(f):
+ """Decorator which returns a 500 error if the connection is not secured
+ with TLS (https).
+
+ """
+ def _tls_required(request, *args, **kwargs):
+ if not request.is_secure():
+ return http.HttpResponseServerError(
+ 'This resource may only be accessed securely via https',
+ content_type='text/plain')
+ return f(request, *args, **kwargs)
+ return _tls_required
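Review bot: In handle_required the new `@tls_required` sits inside `@login_required`, so on a plain-http request the authentication check runs first: an already-logged-in browser has sent its session cookie in the clear before the TLS check answers 500, and an anonymous one is redirected to the login view with a `next=` that points back at the http URL. Swapping the order (`@tls_required` directly above `@login_required`) rejects the plaintext request before any auth logic runs and before a redirect is built from it. That still does not stop the browser from sending the cookie over http in the first place; that needs `SESSION_COOKIE_SECURE = True` (and ideally `CSRF_COOKIE_SECURE`) in settings, which are not part of this diff. handle_required's body continues outside the hunk.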
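Review bot: `_tls_required` is not wrapped with `functools.wraps`, so every decorated view loses its `__name__`, `__doc__` and `__module__`; tracebacks and anything that introspects the view will report `_tls_required`, and stacking it under `login_required` in app/views.py compounds the effect. Add `import functools` and `@functools.wraps(f)` on the inner function. A client arriving over the wrong scheme is also not a server fault: `HttpResponseServerError` makes each such request count as a 5xx in logs and monitoring, whereas `http.HttpResponseForbidden` (or a redirect to the https URL) describes the situation and keeps real 500s meaningful. Finally `request.is_secure()` reflects only the local socket unless `SECURE_PROXY_SSL_HEADER` is configured, so behind a TLS-terminating proxy every request would be rejected; that caveat belongs in the docstring, e.g. `Behind a TLS-terminating proxy set SECURE_PROXY_SSL_HEADER, otherwise is_secure() is always False.`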
diff --git a/rpkid/rpki/gui/urls.py b/rpkid/rpki/gui/urls.py
index 52949b73..58e2ea9f 100644
--- a/rpkid/rpki/gui/urls.py
+++ b/rpkid/rpki/gui/urls.py
@@ -30,7 +30,7 @@ urlpatterns = patterns('',
 (r'^cacheview/', include('rpki.gui.cacheview.urls')),
 (r'^rpki/', include('rpki.gui.app.urls')),
- (r'^accounts/login/$', 'django.contrib.auth.views.login'),
- (r'^accounts/logout/$', 'django.contrib.auth.views.logout',
+ (r'^accounts/login/$', 'rpki.gui.views.login'),
+ (r'^accounts/logout/$', 'rpki.gui.views.logout',
 {'next_page': '/rpki/'}),
 )
diff --git a/rpkid/rpki/gui/views.py b/rpkid/rpki/gui/views.py
new file mode 100644
index 00000000..5c62cf62
--- /dev/null
+++ b/rpkid/rpki/gui/views.py
@@ -0,0 +1,30 @@
+# Copyright (C) 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+import django.contrib.auth.views
+from rpki.gui.decorators import tls_required
+
+
+@tls_required
+def login(request, *args, **kwargs):
+ "Wrapper around django.contrib.auth.views.login to force use of TLS."
+ return django.contrib.auth.views.login(request, *args, **kwargs)
+
+
+@tls_required
+def logout(request, *args, **kwargs):
+ "Wrapper around django.contrib.auth.views.logout to force use of TLS."
+ return django.contrib.auth.views.login(request, *args, **kwargs)
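Review bot: `logout` wraps the wrong view: its body calls `django.contrib.auth.views.login`, so a request to /accounts/logout/ never flushes the session, and because urls.py passes `{'next_page': '/rpki/'}` the login view will most likely fail on the unexpected keyword rather than render anything. Change the last line to `return django.contrib.auth.views.logout(request, *args, **kwargs)`. The docstring already says it wraps logout, so only the call is wrong; a "Log Out" link that silently leaves the session alive is worth a regression test once fixed.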
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 6f28e6f7..9befb320 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -693,9 +693,15 @@ class X509(DER_object):
 if resources is not None:
 cert.setRFC3779(
- asn = ((r.min, r.max) for r in resources.asn),
- ipv4 = ((rpki.POW.IPAddress(r.min, 4), rpki.POW.IPAddress(r.max, 4)) for r in resources.v4),
- ipv6 = ((rpki.POW.IPAddress(r.min, 6), rpki.POW.IPAddress(r.max, 6)) for r in resources.v6))
+ asn = (("inherit" if resources.asn.inherit else
+ ((r.min, r.max) for r in resources.asn))
+ or None),
+ ipv4 = (("inherit" if resources.v4.inherit else
+ ((r.min, r.max) for r in resources.v4))
+ or None),
+ ipv6 = (("inherit" if resources.v6.inherit else
+ ((r.min, r.max) for r in resources.v6))
+ or None))
 cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST) |
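Review bot: The `or None` appended to each of the three new keyword arguments is dead code: the conditional yields either the string "inherit" or a generator object, and a generator is truthy even when `resources.asn`/`v4`/`v6` is empty, so an empty family still reaches setRFC3779 as an empty iterable rather than None. If the intent is to omit empty families (which would match the rcynic change in this same commit that rejects an IPAddrBlocks extension with zero families and an ASIdentifiers extension with no asnum), materialise the ranges first, e.g. `asn = ("inherit" if resources.asn.inherit else tuple((r.min, r.max) for r in resources.asn)) or None`, and likewise for ipv4 and ipv6. The ipv4/ipv6 ranges are also now passed as bare `r.min`/`r.max` instead of `rpki.POW.IPAddress` objects; presumably the trunk POW binding accepts that, but nothing in this diff shows it, so it is worth confirming. The enclosing X509 method starts before the hunk.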