From 130b28c5b4fe7b812ef263bd20c66be19d59a297 Mon Sep 17 00:00:00 2001 From: RPKI Documentation Robot Date: Tue, 8 Jan 2013 02:00:11 +0000 Subject: Automatic pull of documentation from Wiki. svn path=/trunk/; revision=4953 --- doc/doc.RPKI.CA.UI.GUI | 12 ++++++++++++ doc/manual.pdf | Bin 483602 -> 484817 bytes 2 files changed, 12 insertions(+) diff --git a/doc/doc.RPKI.CA.UI.GUI b/doc/doc.RPKI.CA.UI.GUI index 89df1d0a..4b887e60 100644 --- a/doc/doc.RPKI.CA.UI.GUI +++ b/doc/doc.RPKI.CA.UI.GUI @@ -120,6 +120,18 @@ In addition, your rcynic script should also have after the rcynic run. +****** Expiration Checking ****** + +The web portal can notify users when it detects that RPKI certificates will +expire in the near future. Run the following script as a cron job, perhaps once +a night: + + /usr/local/sbin/rpkigui-check-expired + +By default it will warn of expiration 14 days in advance, but this may be +changed by using the -t command line option and specifying how many days in +advance to check. + ****** Using the GUI ****** ****** GUI Examples ****** diff --git a/doc/manual.pdf b/doc/manual.pdf index 556dd130..836697e3 100644 Binary files a/doc/manual.pdf and b/doc/manual.pdf differ -- cgit v1.2.3 From 53b7d85d9724585afbcb36d008597910ff4aa8fa Mon Sep 17 00:00:00 2001 From: RPKI Documentation Robot Date: Tue, 8 Jan 2013 12:00:09 +0000 Subject: Automatic pull of documentation from Wiki. svn path=/trunk/; revision=4955 --- doc/doc.RPKI.CA.Configuration.rootd | 6 +++++- doc/manual.pdf | Bin 484817 -> 484924 bytes 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/doc.RPKI.CA.Configuration.rootd b/doc/doc.RPKI.CA.Configuration.rootd index 678e2edf..f27bdd15 100644 --- a/doc/doc.RPKI.CA.Configuration.rootd +++ b/doc/doc.RPKI.CA.Configuration.rootd 
@@ -142,7 +142,11 @@ generate a root certificate as follows: $ openssl x509 -req -sha256 \ -signkey root.key -in root.req \ -outform DER -out root.cer \ - -extfile root.conf -extensions x509v3_extensions + -extfile root.conf -extensions x509v3_extensions \ + -days 1825 + +You may want to shorten the five year expire time (1825 days), which is a bit +long. It is a root certificate, so a longer expire is not unusual. The generated root.cer must be copied to the publication directory as defined in rpki.conf, diff --git a/doc/manual.pdf b/doc/manual.pdf index 836697e3..8f6912cf 100644 Binary files a/doc/manual.pdf and b/doc/manual.pdf differ -- cgit v1.2.3 From 8609ad03805edb0b71f401aee46f80f898a59098 Mon Sep 17 00:00:00 2001 From: Michael Elkins Date: Tue, 8 Jan 2013 17:46:22 +0000 Subject: merge ^/branches/tk325 svn path=/trunk/; revision=4957 --- rpkid/rpki/gui/app/templates/app/dashboard.html | 33 ++++++++++++++++++++----- rpkid/rpki/gui/app/views.py | 18 +++++++++++++- 2 files changed, 44 insertions(+), 7 deletions(-) diff --git a/rpkid/rpki/gui/app/templates/app/dashboard.html b/rpkid/rpki/gui/app/templates/app/dashboard.html index b6a7a9cb..0af4bae6 100644 --- a/rpkid/rpki/gui/app/templates/app/dashboard.html +++ b/rpkid/rpki/gui/app/templates/app/dashboard.html @@ -65,6 +65,7 @@

The following resources have not been allocated to a child, nor appear in a ROA. {% if unused_asns %} +

ASNs

    {% for asn in unused_asns %}
  • AS{{ asn }} @@ -73,19 +74,39 @@ {% endif %} {% if unused_prefixes %} -
      +

      IPv4

      + + {% for addr in unused_prefixes %} -
    • {{ addr }} +
    • + + + {% endfor %} - +
      PrefixAction
      {{ addr }} + {# if addr can be represented as a prefix, add a button for issuing a roa #} + {% if addr.is_prefix %} + ROA + {% endif %} +
      {% endif %} {% if unused_prefixes_v6 %} -
        +

        IPv6

        + + {% for addr in unused_prefixes_v6 %} -
      • {{ addr }} +
      • + + + {% endfor %} - +
        Prefix
        {{ addr }} + {# if addr can be represented as a prefix, add a button for issuing a roa #} + {% if addr.is_prefix %} + roa + {% endif %} +
        {% endif %} diff --git a/rpkid/rpki/gui/app/views.py b/rpkid/rpki/gui/app/views.py index fc1e9cce..535ffe6c 100644 --- a/rpkid/rpki/gui/app/views.py +++ b/rpkid/rpki/gui/app/views.py @@ -38,6 +38,7 @@ from rpki.gui.app import models, forms, glue, range_list from rpki.resource_set import (resource_range_as, resource_range_ipv4, resource_range_ipv6, roa_prefix_ipv4) from rpki import sundial +import rpki.exceptions from rpki.gui.cacheview.models import ROAPrefixV4, ROA from rpki.gui.routeview.models import RouteOrigin @@ -195,6 +196,16 @@ def dashboard(request): my_prefixes_v6 = range_list.RangeList([obj.as_resource_range() for obj in prefixes_v6]) unused_prefixes = my_prefixes.difference(used_prefixes) + # monkey-patch each object with a boolean value indicating whether or not + # it is a prefix. We have to do this here because in the template there is + # no way to catch the MustBePrefix exception. + for x in unused_prefixes: + try: + x.prefixlen() + x.is_prefix = True + except rpki.exceptions.MustBePrefix: + x.is_prefix = False + unused_prefixes_v6 = my_prefixes_v6.difference(used_prefixes_v6) clients = models.Client.objects.all() if request.user.is_superuser else None @@ -487,7 +498,12 @@ def roa_create(request): 'max_prefixlen': max_prefixlen, 'routes': routes}) else: - form = forms.ROARequest() + # pull initial values from query parameters + d = {} + for s in ('asn', 'prefix'): + if s in request.GET: + d[s] = request.GET[s] + form = forms.ROARequest(initial=d) return render(request, 'app/roarequest_form.html', {'form': form}) -- cgit v1.2.3 From 95d3eb56c11c96b2a3c0890b1abfb3f9826cdd9f Mon Sep 17 00:00:00 2001 
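Review bot: The `is_prefix` flag is set only on the members of `unused_prefixes`: the loop runs before `unused_prefixes_v6` is computed and never visits it, while the dashboard.html change in this same commit tests `addr.is_prefix` inside the `unused_prefixes_v6` loop as well. A Django template resolves a missing attribute to an empty value, so unless something outside this hunk sets the flag, the IPv6 ROA link will never render. Moving the loop below `unused_prefixes_v6 = my_prefixes_v6.difference(used_prefixes_v6)` and running the same try/except over both lists would cover both tables. If the link is meant to be IPv4-only, drop the `{% if addr.is_prefix %}` block from the IPv6 table instead. The body of dashboard() starts and ends outside the hunk.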
From: Rob Austein Date: Fri, 25 Jan 2013 04:52:38 +0000 Subject: Catch any exceptions that might occur during invocation of caller object's internal done() handler (eg, CMS verification errors), so that any such exceptions propagate correctly to the synchronous caller rather than being trapped by the asynchronous I/O core. See #396. svn path=/trunk/; revision=4977 --- rpkid/rpki/http.py | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/rpkid/rpki/http.py b/rpkid/rpki/http.py index c3eae1fe..d7690988 100644 --- a/rpkid/rpki/http.py +++ b/rpkid/rpki/http.py @@ -1048,13 +1048,18 @@ class caller(object): """ Handle CMS-wrapped XML response message. """ - r_cms = self.proto.cms_msg(DER = r_der) - r_msg = r_cms.unwrap((self.server_ta, self.server_cert)) - self.cms_timestamp = r_cms.check_replay(self.cms_timestamp) - if self.debug: - print "" - print r_cms.pretty_print_content() - cb(r_msg) + try: + r_cms = self.proto.cms_msg(DER = r_der) + r_msg = r_cms.unwrap((self.server_ta, self.server_cert)) + self.cms_timestamp = r_cms.check_replay(self.cms_timestamp) + if self.debug: + print "" + print r_cms.pretty_print_content() + cb(r_msg) + except (rpki.async.ExitNow, SystemExit): + raise + except Exception, e: + eb(e) q_msg = self.proto.msg.query(*pdus) q_cms = self.proto.cms_msg() -- cgit v1.2.3 From 10b6151727182e7caa7fdfad2d67e406e3afc726 Mon Sep 17 00:00:00 2001 
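Review bot: `cb(r_msg)` sits inside the new `try`, so an exception raised by the caller-supplied callback is reported through `eb(e)` as well, and both callbacks can end up invoked for a single response. If only failures of `unwrap()` and `check_replay()` are meant to reach `eb`, move the call into an `else:` clause of the `try`; if routing callback failures to `eb` is intended, a comment such as `# cb() failures are deliberately reported via eb()` would make that explicit. It would also help to note in a comment that `self.cms_timestamp` is only advanced after `unwrap()` has verified the CMS signature, since that ordering is what keeps an unverified message from moving the replay window. The enclosing function starts outside the hunk.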
From: Rob Austein Date: Fri, 25 Jan 2013 07:39:13 +0000 Subject: Clean up and extend rpki.log.init() to support things like letting the GUI provide its own file-like object as a destination for logging. See #396. svn path=/trunk/; revision=4979 --- rpkid/rpki/adns.py | 2 +- rpkid/rpki/irdbd.py | 5 ++-- rpkid/rpki/log.py | 60 +++++++++++++++++++++++++++++------------------- rpkid/rpki/old_irdbd.py | 5 ++-- rpkid/rpki/pubd.py | 6 +++-- rpkid/rpki/rootd.py | 5 ++-- rpkid/rpki/rpkic.py | 4 +--- rpkid/rpki/rpkid.py | 5 ++-- rpkid/tests/smoketest.py | 3 +-- rpkid/tests/yamlconf.py | 3 +-- rpkid/tests/yamltest.py | 3 +-- 11 files changed, 57 insertions(+), 44 deletions(-) diff --git a/rpkid/rpki/adns.py b/rpkid/rpki/adns.py index 736d793a..d221f01e 100644 --- a/rpkid/rpki/adns.py +++ b/rpkid/rpki/adns.py @@ -329,7 +329,7 @@ class getaddrinfo(object): if __name__ == "__main__": - rpki.log.use_syslog = False + rpki.log.init("test-adns", use_syslog = False) print "Some adns tests may take a minute or two, please be patient" class test_getaddrinfo(object): diff --git a/rpkid/rpki/irdbd.py b/rpkid/rpki/irdbd.py index dafdaff9..d67027ff 100644 --- a/rpkid/rpki/irdbd.py +++ b/rpkid/rpki/irdbd.py @@ -151,6 +151,7 @@ class main(object): cfg_file = None foreground = False profile = None + use_syslog = True opts, argv = getopt.getopt(sys.argv[1:], "c:dfhp:?", ["config=", "debug", "foreground", "help", "profile="]) @@ -161,7 +162,7 @@ class main(object): if o in ("-c", "--config"): cfg_file = a elif o in ("-d", "--debug"): - rpki.log.use_syslog = False + use_syslog = False foreground = True elif o in ("-f", "--foreground"): foreground = True @@ -170,7 +171,7 @@ class main(object): if argv: raise rpki.exceptions.CommandParseFailure("Unexpected arguments %s" % argv) - rpki.log.init("irdbd") + rpki.log.init("irdbd", use_syslog = use_syslog) self.cfg = rpki.config.parser(cfg_file, "irdbd") self.cfg.set_global_flags() 
diff --git a/rpkid/rpki/log.py b/rpkid/rpki/log.py index 2b48cb6d..38642999 100644 --- a/rpkid/rpki/log.py +++ b/rpkid/rpki/log.py @@ -49,11 +49,6 @@ except ImportError: enable_trace = False -## @var use_syslog -# Whether to use syslog - -use_syslog = True - ## @var show_python_ids # Whether __repr__() methods should show Python id numbers 
@@ -80,47 +75,55 @@ use_setproctitle = True proctitle_extra = os.path.basename(os.getcwd()) -tag = "" -pid = 0 - -def init(ident = "rpki", flags = syslog.LOG_PID, facility = syslog.LOG_DAEMON): +def init(ident = "rpki", flags = syslog.LOG_PID, facility = syslog.LOG_DAEMON, use_syslog = None, log_file = sys.stderr, tag_log_lines = True): """ Initialize logging system. """ + # If caller didn't say whether to use syslog, use log file if user supplied one, otherwise use syslog + + if use_syslog is None: + use_syslog = log_file is sys.stderr + + logger.use_syslog = use_syslog + logger.tag_log_lines = tag_log_lines + if use_syslog: - return syslog.openlog(ident, flags, facility) + syslog.openlog(ident, flags, facility) + else: - global tag, pid - tag = ident - pid = os.getpid() + logger.tag = ident + logger.pid = os.getpid() + logger.log_file = log_file + if ident and have_setproctitle and use_setproctitle: if proctitle_extra: setproctitle.setproctitle("%s (%s)" % (ident, proctitle_extra)) else: setproctitle.setproctitle(ident) -def set_trace(enable): - """ - Enable or disable call tracing. - """ - - global enable_trace - enable_trace = enable - class logger(object): """ Closure for logging. """ + use_syslog = True + tag = "" + pid = 0 + log_file = sys.stderr + def __init__(self, priority): self.priority = priority def __call__(self, message): - if use_syslog: - return syslog.syslog(self.priority, message) + if self.use_syslog: + syslog.syslog(self.priority, message) + elif self.tag_log_lines: + self.log_file.write("%s %s[%d]: %s\n" % (time.strftime("%F %T"), self.tag, self.pid, message)) + self.log_file.flush() else: - sys.stderr.write("%s %s[%d]: %s\n" % (time.strftime("%F %T"), tag, pid, message)) + self.log_file.write(message + "\n") + self.log_file.flush() error = logger(syslog.LOG_ERR) warn = logger(syslog.LOG_WARNING) 
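Review bot: `logger.__call__` reads `self.tag_log_lines`, but the class body added in this hunk declares defaults only for `use_syslog`, `tag`, `pid` and `log_file`, so the attribute exists only once `init()` has assigned `logger.tag_log_lines`. Any code path that turns syslog off without going through `init()` would hit an AttributeError on its first log call; adding `tag_log_lines = True` next to the other class defaults removes that dependency. Since the module-level `use_syslog` variable is deleted in the previous hunk, a leftover `rpki.log.use_syslog = False` in a caller not touched by this commit would now be silently ignored, which is worth a grep before merging. The docstring `Initialize logging system.` should also describe the new `use_syslog`, `log_file` and `tag_log_lines` parameters, including that `log_file` is ignored when `use_syslog` is true.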
@@ -128,6 +131,15 @@ note = logger(syslog.LOG_NOTICE) info = logger(syslog.LOG_INFO) debug = logger(syslog.LOG_DEBUG) + +def set_trace(enable): + """ + Enable or disable call tracing. + """ + + global enable_trace + enable_trace = enable + def trace(): """ Execution trace -- where are we now, and whence came we here? diff --git a/rpkid/rpki/old_irdbd.py b/rpkid/rpki/old_irdbd.py index 6cc6cb14..dd7fc13e 100644 --- a/rpkid/rpki/old_irdbd.py +++ b/rpkid/rpki/old_irdbd.py @@ -210,6 +210,7 @@ class main(object): time.tzset() cfg_file = None + use_syslog = True opts, argv = getopt.getopt(sys.argv[1:], "c:dh?", ["config=", "debug", "help"]) for o, a in opts: @@ -219,11 +220,11 @@ class main(object): if o in ("-c", "--config"): cfg_file = a elif o in ("-d", "--debug"): - rpki.log.use_syslog = False + use_syslog = False if argv: raise rpki.exceptions.CommandParseFailure, "Unexpected arguments %s" % argv - rpki.log.init("irdbd") + rpki.log.init("irdbd", use_syslog = use_syslog) self.cfg = rpki.config.parser(cfg_file, "irdbd") diff --git a/rpkid/rpki/pubd.py b/rpkid/rpki/pubd.py index a6d8f83f..b026bfff 100644 --- a/rpkid/rpki/pubd.py +++ b/rpkid/rpki/pubd.py @@ -70,6 +70,8 @@ class main(object): self.foreground = False self.irbe_cms_timestamp = None + use_syslog = True + opts, argv = getopt.getopt(sys.argv[1:], "c:dfhp:?", ["config=", "debug", "foreground", "help", "profile="]) for o, a in opts: @@ -79,7 +81,7 @@ class main(object): elif o in ("-c", "--config"): self.cfg_file = a elif o in ("-d", "--debug"): - rpki.log.use_syslog = False + use_syslog = False self.foreground = True elif o in ("-f", "--foreground"): self.foreground = True @@ -88,7 +90,7 @@ class main(object): if argv: raise rpki.exceptions.CommandParseFailure, "Unexpected arguments %s" % argv - rpki.log.init("pubd") + rpki.log.init("pubd", use_syslog = use_syslog) self.cfg = rpki.config.parser(self.cfg_file, "pubd") self.cfg.set_global_flags() 
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py index 6da7081b..a74194ea 100644 --- a/rpkid/rpki/rootd.py +++ b/rpkid/rpki/rootd.py @@ -332,6 +332,7 @@ class main(object): time.tzset() self.cfg_file = None + use_syslog = True opts, argv = getopt.getopt(sys.argv[1:], "c:dfh?", ["config=", "debug", "foreground", "help"]) for o, a in opts: @@ -341,7 +342,7 @@ class main(object): elif o in ("-c", "--config"): self.cfg_file = a elif o in ("-d", "--debug"): - rpki.log.use_syslog = False + use_syslog = False self.foreground = True elif o in ("-f", "--foreground"): self.foreground = True @@ -349,7 +350,7 @@ class main(object): if argv: raise rpki.exceptions.CommandParseFailure, "Unexpected arguments %s" % argv - rpki.log.init("rootd") + rpki.log.init("rootd", use_syslog = use_syslog) self.cfg = rpki.config.parser(self.cfg_file, "rootd") self.cfg.set_global_flags() diff --git a/rpkid/rpki/rpkic.py b/rpkid/rpki/rpkic.py index f00e15b5..b7e340ab 100644 --- a/rpkid/rpki/rpkic.py +++ b/rpkid/rpki/rpkic.py @@ -73,8 +73,6 @@ class main(rpki.cli.Cmd): os.environ["TZ"] = "UTC" time.tzset() - rpki.log.use_syslog = False - self.cfg_file = None self.handle = None profile = None @@ -105,7 +103,7 @@ class main(rpki.cli.Cmd): self.main() def main(self): - rpki.log.init("rpkic") + rpki.log.init("rpkic", use_syslog = False) self.read_config() rpki.cli.Cmd.__init__(self, self.argv) diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py index 7e6f9151..0fd9f7bc 100644 --- a/rpkid/rpki/rpkid.py +++ b/rpkid/rpki/rpkid.py @@ -75,6 +75,7 @@ class main(object): self.irbe_cms_timestamp = None self.task_current = None self.task_queue = [] + use_syslog = True opts, argv = getopt.getopt(sys.argv[1:], "c:dfhp:?", ["config=", "debug", "foreground", "help", "profile="]) @@ -83,7 +84,7 @@ class main(object): print __doc__ sys.exit(0) elif o in ("-d", "--debug"): - rpki.log.use_syslog = False + use_syslog = False self.foreground = True elif o in ("-f", "--foreground"): self.foreground = True 
@@ -94,7 +95,7 @@ class main(object): if argv: raise rpki.exceptions.CommandParseFailure, "Unexpected arguments %s" % argv - rpki.log.init("rpkid") + rpki.log.init("rpkid", use_syslog = use_syslog) self.cfg = rpki.config.parser(self.cfg_file, "rpkid") self.cfg.set_global_flags() diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py index 67e31fed..33f73091 100644 --- a/rpkid/tests/smoketest.py +++ b/rpkid/tests/smoketest.py @@ -184,8 +184,7 @@ def main(): Main program. """ - rpki.log.use_syslog = False - rpki.log.init(smoketest_name) + rpki.log.init(smoketest_name, use_syslog = False) rpki.log.info("Starting") pubd_process = None diff --git a/rpkid/tests/yamlconf.py b/rpkid/tests/yamlconf.py index f9f69ba1..ac1c3292 100644 --- a/rpkid/tests/yamlconf.py +++ b/rpkid/tests/yamlconf.py @@ -611,8 +611,7 @@ def main(): quiet = args.quiet yaml_file = args.yaml_file - rpki.log.use_syslog = False - rpki.log.init("yamlconf") + rpki.log.init("yamlconf", use_syslog = False) # Allow optional config file for this tool to override default # passwords: this is mostly so that I can show a complete working diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py index 3006a6fa..506b68f2 100644 --- a/rpkid/tests/yamltest.py +++ b/rpkid/tests/yamltest.py @@ -565,8 +565,7 @@ try: if pidfile is not None: open(pidfile, "w").write("%s\n" % os.getpid()) - rpki.log.use_syslog = False - rpki.log.init("yamltest") + rpki.log.init("yamltest", use_syslog = False) yaml_file = argv[0] if argv else "smoketest.1.yaml" -- cgit v1.2.3 From 91245d338cefa204088276bd5a4d2907d3586cd0 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Tue, 29 Jan 2013 23:23:10 +0000 Subject: Check for empty RFC 3779 extensions. See #406. svn path=/trunk/; revision=4981 --- rcynic/rcynic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c index 2f37ed79..0634bc52 100644 --- a/rcynic/rcynic.c +++ b/rcynic/rcynic.c 
@@ -3707,7 +3707,8 @@ static int check_x509(rcynic_ctx_t *rc, ex_count--; if ((loc = X509_get_ext_by_NID(x, NID_sbgp_ipAddrBlock, -1)) < 0 || !X509_EXTENSION_get_critical(X509_get_ext(x, loc)) || - !v3_addr_is_canonical(x->rfc3779_addr)) { + !v3_addr_is_canonical(x->rfc3779_addr) || + sk_IPAddressFamily_num(x->rfc3779_addr) == 0) { log_validation_status(rc, uri, bad_ipaddrblocks, generation); goto done; } @@ -3718,6 +3719,7 @@ static int check_x509(rcynic_ctx_t *rc, if ((loc = X509_get_ext_by_NID(x, NID_sbgp_autonomousSysNum, -1)) < 0 || !X509_EXTENSION_get_critical(X509_get_ext(x, loc)) || !v3_asid_is_canonical(x->rfc3779_asid) || + x->rfc3779_asid->asnum == NULL || x->rfc3779_asid->rdi != NULL) { log_validation_status(rc, uri, bad_asidentifiers, generation); goto done; -- cgit v1.2.3 From cce70c7b31498037b731024bcd805b8d47670fd0 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Tue, 29 Jan 2013 23:46:40 +0000 Subject: Regen. Perhaps Generator Id in defstack.py's output was a mistake? svn path=/trunk/; revision=4982 --- rcynic/defstack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rcynic/defstack.h b/rcynic/defstack.h index 97490878..370c8129 100644 --- a/rcynic/defstack.h +++ b/rcynic/defstack.h @@ -1,6 +1,6 @@ /* * Automatically generated, do not edit. - * Generator $Id: defstack.py 4725 2012-09-19 21:28:34Z sra $ + * Generator $Id: defstack.py 4878 2012-11-15 22:13:53Z sra $ */ #ifndef __RCYNIC_C__DEFSTACK_H__ -- cgit v1.2.3 From ef13cddc2f03d9e97d700e57454e164bfa6a4815 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 30 Jan 2013 00:29:47 +0000 Subject: rpki.x509.X509._issue() wasn't passing inheritance flags into rpki.POW.X509.setRFC3779(), which was resulting in empty IPAddrBlock extensions for manifests and Ghostbusters records. See #406. svn path=/trunk/; revision=4983 --- rpkid/rpki/x509.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
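Review bot: The new empty-extension test `sk_IPAddressFamily_num(x->rfc3779_addr) == 0` does not reject a NULL stack. OpenSSL's `sk_*_num()` returns -1 for a NULL stack and `v3_addr_is_canonical()` treats NULL as canonical, so if `x->rfc3779_addr` can be NULL here (extension present but not decoded), the certificate still passes; comparing with `<= 0` closes that case. In the second hunk `x->rfc3779_asid->asnum == NULL` dereferences `x->rfc3779_asid` with no NULL test, as the existing `->rdi` check already did, and `v3_asid_is_canonical()` also accepts NULL; putting `x->rfc3779_asid == NULL ||` ahead of it would keep a malformed certificate from crashing the validator. check_x509() starts and ends outside both hunks.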
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py index 6f28e6f7..9befb320 100644 --- a/rpkid/rpki/x509.py +++ b/rpkid/rpki/x509.py @@ -693,9 +693,15 @@ class X509(DER_object): if resources is not None: cert.setRFC3779( - asn = ((r.min, r.max) for r in resources.asn), - ipv4 = ((rpki.POW.IPAddress(r.min, 4), rpki.POW.IPAddress(r.max, 4)) for r in resources.v4), - ipv6 = ((rpki.POW.IPAddress(r.min, 6), rpki.POW.IPAddress(r.max, 6)) for r in resources.v6)) + asn = (("inherit" if resources.asn.inherit else + ((r.min, r.max) for r in resources.asn)) + or None), + ipv4 = (("inherit" if resources.v4.inherit else + ((r.min, r.max) for r in resources.v4)) + or None), + ipv6 = (("inherit" if resources.v6.inherit else + ((r.min, r.max) for r in resources.v6)) + or None)) cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST) -- cgit v1.2.3 From e065bbc64b4dc3fc51387eb5275ece174baf8242 Mon Sep 17 00:00:00 2001 From: Michael Elkins Date: Thu, 31 Jan 2013 01:13:24 +0000 Subject: require a connection secured with TLS, otherwise return a HTTP 500 error closes #401 svn path=/branches/tk401/; revision=4985 --- rpkid/rpki/gui/app/templates/base.html | 2 +- .../rpki/gui/app/templates/registration/login.html | 2 +- rpkid/rpki/gui/app/views.py | 2 ++ rpkid/rpki/gui/decorators.py | 31 ++++++++++++++++++++++ rpkid/rpki/gui/urls.py | 4 +-- rpkid/rpki/gui/views.py | 30 +++++++++++++++++++++ 6 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 rpkid/rpki/gui/decorators.py create mode 100644 rpkid/rpki/gui/views.py diff --git a/rpkid/rpki/gui/app/templates/base.html b/rpkid/rpki/gui/app/templates/base.html index 0af1d241..89aa0b9a 100644 --- a/rpkid/rpki/gui/app/templates/base.html +++ b/rpkid/rpki/gui/app/templates/base.html @@ -24,7 +24,7 @@ {% if user.is_authenticated %}
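Review bot: The trailing `or None` never takes effect in the non-inherit branch, because a generator expression object is truthy even when it yields nothing. A resource set with `inherit` false and no ranges therefore still reaches `setRFC3779()` as an empty iterable rather than `None`, which looks like the empty-extension case the commit message sets out to fix. Materialising the ranges first makes the fallback work, e.g. `ipv4 = "inherit" if resources.v4.inherit else (tuple((r.min, r.max) for r in resources.v4) or None)`, and likewise for `asn` and `ipv6` (assuming `setRFC3779()` accepts any iterable). The new code also drops the `rpki.POW.IPAddress(r.min, 4)` wrapping that the removed lines applied, so it is worth confirming that `r.min` and `r.max` are already of the type `setRFC3779()` expects. The enclosing method starts and ends outside the hunk.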
      • -
      • Log Out
      • +
      • Log Out
      • {% endif %}
      diff --git a/rpkid/rpki/gui/app/templates/registration/login.html b/rpkid/rpki/gui/app/templates/registration/login.html index 27ad21cf..d2ee9468 100644 --- a/rpkid/rpki/gui/app/templates/registration/login.html +++ b/rpkid/rpki/gui/app/templates/registration/login.html @@ -8,7 +8,7 @@ {% endif %} -
      + {% csrf_token %}
      diff --git a/rpkid/rpki/gui/app/views.py b/rpkid/rpki/gui/app/views.py index 535ffe6c..2d674c95 100644 --- a/rpkid/rpki/gui/app/views.py +++ b/rpkid/rpki/gui/app/views.py @@ -42,6 +42,7 @@ import rpki.exceptions from rpki.gui.cacheview.models import ROAPrefixV4, ROA from rpki.gui.routeview.models import RouteOrigin +from rpki.gui.decorators import tls_required def superuser_required(f): @@ -63,6 +64,7 @@ def handle_required(f): """ @login_required + @tls_required def wrapped_fn(request, *args, **kwargs): if 'handle' not in request.session: if request.user.is_superuser: diff --git a/rpkid/rpki/gui/decorators.py b/rpkid/rpki/gui/decorators.py new file mode 100644 index 00000000..69d20c46 --- /dev/null +++ b/rpkid/rpki/gui/decorators.py @@ -0,0 +1,31 @@ +# Copyright (C) 2013 SPARTA, Inc. a Parsons Company +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +__version__ = '$Id$' + +from django import http + + +def tls_required(f): + """Decorator which returns a 500 error if the connection is not secured + with TLS (https). + + """ + def _tls_required(request, *args, **kwargs): + if not request.is_secure(): + return http.HttpResponseServerError( + 'This resource may only be accessed securely via https', + content_type='text/plain') + return f(request, *args, **kwargs) + return _tls_required 
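Review bot: `tls_required` in decorators.py can only refuse a plain-http request after the server has received it, so a session cookie or login form body carried by that request has already crossed the network in clear text. The docstring should say the decorator is a backstop and that the deployment still needs `SESSION_COOKIE_SECURE = True` and an http-to-https redirect at the web server. `request.is_secure()` also depends on proxy configuration when TLS is terminated in front of Django, which the docstring could mention. `_tls_required` is not decorated with `functools.wraps(f)`, so the wrapped views lose their name and docstring; adding `@functools.wraps(f)` above `def _tls_required` fixes that.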
diff --git a/rpkid/rpki/gui/urls.py b/rpkid/rpki/gui/urls.py index 52949b73..58e2ea9f 100644 --- a/rpkid/rpki/gui/urls.py +++ b/rpkid/rpki/gui/urls.py @@ -30,7 +30,7 @@ urlpatterns = patterns('', (r'^cacheview/', include('rpki.gui.cacheview.urls')), (r'^rpki/', include('rpki.gui.app.urls')), - (r'^accounts/login/$', 'django.contrib.auth.views.login'), - (r'^accounts/logout/$', 'django.contrib.auth.views.logout', + (r'^accounts/login/$', 'rpki.gui.views.login'), + (r'^accounts/logout/$', 'rpki.gui.views.logout', {'next_page': '/rpki/'}), ) diff --git a/rpkid/rpki/gui/views.py b/rpkid/rpki/gui/views.py new file mode 100644 index 00000000..5c62cf62 --- /dev/null +++ b/rpkid/rpki/gui/views.py 
@@ -0,0 +1,30 @@
+# Copyright (C) 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+
+import django.contrib.auth.views
+from rpki.gui.decorators import tls_required
+
+
+@tls_required
+def login(request, *args, **kwargs):
+ "Wrapper around django.contrib.auth.views.login to force use of TLS."
+ return django.contrib.auth.views.login(request, *args, **kwargs)
+
+
+@tls_required
+def logout(request, *args, **kwargs):
+ "Wrapper around django.contrib.auth.views.logout to force use of TLS."
+ return django.contrib.auth.views.login(request, *args, **kwargs)
-- cgit v1.2.3
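Review bot: The `logout` wrapper returns `django.contrib.auth.views.login(request, *args, **kwargs)`, so the `/accounts/logout/` route that urls.py now points at `rpki.gui.views.logout` runs the login view and the session is never ended. The last line of the function should read `return django.contrib.auth.views.logout(request, *args, **kwargs)`. As written, a user who clicks Log Out stays authenticated, and the `next_page` keyword that urls.py passes to this route is handed to a view that presumably does not expect it. A small test asserting that the session is cleared after a request to the logout URL would catch this kind of copy-paste slip.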