0003-add-blacklists-by-nameIDs-and-mac-addresses-support.patch
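--- a/usr/local/univnautes/sp/rc.sh
+++ b/usr/local/univnautes/sp/rc.sh
@@ -32,6 +32,14 @@
 ) &
 }
 
+function syncbl() {
+echo "sync blacklist in progress (backgrounded)" | logger -p local4.info -t sp/syncblacklists
+(
+cd /usr/local/univnautes/sp/
+./update-blacklists.sh | logger -p local4.info -t sp/update-blacklists
+) &
+}
+
 function syncdata() {
 echo "sync metadatas + geoinfos in progress (backgrounded)" | logger -p local4.info -t sp/syncdata
 (
@@ -56,6 +64,7 @@
 echo "started (manage.py runfcgi)" | logger -p local4.info -t sp/start
 syncdata
 syncwl
+syncbl
 cronstart
 }
 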
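Review bot: In syncbl the `cd /usr/local/univnautes/sp/` result is not checked, so if the directory is missing the subshell goes on to run `./update-blacklists.sh` relative to whatever working directory rc.sh happens to have; inside the `( … ) &` subshell `cd /usr/local/univnautes/sp/ || exit 1` is enough, since exit only leaves the subshell. Only stdout of the script is piped to logger, so any error text ipfw writes to stderr is lost from the syslog trail; `./update-blacklists.sh 2>&1 | logger -p local4.info -t sp/update-blacklists` keeps it. The second hunk adds the `syncbl` call inside a function whose opening line is outside this section.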
usr/local/univnautes/sp/sp/auth.py | ||
---|---|---|
1 | 1 |
# -*- encoding: utf-8 -*- |
2 | 2 | |
3 |
import re |
|
3 | 4 |
import subprocess |
4 | 5 |
import syslog |
5 | 6 |
import xml.etree.ElementTree |
... | ... | |
8 | 9 |
from django.contrib import messages |
9 | 10 | |
10 | 11 |
from authentic2.authsaml2 import signals |
12 |
from sp import pfconfigxml |
|
13 | ||
14 |
COMMENT=re.compile('^\s*($|#)') |
|
11 | 15 | |
12 | 16 |
def user_login_cb(sender, request, attributes={}, **kwargs): |
13 | 17 |
if request and request.user.is_anonymous(): |
... | ... | |
35 | 39 |
# log needs eduPersonTargetedID + transientID + idp |
36 | 40 |
username = eduPersonTargetedID + '|' + eduPersonTargetedID_NameQualifier |
37 | 41 | |
38 |
# TODO : blacklist |
|
39 | ||
40 | 42 |
ip = request.META['REMOTE_ADDR'] |
41 | 43 | |
44 |
# user blacklist |
|
45 |
try: |
|
46 |
nameid_bl = pfconfigxml.get_blacklists('nameid') |
|
47 |
for line in nameid_bl.splitlines(True): |
|
48 |
if COMMENT.match(line): |
|
49 |
continue |
|
50 |
userbl = line.strip() |
|
51 |
# if the line starts with ~, it's a regex |
|
52 |
if userbl[0] == '~' and re.match(userbl[1::], username): |
|
53 |
request.session['pfsenseid'] = 'BLACKLISTED' |
|
54 |
messages.error(request, u"Connexion refusée (règle dans une liste noire).") |
|
55 |
syslog.openlog("logportalauth", syslog.LOG_PID) |
|
56 |
syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED-REGEX: %s,,%s" % (username, ip)) |
|
57 |
return False |
|
58 |
elif userbl.strip() == username: |
|
59 |
request.session['pfsenseid'] = 'BLACKLISTED' |
|
60 |
messages.error(request, u"Connexion refusée (présent dans une liste noire).") |
|
61 |
syslog.openlog("logportalauth", syslog.LOG_PID) |
|
62 |
syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED: %s,,%s" % (username, ip)) |
|
63 |
return False |
|
64 |
except: |
|
65 |
pass |
|
66 | ||
42 | 67 |
# univnautes idp returns univnautesPrivileges attribute (a list) |
43 | 68 |
multiple = 0 |
44 | 69 |
privileges = attributes.get((u'univnautesPrivileges', u'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'), []) |
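Review bot: The bare `except: pass` wrapping the whole blacklist loop (new lines 45-65) turns every failure — config element unreadable, malformed base64 raised from get_blacklists, an invalid pattern in a `~` rule — into a silent skip of the rest of the list, so one bad rule fails open for every entry after it and nothing is logged. The `try` should only surround fetching the list, a `re.error` on one rule should be logged and skipped with `continue`, and an unreadable list should at least be logged so the operator sees the check was not applied; whether to refuse the login in that case is a policy decision this code should make explicitly rather than by accident. Note also that `re.match` anchors only at the start of the username, which is fine if documented next to the `~` comment. user_login_cb's `def` is in an earlier hunk and its body continues after this one.
```python
    # user blacklist
    try:
        nameid_bl = pfconfigxml.get_blacklists('nameid')
    except Exception:
        # list unreadable: record it instead of silently skipping the check
        syslog.openlog("logportalauth", syslog.LOG_PID)
        syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_WARNING, "BLACKLIST-UNAVAILABLE: %s,,%s" % (username, ip))
        nameid_bl = ''
    for line in nameid_bl.splitlines(True):
        if COMMENT.match(line):
            continue
        userbl = line.strip()
        # if the line starts with ~, it's a regex (matched at the start of the username)
        if userbl[0] == '~':
            try:
                matched = re.match(userbl[1:], username)
            except re.error:
                # one bad rule must not disable the rules after it
                syslog.openlog("logportalauth", syslog.LOG_PID)
                syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_WARNING, "BLACKLIST-BADRULE: %s" % userbl)
                continue
            if matched:
                # … unchanged: BLACKLISTED-REGEX session / message / syslog / return False …
        # … unchanged: exact-match branch …
```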
usr/local/univnautes/sp/sp/management/commands/configxml.py | ||
---|---|---|
18 | 18 | |
19 | 19 |
from django.core.management.base import BaseCommand, CommandError |
20 | 20 |
import os |
21 |
import sys |
|
21 | 22 |
from sp import pfconfigxml |
22 | 23 | |
23 |
def get(key): |
|
24 |
def get(key, args):
|
|
24 | 25 |
if key == 'cpnames': |
25 | 26 |
for n in pfconfigxml.get_saml_cps(): |
26 | 27 |
print n['name'] |
28 |
elif key == 'blacklist': |
|
29 |
if len(args) > 2: |
|
30 |
print pfconfigxml.get_blacklists(args[2]) |
|
31 |
else: |
|
32 |
print >> sys.stderr, 'you need to choose a blacklist (nameid or macadresses)' |
|
27 | 33 | |
28 | 34 |
class Command(BaseCommand): |
29 | 35 |
help = 'get infos from config.xml' |
... | ... | |
35 | 41 |
print "syntax: configxml get|set key" |
36 | 42 |
return |
37 | 43 |
if action == 'get': |
38 |
return get(key) |
|
44 |
return get(key, args)
|
|
39 | 45 |
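Review bot: The usage message on new line 32 spells the list name `macadresses`, while the XML element documented in pfconfigxml and the caller in update-blacklists.sh use `macaddresses`; an operator who follows the message asks for a list that does not exist and, because get_blacklists returns '' for a missing element, gets empty output with exit status 0 instead of an error. Since `args[2]` is interpolated straight into the element path, the command should also accept only the two known names and fail loudly, which the already-imported CommandError gives for free: `if len(args) > 2 and args[2] in ('nameid', 'macaddresses'):` … `else:` `raise CommandError('you need to choose a blacklist (nameid or macaddresses)')`. The signature of `get` changed to `get(key, args)`; the only caller visible here is updated, but any other caller outside this section would now fail.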
usr/local/univnautes/sp/sp/pfconfigxml.py | ||
---|---|---|
240 | 240 |
}) |
241 | 241 |
return whitelists |
242 | 242 | |
243 | ||
244 |
def get_blacklists(list_type): |
|
245 |
""" |
|
246 |
<blacklists> |
|
247 |
<macaddresses>base64</macaddresses> |
|
248 |
<nameid>base64</nameid> |
|
249 |
</blacklists> |
|
250 |
""" |
|
251 |
xml_blacklist = root().find('univnautes/blacklists/%s' % list_type) |
|
252 |
if xml_blacklist is not None and xml_blacklist.text: |
|
253 |
return xml_blacklist.text.decode('base64') |
|
254 |
return '' |
|
255 |
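Review bot: The docstring of get_blacklists documents only the XML layout, not the contract callers depend on: that the function returns the base64-decoded text of `univnautes/blacklists/<list_type>`, returns '' when the element is absent or empty, and lets a decoding error on malformed base64 propagate to the caller — worth stating in a "Returns/Raises" paragraph since both the login hook and the management command build on it. `list_type` is interpolated into the `find()` path unchecked; restricting it to the two documented names, `if list_type not in ('macaddresses', 'nameid'): raise ValueError(list_type)`, keeps a typo from silently querying a different element and returning ''.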
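--- /dev/null
+++ b/usr/local/univnautes/sp/update-blacklists.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+log() {
+logger -p local4.info -t macblacklist -- "$*"
+}
+
+log "update MAC blacklist"
+cd /usr/local/univnautes/sp
+for ctx in $(./manage.py configxml get cpnames); do
+/sbin/ipfw -x $ctx -fq delete 666
+for MAC in $(./manage.py configxml get blacklist macaddresses | sed 's/#.*$//'); do
+# sanitize
+MAC=`echo $MAC | tr -dc 0-9a-fA-F:`
+if test -n "$MAC"; then
+if /sbin/ipfw -x $ctx -fq add 666 deny MAC $MAC any; then
+log "added: $MAC in $ctx"
+else
+log "ERROR can't add: $MAC (incorrect MAC address ?)"
+fi
+fi
+done
+done
+
+exit 0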
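Review bot: Rule 666 is deleted for each context (line 10) before the MAC list is fetched (line 11), so if `manage.py configxml get blacklist macaddresses` fails the substitution is empty, the existing deny rules are gone, nothing is re-added and the script still exits 0 — the blacklist fails open and the only trace is a missing "added:" line. Reading the list once before touching any rule and aborting on failure avoids that, provided the command reports failure through its exit status; quoting `"$ctx"` also keeps a context name with spaces from splitting into two ipfw invocations. Separately, ipfw's `MAC` option takes dst-mac before src-mac, so `deny MAC $MAC any` appears to match frames addressed to the client rather than frames it sends — worth confirming against ipfw(8) that this is the intended direction. The `cd` on line 8 is also unchecked.
```sh
cd /usr/local/univnautes/sp || exit 1
# read the list once, before touching any rule, so a failed read keeps the current rules
MACS=$(./manage.py configxml get blacklist macaddresses) || { log "ERROR can't read MAC blacklist, rules left unchanged"; exit 1; }
for ctx in $(./manage.py configxml get cpnames); do
    /sbin/ipfw -x "$ctx" -fq delete 666
    for MAC in $(printf '%s\n' "$MACS" | sed 's/#.*$//'); do
        # … unchanged: sanitize / add / log …
    done
done
```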