0003-add-blacklists-by-nameIDs-and-mac-addresses-support.patch
| usr/local/univnautes/sp/rc.sh | ||
|---|---|---|
| 32 | 32 |
) & |
| 33 | 33 |
} |
| 34 | 34 | |
| 35 |
function syncbl() {
|
|
| 36 |
echo "sync blacklist in progress (backgrounded)" | logger -p local4.info -t sp/syncblacklists |
|
| 37 |
( |
|
| 38 |
cd /usr/local/univnautes/sp/ |
|
| 39 |
./update-blacklists.sh | logger -p local4.info -t sp/update-blacklists |
|
| 40 |
) & |
|
| 41 |
} |
|
| 42 | ||
| 35 | 43 |
function syncdata() {
|
| 36 | 44 |
echo "sync metadatas + geoinfos in progress (backgrounded)" | logger -p local4.info -t sp/syncdata |
| 37 | 45 |
( |
| ... | ... | |
| 56 | 64 |
echo "started (manage.py runfcgi)" | logger -p local4.info -t sp/start |
| 57 | 65 |
syncdata |
| 58 | 66 |
syncwl |
| 67 |
syncbl |
|
| 59 | 68 |
cronstart |
| 60 | 69 |
} |
| 61 | 70 | |
| usr/local/univnautes/sp/sp/auth.py | ||
|---|---|---|
| 1 | 1 |
# -*- encoding: utf-8 -*- |
| 2 | 2 | |
| 3 |
import re |
|
| 3 | 4 |
import subprocess |
| 4 | 5 |
import syslog |
| 5 | 6 |
import xml.etree.ElementTree |
| ... | ... | |
| 8 | 9 |
from django.contrib import messages |
| 9 | 10 | |
| 10 | 11 |
from authentic2.authsaml2 import signals |
| 12 |
from sp import pfconfigxml |
|
| 13 | ||
| 14 |
COMMENT=re.compile('^\s*($|#)')
|
|
| 11 | 15 | |
| 12 | 16 |
def user_login_cb(sender, request, attributes={}, **kwargs):
|
| 13 | 17 |
if request and request.user.is_anonymous(): |
| ... | ... | |
| 35 | 39 |
# log needs eduPersonTargetedID + transientID + idp |
| 36 | 40 |
username = eduPersonTargetedID + '|' + eduPersonTargetedID_NameQualifier |
| 37 | 41 | |
| 38 |
# TODO : blacklist |
|
| 39 | ||
| 40 | 42 |
ip = request.META['REMOTE_ADDR'] |
| 41 | 43 | |
| 44 |
# user blacklist |
|
| 45 |
try: |
|
| 46 |
nameid_bl = pfconfigxml.get_blacklists('nameid')
|
|
| 47 |
for line in nameid_bl.splitlines(True): |
|
| 48 |
if COMMENT.match(line): |
|
| 49 |
continue |
|
| 50 |
userbl = line.strip() |
|
| 51 |
# if the line starts with ~, it's a regex |
|
| 52 |
if userbl[0] == '~' and re.match(userbl[1::], username): |
|
| 53 |
request.session['pfsenseid'] = 'BLACKLISTED' |
|
| 54 |
messages.error(request, u"Connexion refusée (règle dans une liste noire).") |
|
| 55 |
syslog.openlog("logportalauth", syslog.LOG_PID)
|
|
| 56 |
syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED-REGEX: %s,,%s" % (username, ip)) |
|
| 57 |
return False |
|
| 58 |
elif userbl.strip() == username: |
|
| 59 |
request.session['pfsenseid'] = 'BLACKLISTED' |
|
| 60 |
messages.error(request, u"Connexion refusée (présent dans une liste noire).") |
|
| 61 |
syslog.openlog("logportalauth", syslog.LOG_PID)
|
|
| 62 |
syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED: %s,,%s" % (username, ip)) |
|
| 63 |
return False |
|
| 64 |
except: |
|
| 65 |
pass |
|
| 66 | ||
| 42 | 67 |
# univnautes idp returns univnautesPrivileges attribute (a list) |
| 43 | 68 |
multiple = 0 |
| 44 | 69 |
privileges = attributes.get((u'univnautesPrivileges', u'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'), []) |
| usr/local/univnautes/sp/sp/management/commands/configxml.py | ||
|---|---|---|
| 18 | 18 | |
| 19 | 19 |
from django.core.management.base import BaseCommand, CommandError |
| 20 | 20 |
import os |
| 21 |
import sys |
|
| 21 | 22 |
from sp import pfconfigxml |
| 22 | 23 | |
| 23 |
def get(key): |
|
| 24 |
def get(key, args):
|
|
| 24 | 25 |
if key == 'cpnames': |
| 25 | 26 |
for n in pfconfigxml.get_saml_cps(): |
| 26 | 27 |
print n['name'] |
| 28 |
elif key == 'blacklist': |
|
| 29 |
if len(args) > 2: |
|
| 30 |
print pfconfigxml.get_blacklists(args[2]) |
|
| 31 |
else: |
|
| 32 |
print >> sys.stderr, 'you need to choose a blacklist (nameid or macadresses)' |
|
| 27 | 33 | |
| 28 | 34 |
class Command(BaseCommand): |
| 29 | 35 |
help = 'get infos from config.xml' |
| ... | ... | |
| 35 | 41 |
print "syntax: configxml get|set key" |
| 36 | 42 |
return |
| 37 | 43 |
if action == 'get': |
| 38 |
return get(key) |
|
| 44 |
return get(key, args)
|
|
| 39 | 45 | |
| usr/local/univnautes/sp/sp/pfconfigxml.py | ||
|---|---|---|
| 240 | 240 |
}) |
| 241 | 241 |
return whitelists |
| 242 | 242 | |
| 243 | ||
| 244 |
def get_blacklists(list_type): |
|
| 245 |
""" |
|
| 246 |
<blacklists> |
|
| 247 |
<macaddresses>base64</macaddresses> |
|
| 248 |
<nameid>base64</nameid> |
|
| 249 |
</blacklists> |
|
| 250 |
""" |
|
| 251 |
xml_blacklist = root().find('univnautes/blacklists/%s' % list_type)
|
|
| 252 |
if xml_blacklist is not None and xml_blacklist.text: |
|
| 253 |
return xml_blacklist.text.decode('base64')
|
|
| 254 |
return '' |
|
| 255 | ||
| usr/local/univnautes/sp/update-blacklists.sh | ||
|---|---|---|
| 1 |
#!/bin/sh |
|
| 2 | ||
| 3 |
log() {
|
|
| 4 |
logger -p local4.info -t macblacklist -- "$*" |
|
| 5 |
} |
|
| 6 | ||
| 7 |
log "update MAC blacklist" |
|
| 8 |
cd /usr/local/univnautes/sp |
|
| 9 |
for ctx in $(./manage.py configxml get cpnames); do |
|
| 10 |
/sbin/ipfw -x $ctx -fq delete 666 |
|
| 11 |
for MAC in $(./manage.py configxml get blacklist macaddresses | sed 's/#.*$//'); do |
|
| 12 |
# sanitize |
|
| 13 |
MAC=`echo $MAC | tr -dc 0-9a-fA-F:` |
|
| 14 |
if test -n "$MAC"; then |
|
| 15 |
if /sbin/ipfw -x $ctx -fq add 666 deny MAC $MAC any; then |
|
| 16 |
log "added: $MAC in $ctx" |
|
| 17 |
else |
|
| 18 |
log "ERROR can't add: $MAC (incorrect MAC address ?)" |
|
| 19 |
fi |
|
| 20 |
fi |
|
| 21 |
done |
|
| 22 |
done |
|
| 23 | ||
| 24 |
exit 0 |
|
| 0 |
- |
|