mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-11-24 20:33:11 +00:00
chapeau 2021-05-13 19:43:39 +02:00
parent f70b97677f
commit a234be0981
2 changed files with 18 additions and 19 deletions


@ -213,7 +213,7 @@ class AutodetectACLPermission(permissions.BasePermission):
return [perm(obj) for perm in self.perms_obj_map[method]] return [perm(obj) for perm in self.perms_obj_map[method]]
@ staticmethod @staticmethod
def _queryset(view): def _queryset(view):
return _get_param_in_view(view, "queryset") return _get_param_in_view(view, "queryset")
@ -240,7 +240,9 @@ class AutodetectACLPermission(permissions.BasePermission):
if getattr(view, "_ignore_model_permissions", False): if getattr(view, "_ignore_model_permissions", False):
return True return True
if not getattr(view, "queryset", None): # Bypass permission verifications if it is a functional view
# (permissions are handled by ACL)
if not hasattr(view, "queryset") and not hasattr(view, "get_queryset"):
return True return True
if not request.user or not request.user.is_authenticated: if not request.user or not request.user.is_authenticated:
@ -277,8 +279,7 @@ class AutodetectACLPermission(permissions.BasePermission):
# they have read permissions to see 403, or not, and simply see # they have read permissions to see 403, or not, and simply see
# a 404 response. # a 404 response.
SAFE_METHODS = ("GET", "OPTIONS", "HEAD", SAFE_METHODS = ("GET", "OPTIONS", "HEAD", "POST", "PUT", "PATCH", "DELETE")
"POST", "PUT", "PATCH", "DELETE")
if request.method in SAFE_METHODS: if request.method in SAFE_METHODS:
# Read permissions already checked and failed, no need # Read permissions already checked and failed, no need
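Review bot: The new bypass `if not hasattr(view, "queryset") and not hasattr(view, "get_queryset"): return True` fails open, and it runs before the `request.user.is_authenticated` test that follows it, so this class grants permission to any view exposing neither attribute without looking at the user at all. The added comment says such functional views are covered by ACL, but nothing in the visible lines verifies that an ACL was actually applied, so a functional view that omits it would pass this class unchecked. Consider moving the authentication test above the bypass, or requiring an explicit per-view opt-in in the style of the `_ignore_model_permissions` flag checked just above. The comment should also name the mechanism that is expected to enforce access for these views. The enclosing method starts and ends outside the hunk, so this is based only on the lines shown.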


@ -34,12 +34,12 @@ https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_pyth
Inspired by Daniel Stan in Crans Inspired by Daniel Stan in Crans
""" """
import logging
import os import os
import sys import sys
import logging
import traceback import traceback
import radiusd # Magic module freeradius (radiusd.py is dummy)
import radiusd # Magic module freeradius (radiusd.py is dummy)
from django.core.wsgi import get_wsgi_application from django.core.wsgi import get_wsgi_application
from django.db.models import Q from django.db.models import Q
@ -54,11 +54,10 @@ os.chdir(proj_path)
# This is so models get loaded. # This is so models get loaded.
application = get_wsgi_application() application = get_wsgi_application()
from machines.models import Interface, IpList, Nas, Domain from machines.models import Domain, Interface, IpList, Nas
from preferences.models import RadiusOption
from topologie.models import Port, Switch from topologie.models import Port, Switch
from users.models import User from users.models import User
from preferences.models import RadiusOption
# Logging # Logging
@ -76,7 +75,7 @@ class RadiusdHandler(logging.Handler):
radiusd.radlog(rad_sig, str(record.msg)) radiusd.radlog(rad_sig, str(record.msg))
# Init for logging # Init for logging
logger = logging.getLogger("auth.py") logger = logging.getLogger("auth.py")
logger.setLevel(logging.DEBUG) logger.setLevel(logging.DEBUG)
formatter = logging.Formatter("%(name)s: [%(levelname)s] %(message)s") formatter = logging.Formatter("%(name)s: [%(levelname)s] %(message)s")
@ -97,7 +96,7 @@ def radius_event(fun):
""" """
def new_f(auth_data): def new_f(auth_data):
""" The function transforming the tuples as dict """ """The function transforming the tuples as dict """
if isinstance(auth_data, dict): if isinstance(auth_data, dict):
data = auth_data data = auth_data
else: else:
@ -132,10 +131,10 @@ def authorize(data):
- If the nas is known, we apply the 802.1X if enabled, - If the nas is known, we apply the 802.1X if enabled,
- It the nas is known AND nas auth is enabled with mac address, returns - It the nas is known AND nas auth is enabled with mac address, returns
accept here""" accept here"""
# For proxified request, split # For proxified request, split
nas = data.get("NAS-IP-Address", data.get("NAS-Identifier", None)) nas = data.get("NAS-IP-Address", data.get("NAS-Identifier", None))
nas_instance = find_nas_from_request(nas) nas_instance = find_nas_from_request(nas)
# For none proxified requests # For none proxified requests
nas_type = None nas_type = None
if nas_instance: if nas_instance:
nas_type = Nas.objects.filter(nas_type=nas_instance.machine_type).first() nas_type = Nas.objects.filter(nas_type=nas_instance.machine_type).first()
@ -162,12 +161,11 @@ def authorize(data):
@radius_event @radius_event
def post_auth(data): def post_auth(data):
""" Function called after the user is authenticated """ Function called after the user is authenticated"""
"""
nas = data.get("NAS-IP-Address", data.get("NAS-Identifier", None)) nas = data.get("NAS-IP-Address", data.get("NAS-Identifier", None))
nas_instance = find_nas_from_request(nas) nas_instance = find_nas_from_request(nas)
# All non proxified requests # All non proxified requests
if not nas_instance: if not nas_instance:
logger.info("Proxified request, nas unknown") logger.info("Proxified request, nas unknown")
return radiusd.RLM_MODULE_OK return radiusd.RLM_MODULE_OK
@ -309,7 +307,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, mac_address):
- no room : Decision set in Re2o RadiusOption, - no room : Decision set in Re2o RadiusOption,
- no user in this room : Reject, - no user in this room : Reject,
- user of this room is banned or disable : Reject, - user of this room is banned or disable : Reject,
- user of this room non-contributor and not whitelisted: - user of this room non-contributor and not whitelisted:
Decision set in Re2o RadiusOption Decision set in Re2o RadiusOption
- mode common : - mode common :
- mac-address already registered: - mac-address already registered:
@ -336,7 +334,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, mac_address):
} }
# Get port from switch and port number # Get port from switch and port number
extra_log = "" extra_log = ""
# If NAS is unknown, go to default vlan # If NAS is unknown, go to default vlan
if not nas_machine: if not nas_machine:
return ( return (
"?", "?",
@ -366,7 +364,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, mac_address):
RadiusOption.get_cached_value("unknown_port") != RadiusOption.REJECT, RadiusOption.get_cached_value("unknown_port") != RadiusOption.REJECT,
RadiusOption.get_attributes("unknown_port_attributes", attributes_kwargs), RadiusOption.get_attributes("unknown_port_attributes", attributes_kwargs),
) )
# Retrieve port profile # Retrieve port profile
port_profile = port.get_port_profile port_profile = port.get_port_profile