8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-11-28 15:42:25 +00:00

Pre-subscription VLAN

This commit is contained in:
Hugo LEVY-FALK 2018-09-02 16:53:21 +02:00
parent 8ce1a6a184
commit c419c1239d
7 changed files with 314 additions and 17 deletions

View file

@ -63,6 +63,7 @@ from preferences.models import OptionalTopologie
options, created = OptionalTopologie.objects.get_or_create() options, created = OptionalTopologie.objects.get_or_create()
VLAN_NOK = options.vlan_decision_nok.vlan_id VLAN_NOK = options.vlan_decision_nok.vlan_id
VLAN_OK = options.vlan_decision_ok.vlan_id VLAN_OK = options.vlan_decision_ok.vlan_id
VLAN_NON_MEMBER = options.vlan_non_member.vlan_id
RADIUS_POLICY = options.radius_general_policy RADIUS_POLICY = options.radius_general_policy
#: Serveur radius de test (pas la prod) #: Serveur radius de test (pas la prod)
@ -338,14 +339,15 @@ def decide_vlan_switch(nas_machine, nas_type, port_number,
- mode strict : - mode strict :
- pas de chambre associée : VLAN_NOK - pas de chambre associée : VLAN_NOK
- pas d'utilisateur dans la chambre : VLAN_NOK - pas d'utilisateur dans la chambre : VLAN_NOK
- cotisation non à jour : VLAN_NOK - cotisation non à jour : VLAN_NON_MEMBER
- sinon passe à common (ci-dessous) - sinon passe à common (ci-dessous)
- mode common : - mode common :
- interface connue (macaddress): - interface connue (macaddress):
- utilisateur proprio non cotisant ou banni : VLAN_NOK - utilisateur proprio non cotisant : VLAN_NON_MEMBER
- utilisateur proprio banni : VLAN_NOK
- user à jour : VLAN_OK - user à jour : VLAN_OK
- interface inconnue : - interface inconnue :
- register mac désactivé : VLAN_NOK - register mac désactivé : VLAN_NON_MEMBER
- register mac activé -> redirection vers webauth - register mac activé -> redirection vers webauth
""" """
# Get port from switch and port number # Get port from switch and port number
@ -414,8 +416,10 @@ def decide_vlan_switch(nas_machine, nas_type, port_number,
if not room_user: if not room_user:
return (sw_name, room, u'Chambre non cotisante -> Web redirect', None, False) return (sw_name, room, u'Chambre non cotisante -> Web redirect', None, False)
for user in room_user: for user in room_user:
if not user.has_access(): if user.is_ban() or user.state != User.STATE_ACTIVE:
return (sw_name, room, u'Chambre resident desactive -> Web redirect', None, False) return (sw_name, room, u'Chambre resident desactive -> Web redirect', None, False)
elif not (user.is_connected() or user.is_whitelisted()):
return (sw_name, room, u'Utilisateur non cotisant', VLAN_NON_MEMBER)
# else: user OK, on passe à la verif MAC # else: user OK, on passe à la verif MAC
# Si on fait de l'auth par mac, on cherche l'interface via sa mac dans la bdd # Si on fait de l'auth par mac, on cherche l'interface via sa mac dans la bdd
@ -431,7 +435,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number,
# On essaye de register la mac, si l'autocapture a été activée # On essaye de register la mac, si l'autocapture a été activée
# Sinon on rejette sur vlan_nok # Sinon on rejette sur vlan_nok
if not nas_type.autocapture_mac: if not nas_type.autocapture_mac:
return (sw_name, "", u'Machine inconnue', VLAN_NOK, True) return (sw_name, "", u'Machine inconnue', VLAN_NON_MEMBER)
# On rejette pour basculer sur du webauth # On rejette pour basculer sur du webauth
else: else:
return (sw_name, room, u'Machine Inconnue -> Web redirect', None, False) return (sw_name, room, u'Machine Inconnue -> Web redirect', None, False)
@ -445,8 +449,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number,
return (sw_name, return (sw_name,
room, room,
u'Machine non active / adherent non cotisant', u'Machine non active / adherent non cotisant',
VLAN_NOK, VLAN_NON_MEMBER)
True)
## Si on choisi de placer les machines sur le vlan correspondant à leur type : ## Si on choisi de placer les machines sur le vlan correspondant à leur type :
if RADIUS_POLICY == 'MACHINE': if RADIUS_POLICY == 'MACHINE':
DECISION_VLAN = interface.type.ip_type.vlan.vlan_id DECISION_VLAN = interface.type.ip_type.vlan.vlan_id

View file

@ -0,0 +1,91 @@
# -*- coding: utf-8 -*-
# Generated by Django 1.10.7 on 2018-10-13 14:29
from __future__ import unicode_literals
from django.db import migrations, models
import django.db.models.deletion
import re2o.mixins
def create_radius_policy(apps, schema_editor):
OptionalTopologie = apps.get_model('preferences', 'OptionalTopologie')
RadiusOption = apps.get_model('preferences', 'RadiusOption')
RadiusPolicy = apps.get_model('preferences', 'RadiusPolicy')
option,_ = OptionalTopologie.objects.get_or_create()
radius_option = RadiusOption()
radius_option.radius_general_policy = option.radius_general_policy
radius_option.unknown_machine = RadiusPolicy.objects.create()
radius_option.unknown_port = RadiusPolicy.objects.create()
radius_option.unknown_room = RadiusPolicy.objects.create()
radius_option.non_member = RadiusPolicy.objects.create()
radius_option.banned = RadiusPolicy.objects.create()
radius_option.vlan_decision_ok = option.vlan_decision_ok
radius_option.save()
class Migration(migrations.Migration):
dependencies = [
('machines', '0095_auto_20180919_2225'),
('preferences', '0051_auto_20180919_2225'),
]
operations = [
migrations.CreateModel(
name='RadiusOption',
fields=[
('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
('radius_general_policy', models.CharField(choices=[('MACHINE', "On the IP range's VLAN of the machine"), ('DEFINED', "Preset in 'VLAN for machines accepted by RADIUS'")], default='DEFINED', max_length=32)),
],
options={
'verbose_name': 'radius policies',
},
bases=(re2o.mixins.AclMixin, models.Model),
),
migrations.CreateModel(
name='RadiusPolicy',
fields=[
('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
('policy', models.CharField(choices=[('REJECT', 'Reject the machine'), ('SET_VLAN', 'Place the machine on the VLAN')], default='REJECT', max_length=32)),
('vlan', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='machines.Vlan')),
],
options={
'verbose_name': 'radius policy',
},
bases=(re2o.mixins.AclMixin, models.Model),
),
migrations.AddField(
model_name='radiusoption',
name='non_member',
field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='non_member_option', to='preferences.RadiusPolicy', verbose_name='Policy non member users.'),
),
migrations.AddField(
model_name='radiusoption',
name='unknown_machine',
field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='unknown_machine_option', to='preferences.RadiusPolicy', verbose_name='Policy for unknown machines'),
),
migrations.AddField(
model_name='radiusoption',
name='unknown_port',
field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='unknown_port_option', to='preferences.RadiusPolicy', verbose_name='Policy for unknown machines'),
),
migrations.AddField(
model_name='radiusoption',
name='unknown_room',
field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='unknown_room_option', to='preferences.RadiusPolicy', verbose_name='Policy for machine connecting from unregistered room (relevant on ports with STRICT radius mode)'),
),
migrations.AddField(
model_name='radiusoption',
name='banned',
field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='banned_option', to='preferences.RadiusPolicy', verbose_name='Policy for banned users.'),
),
migrations.AddField(
model_name='radiusoption',
name='vlan_decision_ok',
field=models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, related_name='vlan_ok_option', to='machines.Vlan'),
),
migrations.RunPython(create_radius_policy),
]

View file

@ -218,6 +218,7 @@ class OptionalTopologie(AclMixin, PreferencesModel):
blank=True, blank=True,
null=True null=True
) )
switchs_web_management = models.BooleanField( switchs_web_management = models.BooleanField(
default=False, default=False,
help_text="Web management, activé si provision automatique" help_text="Web management, activé si provision automatique"
@ -309,7 +310,6 @@ class OptionalTopologie(AclMixin, PreferencesModel):
"""Return true if all settings are ok : switchs on automatic provision, """Return true if all settings are ok : switchs on automatic provision,
ip_type""" ip_type"""
return bool(self.provisioned_switchs and self.switchs_ip_type and SwitchManagementCred.objects.filter(default_switch=True).exists() and self.switchs_management_interface_ip and bool(self.switchs_provision != 'sftp' or self.switchs_management_sftp_creds)) return bool(self.provisioned_switchs and self.switchs_ip_type and SwitchManagementCred.objects.filter(default_switch=True).exists() and self.switchs_management_interface_ip and bool(self.switchs_provision != 'sftp' or self.switchs_management_sftp_creds))
class Meta: class Meta:
permissions = ( permissions = (
("view_optionaltopologie", _("Can view the topology options")), ("view_optionaltopologie", _("Can view the topology options")),
@ -588,3 +588,86 @@ class MailMessageOption(AclMixin, models.Model):
) )
verbose_name = _("email message options") verbose_name = _("email message options")
class RadiusPolicy(AclMixin, models.Model):
class Meta:
verbose_name = _('radius policy')
REJECT = 'REJECT'
SET_VLAN = 'SET_VLAN'
CHOICE_POLICY = (
(REJECT, _('Reject the machine')),
(SET_VLAN, _('Place the machine on the VLAN'))
)
policy = models.CharField(
max_length=32,
choices=CHOICE_POLICY,
default=REJECT
)
vlan = models.ForeignKey(
'machines.Vlan',
on_delete=models.PROTECT,
blank=True,
null=True
)
class RadiusOption(AclMixin, models.Model):
class Meta:
verbose_name = _("radius policies")
MACHINE = 'MACHINE'
DEFINED = 'DEFINED'
CHOICE_RADIUS = (
(MACHINE, _("On the IP range's VLAN of the machine")),
(DEFINED, _("Preset in 'VLAN for machines accepted by RADIUS'")),
)
radius_general_policy = models.CharField(
max_length=32,
choices=CHOICE_RADIUS,
default='DEFINED'
)
unknown_machine = models.ForeignKey(
RadiusPolicy,
on_delete=models.PROTECT,
verbose_name=_("Policy for unknown machines"),
related_name='unknown_machine_option',
)
unknown_port = models.ForeignKey(
RadiusPolicy,
on_delete=models.PROTECT,
verbose_name=_("Policy for unknown machines"),
related_name='unknown_port_option',
)
unknown_room = models.ForeignKey(
RadiusPolicy,
on_delete=models.PROTECT,
verbose_name=_(
"Policy for machine connecting from "
"unregistered room (relevant on ports with STRICT "
"radius mode)"
),
related_name='unknown_room_option',
)
non_member = models.ForeignKey(
RadiusPolicy,
on_delete=models.PROTECT,
verbose_name=_("Policy non member users."),
related_name='non_member_option',
)
banned = models.ForeignKey(
RadiusPolicy,
on_delete=models.PROTECT,
verbose_name=_("Policy for banned users."),
related_name='banned_option'
)
vlan_decision_ok = models.OneToOneField(
'machines.Vlan',
on_delete=models.PROTECT,
related_name='vlan_ok_option',
blank=True,
null=True
)

View file

@ -0,0 +1,96 @@
{% comment %}
Re2o est un logiciel d'administration développé initiallement au rezometz. Il
se veut agnostique au réseau considéré, de manière à être installable en
quelques clics.
Copyright © 2018 Hugo Levy-Falk
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
{% endcomment %}
{% load i18n %}
{% load acl %}
{% load logs_extra %}
<table>
<tr>
<th>{% trans "General policy for VLAN setting" %}</th>
<td>{{ radiusoptions.radius_general_policy }}</td>
<td>{% trans "This setting defines the VLAN policy after acceptance by RADIUS: either on the IP range's VLAN of the machine, or a VLAN preset in 'VLAN for machines accepted by RADIUS'" %}</td>
</tr>
<tr>
<th>{% trans "VLAN for machines accepted by RADIUS" %}</th>
<td>{{ radiusoptions.vlan_decision_ok }}</td>
</tr>
</table>
<hr/>
<table class="table table-striped">
<thead>
<tr>
<th>{% trans "Situation" %}</th>
<th>{% trans "Behavior" %}</th>
</tr>
</thead>
<tr>
<th>{% trans "Unknown machine" %}</th>
<td>
{% if radiusoptions.unknown_machine.policy == 'REJECT' %}
<span class="label label-danger">{% trans "Reject" %}</span>
{% else %}
<span class="label label-success">Vlan {{ radiusoptions.unknown_machine.vlan }}</span>
{% endif %}
</td>
</tr>
<tr>
<th>{% trans "Unknown port" %}</th>
<td>
{% if radiusoptions.unknown_port.policy == 'REJECT' %}
<span class="label label-danger">{% trans "Reject" %}</span>
{% else %}
<span class="label label-success">Vlan {{ radiusoptions.unknown_port.vlan }}</span>
{% endif %}
</td>
</tr>
<tr>
<th>{% trans "Unknown room" %}</th>
<td>
{% if radiusoptions.unknown_room.policy == 'REJECT' %}
<span class="label label-danger">{% trans "Reject" %}</span>
{% else %}
<span class="label label-success">Vlan {{ radiusoptions.unknown_room.vlan }}</span>
{% endif %}
</td>
</tr>
<tr>
<th>{% trans "Non member" %}</th>
<td>
{% if radiusoptions.non_member.policy == 'REJECT' %}
<span class="label label-danger">{% trans "Reject" %}</span>
{% else %}
<span class="label label-success">Vlan {{ radiusoptions.non_member.vlan }}</span>
{% endif %}
</td>
</tr>
<tr>
<th>{% trans "Banned user" %}</th>
<td>
{% if radiusoptions.unknown_port.policy == 'REJECT' %}
<span class="label label-danger">{% trans "Reject" %}</span>
{% else %}
<span class="label label-success">Vlan {{ radiusoptions.banned.vlan }}</span>
{% endif %}
</td>
</tr>
</table>

View file

@ -133,8 +133,8 @@ with this program; if not, write to the Free Software Foundation, Inc.,
<td>{{ topologieoptions.vlan_decision_nok }}</td> <td>{{ topologieoptions.vlan_decision_nok }}</td>
</tr> </tr>
<tr> <tr>
<th>Placement sur ce vlan par default en cas de rejet</th> <th>{% trans "VLAN for non members machines" %}</th>
<td>{{ topologieoptions.vlan_decision_nok }}</td> <td>{{ topologieoptions.vlan_non_member }}</td>
</tr> </tr>
</table> </table>
@ -195,6 +195,22 @@ with this program; if not, write to the Free Software Foundation, Inc.,
<h5>{% if topologieoptions.provisioned_switchs %}<span class="label label-success">Provision de la config des switchs{% else %}<span class="label label-danger">Provision de la config des switchs{% endif%}</span></h5>
<table class="table table-striped">
<tr>
<th>Switchs configurés automatiquement</th>
<td>{{ topologieoptions.provisioned_switchs|join:", " }}</td>
</tr>
</table>
<h4>{% trans "Radius preferences" %}</h4>
<a class="btn btn-primary btn-sm" role="button" href="{% url 'preferences:edit-options' 'RadiusOption' %}">
<i class="fa fa-edit"></i>
{% trans "Edit" %}
</a>
{% include "preferences/aff_radiusoptions.html" %}
<h4>{% trans "General preferences" %}</h4> <h4>{% trans "General preferences" %}</h4>
<a class="btn btn-primary btn-sm" role="button" href="{% url 'preferences:edit-options' 'GeneralOption' %}"> <a class="btn btn-primary btn-sm" role="button" href="{% url 'preferences:edit-options' 'GeneralOption' %}">
<i class="fa fa-edit"></i> <i class="fa fa-edit"></i>

View file

@ -66,6 +66,11 @@ urlpatterns = [
views.edit_options, views.edit_options,
name='edit-options' name='edit-options'
), ),
url(
r'^edit_options/(?P<section>RadiusOption)$',
views.edit_options,
name='edit-options'
),
url(r'^add_service/$', views.add_service, name='add-service'), url(r'^add_service/$', views.add_service, name='add-service'),
url( url(
r'^edit_service/(?P<serviceid>[0-9]+)$', r'^edit_service/(?P<serviceid>[0-9]+)$',

View file

@ -62,7 +62,8 @@ from .models import (
HomeOption, HomeOption,
Reminder, Reminder,
RadiusKey, RadiusKey,
SwitchManagementCred SwitchManagementCred,
RadiusOption,
) )
from . import models from . import models
from . import forms from . import forms
@ -86,6 +87,7 @@ def display_options(request):
reminder_list = Reminder.objects.all() reminder_list = Reminder.objects.all()
radiuskey_list = RadiusKey.objects.all() radiuskey_list = RadiusKey.objects.all()
switchmanagementcred_list = SwitchManagementCred.objects.all() switchmanagementcred_list = SwitchManagementCred.objects.all()
radiusoptions, _ = RadiusOption.objects.get_or_create()
return form({ return form({
'useroptions': useroptions, 'useroptions': useroptions,
'machineoptions': machineoptions, 'machineoptions': machineoptions,
@ -99,6 +101,7 @@ def display_options(request):
'reminder_list': reminder_list, 'reminder_list': reminder_list,
'radiuskey_list' : radiuskey_list, 'radiuskey_list' : radiuskey_list,
'switchmanagementcred_list': switchmanagementcred_list, 'switchmanagementcred_list': switchmanagementcred_list,
'radiusoptions' : radiusoptions,
}, 'preferences/display_preferences.html', request) }, 'preferences/display_preferences.html', request)