
disallow user without perm to see instance edit/view/change it #28

Roberto Berto 5 năm trước cách đây
mục cha
commit
3135de28dd

+ 1 - 1
vycontrol/accounts/templates/registration/login.html

@@ -17,7 +17,7 @@
 {% if next %}
     {% if user.is_authenticated %}
     <p>Your account doesn't have access to this page. To proceed,
-    please login with an account that has access.</p>
+    please login with an account that has access. Or <a href="/">login to start page</a>.</p>
     {% else %}
     <p>Please login to see this page.</p>
     {% endif %}

+ 0 - 35
vycontrol/accounts/templates/vauth/oldlogin.html

@@ -1,35 +0,0 @@
-{% extends "base.html" %}
-
-{% block header_title %}VyControl Login{% endblock %}
-{% block section_title %}VyControl Login{% endblock %}
-
-{% block debug %}
-{% endblock %}
-
-{% block content %}
-
-
-{% if error_message %}<p><strong>{{ error_message }}</strong></p>{% endif %}
-
-<form action="{% url 'vauth:vauth-login' %}" method="post">
-{% csrf_token %}
-
-<p>
-<label for="username">Username</label><br>
-<input type="text" name="username" id="username" size="20">
-</p>
-
-<p>
-<label for="password">password</label><br>
-<input type="password" name="password" id="password"  size="32">
-</p>
-
-<input type="submit" value="Login">
-</form>
-
-
-
-
-
-{% endblock %}
-

+ 1 - 0
vycontrol/config/templates/config/group_add.html

@@ -2,6 +2,7 @@
 
 {% block header_title %}Add new group{% endblock %}
 {% block section_title %}Add new group{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block content %}
 

+ 1 - 0
vycontrol/config/templates/config/groups_list.html

@@ -8,6 +8,7 @@
 
 {% block header_title %}Manage groups{% endblock %}
 {% block section_title %}Manage groups{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block content %}
 

+ 1 - 0
vycontrol/config/templates/config/instance_add.html

@@ -3,6 +3,7 @@
 
 {% block header_title %}Add new instance{% endblock %}
 {% block section_title %}Add new instance{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block content %}
 

+ 1 - 0
vycontrol/config/templates/config/instance_conntry.html

@@ -2,6 +2,7 @@
 
 {% block header_title %}List instances{% endblock %}
 {% block section_title %}List instances{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block content %}
 

+ 9 - 2
vycontrol/config/templates/config/instances.html

@@ -2,6 +2,7 @@
 
 {% block header_title %}List instances{% endblock %}
 {% block section_title %}List instances{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block debug %}
     {% for instance in instances %}
@@ -23,7 +24,7 @@
         <th>test connection</th>
         <th>default</th>
         <th>group access</th>
-        <th>remove</th>
+        {% if is_superuser %}<th>remove</th>{% endif %}
     </tr>
 
     {% for instance in instances %}
@@ -35,6 +36,7 @@
         <td>{{ instance.https }}</td>
         <td><a href="{% url 'config:instance-conntry' instance.hostname %}">test</a></td>
         <td>{% if instance.main == True %}default{% else %}<a href="{% url 'config:instance-change' instance.hostname %}">set default</a>{% endif %}</td>
+        {%if is_superuser %}
         <td><form action="{% url 'config:instance-changegroup' instance.hostname %}" method="post">
             {% csrf_token %}
 
@@ -47,7 +49,12 @@
             </select>
         </form>
         </td>
-        <td>{% if instance.main == True %}-{% else %}<a href="{% url 'config:instance-remove' instance.hostname %}">remove</a>{% endif %}</td>
+        {% else %}
+        <td>{{ instance.group }}</td>
+        {% endif %}
+        {% if is_superuser %}
+            <td>{% if instance.main == True %}-{% else %}<a href="{% url 'config:instance-remove' instance.hostname %}">remove</a>{% endif %}</td>
+        {% endif %}
     </tr>
 
     {% endfor %}
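Review bot: The new `{%if is_superuser %}` tag that opens the per-row group-access cell has no space after `{%`, unlike every other tag in this file; Django parses it, but it reads as a typo and should be `{% if is_superuser %}` for consistency with the `{% else %}`/`{% endif %}` that close it. The `is_superuser` flag in this template only decides what is displayed; the authorization for the remove and changegroup actions is the `@perms.is_superuser` decorator on the corresponding views in config/views.py, so a short template comment would help the next reader: `{# is_superuser only controls display; access is enforced by the view decorators #}`.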

+ 1 - 0
vycontrol/config/templates/config/user_add.html

@@ -2,6 +2,7 @@
 
 {% block header_title %}Add new user{% endblock %}
 {% block section_title %}Add new user{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block content %}
 

+ 1 - 0
vycontrol/config/templates/config/users_list.html

@@ -9,6 +9,7 @@
 
 {% block header_title %}List users{% endblock %}
 {% block section_title %}List users{% endblock %}
+{% block username %}{{ username }}{% endblock %}
 
 {% block content %}
 

+ 49 - 7
vycontrol/config/views.py

@@ -18,6 +18,7 @@ from django.template.defaultfilters import register
 
 
 from perms import is_authenticated
+import perms
 
 
 @register.filter
@@ -26,7 +27,9 @@ def get_item(dictionary, key):
 
 @is_authenticated
 def index(request):
-       
+
+    is_superuser = perms.get_is_superuser(request.user)
+ 
     #interfaces = vyos.get_interfaces()
     all_instances = vyos.instance_getall()
     for instance in all_instances:
@@ -41,12 +44,17 @@ def index(request):
         #'interfaces': interfaces,
         'instances': all_instances,
         'hostname_default': hostname_default,
+        'username': request.user,
+        'is_superuser' : is_superuser,
     }   
     return HttpResponse(template.render(context, request))
 
+@perms.is_superuser
 @is_authenticated
 def users_list(request):
-       
+    is_superuser = perms.get_is_superuser(request.user)
+
+
     #interfaces = vyos.get_interfaces()
     all_instances = vyos.instance_getall()
     hostname_default = vyos.get_hostname_prefered(request)
@@ -120,12 +128,17 @@ def users_list(request):
         'hostname_default': hostname_default,
         'users' : users,
         'groups': group_show,
-        'user_groups': user_groups
+        'user_groups': user_groups,
+        'username': request.user,
+        'is_superuser' : is_superuser,
     }   
     return HttpResponse(template.render(context, request))
 
+@perms.is_superuser
 @is_authenticated
 def groups_list(request):
+    is_superuser = perms.get_is_superuser(request.user)
+
     #interfaces = vyos.get_interfaces()
     all_instances = vyos.instance_getall()
     hostname_default = vyos.get_hostname_prefered(request)
@@ -138,14 +151,18 @@ def groups_list(request):
         'instances': all_instances,
         'hostname_default': hostname_default,
         'groups' : groups,
+        'username': request.user,
+        'is_superuser' : is_superuser,
     }   
     return HttpResponse(template.render(context, request))
 
 @is_authenticated
 def instances(request):
+    is_superuser = perms.get_is_superuser(request.user)
         
-    all_instances = vyos.instance_getall()
+    all_instances = perms.instance_getall_by_group(request)
     hostname_default = vyos.get_hostname_prefered(request)
+    is_superuser = perms.get_is_superuser(request.user)
 
     print(all_instances)
 
@@ -166,11 +183,15 @@ def instances(request):
         'instances': all_instances,
         'hostname_default': hostname_default,
         'groups' : groups,
+        'username': request.user,
+        'is_superuser' : is_superuser,
     }   
     return HttpResponse(template.render(context, request))
 
+@perms.is_superuser
 @is_authenticated
 def instance_add(request):
+    is_superuser = perms.get_is_superuser(request.user)
         
     #interfaces = vyos.get_interfaces()
     all_instances = vyos.instance_getall()
@@ -196,11 +217,15 @@ def instance_add(request):
         'hostname_default': hostname_default,
         'instance_id': instance_id,
         'instances': all_instances,
+        'username': request.user,
+        'is_superuser' : is_superuser,
     }   
     return HttpResponse(template.render(context, request))
 
+@perms.is_superuser
 @is_authenticated
 def group_add(request):
+    is_superuser = perms.get_is_superuser(request.user)
         
     #interfaces = vyos.get_interfaces()
     all_instances = vyos.instance_getall()
@@ -224,13 +249,17 @@ def group_add(request):
         'hostname_default': hostname_default,
         'instance_id': instance_id,
         'instances': all_instances,
-        'error_message' : error_message
-    }   
+        'error_message' : error_message,
+        'username': request.user,
+        'is_superuser' : is_superuser,
+    }
     return HttpResponse(template.render(context, request)) 
 
+@perms.is_superuser
 @is_authenticated    
 def user_add(request):
-        
+    is_superuser = perms.get_is_superuser(request.user)
+
     #interfaces = vyos.get_interfaces()
     all_instances = vyos.instance_getall()
     hostname_default = vyos.get_hostname_prefered(request)
@@ -282,16 +311,22 @@ def user_add(request):
         'username' : username,
         'password' : password,
         'email' : email,
+        'username': request.user,
+        'is_superuser' : is_superuser,
 
     }   
     return HttpResponse(template.render(context, request))    
 
 @is_authenticated
 def instance_conntry(request, hostname):
+    is_superuser = perms.get_is_superuser(request.user)
        
     all_instances = vyos.instance_getall()
     hostname_default = vyos.get_hostname_prefered(request)
 
+    if perms.user_has_hostname_access(request.user, hostname) == False:
+        return redirect('config:instances')
+
     # permcheck
     instance = Instance.objects.get(hostname=hostname)
     connected = vyos.conntry(hostname)
@@ -305,6 +340,8 @@ def instance_conntry(request, hostname):
         "connected": connected,
         'instances': all_instances,
         'hostname_default': hostname_default,
+        'username': request.user,
+        'is_superuser' : is_superuser,
     }   
     return HttpResponse(template.render(context, request))
 
@@ -324,6 +361,9 @@ def instance_change(request, hostname = False):
  
     # permcheck
     if hostname != False:
+        if perms.user_has_hostname_access(request.user, hostname) == False:
+            return redirect('config:instances')
+
         try:
             instance = Instance.objects.get(hostname=hostname)
         except Instance.DoesNotExist:
@@ -340,6 +380,7 @@ def instance_change(request, hostname = False):
 
     return redirect('config:instances')    
 
+@perms.is_superuser
 @is_authenticated
 def instance_remove(request, hostname):
         
@@ -355,6 +396,7 @@ def instance_remove(request, hostname):
 
     return redirect('config:instances')
 
+@perms.is_superuser
 @is_authenticated
 def instance_changegroup(request, hostname):
        
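Review bot: In `user_add` the context dict now contains two `'username'` keys — the existing `'username' : username` (the value submitted in the form) and the added `'username': request.user` — and the later key wins, so the template no longer sees the entered username; rename the new key (and update `user_add.html`'s `{% block username %}`) or drop it from this view. `instance_conntry` gains the `user_has_hostname_access` check but still builds `all_instances = vyos.instance_getall()`, so a non-superuser's rendered instance list contains every instance, unlike `instances`, which now uses `perms.instance_getall_by_group(request)`; `index` has the same gap. `@perms.is_superuser` is stacked above `@is_authenticated`, so the superuser wrapper runs first and an anonymous request is logged out and redirected without the `?next=` that `is_authenticated` adds; placing `@is_authenticated` outermost keeps the authentication check first. In `instances`, `is_superuser = perms.get_is_superuser(request.user)` is computed twice, once before and once after `all_instances`. The bodies of several of these views continue outside the hunks.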

+ 2 - 0
vycontrol/firewall/templates/firewall/list.html

@@ -2,6 +2,8 @@
 
 {% block header_title %}Firewall List{% endblock %}
 {% block section_title %}Firewall List{% endblock %}
+{% block username %}{{ username }}{% endblock %}
+
 
 {% block debug %}
 {{ firewall_all }}

+ 2 - 3
vycontrol/firewall/views.py

@@ -12,12 +12,10 @@ from perms import is_authenticated
 
 
 
-@timer
 @is_authenticated
 def index(request):
-       
     #interfaces = vyos.get_interfaces()
-    all_instances = vyos.instance_getall()
+    all_instances = vyos.instance_getall_by_group(request)
     hostname_default = vyos.get_hostname_prefered(request)
 
 
@@ -37,6 +35,7 @@ def index(request):
         'instances': all_instances,
         'hostname_default': hostname_default,
         'firewall_all':  firewall_all,
+        'username': request.user,
     }   
     return HttpResponse(template.render(context, request))
 
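Review bot: The context in `index` adds `'username'` but not `'is_superuser'`, while base.html in this same commit wraps the Manage-VyControl menu entries in `{% if is_superuser %}`, so a superuser on the firewall page loses those links; add `'is_superuser': get_is_superuser(request.user),` with `from perms import get_is_superuser` next to the existing `is_authenticated` import. `static/views.py` (`static_list` and `static_add`) has the same gap. `vyos.instance_getall_by_group(request)` returns `None` for a user without a group (see perms.py), which a template `{% for %}` tolerates but any `len()` or indexing on `all_instances` in the part of `index` outside this hunk would not; an empty queryset would be the safer return value. The body of `index` continues outside the hunk.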

+ 158 - 1
vycontrol/perms.py

@@ -4,6 +4,9 @@ from django.shortcuts import redirect
 from django.urls import reverse
 
 from config.models import Instance
+from django.contrib.auth.models import Group
+from django.contrib.auth.models import User
+from django.contrib import auth
 
 import vyos
 
@@ -13,10 +16,164 @@ def is_authenticated(func):
         request = args[0]
         if not request.user.is_authenticated:
            return redirect('%s?next=%s' % (reverse('registration-login'), request.path))
+           #return redirect('registration-login')
 
         hostname_default = vyos.get_hostname_prefered(request)
 
 
         value = func(*args, **kwargs)
         return value
-    return wrapper_perm
+    return wrapper_perm
+
+
+def is_superuser(func):
+    @functools.wraps(func)
+    def wrapper_perm(*args, **kwargs):
+        request = args[0]
+
+        # get username    
+        username = request.user
+                
+        # check if username is admin
+        useradmin = User.objects.filter(
+            username=username,
+            is_active=True,
+            is_superuser=True
+        )
+        is_admin = False
+        if useradmin.count() > 0:
+            is_admin = True
+
+        if is_admin == False:
+            auth.logout(request)
+            return redirect('registration-login')
+
+        value = func(*args, **kwargs)
+        return value
+    return wrapper_perm
+
+def get_is_superuser(username):
+    # check if username is admin
+    useradmin = User.objects.filter(
+        username=username,
+        is_active=True,
+        is_superuser=True
+    )
+    is_admin = False
+    if useradmin.count() > 0:
+        is_admin = True
+    return is_admin    
+
+def instance_getall_by_group(request):
+     # get username    
+    username = request.user
+
+    # check if username is admin
+    useradmin = User.objects.filter(
+        username=username,
+        is_active=True,
+        is_superuser=True
+    )
+    is_admin = False
+    if useradmin.count() > 0:
+        is_admin = True
+
+
+
+    if is_admin:
+        instances = Instance.objects.all()
+        return instances
+    else:
+        # get usergroup - VyControl groups is one to one
+        try:
+            usergroup = Group.objects.get(user=username)
+        except Group.DoesNotExist:
+            return None
+                    
+        try:
+            instances = Instance.objects.filter(group=usergroup)
+            return instances
+        except Instance.DoesNotExist:
+            pass
+
+    return None
+
+
+
+def instance_getall():
+    instances = Instance.objects.all()
+    return instances
+
+def user_has_hostname_access(username, hostname):
+    # superuser has access too all hostnames
+    if get_is_superuser(username) == True:
+        return True
+
+    # get usergroup - VyControl groups is one to one
+    try:
+        usergroup = Group.objects.get(user=username)
+    except Group.DoesNotExist:
+        # if user has no group return false because only groups has access to instances
+        return False
+
+    try:
+        instance = Instance.objects.get(hostname=hostname, group=usergroup)
+        if instance.count() == 1:
+            return True
+    except Instance.DoesNotExist:
+        return False
+
+    return False
+
+
+def get_hostname_prefered(request):
+    # get username    
+    username = request.user
+    hostname = None
+
+    # get usergroup - VyControl groups is one to one
+    try:
+        usergroup = Group.objects.get(user=username)
+    except Group.DoesNotExist:
+        usergroup = None
+
+    # check if username is admin
+    useradmin = User.objects.filter(
+        username=username,
+        is_active=True,
+        is_superuser=True
+    )
+    is_admin = False
+    if useradmin.count() > 0:
+        is_admin = True
+
+    # get session hostname and validate if group has permission
+    if request.session.get('hostname', None) != None and usergroup != None:
+        hostname = request.session.get('hostname', None)
+        try:
+            instance = Instance.objects.get(hostname=hostname, group=usergroup)
+            return instance.hostname
+        except Instance.DoesNotExist:
+            pass
+
+    # if we have no hostname yet try to get the default one from database
+    if hostname == None:
+        try:
+            instance = Instance.objects.get(main=True, group=usergroup)
+            request.session['hostname'] = instance.hostname
+            return instance.hostname
+        except Instance.DoesNotExist:
+            pass
+
+        # if superuser get any instance
+        if is_admin:
+            try:
+                instance = Instance.objects.all()
+                for i in instance:
+                    request.session['hostname'] = i.hostname
+                    return i.hostname
+
+
+            except Instance.DoesNotExist:
+                pass
+    return None
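Review bot: `user_has_hostname_access` calls `Instance.objects.get(hostname=hostname, group=usergroup)` and then `instance.count()`; `get()` returns a single model instance, which has no `count()`, so a non-superuser whose group does own the hostname gets an `AttributeError` (a 500) rather than `True` — the check fails closed only by accident. Replace that `try` block with `return Instance.objects.filter(hostname=hostname, group=usergroup).exists()`. The superuser checks in `is_superuser`, `get_is_superuser` and `instance_getall_by_group` each re-query `User` with `username=request.user`, relying on the user object being coerced to its username string; `request.user.is_active and request.user.is_superuser` reads the already-loaded user and avoids both the query and the coercion. `Group.objects.get(user=username)` raises `MultipleObjectsReturned` if a user belongs to more than one group, which the comments assume cannot happen but nothing enforces; handling it alongside `DoesNotExist` (or using `.filter(...).first()`) makes the one-to-one assumption explicit. In the `is_superuser` decorator, `auth.logout(request)` on an authorization failure destroys the session of a legitimately authenticated user; raising `PermissionDenied` (a 403) is the Django convention and keeps the session intact.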

+ 6 - 1
vycontrol/s/main.css

@@ -32,7 +32,7 @@ body {
 }
 
 #menu-logotop a {
-  color: #af1d1d;
+  color:#af1d1d ;
 }
 
 #menu-topline {
@@ -140,3 +140,8 @@ input[type=submit] {
 }
 
 
+
+#menu-username {
+  margin-right: 10px;
+  color:#af1d1d ;
+}

+ 12 - 2
vycontrol/static/templates/static/add.html

@@ -1,7 +1,9 @@
-{% extends "base.html" %}
+{% extends "base.html"%}
 
 {% block header_title %}Static Routes{% endblock %}
 {% block section_title %}Static Routes{% endblock %}
+{% block username %}{{ username }}{% endblock %}
+
 
 {% block debug %}
 {{ static_list }}
@@ -9,12 +11,20 @@
 
 {% block content %}
 
+<p class="submenu1">
+    <a href="{% url 'static:static-list' %}">List static routes</a>
+</p>
+<p class="submenu2">
+    
+</p>
+
+
 {% if error_message %}<p><strong>{{ error_message }}</strong></p>{% endif %}
 
 
 <h2>Create new static route</h2>
 
-<form action="{% url 'static:static-add  %}" method="post">
+<form action="{% url 'static:static-add'  %}" method="post">
     {% csrf_token %}
     
     <p>

+ 7 - 2
vycontrol/static/templates/static/list.html

@@ -4,6 +4,8 @@
 
 {% block header_title %}Static Routes{% endblock %}
 {% block section_title %}Static Routes{% endblock %}
+{% block username %}{{ username }}{% endblock %}
+
 
 {% block debug %}
 {{ static_list }}
@@ -12,10 +14,13 @@
 {% block content %}
 
 
-
-<p class="margin-topbottom">
+<p class="submenu1">
     <a href="{% url 'static:static-add' %}">Create new static route</a>
 </p>
+<p class="submenu2">
+    
+</p>
+
 
 
 {% if static_list %}

+ 3 - 1
vycontrol/static/views.py

@@ -26,7 +26,8 @@ def static_list(request):
     context = { 
         'instances': all_instances,
         'hostname_default': hostname_default,
-        'static_list' : static_list
+        'static_list' : static_list,
+        'username': request.user,
     }   
     return HttpResponse(template.render(context, request))
 
@@ -57,6 +58,7 @@ def static_add(request):
         'hostname_default': hostname_default,
         'static_list' : static_list,
         'error_message' : error_message,
+        'username': request.user,
     }   
     return HttpResponse(template.render(context, request))
 

+ 7 - 7
vycontrol/vycenter/templates/base.html

@@ -8,7 +8,7 @@
 
     <!-- Bootstrap CSS -->
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
-    <link rel="stylesheet" href="{% static "main.css" %}?16">
+    <link rel="stylesheet" href="{% static "main.css" %}?17">
     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
 
     <title>{% block header_title %}{% endblock %} - VyControl</title>
@@ -39,7 +39,7 @@
               </select>
             
 
-              <span id="vycenter-config-menu"><a href="{% url 'registration-logout' %}">Logout</a></span>
+              <span id="menu-username">{% block username %}{% endblock %}</span> <span id="vycenter-config-menu"> <a href="{% url 'registration-logout' %}">Logout</a></span>
 
 
           </p>
@@ -107,12 +107,12 @@
 
     <h2>Manage VyControl</h2>
     <ul>
-    <li><a href="{% url 'config:instance-add' %}">Add new instance</a></li>
+      {% if is_superuser %}<li><a href="{% url 'config:instance-add' %}">Add new instance</a></li>{% endif %}
     <li><a href="{% url 'config:instances' %}">List instances</a></li>
-    <li><a href="{% url 'config:users-list' %}">List users</a></li>
-    <li><a href="{% url 'config:user-add' %}">Add new user</a></li>
-    <li><a href="{% url 'config:groups-list' %}">List groups</a></li>
-    <li><a href="{% url 'config:group-add' %}">Add new group</a></li>
+    {% if is_superuser %}<li><a href="{% url 'config:users-list' %}">List users</a></li>{% endif %}
+    {% if is_superuser %}<li><a href="{% url 'config:user-add' %}">Add new user</a></li>{% endif %}
+    {% if is_superuser %}<li><a href="{% url 'config:groups-list' %}">List groups</a></li>{% endif %}
+    {% if is_superuser %}<li><a href="{% url 'config:group-add' %}">Add new group</a></li>{% endif %}
 
   </ul>
 
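Review bot: Every child template now has to override `{% block username %}` and every view has to put `is_superuser` into its context, and the firewall and static views in this commit already omit the flag, so the menu is rendered inconsistently across pages. If `django.contrib.auth.context_processors.auth` is enabled (it is in the default `TEMPLATES` setting), `{{ user }}` and `{% if user.is_superuser %}` are available in every template rendered with a request and would remove the per-view plumbing. Hiding the menu entries only affects display; the views behind them carry `@perms.is_superuser`, which is where the control actually is — a comment such as `{# menu visibility only; authorization is enforced by the view decorators #}` would make that explicit.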

+ 1 - 1
vycontrol/vycenter/urls.py

@@ -32,7 +32,7 @@ from django.contrib.auth import views as auth_views
 app_name = 'vycenter'
 
 urlpatterns = [
-    path('', include('accounts.urls')),
+    path('', include('accounts.urls'), name="main-page"),
     path('config/', include('config.urls')),
     path('dashboard/', include('dashboard.urls')),
     #path('', views.vycenter_login, name='vycenter-login'),
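Review bot: `name="main-page"` on a `path()` whose target is an `include()` has no effect — Django builds a `URLResolver` for includes and only `URLPattern` carries a name — so `reverse('main-page')` would raise `NoReverseMatch`, which is presumably why login.html in this commit links to a hard-coded `href="/"`. If a named route to the start page is wanted, name the concrete pattern inside `accounts.urls` (or give the include a namespace and reverse `namespace:name`).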

+ 14 - 54
vycontrol/vyos.py

@@ -7,58 +7,17 @@ from config.models import Instance
 from django.contrib.auth.models import Group
 from django.contrib.auth.models import User
 
-def get_hostname_prefered(request):
-    # get username    
-    username = request.user
-    hostname = None
 
-    # get usergroup - VyControl groups is one to one
-    try:
-        usergroup = Group.objects.get(user=username)
-    except Group.DoesNotExist:
-        usergroup = None
-
-    # check if username is admin
-    useradmin = User.objects.filter(
-        username=username,
-        is_active=True,
-        is_superuser=True
-    )
-    is_admin = False
-    if useradmin.count() > 0:
-        is_admin = True
-
-    # get session hostname and validate if group has permission
-    if request.session.get('hostname', None) != None and usergroup != None:
-        hostname = request.session.get('hostname', None)
-        try:
-            instance = Instance.objects.get(hostname=hostname, group=usergroup)
-            return instance.hostname
-        except Instance.DoesNotExist:
-            pass
-
-    # if we have no hostname yet try to get the default one from database
-    if hostname == None:
-        try:
-            instance = Instance.objects.get(main=True, group=usergroup)
-            request.session['hostname'] = instance.hostname
-            return instance.hostname
-        except Instance.DoesNotExist:
-            pass
-
-
-        # if superuser get any instance
-        if is_admin:
-            try:
-                instance = Instance.objects.all()
-                for i in instance:
-                    request.session['hostname'] = i.hostname
-                    return i.hostname
-
-
-            except Instance.DoesNotExist:
-                pass
-    return None
+import perms
+
+def instance_getall(*args, **kwargs):
+    return perms.instance_getall(*args, **kwargs)
+
+def get_hostname_prefered(*args, **kwargs):
+    return perms.get_hostname_prefered(*args, **kwargs)
+
+def instance_getall_by_group(*args, **kwargs):
+    return perms.instance_getall_by_group(*args, **kwargs)
 
 
 
@@ -176,9 +135,10 @@ def conntry(hostname):
 
     return False
 
-def instance_getall():
-    instances = Instance.objects.all()
-    return instances
+
+
+
+
 
 def get_firewall_all(hostname):
     cmd = {"op": "showConfig", "path": ["firewall"]}
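Review bot: `vyos.py` now does `import perms` while `perms.py` does `import vyos`, a circular import that works only because both use plain module imports and resolve attributes at call time; a `from perms import ...` in either file would fail at import. A comment on the shim would spare the next reader: `# Compatibility wrappers: the permission-aware implementations moved to perms.py; keep the plain "import perms" form to avoid a circular-import failure.` The `Group` and `User` imports above the wrappers appear unused now that `get_hostname_prefered` has moved out; confirm against the rest of the file and drop them if so. The delegating `*args, **kwargs` wrappers give callers no signature to check against; if they are meant to stay, a one-line docstring on each naming the `perms` function it forwards to would document the intended interface.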