diff --git a/freeradius_utils/auth.py b/freeradius_utils/auth.py index ab10d457..9bd56015 100644 --- a/freeradius_utils/auth.py +++ b/freeradius_utils/auth.py @@ -63,6 +63,7 @@ from preferences.models import OptionalTopologie options, created = OptionalTopologie.objects.get_or_create() VLAN_NOK = options.vlan_decision_nok.vlan_id VLAN_OK = options.vlan_decision_ok.vlan_id +VLAN_NON_MEMBER = options.vlan_non_member.vlan_id RADIUS_POLICY = options.radius_general_policy #: Serveur radius de test (pas la prod) @@ -338,14 +339,15 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, - mode strict : - pas de chambre associée : VLAN_NOK - pas d'utilisateur dans la chambre : VLAN_NOK - - cotisation non à jour : VLAN_NOK + - cotisation non à jour : VLAN_NON_MEMBER - sinon passe à common (ci-dessous) - mode common : - interface connue (macaddress): - - utilisateur proprio non cotisant ou banni : VLAN_NOK + - utilisateur proprio non cotisant : VLAN_NON_MEMBER + - utilisateur proprio banni : VLAN_NOK - user à jour : VLAN_OK - interface inconnue : - - register mac désactivé : VLAN_NOK + - register mac désactivé : VLAN_NON_MEMBER - register mac activé -> redirection vers webauth """ # Get port from switch and port number @@ -414,8 +416,10 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, if not room_user: return (sw_name, room, u'Chambre non cotisante -> Web redirect', None, False) for user in room_user: - if not user.has_access(): + if user.is_ban() or user.state != User.STATE_ACTIVE: return (sw_name, room, u'Chambre resident desactive -> Web redirect', None, False) + elif not (user.is_connected() or user.is_whitelisted()): + return (sw_name, room, u'Utilisateur non cotisant', VLAN_NON_MEMBER) # else: user OK, on passe à la verif MAC # Si on fait de l'auth par mac, on cherche l'interface via sa mac dans la bdd @@ -431,7 +435,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, # On essaye de register la mac, si l'autocapture a été activée # Sinon on rejette sur vlan_nok if not nas_type.autocapture_mac: - return (sw_name, "", u'Machine inconnue', VLAN_NOK, True) + return (sw_name, "", u'Machine inconnue', VLAN_NON_MEMBER) # On rejette pour basculer sur du webauth else: return (sw_name, room, u'Machine Inconnue -> Web redirect', None, False) @@ -445,8 +449,7 @@ def decide_vlan_switch(nas_machine, nas_type, port_number, return (sw_name, room, u'Machine non active / adherent non cotisant', - VLAN_NOK, - True) + VLAN_NON_MEMBER) ## Si on choisi de placer les machines sur le vlan correspondant à leur type : if RADIUS_POLICY == 'MACHINE': DECISION_VLAN = interface.type.ip_type.vlan.vlan_id diff --git a/preferences/migrations/0052_auto_20181013_1629.py b/preferences/migrations/0052_auto_20181013_1629.py new file mode 100644 index 00000000..70498536 --- /dev/null +++ b/preferences/migrations/0052_auto_20181013_1629.py @@ -0,0 +1,91 @@ +# -*- coding: utf-8 -*- +# Generated by Django 1.10.7 on 2018-10-13 14:29 +from __future__ import unicode_literals + +from django.db import migrations, models +import django.db.models.deletion +import re2o.mixins + + +def create_radius_policy(apps, schema_editor): + OptionalTopologie = apps.get_model('preferences', 'OptionalTopologie') + RadiusOption = apps.get_model('preferences', 'RadiusOption') + RadiusPolicy = apps.get_model('preferences', 'RadiusPolicy') + + option,_ = OptionalTopologie.objects.get_or_create() + + radius_option = RadiusOption() + radius_option.radius_general_policy = option.radius_general_policy + radius_option.unknown_machine = RadiusPolicy.objects.create() + radius_option.unknown_port = RadiusPolicy.objects.create() + radius_option.unknown_room = RadiusPolicy.objects.create() + radius_option.non_member = RadiusPolicy.objects.create() + radius_option.banned = RadiusPolicy.objects.create() + radius_option.vlan_decision_ok = option.vlan_decision_ok + + radius_option.save() + + +class Migration(migrations.Migration): + + dependencies = [ + ('machines', '0095_auto_20180919_2225'), + ('preferences', '0051_auto_20180919_2225'), + ] + + operations = [ + migrations.CreateModel( + name='RadiusOption', + fields=[ + ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('radius_general_policy', models.CharField(choices=[('MACHINE', "On the IP range's VLAN of the machine"), ('DEFINED', "Preset in 'VLAN for machines accepted by RADIUS'")], default='DEFINED', max_length=32)), + ], + options={ + 'verbose_name': 'radius policies', + }, + bases=(re2o.mixins.AclMixin, models.Model), + ), + migrations.CreateModel( + name='RadiusPolicy', + fields=[ + ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('policy', models.CharField(choices=[('REJECT', 'Reject the machine'), ('SET_VLAN', 'Place the machine on the VLAN')], default='REJECT', max_length=32)), + ('vlan', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='machines.Vlan')), + ], + options={ + 'verbose_name': 'radius policy', + }, + bases=(re2o.mixins.AclMixin, models.Model), + ), + migrations.AddField( + model_name='radiusoption', + name='non_member', + field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='non_member_option', to='preferences.RadiusPolicy', verbose_name='Policy non member users.'), + ), + migrations.AddField( + model_name='radiusoption', + name='unknown_machine', + field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='unknown_machine_option', to='preferences.RadiusPolicy', verbose_name='Policy for unknown machines'), + ), + migrations.AddField( + model_name='radiusoption', + name='unknown_port', + field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='unknown_port_option', to='preferences.RadiusPolicy', verbose_name='Policy for unknown machines'), + ), + migrations.AddField( + model_name='radiusoption', + name='unknown_room', + field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='unknown_room_option', to='preferences.RadiusPolicy', verbose_name='Policy for machine connecting from unregistered room (relevant on ports with STRICT radius mode)'), + ), + migrations.AddField( + model_name='radiusoption', + name='banned', + field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='banned_option', to='preferences.RadiusPolicy', verbose_name='Policy for banned users.'), + ), + migrations.AddField( + model_name='radiusoption', + name='vlan_decision_ok', + field=models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, related_name='vlan_ok_option', to='machines.Vlan'), + ), + migrations.RunPython(create_radius_policy), + ] diff --git a/preferences/models.py b/preferences/models.py index 43ff7580..f3f5527e 100644 --- a/preferences/models.py +++ b/preferences/models.py @@ -218,6 +218,7 @@ class OptionalTopologie(AclMixin, PreferencesModel): blank=True, null=True ) + switchs_web_management = models.BooleanField( default=False, help_text="Web management, activé si provision automatique" @@ -309,7 +310,6 @@ class OptionalTopologie(AclMixin, PreferencesModel): """Return true if all settings are ok : switchs on automatic provision, ip_type""" return bool(self.provisioned_switchs and self.switchs_ip_type and SwitchManagementCred.objects.filter(default_switch=True).exists() and self.switchs_management_interface_ip and bool(self.switchs_provision != 'sftp' or self.switchs_management_sftp_creds)) - class Meta: permissions = ( ("view_optionaltopologie", _("Can view the topology options")), @@ -588,3 +588,86 @@ class MailMessageOption(AclMixin, models.Model): ) verbose_name = _("email message options") + +class RadiusPolicy(AclMixin, models.Model): + class Meta: + verbose_name = _('radius policy') + + REJECT = 'REJECT' + SET_VLAN = 'SET_VLAN' + CHOICE_POLICY = ( + (REJECT, _('Reject the machine')), + (SET_VLAN, _('Place the machine on the VLAN')) + ) + + policy = models.CharField( + max_length=32, + choices=CHOICE_POLICY, + default=REJECT + ) + + vlan = models.ForeignKey( + 'machines.Vlan', + on_delete=models.PROTECT, + blank=True, + null=True + ) + + +class RadiusOption(AclMixin, models.Model): + class Meta: + verbose_name = _("radius policies") + + MACHINE = 'MACHINE' + DEFINED = 'DEFINED' + CHOICE_RADIUS = ( + (MACHINE, _("On the IP range's VLAN of the machine")), + (DEFINED, _("Preset in 'VLAN for machines accepted by RADIUS'")), + ) + radius_general_policy = models.CharField( + max_length=32, + choices=CHOICE_RADIUS, + default='DEFINED' + ) + unknown_machine = models.ForeignKey( + RadiusPolicy, + on_delete=models.PROTECT, + verbose_name=_("Policy for unknown machines"), + related_name='unknown_machine_option', + ) + unknown_port = models.ForeignKey( + RadiusPolicy, + on_delete=models.PROTECT, + verbose_name=_("Policy for unknown machines"), + related_name='unknown_port_option', + ) + unknown_room = models.ForeignKey( + RadiusPolicy, + on_delete=models.PROTECT, + verbose_name=_( + "Policy for machine connecting from " + "unregistered room (relevant on ports with STRICT " + "radius mode)" + ), + related_name='unknown_room_option', + ) + non_member = models.ForeignKey( + RadiusPolicy, + on_delete=models.PROTECT, + verbose_name=_("Policy non member users."), + related_name='non_member_option', + ) + banned = models.ForeignKey( + RadiusPolicy, + on_delete=models.PROTECT, + verbose_name=_("Policy for banned users."), + related_name='banned_option' + ) + vlan_decision_ok = models.OneToOneField( + 'machines.Vlan', + on_delete=models.PROTECT, + related_name='vlan_ok_option', + blank=True, + null=True + ) + diff --git a/preferences/templates/preferences/aff_radiusoptions.html b/preferences/templates/preferences/aff_radiusoptions.html new file mode 100644 index 00000000..b434319d --- /dev/null +++ b/preferences/templates/preferences/aff_radiusoptions.html @@ -0,0 +1,96 @@ +{% comment %} +Re2o est un logiciel d'administration développé initiallement au rezometz. Il +se veut agnostique au réseau considéré, de manière à être installable en +quelques clics. + +Copyright © 2018 Hugo Levy-Falk + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +{% endcomment %} +{% load i18n %} +{% load acl %} +{% load logs_extra %} + + + + + + + + + + + +
{% trans "General policy for VLAN setting" %}{{ radiusoptions.radius_general_policy }}{% trans "This setting defines the VLAN policy after acceptance by RADIUS: either on the IP range's VLAN of the machine, or a VLAN preset in 'VLAN for machines accepted by RADIUS'" %}
{% trans "VLAN for machines accepted by RADIUS" %}{{ radiusoptions.vlan_decision_ok }}
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
{% trans "Situation" %}{% trans "Behavior" %}
{% trans "Unknown machine" %} + {% if radiusoptions.unknown_machine.policy == 'REJECT' %} + {% trans "Reject" %} + {% else %} + Vlan {{ radiusoptions.unknown_machine.vlan }} + {% endif %} +
{% trans "Unknown port" %} + {% if radiusoptions.unknown_port.policy == 'REJECT' %} + {% trans "Reject" %} + {% else %} + Vlan {{ radiusoptions.unknown_port.vlan }} + {% endif %} +
{% trans "Unknown room" %} + {% if radiusoptions.unknown_room.policy == 'REJECT' %} + {% trans "Reject" %} + {% else %} + Vlan {{ radiusoptions.unknown_room.vlan }} + {% endif %} +
{% trans "Non member" %} + {% if radiusoptions.non_member.policy == 'REJECT' %} + {% trans "Reject" %} + {% else %} + Vlan {{ radiusoptions.non_member.vlan }} + {% endif %} +
{% trans "Banned user" %} + {% if radiusoptions.unknown_port.policy == 'REJECT' %} + {% trans "Reject" %} + {% else %} + Vlan {{ radiusoptions.banned.vlan }} + {% endif %} +
+ diff --git a/preferences/templates/preferences/display_preferences.html b/preferences/templates/preferences/display_preferences.html index 3fde911d..21d25b43 100644 --- a/preferences/templates/preferences/display_preferences.html +++ b/preferences/templates/preferences/display_preferences.html @@ -32,14 +32,14 @@ with this program; if not, write to the Free Software Foundation, Inc., {% block content %}
- +

{% trans "General preferences" %} -

+
- +
@@ -70,7 +70,7 @@ with this program; if not, write to the Free Software Foundation, Inc., {% trans "General message displayed on the website" %} {{ generaloptions.general_message }} {% trans "Main site url" %} - {{ generaloptions.main_site_url }} + {{ generaloptions.main_site_url }} {% trans "Summary of the General Terms of Use" %} @@ -99,7 +99,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,

{% trans "User preferences" %}

-
+

@@ -146,7 +146,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
- +

@@ -159,7 +159,7 @@ with this program; if not, write to the Free Software Foundation, Inc., {% trans "Edit" %} - +

@@ -208,10 +208,10 @@ with this program; if not, write to the Free Software Foundation, Inc., - - - - + + + +
{% trans "VLAN for machines rejected by RADIUS" %} {{ topologieoptions.vlan_decision_nok }}
Placement sur ce vlan par default en cas de rejet{{ topologieoptions.vlan_decision_nok }}
{% trans "VLAN for non members machines" %}{{ topologieoptions.vlan_non_member }}

Clef radius

@@ -219,7 +219,7 @@ with this program; if not, write to the Free Software Foundation, Inc., Ajouter une clef radius {% acl_end %} {% include "preferences/aff_radiuskey.html" with radiuskey_list=radiuskey_list %} - +
@@ -236,7 +236,7 @@ with this program; if not, write to the Free Software Foundation, Inc., {% trans "Edit" %}

- + @@ -254,11 +254,11 @@ with this program; if not, write to the Free Software Foundation, Inc., - + - + @@ -287,6 +287,18 @@ with this program; if not, write to the Free Software Foundation, Inc., +
+
+

{% trans "Radius preferences" %}

+
+
+ + + {% trans "Edit" %} + + {% include "preferences/aff_radiusoptions.html" %} +
+
@@ -295,7 +307,6 @@ with this program; if not, write to the Free Software Foundation, Inc.,
- {% trans "Edit" %} @@ -331,11 +342,11 @@ with this program; if not, write to the Free Software Foundation, Inc.,
Web management, activé si provision automatiqueSwitchs configurés automatiquement {{ topologieoptions.provisioned_switchs|join:", " }} {% if topologieoptions.provisioned_switchs %} OK{% else %}Manquant{% endif %}
Plage d'ip de management des switchs {{ topologieoptions.switchs_ip_type }} {% if topologieoptions.switchs_ip_type %} OK{% else %}Manquant{% endif %}
Serveur des config des switchs {{ topologieoptions.switchs_management_interface }} {% if topologieoptions.switchs_management_interface %} - {{ topologieoptions.switchs_management_interface_ip }} OK{% else %}Manquant{% endif %}
- +

- Message pour les mails + Message pour les mails

@@ -367,7 +378,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
{% can_create preferences.Reminder%} - + Ajouter un rappel

{% acl_end %} @@ -384,12 +395,12 @@ with this program; if not, write to the Free Software Foundation, Inc.,
{% can_create preferences.Service%} - + {% trans " Add a service" %}

{% acl_end %} {% include "preferences/aff_service.html" with service_list=service_list %} - +
@@ -400,7 +411,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
- + {% can_create preferences.MailContact %} {% trans "Add an address" %} {% acl_end %} diff --git a/preferences/urls.py b/preferences/urls.py index 63ca6a39..30163868 100644 --- a/preferences/urls.py +++ b/preferences/urls.py @@ -66,6 +66,11 @@ urlpatterns = [ views.edit_options, name='edit-options' ), + url( + r'^edit_options/(?P
RadiusOption)$', + views.edit_options, + name='edit-options' + ), url(r'^add_service/$', views.add_service, name='add-service'), url( r'^edit_service/(?P[0-9]+)$', diff --git a/preferences/views.py b/preferences/views.py index ee81ae89..f62a5a0d 100644 --- a/preferences/views.py +++ b/preferences/views.py @@ -62,7 +62,8 @@ from .models import ( HomeOption, Reminder, RadiusKey, - SwitchManagementCred + SwitchManagementCred, + RadiusOption, ) from . import models from . import forms @@ -86,6 +87,7 @@ def display_options(request): reminder_list = Reminder.objects.all() radiuskey_list = RadiusKey.objects.all() switchmanagementcred_list = SwitchManagementCred.objects.all() + radiusoptions, _ = RadiusOption.objects.get_or_create() return form({ 'useroptions': useroptions, 'machineoptions': machineoptions, @@ -98,7 +100,8 @@ def display_options(request): 'mailcontact_list': mailcontact_list, 'reminder_list': reminder_list, 'radiuskey_list' : radiuskey_list, - 'switchmanagementcred_list': switchmanagementcred_list, + 'switchmanagementcred_list': switchmanagementcred_list, + 'radiusoptions' : radiusoptions, }, 'preferences/display_preferences.html', request)