nsupdate.info/nsupdate/api/views.py

# -*- coding: utf-8 -*-

import logging
logger = logging.getLogger(__name__)

from django.http import HttpResponse
from django.conf import settings
from django.contrib.auth.hashers import check_password
from django.contrib.auth.decorators import login_required
from django.contrib.sessions.backends.db import SessionStore

from main.models import Host
import dns.inet
import os

from main.dnstools import update, SameIpError


def MyIpView(request):
    """
    return the IP address (can be v4 or v6) of the client requesting this view.

    :param request: django request object
    :return: HttpResponse object
    """
    return HttpResponse(request.META['REMOTE_ADDR'], content_type="text/plain")


def DetectIpView(request, secret=None):
    """
    Put the IP address (can be v4 or v6) of the client requesting this view
    into the client's session.

    :param request: django request object
    :param secret: session key used to find the correct session w/o session cookie
    :return: HttpResponse object
    """
    # we do not have the session as usual, as this is a different host,
    # so the session cookie is not received here - thus we access it via
    # the secret:
    s = SessionStore(session_key=secret)
    ipaddr = request.META['REMOTE_ADDR']
    af = dns.inet.af_for_address(ipaddr)
    key = 'ipv4' if af == dns.inet.AF_INET else 'ipv6'
    s[key] = ipaddr
    s.save()
    with open(os.path.join(settings.STATIC_ROOT, "1px.gif"), "rb") as f:
        image_data = f.read()
    return HttpResponse(image_data, mimetype="image/png")


def basic_challenge(realm, content='Authorization Required'):
    """
    Construct a 401 response requesting http basic auth.

    :param realm: realm string (displayed by the browser)
    :param content: request body content
    :return: HttpResponse object
    """
    response = HttpResponse(content, content_type="text/plain")
    response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm, )
    response.status_code = 401
    return response


def basic_authenticate(auth):
    """
    Get username and password from http basic auth string.

    :param auth: http basic auth string
    :return: username, password
    """
    authmeth, auth = auth.split(' ', 1)
    if authmeth.lower() != 'basic':
        return
    auth = auth.strip().decode('base64')
    username, password = auth.split(':', 1)
    return username, password


def check_api_auth(username, password):
    """
    Check username and password against our database.

    :param username: http basic auth username (== fqdn)
    :param password: update password
    :return: True if authenticated, False otherwise.
    """
    fqdn = username
    hosts = Host.filter_by_fqdn(fqdn)
    num_hosts = len(hosts)
    if num_hosts == 0:
        return False
    if num_hosts > 1:
        logging.error("fqdn %s has multiple entries" % fqdn)
        return False
    password_hash = hosts[0].update_secret
    return check_password(password, password_hash)


def check_session_auth(user, hostname):
    """
    Check our database whether the hostname is owned by the user.

    :param user: django user object
    :param hostname: fqdn
    :return: True if hostname is owned by this user, False otherwise.
    """
    fqdn = hostname
    hosts = Host.filter_by_fqdn(fqdn, created_by=user)
    num_hosts = len(hosts)
    if num_hosts == 0:
        return False
    if num_hosts > 1:
        logging.error("fqdn %s has multiple entries" % fqdn)
        return False
    return True


def Response(content):
    """
    shortcut for plaintext response

    :param content: plain text content for the response
    :return: HttpResonse object
    """
    return HttpResponse(content, content_type='text/plain')


def NicUpdateView(request):
    """
    dyndns2 compatible /nic/update API.

    Example URLs:

    Will request username (fqdn) and password (secret) from user,
    for interactive testing / updating:
    https://nsupdate.info/nic/update

    You can put it also into the url, so the browser will automatically
    send the http basic auth with the request:
    https://fqdn:secret@nsupdate.info/nic/update

    If the request does not come from the correct IP, you can give it as
    a query parameter, you can also give the hostname (then it won't use
    the username from http basic auth as the fqdn:
    https://fqdn:secret@nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4

    :param request: django request object
    :return: HttpResponse object
    """
    hostname = request.GET.get('hostname')
    auth = request.META.get('HTTP_AUTHORIZATION')
    if auth is None:
        logger.warning('%s - received no auth' % (hostname, ))
        return basic_challenge("authenticate to update DNS", 'noauth')
    username, password = basic_authenticate(auth)
    if not check_api_auth(username, password):
        logger.info('%s - received bad credentials, username: %s' % (hostname, username, ))
        return basic_challenge("authenticate to update DNS", 'badauth')
    if hostname is None:
        # as we use update_username == hostname, we can fall back to that:
        hostname = username
    ipaddr = request.GET.get('myip')
    if ipaddr is None:
        ipaddr = request.META.get('REMOTE_ADDR')
    agent = request.META.get('HTTP_USER_AGENT')
    if agent in settings.BAD_AGENTS:
        logger.info('%s - received update from bad user agent %s' % (hostname, agent, ))
        return Response('badagent')
    return _update(hostname, ipaddr)


@login_required
def AuthorizedNicUpdateView(request):
    """
    similar to NicUpdateView, but the client is not a router or other dyndns client,
    but the admin browser who is currently logged into the nsupdate.info site.

    Example URLs:

    https://supdate.info/nic/update?hostname=fqdn&myip=1.2.3.4

    :param request: django request object
    :return: HttpResponse object
    """
    hostname = request.GET.get('hostname')
    if hostname is None:
        return Response('nohost')
    if not check_session_auth(request.user, hostname):
        logger.info('%s - is not owned by user: %s' % (hostname, request.user.username, ))
        return Response('nohost')
    ipaddr = request.GET.get('myip')
    if ipaddr is None:
        ipaddr = request.META.get('REMOTE_ADDR')
    return _update(hostname, ipaddr)


def _update(hostname, ipaddr):
    ipaddr = str(ipaddr)  # XXX bug in dnspython: crashes if ipaddr is unicode, wants a str!
    try:
        update(hostname, ipaddr)
        logger.info('%s - received good update -> ip: %s' % (hostname, ipaddr, ))
        return Response('good %s' % ipaddr)
    except SameIpError:
        logger.warning('%s - received no-change update, ip: %s' % (hostname, ipaddr, ))
        return Response('nochg %s' % ipaddr)
moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`# -- coding: utf-8 --`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00
			`import logging`
			`logger = logging.getLogger(__name__)`

moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`from django.http import HttpResponse`
			`from django.conf import settings`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`from django.contrib.auth.hashers import check_password`
changed updateIp to detectIP 2013-09-29 02:07:58 +02:00			`from django.contrib.auth.decorators import login_required`
removed proxy user, because solution was not working. Made id session based. please work now :'( 2013-09-29 14:33:24 +02:00			`from django.contrib.sessions.backends.db import SessionStore`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00
removed proxy user, because solution was not working. Made id session based. please work now :'( 2013-09-29 14:33:24 +02:00			`from main.models import Host`
imrpoved ipv4/ipv6 check. now always update ip, in case host changes IP. added a create_host() method for the HostForm. 2013-09-28 20:18:20 +02:00			`import dns.inet`
updadd Host fields. serve 1px image instead of OK text in /updateip/. favicon change. 2013-09-29 01:12:23 +02:00			`import os`
moved the /myip call into the api module 2013-09-28 18:46:31 +02:00
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`from main.dnstools import update, SameIpError`


moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`def MyIpView(request):`
add docstrings 2013-09-29 15:59:16 +02:00			`"""`
			`return the IP address (can be v4 or v6) of the client requesting this view.`

			`:param request: django request object`
			`:return: HttpResponse object`
			`"""`
get ipv4 and ipv6 adr from session 2013-09-28 19:01:40 +02:00			`return HttpResponse(request.META['REMOTE_ADDR'], content_type="text/plain")`

implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00
changed User to ProxyUser 2013-09-29 14:07:24 +02:00			`def DetectIpView(request, secret=None):`
add docstrings 2013-09-29 15:59:16 +02:00			`"""`
			`Put the IP address (can be v4 or v6) of the client requesting this view`
			`into the client's session.`

			`:param request: django request object`
more docstrings fixes 2013-09-29 16:14:43 +02:00			`:param secret: session key used to find the correct session w/o session cookie`
add docstrings 2013-09-29 15:59:16 +02:00			`:return: HttpResponse object`
			`"""`
			`# we do not have the session as usual, as this is a different host,`
			`# so the session cookie is not received here - thus we access it via`
			`# the secret:`
debug ip detection problem 2013-09-29 14:41:47 +02:00			`s = SessionStore(session_key=secret)`
imrpoved ipv4/ipv6 check. now always update ip, in case host changes IP. added a create_host() method for the HostForm. 2013-09-28 20:18:20 +02:00			`ipaddr = request.META['REMOTE_ADDR']`
			`af = dns.inet.af_for_address(ipaddr)`
removed proxy user, because solution was not working. Made id session based. please work now :'( 2013-09-29 14:33:24 +02:00			`key = 'ipv4' if af == dns.inet.AF_INET else 'ipv6'`
			`s[key] = ipaddr`
debug ip detection problem 2013-09-29 14:41:47 +02:00			`s.save()`
fixed the ip detection :3 2013-09-29 15:15:34 +02:00			`with open(os.path.join(settings.STATIC_ROOT, "1px.gif"), "rb") as f:`
			`image_data = f.read()`
			`return HttpResponse(image_data, mimetype="image/png")`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`def basic_challenge(realm, content='Authorization Required'):`
			`"""`
			`Construct a 401 response requesting http basic auth.`

			`:param realm: realm string (displayed by the browser)`
			`:param content: request body content`
			`:return: HttpResponse object`
			`"""`
			`response = HttpResponse(content, content_type="text/plain")`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm, )`
			`response.status_code = 401`
			`return response`


			`def basic_authenticate(auth):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`Get username and password from http basic auth string.`

			`:param auth: http basic auth string`
			`:return: username, password`
			`"""`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`authmeth, auth = auth.split(' ', 1)`
			`if authmeth.lower() != 'basic':`
			`return`
			`auth = auth.strip().decode('base64')`
			`username, password = auth.split(':', 1)`
			`return username, password`


implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`def check_api_auth(username, password):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`Check username and password against our database.`

			`:param username: http basic auth username (== fqdn)`
			`:param password: update password`
			`:return: True if authenticated, False otherwise.`
			`"""`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`fqdn = username`
fqdn fix 2013-09-29 18:15:15 +02:00			`hosts = Host.filter_by_fqdn(fqdn)`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`num_hosts = len(hosts)`
			`if num_hosts == 0:`
			`return False`
			`if num_hosts > 1:`
			`logging.error("fqdn %s has multiple entries" % fqdn)`
			`return False`
			`password_hash = hosts[0].update_secret`
			`return check_password(password, password_hash)`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`def check_session_auth(user, hostname):`
			`"""`
			`Check our database whether the hostname is owned by the user.`

			`:param user: django user object`
			`:param hostname: fqdn`
			`:return: True if hostname is owned by this user, False otherwise.`
			`"""`
fqdn fix 2013-09-29 18:15:15 +02:00			`fqdn = hostname`
			`hosts = Host.filter_by_fqdn(fqdn, created_by=user)`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`num_hosts = len(hosts)`
			`if num_hosts == 0:`
			`return False`
			`if num_hosts > 1:`
			`logging.error("fqdn %s has multiple entries" % fqdn)`
			`return False`
			`return True`


implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`def Response(content):`
more docstrings fixes 2013-09-29 16:14:43 +02:00			`"""`
			`shortcut for plaintext response`

			`:param content: plain text content for the response`
			`:return: HttpResonse object`
			`"""`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return HttpResponse(content, content_type='text/plain')`


			`def NicUpdateView(request):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`dyndns2 compatible /nic/update API.`

			`Example URLs:`

			`Will request username (fqdn) and password (secret) from user,`
			`for interactive testing / updating:`
			`https://nsupdate.info/nic/update`

			`You can put it also into the url, so the browser will automatically`
			`send the http basic auth with the request:`
			`https://fqdn:secret@nsupdate.info/nic/update`

			`If the request does not come from the correct IP, you can give it as`
			`a query parameter, you can also give the hostname (then it won't use`
			`the username from http basic auth as the fqdn:`
			`https://fqdn:secret@nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4`
add docstrings 2013-09-29 15:59:16 +02:00
			`:param request: django request object`
			`:return: HttpResponse object`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`hostname = request.GET.get('hostname')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`auth = request.META.get('HTTP_AUTHORIZATION')`
			`if auth is None:`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.warning('%s - received no auth' % (hostname, ))`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`return basic_challenge("authenticate to update DNS", 'noauth')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`username, password = basic_authenticate(auth)`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`if not check_api_auth(username, password):`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.info('%s - received bad credentials, username: %s' % (hostname, username, ))`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`return basic_challenge("authenticate to update DNS", 'badauth')`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`if hostname is None:`
			`# as we use update_username == hostname, we can fall back to that:`
			`hostname = username`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`ipaddr = request.GET.get('myip')`
			`if ipaddr is None:`
			`ipaddr = request.META.get('REMOTE_ADDR')`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`agent = request.META.get('HTTP_USER_AGENT')`
			`if agent in settings.BAD_AGENTS:`
			`logger.info('%s - received update from bad user agent %s' % (hostname, agent, ))`
			`return Response('badagent')`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`return _update(hostname, ipaddr)`


			`@login_required`
			`def AuthorizedNicUpdateView(request):`
			`"""`
			`similar to NicUpdateView, but the client is not a router or other dyndns client,`
			`but the admin browser who is currently logged into the nsupdate.info site.`

			`Example URLs:`

			`https://supdate.info/nic/update?hostname=fqdn&myip=1.2.3.4`
add docstrings 2013-09-29 15:59:16 +02:00
			`:param request: django request object`
			`:return: HttpResponse object`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`"""`
			`hostname = request.GET.get('hostname')`
			`if hostname is None:`
			`return Response('nohost')`
			`if not check_session_auth(request.user, hostname):`
			`logger.info('%s - is not owned by user: %s' % (hostname, request.user.username, ))`
			`return Response('nohost')`
			`ipaddr = request.GET.get('myip')`
			`if ipaddr is None:`
			`ipaddr = request.META.get('REMOTE_ADDR')`
			`return _update(hostname, ipaddr)`


			`def _update(hostname, ipaddr):`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`ipaddr = str(ipaddr) # XXX bug in dnspython: crashes if ipaddr is unicode, wants a str!`
			`try:`
			`update(hostname, ipaddr)`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.info('%s - received good update -> ip: %s' % (hostname, ipaddr, ))`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return Response('good %s' % ipaddr)`
			`except SameIpError:`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.warning('%s - received no-change update, ip: %s' % (hostname, ipaddr, ))`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return Response('nochg %s' % ipaddr)`