nsupdate.info/nsupdate/api/views.py

# -*- coding: utf-8 -*-

import logging
logger = logging.getLogger(__name__)

from django.http import HttpResponse
from django.conf import settings
from django.contrib.auth.hashers import check_password
from django.contrib.auth.decorators import login_required

from main.models import Host
import dns.inet
import os

from main.dnstools import update, SameIpError


def MyIpView(request):
    return HttpResponse(request.META['REMOTE_ADDR'], content_type="text/plain")


def DetectIpView(request):
    ipaddr = request.META['REMOTE_ADDR']
    af = dns.inet.af_for_address(ipaddr)
    key = 'ipv4' if af == dns.inet.AF_INET else 'ipv6'
    request.session[key] = ipaddr
    image_data = open(settings.STATIC_ROOT+"/1px.gif", "rb").read()
    return HttpResponse(image_data, mimetype="image/png")


def basic_challenge(realm, content='Authorization Required'):
    """
    Construct a 401 response requesting http basic auth.

    :param realm: realm string (displayed by the browser)
    :param content: request body content
    :return: HttpResponse object
    """
    response = HttpResponse(content, content_type="text/plain")
    response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm, )
    response.status_code = 401
    return response


def basic_authenticate(auth):
    """
    Get username and password from http basic auth string.

    :param auth: http basic auth string
    :return: username, password
    """
    authmeth, auth = auth.split(' ', 1)
    if authmeth.lower() != 'basic':
        return
    auth = auth.strip().decode('base64')
    username, password = auth.split(':', 1)
    return username, password


def check_auth(username, password):
    """
    Check username and password against our database.

    :param username: http basic auth username (== fqdn)
    :param password: update password
    :return: True if authenticated, False otherwise.
    """
    fqdn = username
    hosts = Host.objects.filter(fqdn=fqdn)
    num_hosts = len(hosts)
    if num_hosts == 0:
        return False
    if num_hosts > 1:
        logging.error("fqdn %s has multiple entries" % fqdn)
        return False
    password_hash = hosts[0].update_secret
    return check_password(password, password_hash)


def Response(content):
    return HttpResponse(content, content_type='text/plain')


def NicUpdateView(request):
    """
    dyndns2 compatible /nic/update API.

    Example URLs:

    Will request username (fqdn) and password (secret) from user,
    for interactive testing / updating:
    https://nsupdate.info/nic/update

    You can put it also into the url, so the browser will automatically
    send the http basic auth with the request:
    https://fqdn:secret@nsupdate.info/nic/update

    If the request does not come from the correct IP, you can give it as
    a query parameter, you can also give the hostname (then it won't use
    the username from http basic auth as the fqdn:
    https://fqdn:secret@nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4
    """
    hostname = request.GET.get('hostname')
    auth = request.META.get('HTTP_AUTHORIZATION')
    if auth is None:
        logger.warning('%s - received no auth' % (hostname, ))
        return basic_challenge("authenticate to update DNS", 'noauth')
    username, password = basic_authenticate(auth)
    if not check_auth(username, password):
        logger.info('%s - received bad credentials, username: %s' % (hostname, username, ))
        return basic_challenge("authenticate to update DNS", 'badauth')
    if hostname is None:
        # as we use update_username == hostname, we can fall back to that:
        hostname = username
    ipaddr = request.GET.get('myip')
    if ipaddr is None:
        ipaddr = request.META.get('REMOTE_ADDR')
    agent = request.META.get('HTTP_USER_AGENT')
    if agent in settings.BAD_AGENTS:
        logger.info('%s - received update from bad user agent %s' % (hostname, agent, ))
        return Response('badagent')
    ipaddr = str(ipaddr)  # XXX bug in dnspython: crashes if ipaddr is unicode, wants a str!
    try:
        update(hostname, ipaddr)
        logger.info('%s - received good update -> ip: %s' % (hostname, ipaddr, ))
        return Response('good %s' % ipaddr)
    except SameIpError:
        logger.warning('%s - received no-change update, ip: %s' % (hostname, ipaddr, ))
        return Response('nochg %s' % ipaddr)
moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`# -- coding: utf-8 --`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00
			`import logging`
			`logger = logging.getLogger(__name__)`

moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`from django.http import HttpResponse`
			`from django.conf import settings`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`from django.contrib.auth.hashers import check_password`
changed updateIp to detectIP 2013-09-29 02:07:58 +02:00			`from django.contrib.auth.decorators import login_required`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`from main.models import Host`
imrpoved ipv4/ipv6 check. now always update ip, in case host changes IP. added a create_host() method for the HostForm. 2013-09-28 20:18:20 +02:00			`import dns.inet`
updadd Host fields. serve 1px image instead of OK text in /updateip/. favicon change. 2013-09-29 01:12:23 +02:00			`import os`
moved the /myip call into the api module 2013-09-28 18:46:31 +02:00
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`from main.dnstools import update, SameIpError`


moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`def MyIpView(request):`
get ipv4 and ipv6 adr from session 2013-09-28 19:01:40 +02:00			`return HttpResponse(request.META['REMOTE_ADDR'], content_type="text/plain")`

implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00
changed updateIp to detectIP 2013-09-29 02:07:58 +02:00			`def DetectIpView(request):`
imrpoved ipv4/ipv6 check. now always update ip, in case host changes IP. added a create_host() method for the HostForm. 2013-09-28 20:18:20 +02:00			`ipaddr = request.META['REMOTE_ADDR']`
			`af = dns.inet.af_for_address(ipaddr)`
small style change 2013-09-28 20:42:18 +02:00			`key = 'ipv4' if af == dns.inet.AF_INET else 'ipv6'`
			`request.session[key] = ipaddr`
updadd Host fields. serve 1px image instead of OK text in /updateip/. favicon change. 2013-09-29 01:12:23 +02:00			`image_data = open(settings.STATIC_ROOT+"/1px.gif", "rb").read()`
			`return HttpResponse(image_data, mimetype="image/png")`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`def basic_challenge(realm, content='Authorization Required'):`
			`"""`
			`Construct a 401 response requesting http basic auth.`

			`:param realm: realm string (displayed by the browser)`
			`:param content: request body content`
			`:return: HttpResponse object`
			`"""`
			`response = HttpResponse(content, content_type="text/plain")`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm, )`
			`response.status_code = 401`
			`return response`


			`def basic_authenticate(auth):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`Get username and password from http basic auth string.`

			`:param auth: http basic auth string`
			`:return: username, password`
			`"""`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`authmeth, auth = auth.split(' ', 1)`
			`if authmeth.lower() != 'basic':`
			`return`
			`auth = auth.strip().decode('base64')`
			`username, password = auth.split(':', 1)`
			`return username, password`


			`def check_auth(username, password):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`Check username and password against our database.`

			`:param username: http basic auth username (== fqdn)`
			`:param password: update password`
			`:return: True if authenticated, False otherwise.`
			`"""`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`fqdn = username`
			`hosts = Host.objects.filter(fqdn=fqdn)`
			`num_hosts = len(hosts)`
			`if num_hosts == 0:`
			`return False`
			`if num_hosts > 1:`
			`logging.error("fqdn %s has multiple entries" % fqdn)`
			`return False`
			`password_hash = hosts[0].update_secret`
			`return check_password(password, password_hash)`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`def Response(content):`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return HttpResponse(content, content_type='text/plain')`


			`def NicUpdateView(request):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`dyndns2 compatible /nic/update API.`

			`Example URLs:`

			`Will request username (fqdn) and password (secret) from user,`
			`for interactive testing / updating:`
			`https://nsupdate.info/nic/update`

			`You can put it also into the url, so the browser will automatically`
			`send the http basic auth with the request:`
			`https://fqdn:secret@nsupdate.info/nic/update`

			`If the request does not come from the correct IP, you can give it as`
			`a query parameter, you can also give the hostname (then it won't use`
			`the username from http basic auth as the fqdn:`
			`https://fqdn:secret@nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4`
			`"""`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`hostname = request.GET.get('hostname')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`auth = request.META.get('HTTP_AUTHORIZATION')`
			`if auth is None:`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.warning('%s - received no auth' % (hostname, ))`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`return basic_challenge("authenticate to update DNS", 'noauth')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`username, password = basic_authenticate(auth)`
			`if not check_auth(username, password):`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.info('%s - received bad credentials, username: %s' % (hostname, username, ))`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`return basic_challenge("authenticate to update DNS", 'badauth')`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`if hostname is None:`
			`# as we use update_username == hostname, we can fall back to that:`
			`hostname = username`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`ipaddr = request.GET.get('myip')`
			`if ipaddr is None:`
			`ipaddr = request.META.get('REMOTE_ADDR')`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`agent = request.META.get('HTTP_USER_AGENT')`
			`if agent in settings.BAD_AGENTS:`
			`logger.info('%s - received update from bad user agent %s' % (hostname, agent, ))`
			`return Response('badagent')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`ipaddr = str(ipaddr) # XXX bug in dnspython: crashes if ipaddr is unicode, wants a str!`
			`try:`
			`update(hostname, ipaddr)`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.info('%s - received good update -> ip: %s' % (hostname, ipaddr, ))`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return Response('good %s' % ipaddr)`
			`except SameIpError:`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`logger.warning('%s - received no-change update, ip: %s' % (hostname, ipaddr, ))`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return Response('nochg %s' % ipaddr)`