nsupdate.info/nsupdate/api/views.py

# -*- coding: utf-8 -*-

import logging
logger = logging.getLogger(__name__)

import json

from django.http import HttpResponse
from django.conf import settings
from django.contrib.auth.hashers import check_password
from django.contrib.auth.decorators import login_required
from django.contrib.sessions.backends.db import SessionStore
from django.utils.timezone import now

from ..main.models import Host
from ..main.dnstools import update, SameIpError, check_ip


def Response(content):
    """
    shortcut for text/plain HttpResponse

    :param content: plain text content for the response
    :return: HttpResonse object
    """
    return HttpResponse(content, content_type='text/plain')


def MyIpView(request):
    """
    return the IP address (can be v4 or v6) of the client requesting this view.

    :param request: django request object
    :return: HttpResponse object
    """
    return Response(request.META['REMOTE_ADDR'])


def DetectIpView(request, secret=None):
    """
    Put the IP address (can be v4 or v6) of the client requesting this view
    into the client's session.

    :param request: django request object
    :param secret: session key used to find the correct session w/o session cookie
    :return: HttpResponse object
    """
    # we do not have the session as usual, as this is a different host,
    # so the session cookie is not received here - thus we access it via
    # the secret:
    s = SessionStore(session_key=secret)
    ipaddr = request.META['REMOTE_ADDR']
    key = check_ip(ipaddr)
    s[key] = ipaddr
    s[key + '_timestamp'] = now()
    logger.debug("detected %s: %s" % (key, ipaddr))
    s.save()
    return HttpResponse(status=204)


def AjaxGetIps(request):
    """
    Get the IP addresses of the client from the session via AJAX
    (so we don't need to reload the view in case we just invalidated stale IPs
    and triggered new detection).

    :param request: django request object
    :return: HttpResponse object
    """
    response = dict(
        ipv4=request.session['ipv4'],
        ipv6=request.session['ipv6'],
    )
    logger.debug("ajax_get_ips response: %r" % (response, ))
    return HttpResponse(json.dumps(response), content_type='application/json')


def basic_challenge(realm, content='Authorization Required'):
    """
    Construct a 401 response requesting http basic auth.

    :param realm: realm string (displayed by the browser)
    :param content: request body content
    :return: HttpResponse object
    """
    response = Response(content)
    response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm, )
    response.status_code = 401
    return response


def basic_authenticate(auth):
    """
    Get username and password from http basic auth string.

    :param auth: http basic auth string
    :return: username, password
    """
    authmeth, auth = auth.split(' ', 1)
    if authmeth.lower() != 'basic':
        return
    auth = auth.strip().decode('base64')
    username, password = auth.split(':', 1)
    return username, password


def check_api_auth(username, password):
    """
    Check username and password against our database.

    :param username: http basic auth username (== fqdn)
    :param password: update password
    :return: True if authenticated, False otherwise.
    """
    fqdn = username
    hosts = Host.filter_by_fqdn(fqdn)
    num_hosts = len(hosts)
    if num_hosts == 0:
        return False
    if num_hosts > 1:
        logging.error("fqdn %s has multiple entries" % fqdn)
        return False
    password_hash = hosts[0].update_secret
    return check_password(password, password_hash)


def check_session_auth(user, hostname):
    """
    Check our database whether the hostname is owned by the user.

    :param user: django user object
    :param hostname: fqdn
    :return: True if hostname is owned by this user, False otherwise.
    """
    fqdn = hostname
    hosts = Host.filter_by_fqdn(fqdn, created_by=user)
    num_hosts = len(hosts)
    if num_hosts == 0:
        return False
    if num_hosts > 1:
        logging.error("fqdn %s has multiple entries" % fqdn)
        return False
    return True


def NicUpdateView(request):
    """
    dyndns2 compatible /nic/update API.

    Example URLs:

    Will request username (fqdn) and password (secret) from user,
    for interactive testing / updating:
    https://nsupdate.info/nic/update

    You can put it also into the url, so the browser will automatically
    send the http basic auth with the request:
    https://fqdn:secret@nsupdate.info/nic/update

    If the request does not come from the correct IP, you can give it as
    a query parameter, you can also give the hostname (then it won't use
    the username from http basic auth as the fqdn:
    https://fqdn:secret@nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4

    :param request: django request object
    :return: HttpResponse object
    """
    hostname = request.GET.get('hostname')
    agent = request.META.get('HTTP_USER_AGENT', 'unknown')
    auth = request.META.get('HTTP_AUTHORIZATION')
    if auth is None:
        logger.warning('%s - received no auth [ua: %s]' % (hostname, agent, ))
        return basic_challenge("authenticate to update DNS", 'noauth')
    username, password = basic_authenticate(auth)
    if not check_api_auth(username, password):
        logger.info('%s - received bad credentials, username: %s [ua: %s]' % (hostname, username, agent, ))
        return basic_challenge("authenticate to update DNS", 'badauth')
    if hostname is None:
        # as we use update_username == hostname, we can fall back to that:
        hostname = username
    ipaddr = request.GET.get('myip')
    if ipaddr is None:
        ipaddr = request.META.get('REMOTE_ADDR')
    if agent in settings.BAD_AGENTS:
        logger.info('%s - received update from bad user agent [ua: %s]' % (hostname, agent, ))
        return Response('badagent')
    return _update(hostname, ipaddr, agent)


@login_required
def AuthorizedNicUpdateView(request):
    """
    similar to NicUpdateView, but the client is not a router or other dyndns client,
    but the admin browser who is currently logged into the nsupdate.info site.

    Example URLs:

    https://nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4

    :param request: django request object
    :return: HttpResponse object
    """
    agent = request.META.get('HTTP_USER_AGENT', 'unknown')
    hostname = request.GET.get('hostname')
    if hostname is None:
        return Response('nohost')
    if not check_session_auth(request.user, hostname):
        logger.info('%s - is not owned by user: %s' % (hostname, request.user.username, ))
        return Response('nohost')
    ipaddr = request.GET.get('myip')
    if not ipaddr:
        ipaddr = request.META.get('REMOTE_ADDR')
    return _update(hostname, ipaddr, agent)


def _update(hostname, ipaddr, agent='unknown'):
    ipaddr = str(ipaddr)  # bug in dnspython: crashes if ipaddr is unicode, wants a str!
                          # https://github.com/rthalley/dnspython/issues/41
                          # TODO: reproduce and submit traceback to issue 41
    hosts = Host.filter_by_fqdn(hostname)
    num_hosts = len(hosts)
    if num_hosts == 0:
        return False
    if num_hosts > 1:
        logging.error("fqdn %s has multiple entries" % hostname)
        return False
    kind = check_ip(ipaddr, ('ipv4', 'ipv6'))
    hosts[0].poke(kind)
    try:
        update(hostname, ipaddr)
        logger.info('%s - received good update -> ip: %s [ua: %s]' % (hostname, ipaddr, agent))
        return Response('good %s' % ipaddr)
    except SameIpError:
        logger.warning('%s - received no-change update, ip: %s [ua: %s]' % (hostname, ipaddr, agent))
        return Response('nochg %s' % ipaddr)
moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`# -- coding: utf-8 --`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00
			`import logging`
			`logger = logging.getLogger(__name__)`

use AJAX to update view with current IPs, cosmetic changes, deal with v4 and v6 js separately 2013-11-01 06:03:36 +01:00			`import json`

moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`from django.http import HttpResponse`
			`from django.conf import settings`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`from django.contrib.auth.hashers import check_password`
changed updateIp to detectIP 2013-09-29 02:07:58 +02:00			`from django.contrib.auth.decorators import login_required`
removed proxy user, because solution was not working. Made id session based. please work now :'( 2013-09-29 14:33:24 +02:00			`from django.contrib.sessions.backends.db import SessionStore`
remove stale IPs from session, so we don't show outdated information could happen if there once was a IPv6 connection, but now is not any more. it now kills infos older than 3 minutes from the session. it also shows the age of the infos now on the hosts overview view (but not on home view due to cosmetic reasons). optimization: only request the fake images for ipv4/v6 detection if we don't have a fresh IP already. added example settings for using detectip on (ip6-)localhost 2013-11-01 04:03:34 +01:00			`from django.utils.timezone import now`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00
Move all stuff into own top-level package 2013-10-17 20:50:44 +00:00			`from ..main.models import Host`
			`from ..main.dnstools import update, SameIpError, check_ip`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

api: use Response() more often 2013-10-03 19:38:07 +02:00			`def Response(content):`
			`"""`
			`shortcut for text/plain HttpResponse`

			`:param content: plain text content for the response`
			`:return: HttpResonse object`
			`"""`
			`return HttpResponse(content, content_type='text/plain')`


moved the /myip call into the api module 2013-09-28 18:46:31 +02:00			`def MyIpView(request):`
add docstrings 2013-09-29 15:59:16 +02:00			`"""`
			`return the IP address (can be v4 or v6) of the client requesting this view.`

			`:param request: django request object`
			`:return: HttpResponse object`
			`"""`
api: use Response() more often 2013-10-03 19:38:07 +02:00			`return Response(request.META['REMOTE_ADDR'])`
get ipv4 and ipv6 adr from session 2013-09-28 19:01:40 +02:00
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00
changed User to ProxyUser 2013-09-29 14:07:24 +02:00			`def DetectIpView(request, secret=None):`
add docstrings 2013-09-29 15:59:16 +02:00			`"""`
			`Put the IP address (can be v4 or v6) of the client requesting this view`
			`into the client's session.`

			`:param request: django request object`
more docstrings fixes 2013-09-29 16:14:43 +02:00			`:param secret: session key used to find the correct session w/o session cookie`
add docstrings 2013-09-29 15:59:16 +02:00			`:return: HttpResponse object`
			`"""`
			`# we do not have the session as usual, as this is a different host,`
			`# so the session cookie is not received here - thus we access it via`
			`# the secret:`
debug ip detection problem 2013-09-29 14:41:47 +02:00			`s = SessionStore(session_key=secret)`
imrpoved ipv4/ipv6 check. now always update ip, in case host changes IP. added a create_host() method for the HostForm. 2013-09-28 20:18:20 +02:00			`ipaddr = request.META['REMOTE_ADDR']`
new check_ip() validates if a str is a ip addr and also determines address family, deduplicate code 2013-10-03 20:39:55 +02:00			`key = check_ip(ipaddr)`
removed proxy user, because solution was not working. Made id session based. please work now :'( 2013-09-29 14:33:24 +02:00			`s[key] = ipaddr`
fix typo in CSRF setting, fix pep8 issues 2013-11-01 04:22:53 +01:00			`s[key + '_timestamp'] = now()`
remove stale IPs from session, so we don't show outdated information could happen if there once was a IPv6 connection, but now is not any more. it now kills infos older than 3 minutes from the session. it also shows the age of the infos now on the hosts overview view (but not on home view due to cosmetic reasons). optimization: only request the fake images for ipv4/v6 detection if we don't have a fresh IP already. added example settings for using detectip on (ip6-)localhost 2013-11-01 04:03:34 +01:00			`logger.debug("detected %s: %s" % (key, ipaddr))`
debug ip detection problem 2013-09-29 14:41:47 +02:00			`s.save()`
Create 204 response in detect ip view 2013-10-18 00:11:04 +02:00			`return HttpResponse(status=204)`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

use AJAX to update view with current IPs, cosmetic changes, deal with v4 and v6 js separately 2013-11-01 06:03:36 +01:00			`def AjaxGetIps(request):`
			`"""`
			`Get the IP addresses of the client from the session via AJAX`
			`(so we don't need to reload the view in case we just invalidated stale IPs`
			`and triggered new detection).`

			`:param request: django request object`
			`:return: HttpResponse object`
			`"""`
			`response = dict(`
			`ipv4=request.session['ipv4'],`
			`ipv6=request.session['ipv6'],`
			`)`
			`logger.debug("ajax_get_ips response: %r" % (response, ))`
			`return HttpResponse(json.dumps(response), content_type='application/json')`


verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`def basic_challenge(realm, content='Authorization Required'):`
			`"""`
			`Construct a 401 response requesting http basic auth.`

			`:param realm: realm string (displayed by the browser)`
			`:param content: request body content`
			`:return: HttpResponse object`
			`"""`
api: use Response() more often 2013-10-03 19:38:07 +02:00			`response = Response(content)`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`response['WWW-Authenticate'] = 'Basic realm="%s"' % (realm, )`
			`response.status_code = 401`
			`return response`


			`def basic_authenticate(auth):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`Get username and password from http basic auth string.`

			`:param auth: http basic auth string`
			`:return: username, password`
			`"""`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`authmeth, auth = auth.split(' ', 1)`
			`if authmeth.lower() != 'basic':`
			`return`
			`auth = auth.strip().decode('base64')`
			`username, password = auth.split(':', 1)`
			`return username, password`


implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`def check_api_auth(username, password):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`Check username and password against our database.`

			`:param username: http basic auth username (== fqdn)`
			`:param password: update password`
			`:return: True if authenticated, False otherwise.`
			`"""`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`fqdn = username`
fqdn fix 2013-09-29 18:15:15 +02:00			`hosts = Host.filter_by_fqdn(fqdn)`
store update_secret as salted sha1 (use crypto code from django), fix bug: we also need to catch NoAnswer, not just NXDOMAIN. NoAnswer == there is a record, but not of the type (A or AAAA) we requested. NXDOMAIN == there is no record at all. 2013-09-29 00:34:26 +02:00			`num_hosts = len(hosts)`
			`if num_hosts == 0:`
			`return False`
			`if num_hosts > 1:`
			`logging.error("fqdn %s has multiple entries" % fqdn)`
			`return False`
			`password_hash = hosts[0].update_secret`
			`return check_password(password, password_hash)`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00

implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`def check_session_auth(user, hostname):`
			`"""`
			`Check our database whether the hostname is owned by the user.`

			`:param user: django user object`
			`:param hostname: fqdn`
			`:return: True if hostname is owned by this user, False otherwise.`
			`"""`
fqdn fix 2013-09-29 18:15:15 +02:00			`fqdn = hostname`
			`hosts = Host.filter_by_fqdn(fqdn, created_by=user)`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`num_hosts = len(hosts)`
			`if num_hosts == 0:`
			`return False`
			`if num_hosts > 1:`
			`logging.error("fqdn %s has multiple entries" % fqdn)`
			`return False`
			`return True`


implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`def NicUpdateView(request):`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
			`dyndns2 compatible /nic/update API.`

			`Example URLs:`

			`Will request username (fqdn) and password (secret) from user,`
			`for interactive testing / updating:`
			`https://nsupdate.info/nic/update`

			`You can put it also into the url, so the browser will automatically`
			`send the http basic auth with the request:`
			`https://fqdn:secret@nsupdate.info/nic/update`

			`If the request does not come from the correct IP, you can give it as`
			`a query parameter, you can also give the hostname (then it won't use`
			`the username from http basic auth as the fqdn:`
			`https://fqdn:secret@nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4`
add docstrings 2013-09-29 15:59:16 +02:00
			`:param request: django request object`
			`:return: HttpResponse object`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`"""`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`hostname = request.GET.get('hostname')`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`agent = request.META.get('HTTP_USER_AGENT', 'unknown')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`auth = request.META.get('HTTP_AUTHORIZATION')`
			`if auth is None:`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`logger.warning('%s - received no auth [ua: %s]' % (hostname, agent, ))`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`return basic_challenge("authenticate to update DNS", 'noauth')`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`username, password = basic_authenticate(auth)`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`if not check_api_auth(username, password):`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`logger.info('%s - received bad credentials, username: %s [ua: %s]' % (hostname, username, agent, ))`
verify username (fqdn) and password (update secret) against the database, improve docstrings 2013-09-28 23:32:15 +02:00			`return basic_challenge("authenticate to update DNS", 'badauth')`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`if hostname is None:`
			`# as we use update_username == hostname, we can fall back to that:`
			`hostname = username`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`ipaddr = request.GET.get('myip')`
			`if ipaddr is None:`
			`ipaddr = request.META.get('REMOTE_ADDR')`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`if agent in settings.BAD_AGENTS:`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`logger.info('%s - received update from bad user agent [ua: %s]' % (hostname, agent, ))`
implement / configure logging to stderr, reorder actions for update api, so that a lot of info can be logged 2013-09-28 21:41:47 +02:00			`return Response('badagent')`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`return _update(hostname, ipaddr, agent)`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00

			`@login_required`
			`def AuthorizedNicUpdateView(request):`
			`"""`
			`similar to NicUpdateView, but the client is not a router or other dyndns client,`
			`but the admin browser who is currently logged into the nsupdate.info site.`

			`Example URLs:`

fix typo 2013-10-03 01:18:48 +02:00			`https://nsupdate.info/nic/update?hostname=fqdn&myip=1.2.3.4`
add docstrings 2013-09-29 15:59:16 +02:00
			`:param request: django request object`
			`:return: HttpResponse object`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`"""`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`agent = request.META.get('HTTP_USER_AGENT', 'unknown')`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`hostname = request.GET.get('hostname')`
			`if hostname is None:`
			`return Response('nohost')`
			`if not check_session_auth(request.user, hostname):`
			`logger.info('%s - is not owned by user: %s' % (hostname, request.user.username, ))`
			`return Response('nohost')`
			`ipaddr = request.GET.get('myip')`
fixed dns api, so an empty myip get parameter is treated like no myip parameter used. made the update ip adr as ajax. 2013-09-29 23:34:07 +02:00			`if not ipaddr:`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00			`ipaddr = request.META.get('REMOTE_ADDR')`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`return _update(hostname, ipaddr, agent)`
implemented authorized nic update view (via admin session) 2013-09-29 02:42:20 +02:00

add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`def _update(hostname, ipaddr, agent='unknown'):`
add dnspython issue URL and TODO 2013-10-03 17:25:10 +02:00			`ipaddr = str(ipaddr) # bug in dnspython: crashes if ipaddr is unicode, wants a str!`
			`# https://github.com/rthalley/dnspython/issues/41`
			`# TODO: reproduce and submit traceback to issue 41`
added logic for last_api_update. field updated with Hosts.poke() method 2013-09-29 21:00:08 +02:00			`hosts = Host.filter_by_fqdn(hostname)`
			`num_hosts = len(hosts)`
			`if num_hosts == 0:`
			`return False`
			`if num_hosts > 1:`
			`logging.error("fqdn %s has multiple entries" % hostname)`
			`return False`
separate ipv4 and v6 update timestamps 2013-10-27 13:09:46 +01:00			`kind = check_ip(ipaddr, ('ipv4', 'ipv6'))`
			`hosts[0].poke(kind)`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`try:`
			`update(hostname, ipaddr)`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`logger.info('%s - received good update -> ip: %s [ua: %s]' % (hostname, ipaddr, agent))`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return Response('good %s' % ipaddr)`
			`except SameIpError:`
add useragent to api / authorized update logging 2013-11-02 02:39:25 +01:00			`logger.warning('%s - received no-change update, ip: %s [ua: %s]' % (hostname, ipaddr, agent))`
implemented update api (still without checking the DB), misc. cleanups 2013-09-28 20:35:30 +02:00			`return Response('nochg %s' % ipaddr)`