Commit 1de90b85 by Bach Dániel

firewall: add blacklist hook support

parent 9f8191f1
...@@ -563,3 +563,4 @@ CLIENT_DOWNLOAD_URL = get_env_variable('CLIENT_DOWNLOAD_URL', 'http://circleclou ...@@ -563,3 +563,4 @@ CLIENT_DOWNLOAD_URL = get_env_variable('CLIENT_DOWNLOAD_URL', 'http://circleclou
ADMIN_ENABLED = False ADMIN_ENABLED = False
BLACKLIST_PASSWORD = get_env_variable("BLACKLIST_PASSWORD", "") BLACKLIST_PASSWORD = get_env_variable("BLACKLIST_PASSWORD", "")
BLACKLIST_HOOK_URL = get_env_variable("BLACKLIST_HOOK_URL", "")
...@@ -18,9 +18,12 @@ ...@@ -18,9 +18,12 @@
from __future__ import absolute_import, unicode_literals from __future__ import absolute_import, unicode_literals
from datetime import timedelta from datetime import timedelta
from json import dumps
import logging import logging
from netaddr import AddrFormatError, IPAddress from netaddr import AddrFormatError, IPAddress
from requests import post
from requests.exceptions import RequestException
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.http import HttpResponse from django.http import HttpResponse
...@@ -36,6 +39,28 @@ from django.conf import settings ...@@ -36,6 +39,28 @@ from django.conf import settings
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
def send_request(obj):
data = {"ip": obj.ipv4,
"msg": obj.snort_message,
"reason": obj.reason,
"expires_at": str(obj.expires_at).split('.')[0],
"object_kind": "ban"}
if obj.host:
data.update({"hostname": obj.host.hostname,
"username": obj.host.owner.username,
"fullname": obj.host.owner.get_full_name()})
try:
r = post(settings.BLACKLIST_HOOK_URL, data=dumps(data, indent=2),
timeout=3)
r.raise_for_status()
except RequestException as e:
logger.warning("Error in HTTP POST: %s. url: %s params: %s",
str(e), settings.BLACKLIST_HOOK_URL, data)
else:
logger.info("Successful HTTP POST. url: %s params: %s",
settings.BLACKLIST_HOOK_URL, data)
@csrf_exempt @csrf_exempt
@require_POST @require_POST
def add_blacklist_item(request): def add_blacklist_item(request):
...@@ -48,7 +73,7 @@ def add_blacklist_item(request): ...@@ -48,7 +73,7 @@ def add_blacklist_item(request):
try: try:
address = request.POST.get('address') address = request.POST.get('address')
IPAddress(address, version=4) address_object = IPAddress(address, version=4)
except (AddrFormatError, TypeError) as e: except (AddrFormatError, TypeError) as e:
logger.warning("Invalid IP address: %s (%s)", address, str(e)) logger.warning("Invalid IP address: %s (%s)", address, str(e))
return HttpResponse(_("Invalid IP address.")) return HttpResponse(_("Invalid IP address."))
...@@ -56,13 +81,15 @@ def add_blacklist_item(request): ...@@ -56,13 +81,15 @@ def add_blacklist_item(request):
obj, created = BlacklistItem.objects.get_or_create(ipv4=address) obj, created = BlacklistItem.objects.get_or_create(ipv4=address)
if created: if created:
try: try:
obj.host = Host.objects.get(ipv4=address) db_format = '.'.join("%03d" % x for x in address_object.words)
obj.host = Host.objects.get(ipv4=db_format)
except Host.DoesNotExist: except Host.DoesNotExist:
pass pass
now = timezone.now() now = timezone.now()
can_update = ((obj.whitelisted and now > obj.expires_at) or can_update = ((obj.whitelisted and now > obj.expires_at) or
not obj.whitelisted) not obj.whitelisted)
is_new = created or (obj.expires_at and now > obj.expires_at)
if created or can_update: if created or can_update:
obj.reason = request.POST.get('reason') obj.reason = request.POST.get('reason')
...@@ -77,4 +104,7 @@ def add_blacklist_item(request): ...@@ -77,4 +104,7 @@ def add_blacklist_item(request):
elif can_update: elif can_update:
logger.info("Successfully modified blacklist item %s.", address) logger.info("Successfully modified blacklist item %s.", address)
if is_new and settings.BLACKLIST_HOOK_URL:
send_request(obj)
return HttpResponse(unicode(_("OK"))) return HttpResponse(unicode(_("OK")))
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment