ivanleoncz / pycaptive Goto Github PK

• scripts
• Puppet
• Jenkins

?

Werkzeug output (formatted):

FIRST SUCCESSFUL LOGIN

127.0.0.1 - - [13/Nov/2017 17:43:51] "GET /login HTTP/1.1" 200 -
MONGODB: login() has been called.
MONGODB: add_record() has been called.
IPTABLES: test_add_rule() has been called.
Table: <iptc.ip4tc.Table object at 0x7f1c53a7f668>
Chain: <iptc.ip4tc.Chain object at 0x7f1c53a7f0b8>
Rule: <iptc.ip4tc.Rule object at 0x7f1c53a7f8d0>
Match: <iptc.ip4tc.Match object at 0x7f1c53a7fa20>
Target: <iptc.ip4tc.Target object at 0x7f1c53a7f748>
127.0.0.1 - - [13/Nov/2017 17:43:59] "POST /login HTTP/1.1" 200 -

SCHEDULER: running!
MONGODB: del_records() has been called.
SCHEDULER: expired sessions - ['127.0.0.1']
IPTABLES: test_del_rule() has been called.
IPTABLES: Processing IP -> 127.0.0.1
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53a7fb70>
IPTABLES: Rule Found!
IPTABLES: Processing Match -> <iptc.ip4tc.Match object at 0x7f1c53a7f978>
IPTABLES: Match Found!
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53aa8898>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53aa8be0>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53aa8320>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53aa8d30>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53aa8e80>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53aa8fd0>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a40160>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a402b0>
Table: <iptc.ip4tc.Table object at 0x7f1c53a7f668>
Chain: <iptc.ip4tc.Chain object at 0x7f1c53aa8400>
SCHEDULER: removed rules - 1

SECOND SUCCESSFUL LOGIN

127.0.0.1 - - [13/Nov/2017 17:49:01] "GET /login HTTP/1.1" 200 -
MONGODB: login() has been called.
MONGODB: add_record() has been called.
IPTABLES: test_add_rule() has been called.
Table: <iptc.ip4tc.Table object at 0x7f1c53a7f668>
Chain: <iptc.ip4tc.Chain object at 0x7f1c53aa8400>
Rule: <iptc.ip4tc.Rule object at 0x7f1c52a40940>
Match: <iptc.ip4tc.Match object at 0x7f1c52a40588>
Target: <iptc.ip4tc.Target object at 0x7f1c52a40ac8>
127.0.0.1 - - [13/Nov/2017 17:49:08] "POST /login HTTP/1.1" 200 -

SCHEDULER: running!
MONGODB: del_records() has been called.
SCHEDULER: expired sessions - ['127.0.0.1']
IPTABLES: test_del_rule() has been called.
IPTABLES: Processing IP -> 127.0.0.1
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a49208>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a495f8>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a49780>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a49828>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a49978>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a49ac8>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c53ac8cc0>
IPTABLES: Processing Rule -> <iptc.ip4tc.Rule object at 0x7f1c52a40b70>
Table: <iptc.ip4tc.Table object at 0x7f1c53a7f668>
Chain: <iptc.ip4tc.Chain object at 0x7f1c53aa8400>

----> Can't find rule for the expired session (IP).... (???)

To improve:

• filenames
• directory names
• disposition of files

The search order and load of pycaptive.init is ready, but yet not integrated with the application modules.
One suggestion might be of, binding ini variable to app.config context to a variable like PYCAPTIVE.

Here's the pycaptive.ini search and load instruction associated to ini variable:

Configurations from pycaptive.ini, are going to be used throughout the application, to define behaviours and most importantly, settings according to user desire, considering its infrastructure definitions (NICs, networks, IP addresses, etc.)

1. Application entrypoint.
2. Define pycaptive.ini
3. App configuration (pycaptive.ini file).
4. wsgi.py for gunicorn execution via systemd

Current:

[2018-01-07 13:24:16.495511] REQUEST 127.0.0.1 GET http /login? 200 OK
[2018-01-07 13:24:25.253459] EVENT mongodb login:OK [glen]
[2018-01-07 13:24:25.264101] EVENT mongodb add_session:OK [127.0.0.1]
[2018-01-07 13:24:25.266333] EVENT iptables test_add_rule:OK [127.0.0.1]
[2018-01-07 13:24:25.266691] REQUEST 127.0.0.1 POST http /login? 200 OK
[2018-01-07 13:24:46.593739] EVENT scheduler expirer:RUNNING

Expected:

• EVENT: OK at the end of the line
• REQUEST: METHOD - RETURN - SCHEME - URL_PATH - IP - STATUS

[2018-01-07 13:24:16.495511] REQUEST GET 200 http /login? 127.0.0.1 OK
[2018-01-07 13:24:25.253459] EVENT mongodb login:[glen] OK
[2018-01-07 13:24:25.264101] EVENT mongodb add_session:[127.0.0.1] OK
[2018-01-07 13:24:25.266333] EVENT iptables test_add_rule:[127.0.0.1] OK
[2018-01-07 13:24:25.266691] REQUEST POST 200 http /login? 127.0.0.1 OK
[2018-01-07 13:24:46.593739] EVENT scheduler expirer:RUNNING

Should use this variable:

And not the old app.config structure:

There's already something written in Python, but with too much lines of code and some sort of templates, quit confusing to maintain. We need to get rid of this and use a more intelligent and human readable schema for generating configuration files for supportive services (Nginx, NETFILTER/iptables, etc.) using configurations defined on PyCaptive .ini file.

Basic OS setup (file creation, permissions, user creation, etc.) for pycaptive.ini file.

Traceback (most recent call last):
File "pycaptive_werkzeug.py", line 15, in
from app import app
File "/home/ivanlmj/git/PyCaptive/app/init.py", line 5, in
from app.modules import scheduler
File "/home/ivanlmj/git/PyCaptive/app/modules/scheduler.py", line 15, in
from app import log
ImportError: cannot import name 'log'

Verify and test import and export functions from cptool.

Verify the behavior of PyCaptive in face of multiple open sessions.

There must be created scripts for PyCaptive operation, contemplating the following topics:

• sessions (listing, destroying, etc.
• user database (load + dump)
• users (crud)

Describing IPTABLES/Netfilter and Squid3 configuration (mainly).

Concept:

After eliminating the firewall rules that allow internet access for authenticated sessions, there are established connections that are maintained on conntrack table. Those connections must be wiped, after eliminating the firewall rule for expired sessions.

Reference: http://conntrack-tools.netfilter.org/manual.html

conntrack is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events.

I see generated the file rules.v4 but no code to translate that to a sh file.

Besides all job that install.sh is doing, it is necessary to install all repo content on /opt.
Uninstall option should be capable of deleting the application directory from /opt.
Right permissions should be considered, in order to allow Systemd to manage pycaptive daemon, considering pycaptive user, of course.

Options considered for the task:

• rsync (excluding possible files/directories like .git, .gitignore, etc.)
• install (must verify if it covers with directories, besides file installation)

No reason for using Mongob on this case. SQlite will do the job of holding all the logic behind sessions.

Gunicorn expects an application object, instead of app, which is the reference for init.py from app directory. Basically, Gunicorn can't understand app.run().

Tip: maybe from app import app as application can do the trick.