[base, komaz, utils, zamok] Factorisation de code via l'ajout de la methode blacklisted_ips

De plus, on rend le code plus jolie en prenant en compte l'ajout récent de méthodes dans lc_ldap.
2014-02-19 19:35:57 +01:00 · 2014-02-19 19:35:57 +01:00 · cd8ce5c729
commit cd8ce5c729
parent 63895c98d4
4 changed files with 37 additions and 39 deletions
--- a/gestion/gen_confs/firewall4/base.py
+++ b/gestion/gen_confs/firewall4/base.py
@ -3,7 +3,6 @@
 import os
 import sys
 import socket
-import netaddr

 import utils
 from utils import pretty_print, anim, OK, cprint
@ -96,7 +95,7 @@ class firewall(utils.firewall_tools) :
 #        for ip in ip_list:
 #            machine = self.conn.search(u"ipHostNumber=%s" % ip)
 #            # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
-#            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(config.blacklist_sanctions):
+#            if machine and set([bl['type'] for bl in machine[0].blacklist_actif() ]).intersection(config.blacklist_sanctions):
 #                try: self.ipset['blacklist']['hard'].add(ip)
 #                except IpsetError: pass
 #            else:
@ -112,15 +111,7 @@ class firewall(utils.firewall_tools) :
        if fill_ipset:
            anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['hard'])
            # On récupère la liste de toutes les ips blacklistés hard
-            bl_hard_ips = set(
-                str(ip) for ips in
-                [
-                    machine['ipHostNumber'] for machine in self.blacklisted_machines() if machine['ipHostNumber'] and reduce(lambda x,y: x or y, ( ip.value in netaddr.IPNetwork(n) for n in  config.NETs['all'] for ip in machine['ipHostNumber']))
-                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(config.blacklist_sanctions)
-                ]
-                for ip in ips
-            )
-
+            bl_hard_ips = self.blacklisted_ips(config.blacklist_sanctions, config.NETs['all'])
            self.ipset['blacklist']['hard'].restore(bl_hard_ips)
            print OK

--- a/gestion/gen_confs/firewall4/komaz.py
+++ b/gestion/gen_confs/firewall4/komaz.py
@ -298,7 +298,7 @@ class firewall(base.firewall_routeur):
 #        for ip in ip_list:
 #            machine = self.conn.search(u"ipHostNumber=%s" % ip)
 #            # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
-#            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(base.config.blacklist_sanctions_soft):
+#            if machine and set([bl['type'] for bl in machine[0].blacklist_actif() ]).intersection(base.config.blacklist_sanctions_soft):
 #                try: self.ipset['blacklist']['soft'].add(ip)
 #                except IpsetError: pass
 #            else:
@ -312,15 +312,7 @@ class firewall(base.firewall_routeur):
        if fill_ipset:
            anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['soft'])
            # On récupère la liste de toutes les ips blacklistés soft
-            bl_soft_ips = set(
-                str(ip) for ips in
-                [
-                    machine['ipHostNumber'] for machine in self.blacklisted_machines() if machine['ipHostNumber'] and reduce(lambda x,y: x or y, ( ip.value in base.netaddr.IPNetwork(n) for n in  base.config.NETs['all'] for ip in machine['ipHostNumber']))
-                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(base.config.blacklist_sanctions_soft)
-                ]
-                for ip in ips
-            )
-
+            bl_soft_ips = self.blacklisted_ips(base.config.blacklist_sanctions_soft, base.config.NETs['all'])
            self.ipset['blacklist']['soft'].restore(bl_soft_ips)
            print OK

@ -348,7 +340,7 @@ class firewall(base.firewall_routeur):
 #        for ip in ip_list:
 #            machine = self.conn.search(u"ipHostNumber=%s" % ip)
 #            # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
-#            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
+#            if machine and set([bl['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
 #                try: self.ipset['blacklist']['upload'].add(ip)
 #                except IpsetError: pass
 #            else:
@ -362,15 +354,7 @@ class firewall(base.firewall_routeur):
        if fill_ipset:
            anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload'])
            # On récupère la liste de toutes les ips blacklistés pour upload
-            bl_upload_ips = set(
-                str(ip) for ips in
-                [
-                    machine['ipHostNumber'] for machine in self.blacklisted_machines()
-                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(base.config.blacklist_bridage_upload)
-                ]
-                for ip in ips
-            )
-
+            bl_upload_ips = self.blacklisted_ips(base.config.blacklist_bridage_upload, base.config.NETs['all'])
            self.ipset['blacklist']['upload'].restore(bl_upload_ips)
            print OK

@ -446,13 +430,13 @@ class firewall(base.firewall_routeur):

            for machine in self.machines():
                for ip in machine['ipHostNumber']:
-                    if 'portTCPout' in machine.attrs.keys():
+                    if 'portTCPout' in machine:
                        add_ports(ip, machine, 'tcp', 'out')
-                    if 'portUDPout' in machine.attrs.keys():
+                    if 'portUDPout' in machine:
                        add_ports(ip, machine, 'udp', 'out')
-                    if 'portTCPin' in machine.attrs.keys():
+                    if 'portTCPin' in machine:
                        add_ports(ip, machine, 'tcp', 'in')
-                    if 'portUDPin' in machine.attrs.keys():
+                    if 'portUDPin' in machine:
                        add_ports(ip, machine, 'udp', 'in')

            self.add(table, chain, '-j REJECT')
--- a/gestion/gen_confs/firewall4/utils.py
+++ b/gestion/gen_confs/firewall4/utils.py
@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 import os
 import sys
+import netaddr

 if '/usr/scripts/' not in sys.path:
    sys.path.append('/usr/scripts/')
@ -58,11 +59,19 @@ class firewall_tools(object) :
        """Renvois la liste de toutes les machines"""
        if self._machines:
            return self._machines
+        # On utilise allMachinesAdherents car on a besoin que
+        # les machine.proprio() soit déjà peuplés. En effet, on regarde
+        # les blacklistes d'un proprio lorsque l'on regarde les blacklistes 
+        # d'une machine
        self._machines, self._adherents = self.conn.allMachinesAdherents()
+        self._adherents = [ adh for adh in self._adherents if adh.paiement_ok() ]
        return self._machines

    def adherents(self):
-        """Renvois la liste de tous les adhérents"""
+        """
+        Renvois la liste de tous les adhérents à jour de paiement
+        (car on suppose que la blackliste paiement est hard)
+        """
        if self._adherents:
            return self._adherents
        self._machines, self._adherents = self.conn.allMachinesAdherents()
@ -76,8 +85,22 @@ class firewall_tools(object) :
        self._blacklisted_machines = [ machine for machine in self.machines() if machine.blacklist_actif() ]
        return self._blacklisted_machines

+    def blacklisted_ips(self, blacklist_sanctions=None, nets=None):
+        """Renvois l'ensemble des ips des machines ayant une blacklist dans blacklist_sanctions et étant dans nets si spécifié"""
+        bl_ips = set()
+        for machine in self.blacklisted_machines():
+            if blacklist_sanctions is None or set(bl['type'] for bl in machine.blacklist_actif()).intersection(blacklist_sanctions):
+                for ip in machine['ipHostNumber']:
+                    if nets is None:
+                        bl_ips.add(str(ip))
+                    else:
+                        for net in nets:
+                            if ip in netaddr.IPNetwork(net):
+                                bl_ips.add(str(ip))
+        return bl_ips
+
    def blacklisted_adherents(self, excepts=[]):
-        """Renvois la liste de tous les adhérents ayant une blackliste active"""
+        """Renvois la liste de tous les adhérents ayant une blackliste active en ignorant les blacklist de excepts"""
        if self._blacklisted_adherents and self._blacklisted_adherents_type == set(excepts):
            return self._blacklisted_adherents
        self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(excepts), self.adherents())
--- a/gestion/gen_confs/firewall4/zamok.py
+++ b/gestion/gen_confs/firewall4/zamok.py
@ -102,8 +102,8 @@ class firewall(base.firewall):
            self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
            for net in base.config.NETs['all']:
                        self.add(table, chain, '-d %s -j RETURN' % net)
-            for adh in self.blacklisted_adherents(['paiement']):
-                if 'uidNumber' in adh.attrs.keys():
+            for adh in self.blacklisted_adherents():
+                if 'uidNumber' in adh:
                    self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
            print OK