feature/authz_netmask: finegrained netmask size per user: start to implement

flowspec/migrations/0004_auto_20250206_1442.py

+# Generated by Django 3.2.16 on 2025-02-06 14:42
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('flowspec', '0003_auto_20220310_1509'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='FoDExtraPermissionsModel',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+            ],
+            options={
+                'permissions': (('can_use_netmask31_in_rules', 'Can use net mask 31 and higher in rules'), ('can_use_netmask30_in_rules', 'Can use net mask 30 and higher in rules'), ('can_use_netmask29_in_rules', 'Can use net mask 29 and higher in rules'), ('can_use_netmask28_in_rules', 'Can use net mask 28 and higher in rules'), ('can_use_netmask27_in_rules', 'Can use net mask 27 and higher in rules'), ('can_use_netmask26_in_rules', 'Can use net mask 26 and higher in rules'), ('can_use_netmask25_in_rules', 'Can use net mask 25 and higher in rules'), ('can_use_netmask24_in_rules', 'Can use net mask 24 and higher in rules'), ('can_use_netmask23_in_rules', 'Can use net mask 23 and higher in rules'), ('can_use_netmask22_in_rules', 'Can use net mask 22 and higher in rules'), ('can_use_netmask21_in_rules', 'Can use net mask 21 and higher in rules'), ('can_use_netmask20_in_rules', 'Can use net mask 20 and higher in rules')),
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='route',
+            options={'verbose_name': 'Rulex', 'verbose_name_plural': 'Rules'},
+        ),
+        migrations.AlterField(
+            model_name='route',
+            name='applier',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.DO_NOTHING, to=settings.AUTH_USER_MODEL),
+        ),
+    ]

flowspec/models.py

@@ -24,6 +24,7 @@ from django.contrib.sites.models import Site
 from django.utils.translation import ugettext_lazy as _
 from django.urls import reverse
 from flowspec.tasks import *
+from django.contrib.auth.models import Permission
 
 from flowspec.helpers import send_new_mail, get_peer_techc_mails
 from utils import proxy as PR
@@ -806,6 +807,59 @@ class Route(models.Model):
 
 ##
 
+class FoDExtraPermissionsModel(models.Model):
+   # Model fields go here
+    class Meta:
+        # TODO: like this, only useful for IPV4:
+        permissions = (
+                        ( "can_use_netmask31_in_rules", "Can use net mask 31 and higher in rules"), 
+                        ( "can_use_netmask30_in_rules", "Can use net mask 30 and higher in rules"), 
+                        ( "can_use_netmask29_in_rules", "Can use net mask 29 and higher in rules"), 
+                        ( "can_use_netmask28_in_rules", "Can use net mask 28 and higher in rules"), 
+                        ( "can_use_netmask27_in_rules", "Can use net mask 27 and higher in rules"), 
+                        ( "can_use_netmask26_in_rules", "Can use net mask 26 and higher in rules"), 
+                        ( "can_use_netmask25_in_rules", "Can use net mask 25 and higher in rules"), 
+                        ( "can_use_netmask24_in_rules", "Can use net mask 24 and higher in rules"), 
+                        ( "can_use_netmask23_in_rules", "Can use net mask 23 and higher in rules"), 
+                        ( "can_use_netmask22_in_rules", "Can use net mask 22 and higher in rules"), 
+                        ( "can_use_netmask21_in_rules", "Can use net mask 21 and higher in rules"), 
+                        ( "can_use_netmask20_in_rules", "Can use net mask 20 and higher in rules"), 
+                      )
+
+    @classmethod
+    def test_can_use_netmask__inner(classhandle, permissions, min_netmasksize):
+      string1="can_use_netmask"
+      string2="_in_rules"
+      permissions = permissions.filter(codename__startswith=string1).filter(codename__endswith=string2)
+
+      for perm in permissions:
+        codename=perm.codename
+        logger.info("test_can_use_netmask(): codename="+str(codename))
+        netmask=codename[len(string1):]
+        netmask=netmask[0:len(netmask)-len(string2)]
+        logger.info("test_can_use_netmask(): => netmask="+str(netmask))
+        netmask=int(netmask)
+        if netmask < min_netmasksize:
+          min_netmasksize = netmask
+
+      return min_netmasksize
+
+    @classmethod
+    def test_can_use_netmask(classhandle, request):
+        # Individual permissions
+        permissions = Permission.objects.filter(user=request.user)
+        logger.info("test_can_use_netmask(): permissions1="+str(permissions))
+        min_netmasksize = classhandle.test_can_use_netmask__inner(permissions, 32)
+
+        # Permissions that the user has via a group
+        group_permissions = Permission.objects.filter(group__user=request.user)
+        logger.info("test_can_use_netmask(): permissions2="+str(group_permissions))
+        min_netmasksize = classhandle.test_can_use_netmask__inner(group_permissions, min_netmasksize)
+
+        logger.info("test_can_use_netmask(): => min_netmasksize="+str(min_netmasksize))
+
+##
+
 def send_message(msg, peer, route):
     ##    username = user.username
     ##b = beanstalkc.Connection()

flowspec/views.py

@@ -460,6 +460,8 @@ def edit_route(request, route_slug):
     applier = request.user.pk
     route_edit = get_object_or_404(Route, name=route_slug)
 
+    FoDExtraPermissionsModel.test_can_use_netmask(request)
+
     applier_peer_networks = []
     if request.user.is_superuser:
         applier_peer_networks = PeerRange.objects.all()