This project is a prototype of a REST API backend for documenting simple Layer-3/Layer-4 network firewall rules. It should help administrators keep the desired state of these rules in one place and provide this information as a single source of truth. It was written by Jakob Wölfl as part of his bachelor's thesis.
The project was developed and tested with Python 3.11 and Django 4.2.6.
A corresponding prototype client is available here
1. Install required dependencies (for python-ldap). Debian:

   ```
   sudo apt install build-essential python3.11-dev libldap2-dev libsasl2-dev slapd ldap-utils tox lcov valgrind
   ```

2. Install Python packages:

   ```
   pip install -r requirements.txt
   ```

3. Generate Django `SECRET_KEY`:

   ```
   python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
   ```

   or use Djecrety to generate the key once.

4. Adapt the `.env` file. Replace `DJANGO_SECRET_KEY` in environment variables and change other values according to your needs.

5. Verify that your configured database is online and reachable.

6. Run Django migrations and create default FRC user groups and permissions (permissions are documented here):

   ```
   python manage.py migrate
   python manage.py create_frc_groups
   ```

7. Create Django superuser:

   ```
   python manage.py createsuperuser
   ```

8. Run Django development server:

   ```
   python manage.py runserver
   ```

1. Generate Django `SECRET_KEY`: either you have Django installed in your local Python environment and run step 3 from above, or you use Djecrety to generate the key once.

2. Adapt the `.env` file. Replace `DJANGO_SECRET_KEY` in environment variables and change other values according to your needs.

3. Build container:

   ```
   docker build -t frc-backend -f Dockerfile.prod .
   ```

We also provide a rudimentary docker-compose file for running the "production-ready" containers. The nginx configuration that is used inside the backend web container is located here. TLS configuration, for example, could be provided there.

Name | Default | Description |
---|---|---|
DJANGO_DEBUG | False | DEBUG |
DJANGO_ALLOWED_HOSTS | localhost | ALLOWED_HOSTS |
DJANGO_CORS_ALLOWED_ORIGINS | - | CORS_ALLOWED_ORIGINS |
DJANGO_SECRET_KEY | - | SECRET_KEY |
DJANGO_LANGUAGE_CODE | - | LANGUAGE_CODE |
DJANGO_TIME_ZONE | - | TIME_ZONE |
DJANGO_CSRF_TRUSTED_ORIGINS | - | CSRF_TRUSTED_ORIGINS |
DJANGO_JWT_ACCESS_TOKEN_LIFETIME_MINS | 5 | ACCESS_TOKEN_LIFETIME |
DJANGO_JWT_REFRESH_TOKEN_LIFETIME_HOURS | 24 | REFRESH_TOKEN_LIFETIME |
DJANGO_AUTH_LDAP_SERVER_URI | - | LDAP_SERVER_URI |
DJANGO_LDAP_TLS_REQUIRED | False | Enable TLS connection to LDAP server |
DJANGO_LDAP_CA_FILE_PATH | - | Path to CA-File of LDAP certificate |
DJANGO_AUTH_LDAP_BIND_DN | - | AUTH_LDAP_BIND_DN |
DJANGO_AUTH_LDAP_BIND_PASSWORD | - | AUTH_LDAP_BIND_PASSWORD |
DJANGO_LDAP_USER_BASE_DN | - | Base DN where user accounts reside |
DJANGO_LDAP_USER_FILTER | - | Filter for user accounts |
DJANGO_LDAP_GROUP_BASE_DN | - | Base DN where groups reside |
DJANGO_LDAP_GROUP_FILTER | - | Filter for groups |
DJANGO_AUTH_LDAP_USER_FLAGS_BY_GROUP | - | AUTH_LDAP_USER_FLAGS_BY_GROUP given as JSON |
DJANGO_LDAP_LOGGING_LEVEL | WARNING | https://django-auth-ldap.readthedocs.io/en/latest/logging.html |
DJANGO_DATABASE_URL | - | https://django-environ.readthedocs.io/en/latest/types.html#environ-env-db-url |
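
The security-relevant variables in the table above can be checked before deployment. The following is an added example, not part of this project's code: it parses `.env` text and flags weak values. The sample `.env` contents and function names are constructed, and it assumes `DJANGO_ALLOWED_HOSTS` is comma-separated and that `DJANGO_LDAP_TLS_REQUIRED` is what secures an `ldap://` connection.

```python
# Added example: pre-deployment audit of the .env values from the table above.
# The sample .env contents and the parsing are constructed for illustration.
from urllib.parse import urlparse


def parse_env(text):
    """Parse simple KEY=VALUE lines; ignore blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def is_true(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_env(env):
    """Return a list of findings for security-relevant settings."""
    findings = []
    key = env.get("DJANGO_SECRET_KEY", "")
    # Same thresholds as Django's own deploy check security.W009.
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        findings.append("DJANGO_SECRET_KEY missing or weak")
    if is_true(env.get("DJANGO_DEBUG", "False")):
        findings.append("DJANGO_DEBUG is enabled")
    hosts = env.get("DJANGO_ALLOWED_HOSTS", "localhost").split(",")
    if any(h.strip() == "*" for h in hosts):
        findings.append("DJANGO_ALLOWED_HOSTS contains wildcard")
    uri = env.get("DJANGO_AUTH_LDAP_SERVER_URI", "")
    tls = is_true(env.get("DJANGO_LDAP_TLS_REQUIRED", "False"))
    # Assumption: DJANGO_LDAP_TLS_REQUIRED protects ldap:// connections.
    if uri and urlparse(uri).scheme == "ldap" and not tls:
        findings.append("LDAP bind over ldap:// without TLS")
    return findings


WEAK_ENV = """\
DJANGO_DEBUG=True
DJANGO_ALLOWED_HOSTS=*
DJANGO_SECRET_KEY=changeme
DJANGO_AUTH_LDAP_SERVER_URI=ldap://ldap.example.org
"""
if __name__ == "__main__":
    for finding in audit_env(parse_env(WEAK_ENV)):
        print("FINDING:", finding)
```
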
- REST API Backend provides following components/functions:
  - Rule
    - Add new Rule
    - View all Rules
    - View specific Rule
    - Update specific Rule
    - Delete specific Rule
    - Import Rules from CSV
  - RuleSetRequest
    - Add new RuleSetRequest
    - View all RuleSetRequests
    - View specific RuleSetRequest
    - Approve/Refuse specific RuleSetRequest
  - Firewall
    - View all Firewalls
  - User
    - View all Users
  - Authentication
    - Tokenauthentication
    - JWT Authentication

For a comprehensive API description, visit the OpenAPI doc here or, when the application is running, at `/api/schema/`, `/api/schema/redoc/` or `/api/schema/swagger-ui/` (no custom descriptions and examples yet...).
All other functions are currently either not implemented or available to staff members via the admin panel.
This project is licensed under the MIT license. See LICENSE for more information.