def radius_test():
    """Probe the configured RADIUS server and report the outcome via flash.

    A successful ``test_connection`` flashes a confirmation; a failure flashes
    the backend's ``error_message``. Either way the browser is sent back to
    the RADIUS configuration page.
    """
    radius = Provider().radius()

    if radius.test_connection():
        flash('Connection established!', 'success')
    else:
        flash('RADIUS Response: {0}'.format(radius.error_message), 'error')

    return redirect(url_for('config.radius'))
def login():
    """Render the login form, or send an already-authenticated user home.

    ``multiauth`` is passed to the template so it can ask the user which
    external backend to use; it is only true when both LDAP and RADIUS are
    enabled. ``next`` is echoed from the query string so the POST handler can
    redirect back to it after a successful login.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap_backend = provider.ldap()
    radius_backend = provider.radius()
    multiauth = ldap_backend.enabled and radius_backend.enabled

    return render_template(
        'auth/login.html',
        next=request.args.get('next', ''),
        multiauth=multiauth,
    )
def __auth_radius(username, password):
    """Authenticate *username*/*password* against the configured RADIUS backend.

    Returns a ``(result, error_message)`` pair: ``result`` is whatever
    ``radius.authenticate`` returned, and ``error_message`` is the backend's
    error text read after the attempt (meaningful when ``result`` signals a
    failure).
    """
    backend = Provider().radius()
    outcome = backend.authenticate(username, password)
    return outcome, backend.error_message
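def login_process():
    """Handle the login form POST: authenticate, provision, then start a session.

    Authentication order is LOCAL, then LDAP, then RADIUS. When both LDAP and
    RADIUS are enabled ("multiauth") the form must name the method in the
    ``auth`` field and only that method is tried; an empty or unknown value
    then ends in "Invalid credentials". Otherwise LOCAL is tried first and the
    single enabled external method after it.

    Every failure path flashes an error and redirects back to the login page,
    carrying the ``next`` target along. On success a user record is created on
    the first external login (together with the user's base DNS zone), an
    inactive account is rejected, a 2FA user is diverted to the OTP step, and
    otherwise the session is established and the browser redirected.

    Returns:
        A Flask redirect response.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    username = request.form['username'].strip()
    password = request.form['password'].strip()

    # Named next_url so the builtin 'next' is not shadowed. A missing field
    # means "no target" rather than a 400 from a KeyError.
    next_url = urllib.parse.unquote_plus(request.form.get('next', '').strip())
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    radius = provider.radius()
    zones = provider.dns_zones()

    # If more than one external method is defined, the user has to specify which one they want to
    # authenticate against, as we won't be trying each and every one until we get a hit. If only one
    # method is enabled (ie LDAP) then LOCAL auth will be tried first and then it will try LDAP.
    # bool() so the branches below do not depend on the exact type of the backends' 'enabled'.
    multiauth = bool(ldap.enabled and radius.enabled)
    auth = request.form.get('auth', '').strip().lower()

    # Any non-truthy result is treated as a failed login throughout, so an
    # unexpected None from a backend cannot pass a gate that only checks 'is False'.
    login_result = False
    fullname = ''
    email = ''

    if not multiauth or auth == 'local':
        auth = 'local'  # For when multiauth = False.
        login_result = __auth_local(username, password)

    if not login_result and ldap.enabled:
        if not multiauth or auth == 'ldap':
            auth = 'ldap'
            ldap_result, error_message = __auth_ldap(username, password)
            if ldap_result is False:
                flash(error_message or 'Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))
            elif ldap_result['result'] == ldap.AUTH_SUCCESS:
                login_result = True
                fullname = ldap_result['user']['fullname'].lower()
                email = ldap_result['user']['email'].lower()
            elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
                if ldap.pwchange:
                    # Who is changing and when; presumably checked by the
                    # change-password step — confirm there.
                    session['ldap_username'] = username
                    session['ldap_time'] = int(time.time())
                    flash('Your LDAP password has expired or needs changing',
                          'error')
                    return redirect(url_for('auth.ldap_changepwd', next=next_url))
                flash('Your LDAP password has expired or needs changing',
                      'error')
                return redirect(url_for('auth.login', next=next_url))
            elif ldap_result['result'] == ldap.AUTH_LOCKED:
                flash('Your AD account is disabled', 'error')
                return redirect(url_for('auth.login', next=next_url))
            else:
                flash('Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))

    if not login_result and radius.enabled:
        if not multiauth or auth == 'radius':
            auth = 'radius'
            radius_result, error_message = __auth_radius(username, password)
            if not radius_result:
                flash(error_message or 'Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))
            login_result = True
            fullname = username.lower()
            email = ''

    # Fail closed: nothing below this line runs without a successful login.
    if not login_result:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Check to see if the user exists. This will return false only if it's the first login of an external user.
    # NOTE(review): the lookup uses the username as typed while the record is saved lower-cased —
    # confirm find_user_login is case-insensitive, otherwise a later mixed-case login re-creates the user.
    user = users.find_user_login(username)
    if not user:
        user = users.save(0, username.lower(), password, fullname, email, False, auth, True)
        if not user:
            flash(
                'Could not create external user: {0}'.format(users.last_error),
                'error')
            return redirect(url_for('auth.login', next=next_url))

        # Now create the default zone for that user.
        if not zones.create_user_base_zone(user):
            flash(
                'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.',
                'error')
            return redirect(url_for('auth.login', next=next_url))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Forward to 2FA validation if it's enabled.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next_url))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative "next" target that stays on this site. Besides an
    # authority (netloc) in the value, reject an explicit scheme and any
    # backslash: browsers re-resolve both of those forms as absolute URLs,
    # which would turn this into an open redirect.
    if next_url and '\\' not in next_url:
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)

    return redirect(url_for('home.index'))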