def radius_test():
    """Probe the configured RADIUS server and report the outcome via ``flash``.

    The result of ``test_connection`` is only surfaced as a flash message;
    the view always redirects back to the RADIUS configuration page.
    """
    radius = Provider().radius()
    if radius.test_connection():
        flash('Connection established!', 'success')
    else:
        # The backend's own error text is shown verbatim to the (config page) user.
        flash('RADIUS Response: {0}'.format(radius.error_message), 'error')
    return redirect(url_for('config.radius'))
def login():
    """Render the login form, or send an already authenticated user home.

    ``multiauth`` is handed to the template so it can show an auth-method
    selector; it is only true when both LDAP and RADIUS are enabled.
    The ``next`` query parameter is passed through to the template as-is
    (it is validated at redirect time, not here).
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    radius = provider.radius()
    both_external_enabled = ldap.enabled and radius.enabled
    next_url = request.args.get('next', '')
    return render_template('auth/login.html', next=next_url, multiauth=both_external_enabled)
def __auth_radius(username, password):
    """Authenticate ``username``/``password`` against the configured RADIUS server.

    Returns a ``(result, error_message)`` pair, where ``result`` is whatever
    ``radius.authenticate`` returned and ``error_message`` is the backend's
    last error text (empty when nothing went wrong).
    """
    radius = Provider().radius()
    outcome = radius.authenticate(username, password)
    return outcome, radius.error_message
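def _is_safe_redirect_target(target):
    """Return True when ``target`` is a relative, same-origin redirect target.

    Rejects anything carrying a scheme (``javascript:``, ``http:``) or an
    authority (``//evil.example``), and also the slash/backslash-prefixed
    forms such as ``///evil.example`` or ``\\\\evil.example`` that urlsplit
    reports as host-less but browsers resolve to a foreign host.
    """
    if not target:
        return False
    parts = urllib.parse.urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Two leading slash-like characters turn the "path" into an authority in
    # browsers (WHATWG "special authority ignore slashes" parsing), so reject
    # them even though urlsplit reports an empty netloc.
    return not (target[0] in '/\\' and len(target) > 1 and target[1] in '/\\')


def login_process():
    """Handle the POSTed login form: local, LDAP or RADIUS auth, then 2FA/redirect.

    Order of evaluation:
      * local auth is tried first, unless both LDAP and RADIUS are enabled
        (``multiauth``) and the user picked a different method;
      * LDAP and RADIUS are tried only when local auth did not succeed and
        the selected method (or single enabled method) allows it;
      * on first successful external login a local user record is created
        together with its base DNS zone;
      * disabled accounts are rejected after the credential check, users
        with 2FA are sent to the OTP step, everyone else is logged in.

    Redirects to ``next`` only when it is a relative, same-origin target;
    otherwise to ``home.index``. Every failure path flashes an error and
    redirects back to ``auth.login``.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    username = request.form['username'].strip()
    # NOTE(review): stripping the password silently alters the credential
    # (passwords with leading/trailing whitespace can never match). Kept as-is
    # because existing accounts may have been created through the same
    # stripping path — confirm before changing.
    password = request.form['password'].strip()
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())

    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    radius = provider.radius()
    zones = provider.dns_zones()

    # If more than one external methods are defined, the user has to specify which one they want to authenticate
    # against, as we won't be trying each and every one until we get a hit. If only one method is enabled (ie LDAP) then
    # LOCAL auth will be tried first and then it will try LDAP.
    multiauth = ldap.enabled and radius.enabled
    auth = request.form['auth'].strip().lower() if 'auth' in request.form else ''
    login_result = False
    fullname = ''
    email = ''

    if (multiauth is False) or (multiauth is True and auth == 'local'):
        auth = 'local'  # For when multiauth = False.
        login_result = __auth_local(username, password)

    if (login_result is False) and ldap.enabled:
        if (multiauth is False) or (multiauth is True and auth == 'ldap'):
            auth = 'ldap'
            ldap_result, error_message = __auth_ldap(username, password)
            if ldap_result is False:
                # NOTE(review): the backend error text is flashed verbatim to the
                # unauthenticated user; confirm __auth_ldap does not expose
                # server internals here.
                error_message = error_message if len(error_message) > 0 else 'Invalid credentials'
                flash(error_message, 'error')
                return redirect(url_for('auth.login', next=next_url))
            elif ldap_result['result'] == ldap.AUTH_SUCCESS:
                login_result = True
                fullname = ldap_result['user']['fullname'].lower()
                email = ldap_result['user']['email'].lower()
            elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
                if ldap.pwchange:
                    # The change-password view is expected to validate these
                    # session markers (username + timestamp) before acting.
                    session['ldap_username'] = username
                    session['ldap_time'] = int(time.time())
                    flash('Your LDAP password has expired or needs changing', 'error')
                    return redirect(url_for('auth.ldap_changepwd', next=next_url))
                else:
                    flash('Your LDAP password has expired or needs changing', 'error')
                    return redirect(url_for('auth.login', next=next_url))
            elif ldap_result['result'] == ldap.AUTH_LOCKED:
                flash('Your AD account is disabled', 'error')
                return redirect(url_for('auth.login', next=next_url))
            else:
                flash('Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))

    if (login_result is False) and radius.enabled:
        if (multiauth is False) or (multiauth is True and auth == 'radius'):
            auth = 'radius'
            radius_result, error_message = __auth_radius(username, password)
            if radius_result is False:
                error_message = error_message if len(error_message) > 0 else 'Invalid credentials'
                flash(error_message, 'error')
                return redirect(url_for('auth.login', next=next_url))
            login_result = radius_result
            fullname = username.lower()
            email = ''

    if login_result is False:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Check to see if the user exists. This will return false only if it's the first login of an external user.
    user = users.find_user_login(username)
    if not user:
        # NOTE(review): the externally verified password is handed to
        # users.save() for the new local record. Whether it is persisted
        # (and how it is hashed) is not visible here — confirm the external
        # credential is not stored in clear text.
        user = users.save(0, username.lower(), password, fullname.lower(), email.lower(), False, auth, True)
        if not user:
            flash('Could not create external user: {0}'.format(users.last_error), 'error')
            return redirect(url_for('auth.login', next=next_url))

        # Now create the default zone for that user.
        # NOTE(review): if this fails the user record already exists, so on the
        # next login this branch is skipped and the base zone is never retried.
        if not zones.create_user_base_zone(user):
            flash('User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.', 'error')
            return redirect(url_for('auth.login', next=next_url))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Forward to 2FA validation if it's enabled.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next_url))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow ``next`` when it cannot take the user off this origin; the
    # previous netloc-only check let scheme-bearing and ///host targets through.
    if _is_safe_redirect_target(next_url):
        return redirect(next_url)

    return redirect(url_for('home.index'))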