def cli_zones_import(file, user_id):
    """Import DNS zones from *file* on behalf of the user with id *user_id*.

    Every problem is printed to stdout; returns ``True`` on success and
    ``False`` otherwise.
    """
    provider = Provider()
    import_manager = provider.dns_import()
    owner = provider.users().get_user(user_id)
    if not owner:
        print("Could not find user with ID: {0}".format(user_id))
        return False

    # Only zone import files are accepted by this command.
    import_type = import_manager.identify(file)
    if import_type != import_manager.IMPORT_TYPE_ZONE:
        print("Invalid import file: {0}".format(import_manager.last_error))
        return False

    data = import_manager.review(file, import_type, owner.id, show_progressbar=True)
    if not data:
        print("Could not load file: {0}".format(import_manager.last_error))
        return False

    row_errors = data['errors']
    if len(row_errors) > 0:
        # Report every per-row problem before giving up.
        table = [[err['row'], err['error']] for err in row_errors]
        print(tabulate.tabulate(table, ['row', 'error']))
        return False

    result = import_manager.run(data['data'], import_type, owner.id, show_progressbar=True)
    if result:
        return True
    # NOTE(review): a non-empty result is treated as success above, so this loop
    # only ever sees an empty/falsy result — confirm what run() returns on failure.
    for error in result:
        print(error)
    return False
def export():
    """Export the DNS log rows matching the current search request as a CSV download."""
    provider = Provider()
    search = provider.search()
    logs = provider.dns_logs()
    users = provider.users()

    # The file is named after the current epoch second.
    basename = '{0}.csv'.format(int(time.time()))
    download_filename = 'snitch_logs_' + basename
    save_results_as = users.get_user_data_path(current_user.id, filename=basename)

    # Re-run the search without pagination so every matching row is exported.
    results = search.search_from_request(request, paginate=False, method='get')
    rows = results['results']

    if not logs.save_results_csv(rows, save_results_as, overwrite=True):
        flash('Could not generate CSV file.', 'error')
        return redirect(url_for('logs.index'))

    # attachment_filename was renamed download_name in Flask 2.0 — keep whichever
    # matches the installed Flask version.
    return send_file(save_results_as, attachment_filename=download_filename, as_attachment=True)
def login_2fa():
    """Render the second-factor (OTP) prompt for a user who passed the password step.

    The pending user id and the time it was stored are read from the session;
    the page is only valid for 120 seconds after that timestamp.
    """
    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    users = Provider().users()

    pending_id = int(session['otp_userid']) if 'otp_userid' in session else 0
    otp_time = int(session['otp_time']) if 'otp_time' in session else 0

    # This page is valid for 2 minutes after the password step.
    expired = int(time.time()) > (otp_time + 120)
    if pending_id <= 0 or expired:
        session.pop('otp_userid', None)
        session.pop('otp_time', None)
        return redirect(url_for('auth.login', next=next_url))

    if not users.get_user(pending_id):
        return redirect(url_for('auth.login', next=next_url))

    return render_template('auth/login_2fa.html', next=request.args.get('next', ''))
def user_save(user_id):
    """Create or update a user from the submitted admin form (admins only).

    Elsewhere in this file ``users.save`` is called with a ``user_id`` of 0 to
    create a new user; the same call is used here for both cases.
    """
    if not current_user.admin:
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))

    form = request.form

    def text_field(name):
        # A missing text field is treated as the empty string.
        return form[name].strip() if name in form else ''

    username = text_field('username')
    password = text_field('password')
    full_name = text_field('full_name')
    email = text_field('email')
    # int() raises ValueError on a non-numeric value; absent flags default to 0.
    admin = int(form.get('admin', 0))
    ldap = int(form.get('ldap', 0))
    active = int(form.get('active', 0))

    users = Provider().users()
    if not users.save(user_id, username, password, full_name, email, admin, ldap, active):
        flash(users.get_last_error(), 'error')
        return redirect(url_for('admin.user_edit', user_id=user_id))

    flash('User saved', 'success')
    return redirect(url_for('admin.users'))
def index():
    """Home page: search results, or the installer / login page when appropriate."""
    # Deliberately not @login_required: a fresh install has no users yet, and
    # the first visit must be able to reach the administrator-setup page.
    provider = Provider()
    zones = provider.dns_zones()
    users = provider.users()

    if users.count() == 0:
        # Looks like we need to set up the administrator.
        return redirect(url_for('install.index'))
    if not current_user.is_authenticated:
        return redirect(url_for('auth.login'))

    results = provider.search().search_from_request(request)
    # None is passed for admins, an explicit id for everyone else — presumably
    # "all users" vs "own only"; confirm in aliases.get_dict().
    alias_owner = None if current_user.admin else current_user.id
    aliases = provider.aliases()

    return render_template(
        'home/index.html',
        results=results['results'],
        params=results['params'],
        page_url='home.index',
        zone_count=zones.count(user_id=current_user.id),
        aliases=aliases.get_dict(alias_owner),
    )
def logout():
    """End the user's recorded login session, log out of Flask-Login and go to the login page."""
    users = Provider().users()
    users.logout_session(current_user.id)
    logout_user()
    return redirect(url_for('auth.login'))
def ldap_changepwd():
    """Render the LDAP password-change page for the user pending in the session.

    The page is reachable for 120 seconds after ``ldap_time`` was stored; on any
    failure the pending session keys are cleared and the user is sent to login.
    """
    users = Provider().users()
    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    username = session.get('ldap_username', '')
    ldap_time = session.get('ldap_time', 0)

    def back_to_login():
        # Drop the pending password-change state before bouncing to the login page.
        session.pop('ldap_username', None)
        session.pop('ldap_time', None)
        return redirect(url_for('auth.login', next=next_url))

    if len(username) == 0:
        return back_to_login()
    if int(time.time()) > (ldap_time + 120):
        return back_to_login()
    if not users.get_ldap_user(username):
        return back_to_login()

    return render_template('auth/ldap_password.html', next=request.args.get('next', ''))
def save():
    """Create the initial administrator from the installer form.

    Refuses to run once any user exists, so the installer cannot be replayed.
    """
    users = Provider().users()
    if users.get_user_count() > 0:
        flash('Application has already been configured.', 'error')
        return redirect(url_for('home.index'))

    field_names = ('username', 'password', 'full_name', 'email')
    values = [request.form[name].strip() for name in field_names]
    username, password, full_name, email = values
    if any(len(value) == 0 for value in values):
        flash('Please fill in all the fields', 'error')
        return redirect(url_for('install.index'))

    # Positional flags are admin=1, ldap=0, active=1: a local, enabled administrator.
    if not users.save(0, username, password, full_name, email, 1, 0, 1):
        flash('Could not create user - make sure the database file is writable', 'error')
        return redirect(url_for('install.index'))

    flash('Please login as the newly created administrator', 'success')
    return redirect(url_for('home.index'))
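def login_process():
    """Handle the login form: local users first, then LDAP when enabled and allowed.

    Unknown user and wrong password both produce the same 'Invalid credentials'
    message. After a successful login the ``next`` parameter is followed only
    when it is a relative URL (no host and no scheme).
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()
    settings = provider.settings()

    username = request.form['username']
    password = request.form['password']
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())
    allow_logins = int(settings.get('allow_logins', 0))

    def failed_login():
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    def find_user(is_ldap):
        # Case-insensitive username match; the ldap column separates local and LDAP accounts.
        return UserModel.query.filter(
            and_(
                func.lower(UserModel.username) == func.lower(username),
                UserModel.ldap == is_ldap,
            )
        ).first()

    # First check if user is local. Local users take priority.
    user = find_user(0)
    if user:
        if not users.validate_password(user.password, password):
            return failed_login()
    elif ldap.is_enabled() and allow_logins == 1:
        if not ldap.authenticate(username, password, True):
            return failed_login()
        # The third argument presumably asks authenticate() to create the local
        # record for the LDAP user — confirm; the lookup below relies on it.
        user = find_user(1)
        if not user:
            flash('Could not create your local account. Please contact the administrator.', 'error')
            return redirect(url_for('auth.login', next=next_url))
    else:
        return failed_login()

    # If we reach this point it means that our user exists. Check if the user is active.
    # NOTE(review): this is an identity check against False, so an integer 0 in
    # the column would not be caught — confirm the column type.
    if user.active is False:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative 'next' target. Checking netloc alone stops
    # redirects to other hosts, but a scheme-only URL such as 'javascript:...'
    # or 'mailto:...' has an empty netloc and would pass, so the scheme must be
    # empty as well.
    target = url_parse(next_url)
    if next_url and target.netloc == '' and target.scheme == '':
        return redirect(next_url)
    return redirect(url_for('home.index'))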
def __auth_local(username, password):
    """Return True when *password* matches the stored password of the local user *username*."""
    users = Provider().users()
    user = users.find_user_login(username, 'local')
    return bool(user and users.validate_password(user.password, password))
def index():
    """Show the installer page unless a user already exists."""
    users = Provider().users()
    if users.get_user_count() > 0:
        flash('Application has already been configured.', 'error')
        return redirect(url_for('home.index'))
    return render_template('install/index.html')
def user_logins():
    """Render the login history obtained with get_user_logins(0).

    The admin blueprint's logins() view in this file passes the same 0 and
    guards itself with a current_user.admin check.
    """
    # NOTE(review): no admin check is visible here — confirm a before_request
    # hook or decorator restricts this route.
    history = Provider().users().get_user_logins(0)
    return render_template('config/system/users/logins.html', logins=history)
def logins():
    """Admin-only view of the login history obtained with get_user_logins(0)."""
    if not current_user.admin:
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))
    history = Provider().users().get_user_logins(0)
    return render_template('admin/users/logins.html', logins=history)
def settings(user_id):
    """Render the account settings page; only the account owner may view it."""
    if current_user.id != user_id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))
    user = Provider().users().get_by_id(current_user.id)
    return render_template('account/settings.html', user=user)
def logins(user_id):
    """Render the login history of *user_id*; only the account owner may view it."""
    if current_user.id != user_id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))
    history = Provider().users().get_user_logins(user_id)
    return render_template('account/logins.html', logins=history)
def profile():
    """Render the general profile page for the logged-in user."""
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    # True when an LDAP email attribute mapping is configured.
    has_email_mapping = len(ldap.mapping_email) > 0
    complexity = users.password_complexity.get_requirement_description()
    return render_template(
        'config/account/profile/general.html',
        user=users.get_user(current_user.id),
        has_email_mapping=has_email_mapping,
        password_complexity=complexity,
    )
def cli_users_update(username, password, full_name, email, active, admin, ldap, update_password):
    """Update an existing user from the CLI.

    ``active``/``admin``/``ldap`` are string flags ('true'/'yes' mean on); ``None``
    keeps the user's current value. When ``update_password`` is set and
    ``password`` is empty, a local (non-LDAP) user is prompted interactively;
    only that interactively typed value is complexity-checked and hashed.
    """
    users = Provider().users()
    user = users.find_user_login(username, None)
    if not user:
        print("Could not find user")
        return False

    def flag(value, current):
        # None means "leave unchanged"; otherwise only 'true'/'yes' enable the flag.
        return current if value is None else (value in ['true', 'yes'])

    active = flag(active, user.active)
    admin = flag(admin, user.admin)
    ldap = flag(ldap, user.ldap)

    if not update_password:
        # Keep the stored password value as-is.
        password = user.password

    # A prompt is only needed for a local user whose new password was not given on
    # the command line. If the user entered the password manually it's in plaintext,
    # so that is also the only case that is complexity-checked and hashed.
    prompt_needed = bool(update_password) and len(password) == 0 and not ldap
    if prompt_needed:
        password = click.prompt('Password', hide_input=True, confirmation_prompt=True)

    # NOTE(review): a password supplied on the command line is saved with
    # hash_password=False, i.e. stored as given — confirm callers pass a hash.
    user = users.save(user.id, username, password, full_name, email, admin, ldap, active,
                      check_complexity=prompt_needed, hash_password=prompt_needed)
    if not user:
        print(users.last_error)
        return False

    print("User updated")
    return True
def index():
    """Show the installer page with the password requirements, unless a user already exists."""
    provider = Provider()
    users = provider.users()
    complexity = provider.password_complexity()
    if users.get_user_count() > 0:
        flash('Application has already been configured.', 'error')
        return redirect(url_for('home.index'))
    return render_template(
        'install/index.html',
        complexity=complexity.get_requirement_description(),
    )
def profile(user_id=None):
    """Render the profile page; ``user_id`` defaults to the logged-in user and may be no one else."""
    if user_id is None:
        user_id = current_user.id
    elif user_id != current_user.id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))
    user = Provider().users().get_by_id(user_id)
    return render_template('config/account/profile.html', user=user)
def index(user_id):
    """Render the account overview; requires login and only the account owner may view it."""
    if not current_user.is_authenticated:
        return redirect(url_for('auth.login'))
    if current_user.id != user_id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))
    user = Provider().users().get_by_id(current_user.id)
    return render_template('account/index.html', user=user)
def profile():
    """Render the general profile page, including the auth type name and the LDAP password-change flag."""
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    user = users.get_user(current_user.id)
    auth_type_name = users.get_authtype(id=user.auth_type_id).name
    return render_template(
        'config/account/profile/general.html',
        user=user,
        has_email_mapping=(len(ldap.mapping_email) > 0),
        password_complexity=users.password_complexity.get_requirement_description(),
        auth_type=auth_type_name.lower(),
        ldap_pwdchange=ldap.pwchange,
    )
def profile_2fa():
    """Render the two-factor setup page with a freshly generated OTP secret."""
    users = Provider().users()
    secret_on_file = current_user.otp_secret
    twofa_enabled = secret_on_file is not None and len(secret_on_file) > 0
    otp = users.otp_new(current_user)
    # Save the secret into the session to prevent users from setting their own during the request.
    session['otp'] = otp['secret']
    return render_template(
        'config/account/profile/2fa.html',
        twofa_enabled=twofa_enabled,
        otp_secret=otp['secret'],
        otp_uri=otp['uri'],
    )
def theme():
    """Render the theme picker with the available theme files and the user's current choice."""
    provider = Provider()
    users = provider.users()
    filesystem = provider.filesystem()
    user_settings = provider.user_settings()
    settings = provider.settings()

    user = users.get_by_id(current_user.id)
    # Theme names come from the files under static/css/themes.
    themes_dir = os.path.join(current_app.root_path, 'static', 'css', 'themes')
    themes = filesystem.get_files(themes_dir)
    # Per-user setting, falling back to the global setting, then to 'lumen'.
    default_theme = settings.get('theme', 'lumen')
    selected = user_settings.get(current_user.id, 'theme', default_theme)
    return render_template('config/account/theme.html', user=user, themes=themes, selected_theme=selected)
def ldap_changepwd_process():
    """Handle the LDAP password-change form for the user pending in the session.

    Validates the session state (username present, within 120 s, user exists),
    then the form (current password given, new passwords present and matching),
    and finally asks LDAP to change the password. Every outcome is a redirect.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    password = request.form['password'].strip()
    new_password = request.form['new_password'].strip()
    confirm_password = request.form['confirm_password'].strip()
    username = session.get('ldap_username', '')
    ldap_time = session.get('ldap_time', 0)

    def clear_pending():
        session.pop('ldap_username', None)
        session.pop('ldap_time', None)

    def back_to_login():
        clear_pending()
        return redirect(url_for('auth.login', next=next_url))

    def back_to_form(message):
        flash(message, 'error')
        # NOTE(review): this endpoint name carries no blueprint prefix, unlike
        # 'auth.login' — confirm it resolves.
        return redirect(url_for('ldap_changepwd', next=next_url))

    if len(username) == 0:
        return back_to_login()
    if int(time.time()) > (ldap_time + 120):
        return back_to_login()
    user = users.get_ldap_user(username)
    if not user:
        return back_to_login()

    if len(password) == 0:
        return back_to_form('Please enter your current password')
    if len(new_password) == 0 or len(confirm_password) == 0:
        return back_to_form('Please enter your new password')
    if new_password != confirm_password:
        return back_to_form('New passwords do not match')

    # The pending state is single-use: it is cleared before talking to LDAP.
    clear_pending()
    if not ldap.update_password_ad(user.username, password, new_password):
        flash('Could not update password', 'error')
        return redirect(url_for('auth.login', next=next_url))

    flash('Password updated - please login again', 'success')
    return redirect(url_for('auth.login', next=next_url))
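def login_2fa_process():
    """Verify the submitted OTP code and complete a login whose password step already passed.

    The pending user id / timestamp in the session are valid for 120 seconds.
    After a successful login the ``next`` parameter is followed only when it is
    a relative URL (no host and no scheme).
    """
    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    otp = request.form['otp'].strip()
    provider = Provider()
    users = provider.users()

    pending_id = int(session['otp_userid']) if 'otp_userid' in session else 0
    otp_time = int(session['otp_time']) if 'otp_time' in session else 0

    def clear_pending():
        session.pop('otp_userid', None)
        session.pop('otp_time', None)

    # This page is valid for 2 minutes.
    if pending_id <= 0 or int(time.time()) > (otp_time + 120):
        clear_pending()
        return redirect(url_for('auth.login', next=next_url))

    user = users.get_user(pending_id)
    if not user:
        return redirect(url_for('auth.login', next=next_url))

    # NOTE(review): no attempt counter is visible on this path; a short numeric
    # code benefits from lockout or rate limiting — confirm it exists upstream.
    if not users.otp_verify_user(user, otp):
        flash('Invalid Code', 'error')
        return redirect(url_for('auth.login_2fa', next=next_url))

    clear_pending()

    # If we reach this point it means that our user exists. Check if the user is active.
    # The original comment announced this check but did not make it; the check
    # and message mirror login_process().
    if user.active is False:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    user = users.login_session(user)
    login_user(user)
    # NOTE(review): login_process() also calls users.record_login(user.id) here;
    # this path does not — confirm whether login_session() covers it.

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative 'next' target. Checking netloc alone stops
    # redirects to other hosts, but a scheme-only URL such as 'javascript:...'
    # has an empty netloc and would pass, so the scheme must be empty as well.
    target = url_parse(next_url)
    if next_url and target.netloc == '' and target.scheme == '':
        return redirect(next_url)
    return redirect(url_for('home.index'))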
def cli_users_add(username, password, full_name, email, active, admin, ldap, create_zone):
    """Create a user from the CLI, optionally prompting for a password and creating their base zone.

    ``active``/``admin``/``ldap`` are string flags ('true'/'yes' mean on). When
    ``password`` is empty and the user is local (not LDAP) it is read
    interactively; only that typed value is complexity-checked and hashed.
    """
    provider = Provider()
    users = provider.users()
    zones = provider.dns_zones()

    enabled = ['true', 'yes']
    active = active in enabled
    admin = admin in enabled
    ldap = ldap in enabled

    # If it's an LDAP user, we don't need it.
    ask_for_password = len(password) == 0 and not ldap
    if ask_for_password:
        password = click.prompt('Password', hide_input=True, confirmation_prompt=True)

    # If the user entered the password manually it's in plaintext so we can check for complexity.
    user = users.save(0, username, password, full_name, email, admin, ldap, active,
                      check_complexity=ask_for_password, hash_password=ask_for_password)
    if not user:
        print(users.last_error)
        return False

    if create_zone and not zones.create_user_base_zone(user):
        print(
            'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.'
        )
        return False

    print("User created")
    return True
def theme(user_id):
    """Render the theme picker for *user_id*; only the account owner may view it."""
    if current_user.id != user_id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))

    provider = Provider()
    users = provider.users()
    filesystem = provider.filesystem()
    user_settings = provider.user_settings()
    settings = provider.settings()

    user = users.get_by_id(current_user.id)
    # Theme names come from the files under static/css/themes.
    themes_dir = os.path.join(current_app.root_path, 'static', 'css', 'themes')
    themes = filesystem.get_files(themes_dir)
    # Per-user setting, falling back to the global setting, then to 'lumen'.
    default_theme = settings.get('theme', 'lumen')
    selected = user_settings.get(user_id, 'theme', default_theme)
    return render_template('account/theme.html', user=user, themes=themes, selected_theme=selected)
def cli_users_list():
    """Print every user as a table on stdout; always returns True."""
    users = Provider().users()
    headers = ['id', 'username', 'full name', 'email', 'admin', 'active', 'ldap', '2fa']
    rows = [
        [u.id, u.username, u.full_name, u.email, u.admin, u.active, u.ldap, u.has_2fa()]
        for u in users.all()
    ]
    print(tabulate.tabulate(rows, headers))
    return True
def user_edit(user_id):
    """Render the user create/edit form; a ``user_id`` of 0 or less means a new user."""
    provider = Provider()
    users = provider.users()
    zones = provider.dns_zones()

    user = None
    if user_id <= 0:
        user_id = 0
    else:
        user = users.get_user(user_id)
        if not user:
            flash('Invalid User ID', 'error')
            return redirect(url_for('config.users'))

    complexity = users.password_complexity.get_requirement_description()
    return render_template(
        'config/system/users/edit.html',
        user_id=user_id,
        user=user,
        password_complexity=complexity,
        base_domain=zones.base_domain,
    )
def profile_2fa_save():
    """Enable or disable two-factor authentication for the logged-in user.

    With 2FA already on, a form ``action`` of 'disable' turns it off. Otherwise
    the submitted OTP code is checked against the secret that profile_2fa()
    stored in the session. Either change ends the user's login session.
    """
    users = Provider().users()

    def back_to_2fa_page(message=None):
        if message:
            flash(message, 'error')
        return redirect(url_for('config.profile_2fa'))

    if users.has_2fa(current_user.id):
        # This will be treated as a "disable 2fa" request.
        # NOTE(review): disabling only requires a logged-in session, with no
        # password or OTP re-check — consider requiring re-authentication.
        action = request.form.get('action', '')
        if action == 'disable':
            users.twofa_disable(current_user.id)
            users.logout_session(current_user.id)
            flash('Two Factor Authentication has been disabled. Please login again.')
            return redirect(url_for('auth.login'))
        return back_to_2fa_page()

    # This will be treated as an "enable 2fa" request.
    otp_code = request.form['otp'].strip()
    # The session secret is single-use: it is removed whether or not it verifies.
    otp_secret = session.pop('otp', '')

    if len(otp_secret) == 0:
        return back_to_2fa_page('Could not load OTP secret from session.')
    if len(otp_code) == 0:
        return back_to_2fa_page('OTP code is missing')
    if not users.otp_verify(otp_secret, otp_code):
        return back_to_2fa_page('Invalid OTP Code')
    if not users.twofa_enable(current_user.id, otp_secret):
        return back_to_2fa_page('Could not enable 2FA')

    users.logout_session(current_user.id)
    flash('Two Factor Authentication has been enabled. Please login again.')
    return redirect(url_for('auth.login'))