def run(self, name):
"""Creates the group."""
name = unicode(name.decode(encoding=u'utf-8'))
group = Group.get_or_create(name=name)
db_session.add(group)
db_session.commit()
sys.stdout.write(u'Group {0:s} created\n'.format(name))
def run(self, name):
"""Creates the group."""
if not isinstance(name, six.text_type):
name = codecs.decode(name, 'utf-8')
group = Group.get_or_create(name=name)
db_session.add(group)
db_session.commit()
sys.stdout.write('Group {0:s} created\n'.format(name))
def run(self, name):
"""Creates the group."""
if not isinstance(name, six.text_type):
name = codecs.decode(name, 'utf-8')
group = Group.get_or_create(name=name)
db_session.add(group)
db_session.commit()
sys.stdout.write('Group {0:s} created\n'.format(name))
def _create_group(self, name, user):
"""Create a user in the database.
Args:
name: Group name
user: A user (instance of timesketch.models.user.User)
Returns:
A group (instance of timesketch.models.user.Group)
"""
group = Group.get_or_create(name=name)
user.groups.append(group)
self._commit_to_database(group)
return group
def _create_group(self, name, user):
"""Create a user in the database.
Args:
name: Group name
user: A user (instance of timesketch.models.user.User)
Returns:
A group (instance of timesketch.models.user.Group)
"""
group = Group.get_or_create(name=name)
user.groups.append(group)
self._commit_to_database(group)
return group
def login():
"""Handler for the login page view.
There are three ways of authentication.
1) Google Cloud Identity-Aware Proxy.
2) If Single Sign On (SSO) is enabled in the configuration and the
environment variable is present, e.g. REMOTE_USER then the system will
get or create the user object and setup a session for the user.
3) Local authentication is used if SSO login is not enabled. This will
authenticate the user against the local user database.
Returns:
Redirect if authentication is successful or template with context
otherwise.
"""
# Google OpenID Connect authentication.
if current_app.config.get('GOOGLE_OIDC_ENABLED', False):
hosted_domain = current_app.config.get('GOOGLE_OIDC_HOSTED_DOMAIN')
return redirect(get_oauth2_authorize_url(hosted_domain))
# Google Identity-Aware Proxy authentication (using JSON Web Tokens)
if current_app.config.get('GOOGLE_IAP_ENABLED', False):
encoded_jwt = request.environ.get('HTTP_X_GOOG_IAP_JWT_ASSERTION',
None)
if encoded_jwt:
expected_audience = current_app.config.get('GOOGLE_IAP_AUDIENCE')
expected_issuer = current_app.config.get('GOOGLE_IAP_ISSUER')
algorithm = current_app.config.get('GOOGLE_IAP_ALGORITHM')
url = current_app.config.get('GOOGLE_IAP_PUBLIC_KEY_URL')
try:
public_key = get_public_key_for_jwt(encoded_jwt, url)
decoded_jwt = decode_jwt(encoded_jwt, public_key, algorithm,
expected_audience)
validate_jwt(decoded_jwt, expected_issuer)
email = decoded_jwt.get('email')
if email:
user = User.get_or_create(username=email, name=email)
login_user(user)
except (ImportError, NameError, UnboundLocalError):
raise
except (JwtValidationError, JwtKeyError, Exception) as e: # pylint: disable=broad-except
current_app.logger.error('{}'.format(e))
# SSO login based on environment variable, e.g. REMOTE_USER.
if current_app.config.get('SSO_ENABLED', False):
remote_user_env = current_app.config.get('SSO_USER_ENV_VARIABLE',
'REMOTE_USER')
sso_group_env = current_app.config.get('SSO_GROUP_ENV_VARIABLE', None)
remote_user = request.environ.get(remote_user_env, None)
if remote_user:
user = User.get_or_create(username=remote_user, name=remote_user)
login_user(user)
# If we get groups from the SSO system create the group(s) in
# Timesketch and add/remove the user from it.
if sso_group_env:
groups_string = request.environ.get(sso_group_env, '')
separator = current_app.config.get('SSO_GROUP_SEPARATOR', ';')
not_member_sign = current_app.config.get(
'SSO_GROUP_NOT_MEMBER_SIGN', None)
for group_name in groups_string.split(separator):
remove_group = False
if not_member_sign:
remove_group = group_name.startswith(not_member_sign)
group_name = group_name.lstrip(not_member_sign)
# Get or create the group in the Timesketch database.
group = Group.get_or_create(name=group_name)
if remove_group:
if group in user.groups:
user.groups.remove(group)
else:
if group not in user.groups:
user.groups.append(group)
# Commit the changes to the database.
db_session.commit()
# Login form POST
form = UsernamePasswordForm()
if form.validate_on_submit:
user = User.query.filter_by(username=form.username.data).first()
if user:
if user.check_password(plaintext=form.password.data):
login_user(user)
# Log the user in and setup the session.
if current_user.is_authenticated:
return redirect(request.args.get('next') or '/')
return render_template('login.html', form=form)
def login():
"""Handler for the login page view.
There are three ways of authentication.
1) Google Cloud Identity-Aware Proxy.
2) If Single Sign On (SSO) is enabled in the configuration and the
environment variable is present, e.g. REMOTE_USER then the system will
get or create the user object and setup a session for the user.
3) Local authentication is used if SSO login is not enabled. This will
authenticate the user against the local user database.
Returns:
Redirect if authentication is successful or template with context
otherwise.
"""
# Google OpenID Connect authentication.
if current_app.config.get('GOOGLE_OIDC_ENABLED', False):
hosted_domain = current_app.config.get('GOOGLE_OIDC_HOSTED_DOMAIN')
return redirect(get_oauth2_authorize_url(hosted_domain))
# Google Identity-Aware Proxy authentication (using JSON Web Tokens)
if current_app.config.get('GOOGLE_IAP_ENABLED', False):
encoded_jwt = request.environ.get(
'HTTP_X_GOOG_IAP_JWT_ASSERTION', None)
if encoded_jwt:
expected_audience = current_app.config.get('GOOGLE_IAP_AUDIENCE')
expected_issuer = current_app.config.get('GOOGLE_IAP_ISSUER')
algorithm = current_app.config.get('GOOGLE_IAP_ALGORITHM')
url = current_app.config.get('GOOGLE_IAP_PUBLIC_KEY_URL')
try:
public_key = get_public_key_for_jwt(encoded_jwt, url)
validated_jwt = validate_jwt(
encoded_jwt, public_key, algorithm, expected_audience,
expected_issuer)
email = validated_jwt.get('email')
if email:
user = User.get_or_create(username=email, name=email)
login_user(user)
except (ImportError, NameError, UnboundLocalError): # pylint: disable=try-except-raise
raise
except (JwtValidationError, JwtKeyError, Exception) as e: # pylint: disable=broad-except
current_app.logger.error('{}'.format(e))
# SSO login based on environment variable, e.g. REMOTE_USER.
if current_app.config.get('SSO_ENABLED', False):
remote_user_env = current_app.config.get('SSO_USER_ENV_VARIABLE',
'REMOTE_USER')
sso_group_env = current_app.config.get('SSO_GROUP_ENV_VARIABLE', None)
remote_user = request.environ.get(remote_user_env, None)
if remote_user:
user = User.get_or_create(username=remote_user, name=remote_user)
login_user(user)
# If we get groups from the SSO system create the group(s) in
# Timesketch and add/remove the user from it.
if sso_group_env:
groups_string = request.environ.get(sso_group_env, '')
separator = current_app.config.get('SSO_GROUP_SEPARATOR', ';')
not_member_sign = current_app.config.get(
'SSO_GROUP_NOT_MEMBER_SIGN', None)
for group_name in groups_string.split(separator):
remove_group = False
if not_member_sign:
remove_group = group_name.startswith(not_member_sign)
group_name = group_name.lstrip(not_member_sign)
# Get or create the group in the Timesketch database.
group = Group.get_or_create(name=group_name)
if remove_group:
if group in user.groups:
user.groups.remove(group)
else:
if group not in user.groups:
user.groups.append(group)
# Commit the changes to the database.
db_session.commit()
# Login form POST
form = UsernamePasswordForm()
if form.validate_on_submit:
user = User.query.filter_by(username=form.username.data).first()
if user:
if user.check_password(plaintext=form.password.data):
login_user(user)
# Log the user in and setup the session.
if current_user.is_authenticated:
return redirect(request.args.get('next') or '/')
return render_template('user/login.html', form=form)
def login():
"""Handler for the login page view.
There are two ways of authentication.
1) If Single Sign On (SSO) is enabled in configuration and the environment
variable is present, e.g. REMOTE_USER then the system will get or create
the user object and setup a session for the user.
2) Local authentication is used if SSO login is not enabled. This will
authenticate the user against the local user database.
Returns:
Redirect if authentication is successful or template with context
otherwise.
"""
form = UsernamePasswordForm()
# SSO login based on environment variable, e.g. REMOTE_USER.
if current_app.config.get(u'SSO_ENABLED', False):
remote_user_env = current_app.config.get(u'SSO_USER_ENV_VARIABLE',
u'REMOTE_USER')
sso_group_env = current_app.config.get(u'SSO_GROUP_ENV_VARIABLE', None)
remote_user = request.environ.get(remote_user_env, None)
if remote_user:
user = User.get_or_create(username=remote_user, name=remote_user)
login_user(user)
# If we get groups from the SSO system create the group(s) in
# Timesketch and add/remove the user from it.
if sso_group_env:
groups_string = request.environ.get(sso_group_env, u'')
separator = current_app.config.get(u'SSO_GROUP_SEPARATOR', u';')
not_member_sign = current_app.config.get(
u'SSO_GROUP_NOT_MEMBER_SIGN', None)
for group_name in groups_string.split(separator):
remove_group = False
if not_member_sign:
remove_group = group_name.startswith(not_member_sign)
group_name = group_name.lstrip(not_member_sign)
# Get or create the group in the Timesketch database.
group = Group.get_or_create(name=group_name)
if remove_group:
if group in user.groups:
user.groups.remove(group)
else:
if group not in user.groups:
user.groups.append(group)
# Commit the changes to the database.
db_session.commit()
# Login form POST
if form.validate_on_submit:
user = User.query.filter_by(username=form.username.data).first()
if user:
if user.check_password(plaintext=form.password.data):
login_user(user)
if current_user.is_authenticated:
return redirect(request.args.get(u'next') or u'/')
return render_template(u'user/login.html', form=form)
def login():
"""Handler for the login page view.
There are two ways of authentication.
1) If Single Sign On (SSO) is enabled in configuration and the environment
variable is present, e.g. REMOTE_USER then the system will get or create
the user object and setup a session for the user.
2) Local authentication is used if SSO login is not enabled. This will
authenticate the user against the local user database.
Returns:
Redirect if authentication is successful or template with context
otherwise.
"""
form = UsernamePasswordForm()
# SSO login based on environment variable, e.g. REMOTE_USER.
if current_app.config.get(u'SSO_ENABLED', False):
remote_user_env = current_app.config.get(
u'SSO_USER_ENV_VARIABLE', u'REMOTE_USER')
sso_group_env = current_app.config.get(
u'SSO_GROUP_ENV_VARIABLE', None)
remote_user = request.environ.get(remote_user_env, None)
if remote_user:
user = User.get_or_create(username=remote_user, name=remote_user)
login_user(user)
# If we get groups from the SSO system create the group(s) in
# Timesketch and add/remove the user from it.
if sso_group_env:
groups_string = request.environ.get(sso_group_env, u'')
separator = current_app.config.get(
u'SSO_GROUP_SEPARATOR', u';')
not_member_sign = current_app.config.get(
u'SSO_GROUP_NOT_MEMBER_SIGN', None)
for group_name in groups_string.split(separator):
remove_group = False
if not_member_sign:
remove_group = group_name.startswith(not_member_sign)
group_name = group_name.lstrip(not_member_sign)
# Get or create the group in the Timesketch database.
group = Group.get_or_create(name=group_name)
if remove_group:
if group in user.groups:
user.groups.remove(group)
else:
if group not in user.groups:
user.groups.append(group)
# Commit the changes to the database.
db_session.commit()
# Login form POST
if form.validate_on_submit:
user = User.query.filter_by(username=form.username.data).first()
if user:
if user.check_password(plaintext=form.password.data):
login_user(user)
if current_user.is_authenticated:
return redirect(request.args.get(u'next') or u'/')
return render_template(u'user/login.html', form=form)
def create_group(group_name):
"""Create a group."""
group = Group.get_or_create(name=group_name)
db_session.add(group)
db_session.commit()
print(f"Group created: {group_name}")
