def save(self, name):
group = usergroup.Group(name)
list(hookmanager.trigger("HOOK_GROUPMANAGEMENT_GROUP_MODIFY", group))
old_permissions = env.auth.get_group_permissions(group)
permissions = self._make_permissions_from_parameters(old_permissions)
self.log_property_list_change("permissions", group, old_permissions,
permissions)
env.auth.set_group_permissions(group, permissions)
if env.auth.is_member_of(group, env.request.user):
env.request.user.permissions = env.auth.get_user_permissions(
env.request.user)
# Group memberships
if env.auth.can_manage_group_members():
users = set(
usergroup.User(i)
for i in env.request.parameters.getlist("member_object"))
self.log_property_list_change("users", group,
env.auth.get_group_members(group),
users)
env.auth.set_group_members(group, users)
return response.PrewikkaResponse({
"type": "reload",
"target": ".commonlisting"
})
def _make_job(self, res):
id, name, userid, schedule, ext_type, ext_id, base, runcnt, enabled, error_s = res
func = self._plugin_callback.get(ext_type)
if not func:
err = error.PrewikkaUserError(
N_("Invalid job extension"),
N_("Scheduled job with invalid extension type '%s'", ext_type))
elif error_s:
err = utils.json.loads(error_s)
else:
err = None
if ext_id:
ext_id = int(ext_id)
if base:
base = env.db.parse_datetime(base)
user = None
if userid:
user = usergroup.User(userid=userid)
return CronJob(int(id),
name,
schedule,
func,
base,
int(runcnt),
ext_type=ext_type,
ext_id=ext_id,
user=user,
error=err,
enabled=bool(int(enabled)))
def get_user(self, request):
info = self.get_user_info(request)
if not (info) or not (info.login) or self.autologin:
try:
login = self.__check_session(request)
except (SessionInvalid, SessionExpired):
if not self.autologin:
raise
else:
if not info or not info.login or login == info.login:
return usergroup.User(login)
else:
self.__delete_session(request)
user = self.authenticate(request, info)
self.__create_session(request, user)
list(hookmanager.trigger("HOOK_SESSION_CREATE", user))
is_admin = set(user.permissions) == usergroup.ALL_PERMISSIONS
env.log.info("User login with profile '%s'" %
("admin" if is_admin else "default"))
if "login_prevent_redirect" in env.request.web.arguments:
return user
raise RedirectionError(env.request.web.get_raw_uri(True), 303)
def modify(self):
self._object = user = usergroup.User(env.request.parameters.get("name", env.request.user.name))
if not env.request.parameters["language"] in localization.getLanguagesIdentifiers():
raise error.PrewikkaUserError(N_("Invalid Language"), N_("Specified language does not exist"), log_priority=log.WARNING)
list(hookmanager.trigger("HOOK_USERMANAGEMENT_USER_MODIFY", user))
if not env.request.parameters["timezone"] in localization.get_timezones():
raise error.PrewikkaUserError(N_("Invalid Timezone"), N_("Specified timezone does not exist"), log_priority=log.WARNING)
need_reload = False
user.begin_properties_change()
for param, reload in (("fullname", False), ("email", False), ("theme", True), ("language", True), ("timezone", False)):
if user == env.request.user and reload and env.request.parameters.get(param) != user.get_property(param):
need_reload = True
user.set_property(param, env.request.parameters.get(param))
if user == env.request.user:
user.set_locale()
user.commit_properties_change()
# Make sure nothing is returned (reset the default dataset)
env.request.dataset = None
if need_reload:
return response.PrewikkaDirectResponse({"type": "reload"})
return response.PrewikkaRedirectResponse(url_for(".display"), 303)
def initialization_fixtures(request):
"""
Main fixture for all tests: load Prewikka out of browser by setup
configuration.
Configuration and databases information are loaded through default testing file
or specific configuration file.
@pytest.fixture:
scope=session caching lifecycle of fixture, available during all tests of
the run
autouse=True activated for all tests that can see it
"""
# init IDMEF database
init_idmef_database(config.Config(TEST_CONFIG_FILE))
# init prewikka core with config file
core = main.Core.from_config(TEST_CONFIG_FILE, autoupdate=True)
# setup "env.request"
initial_request = FakeInitialRequest('/')
# load prewikka to setup all settings
core.process(initial_request)
# setup "env.request.web.input_cookie"
cookie = cookies.SimpleCookie()
cookie[str(
'sessionid'
)] = TEST_SESSION_ID # force str() type to avoid TypeError, works with both py2 and py3
env.request.web.input_cookie = dict(cookie.items())
# setup "env.request.dataset" and "env.request.parameters"
# used only when just a specific test is launched to prevent fails
env.request.dataset = {}
env.request.menu_parameters = {
'timeline_value': 0,
'timeline_unit': 'day',
'timeline_absolute': None,
'auto_apply_value': None
}
# setup "env.request.user"
env.request.user = usergroup.User('anonymous')
def tear_down():
"""
TearDown
- clean IDMEF database
- clean Prewikka database
- clean "downloads" directory
"""
clean_database(env.config.idmef_database)
clean_database(env.config.database)
clean_directory(TEST_DOWNLOAD_DIR)
request.addfinalizer(tear_down)
def delete(self):
if not env.request.user.has("USER_MANAGEMENT"):
raise error.PrewikkaUserError(
N_("Permission Denied"),
N_("Access denied to users modification"),
log_priority=log.WARNING)
for obj in env.request.parameters.getlist("id"):
usergroup.User(userid=obj).delete()
def logout(self, request):
login = self.__check_session(request)
self.__delete_session(request)
list(hookmanager.trigger("HOOK_SESSION_DELETE", usergroup.User(login)))
env.log.info("Logged out")
raise SessionInvalid(message=N_("Logged out"),
login=login,
log_priority=log.INFO,
template=self.template)
def edit(self, name=None, widget=True):
user = None
user_permissions = []
group_permissions = []
if not name:
target = url_for(".create")
else:
user = usergroup.User(name)
if not env.auth.has_user(user):
raise error.PrewikkaUserError(
_("Invalid User"),
N_("Requested user '%s' does not exist", user))
if user != env.request.user and not env.request.user.has(
"USER_MANAGEMENT"):
raise error.PrewikkaUserError(
_("Permission Denied"),
N_("Access denied to other users settings"),
log_priority=log.WARNING)
target = url_for(".save", name=name)
dset = self._setup_dataset(target, user)
if user:
dset["fullname"] = user.get_property("fullname")
dset["email"] = user.get_property("email")
dset["timezone"] = user.get_property(
"timezone", default=env.config.general.default_timezone)
dset["language"] = user.get_property(
"language", default=env.config.general.default_locale)
dset["user_theme"] = user.get_property(
"theme", default=env.config.general.default_theme)
user_permissions = env.auth.get_user_permissions(user,
ignore_group=True)
group_permissions = env.auth.get_user_permissions_from_groups(user)
dset["widget"] = widget
dset["ask_current_password"] = (user == env.request.user)
dset["permissions"] = []
for perm in sorted(usergroup.ACTIVE_PERMISSIONS):
dset["permissions"].append((perm, perm in user_permissions, perm
in group_permissions))
dset["extra_content"] = filter(
None,
hookmanager.trigger("HOOK_USERMANAGEMENT_EXTRA_CONTENT", user,
"user"))
return dset.render()
def get_user(self, request):
info = self.get_user_info(request)
if not(info) or not(info.login) or self.autologin:
try:
login = self.__check_session(request)
return usergroup.User(login)
except (SessionInvalid, SessionExpired):
if not self.autologin:
raise
user = self.authenticate(request, info)
self.__create_session(request, user)
is_admin = set(user.permissions) == usergroup.ALL_PERMISSIONS
env.log.info("User login with profile '%s'" % ("admin" if is_admin else "default"))
raise RedirectionError(env.request.web.get_raw_uri(True), 303)
def __check_session(self, request):
sessionid = request.input_cookie.get("sessionid")
if not sessionid:
# No session cookie sent by the browser
if request.is_xhr:
# In case of an AJAX request, we consider that
# the session cookie expired and was not sent.
raise SessionExpired(login=None, template=self.template)
else:
# Otherwise, we consider that the session cookie did not exist,
# and we don't display any message on the login page.
raise SessionInvalid(message="",
template=self.template,
log_priority=log.INFO)
sessionid = sessionid.value
try:
login, t = self._db.get_session(sessionid)
except:
request.delete_cookie("sessionid")
raise SessionInvalid(template=self.template)
# Check that the session is still alive...
now = int(time.time())
if now - t > self._expiration:
self.__delete_session(request)
raise SessionExpired(login, template=self.template)
# And that the user it carry still exist in the current authentication
# backend (which might have changed)
user = usergroup.User(login)
if not env.auth.has_user(user):
self.__delete_session(request)
raise SessionInvalid(login, template=self.template)
if (now - t) / 60 >= 5:
self._db.update_session(sessionid, now)
list(hookmanager.trigger("HOOK_SESSION_UPDATE", user))
self.__set_session(request, sessionid)
return login
def init(self, config):
adminuser = usergroup.User(config.get("initial_admin_user", usergroup.ADMIN_LOGIN))
adminpass = config.get("initial_admin_pass", usergroup.ADMIN_LOGIN)
deprecated_schemes = config.get("deprecated_password_schemes", "").split()
schemes = config.get("password_schemes", "sha256_crypt").split() + deprecated_schemes
try:
self._context = CryptContext(schemes=schemes, deprecated=deprecated_schemes)
except (KeyError, ValueError) as e:
raise error.PrewikkaUserError(N_("DBAuth initialization error"), e)
# If there are no accessible users other than ADMIN_LOGIN
# with administrative rights, we grant all permissions to ADMIN_LOGIN.
has_user_manager = any("USER_MANAGEMENT" in user.permissions and user != adminuser for user in self.get_user_list())
if not has_user_manager:
if not self.has_user(adminuser):
adminuser.create()
if not adminuser.has_property("password"):
self.set_password(adminuser, adminpass)
self.set_user_permissions(adminuser, usergroup.ALL_PERMISSIONS)
def create(self):
login = env.request.parameters.get("name")
if not login:
raise error.PrewikkaUserError(N_("Could not create user"),
N_("Username required"))
if login.startswith("/"):
raise error.PrewikkaUserError(
N_("Could not create user"),
N_("Username cannot start with a slash"))
user = usergroup.User(login)
if env.auth.has_user(user):
raise error.PrewikkaUserError(N_("Could not create user"),
N_("User %s already exists", login))
user.create()
self.save(login)
return response.PrewikkaResponse({
"type": "reload",
"target": ".commonlisting"
})
def authenticate(self, login, password="", no_password_check=False):
if login is None:
raise auth.AuthError(env.session, _("No login name provided"))
user = usergroup.User(login)
if not self.has_user(user):
raise auth.AuthError(env.session, log_user=login)
if not no_password_check:
try:
real_password = user.get_property_fail("password")
except:
raise auth.AuthError(env.session, log_user=user)
valid, new_hash = self._verify(password, real_password)
if not valid:
raise auth.AuthError(env.session, log_user=user)
if new_hash:
# Make sure the password uses the proper hashing algorithm
user.set_property("password", new_hash)
user.sync_properties()
return user
def get_user_list(self, search=None):
query = "SELECT name, userid FROM Prewikka_User"
if search:
query += " WHERE name LIKE %s" % self.escape("%%%s%%" % search)
return [usergroup.User(*r) for r in self.query(query)]
def get_group_members(self, group):
return [usergroup.User(*r) for r in self.query("SELECT PU.name, PUG.userid FROM Prewikka_User_Group PUG "
"JOIN Prewikka_User PU USING (userid) WHERE groupid = %s", group.id)]
def get_user_list(self, search=None):
return [usergroup.User("anonymous")]
def getUserByID(self, id_):
return usergroup.User("anonymous")
def save(self, name):
user = usergroup.User(name)
modify_self = env.request.user == user
if not env.auth.has_user(user):
raise error.PrewikkaUserError(N_("Invalid user"),
N_("Specified user does not exist"),
log_priority=log.WARNING)
if name != env.request.user.name and not env.request.user.has(
"USER_MANAGEMENT"):
raise error.PrewikkaUserError(
N_("Permission Denied"),
N_("Cannot modify other users settings"),
log_priority=log.WARNING)
if not env.request.parameters[
"language"] in localization.get_languages():
raise error.PrewikkaUserError(
N_("Invalid Language"),
N_("Specified language does not exist"),
log_priority=log.WARNING)
if not env.request.parameters[
"timezone"] in localization.get_timezones():
raise error.PrewikkaUserError(
N_("Invalid Timezone"),
N_("Specified timezone does not exist"),
log_priority=log.WARNING)
if "password_new" in env.request.parameters and env.request.parameters[
"password_new"] != env.request.parameters.get(
"password_new_confirmation"):
raise error.PrewikkaUserError(N_("Password error"),
N_("Password mismatch"))
reload_type = 0
for param, reload in (("fullname", "none"), ("email", "none"),
("timezone", "view"), ("theme", "window"),
("language", "window")):
value = env.request.parameters.get(param)
if value != user.get_property(param):
if value:
user.set_property(param, value)
else:
user.del_property(param)
if modify_self:
reload_type = max(reload_type, ReloadEnum[reload])
list(hookmanager.trigger("HOOK_USERMANAGEMENT_USER_MODIFY", user))
if env.request.user.has(
"USER_MANAGEMENT") and env.auth.can_manage_permissions():
permissions = self._make_permissions_from_parameters(
user.permissions)
if permissions != set(user.permissions):
old_perms = set(
env.auth.get_user_permissions(
user, ignore_group=True)).difference(
env.auth.get_user_permissions_from_groups(user))
user.permissions = permissions
self.log_property_list_change("permissions", user, old_perms,
permissions)
reload_type = max(
ReloadEnum["window"] if modify_self else
ReloadEnum[".commonlisting"], reload_type)
# Group memberships
if env.auth.can_manage_group_members():
groups = set(
usergroup.Group(i)
for i in env.request.parameters.getlist("member_object"))
if groups != set(env.auth.get_member_of(user)):
self.log_property_list_change("groups", user,
env.auth.get_member_of(user),
groups)
env.auth.set_member_of(user, groups)
reload_type = max(
ReloadEnum["window"] if modify_self else
ReloadEnum[".commonlisting"], reload_type)
if "password_new" in env.request.parameters:
if modify_self:
try:
env.auth.authenticate(
name,
env.request.parameters.get("password_current", ""))
except auth.AuthError:
raise error.PrewikkaUserError(
N_("Password error"), N_("Invalid password specified"))
env.auth.set_password(user, env.request.parameters["password_new"])
user.sync_properties()
if reload_type > ReloadEnum["none"]:
return response.PrewikkaResponse({
"type": "reload",
"target": reload_type.name
})
def authenticate(self, login, password="", no_password_check=False):
return usergroup.User("anonymous")
def has_user(self, other):
return usergroup.User("anonymous")
def get_user_by_id(self, id_):
return usergroup.User("anonymous")
def get_user_by_id(self, id_):
ret = self.query(
"SELECT name, userid FROM Prewikka_User WHERE userid = %s", id_)
return usergroup.User(*ret[0]) if ret else None
def init(self, config):
user = usergroup.User("anonymous")
if not auth.Auth.get_user_by_id(self, user.id):
self.create_user(user)
