Esempio n. 1
 def run(self, name):
     """Look up or create the group and commit it to the database.

     Args:
         name: Group name as a UTF-8 encoded byte string; it is decoded
             before being handed to Group.get_or_create.
     """
     decoded = name.decode(encoding=u'utf-8')
     group_name = unicode(decoded)
     created = Group.get_or_create(name=group_name)
     db_session.add(created)
     db_session.commit()
     message = u'Group {0:s} created\n'.format(group_name)
     sys.stdout.write(message)
Esempio n. 2
 def run(self, name):
     """Look up or create the group and commit it to the database.

     Args:
         name: Group name. Values that are not already text
             (six.text_type) are decoded as UTF-8; text is used unchanged.
     """
     group_name = (
         name if isinstance(name, six.text_type)
         else codecs.decode(name, 'utf-8'))
     created = Group.get_or_create(name=group_name)
     db_session.add(created)
     db_session.commit()
     message = 'Group {0:s} created\n'.format(group_name)
     sys.stdout.write(message)
Esempio n. 3
 def run(self, name):
     """Create (or fetch) the group via Group.get_or_create and commit it.

     Args:
         name: Group name; anything that is not six.text_type is decoded
             as UTF-8 first.
     """
     needs_decoding = not isinstance(name, six.text_type)
     if needs_decoding:
         name = codecs.decode(name, 'utf-8')
     db_session.add(Group.get_or_create(name=name))
     db_session.commit()
     # Report the decoded name on stdout once the commit has gone through.
     sys.stdout.write('Group {0:s} created\n'.format(name))
Esempio n. 4
 def _create_group(self, name, user):
     """Create a group in the database and add the user to it.

     Args:
         name: Group name
         user: A user (instance of timesketch.models.user.User)

     Returns:
         A group (instance of timesketch.models.user.Group)
     """
     new_group = Group.get_or_create(name=name)
     # Membership is recorded on the user side before the group is committed.
     user.groups.append(new_group)
     self._commit_to_database(new_group)
     return new_group
Esempio n. 5
    def _create_group(self, name, user):
        """Create a group in the database with the given user as a member.

        Args:
            name: Group name
            user: A user (instance of timesketch.models.user.User)

        Returns:
            A group (instance of timesketch.models.user.Group)
        """
        created = Group.get_or_create(name=name)
        members_groups = user.groups
        members_groups.append(created)
        # Commit only after the membership has been attached.
        self._commit_to_database(created)
        return created
Esempio n. 6
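def login():
    """Handler for the login page view.

    Authentication paths, evaluated in this order:
    1) Google OpenID Connect. When GOOGLE_OIDC_ENABLED is set the request is
       redirected to the OAuth2 authorize URL and nothing else runs.
    2) Google Cloud Identity-Aware Proxy. The JWT assertion found in the
       WSGI environment is validated and the user is taken from its email
       claim.
    3) If Single Sign On (SSO) is enabled in the configuration and the
       environment variable is present, e.g. REMOTE_USER then the system will
       get or create the user object and setup a session for the user.
    4) Local authentication against the local user database, evaluated only
       for a submitted and valid login form.

    Returns:
        Redirect if authentication is successful or template with context
        otherwise.
    """
    # Google OpenID Connect authentication.
    if current_app.config.get('GOOGLE_OIDC_ENABLED', False):
        hosted_domain = current_app.config.get('GOOGLE_OIDC_HOSTED_DOMAIN')
        return redirect(get_oauth2_authorize_url(hosted_domain))

    # Google Identity-Aware Proxy authentication (using JSON Web Tokens)
    if current_app.config.get('GOOGLE_IAP_ENABLED', False):
        encoded_jwt = request.environ.get('HTTP_X_GOOG_IAP_JWT_ASSERTION',
                                          None)
        if encoded_jwt:
            expected_audience = current_app.config.get('GOOGLE_IAP_AUDIENCE')
            expected_issuer = current_app.config.get('GOOGLE_IAP_ISSUER')
            # NOTE(review): algorithm, audience and issuer are None when the
            # settings are missing; confirm decode_jwt/validate_jwt reject
            # the token in that case instead of skipping the check.
            algorithm = current_app.config.get('GOOGLE_IAP_ALGORITHM')
            url = current_app.config.get('GOOGLE_IAP_PUBLIC_KEY_URL')
            try:
                public_key = get_public_key_for_jwt(encoded_jwt, url)
                decoded_jwt = decode_jwt(encoded_jwt, public_key, algorithm,
                                         expected_audience)
                validate_jwt(decoded_jwt, expected_issuer)
                email = decoded_jwt.get('email')
                if email:
                    user = User.get_or_create(username=email, name=email)
                    login_user(user)

            except (ImportError, NameError, UnboundLocalError):
                raise

            # Any other failure leaves the request unauthenticated; the
            # error is logged and the remaining login paths are tried.
            except (JwtValidationError, JwtKeyError, Exception) as e:  # pylint: disable=broad-except
                current_app.logger.error('{}'.format(e))

    # SSO login based on environment variable, e.g. REMOTE_USER.
    if current_app.config.get('SSO_ENABLED', False):
        remote_user_env = current_app.config.get('SSO_USER_ENV_VARIABLE',
                                                 'REMOTE_USER')
        sso_group_env = current_app.config.get('SSO_GROUP_ENV_VARIABLE', None)

        # NOTE(review): the value is trusted as the authenticated identity.
        # If the configured key is an HTTP_* entry (derived from a request
        # header), the fronting proxy has to strip it from client requests.
        remote_user = request.environ.get(remote_user_env, None)
        if remote_user:
            user = User.get_or_create(username=remote_user, name=remote_user)
            login_user(user)

            # If we get groups from the SSO system create the group(s) in
            # Timesketch and add/remove the user from it. This runs only for
            # the user the SSO layer just identified: without one, `user`
            # would be unbound or left over from the IAP branch above.
            if sso_group_env:
                groups_string = request.environ.get(sso_group_env, '')
                separator = current_app.config.get('SSO_GROUP_SEPARATOR', ';')
                not_member_sign = current_app.config.get(
                    'SSO_GROUP_NOT_MEMBER_SIGN', None)
                for group_name in groups_string.split(separator):
                    remove_group = False
                    if not_member_sign and group_name.startswith(
                            not_member_sign):
                        remove_group = True
                        # Drop the sign once as a prefix. str.lstrip() treats
                        # its argument as a character set and would also eat
                        # leading characters of the group name itself.
                        group_name = group_name[len(not_member_sign):]

                    # An empty groups string splits into [''], which must not
                    # become a group with an empty name.
                    if not group_name:
                        continue

                    # Get or create the group in the Timesketch database.
                    group = Group.get_or_create(name=group_name)

                    if remove_group:
                        if group in user.groups:
                            user.groups.remove(group)
                    elif group not in user.groups:
                        user.groups.append(group)
                # Commit the changes to the database.
                db_session.commit()

    # Login form POST. validate_on_submit has to be called: the bare bound
    # method is always truthy, which ran the password check on every request
    # and never applied the form's own validation.
    form = UsernamePasswordForm()
    if form.validate_on_submit():
        user = User.query.filter_by(username=form.username.data).first()
        if user and user.check_password(plaintext=form.password.data):
            login_user(user)

    # Log the user in and setup the session.
    if current_user.is_authenticated:
        # `next` is attacker-controllable, so only follow it when it is a
        # path on this site; anything else falls back to the front page.
        next_url = request.args.get('next') or '/'
        is_local_path = (
            next_url.startswith('/')
            and not next_url.startswith('//')
            and '\\' not in next_url
            and not any(ord(char) < 0x20 for char in next_url))
        return redirect(next_url if is_local_path else '/')

    return render_template('login.html', form=form)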
Esempio n. 7
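def login():
    """Handler for the login page view.

    Authentication paths, evaluated in this order:
    1) Google OpenID Connect. When GOOGLE_OIDC_ENABLED is set the request is
       redirected to the OAuth2 authorize URL and nothing else runs.
    2) Google Cloud Identity-Aware Proxy. The JWT assertion found in the
       WSGI environment is validated and the user is taken from its email
       claim.
    3) If Single Sign On (SSO) is enabled in the configuration and the
       environment variable is present, e.g. REMOTE_USER then the system will
       get or create the user object and setup a session for the user.
    4) Local authentication against the local user database, evaluated only
       for a submitted and valid login form.

    Returns:
        Redirect if authentication is successful or template with context
        otherwise.
    """
    # Google OpenID Connect authentication.
    if current_app.config.get('GOOGLE_OIDC_ENABLED', False):
        hosted_domain = current_app.config.get('GOOGLE_OIDC_HOSTED_DOMAIN')
        return redirect(get_oauth2_authorize_url(hosted_domain))

    # Google Identity-Aware Proxy authentication (using JSON Web Tokens)
    if current_app.config.get('GOOGLE_IAP_ENABLED', False):
        encoded_jwt = request.environ.get(
            'HTTP_X_GOOG_IAP_JWT_ASSERTION', None)
        if encoded_jwt:
            expected_audience = current_app.config.get('GOOGLE_IAP_AUDIENCE')
            expected_issuer = current_app.config.get('GOOGLE_IAP_ISSUER')
            # NOTE(review): algorithm, audience and issuer are None when the
            # settings are missing; confirm validate_jwt rejects the token in
            # that case instead of skipping the check.
            algorithm = current_app.config.get('GOOGLE_IAP_ALGORITHM')
            url = current_app.config.get('GOOGLE_IAP_PUBLIC_KEY_URL')
            try:
                public_key = get_public_key_for_jwt(encoded_jwt, url)
                validated_jwt = validate_jwt(
                    encoded_jwt, public_key, algorithm, expected_audience,
                    expected_issuer)
                email = validated_jwt.get('email')
                if email:
                    user = User.get_or_create(username=email, name=email)
                    login_user(user)

            except (ImportError, NameError, UnboundLocalError):  # pylint: disable=try-except-raise
                raise

            # Any other failure leaves the request unauthenticated; the
            # error is logged and the remaining login paths are tried.
            except (JwtValidationError, JwtKeyError, Exception) as e:  # pylint: disable=broad-except
                current_app.logger.error('{}'.format(e))

    # SSO login based on environment variable, e.g. REMOTE_USER.
    if current_app.config.get('SSO_ENABLED', False):
        remote_user_env = current_app.config.get('SSO_USER_ENV_VARIABLE',
                                                 'REMOTE_USER')
        sso_group_env = current_app.config.get('SSO_GROUP_ENV_VARIABLE', None)

        # NOTE(review): the value is trusted as the authenticated identity.
        # If the configured key is an HTTP_* entry (derived from a request
        # header), the fronting proxy has to strip it from client requests.
        remote_user = request.environ.get(remote_user_env, None)
        if remote_user:
            user = User.get_or_create(username=remote_user, name=remote_user)
            login_user(user)

            # If we get groups from the SSO system create the group(s) in
            # Timesketch and add/remove the user from it. This runs only for
            # the user the SSO layer just identified: without one, `user`
            # would be unbound or left over from the IAP branch above.
            if sso_group_env:
                groups_string = request.environ.get(sso_group_env, '')
                separator = current_app.config.get('SSO_GROUP_SEPARATOR', ';')
                not_member_sign = current_app.config.get(
                    'SSO_GROUP_NOT_MEMBER_SIGN', None)
                for group_name in groups_string.split(separator):
                    remove_group = False
                    if not_member_sign and group_name.startswith(
                            not_member_sign):
                        remove_group = True
                        # Drop the sign once as a prefix. str.lstrip() treats
                        # its argument as a character set and would also eat
                        # leading characters of the group name itself.
                        group_name = group_name[len(not_member_sign):]

                    # An empty groups string splits into [''], which must not
                    # become a group with an empty name.
                    if not group_name:
                        continue

                    # Get or create the group in the Timesketch database.
                    group = Group.get_or_create(name=group_name)

                    if remove_group:
                        if group in user.groups:
                            user.groups.remove(group)
                    elif group not in user.groups:
                        user.groups.append(group)
                # Commit the changes to the database.
                db_session.commit()

    # Login form POST. validate_on_submit has to be called: the bare bound
    # method is always truthy, which ran the password check on every request
    # and never applied the form's own validation.
    form = UsernamePasswordForm()
    if form.validate_on_submit():
        user = User.query.filter_by(username=form.username.data).first()
        if user and user.check_password(plaintext=form.password.data):
            login_user(user)

    # Log the user in and setup the session.
    if current_user.is_authenticated:
        # `next` is attacker-controllable, so only follow it when it is a
        # path on this site; anything else falls back to the front page.
        next_url = request.args.get('next') or '/'
        is_local_path = (
            next_url.startswith('/')
            and not next_url.startswith('//')
            and '\\' not in next_url
            and not any(ord(char) < 0x20 for char in next_url))
        return redirect(next_url if is_local_path else '/')

    return render_template('user/login.html', form=form)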
Esempio n. 8
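def login():
    """Handler for the login page view.

    There are two ways of authentication.
    1) If Single Sign On (SSO) is enabled in configuration and the environment
       variable is present, e.g. REMOTE_USER then the system will get or create
       the user object and setup a session for the user.
    2) Local authentication against the local user database, evaluated only
       for a submitted and valid login form.

    Returns:
        Redirect if authentication is successful or template with context
        otherwise.
    """
    form = UsernamePasswordForm()

    # SSO login based on environment variable, e.g. REMOTE_USER.
    if current_app.config.get(u'SSO_ENABLED', False):
        remote_user_env = current_app.config.get(u'SSO_USER_ENV_VARIABLE',
                                                 u'REMOTE_USER')
        sso_group_env = current_app.config.get(u'SSO_GROUP_ENV_VARIABLE', None)

        # NOTE(review): the value is trusted as the authenticated identity.
        # If the configured key is an HTTP_* entry (derived from a request
        # header), the fronting proxy has to strip it from client requests.
        remote_user = request.environ.get(remote_user_env, None)
        if remote_user:
            user = User.get_or_create(username=remote_user, name=remote_user)
            login_user(user)

            # If we get groups from the SSO system create the group(s) in
            # Timesketch and add/remove the user from it. This runs only for
            # the user the SSO layer just identified; without one, `user` is
            # unbound and the request failed with an UnboundLocalError.
            if sso_group_env:
                groups_string = request.environ.get(sso_group_env, u'')
                separator = current_app.config.get(
                    u'SSO_GROUP_SEPARATOR', u';')
                not_member_sign = current_app.config.get(
                    u'SSO_GROUP_NOT_MEMBER_SIGN', None)
                for group_name in groups_string.split(separator):
                    remove_group = False
                    if not_member_sign and group_name.startswith(
                            not_member_sign):
                        remove_group = True
                        # Drop the sign once as a prefix. str.lstrip() treats
                        # its argument as a character set and would also eat
                        # leading characters of the group name itself.
                        group_name = group_name[len(not_member_sign):]

                    # An empty groups string splits into [''], which must not
                    # become a group with an empty name.
                    if not group_name:
                        continue

                    # Get or create the group in the Timesketch database.
                    group = Group.get_or_create(name=group_name)

                    if remove_group:
                        if group in user.groups:
                            user.groups.remove(group)
                    elif group not in user.groups:
                        user.groups.append(group)
                # Commit the changes to the database.
                db_session.commit()

    # Login form POST. validate_on_submit has to be called: the bare bound
    # method is always truthy, which ran the password check on every request
    # and never applied the form's own validation.
    if form.validate_on_submit():
        user = User.query.filter_by(username=form.username.data).first()
        if user and user.check_password(plaintext=form.password.data):
            login_user(user)

    if current_user.is_authenticated:
        # `next` is attacker-controllable, so only follow it when it is a
        # path on this site; anything else falls back to the front page.
        next_url = request.args.get(u'next') or u'/'
        is_local_path = (
            next_url.startswith(u'/')
            and not next_url.startswith(u'//')
            and u'\\' not in next_url
            and not any(ord(char) < 0x20 for char in next_url))
        return redirect(next_url if is_local_path else u'/')

    return render_template(u'user/login.html', form=form)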
Esempio n. 9
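def login():
    """Handler for the login page view.

    There are two ways of authentication.
    1) If Single Sign On (SSO) is enabled in configuration and the environment
       variable is present, e.g. REMOTE_USER then the system will get or create
       the user object and setup a session for the user.
    2) Local authentication against the local user database, evaluated only
       for a submitted and valid login form.

    Returns:
        Redirect if authentication is successful or template with context
        otherwise.
    """
    form = UsernamePasswordForm()

    # SSO login based on environment variable, e.g. REMOTE_USER.
    if current_app.config.get(u'SSO_ENABLED', False):
        remote_user_env = current_app.config.get(
            u'SSO_USER_ENV_VARIABLE', u'REMOTE_USER')
        sso_group_env = current_app.config.get(
            u'SSO_GROUP_ENV_VARIABLE', None)

        # NOTE(review): the value is trusted as the authenticated identity.
        # If the configured key is an HTTP_* entry (derived from a request
        # header), the fronting proxy has to strip it from client requests.
        remote_user = request.environ.get(remote_user_env, None)
        if remote_user:
            user = User.get_or_create(username=remote_user, name=remote_user)
            login_user(user)

            # If we get groups from the SSO system create the group(s) in
            # Timesketch and add/remove the user from it. This runs only for
            # the user the SSO layer just identified; without one, `user` is
            # unbound and the request failed with an UnboundLocalError.
            if sso_group_env:
                groups_string = request.environ.get(sso_group_env, u'')
                separator = current_app.config.get(
                    u'SSO_GROUP_SEPARATOR', u';')
                not_member_sign = current_app.config.get(
                    u'SSO_GROUP_NOT_MEMBER_SIGN', None)
                for group_name in groups_string.split(separator):
                    remove_group = False
                    if not_member_sign and group_name.startswith(
                            not_member_sign):
                        remove_group = True
                        # Drop the sign once as a prefix. str.lstrip() treats
                        # its argument as a character set and would also eat
                        # leading characters of the group name itself.
                        group_name = group_name[len(not_member_sign):]

                    # An empty groups string splits into [''], which must not
                    # become a group with an empty name.
                    if not group_name:
                        continue

                    # Get or create the group in the Timesketch database.
                    group = Group.get_or_create(name=group_name)

                    if remove_group:
                        if group in user.groups:
                            user.groups.remove(group)
                    elif group not in user.groups:
                        user.groups.append(group)
                # Commit the changes to the database.
                db_session.commit()

    # Login form POST. validate_on_submit has to be called: the bare bound
    # method is always truthy, which ran the password check on every request
    # and never applied the form's own validation.
    if form.validate_on_submit():
        user = User.query.filter_by(username=form.username.data).first()
        if user and user.check_password(plaintext=form.password.data):
            login_user(user)

    if current_user.is_authenticated:
        # `next` is attacker-controllable, so only follow it when it is a
        # path on this site; anything else falls back to the front page.
        next_url = request.args.get(u'next') or u'/'
        is_local_path = (
            next_url.startswith(u'/')
            and not next_url.startswith(u'//')
            and u'\\' not in next_url
            and not any(ord(char) < 0x20 for char in next_url))
        return redirect(next_url if is_local_path else u'/')

    return render_template(u'user/login.html', form=form)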
Esempio n. 10
def create_group(group_name):
    """Look up or create a group, commit it and report the name on stdout.

    Args:
        group_name: Name handed to Group.get_or_create.
    """
    db_session.add(Group.get_or_create(name=group_name))
    db_session.commit()
    # Printed only after the commit has returned.
    print(f"Group created: {group_name}")