コード例 #1
0
ファイル: uiMethods.py プロジェクト: AsherBond/cato
    def wmSaveSettings(self):
        """
            In this method, the values come from the browser in a jQuery serialized array of name/value pairs.
        """
        sModule = uiCommon.getAjaxArg("module")
        sSettings = uiCommon.getAjaxArg("settings")

        # sweet, use getattr to actually get the class we want!
        objname = getattr(settings.settings, sModule.lower())
        obj = objname()
        if obj:
            # spin the sValues array and set the appropriate properties.
            # setattr is so awesome
            for pair in sSettings:
                setattr(obj, pair["name"], pair["value"])
                # print  "setting %s to %s" % (pair["name"], pair["value"])
            # of course all of our settings classes must have a DBSave method
            obj.DBSave()
            catocommon.add_security_log(uiCommon.GetSessionUserID(), catocommon.SecurityLogTypes.Security,
                catocommon.SecurityLogActions.ConfigChange, catocommon.CatoObjectTypes.NA, "",
                "%s settings changed." % sModule.capitalize())

        return "{}"
コード例 #2
0
ファイル: uiCommon.py プロジェクト: AsherBond/cato
def check_roles(method):
    # if you wanna enable verbose page view logging, this is the place to do it.
    s_set = settings.settings.security()
    if s_set.PageViewLogging:
        catocommon.add_security_log(GetSessionUserID(), catocommon.SecurityLogTypes.Usage, catocommon.SecurityLogActions.PageView, 0, method, method)

    user_role = GetSessionUserRole()
    if user_role == "Administrator":
        return True

    if method in uiGlobals.RoleMethods:
        mapping = uiGlobals.RoleMethods[method]
        if mapping is True:
            return True

        if user_role in mapping:
            return True
        else:
            log("User requesting %s - insufficient permissions" % method)
            return False
    else:
        log("ERROR: %s does not have a role mapping." % method)
        return False
コード例 #3
0
ファイル: sysMethods.py プロジェクト: AsherBond/cato
    def update_settings(self, args):
        """Updates the settings of a process or module.

NOTE: the update_settings command requires submission of a JSON settings object.
As a guide for updating settings, first execute this command with the output_format set to json.

For example, to update Messenger settings, first do:

get_settings?module=messenger&output_format=json

...then use the result as a template for update_settings.

Required Arguments: 

* `module` - name of the module to apply the settings.
* `settings` - a list of name:value setting objects.

Returns: Nothing if successful, error messages on failure.
"""
        mod = args.get("module")
        sets = args.get("settings")

        # this is a admin function, kick out 
        if not api._ADMIN:
            return R(err_code=R.Codes.Forbidden, err_msg="Only Administrators can perform this function.")

        required_params = ["module", "settings"]
        has_required, resp = api.check_required_params(required_params, args)
        if not has_required:
            return resp

        if not sets:
            return R(err_code=R.Codes.UpdateError, err_detail="Settings JSON is required.")
            
        # first, validate the settings JSON
        # are the settings json?
        try:
            setsdict = json.loads(sets)
        except Exception as ex:
            return R(err_code=R.Codes.UpdateError, err_detail="Trying to parse settings as JSON failed. %s" % ex)
        
        
        # sweet, use getattr to actually get the class we want!
        objname = getattr(settings.settings, mod.lower())
        obj = objname()
        if obj:
            # spin the sValues array and set the appropriate properties.
            # setattr is so awesome
            for k, v in setsdict.iteritems():
                setattr(obj, k, v)
                # print  "setting %s to %s" % (pair["name"], pair["value"])
            # of course all of our settings classes must have a DBSave method
            obj.DBSave()
            catocommon.add_security_log(api._USER_ID, catocommon.SecurityLogTypes.Security,
                catocommon.SecurityLogActions.ConfigChange, catocommon.CatoObjectTypes.NA, "",
                "%s settings changed via API." % mod.capitalize())
        
            if args.get("output_format") == "json":
                return R(response=obj.AsJSON())
            elif args.get("output_format") == "text":
                return R(response=obj.AsText(args.get("output_delimiter"), args.get("header")))
            else:
                return R(response=obj.AsXML())
コード例 #4
0
ファイル: uiCommon.py プロジェクト: AsherBond/cato
def AttemptLogin(app_name, token=None, sid=None):
    if not app_name:
        raise Exception("Missing Application Name.")
    if not web.ctx.ip:
        raise Exception("Unable to determine client address.")

    address = "%s (%s)" % (web.ctx.ip, app_name)

    in_name = getAjaxArg("username")
    in_pwd = getAjaxArg("password")
    in_pwd = unpackJSON(in_pwd)
    new_pwd = getAjaxArg("change_password")
    new_pwd = unpackJSON(new_pwd)
    answer = getAjaxArg("answer")
    answer = unpackJSON(answer)

    u = catouser.User()

    if token:
        log("Trying Token Authentication using [%s]." % token, 3)
        result, code = u.AuthenticateToken(token, address)
        if not result:
            return json.dumps({"info": code})
    elif sid:
        sid = base64.b64decode(sid)
        log("Attempting to trust another CSK application using [%s]." % sid, 3)
        result, code = u.AuthenticateSession(sid, address)
        if not result:
            return json.dumps({"info": code})

    else:
        log("Attempting Authentication using POST args.", 3)
        # Authenticate will return the codes so we will know
        # how to respond to the login page
        # (must change password, password expired, etc)
        result, code = u.Authenticate(in_name, in_pwd, address, new_pwd, answer)
        if not result:
            if code == "disabled":
                return json.dumps({"info": "Your account has been suspended.  Please contact an Adminstrator."})
            if code == "failures":
                return json.dumps({"info": "Your account has been temporarily locked due to excessive password failures."})
            if code == "change":
                return json.dumps({"result": "change"})

            # no codes matched, but there is a message in there...
            if code:
                return json.dumps({"info": code})

            # failed with no code returned
            return json.dumps({"info": "Invalid Username or Password."})

    # So... they authenticated, but based on the users 'role' (Administrator, Developer, User) ...
    # they may not be allowed to log in to certain "app_name"s.
    # specifically, the User role cannot log in to the "Cato Admin UI" app.

    # TODO: enable this when the Cato EE Portal is released.
#        if u.Role == "User" and "Admin" in app_name:
#            return json.dumps({"info": "Your account isn't authorized for this application."})


    # all good, put a few key things in the session, not the whole object
    # yes, I said SESSION not a cookie, otherwise it could be hacked client side

    current_user = {}
    current_user["session_id"] = u.SessionID
    current_user["user_id"] = u.ID
    current_user["user_name"] = u.LoginID
    current_user["full_name"] = u.FullName
    current_user["role"] = u.Role
    current_user["tags"] = u.Tags
    current_user["email"] = u.Email
    current_user["ip_address"] = address
    SetSessionObject("user", current_user)

    # bit of a hack here... this function was given a pretty "app_name", but we want the non-pretty one.
    cookiename = "%s-applink" % (app_name.replace(" ", "_").lower())
    SetCookie(cookiename, base64.b64encode(u.SessionID))

    log("Login granted for: %s" % (u.FullName), 3)
    log(uiGlobals.session.user, 4)

    # update the security log
    catocommon.add_security_log(u.ID, catocommon.SecurityLogTypes.Security,
        catocommon.SecurityLogActions.UserLogin, catocommon.CatoObjectTypes.User, "",
        "Login to [%s] from [%s] granted." % (app_name, address))

    return json.dumps({"result": "success"})