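def _show_page_user_profile(change_pw):
    """Render the "Edit User Profile" / "Change Password" page and process its form.

    Args:
        change_pw: True when the user is forced to change the password. In that
            mode only the password fields are shown, the current password and a
            differing new one are mandatory, and a successful change redirects
            to ``_origtarget``. False shows the full profile (name, password,
            language, notification method, editable custom attributes).

    Raises:
        MKUserError: not logged in.
        MKAuthException: missing edit_profile/change_password permission, or
            WATO disabled.
        HTTPRedirect: after a successful forced password change.

    Form validation errors (MKUserError) raised while saving are caught and
    shown on the re-rendered page instead of propagating.
    """
    start_async_replication = False

    if not config.user.id:
        raise MKUserError(None, _('Not logged in.'))

    if not config.user.may('general.edit_profile') and not config.user.may(
            'general.change_password'):
        raise MKAuthException(_("You are not allowed to edit your user profile."))

    if not config.wato_enabled:
        raise MKAuthException(_('User profiles can not be edited (WATO is disabled).'))

    success = None
    if html.request.has_var('_save') and html.check_transaction():
        # Lock the user DB for the whole read-modify-write below.
        users = userdb.load_users(lock=True)

        try:
            # Profile edit (user options like language etc.)
            if config.user.may('general.edit_profile'):
                if not change_pw:
                    set_lang = html.get_checkbox('_set_lang')
                    language = html.request.var('language')

                    # Set the users language if requested
                    if set_lang:
                        if language == '':
                            language = None

                        # Set custom language
                        users[config.user.id]['language'] = language
                        config.user.language = language
                        html.set_language_cookie(language)

                    else:
                        # Remove the customized language
                        if 'language' in users[config.user.id]:
                            del users[config.user.id]['language']
                        config.user.reset_language()

                    # load the new language
                    cmk.gui.i18n.localize(config.user.language)

                user = users.get(config.user.id)
                if user is None:
                    raise Exception("current user is not in user DB")

                if config.user.may('general.edit_notifications') and user.get(
                        "notifications_enabled"):
                    value = forms.get_input(watolib.get_vs_flexible_notifications(),
                                            "notification_method")
                    users[config.user.id]["notification_method"] = value

                # Custom attributes
                if config.user.may('general.edit_user_attributes'):
                    for name, attr in userdb.get_user_attributes():
                        if attr.user_editable():
                            if not attr.permission() or config.user.may(attr.permission()):
                                vs = attr.valuespec()
                                value = vs.from_html_vars('ua_' + name)
                                vs.validate_value(value, "ua_" + name)
                                users[config.user.id][name] = value

            # Change the password if requested
            password_changed = False
            if config.user.may('general.change_password'):
                cur_password = html.request.var('cur_password')
                password = html.request.var('password')
                password2 = html.request.var('password2', '')

                if change_pw:
                    # Force change pw mode
                    if not cur_password:
                        raise MKUserError("cur_password",
                                          _("You need to provide your current password."))
                    if not password:
                        raise MKUserError("password", _("You need to change your password."))
                    if cur_password == password:
                        raise MKUserError(
                            "password", _("The new password must differ from your current one."))

                # Outside the forced mode an empty password field simply means
                # "do not change the password".
                if cur_password and password:
                    # Re-authenticate with the current password before accepting a new one.
                    if userdb.hook_login(config.user.id, cur_password) is False:
                        raise MKUserError("cur_password", _("Your old password is wrong."))
                    # NOTE(review): an empty confirmation field skips the
                    # confirmation check entirely; only a non-empty mismatch is rejected.
                    if password2 and password != password2:
                        raise MKUserError("password2", _("The both new passwords do not match."))

                    watolib.verify_password_policy(password)
                    users[config.user.id]['password'] = hash_password(password)
                    users[config.user.id]['last_pw_change'] = int(time.time())

                    if change_pw:
                        # Has been changed, remove enforcement flag. pop() instead of
                        # del: the flag may already be absent (e.g. page reached via
                        # "reason" without the enforcement being set).
                        users[config.user.id].pop('enforce_pw_change', None)

                    # Increase serial to invalidate old cookies
                    users[config.user.id]['serial'] = users[config.user.id].get('serial', 0) + 1

                    password_changed = True

            # Now, if in distributed environment where users can login to remote sites,
            # set the trigger for pushing the new auth information to the slave sites
            # asynchronous
            if config.user.authorized_login_sites():
                start_async_replication = True

            userdb.save_users(users)

            if password_changed:
                # Set the new cookie to prevent logout for the current user
                login.set_auth_cookie(config.user.id)

            success = True
        except MKUserError as e:
            html.add_user_error(e.varname, e)
    else:
        users = userdb.load_users()

    watolib.init_wato_datastructures(with_wato_lock=True)

    # When in distributed setup, display the replication dialog instead of the normal
    # profile edit dialog after changing the password.
    if start_async_replication:
        user_profile_async_replication_page()
        return

    if change_pw:
        title = _("Change Password")
    else:
        title = _("Edit User Profile")

    html.header(title)

    # Rule based notifications: The user currently cannot simply call the according
    # WATO module due to WATO permission issues. So we cannot show this button
    # right now.
    if not change_pw:
        rulebased_notifications = watolib.load_configuration_settings().get(
            "enable_rulebased_notifications")
        if rulebased_notifications and config.user.may('general.edit_notifications'):
            html.begin_context_buttons()
            url = "wato.py?mode=user_notifications_p"
            html.context_button(_("Notifications"), url, "notifications")
            html.end_context_buttons()
    else:
        reason = html.request.var('reason')
        if reason == 'expired':
            html.p(_('Your password is too old, you need to choose a new password.'))
        else:
            html.p(_('You are required to change your password before proceeding.'))

    if success:
        html.reload_sidebar()
        if change_pw:
            html.show_message(_("Your password has been changed."))
            raise HTTPRedirect(html.request.get_str_input_mandatory('_origtarget', 'index.py'))

        html.show_message(_("Successfully updated user profile."))
        # Ensure theme changes are applied without additional user interaction
        html.immediate_browser_redirect(0.5, html.makeuri([]))

    if html.has_user_errors():
        html.show_user_errors()

    user = users.get(config.user.id)
    if user is None:
        html.show_warning(_("Sorry, your user account does not exist."))
        html.footer()
        return

    # Returns true if an attribute is locked and should be read only. Is only
    # checked when modifying an existing user
    locked_attributes = userdb.locked_attributes(user.get('connector'))

    def is_locked(attr):
        return attr in locked_attributes

    html.begin_form("profile", method="POST")
    html.prevent_password_auto_completion()
    html.open_div(class_="wato")
    forms.header(_("Personal Settings"))

    if not change_pw:
        forms.section(_("Name"), simple=True)
        html.write_text(user.get("alias", config.user.id))

    if config.user.may('general.change_password') and not is_locked('password'):
        forms.section(_("Current Password"))
        html.password_input('cur_password', autocomplete="new-password")

        forms.section(_("New Password"))
        html.password_input('password', autocomplete="new-password")

        forms.section(_("New Password Confirmation"))
        html.password_input('password2', autocomplete="new-password")

    if not change_pw and config.user.may('general.edit_profile'):
        select_language(user)

        # Let the user configure how he wants to be notified
        if not rulebased_notifications \
            and config.user.may('general.edit_notifications') \
            and user.get("notifications_enabled"):
            forms.section(_("Notifications"))
            html.help(
                _("Here you can configure how you want to be notified about host and service problems and "
                  "other monitoring events."))
            watolib.get_vs_flexible_notifications().render_input("notification_method",
                                                                 user.get("notification_method"))

        if config.user.may('general.edit_user_attributes'):
            for name, attr in userdb.get_user_attributes():
                if attr.user_editable():
                    vs = attr.valuespec()
                    forms.section(_u(vs.title()))
                    value = user.get(name, vs.default_value())
                    if not attr.permission() or config.user.may(attr.permission()):
                        vs.render_input("ua_" + name, value)
                        html.help(_u(vs.help()))
                    else:
                        html.write(vs.value_to_text(value))

    # Save button
    forms.end()
    html.button("_save", _("Save"))
    html.close_div()
    html.hidden_fields()
    html.end_form()
    html.footer()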
def need_overriding_permission(cls, how):
    """Abort with MKAuthException unless *cls* has overriding permission for *how*.

    Thin guard around has_overriding_permission(): callers use it as an
    assertion before performing the operation named by *how*. Returns None
    when the permission is present.
    """
    if cls.has_overriding_permission(how):
        return
    message = _("Sorry, you lack the permission. Operation: %s, table: %s")
    raise MKAuthException(message % (how, cls.phrase("title_plural")))
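def acknowledge_logfile(site, host_name, int_filename, display_name):
    """Send a MK_LOGWATCH_ACKNOWLEDGE command for one logfile of *host_name* to *site*.

    Args:
        site: site the command is sent to.
        host_name: host the logfile belongs to; the current user must be
            permitted to see it (may_see()).
        int_filename: internal logfile name, passed through verbatim.
        display_name: human-readable name; not used by this function.

    Raises:
        MKAuthException: if the current user may not see the host.
        ValueError: if host_name or int_filename contains a line break.
    """
    if not may_see(site, host_name):
        raise MKAuthException(_('Permission denied.'))

    # Both values are interpolated verbatim into the command text. A line
    # break inside either would presumably let the remainder be read as a
    # separate command, so reject it before building the string.
    for value in (host_name, int_filename):
        if "\n" in value or "\r" in value:
            raise ValueError("line break in livestatus command argument")

    command = "MK_LOGWATCH_ACKNOWLEDGE;%s;%s" % (host_name, int_filename)
    sites.live().command("[%d] %s" % (int(time.time()), command), site)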
def __init__(self) -> None:
    """Refuse construction unless the current user may view failed notifications."""
    allowed = _may_see_failed_notifications()
    if allowed:
        return
    raise MKAuthException(_("You are not allowed to view the failed notifications."))
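def page(self):
    """Run one host diagnosis test via automation and return its result.

    Reads the web API request ("host", "_test", connection parameters and the
    optional SNMPv3 settings), checks the wato.diag_host permission, the
    transaction id and the host's read permission, then calls the
    "diag-host" automation on the host's site.

    Returns:
        dict with "next_transid", "status_code" and "output" (decoded with
        errors="replace").

    Raises:
        MKAuthException: missing permission or invalid transaction.
        MKGeneralException: missing/unknown host, cluster host, missing or
            unknown test.
    """
    watolib.init_wato_datastructures(with_wato_lock=True)

    if not config.user.may('wato.diag_host'):
        raise MKAuthException(_('You are not permitted to perform this action.'))

    if not transactions.check_transaction():
        raise MKAuthException(_("Invalid transaction"))

    request = self.webapi_request()

    hostname = request.get("host")
    if not hostname:
        raise MKGeneralException(_('The hostname is missing.'))

    host = watolib.Host.host(hostname)

    if not host:
        raise MKGeneralException(_('The given host does not exist.'))
    if host.is_cluster():
        raise MKGeneralException(_('This view does not support cluster hosts.'))

    host.need_permission("read")

    _test = request.get('_test')
    if not _test:
        raise MKGeneralException(_('The test is missing.'))

    # Execute a specific test; only the tests known to ModeDiagHost are accepted.
    if _test not in dict(ModeDiagHost.diag_host_tests()):
        raise MKGeneralException(_('Invalid test.'))

    # TODO: Use ModeDiagHost._vs_rules() for processing/validation?
    # Positional argument vector for the automation; slots 7-12 carry the
    # SNMPv3 settings and stay empty when SNMPv3 is not used.
    args: List[str] = [u""] * 13
    for idx, what in enumerate([
            'ipaddress',
            'snmp_community',
            'agent_port',
            'snmp_timeout',
            'snmp_retries',
            'tcp_connect_timeout',
    ]):
        args[idx] = request.get(what, u"")

    if request.get("snmpv3_use"):
        snmpv3_use = {
            u"0": u"noAuthNoPriv",
            u"1": u"authNoPriv",
            u"2": u"authPriv",
        }.get(request.get("snmpv3_use", u""), u"")

        args[7] = snmpv3_use
        if snmpv3_use != u"noAuthNoPriv":
            snmpv3_auth_proto = {
                str(DropdownChoice.option_id("md5")): u"md5",
                str(DropdownChoice.option_id("sha")): u"sha"
            }.get(request.get("snmpv3_auth_proto", u""), u"")

            args[8] = snmpv3_auth_proto
            args[9] = request.get("snmpv3_security_name", u"")
            # NOTE(review): the SNMPv3 passwords travel as plain automation
            # arguments; check how the automation call exposes them (logs,
            # process list) before relying on this in a hardened setup.
            args[10] = request.get("snmpv3_security_password", u"")

            if snmpv3_use == "authPriv":
                snmpv3_privacy_proto = {
                    str(DropdownChoice.option_id("DES")): u"DES",
                    str(DropdownChoice.option_id("AES")): u"AES"
                }.get(request.get("snmpv3_privacy_proto", u""), u"")

                args[11] = snmpv3_privacy_proto
                args[12] = request.get("snmpv3_privacy_password", u"")
        else:
            # noAuthNoPriv only needs the security name.
            args[9] = request.get("snmpv3_security_name", u"")

    result = watolib.check_mk_automation(host.site_id(), "diag-host", [hostname, _test] + args)
    return {
        "next_transid": transactions.fresh_transid(),
        "status_code": result[0],
        "output": ensure_str(result[1], errors="replace"),
    }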
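def check_parsed_auth_cookie(username, issue_time, cookie_hash):
    """Validate the components parsed from an auth cookie.

    Args:
        username: user name taken from the cookie.
        issue_time: issue timestamp taken from the cookie. It is only used as
            input to generate_auth_hash() here; cookie expiry is not checked
            by this function.
        cookie_hash: hash carried by the cookie.

    Raises:
        MKAuthException: if the user does not exist or cookie_hash does not
            match the hash computed for (username, issue_time).
    """
    import hmac  # function-scope import: the file's import block is not touched

    if not userdb.user_exists(username):
        raise MKAuthException(_('Username is unknown'))

    expected = generate_auth_hash(username, issue_time)
    # Compare in constant time: a plain "!=" on the hash can leak, through
    # response timing, how long the matching prefix of a guessed value is.
    try:
        hash_matches = hmac.compare_digest(cookie_hash, expected)
    except TypeError:
        # Mismatched or unsupported types (e.g. non-ASCII text) cannot match.
        hash_matches = False

    if not hash_matches:
        raise MKAuthException(_('Invalid credentials'))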