def encrypt():
'''
Encryption function - encrypt string using key from file
'''
try:
# Check for element string and that it is not blank
if 'string' not in request.json.keys():
abort(400)
elif not request.json or len(request.json['string']) == 0:
abort(400)
except:
abort(400)
# Get encryption password or give 500 error
try:
with open('%s/.keystore/backup.key' % sys.path[0],'r') as psfile:
cryptokey = psfile.readline().rstrip()
except:
abort(500)
# Encrypt string and return response, m2secret does not like unicode
secret = m2secret.Secret()
secret.encrypt(str(request.json['string']), cryptokey)
serialized = secret.serialize()
return jsonify( {'result' : serialized } )
def getcreds(self,key,id=0):
'''
getcreds(key, id=0) - Gets user credentials from DB
args - key: encryption key used by m2secret
id - device id of creds to fetch, default is for default creds
Return - dict of creds
'''
# Get user and encypted pass from DB, convert to dict of str types
self.dbc.execute("SELECT NAME,PASS FROM BACKUP_USER WHERE ID = %d" % id)
raw_creds = dict(zip( ['name','passwd'], [str(i) for i in self.dbc.fetchone()] ))
# Decrypt pass and return dict of creds
secret = m2secret.Secret()
secret.deserialize(raw_creds['passwd'])
return { 'name' : raw_creds['name'], 'passwd' : secret.decrypt(key) }
def formatter(self, value):
secret = m2secret.Secret()
secret.deserialize(value)
return (secret.decrypt(self.key), None)
def __call__(self, value):
secret = m2secret.Secret()
secret.encrypt(value, self.key)
return secret.serialize()
def prepare(self):
'''
Prepares a the message for sending. Gets setting from DB. Also
pulls certs from DB and creates email message and headers sending.
'''
try:
# Connect to DB
self.log.debug('Email prepare, connecting to DB.')
db = sq.connect(sys.path[0] + '/db/main.db')
dbc = db.cursor()
# Get email settings from DB
self.log.debug('Email prepare, getting email settings from DB.')
dbc.execute('''SELECT SENDER,SENDER_TITLE,TO_MAIL,SUBJECT,HIDE_ACK,
TLS,SERVER,PORT,LOGIN,LOGIN_USER,LOGIN_PASS FROM EMAIL WHERE ID =0''')
db_values_temp = dbc.fetchone()
except:
e = sys.exc_info()[1]
self.log.critical('Email prepare - %s' % e)
raise
# Convert unicode into str
self.log.debug('Email prepare, convert unicode.')
db_values = []
for i in db_values_temp:
if type(i).__name__ == 'unicode':
i = str(i)
# Add new string to new list
db_values.append(i)
# Create email settings dict
self.log.debug('Email prepare, creating email dict.')
db_keys = [
'sender', 'sender_title', 'to_mail', 'subject', 'hide_ack', 'tls',
'server', 'port', 'login', 'login_user', 'login_crypt'
]
self.email_set = dict(zip(db_keys, db_values))
# Get user password
try:
# Get crypto key
self.log.debug('Email prepare, getting key from keystore.')
with open(sys.path[0] + '/.keystore/backup.key', 'r') as psfile:
key = psfile.readline().rstrip()
except:
e = sys.exc_info()[1]
self.log.critical('Can\'t get key from keystore - %s' % e)
raise
# Decrypting user password
if self.email_set['login']:
self.log.debug('Email prepare, decrypting email password.')
try:
secret = m2secret.Secret()
secret.deserialize(self.email_set['login_crypt'])
self.email_set['login_pass'] = secret.decrypt(key)
except:
e = sys.exc_info()[1]
self.log.critical('Can\'t decrypt email login password - %e' %
e)
raise
# build device dict
self.log.debug('Email prepare, building device list.')
dbc.execute('SELECT ID,NAME FROM DEVICES')
self.dev_dict = {}
for idn, name in dbc.fetchall():
self.dev_dict[idn] = str(name)
# Get certs expiring between 30 and 7 days
self.log.debug('Email prepare, getting 30 to 7 certs.')
dbc.execute(
'''SELECT ID,NAME,DEVICE,SUB_CN,EXPIRE FROM CERTS WHERE
EXPIRE < ? AND EXPIRE > ? AND ACK = 0 ORDER BY EXPIRE''',
(self.thirty_days, self.seven_days))
thirty_to_seven = self._get_certs(dbc.fetchall())
# Get certs expiring between 7 days and now
self.log.debug('Email prepare, getting 7 to now certs.')
dbc.execute(
'''SELECT ID,NAME,DEVICE,SUB_CN,EXPIRE FROM CERTS WHERE
EXPIRE < ? AND EXPIRE > ? AND ACK = 0 ORDER BY EXPIRE''',
(self.seven_days, self.now))
seven_to_now = self._get_certs(dbc.fetchall())
# Get expired certs
self.log.debug('Email prepare, getting expireed certs.')
dbc.execute(
'''SELECT ID,NAME,DEVICE,SUB_CN,EXPIRE FROM CERTS WHERE
EXPIRE < ? AND ACK = 0 ORDER BY EXPIRE''', (self.now, ))
expired = self._get_certs(dbc.fetchall())
# Get expired and expiring with in 30 days that have been acked
self.log.debug('Email prepare, getting acked certs.')
dbc.execute(
'''SELECT ID,NAME,DEVICE,SUB_CN,EXPIRE FROM CERTS WHERE
EXPIRE < ? AND ACK = 1 ORDER BY EXPIRE''',
(self.thirty_days, ))
acked = self._get_certs(dbc.fetchall())
# build table of acked certs
acked_certs = ''
if not self.email_set['hide_ack']:
acked_certs = '''
<div align="center"><strong>Certs Expired or Expiring Within 30 Days (Acknowledged)</strong></div>
%s
<br>''' % self._cert_table(acked)
# Build email header
self.log.debug('Email prepare, building header.')
self.header = '''From: %s <%s>
To: %s
MIME-Version: 1.0
Content-type: text/html
Subject: %s
''' % (self.email_set['sender_title'], self.email_set['sender'],
self.email_set['to_mail'], self.email_set['subject'])
# Build Email body
self.log.debug('Email prepare, building message body.')
self.msg_body = '''
<html>
<body>
<style>
body {
text-align:center;
}
table.cert {
border: 1px solid #999999;
border-collapse:collapse;
text-align:center;
}
table.cert th {
border: 1px solid #999999;
border-collapse:collapse;
padding:2px 12px 2px 12px;
height: 25px;
/* background-image:url('/images/banner.png');
background-repeat:repeat-x; */
}
table.cert td {
border: 1px solid #999999;
border-collapse:collapse;
padding:2px 12px 2px 12px;
}
table.title {
text-align: center;
}
table.title th {
font-size:30px;
font-weight:bold;
}
</style>
<table class="title" align="center">
<th>Certificate Report</th>
<tr><td>Config Backup for F5</td></tr>
</table>
<br />
<div align="center"><strong>Certs Expiring in 30 to 7 Days (Not Acknowledged)</strong></div>
%s
<br>
<div align="center"><strong>Certs Expiring Within 7 Days (Not Acknowledged)</strong></div>
%s
<br>
<div align="center"><strong>Expired Certs (Not Acknowledged)</strong></div>
%s
<br>
%s
</body>
</html>''' % (self._cert_table(thirty_to_seven),
self._cert_table(seven_to_now), self._cert_table(expired),
acked_certs)
#Close DB connection
self.log.debug('Email prepare, closing DB.')
db.close
def adauthenicate(user, passwd):
'''
Config backup function for authenticating user in active directory
@param user: Username you wish to authenicate
@param passwd: Password of user
@param log: Log object
This function gets the AD info from the DB and tracks which servers
in and up/down state. If AD server is down it is not attempted again
for another 10 minutes.
'''
# Create logging for authentication
logfile = '%s/log/auth.log' % sys.path[0]
authlog = logsimple.LogSimple(logfile, max_files=5)
authlog.setlevel('INFO')
# Connect to DB
try:
db = sq.connect(sys.path[0] + '/db/main.db')
dbc = db.cursor()
authlog.debug('Connected to DB.')
# Retrieve bind user, password, domain from DB
authlog.debug('Getting bind username and password.')
dbc.execute("SELECT AUTHACCT,AUTHHASH,DOMAIN FROM AUTH WHERE ID = 0")
bind = dbc.fetchone()
except:
e = sys.exc_info()[1]
authlog.critical('DB connect failed - %s' % e)
authlog.close()
raise StandardError(e)
# Get log level from DB and reset in logging object
dbc.execute("SELECT LEVEL FROM LOGGING WHERE NAME = 'AUTH'")
authlog.setlevel(str(dbc.fetchone()[0]))
# Check for value in list bind
if type(bind) is tuple:
#Convert result into dict
bind = {'acct': bind[0], 'passwd': bind[1], 'domain': bind[2]}
else:
authlog.error('No credentials avilable in DB.')
authlog.close()
return [False, 'No credentials avilable in DB.']
#Decrypt password
try:
authlog.debug('Getting crypto key from key store.')
with open(sys.path[0] + '/.keystore/backup.key', 'r') as psfile:
cryptokey = psfile.readline().rstrip()
authlog.debug('Decrypting bind password.')
secret = m2secret.Secret()
secret.deserialize(bind['passwd'])
bind['passwd'] = secret.decrypt(cryptokey)
except:
e = sys.exc_info()[1]
authlog.critical('Can\'t get credentials from DB - %s' % e)
authlog.close()
raise StandardError(e)
# Retrieve list of servers from DB
authlog.debug('Getting list of servers from DB.')
dbc.execute("SELECT ID,SERVER,TLS,TIMEDOWN FROM AUTHSERVERS")
servers = [{
'id': id,
'server': server,
'tls': tls,
'timedown': timedown
} for id, server, tls, timedown in dbc.fetchall()]
# loop through list of servers
for server in servers:
try:
# Has server been declared down within the last 10 min ?
if (server['timedown'] + 600) > int(time.time()):
# If yes skip to next server
next_try = (server['timedown'] + 600) - int(time.time())
authlog.debug(
'Server %s was down within 10 minutes. %d seconds until next retry.'
% (server['server'], next_try))
continue
# If this server works do auth and return result
authlog.debug('Authenicating to server %s.' % server['server'])
authlog.info('Authenicating user %s.' % user)
auth = adauth.ADAuth(server['server'], bind['acct'],
bind['passwd'], bind['domain'], server['tls'])
result = auth.Authenticate(user, passwd)
if result[0] == True:
authlog.info('User successfully authenticated. User:%s.' %
user)
authlog.debug('User %s attr - %s' % (user, str(result[1])))
elif result[0] == False:
authlog.info('User auth failed - User:%s, Reason:%s.' %
(user, result[1]))
authlog.close()
return result
except ldap.SERVER_DOWN as e:
# If server down mark in DB and go to next
authlog.error('Server %s is not up. Marking server down.' %
server['server'])
try:
dbc.execute('UPDATE AUTHSERVERS SET TIMEDOWN = ? WHERE ID = ?',
(int(time.time()), server['id']))
db.commit()
except:
e = sys.exc_info()[1]
authlog.error('Server down DB update - %s' % e)
#Skip to next device
continue
else:
authlog.error('No AD servers avilable.')
authlog.close()
return [False, 'No auth servers avilable.']