def check_auth(username, password, remote_addr=None):
if remote_addr:
cache_key = 'ip_' + remote_addr
count = cache_db.list_length(cache_key)
if count and count > 10:
raise flask.abort(403)
key_exists = cache_db.exists(cache_key)
cache_db.list_rpush(cache_key, '')
if not key_exists:
cache_db.expire(cache_key, 20)
db_username = persist_db.dict_get('auth', 'username') or DEFAULT_USERNAME
if username != db_username:
return False
db_password = persist_db.dict_get('auth', 'password')
if not db_password:
if password == DEFAULT_PASSWORD:
return True
return False
pass_ver, pass_salt, db_pass_hash = db_password.split('$')
if pass_ver == '0':
pass_hash = _hash_password_v0(pass_salt, password)
elif pass_ver == '1':
pass_hash = _hash_password_v1(pass_salt, password)
else:
return False
return pass_hash == db_pass_hash
def check_session():
from pritunl import app_server
auth_token = flask.request.headers.get("Auth-Token", None)
if auth_token:
auth_timestamp = flask.request.headers.get("Auth-Timestamp", None)
auth_nonce = flask.request.headers.get("Auth-Nonce", None)
auth_signature = flask.request.headers.get("Auth-Signature", None)
if not auth_token or not auth_timestamp or not auth_nonce or not auth_signature:
return False
try:
if abs(int(auth_timestamp) - int(time.time())) > AUTH_TIME_WINDOW:
return False
except ValueError:
return False
cache_key = "auth_nonce-%s" % auth_nonce
if cache_db.exists(cache_key):
return False
cache_db.expire(cache_key, int(AUTH_TIME_WINDOW * 2.1))
cache_db.set(cache_key, auth_timestamp)
auth_token_hash = persist_db.dict_get("auth", "token")
auth_secret = persist_db.dict_get("auth", "secret")
if not auth_token_hash or not auth_secret:
return False
if not _test_password_hash(auth_token_hash, auth_token):
return False
auth_string = "&".join(
[auth_token, auth_timestamp, auth_nonce, flask.request.method, flask.request.path]
+ ([flask.request.data] if flask.request.data else [])
)
if len(auth_string) > AUTH_SIG_STRING_MAX_LEN:
return False
auth_test_signature = base64.b64encode(hmac.new(auth_secret.encode(), auth_string, hashlib.sha256).digest())
if auth_signature != auth_test_signature:
return False
else:
if not flask.session:
return False
if not flask.session.get("auth"):
flask.session.clear()
return False
if not app_server.ssl and flask.session.get("source") != get_remote_addr():
flask.session.clear()
return False
if app_server.session_timeout and int(time.time()) - flask.session["timestamp"] > app_server.session_timeout:
flask.session.clear()
return False
return True
def check_auth(username, password, remote_addr=None):
from administrator import Administrator
if remote_addr:
# TODO
cache_key = 'ip_' + remote_addr
count = cache_db.list_length(cache_key)
if count and count > 10:
raise flask.abort(403)
# TODO
key_exists = cache_db.exists(cache_key)
cache_db.list_rpush(cache_key, '')
if not key_exists:
cache_db.expire(cache_key, 20)
administrator = Administrator.find_user(username=username)
if not administrator:
return
if not administrator.test_password(password):
return
return administrator
def check_auth(username, password, remote_addr=None):
if remote_addr:
cache_key = "ip_" + remote_addr
count = cache_db.list_length(cache_key)
if count and count > 10:
raise flask.abort(403)
key_exists = cache_db.exists(cache_key)
cache_db.list_rpush(cache_key, "")
if not key_exists:
cache_db.expire(cache_key, 20)
db_username = persist_db.dict_get("auth", "username") or DEFAULT_USERNAME
if username != db_username:
return False
db_password = persist_db.dict_get("auth", "password")
if not db_password:
if password == DEFAULT_PASSWORD:
return True
return False
return _test_password_hash(db_password, password)
def load_file(self):
if app_server.static_cache and cache_db.exists(self.get_cache_key()):
self.get_cache()
return
if not os.path.isfile(self.path):
if app_server.static_cache:
self.set_cache()
return
file_basename = os.path.basename(self.path)
file_mtime = datetime.datetime.utcfromtimestamp(
os.path.getmtime(self.path))
file_size = int(os.path.getsize(self.path))
with open(self.path, 'r') as static_file:
self.data = static_file.read()
self.mime_type = mimetypes.guess_type(file_basename)[0] or 'text/plain'
self.last_modified = http_date(file_mtime)
self.etag = self.generate_etag(file_basename, file_size, file_mtime)
if app_server.static_cache:
self.set_cache()
def check_session():
from administrator import Administrator
auth_token = flask.request.headers.get('Auth-Token', None)
if auth_token:
auth_timestamp = flask.request.headers.get('Auth-Timestamp', None)
auth_nonce = flask.request.headers.get('Auth-Nonce', None)
auth_signature = flask.request.headers.get('Auth-Signature', None)
if not auth_token or not auth_timestamp or not auth_nonce or \
not auth_signature:
return False
auth_nonce = auth_nonce[:32]
try:
if abs(int(auth_timestamp) - int(time.time())) > AUTH_TIME_WINDOW:
return False
except ValueError:
return False
# TODO
cache_key = 'auth_nonce-%s' % auth_nonce
if cache_db.exists(cache_key):
return False
administrator = Administrator.find_user(token=auth_token)
if not administrator:
return False
auth_string = '&'.join([
auth_token, auth_timestamp, auth_nonce, flask.request.method,
flask.request.path] +
([flask.request.data] if flask.request.data else []))
if len(auth_string) > AUTH_SIG_STRING_MAX_LEN:
return False
auth_test_signature = base64.b64encode(hmac.new(
administrator.secret.encode(), auth_string,
hashlib.sha256).digest())
if auth_signature != auth_test_signature:
return False
# TODO
cache_db.expire(cache_key, int(AUTH_TIME_WINDOW * 2.1))
cache_db.set(cache_key, auth_timestamp)
flask.request.administrator = administrator
else:
from pritunl import app_server
if not flask.session:
return False
admin_id = flask.session.get('admin_id')
if not admin_id:
return False
administrator = Administrator.get_user(id=admin_id)
if not administrator:
return False
if not app_server.ssl and flask.session.get(
'source') != get_remote_addr():
flask.session.clear()
return False
if SESSION_TIMEOUT and int(time.time()) - \
flask.session['timestamp'] > SESSION_TIMEOUT:
flask.session.clear()
return False
flask.request.administrator = administrator
return True
def create_user_key_link(self, user_id):
key_id = uuid.uuid4().hex
key_id_key = 'key_token-%s' % key_id
view_id = None
uri_id = None
for i in xrange(2):
for i in xrange(2048):
temp_id = ''.join(random.sample(
SHORT_URL_CHARS, SHORT_URL_LEN))
if not view_id:
if not cache_db.exists('view_token-%s' % temp_id):
view_id = temp_id
break
else:
if not cache_db.exists('uri_token-%s' % temp_id):
uri_id = temp_id
break
if not view_id and not uri_id:
raise KeyLinkError('Failed to generate random id')
view_id_key = 'view_token-%s' % view_id
uri_id_key = 'uri_token-%s' % uri_id
cache_db.expire(key_id_key, KEY_LINK_TIMEOUT)
cache_db.dict_set(key_id_key, 'org_id', self.id)
cache_db.dict_set(key_id_key, 'user_id', user_id)
cache_db.dict_set(key_id_key, 'view_id', view_id)
cache_db.dict_set(key_id_key, 'uri_id', uri_id)
conf_urls = []
if app_server.inline_certs:
for server in self.iter_servers():
conf_id = uuid.uuid4().hex
conf_id_key = 'conf_token-%s' % conf_id
cache_db.expire(conf_id_key, KEY_LINK_TIMEOUT)
cache_db.dict_set(conf_id_key, 'org_id', self.id)
cache_db.dict_set(conf_id_key, 'user_id', user_id)
cache_db.dict_set(conf_id_key, 'server_id', server.id)
conf_urls.append({
'id': conf_id,
'server_name': server.name,
'url': '/key/%s.ovpn' % conf_id,
})
cache_db.expire(view_id_key, KEY_LINK_TIMEOUT)
cache_db.dict_set(view_id_key, 'org_id', self.id)
cache_db.dict_set(view_id_key, 'user_id', user_id)
cache_db.dict_set(view_id_key, 'key_id', key_id)
cache_db.dict_set(view_id_key, 'uri_id', uri_id)
cache_db.dict_set(view_id_key,
'conf_urls', json.dumps(conf_urls))
cache_db.expire(uri_id_key, KEY_LINK_TIMEOUT)
cache_db.dict_set(uri_id_key, 'org_id', self.id)
cache_db.dict_set(uri_id_key, 'user_id', user_id)
return {
'id': key_id,
'key_url': '/key/%s.tar' % key_id,
'view_url': '/k/%s' % view_id,
'uri_url': '/ku/%s' % uri_id,
}
def check_session():
from pritunl import app_server
auth_valid = True
auth_token = flask.request.headers.get('Auth-Token', None)
if auth_token:
auth_timestamp = flask.request.headers.get('Auth-Timestamp', None)
auth_nonce = flask.request.headers.get('Auth-Nonce', None)
auth_signature = flask.request.headers.get('Auth-Signature', None)
if not auth_token or not auth_timestamp or not auth_nonce or \
not auth_signature:
return False
auth_nonce = auth_nonce[:32]
try:
if abs(int(auth_timestamp) - int(time.time())) > AUTH_TIME_WINDOW:
return False
except ValueError:
return False
cache_key = 'auth_nonce-%s' % auth_nonce
if cache_db.exists(cache_key):
return False
auth_token_hash = persist_db.dict_get('auth', 'token')
auth_secret = persist_db.dict_get('auth', 'secret')
if not auth_token_hash or not auth_secret:
return False
if not _test_password_hash(auth_token_hash, auth_token):
auth_valid = False
auth_string = '&'.join([
auth_token, auth_timestamp, auth_nonce, flask.request.method,
flask.request.path] +
([flask.request.data] if flask.request.data else []))
if len(auth_string) > AUTH_SIG_STRING_MAX_LEN:
return False
auth_test_signature = base64.b64encode(hmac.new(
auth_secret.encode(), auth_string, hashlib.sha256).digest())
if auth_signature != auth_test_signature:
auth_valid = False
if auth_valid:
cache_db.expire(cache_key, int(AUTH_TIME_WINDOW * 2.1))
cache_db.set(cache_key, auth_timestamp)
else:
if not flask.session:
return False
if not flask.session.get('auth'):
flask.session.clear()
return False
if not app_server.ssl and flask.session.get(
'source') != get_remote_addr():
flask.session.clear()
return False
if app_server.session_timeout and int(time.time()) - \
flask.session['timestamp'] > app_server.session_timeout:
flask.session.clear()
return False
return auth_valid