def login():
username = request.form.get('username')
password = request.form.get('password')
created = False
user = None
try:
user = User.get(username=username)
except DoesNotExist:
if USE_LDAP:
try:
user = ldap_auth(username, password)
created = True
except LDAPException:
pass
if not user:
User.get().check_password("")
return jsonify({
'result': 'err',
'msg': 'Invalid username or password.'
})
if user and not user.username == 'guest':
if created or user.check_password(password):
if user.has_fido():
session['fido_preauth_user'] = user.id
return jsonify({
'result': 'fido2',
'msg': "Success; FIDO2 auth required."
})
else:
login_user(user)
flash("Login successful!")
return jsonify({'result': 'success'})
return jsonify({'result': 'err', 'msg': 'Invalid username or password.'})
def ldap_auth(username: str, password: str) -> User:
s = Server(host=LDAP_HOST, port=LDAP_PORT, use_ssl=LDAP_SSL)
c = Connection(s,
user=(LDAP_FILTER.format(username) + ',' + LDAP_BASE_DN),
password=password)
u = None
from home.web.web import app
if c.bind():
app.logger.info("Successful bind for user " + username)
c.search(search_base=LDAP_BASE_DN,
search_filter='({})'.format(LDAP_FILTER.format(username)),
attributes=ALL_ATTRIBUTES)
r = c.response[0]['attributes']
u, created = User.get_or_create(username=username,
defaults={
'ldap':
True,
'password':
'',
'admin':
LDAP_ADMIN_GROUP in r['memberOf']
})
if created:
app.logger.info("Created new user from LDAP: " + username)
else:
u.admin = LDAP_ADMIN_GROUP in r['memberOf']
u.save()
else:
app.logger.info("Failed to bind with user " +
LDAP_FILTER.format(username) + "," + LDAP_BASE_DN)
c.unbind()
return u
def get_widgets(user: User) -> List[str]:
widget_html = []
for d in devices.values():
if user.has_permission(d):
try:
widget_html.append(d.widget['html'])
except (AttributeError, TypeError):
pass
return widget_html
def change_password():
if current_user.admin:
user = User.get(username=request.form.get('username'))
elif current_user.check_password(request.form.get('password')):
user = current_user
if not user.ldap and request.form.get('new_password') == request.form.get(
'new_password_confirm'):
user.set_password(request.form.get('new_password'))
user.save()
if user.ldap:
flash('Sorry, cannot change passwords for LDAP accounts.')
return redirect(url_for('index'))
def create_user():
if not current_user.admin:
abort(403)
if request.form.get('api'):
APIClient.create(name=request.form.get('username'))
else:
if len(request.form.get('password')):
u = User.create(username=request.form.get('username'), password="")
u.set_password(request.form.get('password'))
u.admin = True if request.form.get('admin') else False
u.save()
else:
abort(500)
return redirect(url_for('index'))
def authenticate_complete():
data = cbor.decode(request.get_data())
credential_id = data["credentialId"]
client_data = ClientData(data["clientDataJSON"])
auth_data = AuthenticatorData(data["authenticatorData"])
signature = data["signature"]
user = User.get(session["fido_preauth_user"])
server.authenticate_complete(
session.pop("state"),
get_all_tokens(user),
credential_id,
client_data,
auth_data,
signature,
)
login_user(user)
flash("Login successful!")
return cbor.encode({"status": "OK"})
def get_action_widgets(user: User) -> List[str]:
widget_html = []
groups = get_groups(actions)
for group in groups:
if user.has_permission(group=group):
html = ''
html += '<div class="widget-panel panel panel-info"><div class="panel-heading"><h3 ' \
'class="panel-title">{}</h3></div><div class="panel-body">'.format(group)
html += '<div class="btn-group" role="group" aria-label="...">'
action_html = ''
for action in groups[group]:
if action.button:
action_html += '<button class="widget btn {1}" id="{0}">{0}</button>'.format(
action.name, action.button)
html += action_html
html += '</div></div></div>'
if action_html:
widget_html.append(html)
return widget_html
def index():
"""
Route for the HTML interface.
"""
sec = SecurityController.get()
events = sec.events
interface_list = []
for i in interfaces:
interface_list.append((i, [
d for d in devices.values()
if d.driver and d.driver.interface == i and (
i.public or current_user.is_authenticated
and current_user.has_permission(d))
]))
if current_user.is_active:
widget_html = get_widgets(current_user) + get_action_widgets(
current_user)
return render_template(
'index.html',
interfaces=interface_list,
devices=filter_by_permission(current_user, devices.values()),
sec=sec,
events=events,
clients=APIClient.select(),
actions=filter_by_permission(current_user, actions),
version=VERSION,
debug=DEBUG,
qr=get_qr(),
widgets=widget_html,
displays=displays,
users=User.select(),
run_session=run_session,
)
return render_template('index.html',
interfaces=interface_list,
devices=devices.values())
def ws_admin(data):
if not current_user.admin:
disconnect()
return
command = data.get('command')
if command == 'action':
app.logger.info("({}) Execute action '{}'".format(
current_user.username, data.get('action')))
get_action(data.get('action')).run()
emit(
'message', {
'class': 'alert-success',
'content': "Executing action '{}'.".format(data.get('action'))
})
elif command == 'visible':
interface = get_interface(data.get('iface'))
interface.public = not interface.public
emit(
'message', {
'class':
'alert-success',
'content':
'Temporarily changed interface visibility (until server is restarted).'
})
elif command == 'restart':
emit('update', {}, broadcast=True)
emit('message', {'class': 'alert-success', 'content': 'Restarting...'})
utils.reload()
elif command == 'update':
emit('update', {}, broadcast=True)
emit('message', {'class': 'alert-success', 'content': 'Updating...'})
utils.update()
elif command == 'revoke':
client = APIClient.get(name=data.get('name'))
client.delete_instance()
emit(
'message', {
'class': 'alert-success',
'content': 'Successfully revoked API permissions.'
})
elif command == 'api regen token':
client = APIClient.get(name=data.get('name'))
client.token = random_string()
client.save()
emit(
'message', {
'class': 'alert-success',
'content': 'Successfully updated API token; please refresh.'
})
elif command == 'update permissions':
client = APIClient.get(name=data.get('name'))
client.permissions = data.get('perms').replace(' ', '')
client.save()
emit(
'message', {
'class': 'alert-success',
'content': 'Successfully updated API permissions.'
})
elif command == 'delete':
user = User.get(username=data.get('name'))
user.delete_instance()
emit('message', {
'class': 'alert-success',
'content': 'Successfully deleted user.'
})
elif command == 'user update permissions':
user = User.get(username=data.get('name'))
user._groups = data.get('perms').replace(' ', '')
user.save()
emit(
'message', {
'class': 'alert-success',
'content': 'Successfully updated User permissions.'
})
elif command == 'user regen token':
user = User.get(username=data.get('name'))
user.token = gen_token()
user.save()
emit(
'message', {
'class': 'alert-success',
'content': 'Successfully invalidated sessions.'
})
elif command == 'refresh_display':
emit('display refresh', broadcast=True)
elif command == 'update config':
try:
parser.parse(data=data['config'])
except Exception as e:
parser.parse(file='config.yml')
emit(
'message', {
'class': 'alert-danger',
'content': 'Error parsing device configuration. ' + str(e)
})
else:
with open('config.yml', 'w') as f:
f.write(data['config'])
emit(
'message', {
'class': 'alert-success',
'content': 'Successfully updated device configuration.'
})
elif command == 'refresh logs':
with open(LOG_FILE) as f:
emit('logs', f.read())
elif command == 'get config':
with open('config.yml') as f:
emit('config', f.read())
def authenticate_begin():
user = User.get(session['fido_preauth_user'])
auth_data, state = server.authenticate_begin(get_all_tokens(user))
session["state"] = state
return cbor.encode(auth_data)
def filter_by_permission(user: User, objects: List[Any]):
if user.admin:
return objects
return [o for o in objects if user.has_permission(o)]
def guest_auth(path):
if path == get_qr()[1].split('/')[-1]:
if not current_user.is_authenticated:
login_user(User.get(username='******'))
return redirect(url_for('display'))
abort(403)
def user_loader(token):
try:
return User.get(token=token)
except DoesNotExist:
return None