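def login_process():
    """Handle the login form POST.

    Local accounts (``UserModel.ldap == 0``) are checked first. Only when no
    local account matches, LDAP is enabled and the ``allow_logins`` setting is
    ``1`` is ``ldap.authenticate()`` consulted; the matching ``ldap == 1`` row
    is then looked up. Every failure flashes an error and redirects back to
    the login page, carrying the ``next`` target along.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()
    settings = provider.settings()

    username = request.form['username']
    password = request.form['password']
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())
    allow_logins = int(settings.get('allow_logins', 0))

    # First check if user is local. Local users take priority.
    # NOTE(review): 'allow_logins' only gates the LDAP branch below; local
    # accounts can still sign in when it is 0 - confirm that is intended.
    user = UserModel.query.filter(
        and_(
            func.lower(UserModel.username) == func.lower(username),
            UserModel.ldap == 0)).first()

    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
    elif ldap.is_enabled() and allow_logins == 1:
        if not ldap.authenticate(username, password, True):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
        # The ldap == 1 row is presumably created inside authenticate();
        # the error text below assumes so.
        user = UserModel.query.filter(
            and_(
                func.lower(UserModel.username) == func.lower(username),
                UserModel.ldap == 1)).first()
        if not user:
            flash('Could not create your local account. Please contact the administrator.', 'error')
            return redirect(url_for('auth.login', next=next_url))
    else:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # If we reach this point it means that our user exists. Check if the user is active.
    # Fail closed: anything that is not truthy counts as disabled (the old
    # 'is False' test let a 0 or None value through).
    if not user.active:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Follow 'next' only when it is a same-site path: a single leading '/'
    # and neither a scheme nor a host once parsed. Checking netloc alone is
    # not enough, since scheme-only values and backslash-prefixed paths
    # (which some browsers read as protocol-relative) still leave the site.
    if next_url and next_url.startswith('/') and not next_url.startswith(('//', '/\\')):
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)
    return redirect(url_for('home.index'))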
def ldap_test():
    """Test the LDAP connection and report the outcome through flash()."""
    ldap = Provider().ldap()

    if ldap.test_connection():
        flash('Connection established!', 'success')
    else:
        # NOTE(review): error_details is shown to the user verbatim; check it
        # cannot carry internal hostnames or bind DNs that should stay private.
        detail = ldap.error_details
        if len(detail) == 0:
            detail = 'Could not connect to LDAP Server'
        flash('LDAP Response: {0}'.format(detail), 'error')

    return redirect(url_for('config.ldap'))
def login():
    """Render the login form, or go straight home for an authenticated user."""
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    radius = provider.radius()
    # The template only needs to offer a backend choice when both external
    # methods are switched on at the same time.
    both_external = ldap.enabled and radius.enabled

    return render_template(
        'auth/login.html',
        next=request.args.get('next', ''),
        multiauth=both_external)
def profile():
    """Render the current user's profile page."""
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    # Tells the template whether LDAP supplies the e-mail address; profile_save()
    # ignores the submitted e-mail in that case.
    email_from_ldap = len(ldap.mapping_email) > 0
    complexity_text = users.password_complexity.get_requirement_description()

    return render_template(
        'config/account/profile/general.html',
        user=users.get_user(current_user.id),
        has_email_mapping=email_from_ldap,
        password_complexity=complexity_text
    )
def profile():
    """Render the current user's profile page with auth-type specific options."""
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    user = users.get_user(current_user.id)
    # NOTE(review): get_authtype() is dereferenced without a None check here,
    # whereas profile_save() guards the same call with 'if not auth_type'.
    auth_type_name = users.get_authtype(id=user.auth_type_id).name

    # Tells the template whether LDAP supplies the e-mail address; profile_save()
    # ignores the submitted e-mail in that case.
    email_from_ldap = len(ldap.mapping_email) > 0
    complexity_text = users.password_complexity.get_requirement_description()

    return render_template(
        'config/account/profile/general.html',
        user=user,
        has_email_mapping=email_from_ldap,
        password_complexity=complexity_text,
        auth_type=auth_type_name.lower(),
        ldap_pwdchange=ldap.pwchange
    )
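def _clear_ldap_pwchange_session():
    """Drop the short-lived session keys that authorise an LDAP password change."""
    session.pop('ldap_username', None)
    session.pop('ldap_time', None)


def ldap_changepwd_process():
    """Handle the LDAP password-change form POST.

    The request is only honoured for the username stashed in the session by
    the login step, and only within 120 seconds of ``ldap_time``. Missing or
    stale state clears those keys and sends the user back to login. Form
    validation failures redirect to the change-password page; the update
    itself is delegated to ``ldap.update_password_ad()``.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    password = request.form['password'].strip()
    new_password = request.form['new_password'].strip()
    confirm_password = request.form['confirm_password'].strip()

    username = session.get('ldap_username', '')
    ldap_time = session.get('ldap_time', 0)

    # No pending change, or the 120-second window has elapsed.
    if len(username) == 0 or int(time.time()) > (ldap_time + 120):
        _clear_ldap_pwchange_session()
        return redirect(url_for('auth.login', next=next_url))

    user = users.get_ldap_user(username)
    if not user:
        _clear_ldap_pwchange_session()
        return redirect(url_for('auth.login', next=next_url))

    # NOTE(review): these redirects use the bare endpoint 'ldap_changepwd',
    # while the login flow redirects to 'auth.ldap_changepwd' - confirm the
    # endpoint name, otherwise url_for() raises BuildError here.
    if len(password) == 0:
        flash('Please enter your current password', 'error')
        return redirect(url_for('ldap_changepwd', next=next_url))
    if len(new_password) == 0 or len(confirm_password) == 0:
        flash('Please enter your new password', 'error')
        return redirect(url_for('ldap_changepwd', next=next_url))
    if new_password != confirm_password:
        flash('New passwords do not match', 'error')
        return redirect(url_for('ldap_changepwd', next=next_url))

    # One attempt per login: the session grant is consumed before the update
    # regardless of its outcome.
    _clear_ldap_pwchange_session()

    if not ldap.update_password_ad(user.username, password, new_password):
        flash('Could not update password', 'error')
        return redirect(url_for('auth.login', next=next_url))

    flash('Password updated - please login again', 'success')
    return redirect(url_for('auth.login', next=next_url))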
def ldap_changepwd():
    """Render the LDAP password-change form.

    Only reachable when ``ldap.pwchange`` is on and the session carries a
    pending ``ldap_username`` that is at most 120 seconds old; otherwise the
    session keys are dropped and the user is sent back to the login page.
    """
    provider = Provider()
    ldap = provider.ldap()
    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())

    if not ldap.pwchange:
        return redirect(url_for('auth.login', next=next_url))

    pending_user = session.get('ldap_username', '')
    granted_at = session.get('ldap_time', 0)

    if len(pending_user) == 0 or int(time.time()) > (granted_at + 120):
        for key in ('ldap_username', 'ldap_time'):
            session.pop(key, None)
        return redirect(url_for('auth.login', next=next_url))

    # The template gets the 'next' value as received, without the extra
    # unquote_plus() applied above.
    return render_template('auth/ldap_password.html', next=request.args.get('next', ''))
def ldap():
    """Render the LDAP settings page with the supported auth methods."""
    auth_methods = Provider().ldap().get_supported_auth_methods()
    return render_template('config/system/ldap.html', auth_types=auth_methods)
def profile_save():
    """Save the current user's profile (POST handler).

    What may be edited depends on the account's auth type: LDAP users can only
    change their e-mail, and only when no LDAP e-mail mapping is configured;
    local users can change full name and e-mail. A password change is
    attempted when all three password fields are filled and the auth type
    allows it (local, or LDAP with ldap.pwchange on). Every validation failure
    flashes an error and redirects back to the profile page.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    # Coarse shape check only: something@something.tld.
    email_regex = re.compile(r"[^@]+@[^@]+\.[^@]+")

    user = users.get_user(current_user.id)
    auth_type = users.get_authtype(id=user.auth_type_id)
    if not auth_type:
        flash('Invalid authentication type', 'error')
        return redirect(url_for('config.profile'))

    # Username / Name / Email change
    if auth_type.name.lower() == 'ldap':
        # When LDAP supplies the e-mail, the submitted value is ignored entirely.
        has_email_mapping = (len(ldap.mapping_email) > 0)
        if not has_email_mapping:
            email = request.form['email'].strip().lower().replace(' ', '')
            if len(email) == 0 or not email_regex.match(email):
                flash('Invalid e-mail', 'error')
                return redirect(url_for('config.profile'))
            user = users.update_property(current_user.id, 'email', email)
    elif auth_type.name.lower() == 'local':
        full_name = request.form['full_name'].strip()
        email = request.form['email'].strip().lower().replace(' ', '')
        if len(full_name) == 0:
            flash('Invalid full name', 'error')
            return redirect(url_for('config.profile'))
        elif len(email) == 0 or not email_regex.match(email):
            flash('Invalid e-mail', 'error')
            return redirect(url_for('config.profile'))
        # These updates are applied before the password section below runs,
        # so a rejected password change still leaves the profile edits in place.
        user = users.update_property(current_user.id, 'email', email)
        user = users.update_property(current_user.id, 'full_name', full_name)

    # Password change
    if (auth_type.name.lower() == 'ldap' and ldap.pwchange) or (auth_type.name.lower() == 'local'):
        existing_password = request.form['existing_password'].strip()
        new_password = request.form['new_password'].strip()
        confirm_password = request.form['confirm_password'].strip()
        # Only attempt a change when all three fields are filled in; leaving
        # them blank means "profile edit only".
        if len(existing_password) > 0 and len(new_password) > 0 and len(confirm_password) > 0:
            # NOTE(review): the next two branches are unreachable - the
            # enclosing condition already guarantees both fields are non-empty.
            if len(existing_password) == 0:
                flash('Please enter your existing password', 'error')
                return redirect(url_for('config.profile'))
            elif len(new_password) == 0:
                flash('Please enter your new password', 'error')
                return redirect(url_for('config.profile'))
            elif new_password != confirm_password:
                flash('New passwords do not match', 'error')
                return redirect(url_for('config.profile'))

            if auth_type.name.lower() == 'ldap':
                # No local check of the existing password here; it is passed
                # through to update_password_ad() together with the new one.
                if not ldap.update_password_ad(user.username, existing_password, new_password):
                    # NOTE(review): ldap.error_message is shown to the user
                    # verbatim - check it cannot leak directory internals.
                    if len(ldap.error_message) > 0:
                        flash(ldap.error_message, 'error')
                    else:
                        flash('Could not update password', 'error')
                    return redirect(url_for('config.profile'))
            elif auth_type.name.lower() == 'local':
                if not users.validate_user_password(current_user.id, existing_password):
                    flash('Invalid existing password', 'error')
                    return redirect(url_for('config.profile'))
                elif not users.update_user_password(current_user.id, new_password):
                    # NOTE(review): the argument list on the next line appears
                    # redacted in this copy of the source ('******') and does
                    # not parse; restore it from the original file.
                    flash('Could not update password: '******'error')
                    return redirect(url_for('config.profile'))

            # Force the user to re-login.
            users.logout_session(current_user.id)
            flash('Please login with your new password', 'success')
            return redirect(url_for('config.profile'))

    flash('Profile updated', 'success')
    return redirect(url_for('config.profile'))
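def login_process():
    """Handle the login form POST.

    Local accounts (``UserModel.ldap == 0``) are tried first. Otherwise, when
    LDAP is enabled, ``ldap.authenticate()`` decides: ``AUTH_SUCCESS`` looks
    up (and on first login creates) the local LDAP row, ``AUTH_CHANGE_PASSWORD``
    parks the username in the session and sends the user to the
    password-change page, ``AUTH_LOCKED`` and anything else are rejected.
    Failures flash an error and return to the login page with ``next`` kept.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()

    username = request.form['username']
    password = request.form['password']
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())

    # First check if user is local. Local users take priority.
    user = UserModel.query.filter(
        and_(
            func.lower(UserModel.username) == func.lower(username),
            UserModel.ldap == 0)).first()

    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
    elif ldap.is_enabled():
        ldap_result = ldap.authenticate(username, password)
        if ldap_result is False:
            # Prefer the backend's own message when it gives one.
            flash(ldap.error_message if len(ldap.error_message) > 0 else 'Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))

        outcome = ldap_result['result']
        if outcome == ldap.AUTH_SUCCESS:
            ldap_user = ldap_result['user']
        elif outcome == ldap.AUTH_CHANGE_PASSWORD:
            # Short-lived grant consumed by the ldap_changepwd views (120 s).
            session['ldap_username'] = username
            session['ldap_time'] = int(time.time())
            flash('Your LDAP password has expired or needs changing', 'error')
            return redirect(url_for('auth.ldap_changepwd', next=next_url))
        elif outcome == ldap.AUTH_LOCKED:
            flash('Your AD account is disabled', 'error')
            return redirect(url_for('auth.login', next=next_url))
        else:
            flash(ldap.error_message if len(ldap.error_message) > 0 else 'Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))

        user = users.get_ldap_user(ldap_user['username'])
        if not user:
            # First LDAP login: create the local row.
            user = users.create_ldap_user(ldap_user['username'], ldap_user['fullname'], ldap_user['email'])
            if not user:
                flash('Could not create LDAP user', 'error')
                return redirect(url_for('auth.login', next=next_url))
    else:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # If we reach this point it means that our user exists. Check if the user is active.
    # Fail closed: anything that is not truthy counts as disabled (the old
    # 'is False' test let a 0 or None value through).
    if not user.active:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Follow 'next' only when it is a same-site path: a single leading '/'
    # and neither a scheme nor a host once parsed. Checking netloc alone is
    # not enough, since scheme-only values and backslash-prefixed paths
    # (which some browsers read as protocol-relative) still leave the site.
    if next_url and next_url.startswith('/') and not next_url.startswith(('//', '/\\')):
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)
    return redirect(url_for('home.index'))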
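def login_process():
    """Handle the login form POST.

    Local users (``find_user_login(username, False)``) are tried first;
    otherwise, when LDAP is enabled, ``ldap.authenticate()`` decides the
    outcome. A first LDAP login creates the local user via ``users.save()``
    and a base DNS zone via ``zones.create_user_base_zone()``. Disabled
    accounts are rejected after the credential check, and accounts with 2FA
    are parked in the session and sent to the OTP step instead of being
    logged in directly.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    username = request.form['username'].strip()
    password = request.form['password'].strip()
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())

    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    zones = provider.dns_zones()

    # First lookup local users.
    user = users.find_user_login(username, False)
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
    elif ldap.enabled:
        ldap_result = ldap.authenticate(username, password)
        if ldap_result is False:
            # Prefer the backend's own message when it gives one.
            flash(ldap.error_message if len(ldap.error_message) > 0 else 'Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))

        outcome = ldap_result['result']
        if outcome == ldap.AUTH_SUCCESS:
            ldap_user = ldap_result['user']
        elif outcome == ldap.AUTH_CHANGE_PASSWORD:
            # Short-lived grant consumed by the ldap_changepwd views (120 s).
            session['ldap_username'] = username
            session['ldap_time'] = int(time.time())
            flash('Your LDAP password has expired or needs changing', 'error')
            return redirect(url_for('auth.ldap_changepwd', next=next_url))
        elif outcome == ldap.AUTH_LOCKED:
            flash('Your AD account is disabled', 'error')
            return redirect(url_for('auth.login', next=next_url))
        else:
            flash(ldap.error_message if len(ldap.error_message) > 0 else 'Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))

        # Now see if the user exists.
        # NOTE(review): the lookup keys on the submitted username while the row
        # is created from ldap_user['username'] - confirm they always agree,
        # otherwise a second account could be created on later logins.
        user = users.find_user_login(username, True)
        if not user:
            # Doesn't exist yet, we'll have to create them now.
            # NOTE(review): the submitted LDAP password is handed to users.save()
            # for this row - confirm it is hashed or discarded, not stored as typed.
            user = users.save(0, ldap_user['username'].lower(), password,
                              ldap_user['fullname'], ldap_user['email'], False, True, True)
            if not user:
                flash('Could not create LDAP user: {0}'.format(users.last_error), 'error')
                return redirect(url_for('auth.login', next=next_url))

            # Now we need to create a zone for that user.
            if not zones.create_user_base_zone(user):
                flash('User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.', 'error')
                return redirect(url_for('auth.login', next=next_url))
    else:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Forward to 2FA validation if it's enabled.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next_url))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Follow 'next' only when it is a same-site path: a single leading '/'
    # and neither a scheme nor a host once parsed. Checking netloc alone is
    # not enough, since scheme-only values and backslash-prefixed paths
    # (which some browsers read as protocol-relative) still leave the site.
    if next_url and next_url.startswith('/') and not next_url.startswith(('//', '/\\')):
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)
    return redirect(url_for('home.index'))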
def __auth_ldap(username, password):
    """Authenticate against LDAP; return ``(result, error_message)`` from the LDAP layer."""
    backend = Provider().ldap()
    outcome = backend.authenticate(username, password)
    message = backend.error_message
    return outcome, message
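def login_process():
    """Handle the login form POST for local, LDAP and RADIUS accounts.

    When both LDAP and RADIUS are enabled (``multiauth``) the form must name
    the backend in ``auth`` and only that backend is tried; otherwise local
    auth is tried first and the single enabled external backend second. A
    first successful external login creates the local user row and its base
    DNS zone. Disabled accounts are rejected after the credential check, and
    accounts with 2FA are parked in the session and sent to the OTP step.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    username = request.form['username'].strip()
    password = request.form['password'].strip()
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())

    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    radius = provider.radius()
    zones = provider.dns_zones()

    # If more than one external methods are defined, the user has to specify which one they want to authenticate
    # against, as we won't be trying each and every one until we get a hit. If only one method is enabled (ie LDAP) then
    # LOCAL auth will be tried first and then it will try LDAP.
    # Truthiness rather than 'is True'/'is False' so a 0/1 'enabled' flag
    # does not silently disable every branch.
    multiauth = ldap.enabled and radius.enabled
    auth = request.form['auth'].strip().lower() if 'auth' in request.form else ''

    login_result = False
    fullname = ''
    email = ''

    if not multiauth or auth == 'local':
        auth = 'local'  # For when multiauth = False.
        # NOTE(review): only an exact False result falls through to the
        # external backends; if __auth_local() can return None the LDAP and
        # RADIUS branches are skipped. Confirm its contract.
        login_result = __auth_local(username, password)

    if login_result is False and ldap.enabled:
        if not multiauth or auth == 'ldap':
            auth = 'ldap'
            ldap_result, error_message = __auth_ldap(username, password)
            if ldap_result is False:
                flash(error_message if len(error_message) > 0 else 'Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))

            outcome = ldap_result['result']
            if outcome == ldap.AUTH_SUCCESS:
                login_result = True
                fullname = ldap_result['user']['fullname'].lower()
                email = ldap_result['user']['email'].lower()
            elif outcome == ldap.AUTH_CHANGE_PASSWORD:
                if ldap.pwchange:
                    # Short-lived grant consumed by the ldap_changepwd views (120 s).
                    session['ldap_username'] = username
                    session['ldap_time'] = int(time.time())
                    flash('Your LDAP password has expired or needs changing', 'error')
                    return redirect(url_for('auth.ldap_changepwd', next=next_url))
                flash('Your LDAP password has expired or needs changing', 'error')
                return redirect(url_for('auth.login', next=next_url))
            elif outcome == ldap.AUTH_LOCKED:
                flash('Your AD account is disabled', 'error')
                return redirect(url_for('auth.login', next=next_url))
            else:
                flash('Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))

    if login_result is False and radius.enabled:
        if not multiauth or auth == 'radius':
            auth = 'radius'
            radius_result, error_message = __auth_radius(username, password)
            if radius_result is False:
                flash(error_message if len(error_message) > 0 else 'Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))
            login_result = radius_result
            fullname = username.lower()
            email = ''

    if login_result is False:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Check to see if the user exists. This will return false only if it's the first login of an external user.
    user = users.find_user_login(username)
    if not user:
        # NOTE(review): the submitted password is handed to users.save() for
        # this external account - confirm it is hashed or discarded, not
        # stored as typed.
        user = users.save(0, username.lower(), password, fullname.lower(), email.lower(), False, auth, True)
        if not user:
            flash('Could not create external user: {0}'.format(users.last_error), 'error')
            return redirect(url_for('auth.login', next=next_url))

        # Now create the default zone for that user.
        if not zones.create_user_base_zone(user):
            flash('User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.', 'error')
            return redirect(url_for('auth.login', next=next_url))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Forward to 2FA validation if it's enabled.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next_url))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Follow 'next' only when it is a same-site path: a single leading '/'
    # and neither a scheme nor a host once parsed. Checking netloc alone is
    # not enough, since scheme-only values and backslash-prefixed paths
    # (which some browsers read as protocol-relative) still leave the site.
    if next_url and next_url.startswith('/') and not next_url.startswith(('//', '/\\')):
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)
    return redirect(url_for('home.index'))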
def profile_save():
    """Save the current user's profile (POST handler).

    LDAP users (``user.ldap`` truthy) may only change their e-mail, and only
    when no LDAP e-mail mapping is configured. Local users may change full
    name and e-mail, and also their password when all three password fields
    are filled in. Every validation failure flashes an error and redirects
    back to the profile page.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    # Coarse shape check only: something@something.tld.
    email_regex = re.compile(r"[^@]+@[^@]+\.[^@]+")

    user = users.get_user(current_user.id)

    if user.ldap:
        # When LDAP supplies the e-mail, the submitted value is ignored entirely.
        has_email_mapping = (len(ldap.mapping_email) > 0)
        if not has_email_mapping:
            email = request.form['email'].strip().lower().replace(' ', '')
            if len(email) == 0 or not email_regex.match(email):
                flash('Invalid e-mail', 'error')
                return redirect(url_for('config.profile'))
            user = users.update_property(current_user.id, 'email', email)
    else:
        full_name = request.form['full_name'].strip()
        email = request.form['email'].strip().lower().replace(' ', '')
        existing_password = request.form['existing_password'].strip()
        new_password = request.form['new_password'].strip()
        confirm_password = request.form['confirm_password'].strip()

        if len(full_name) == 0:
            flash('Invalid full name', 'error')
            return redirect(url_for('config.profile'))
        elif len(email) == 0 or not email_regex.match(email):
            flash('Invalid e-mail', 'error')
            return redirect(url_for('config.profile'))

        # These updates are applied before the password section below runs,
        # so a rejected password change still leaves the profile edits in place.
        user = users.update_property(current_user.id, 'email', email)
        user = users.update_property(current_user.id, 'full_name', full_name)

        # Only attempt a change when all three fields are filled in; leaving
        # them blank means "profile edit only".
        if len(existing_password) > 0 and len(new_password) > 0 and len(confirm_password) > 0:
            # Password change as well.
            # NOTE(review): the next two branches are unreachable - the
            # enclosing condition already guarantees both fields are non-empty.
            if len(existing_password) == 0:
                flash('Please enter your existing password', 'error')
                return redirect(url_for('config.profile'))
            elif len(new_password) == 0:
                flash('Please enter your new password', 'error')
                return redirect(url_for('config.profile'))
            elif new_password != confirm_password:
                flash('New passwords do not match', 'error')
                return redirect(url_for('config.profile'))

            if not users.validate_user_password(current_user.id, existing_password):
                flash('Invalid existing password', 'error')
                return redirect(url_for('config.profile'))
            elif not users.update_user_password(current_user.id, new_password):
                # NOTE(review): the argument list on the next line appears
                # redacted in this copy of the source ('******') and does
                # not parse; restore it from the original file.
                flash('Could not update password: '******'error')
                return redirect(url_for('config.profile'))

            # Force the user to re-login.
            users.logout_session(current_user.id)
            flash('Please login with your new password', 'success')
            return redirect(url_for('config.profile'))

    flash('Profile updated', 'success')
    return redirect(url_for('config.profile'))