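def login_process():
    """Handle the login form POST: local accounts first, then LDAP.

    Reads ``username``, ``password`` and ``next`` from ``request.form``.
    A local (non-LDAP) account with a matching username always wins; the
    directory is only consulted when LDAP is enabled *and* the
    ``allow_logins`` setting is ``1`` (local accounts are not gated by it).

    Returns:
        A redirect: to ``next`` when it is a same-site path, to
        ``home.index`` on success, or back to ``auth.login`` with a
        flashed error on failure.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()
    settings = provider.settings()

    username = request.form['username']
    password = request.form['password']
    # Attacker-controlled; it is only followed after the same-site check
    # at the end of the view.
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())

    allow_logins = int(settings.get('allow_logins', 0))

    # First check if user is local. Local users take priority.
    user = UserModel.query.filter(
        and_(
            func.lower(UserModel.username) == func.lower(username),
            UserModel.ldap == 0)).first()
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
    elif ldap.is_enabled() and allow_logins == 1:
        # The meaning of the third positional argument is not visible
        # here; it is passed through unchanged.
        if not ldap.authenticate(username, password, True):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
        # The LDAP-flagged local record is expected to exist by now; it is
        # not created in this view.
        user = UserModel.query.filter(
            and_(
                func.lower(UserModel.username) == func.lower(username),
                UserModel.ldap == 1)).first()

        if not user:
            flash(
                'Could not create your local account. Please contact the administrator.',
                'error')
            return redirect(url_for('auth.login', next=next_url))
    else:
        # Same generic message as a wrong password, so the response does
        # not reveal whether the username exists.
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # The user exists and the password checked out; now enforce the
    # disabled flag. Truthiness rather than `is False` so that a 0 or None
    # stored in `active` also counts as disabled (fail closed).
    if not user.active:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative, same-site `next`: no scheme (e.g. javascript:),
    # no host, and no backslashes, which browsers normalise to '/' so that
    # "/\host" turns into a protocol-relative "//host" redirect.
    if next_url and '\\' not in next_url:
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)

    return redirect(url_for('home.index'))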
def ldap_test():
    """Probe the configured LDAP server and report the outcome via flash.

    Always redirects back to the ``config.ldap`` page; success or failure
    is communicated solely through the flashed message.
    """
    connector = Provider().ldap()

    if connector.test_connection():
        flash('Connection established!', 'success')
        return redirect(url_for('config.ldap'))

    # Prefer the connector's own error text when it has any, otherwise a
    # generic message.
    detail = connector.error_details
    if len(detail) == 0:
        detail = 'Could not connect to LDAP Server'
    flash('LDAP Response: {0}'.format(detail), 'error')
    return redirect(url_for('config.ldap'))
def login():
    """Render the login form, or send an already authenticated user home.

    The ``next`` query parameter is only echoed into the template here; it
    is not followed until ``login_process`` has checked it.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    directory = provider.ldap()
    radius_server = provider.radius()

    # The form shows an auth-method selector only when both external
    # backends are switched on.
    both_external = directory.enabled and radius_server.enabled
    return render_template(
        'auth/login.html',
        next=request.args.get('next', ''),
        multiauth=both_external,
    )
def profile():
    """Render the account profile page for the logged-in user."""
    provider = Provider()
    users = provider.users()
    directory = provider.ldap()

    account = users.get_user(current_user.id)
    # Tells the template whether the e-mail address is supplied by an LDAP
    # attribute mapping rather than edited locally.
    email_is_mapped = len(directory.mapping_email) > 0
    complexity_text = users.password_complexity.get_requirement_description()

    return render_template(
        'config/account/profile/general.html',
        user=account,
        has_email_mapping=email_is_mapped,
        password_complexity=complexity_text,
    )
def profile():
    """Render the account profile page for the logged-in user.

    Besides the user record, the template receives the user's auth type
    (lower-cased name) and whether LDAP password changes are enabled, so
    it can decide which fields to offer.
    """
    provider = Provider()
    users = provider.users()
    directory = provider.ldap()

    account = users.get_user(current_user.id)
    auth_type_name = users.get_authtype(id=account.auth_type_id).name

    # Whether the e-mail address comes from an LDAP attribute mapping.
    email_is_mapped = len(directory.mapping_email) > 0
    complexity_text = users.password_complexity.get_requirement_description()

    return render_template(
        'config/account/profile/general.html',
        user=account,
        has_email_mapping=email_is_mapped,
        password_complexity=complexity_text,
        auth_type=auth_type_name.lower(),
        ldap_pwdchange=directory.pwchange,
    )
def ldap_changepwd_process():
    """Handle the expired-LDAP-password form POST.

    Requires a pending password-change ticket in the session
    (``ldap_username`` / ``ldap_time``, written by the login view when the
    directory reports a password change is needed). The ticket is only
    honoured for 120 seconds and is cleared on every exit path before the
    directory is contacted, so it cannot be replayed.

    Returns:
        A redirect back to the change form with a flashed validation
        error, or to ``auth.login`` once the ticket is consumed (whether
        the directory accepted the new password or not).
    """
    provider = Provider()
    users = provider.users()
    directory = provider.ldap()

    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    current_pw = request.form['password'].strip()
    new_pw = request.form['new_password'].strip()
    confirm_pw = request.form['confirm_password'].strip()

    def abandon_ticket():
        # Drop the session ticket and send the user back to the login page.
        session.pop('ldap_username', None)
        session.pop('ldap_time', None)
        return redirect(url_for('auth.login', next=next_url))

    username = session.get('ldap_username', '')
    issued_at = session.get('ldap_time', 0)
    if len(username) == 0 or int(time.time()) > issued_at + 120:
        return abandon_ticket()

    account = users.get_ldap_user(username)
    if not account:
        return abandon_ticket()

    # NOTE(review): the endpoint below is given without the blueprint
    # prefix used elsewhere ('auth.login'); confirm url_for resolves it.
    if len(current_pw) == 0:
        flash('Please enter your current password', 'error')
        return redirect(url_for('ldap_changepwd', next=next_url))
    if len(new_pw) == 0 or len(confirm_pw) == 0:
        flash('Please enter your new password', 'error')
        return redirect(url_for('ldap_changepwd', next=next_url))
    if new_pw != confirm_pw:
        flash('New passwords do not match', 'error')
        return redirect(url_for('ldap_changepwd', next=next_url))

    # Single-use: clear the ticket before talking to the directory.
    session.pop('ldap_username', None)
    session.pop('ldap_time', None)

    # The current password is verified by the directory itself as part of
    # the change; any policy on the new password is enforced there too.
    if not directory.update_password_ad(account.username, current_pw, new_pw):
        flash('Could not update password', 'error')
        return redirect(url_for('auth.login', next=next_url))

    flash('Password updated - please login again', 'success')
    return redirect(url_for('auth.login', next=next_url))
def ldap_changepwd():
    """Render the LDAP password-change form for a pending ticket.

    Only reachable while the feature is enabled (``ldap.pwchange``) and the
    session holds a ticket (``ldap_username`` / ``ldap_time``) younger than
    120 seconds; otherwise the ticket is cleared and the user is sent back
    to the login page.
    """
    directory = Provider().ldap()

    next_url = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    if not directory.pwchange:
        return redirect(url_for('auth.login', next=next_url))

    username = session.get('ldap_username', '')
    issued_at = session.get('ldap_time', 0)
    if len(username) == 0 or int(time.time()) > issued_at + 120:
        # Missing or stale ticket: clear it so it cannot linger in the session.
        session.pop('ldap_username', None)
        session.pop('ldap_time', None)
        return redirect(url_for('auth.login', next=next_url))

    return render_template('auth/ldap_password.html',
                           next=request.args.get('next', ''))
def ldap():
    """Render the LDAP settings page with the selectable auth methods."""
    # Local is named `connector` to avoid shadowing this view function.
    connector = Provider().ldap()
    methods = connector.get_supported_auth_methods()
    return render_template('config/system/ldap.html', auth_types=methods)
def profile_save():
    """Handle the profile form POST for the logged-in user.

    Which fields are editable depends on the account's auth type: LDAP
    accounts may change their e-mail only when no LDAP e-mail mapping is
    configured; local accounts may change full name and e-mail. A password
    change is attempted only when all three password fields are filled in
    (LDAP accounts additionally need ``ldap.pwchange`` enabled).

    Returns:
        A redirect to ``config.profile`` with a flashed success or error
        message. After a successful password change the session is logged
        out so the user has to re-authenticate.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    # Coarse syntax check only: something@something.tld.
    email_regex = re.compile(r"[^@]+@[^@]+\.[^@]+")

    user = users.get_user(current_user.id)
    auth_type = users.get_authtype(id=user.auth_type_id)
    if not auth_type:
        flash('Invalid authentication type', 'error')
        return redirect(url_for('config.profile'))

    # Username / Name / Email change
    if auth_type.name.lower() == 'ldap':
        # With a mapping the address is owned by the directory, so it is
        # not editable here.
        has_email_mapping = (len(ldap.mapping_email) > 0)
        if not has_email_mapping:
            email = request.form['email'].strip().lower().replace(' ', '')
            if len(email) == 0 or not email_regex.match(email):
                flash('Invalid e-mail', 'error')
                return redirect(url_for('config.profile'))
            user = users.update_property(current_user.id, 'email', email)
    elif auth_type.name.lower() == 'local':
        full_name = request.form['full_name'].strip()
        email = request.form['email'].strip().lower().replace(' ', '')

        if len(full_name) == 0:
            flash('Invalid full name', 'error')
            return redirect(url_for('config.profile'))
        elif len(email) == 0 or not email_regex.match(email):
            flash('Invalid e-mail', 'error')
            return redirect(url_for('config.profile'))

        user = users.update_property(current_user.id, 'email', email)
        user = users.update_property(current_user.id, 'full_name', full_name)

    # Password change
    if (auth_type.name.lower() == 'ldap' and ldap.pwchange) or (auth_type.name.lower() == 'local'):
        existing_password = request.form['existing_password'].strip()
        new_password = request.form['new_password'].strip()
        confirm_password = request.form['confirm_password'].strip()

        # NOTE(review): this guard already requires all three fields to be
        # non-empty, so the two `== 0` checks inside it can never fire; a
        # request that fills only some of the fields skips the password
        # change silently and still ends with 'Profile updated'.
        if len(existing_password) > 0 and len(new_password) > 0 and len(confirm_password) > 0:
            if len(existing_password) == 0:
                flash('Please enter your existing password', 'error')
                return redirect(url_for('config.profile'))
            elif len(new_password) == 0:
                flash('Please enter your new password', 'error')
                return redirect(url_for('config.profile'))
            elif new_password != confirm_password:
                flash('New passwords do not match', 'error')
                return redirect(url_for('config.profile'))

            if auth_type.name.lower() == 'ldap':
                # The directory verifies the existing password as part of
                # the change, so it is not re-checked locally.
                if not ldap.update_password_ad(user.username, existing_password, new_password):
                    if len(ldap.error_message) > 0:
                        flash(ldap.error_message, 'error')
                    else:
                        flash('Could not update password', 'error')
                    return redirect(url_for('config.profile'))
            elif auth_type.name.lower() == 'local':
                # Re-authenticate with the existing password before the
                # change (a hijacked session alone is not enough).
                if not users.validate_user_password(current_user.id, existing_password):
                    flash('Invalid existing password', 'error')
                    return redirect(url_for('config.profile'))
                # NOTE(review): the flash() call below is garbled in this
                # listing (the `******` is not valid Python); restore the
                # original expression from the repository.
                elif not users.update_user_password(current_user.id, new_password):
                    flash('Could not update password: '******'error')
                    return redirect(url_for('config.profile'))

            # Force the user to re-login.
            users.logout_session(current_user.id)

            flash('Please login with your new password', 'success')
            return redirect(url_for('config.profile'))

    flash('Profile updated', 'success')
    return redirect(url_for('config.profile'))
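def login_process():
    """Handle the login form POST: local accounts first, then LDAP.

    Reads ``username``, ``password`` and ``next`` from ``request.form``.
    A local (non-LDAP) account with a matching username always wins;
    otherwise, when LDAP is enabled, the directory is asked and a local
    record for the directory user is created on first login.

    Returns:
        A redirect: to ``next`` when it is a same-site path, to
        ``home.index`` on success, to ``auth.ldap_changepwd`` when the
        directory demands a password change, or back to ``auth.login``
        with a flashed error on failure.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()

    username = request.form['username']
    password = request.form['password']
    # Attacker-controlled; only followed after the same-site check at the
    # end of the view.
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())

    # First check if user is local. Local users take priority.
    user = UserModel.query.filter(and_(func.lower(UserModel.username) == func.lower(username), UserModel.ldap == 0)).first()
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
    elif ldap.is_enabled():
        ldap_result = ldap.authenticate(username, password)
        if ldap_result is False:
            # NOTE(review): the connector's error text is shown verbatim to
            # an unauthenticated user; confirm it never carries server-side
            # detail (host, bind DN, stack trace) before relying on it.
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
        elif ldap_result['result'] == ldap.AUTH_SUCCESS:
            ldap_user = ldap_result['user']
        elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
            # Short-lived ticket consumed by the ldap_changepwd views.
            session['ldap_username'] = username
            session['ldap_time'] = int(time.time())
            flash('Your LDAP password has expired or needs changing', 'error')
            return redirect(url_for('auth.ldap_changepwd', next=next_url))
        elif ldap_result['result'] == ldap.AUTH_LOCKED:
            flash('Your AD account is disabled', 'error')
            return redirect(url_for('auth.login', next=next_url))
        else:
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))

        # Every non-success branch above returned, so ldap_user is bound here.
        user = users.get_ldap_user(ldap_user['username'])
        if not user:
            # First login of this directory user: create the local record.
            user = users.create_ldap_user(ldap_user['username'], ldap_user['fullname'], ldap_user['email'])
            if not user:
                flash('Could not create LDAP user', 'error')
                return redirect(url_for('auth.login', next=next_url))
    else:
        # Same generic message as a wrong password, so the response does
        # not reveal whether the username exists.
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # The user exists and the password checked out; now enforce the
    # disabled flag. Truthiness rather than `is False` so that a 0 or None
    # stored in `active` also counts as disabled (fail closed).
    if not user.active:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative, same-site `next`: no scheme (e.g. javascript:),
    # no host, and no backslashes, which browsers normalise to '/' so that
    # "/\host" turns into a protocol-relative "//host" redirect.
    if next_url and '\\' not in next_url:
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)

    return redirect(url_for('home.index'))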
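def login_process():
    """Handle the login form POST: local accounts first, then LDAP.

    Reads ``username``, ``password`` and ``next`` from ``request.form``
    (username and password are whitespace-stripped). A local account with
    a matching username wins; otherwise, when LDAP is enabled, the
    directory is asked and a local record plus a DNS base zone are created
    on the user's first login. Users with 2FA enabled are parked in the
    session and sent to the OTP step instead of being logged in here.

    Returns:
        A redirect: to ``next`` when it is a same-site path, to
        ``home.index`` on success, to ``auth.login_2fa`` or
        ``auth.ldap_changepwd`` for the intermediate steps, or back to
        ``auth.login`` with a flashed error on failure.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    # Stripping means a password with leading/trailing whitespace is not
    # accepted as typed; kept as-is because stored hashes may depend on it.
    username = request.form['username'].strip()
    password = request.form['password'].strip()

    # Attacker-controlled; only followed after the same-site check at the
    # end of the view.
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    zones = provider.dns_zones()

    # First lookup local users.
    user = users.find_user_login(username, False)
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
    elif ldap.enabled:
        ldap_result = ldap.authenticate(username, password)
        if ldap_result is False:
            # NOTE(review): the connector's error text is shown verbatim to
            # an unauthenticated user; confirm it never carries server-side
            # detail (host, bind DN, stack trace) before relying on it.
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))
        elif ldap_result['result'] == ldap.AUTH_SUCCESS:
            ldap_user = ldap_result['user']
        elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
            # Short-lived ticket consumed by the ldap_changepwd views.
            session['ldap_username'] = username
            session['ldap_time'] = int(time.time())
            flash('Your LDAP password has expired or needs changing', 'error')
            return redirect(url_for('auth.ldap_changepwd', next=next_url))
        elif ldap_result['result'] == ldap.AUTH_LOCKED:
            flash('Your AD account is disabled', 'error')
            return redirect(url_for('auth.login', next=next_url))
        else:
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next_url))

        # Now see if the user exists (every non-success branch returned above).
        user = users.find_user_login(username, True)
        if not user:
            # Doesn't exist yet, we'll have to create them now.
            # NOTE(review): the directory password is handed to users.save();
            # whether it is hashed, ignored or stored for an LDAP account
            # depends on save() — confirm, since an external credential
            # should not become usable as a local one.
            user = users.save(0, ldap_user['username'].lower(), password,
                              ldap_user['fullname'], ldap_user['email'], False,
                              True, True)
            if not user:
                flash(
                    'Could not create LDAP user: {0}'.format(users.last_error),
                    'error')
                return redirect(url_for('auth.login', next=next_url))

            # Now we need to create a zone for that user.
            if not zones.create_user_base_zone(user):
                flash(
                    'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.',
                    'error')
                return redirect(url_for('auth.login', next=next_url))
    else:
        # Same generic message as a wrong password, so the response does
        # not reveal whether the username exists.
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Forward to 2FA validation if it's enabled. The user is NOT logged in
    # yet; only the pending user id and a timestamp go into the session.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next_url))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative, same-site `next`: no scheme (e.g. javascript:),
    # no host, and no backslashes, which browsers normalise to '/' so that
    # "/\host" turns into a protocol-relative "//host" redirect.
    if next_url and '\\' not in next_url:
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)

    return redirect(url_for('home.index'))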
def __auth_ldap(username, password):
    """Authenticate ``username`` / ``password`` against the configured LDAP.

    Returns:
        A ``(result, error_message)`` pair: ``result`` is whatever
        ``ldap.authenticate`` returns (``False`` on failure; see
        ``login_process`` for how a successful result is consumed) and
        ``error_message`` is the connector's error text after the attempt.
    """
    directory = Provider().ldap()
    outcome = directory.authenticate(username, password)
    return outcome, directory.error_message
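def login_process():
    """Handle the login form POST across local, LDAP and RADIUS backends.

    Reads ``username``, ``password``, ``next`` and (optionally) ``auth``
    from ``request.form``. With a single external backend enabled, local
    auth is tried first and the external backend second; when both LDAP
    and RADIUS are enabled the form must name the backend in ``auth``
    and only that one is tried. On the first successful external login a
    local record and a DNS base zone are created. Users with 2FA enabled
    are parked in the session and sent to the OTP step.

    Returns:
        A redirect: to ``next`` when it is a same-site path, to
        ``home.index`` on success, to ``auth.login_2fa`` or
        ``auth.ldap_changepwd`` for the intermediate steps, or back to
        ``auth.login`` with a flashed error on failure.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    # Stripping means a password with leading/trailing whitespace is not
    # accepted as typed; kept as-is because stored hashes may depend on it.
    username = request.form['username'].strip()
    password = request.form['password'].strip()

    # Attacker-controlled; only followed after the same-site check at the
    # end of the view.
    next_url = urllib.parse.unquote_plus(request.form['next'].strip())
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    radius = provider.radius()
    zones = provider.dns_zones()

    # If more than one external methods are defined, the user has to specify which one they want to authenticate
    # against, as we won't be trying each and every one until we get a hit. If only one method is enabled (ie LDAP) then
    # LOCAL auth will be tried first and then it will try LDAP.
    multiauth = ldap.enabled and radius.enabled
    auth = request.form['auth'].strip().lower(
    ) if 'auth' in request.form else ''

    login_result = False
    fullname = ''
    email = ''

    if (multiauth is False) or (multiauth is True and auth == 'local'):
        auth = 'local'  # For when multiauth = False.
        login_result = __auth_local(username, password)

    if (login_result is False) and ldap.enabled:
        if (multiauth is False) or (multiauth is True and auth == 'ldap'):
            auth = 'ldap'
            ldap_result, error_message = __auth_ldap(username, password)
            if ldap_result is False:
                # NOTE(review): the connector's error text is shown verbatim
                # to an unauthenticated user; confirm it never carries
                # server-side detail before relying on it.
                error_message = error_message if len(
                    error_message) > 0 else 'Invalid credentials'
                flash(error_message, 'error')
                return redirect(url_for('auth.login', next=next_url))
            elif ldap_result['result'] == ldap.AUTH_SUCCESS:
                login_result = True
                fullname = ldap_result['user']['fullname'].lower()
                email = ldap_result['user']['email'].lower()
            elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
                if ldap.pwchange:
                    # Short-lived ticket consumed by the ldap_changepwd views.
                    session['ldap_username'] = username
                    session['ldap_time'] = int(time.time())
                    flash('Your LDAP password has expired or needs changing',
                          'error')
                    return redirect(url_for('auth.ldap_changepwd', next=next_url))
                else:
                    flash('Your LDAP password has expired or needs changing',
                          'error')
                    return redirect(url_for('auth.login', next=next_url))
            elif ldap_result['result'] == ldap.AUTH_LOCKED:
                flash('Your AD account is disabled', 'error')
                return redirect(url_for('auth.login', next=next_url))
            else:
                flash('Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next_url))

    if (login_result is False) and radius.enabled:
        if (multiauth is False) or (multiauth is True and auth == 'radius'):
            auth = 'radius'
            radius_result, error_message = __auth_radius(username, password)
            if radius_result is False:
                error_message = error_message if len(
                    error_message) > 0 else 'Invalid credentials'
                flash(error_message, 'error')
                return redirect(url_for('auth.login', next=next_url))
            login_result = radius_result
            # RADIUS yields no profile attributes, so the username doubles
            # as the display name.
            fullname = username.lower()
            email = ''

    if login_result is False:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Check to see if the user exists. This will return false only if it's the first login of an external user.
    # NOTE(review): the lookup is by username only, with no auth-type
    # filter, so a local account and an external account with the same
    # username resolve to the same record; confirm find_user_login keys on
    # the auth type too, otherwise an external credential grants access to
    # the same-named local account.
    user = users.find_user_login(username)
    if not user:
        # NOTE(review): the external password is handed to users.save();
        # whether it is hashed, ignored or stored for an external account
        # depends on save() — confirm, since an external credential should
        # not become usable as a local one.
        user = users.save(0, username.lower(), password, fullname.lower(),
                          email.lower(), False, auth, True)
        if not user:
            flash(
                'Could not create external user: {0}'.format(users.last_error),
                'error')
            return redirect(url_for('auth.login', next=next_url))

        # Now create the default zone for that user.
        if not zones.create_user_base_zone(user):
            flash(
                'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.',
                'error')
            return redirect(url_for('auth.login', next=next_url))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next_url))

    # Forward to 2FA validation if it's enabled. The user is NOT logged in
    # yet; only the pending user id and a timestamp go into the session.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next_url))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Only follow a relative, same-site `next`: no scheme (e.g. javascript:),
    # no host, and no backslashes, which browsers normalise to '/' so that
    # "/\host" turns into a protocol-relative "//host" redirect.
    if next_url and '\\' not in next_url:
        target = url_parse(next_url)
        if target.scheme == '' and target.netloc == '':
            return redirect(next_url)

    return redirect(url_for('home.index'))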
def profile_save():
    """Handle the profile form POST for the logged-in user.

    LDAP accounts may change their e-mail only when no LDAP e-mail mapping
    is configured. Local accounts may change full name and e-mail, and
    additionally their password when all three password fields are filled.

    Returns:
        A redirect to ``config.profile`` with a flashed success or error
        message. After a successful password change the session is logged
        out so the user has to re-authenticate.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    # Coarse syntax check only: something@something.tld.
    email_regex = re.compile(r"[^@]+@[^@]+\.[^@]+")

    user = users.get_user(current_user.id)
    if user.ldap:
        # With a mapping the address is owned by the directory, so it is
        # not editable here.
        has_email_mapping = (len(ldap.mapping_email) > 0)
        if not has_email_mapping:
            email = request.form['email'].strip().lower().replace(' ', '')
            if len(email) == 0 or not email_regex.match(email):
                flash('Invalid e-mail', 'error')
                return redirect(url_for('config.profile'))
            user = users.update_property(current_user.id, 'email', email)
    else:
        full_name = request.form['full_name'].strip()
        email = request.form['email'].strip().lower().replace(' ', '')

        existing_password = request.form['existing_password'].strip()
        new_password = request.form['new_password'].strip()
        confirm_password = request.form['confirm_password'].strip()

        if len(full_name) == 0:
            flash('Invalid full name', 'error')
            return redirect(url_for('config.profile'))
        elif len(email) == 0 or not email_regex.match(email):
            flash('Invalid e-mail', 'error')
            return redirect(url_for('config.profile'))

        # Name/e-mail are persisted before the password section runs, so
        # they stay updated even if the password change fails below.
        user = users.update_property(current_user.id, 'email', email)
        user = users.update_property(current_user.id, 'full_name', full_name)

        # NOTE(review): this guard already requires all three fields to be
        # non-empty, so the two `== 0` checks inside it can never fire; a
        # request that fills only some of the fields skips the password
        # change silently and still ends with 'Profile updated'.
        if len(existing_password) > 0 and len(new_password) > 0 and len(confirm_password) > 0:
            # Password change as well.
            if len(existing_password) == 0:
                flash('Please enter your existing password', 'error')
                return redirect(url_for('config.profile'))
            elif len(new_password) == 0:
                flash('Please enter your new password', 'error')
                return redirect(url_for('config.profile'))
            elif new_password != confirm_password:
                flash('New passwords do not match', 'error')
                return redirect(url_for('config.profile'))

            # Re-authenticate with the existing password before the change
            # (a hijacked session alone is not enough).
            if not users.validate_user_password(current_user.id, existing_password):
                flash('Invalid existing password', 'error')
                return redirect(url_for('config.profile'))
            # NOTE(review): the flash() call below is garbled in this
            # listing (the `******` is not valid Python); restore the
            # original expression from the repository.
            elif not users.update_user_password(current_user.id, new_password):
                flash('Could not update password: '******'error')
                return redirect(url_for('config.profile'))

            # Force the user to re-login.
            users.logout_session(current_user.id)

            flash('Please login with your new password', 'success')
            return redirect(url_for('config.profile'))

    flash('Profile updated', 'success')
    return redirect(url_for('config.profile'))