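def cli_zones_import(file, user_id):
    """CLI entry point: import a zone file on behalf of ``user_id``.

    Steps, each of which prints a message and returns False on failure:
    look the user up, make sure ``file`` is identified as a zone import,
    review it (row-level problems are printed as a table), then run it.

    Args:
        file: path of the import file, passed straight to the import manager.
        user_id: id of the user the imported zones are created for.

    Returns:
        True when the import ran successfully, False otherwise.
    """
    provider = Provider()
    import_manager = provider.dns_import()
    users = provider.users()

    user = users.get_user(user_id)
    if not user:
        print("Could not find user with ID: {0}".format(user_id))
        return False

    import_type = import_manager.identify(file)
    if import_type != import_manager.IMPORT_TYPE_ZONE:
        print("Invalid import file: {0}".format(import_manager.last_error))
        return False

    data = import_manager.review(file, import_type, user.id, show_progressbar=True)
    if not data:
        print("Could not load file: {0}".format(import_manager.last_error))
        return False

    # Row-level problems found during review abort the import before
    # anything is written.
    if len(data['errors']) > 0:
        errors = [[error['row'], error['error']] for error in data['errors']]
        print(tabulate.tabulate(errors, ['row', 'error']))
        return False

    result = import_manager.run(data['data'], import_type, user.id, show_progressbar=True)

    # Fix: the original did ``if result: return True`` and then looped over
    # ``result`` to print errors - but that loop only ran when ``result`` was
    # falsy, so it could never print anything, and a non-empty list of errors
    # would have been reported as success.  run()'s exact contract is not
    # visible here (presumably True, or False / a list of error strings -
    # confirm), so: a truthy non-list is success, anything else is failure.
    if result and not isinstance(result, (list, tuple)):
        return True

    errors = list(result) if isinstance(result, (list, tuple)) else []
    for error in errors:
        print(error)
    if not errors and import_manager.last_error:
        # Mirror identify()/review(): surface the manager's own error text.
        print("Import failed: {0}".format(import_manager.last_error))

    return False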
def export():
    """Run the current log search without pagination and return it as CSV.

    The file is written into the current user's data directory under a
    timestamp-based name (``<epoch>.csv``) and then streamed back as
    ``snitch_logs_<epoch>.csv``.  The on-disk copy is not removed here.
    On a write failure the user is returned to the log index with an
    error flash.

    NOTE(review): the rows originate from DNS query logs, i.e. data an
    outside party can influence.  Whether save_results_csv() neutralises
    cells starting with '=', '+', '-' or '@' (spreadsheet formula
    injection) is not visible from here - confirm before relying on it.
    """
    provider = Provider()
    search = provider.search()
    logs = provider.dns_logs()
    users = provider.users()

    # Names and destination path.
    filename = '{0}.csv'.format(int(time.time()))
    download_filename = 'snitch_logs_' + filename
    save_results_as = users.get_user_data_path(current_user.id,
                                               filename=filename)

    # Same search as the index page, but every row at once.
    rows = search.search_from_request(request, paginate=False,
                                      method='get')['results']

    if not logs.save_results_csv(rows, save_results_as, overwrite=True):
        flash('Could not generate CSV file.', 'error')
        return redirect(url_for('logs.index'))

    return send_file(save_results_as,
                     attachment_filename=download_filename,
                     as_attachment=True)
def login_2fa():
    """Render the TOTP entry page for a login that passed the first step.

    The first step is expected to have put ``otp_userid`` and ``otp_time``
    into the session; this page is only valid for 120 seconds after
    ``otp_time``.  No pending user, an expired window, or an unknown user
    id all send the browser back to the login form, carrying ``next``.
    """
    next = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    users = Provider().users()

    pending_id = int(session.get('otp_userid', 0))
    started_at = int(session.get('otp_time', 0))

    # Two-minute window for completing the second factor.
    expired = int(time.time()) > started_at + 120
    if pending_id <= 0 or expired:
        session.pop('otp_userid', None)
        session.pop('otp_time', None)
        return redirect(url_for('auth.login', next=next))

    if not users.get_user(pending_id):
        return redirect(url_for('auth.login', next=next))

    return render_template('auth/login_2fa.html',
                           next=request.args.get('next', ''))
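def user_save(user_id):
    """Create or update a user from the admin edit form (admins only).

    Args:
        user_id: id of the user being edited (0 presumably creates a new
            one, as in the CLI helpers - confirm against users.save()).

    Form fields: ``username``, ``password``, ``full_name``, ``email`` (text,
    stripped) and ``admin``, ``ldap``, ``active`` (integer flags, default 0).
    On success redirects to the user list; on failure back to the edit form
    with the users service's last error flashed.
    """
    if not current_user.admin:
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))

    form = request.form
    username = form.get('username', '').strip()
    password = form.get('password', '').strip()
    full_name = form.get('full_name', '').strip()
    email = form.get('email', '').strip()

    # Fix: the original called int() directly on the submitted flag values,
    # so a tampered checkbox value ('true', 'x', ...) raised ValueError and
    # produced a 500 instead of a validation error.
    try:
        admin = int(form.get('admin', 0))
        ldap = int(form.get('ldap', 0))
        active = int(form.get('active', 0))
    except ValueError:
        flash('Invalid value for the admin/ldap/active flags', 'error')
        return redirect(url_for('admin.user_edit', user_id=user_id))

    provider = Provider()
    users = provider.users()

    if not users.save(user_id, username, password, full_name, email, admin,
                      ldap, active):
        flash(users.get_last_error(), 'error')
        return redirect(url_for('admin.user_edit', user_id=user_id))

    flash('User saved', 'success')
    return redirect(url_for('admin.users'))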
def index():
    """Home page: log search results plus zone/alias summary.

    Deliberately not decorated with @login_required: when no user exists at
    all the request is sent to the installer so the administrator can be
    created.  Only after that check does it require an authenticated user.
    Admins see every alias; other users only their own.
    """
    provider = Provider()
    zones = provider.dns_zones()
    users = provider.users()

    # Fresh install: nobody can log in yet, so bootstrap the admin first.
    if users.count() == 0:
        return redirect(url_for('install.index'))

    if not current_user.is_authenticated:
        return redirect(url_for('auth.login'))

    results = provider.search().search_from_request(request)
    alias_owner = None if current_user.admin else current_user.id
    aliases = provider.aliases().get_dict(alias_owner)

    return render_template(
        'home/index.html',
        results=results['results'],
        params=results['params'],
        page_url='home.index',
        zone_count=zones.count(user_id=current_user.id),
        aliases=aliases)
def logout():
    """End the current session on both the application and Flask-Login side.

    users.logout_session() is called first so any server-side session
    record is invalidated before the login cookie is cleared.
    """
    users = Provider().users()
    users.logout_session(current_user.id)
    logout_user()

    return redirect(url_for('auth.login'))
def ldap_changepwd():
    """Render the LDAP password-change form for a pending LDAP login.

    ``ldap_username`` / ``ldap_time`` in the session identify the pending
    user; the form is valid for 120 seconds.  Missing or expired markers,
    or a username that no longer resolves to an LDAP user, clear the
    markers and return the browser to the login page with ``next``.
    """
    users = Provider().users()

    next = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    username = session.get('ldap_username', '')
    ldap_time = session.get('ldap_time', 0)

    def back_to_login():
        session.pop('ldap_username', None)
        session.pop('ldap_time', None)
        return redirect(url_for('auth.login', next=next))

    if len(username) == 0 or int(time.time()) > (ldap_time + 120):
        return back_to_login()

    if not users.get_ldap_user(username):
        return back_to_login()

    return render_template('auth/ldap_password.html',
                           next=request.args.get('next', ''))
def save():
    """Installer POST: create the very first (administrator) account.

    Refuses with a flash if any user already exists, requires all four form
    fields to be non-empty after stripping, then calls users.save() with
    admin=1, ldap=0, active=1.

    NOTE(review): the "no users yet" check and the save are not atomic, so
    two concurrent first requests could both pass the check; whether
    users.save() guards against that is not visible here.
    """
    users = Provider().users()

    if users.get_user_count() > 0:
        flash('Application has already been configured.', 'error')
        return redirect(url_for('home.index'))

    fields = {name: request.form[name].strip()
              for name in ('username', 'password', 'full_name', 'email')}

    if not all(fields.values()):
        flash('Please fill in all the fields', 'error')
        return redirect(url_for('install.index'))

    created = users.save(0, fields['username'], fields['password'],
                         fields['full_name'], fields['email'], 1, 0, 1)
    if not created:
        flash(
            'Could not create user - make sure the database file is writable',
            'error')
        return redirect(url_for('install.index'))

    flash('Please login as the newly created administrator', 'success')
    return redirect(url_for('home.index'))
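def login_process():
    """Handle the login form: local users first, then LDAP if enabled.

    Reads ``username``, ``password`` and ``next`` from the POSTed form.  A
    local (``ldap == 0``) account always takes priority; LDAP is only tried
    when it is enabled and the ``allow_logins`` setting is 1.  Every
    credential failure flashes the same 'Invalid credentials' text so
    usernames are not enumerable through the message.  On success the user
    is logged in, the login is recorded, system.run_updates() runs and the
    browser is sent to ``next`` (same-site paths only) or the home page.

    NOTE(review): this version performs no second-factor handoff even though
    login_2fa_process() exists in this codebase; if TOTP is supported here,
    users with a secret should be sent to auth.login_2fa (with
    otp_userid/otp_time in the session) instead of login_user().  Confirm.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()
    settings = provider.settings()

    username = request.form['username']
    password = request.form['password']
    next = urllib.parse.unquote_plus(request.form['next'].strip())

    allow_logins = int(settings.get('allow_logins', 0))

    def invalid_credentials():
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next))

    # First check if user is local. Local users take priority.
    user = UserModel.query.filter(
        and_(
            func.lower(UserModel.username) == func.lower(username),
            UserModel.ldap == 0)).first()
    if user:
        if not users.validate_password(user.password, password):
            return invalid_credentials()
    elif ldap.is_enabled() and allow_logins == 1:
        if not ldap.authenticate(username, password, True):
            return invalid_credentials()
        # The local shadow account is presumably created by authenticate()
        # (third argument True); here it is only looked up.
        user = UserModel.query.filter(
            and_(
                func.lower(UserModel.username) == func.lower(username),
                UserModel.ldap == 1)).first()

        if not user:
            flash(
                'Could not create your local account. Please contact the administrator.',
                'error')
            return redirect(url_for('auth.login', next=next))
    else:
        # NOTE(review): an unknown username with LDAP off returns without any
        # password-hash work, so response time differs from the
        # wrong-password case (user enumeration by timing).  A dummy
        # validate_password() call here would even that out.
        return invalid_credentials()

    # Fix: the original tested ``user.active is False``, which only matches
    # the Python False object.  user_save() and the installer pass this
    # column as an int, so a stored 0 (or None) would have slipped past the
    # check; testing truthiness honours every representation and fails
    # closed.
    if not user.active:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Open-redirect guard.  url_parse() alone is not enough: it reports an
    # empty netloc for '/\\evil.example' and '///evil.example', both of which
    # browsers normalise to '//evil.example'.  Only a single leading slash
    # not followed by '/' or '\\' is accepted as a same-site path; this also
    # drops scheme-style targets such as 'javascript:'.
    if (next and next.startswith('/')
            and not next.startswith(('//', '/\\'))
            and url_parse(next).netloc == ''):
        return redirect(next)

    return redirect(url_for('home.index'))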
def __auth_local(username, password):
    """Check ``password`` against the stored hash of the local user ``username``.

    Returns True only when a local ('local' auth type) user with that name
    exists and users.validate_password() accepts the password; False
    otherwise.

    NOTE(review): an unknown username short-circuits before any hash
    comparison, so the two failure cases are distinguishable by timing.
    """
    users = Provider().users()
    account = users.find_user_login(username, 'local')

    return bool(account and users.validate_password(account.password, password))
def index():
    """Installer landing page; only reachable while no user exists yet.

    Once any account has been created the route flashes an error and
    redirects to the home page, so the installer cannot be re-run.
    """
    users = Provider().users()

    already_installed = users.get_user_count() > 0
    if already_installed:
        flash('Application has already been configured.', 'error')
        return redirect(url_for('home.index'))

    return render_template('install/index.html')
def user_logins():
    """System config page listing login records.

    Calls users.get_user_logins(0); the admin variant logins() below uses
    the same argument, so 0 presumably means "all users" - confirm.

    NOTE(review): unlike logins() in the admin blueprint, this function has
    no in-body ``current_user.admin`` check.  Make sure the route (or its
    blueprint) is guarded by an admin decorator, otherwise every
    authenticated user can read everyone's login history.
    """
    users = Provider().users()
    records = users.get_user_logins(0)

    return render_template('config/system/users/logins.html',
                           logins=records)
def logins():
    """Admin page listing login records for all users (admins only).

    Non-admins are bounced to the home page with an 'Access Denied' flash.
    The 0 passed to get_user_logins() presumably selects every user - confirm.
    """
    if not current_user.admin:
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))

    records = Provider().users().get_user_logins(0)

    return render_template('admin/users/logins.html', logins=records)
def settings(user_id):
    """Account settings page; a user may only open their own.

    Any ``user_id`` other than the current user's is rejected with an
    'Access denied' flash and a redirect to the home page.
    """
    if user_id != current_user.id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))

    account = Provider().users().get_by_id(current_user.id)

    return render_template('account/settings.html', user=account)
def logins(user_id):
    """Show the current user's own login history.

    Requesting any other ``user_id`` is rejected with an 'Access denied'
    flash and a redirect to the home page.
    """
    if user_id != current_user.id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))

    records = Provider().users().get_user_logins(user_id)

    return render_template('account/logins.html', logins=records)
def profile():
    """Render the current user's general profile page.

    Template inputs: the user record, whether LDAP has an e-mail attribute
    mapping configured (non-empty ``ldap.mapping_email``), and the
    human-readable password complexity requirement.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    account = users.get_user(current_user.id)
    email_mapped = len(ldap.mapping_email) > 0
    complexity = users.password_complexity.get_requirement_description()

    return render_template(
        'config/account/profile/general.html',
        user=account,
        has_email_mapping=email_mapped,
        password_complexity=complexity
    )
def cli_users_update(username, password, full_name, email, active, admin, ldap,
                     update_password):
    """CLI entry point: update an existing user's details.

    Args:
        username: name of the user to update (any auth type).
        password: new password from the command line; may be empty.
        full_name, email: new values, passed through to users.save().
        active, admin, ldap: string flags ('true'/'yes' = on) or None to
            keep the user's current value.
        update_password: when False the stored password is kept as-is.

    Only when the password is prompted for interactively (update requested,
    nothing given on the command line, non-LDAP user) is it complexity
    checked and hashed by users.save().

    NOTE(review): a password supplied on the command line is handed to
    users.save() with hash_password=False, i.e. stored exactly as given.
    Whether that argument is expected to be a pre-computed hash is not
    visible here - confirm, or a plaintext password ends up in the database.

    Returns:
        True on success, False (after printing the reason) otherwise.
    """
    users = Provider().users()

    user = users.find_user_login(username, None)
    if not user:
        print("Could not find user")
        return False

    def resolve_flag(given, current):
        # None keeps the existing value; otherwise parse the CLI string.
        return current if given is None else (given in ['true', 'yes'])

    active = resolve_flag(active, user.active)
    admin = resolve_flag(admin, user.admin)
    ldap = resolve_flag(ldap, user.ldap)

    # Prompt only for local users who asked for a change but gave nothing.
    prompt_for_password = bool(update_password and len(password) == 0 and not ldap)
    if not update_password:
        password = user.password

    if prompt_for_password:
        password = click.prompt('Password',
                                hide_input=True,
                                confirmation_prompt=True)

    # A prompted password is plaintext, so it can be checked and hashed.
    user = users.save(user.id,
                      username,
                      password,
                      full_name,
                      email,
                      admin,
                      ldap,
                      active,
                      check_complexity=prompt_for_password,
                      hash_password=prompt_for_password)
    if not user:
        print(users.last_error)
        return False

    print("User updated")
    return True
def index():
    """Installer landing page, with the password complexity rules shown.

    Only reachable while no user exists; afterwards it flashes an error and
    redirects home so the installer cannot be re-run.
    """
    provider = Provider()
    users = provider.users()
    complexity = provider.password_complexity()

    if users.get_user_count() > 0:
        flash('Application has already been configured.', 'error')
        return redirect(url_for('home.index'))

    requirement = complexity.get_requirement_description()
    return render_template('install/index.html', complexity=requirement)
def profile(user_id=None):
    """Render a profile page; users may only view their own.

    Args:
        user_id: optional id; None means the current user.  Any other
            user's id is rejected with an 'Access denied' flash.
    """
    if user_id is not None and user_id != current_user.id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))

    target_id = current_user.id if user_id is None else user_id
    account = Provider().users().get_by_id(target_id)

    return render_template('config/account/profile.html', user=account)
def index(user_id):
    """Account overview page for the current user.

    Anonymous requests go to the login page; a ``user_id`` that is not the
    current user's is rejected with an 'Access denied' flash.
    """
    if not current_user.is_authenticated:
        return redirect(url_for('auth.login'))

    if user_id != current_user.id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))

    account = Provider().users().get_by_id(current_user.id)

    return render_template('account/index.html', user=account)
def profile():
    """Render the current user's general profile page.

    Besides the user record and password complexity text, the template gets
    the lower-cased name of the user's auth type and ``ldap.pwchange``
    (presumably whether LDAP password changes are enabled - confirm).
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    account = users.get_user(current_user.id)
    auth_type_name = users.get_authtype(id=account.auth_type_id).name.lower()

    context = {
        'user': account,
        'has_email_mapping': len(ldap.mapping_email) > 0,
        'password_complexity': users.password_complexity.get_requirement_description(),
        'auth_type': auth_type_name,
        'ldap_pwdchange': ldap.pwchange,
    }
    return render_template('config/account/profile/general.html', **context)
def profile_2fa():
    """Render the two-factor setup page with a freshly generated secret.

    A new secret/URI pair is generated on every visit and the secret is
    kept in the server-side session so the enable step can only confirm the
    secret the server issued, not one the client picks.
    """
    users = Provider().users()

    secret_now = current_user.otp_secret
    twofa_enabled = secret_now is not None and len(secret_now) > 0

    otp = users.otp_new(current_user)
    # The enable request must prove possession of this exact secret.
    session['otp'] = otp['secret']

    return render_template(
        'config/account/profile/2fa.html',
        twofa_enabled=twofa_enabled,
        otp_secret=otp['secret'],
        otp_uri=otp['uri']
    )
def theme():
    """Theme selection page for the current user.

    Lists the CSS files under static/css/themes and pre-selects the user's
    saved theme, falling back to the global 'theme' setting and finally to
    'lumen'.
    """
    provider = Provider()
    users = provider.users()
    filesystem = provider.filesystem()
    user_settings = provider.user_settings()
    settings = provider.settings()

    account = users.get_by_id(current_user.id)

    themes_dir = os.path.join(current_app.root_path, 'static', 'css', 'themes')
    available = filesystem.get_files(themes_dir)

    default_theme = settings.get('theme', 'lumen')
    selected = user_settings.get(current_user.id, 'theme', default_theme)

    return render_template('config/account/theme.html',
                           user=account,
                           themes=available,
                           selected_theme=selected)
def ldap_changepwd_process():
    """Handle the LDAP password-change form for a pending LDAP login.

    The pending user comes from ``ldap_username``/``ldap_time`` in the
    session (120-second window).  Form fields: ``password`` (current),
    ``new_password``, ``confirm_password``.  Validation failures keep the
    session markers and return to the form; once the change is attempted
    the markers are cleared and the user is sent back to the login page
    either way.
    """
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()

    next = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    password = request.form['password'].strip()
    new_password = request.form['new_password'].strip()
    confirm_password = request.form['confirm_password'].strip()

    username = session.get('ldap_username', '')
    ldap_time = session.get('ldap_time', 0)

    def clear_pending():
        session.pop('ldap_username', None)
        session.pop('ldap_time', None)

    def back_to_login():
        clear_pending()
        return redirect(url_for('auth.login', next=next))

    if len(username) == 0 or int(time.time()) > (ldap_time + 120):
        return back_to_login()

    user = users.get_ldap_user(username)
    if not user:
        return back_to_login()

    # Form validation; the pending markers survive so the user can retry.
    problem = None
    if len(password) == 0:
        problem = 'Please enter your current password'
    elif len(new_password) == 0 or len(confirm_password) == 0:
        problem = 'Please enter your new password'
    elif new_password != confirm_password:
        problem = 'New passwords do not match'
    if problem is not None:
        flash(problem, 'error')
        return redirect(url_for('ldap_changepwd', next=next))

    clear_pending()

    if not ldap.update_password_ad(user.username, password, new_password):
        flash('Could not update password', 'error')
        return redirect(url_for('auth.login', next=next))

    flash('Password updated - please login again', 'success')
    return redirect(url_for('auth.login', next=next))
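def login_2fa_process():
    """Second login step: verify the submitted TOTP code and log the user in.

    The first step is expected to have stored ``otp_userid`` and
    ``otp_time`` in the session; this step is valid for 120 seconds.  Reads
    ``otp`` from the form and ``next`` from the query string.  On success
    the pending markers are removed, the user is logged in,
    system.run_updates() runs and the browser is sent to ``next``
    (same-site paths only) or the home page.
    """
    next = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    otp = request.form['otp'].strip()

    provider = Provider()
    users = provider.users()

    id = int(session['otp_userid']) if 'otp_userid' in session else 0
    otp_time = int(session['otp_time']) if 'otp_time' in session else 0

    def abandon():
        session.pop('otp_userid', None)
        session.pop('otp_time', None)
        return redirect(url_for('auth.login', next=next))

    # This page is valid for 2 minutes.
    if id <= 0 or int(time.time()) > (otp_time + 120):
        return abandon()

    user = users.get_user(id)
    if not user:
        # The original left the stale markers in the session here; there is
        # nothing they can still be used for, so drop them too.
        return abandon()

    # Fix: the original carried a comment promising an active check at this
    # point but never made one, so an account disabled between step one and
    # step two (or whose first step skipped the check) could still complete
    # the login.  Mirror login_process(): truthiness, so both bool and int
    # storage of the column are honoured.
    if not user.active:
        session.pop('otp_userid', None)
        session.pop('otp_time', None)
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next))

    # NOTE(review): nothing here limits attempts; a 6-digit TOTP is
    # brute-forceable inside the 2-minute window unless
    # users.otp_verify_user() or a surrounding layer throttles - confirm.
    if not users.otp_verify_user(user, otp):
        flash('Invalid Code', 'error')
        return redirect(url_for('auth.login_2fa', next=next))

    session.pop('otp_userid', None)
    session.pop('otp_time', None)

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    # Open-redirect guard.  url_parse() alone reports an empty netloc for
    # '/\\evil.example' and '///evil.example', both of which browsers
    # normalise to '//evil.example'; require a single leading slash not
    # followed by '/' or '\\'.
    if (next and next.startswith('/')
            and not next.startswith(('//', '/\\'))
            and url_parse(next).netloc == ''):
        return redirect(next)

    return redirect(url_for('home.index'))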
def cli_users_add(username, password, full_name, email, active, admin, ldap,
                  create_zone):
    """CLI entry point: create a user, optionally with their base DNS zone.

    Args:
        username, full_name, email: passed through to users.save().
        password: password from the command line; may be empty.
        active, admin, ldap: string flags, only 'true' or 'yes' count as on.
        create_zone: when truthy, also create the user's base zone.

    A non-LDAP user with no password on the command line is prompted for one
    (hidden, with confirmation); only then is the value complexity-checked
    and hashed by users.save().

    NOTE(review): a password given on the command line is passed with
    hash_password=False, i.e. stored as supplied.  Whether callers are
    expected to pass a pre-computed hash is not visible here - confirm,
    otherwise a plaintext password lands in the database unhashed.

    Returns:
        True on success, False (after printing the reason) otherwise.
    """
    provider = Provider()
    users = provider.users()
    zones = provider.dns_zones()

    on_values = ['true', 'yes']
    active = active in on_values
    admin = admin in on_values
    ldap = ldap in on_values

    # LDAP users authenticate against the directory, so only local users
    # need a password from us.
    prompt_needed = len(password) == 0 and not ldap
    if prompt_needed:
        password = click.prompt('Password',
                                hide_input=True,
                                confirmation_prompt=True)

    # A prompted password is plaintext, so it can be checked and hashed.
    user = users.save(0,
                      username,
                      password,
                      full_name,
                      email,
                      admin,
                      ldap,
                      active,
                      check_complexity=prompt_needed,
                      hash_password=prompt_needed)
    if not user:
        print(users.last_error)
        return False

    if create_zone and not zones.create_user_base_zone(user):
        print(
            'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.'
        )
        return False

    print("User created")
    return True
def theme(user_id):
    """Theme selection page; a user may only open their own.

    Lists the CSS files under static/css/themes and pre-selects the user's
    saved theme, falling back to the global 'theme' setting and then to
    'lumen'.  Any other ``user_id`` is rejected with an 'Access denied'
    flash.
    """
    if user_id != current_user.id:
        flash('Access denied', 'error')
        return redirect(url_for('home.index'))

    provider = Provider()
    users = provider.users()
    filesystem = provider.filesystem()
    user_settings = provider.user_settings()
    settings = provider.settings()

    account = users.get_by_id(current_user.id)

    themes_dir = os.path.join(current_app.root_path, 'static', 'css', 'themes')
    available = filesystem.get_files(themes_dir)

    default_theme = settings.get('theme', 'lumen')
    selected = user_settings.get(user_id, 'theme', default_theme)

    return render_template('account/theme.html',
                           user=account,
                           themes=available,
                           selected_theme=selected)
def cli_users_list():
    """CLI entry point: print a table of all users.

    Columns: id, username, full name, email, admin, active, ldap and whether
    a 2FA secret is set (user.has_2fa()).  Always returns True.
    """
    users = Provider().users()

    headers = [
        'id', 'username', 'full name', 'email', 'admin', 'active', 'ldap',
        '2fa'
    ]
    rows = [
        [u.id, u.username, u.full_name, u.email, u.admin, u.active, u.ldap,
         u.has_2fa()]
        for u in users.all()
    ]

    print(tabulate.tabulate(rows, headers))
    return True
def user_edit(user_id):
    """Render the system user edit form.

    A ``user_id`` of 0 or less renders an empty "new user" form; otherwise
    the user is loaded and an unknown id flashes 'Invalid User ID' and
    returns to the user list.

    NOTE(review): unlike user_save() in the admin blueprint there is no
    in-body ``current_user.admin`` check here; confirm the route is
    protected by an admin decorator, since the form exposes other users'
    details.
    """
    provider = Provider()
    users = provider.users()
    zones = provider.dns_zones()

    account = None
    if user_id > 0:
        account = users.get_user(user_id)
        if not account:
            flash('Invalid User ID', 'error')
            return redirect(url_for('config.users'))
    else:
        user_id = 0

    complexity = users.password_complexity.get_requirement_description()
    return render_template('config/system/users/edit.html',
                           user_id=user_id,
                           user=account,
                           password_complexity=complexity,
                           base_domain=zones.base_domain)
def profile_2fa_save():
    """Enable or disable TOTP for the current user, depending on its state.

    With 2FA already on, a form ``action`` of 'disable' turns it off; any
    other action just redirects back.  With 2FA off, the ``otp`` code from
    the form is verified against the secret stored in the session by
    profile_2fa() (consumed here, whether or not it verifies) and, on
    success, the secret is saved.  Either change ends the user's session.

    NOTE(review): disabling only requires ``action=disable`` from an
    authenticated session - no current OTP code or password is re-checked,
    so a hijacked session can strip the second factor silently.  Confirm
    that is acceptable.
    """
    users = Provider().users()

    if users.has_2fa(current_user.id):
        # Disable path.
        if request.form.get('action', '') == 'disable':
            users.twofa_disable(current_user.id)
            users.logout_session(current_user.id)
            flash('Two Factor Authentication has been disabled. Please login again.')
            return redirect(url_for('auth.login'))
        return redirect(url_for('config.profile_2fa'))

    # Enable path.
    otp_code = request.form['otp'].strip()
    # Only the server-issued secret may be confirmed; consume it either way.
    otp_secret = session.pop('otp', '')

    def retry(message):
        flash(message, 'error')
        return redirect(url_for('config.profile_2fa'))

    if len(otp_secret) == 0:
        return retry('Could not load OTP secret from session.')
    if len(otp_code) == 0:
        return retry('OTP code is missing')
    if not users.otp_verify(otp_secret, otp_code):
        return retry('Invalid OTP Code')
    if not users.twofa_enable(current_user.id, otp_secret):
        return retry('Could not enable 2FA')

    users.logout_session(current_user.id)
    flash('Two Factor Authentication has been enabled. Please login again.')
    return redirect(url_for('auth.login'))