def create_users(ds, log=None):
    admin_pass = os.getenv("DEV_ADMIN_PASS", 'admin') or 'admin'
    user_pass = os.getenv("DEV_USER_PASS", 'user') or 'user'
    user_data = User({
        "agrees_with_tos": "NOW",
        "apikeys": {'devkey': {'acl': ["R", "W"], "password": get_password_hash(admin_pass)}},
        "classification": classification.RESTRICTED,
        "name": "Administrator",
        "email": "*****@*****.**",
        "password": get_password_hash(admin_pass),
        "uname": "admin",
        "type": ["admin", "user", "signature_importer"]})
    ds.user.save('admin', user_data)
    ds.user_settings.save('admin', UserSettings({"ignore_cache": True, "deep_scan": True}))
    if log:
        log.info(f"\tU:{user_data.uname}   P:{admin_pass}")

    user_data = User({
        "name": "User",
        "email": "*****@*****.**",
        "apikeys": {'devkey': {'acl': ["R", "W"], "password": get_password_hash(user_pass)}},
        "password": get_password_hash(user_pass),
        "uname": "user"})
    ds.user.save('user', user_data)
    ds.user_settings.save('user', UserSettings())
    if log:
        log.info(f"\tU:{user_data.uname}   P:{user_pass}")

    ds.user.commit()
Exemplo n.º 2
0
def signup_validate(**_):
    """
    Validate a user's signup request

    Variables:
    None

    Arguments:
    None

    Data Block:
    {
     "registration_key": "234234...ADFCB"    # Key used to validate the user's signup process
    }

    Result example:
    {
     "success": true
    }
    """
    if not config.auth.internal.signup.enabled:
        return make_api_response({"success": False},
                                 "Signup process has been disabled", 403)

    try:
        data = request.json
    except BadRequest:
        data = request.values

    registration_key = data.get('registration_key', None)

    if registration_key:
        try:
            signup_queue = get_signup_queue(registration_key)
            members = signup_queue.members()
            signup_queue.delete()
            if members:
                user_info = members[0]

                # Add dynamic classification group
                user_info['classification'] = get_dynamic_classification(
                    user_info.get('classification',
                                  Classification.UNRESTRICTED),
                    user_info['email'])

                user = User(user_info)
                username = user.uname

                STORAGE.user.save(username, user)
                return make_api_response({"success": True})
        except (KeyError, ValueError) as e:
            LOGGER.warning(f"Fail to signup user: {str(e)}")
            pass
    else:
        return make_api_response(
            {"success": False},
            "Not enough information to proceed with user creation", 400)

    return make_api_response({"success": False}, "Invalid registration key",
                             400)
Exemplo n.º 3
0
def signup_validate(**_):
    """
    Validate a user's signup request

    Variables:
    None

    Arguments:
    None

    Data Block:
    {
     "registration_key": "234234...ADFCB"    # Key used to validate the user's signup process
    }

    Result example:
    {
     "success": true
    }
    """
    if not config.auth.internal.signup.enabled:
        return make_api_response({"success": False},
                                 "Signup process has been disabled", 403)

    data = request.json
    if not data:
        data = request.values

    registration_key = data.get('registration_key', None)

    if registration_key:
        try:
            signup_queue = get_signup_queue(registration_key)
            members = signup_queue.members()
            signup_queue.delete()
            if members:
                user_info = members[0]
                user = User(user_info)
                username = user.uname

                STORAGE.user.save(username, user)
                return make_api_response({"success": True})
        except (KeyError, ValueError):
            pass
    else:
        return make_api_response(
            {"success": False},
            "Not enough information to proceed with user creation", 400)

    return make_api_response({"success": False}, "Invalid registration key",
                             400)
Exemplo n.º 4
0
    def ensure_service_account(self):
        """Check that the update service account exists, if it doesn't, create it."""
        uname = 'update_service_account'

        if self.datastore.user.get_if_exists(uname):
            return uname

        user_data = User({
            "agrees_with_tos": "NOW",
            "classification": "RESTRICTED",
            "name": "Update Account",
            "password": get_password_hash(''.join(random.choices(string.ascii_letters, k=20))),
            "uname": uname,
            "type": ["signature_importer"]
        })
        self.datastore.user.save(uname, user_data)
        self.datastore.user_settings.save(uname, UserSettings())
        return uname
Exemplo n.º 5
0
def save_user_account(username, data, user):
    # Clear non user account data
    avatar = data.pop('avatar', None)
    data.pop('2fa_enabled', None)
    data.pop('security_token_enabled', None)
    data.pop('has_password', None)

    data = User(data).as_primitives()

    if username != data['uname']:
        raise AccessDeniedException(
            "You are not allowed to change the username.")

    if username != user['uname'] and 'admin' not in user['type']:
        raise AccessDeniedException(
            "You are not allowed to change another user then yourself.")

    current = STORAGE.user.get(username, as_obj=False)
    if current:
        if 'admin' not in user['type']:
            for key in current.keys():
                if data[key] != current[
                        key] and key not in ACCOUNT_USER_MODIFIABLE:
                    raise AccessDeniedException(
                        "Only Administrators can change the value of the field [%s]."
                        % key)
    else:
        raise InvalidDataException(
            "You cannot save a user that does not exists [%s]." % username)

    if avatar is None:
        STORAGE.user_avatar.delete(username)
    else:
        STORAGE.user_avatar.save(username, avatar)

    return STORAGE.user.save(username, data)
Exemplo n.º 6
0
def add_user_account(username, **_):
    """
    Add a user to the system

    Variables:
    username    => Name of the user to add

    Arguments:
    None

    Data Block:
    {
     "name": "Test user",        # Name of the user
     "is_active": true,          # Is the user active?
     "classification": "",       # Max classification for user
     "uname": "usertest",        # Username
     "type": ['user'],           # List of all types the user is member of
     "avatar": null,             # Avatar of the user
     "groups": ["TEST"]          # Groups the user is member of
    }

    Result example:
    {
     "success": true             # Saving the user info succeded
    }
    """

    data = request.json

    if "{" in username or "}" in username:
        return make_api_response({"success": False}, "You can't use '{}' in the username", 412)

    if not STORAGE.user.get(username):
        new_pass = data.pop('new_pass', None)
        if new_pass:
            password_requirements = config.auth.internal.password_requirements.as_primitives()
            if not check_password_requirements(new_pass, **password_requirements):
                error_msg = get_password_requirement_message(**password_requirements)
                return make_api_response({"success": False}, error_msg, 469)
            data['password'] = get_password_hash(new_pass)
        else:
            data['password'] = data.get('password', "__NO_PASSWORD__") or "__NO_PASSWORD__"

        # Data's username as to match the API call username
        data['uname'] = username
        if not data['name']:
            data['name'] = data['uname']

        # Add add dynamic classification group
        data['classification'] = get_dynamic_classification(data['classification'], data['email'])

        # Clear non user account data
        avatar = data.pop('avatar', None)

        if avatar is not None:
            STORAGE.user_avatar.save(username, avatar)

        try:
            return make_api_response({"success": STORAGE.user.save(username, User(data))})
        except ValueError as e:
            return make_api_response({"success": False}, str(e), 400)

    else:
        return make_api_response({"success": False}, "The username you are trying to add already exists.", 400)
Exemplo n.º 7
0
def login():
    ui4_path = request.cookies.get('ui4_path', None)
    if ui4_path is not None:
        resp = redirect(
            redirect_helper(f"{ui4_path}?{request.query_string.decode()}"))
        resp.delete_cookie("ui4_path")
        return resp

    registration_key = request.args.get('registration_key', None)

    avatar = None
    oauth_token = ''
    oauth_error = ''
    username = ''
    oauth_validation = config.auth.oauth.enabled and 'code' in request.args and 'state' in request.args
    oauth_provider = request.args.get('provider', None)
    up_login = config.auth.internal.enabled or config.auth.ldap.enabled

    next_url = angular_safe(
        request.args.get('next', request.cookies.get('next_url', "/")))
    if "login.html" in next_url or "logout.html" in next_url:
        next_url = "/"

    if registration_key and config.auth.internal.signup.enabled:
        try:
            signup_queue = get_signup_queue(registration_key)
            members = signup_queue.members()
            signup_queue.delete()
            if members:
                user_info = members[0]
                user = User(user_info)
                username = user.uname

                STORAGE.user.save(username, user)
        except (KeyError, ValueError):
            pass

    if config.auth.oauth.enabled:
        providers = str([
            name for name, p in config.auth.oauth.providers.items()
            if p['client_id'] and p['client_secret']
        ])

        if oauth_validation:
            oauth = current_app.extensions.get(
                'authlib.integrations.flask_client')
            provider = oauth.create_client(oauth_provider)

            if provider:
                # noinspection PyBroadException
                try:
                    # Test oauth access token
                    token = provider.authorize_access_token()
                    oauth_provider_config = config.auth.oauth.providers[
                        oauth_provider]

                    # Get user data
                    resp = provider.get(oauth_provider_config.user_get)
                    if resp.ok:
                        user_data = resp.json()

                        # Add group data if API is configured for it
                        if oauth_provider_config.user_groups:
                            resp_grp = provider.get(
                                oauth_provider_config.user_groups)
                            if resp_grp.ok:
                                groups = resp_grp.json()

                                if oauth_provider_config.user_groups_data_field:
                                    groups = groups[oauth_provider_config.
                                                    user_groups_data_field]

                                if oauth_provider_config.user_groups_name_field:
                                    groups = [
                                        x[oauth_provider_config.
                                          user_groups_name_field]
                                        for x in groups
                                    ]

                                user_data['groups'] = groups

                        data = parse_profile(user_data, oauth_provider_config)
                        has_access = data.pop('access', False)
                        if has_access:
                            oauth_avatar = data.pop('avatar', None)

                            # Find if user already exists
                            users = STORAGE.user.search(
                                f"email:{data['email']}",
                                fl="uname",
                                as_obj=False)['items']
                            if users:
                                cur_user = STORAGE.user.get(
                                    users[0]['uname'], as_obj=False) or {}
                                # Do not update username and password from the current user
                                data['uname'] = cur_user.get(
                                    'uname', data['uname'])
                                data['password'] = cur_user.get(
                                    'password', data['password'])
                            else:
                                if data['uname'] != data['email']:
                                    # Username was computed using a regular expression, lets make sure we don't
                                    # assign the same username to two users
                                    res = STORAGE.user.search(
                                        f"uname:{data['uname']}",
                                        rows=0,
                                        as_obj=False)
                                    if res['total'] > 0:
                                        cnt = res['total']
                                        new_uname = f"{data['uname']}{cnt}"
                                        while STORAGE.user.get(
                                                new_uname) is not None:
                                            cnt += 1
                                            new_uname = f"{data['uname']}{cnt}"
                                        data['uname'] = new_uname
                                cur_user = {}

                            username = data['uname']

                            # Make sure the user exists in AL and is in sync
                            if (not cur_user and oauth_provider_config.auto_create) or \
                                    (cur_user and oauth_provider_config.auto_sync):

                                # Update the current user
                                cur_user.update(data)

                                # Save avatar
                                if oauth_avatar:
                                    avatar = fetch_avatar(
                                        oauth_avatar, provider,
                                        oauth_provider_config)
                                    if avatar:
                                        STORAGE.user_avatar.save(
                                            username, avatar)

                                # Save updated user
                                STORAGE.user.save(username, cur_user)

                            if cur_user:
                                if avatar is None:
                                    avatar = STORAGE.user_avatar.get(
                                        username
                                    ) or "/static/images/user_default.png"
                                oauth_token = hashlib.sha256(
                                    str(token).encode(
                                        "utf-8",
                                        errors='replace')).hexdigest()
                                get_token_store(username).add(oauth_token)
                            else:
                                oauth_validation = False
                                avatar = None
                                username = ''
                                oauth_error = "User auto-creation is disabled"
                        else:
                            oauth_validation = False
                            oauth_error = "This user is not allowed access to the system"

                except Exception as _:
                    oauth_validation = False
                    oauth_error = "Invalid oAuth2 token, try again"
    else:
        providers = str([])

    return custom_render("login.html",
                         next=next_url,
                         avatar=avatar,
                         username=username,
                         oauth_error=oauth_error,
                         oauth_token=oauth_token,
                         providers=providers,
                         signup=config.auth.internal.enabled
                         and config.auth.internal.signup.enabled,
                         oauth_validation=str(oauth_validation).lower(),
                         up_login=str(up_login).lower())
Exemplo n.º 8
0
import os

from assemblyline.odm.models.user_settings import UserSettings
from assemblyline.common.security import get_password_hash
from assemblyline.odm.models.user import User
from assemblyline.common import forge


ADMIN_USER = os.environ.get("AL_ADMIN_USER", "admin")
INITIAL_ADMIN_PASSWORD = os.environ.get("AL_ADMIN_PASSWORD", "admin")


if __name__ == '__main__':
    ds = forge.get_datastore()
    if not ds.user.get_if_exists(ADMIN_USER):
        user_data = User({
            "agrees_with_tos": "NOW",
            "classification": "RESTRICTED",
            "name": "Admin user",
            "password": get_password_hash(INITIAL_ADMIN_PASSWORD),
            "uname": ADMIN_USER,
            "type": ["admin", "user", "signature_importer"]})
        ds.user.save(ADMIN_USER, user_data)
        ds.user_settings.save(ADMIN_USER, UserSettings())
        print("Initial user setup finished.")
    else:
        print(f"User {ADMIN_USER} already found, system is already setup.")