def link_location_peer_post(link_id, location_id):
if not settings.local.sub_plan or \
'enterprise' not in settings.local.sub_plan:
return flask.abort(404)
if settings.app.demo_mode:
return utils.demo_blocked()
lnk = link.get_by_id(link_id)
if not lnk or lnk.type == DIRECT:
return flask.abort(404)
loc = lnk.get_location(location_id)
if not loc:
return flask.abort(404)
peer_id = database.ParseObjectId(flask.request.json.get('peer_id'))
loc.remove_exclude(peer_id)
lnk.commit('excludes')
loc.commit('transit_excludes')
event.Event(type=LINKS_UPDATED)
return utils.jsonify({})
def auth_delete():
admin_id = utils.session_opt_str('admin_id')
if admin_id:
admin_id = admin_id[:512]
session_id = utils.session_opt_str('session_id')
if session_id:
session_id = session_id[:512]
remote_addr = utils.get_remote_addr()
journal.entry(
journal.ADMIN_SESSION_END,
admin_id=admin_id,
session_id=session_id,
remote_address=remote_addr,
)
if admin_id and session_id:
admin_id = database.ParseObjectId(admin_id)
auth.clear_session(admin_id, str(session_id))
flask.session.clear()
return utils.jsonify({
'authenticated': False,
})
def iter_users(self,
page=None,
search=None,
search_limit=None,
fields=None,
include_pool=False):
spec = {
'org_id': self.id,
'type': CERT_CLIENT,
}
searched = False
type_search = False
limit = None
skip = None
page_count = settings.user.page_count
if fields:
fields = {key: True for key in fields}
if search is not None:
searched = True
n = search.find('id:')
if n != -1:
user_id = search[n + 3:].split(None, 1)
user_id = user_id[0] if user_id else ''
if user_id:
type_search = True
spec['_id'] = database.ParseObjectId(user_id)
search = search[:n] + search[n + 3 + len(user_id):].strip()
n = search.find('type:')
if n != -1:
user_type = search[n + 5:].split(None, 1)
user_type = user_type[0] if user_type else ''
if user_type:
type_search = True
spec['type'] = user_type
search = search[:n] + search[n + 5 + len(user_type):].strip()
n = search.find('group:')
if n != -1:
user_group = search[n + 6:].split(None, 1)
user_group = user_group[0] if user_group else ''
if user_group:
spec['groups'] = user_group
search = search[:n] + search[n + 6 + len(user_group):].strip()
n = search.find('email:')
if n != -1:
email = search[n + 6:].split(None, 1)
email = email[0] if email else ''
if email:
spec['email'] = {
'$regex': '.*%s.*' % re.escape(email),
'$options': 'i',
}
search = search[:n] + search[n + 6 + len(email):].strip()
n = search.find('status:')
if n != -1:
status = search[n + 7:].split(None, 1)
status = status[0] if status else ''
search = search[:n] + search[n + 7 + len(status):].strip()
if status not in (ONLINE, OFFLINE):
return
user_ids = self.clients_collection.find(
None, {
'_id': True,
'user_id': True,
}).distinct('user_id')
if status == ONLINE:
spec['_id'] = {'$in': user_ids}
else:
spec['_id'] = {'$nin': user_ids}
spec['name'] = {
'$regex': '.*%s.*' % re.escape(search).strip(),
'$options': 'i',
}
limit = search_limit or page_count
elif page is not None:
limit = page_count
skip = page * page_count if page else 0
cursor = user.User.collection.find(spec, fields).sort(
'name', pymongo.ASCENDING)
if skip is not None:
cursor = cursor.skip(page * page_count if page else 0)
if limit is not None:
cursor = cursor.limit(limit + 1)
if searched:
self.last_search_count = cursor.count()
if limit is None:
for doc in cursor:
yield user.User(self, doc=doc, fields=fields)
else:
count = 0
for doc in cursor:
count += 1
if count > limit:
return
yield user.User(self, doc=doc, fields=fields)
if type_search:
return
if include_pool:
spec['type'] = {
'$in': [CERT_SERVER, CERT_CLIENT_POOL, CERT_SERVER_POOL]
}
else:
spec['type'] = CERT_SERVER
cursor = user.User.collection.find(spec, fields).sort(
'name', pymongo.ASCENDING)
for doc in cursor:
yield user.User(self, doc=doc, fields=fields)
def settings_put():
if settings.app.demo_mode:
return utils.demo_blocked()
org_event = False
admin_event = False
admin = flask.g.administrator
changes = set()
settings_commit = False
update_server = False
update_acme = False
update_cert = False
if 'username' in flask.request.json and flask.request.json['username']:
username = utils.filter_str(flask.request.json['username']).lower()
if username != admin.username:
changes.add('username')
admin.username = username
if 'password' in flask.request.json and flask.request.json['password']:
password = flask.request.json['password']
changes.add('password')
admin.password = password
if 'server_cert' in flask.request.json:
settings_commit = True
server_cert = flask.request.json['server_cert']
if server_cert:
server_cert = server_cert.strip()
else:
server_cert = None
if server_cert != settings.app.server_cert:
update_server = True
settings.app.server_cert = server_cert
if 'server_key' in flask.request.json:
settings_commit = True
server_key = flask.request.json['server_key']
if server_key:
server_key = server_key.strip()
else:
server_key = None
if server_key != settings.app.server_key:
update_server = True
settings.app.server_key = server_key
if 'server_port' in flask.request.json:
settings_commit = True
server_port = flask.request.json['server_port']
if not server_port:
server_port = 443
try:
server_port = int(server_port)
if server_port < 1 or server_port > 65535:
raise ValueError('Port invalid')
except ValueError:
return utils.jsonify(
{
'error': PORT_INVALID,
'error_msg': PORT_INVALID_MSG,
}, 400)
if server_port != settings.app.server_port:
update_server = True
settings.app.server_port = server_port
if 'acme_domain' in flask.request.json:
settings_commit = True
acme_domain = utils.filter_str(flask.request.json['acme_domain']
or None)
if acme_domain:
acme_domain = acme_domain.replace('https://', '')
acme_domain = acme_domain.replace('http://', '')
acme_domain = acme_domain.replace('/', '')
if acme_domain != settings.app.acme_domain:
if not acme_domain:
settings.app.acme_key = None
settings.app.acme_timestamp = None
settings.app.server_key = None
settings.app.server_cert = None
update_server = True
update_cert = True
else:
update_acme = True
settings.app.acme_domain = acme_domain
if 'auditing' in flask.request.json:
settings_commit = True
auditing = flask.request.json['auditing'] or None
if settings.app.auditing == ALL and auditing != ALL:
return utils.jsonify(
{
'error': CANNOT_DISABLE_AUDITING,
'error_msg': CANNOT_DISABLE_AUDITING_MSG,
}, 400)
if settings.app.auditing != auditing:
if not flask.g.administrator.super_user:
return utils.jsonify(
{
'error': REQUIRES_SUPER_USER,
'error_msg': REQUIRES_SUPER_USER_MSG,
}, 400)
admin_event = True
org_event = True
settings.app.auditing = auditing
if 'monitoring' in flask.request.json:
settings_commit = True
monitoring = flask.request.json['monitoring'] or None
settings.app.monitoring = monitoring
if 'influxdb_url' in flask.request.json:
settings_commit = True
influxdb_url = flask.request.json['influxdb_url'] or None
settings.app.influxdb_url = influxdb_url
if 'influxdb_token' in flask.request.json:
settings_commit = True
influxdb_token = flask.request.json['influxdb_token'] or None
settings.app.influxdb_token = influxdb_token
if 'influxdb_org' in flask.request.json:
settings_commit = True
influxdb_org = flask.request.json['influxdb_org'] or None
settings.app.influxdb_org = influxdb_org
if 'influxdb_bucket' in flask.request.json:
settings_commit = True
influxdb_bucket = flask.request.json['influxdb_bucket'] or None
settings.app.influxdb_bucket = influxdb_bucket
if 'email_from' in flask.request.json:
settings_commit = True
email_from = flask.request.json['email_from'] or None
if email_from != settings.app.email_from:
changes.add('smtp')
settings.app.email_from = email_from
if 'email_server' in flask.request.json:
settings_commit = True
email_server = flask.request.json['email_server'] or None
if email_server != settings.app.email_server:
changes.add('smtp')
settings.app.email_server = email_server
if 'email_username' in flask.request.json:
settings_commit = True
email_username = flask.request.json['email_username'] or None
if email_username != settings.app.email_username:
changes.add('smtp')
settings.app.email_username = email_username
if 'email_password' in flask.request.json:
settings_commit = True
email_password = flask.request.json['email_password'] or None
if email_password != settings.app.email_password:
changes.add('smtp')
settings.app.email_password = email_password
if 'pin_mode' in flask.request.json:
settings_commit = True
pin_mode = flask.request.json['pin_mode'] or None
if pin_mode != settings.user.pin_mode:
changes.add('pin_mode')
settings.user.pin_mode = pin_mode
if 'sso' in flask.request.json:
org_event = True
settings_commit = True
sso = flask.request.json['sso'] or None
if sso != settings.app.sso:
changes.add('sso')
settings.app.sso = sso
if 'sso_match' in flask.request.json:
settings_commit = True
sso_match = flask.request.json['sso_match'] or None
if sso_match != settings.app.sso_match:
changes.add('sso')
if isinstance(sso_match, list):
settings.app.sso_match = sso_match
else:
settings.app.sso_match = None
if 'sso_azure_directory_id' in flask.request.json:
settings_commit = True
sso_azure_directory_id = flask.request.json[
'sso_azure_directory_id'] or None
if sso_azure_directory_id != settings.app.sso_azure_directory_id:
changes.add('sso')
settings.app.sso_azure_directory_id = sso_azure_directory_id
if 'sso_azure_app_id' in flask.request.json:
settings_commit = True
sso_azure_app_id = flask.request.json['sso_azure_app_id'] or None
if sso_azure_app_id != settings.app.sso_azure_app_id:
changes.add('sso')
settings.app.sso_azure_app_id = sso_azure_app_id
if 'sso_azure_app_secret' in flask.request.json:
settings_commit = True
sso_azure_app_secret = flask.request.json[
'sso_azure_app_secret'] or None
if sso_azure_app_secret != settings.app.sso_azure_app_secret:
changes.add('sso')
settings.app.sso_azure_app_secret = sso_azure_app_secret
if 'sso_azure_version' in flask.request.json:
settings_commit = True
sso_azure_version = flask.request.json['sso_azure_version'] or 0
sso_azure_version = int(sso_azure_version)
if sso_azure_version not in (1, 2):
sso_azure_version = 2
if sso_azure_version != settings.app.sso_azure_version:
changes.add('sso')
settings.app.sso_azure_version = sso_azure_version
if 'sso_authzero_domain' in flask.request.json:
settings_commit = True
sso_authzero_domain = flask.request.json['sso_authzero_domain'] or None
if sso_authzero_domain != settings.app.sso_authzero_domain:
changes.add('sso')
settings.app.sso_authzero_domain = sso_authzero_domain
if 'sso_authzero_app_id' in flask.request.json:
settings_commit = True
sso_authzero_app_id = flask.request.json['sso_authzero_app_id'] or None
if sso_authzero_app_id != settings.app.sso_authzero_app_id:
changes.add('sso')
settings.app.sso_authzero_app_id = sso_authzero_app_id
if 'sso_authzero_app_secret' in flask.request.json:
settings_commit = True
sso_authzero_app_secret = flask.request.json[
'sso_authzero_app_secret'] or None
if sso_authzero_app_secret != settings.app.sso_authzero_app_secret:
changes.add('sso')
settings.app.sso_authzero_app_secret = sso_authzero_app_secret
if 'sso_google_key' in flask.request.json:
settings_commit = True
sso_google_key = flask.request.json['sso_google_key'] or None
if sso_google_key != settings.app.sso_google_key:
changes.add('sso')
settings.app.sso_google_key = sso_google_key
if 'sso_google_email' in flask.request.json:
settings_commit = True
sso_google_email = flask.request.json['sso_google_email'] or None
if sso_google_email != settings.app.sso_google_email:
changes.add('sso')
settings.app.sso_google_email = sso_google_email
if 'sso_duo_token' in flask.request.json:
settings_commit = True
sso_duo_token = flask.request.json['sso_duo_token'] or None
if sso_duo_token != settings.app.sso_duo_token:
changes.add('sso')
settings.app.sso_duo_token = sso_duo_token
if 'sso_duo_secret' in flask.request.json:
settings_commit = True
sso_duo_secret = flask.request.json['sso_duo_secret'] or None
if sso_duo_secret != settings.app.sso_duo_secret:
changes.add('sso')
settings.app.sso_duo_secret = sso_duo_secret
if 'sso_duo_host' in flask.request.json:
settings_commit = True
sso_duo_host = flask.request.json['sso_duo_host'] or None
if sso_duo_host != settings.app.sso_duo_host:
changes.add('sso')
settings.app.sso_duo_host = sso_duo_host
if 'sso_duo_mode' in flask.request.json:
settings_commit = True
sso_duo_mode = flask.request.json['sso_duo_mode'] or None
if sso_duo_mode != settings.app.sso_duo_mode:
changes.add('sso')
settings.app.sso_duo_mode = sso_duo_mode
if 'sso_radius_secret' in flask.request.json:
settings_commit = True
sso_radius_secret = flask.request.json['sso_radius_secret'] or None
if sso_radius_secret != settings.app.sso_radius_secret:
changes.add('sso')
settings.app.sso_radius_secret = sso_radius_secret
if 'sso_radius_host' in flask.request.json:
settings_commit = True
sso_radius_host = flask.request.json['sso_radius_host'] or None
if sso_radius_host != settings.app.sso_radius_host:
changes.add('sso')
settings.app.sso_radius_host = sso_radius_host
if 'sso_org' in flask.request.json:
settings_commit = True
sso_org = flask.request.json['sso_org'] or None
if sso_org:
sso_org = database.ParseObjectId(sso_org)
else:
sso_org = None
if sso_org != settings.app.sso_org:
changes.add('sso')
if settings.app.sso and not sso_org:
return utils.jsonify(
{
'error': SSO_ORG_NULL,
'error_msg': SSO_ORG_NULL_MSG,
}, 400)
settings.app.sso_org = sso_org
if 'sso_saml_url' in flask.request.json:
settings_commit = True
sso_saml_url = flask.request.json['sso_saml_url'] or None
if sso_saml_url != settings.app.sso_saml_url:
changes.add('sso')
settings.app.sso_saml_url = sso_saml_url
if 'sso_saml_issuer_url' in flask.request.json:
settings_commit = True
sso_saml_issuer_url = flask.request.json['sso_saml_issuer_url'] or \
None
if sso_saml_issuer_url != settings.app.sso_saml_issuer_url:
changes.add('sso')
settings.app.sso_saml_issuer_url = sso_saml_issuer_url
if 'sso_saml_cert' in flask.request.json:
settings_commit = True
sso_saml_cert = flask.request.json['sso_saml_cert'] or None
if sso_saml_cert != settings.app.sso_saml_cert:
changes.add('sso')
settings.app.sso_saml_cert = sso_saml_cert
if 'sso_okta_app_id' in flask.request.json:
settings_commit = True
sso_okta_app_id = flask.request.json['sso_okta_app_id'] or None
if sso_okta_app_id != settings.app.sso_okta_app_id:
changes.add('sso')
settings.app.sso_okta_app_id = sso_okta_app_id
if 'sso_okta_token' in flask.request.json:
settings_commit = True
sso_okta_token = flask.request.json['sso_okta_token'] or None
if sso_okta_token != settings.app.sso_okta_token:
changes.add('sso')
settings.app.sso_okta_token = sso_okta_token
if 'sso_okta_mode' in flask.request.json:
sso_mode = settings.app.sso
if sso_mode and sso_mode == SAML_OKTA_AUTH:
settings_commit = True
sso_okta_mode = flask.request.json['sso_okta_mode']
settings.app.sso_okta_mode = sso_okta_mode
if 'sso_onelogin_app_id' in flask.request.json:
settings_commit = True
sso_onelogin_app_id = flask.request.json['sso_onelogin_app_id'] or \
None
if sso_onelogin_app_id != settings.app.sso_onelogin_app_id:
changes.add('sso')
settings.app.sso_onelogin_app_id = sso_onelogin_app_id
if 'sso_onelogin_id' in flask.request.json:
settings_commit = True
sso_onelogin_id = flask.request.json['sso_onelogin_id'] or None
if sso_onelogin_id != settings.app.sso_onelogin_id:
changes.add('sso')
settings.app.sso_onelogin_id = sso_onelogin_id
if 'sso_onelogin_secret' in flask.request.json:
settings_commit = True
sso_onelogin_secret = \
flask.request.json['sso_onelogin_secret'] or None
if sso_onelogin_secret != settings.app.sso_onelogin_secret:
changes.add('sso')
settings.app.sso_onelogin_secret = sso_onelogin_secret
if 'sso_onelogin_mode' in flask.request.json:
sso_mode = settings.app.sso
if sso_mode and sso_mode == SAML_ONELOGIN_AUTH:
settings_commit = True
sso_onelogin_mode = flask.request.json['sso_onelogin_mode']
settings.app.sso_onelogin_mode = sso_onelogin_mode
if 'sso_jumpcloud_secret' in flask.request.json:
settings_commit = True
sso_jumpcloud_secret = \
flask.request.json['sso_jumpcloud_secret'] or None
if sso_jumpcloud_secret != settings.app.sso_jumpcloud_secret:
changes.add('sso')
settings.app.sso_jumpcloud_secret = sso_jumpcloud_secret
if 'ipv6' in flask.request.json:
settings_commit = True
ipv6 = True if \
flask.request.json['ipv6'] else False
settings.vpn.ipv6 = ipv6
if 'sso_cache' in flask.request.json:
settings_commit = True
sso_cache = True if \
flask.request.json['sso_cache'] else False
if sso_cache != settings.app.sso_cache:
changes.add('sso')
settings.app.sso_cache = sso_cache
if 'sso_client_cache' in flask.request.json:
settings_commit = True
sso_client_cache = True if \
flask.request.json['sso_client_cache'] else False
if sso_client_cache != settings.app.sso_client_cache:
changes.add('sso')
settings.app.sso_client_cache = sso_client_cache
if 'restrict_import' in flask.request.json:
settings_commit = True
restrict_import = True if \
flask.request.json['restrict_import'] else False
if restrict_import != settings.user.restrict_import:
changes.add('restrict_import')
settings.user.restrict_import = restrict_import
if 'client_reconnect' in flask.request.json:
settings_commit = True
client_reconnect = True if \
flask.request.json['client_reconnect'] else False
settings.user.reconnect = client_reconnect
if 'drop_permissions' in flask.request.json:
settings_commit = True
drop_permissions = True if \
flask.request.json['drop_permissions'] else False
if drop_permissions != settings.vpn.drop_permissions:
changes.add('drop_permissions')
settings.vpn.drop_permissions = drop_permissions
if 'sso_yubico_client' in flask.request.json:
settings_commit = True
sso_yubico_client = \
flask.request.json['sso_yubico_client'] or None
if sso_yubico_client != settings.app.sso_yubico_client:
changes.add('sso')
settings.app.sso_yubico_client = sso_yubico_client
if 'sso_yubico_secret' in flask.request.json:
settings_commit = True
sso_yubico_secret = \
flask.request.json['sso_yubico_secret'] or None
if sso_yubico_secret != settings.app.sso_yubico_secret:
changes.add('sso')
settings.app.sso_yubico_secret = sso_yubico_secret
if flask.request.json.get('theme'):
settings_commit = True
theme = 'light' if flask.request.json['theme'] == 'light' else 'dark'
if theme != settings.app.theme:
if theme == 'dark':
event.Event(type=THEME_DARK)
else:
event.Event(type=THEME_LIGHT)
settings.app.theme = theme
if 'public_address' in flask.request.json:
public_address = flask.request.json['public_address'] or None
if public_address != settings.local.host.public_addr:
settings.local.host.public_address = public_address
settings.local.host.commit('public_address')
if 'public_address6' in flask.request.json:
public_address6 = flask.request.json['public_address6'] or None
if public_address6 != settings.local.host.public_addr6:
settings.local.host.public_address6 = public_address6
settings.local.host.commit('public_address6')
if 'routed_subnet6' in flask.request.json:
routed_subnet6 = flask.request.json['routed_subnet6']
if routed_subnet6:
try:
routed_subnet6 = ipaddress.IPv6Network(
flask.request.json['routed_subnet6'])
except (ipaddress.AddressValueError, ValueError):
return utils.jsonify(
{
'error': IPV6_SUBNET_INVALID,
'error_msg': IPV6_SUBNET_INVALID_MSG,
}, 400)
if routed_subnet6.prefixlen > 64:
return utils.jsonify(
{
'error': IPV6_SUBNET_SIZE_INVALID,
'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG,
}, 400)
routed_subnet6 = str(routed_subnet6)
else:
routed_subnet6 = None
if settings.local.host.routed_subnet6 != routed_subnet6:
if server.get_online_ipv6_count():
return utils.jsonify(
{
'error': IPV6_SUBNET_ONLINE,
'error_msg': IPV6_SUBNET_ONLINE_MSG,
}, 400)
settings.local.host.routed_subnet6 = routed_subnet6
settings.local.host.commit('routed_subnet6')
if 'routed_subnet6_wg' in flask.request.json:
routed_subnet6_wg = flask.request.json['routed_subnet6_wg']
if routed_subnet6_wg:
try:
routed_subnet6_wg = ipaddress.IPv6Network(
flask.request.json['routed_subnet6_wg'])
except (ipaddress.AddressValueError, ValueError):
return utils.jsonify(
{
'error': IPV6_SUBNET_WG_INVALID,
'error_msg': IPV6_SUBNET_WG_INVALID_MSG,
}, 400)
if routed_subnet6_wg.prefixlen > 64:
return utils.jsonify(
{
'error': IPV6_SUBNET_WG_SIZE_INVALID,
'error_msg': IPV6_SUBNET_WG_SIZE_INVALID_MSG,
}, 400)
routed_subnet6_wg = str(routed_subnet6_wg)
else:
routed_subnet6_wg = None
if settings.local.host.routed_subnet6_wg != routed_subnet6_wg:
if server.get_online_ipv6_count():
return utils.jsonify(
{
'error': IPV6_SUBNET_WG_ONLINE,
'error_msg': IPV6_SUBNET_WG_ONLINE_MSG,
}, 400)
settings.local.host.routed_subnet6_wg = routed_subnet6_wg
settings.local.host.commit('routed_subnet6_wg')
if 'reverse_proxy' in flask.request.json:
settings_commit = True
reverse_proxy = flask.request.json['reverse_proxy']
settings.app.reverse_proxy = True if reverse_proxy else False
if 'cloud_provider' in flask.request.json:
settings_commit = True
cloud_provider = flask.request.json['cloud_provider'] or None
settings.app.cloud_provider = cloud_provider
if 'route53_region' in flask.request.json:
settings_commit = True
settings.app.route53_region = utils.filter_str(
flask.request.json['route53_region']) or None
if 'route53_zone' in flask.request.json:
settings_commit = True
settings.app.route53_zone = utils.filter_str(
flask.request.json['route53_zone']) or None
if settings.app.cloud_provider == 'oracle':
if 'oracle_user_ocid' in flask.request.json:
settings_commit = True
settings.app.oracle_user_ocid = utils.filter_str(
flask.request.json['oracle_user_ocid']) or None
elif settings.app.oracle_user_ocid:
settings_commit = True
settings.app.oracle_user_ocid = None
if 'oracle_public_key' in flask.request.json:
if flask.request.json['oracle_public_key'] == 'reset':
settings_commit = True
private_key, public_key = utils.generate_rsa_key()
settings.app.oracle_private_key = private_key
settings.app.oracle_public_key = public_key
for aws_key in (
'us_east_1_access_key',
'us_east_1_secret_key',
'us_east_2_access_key',
'us_east_2_secret_key',
'us_west_1_access_key',
'us_west_1_secret_key',
'us_west_2_access_key',
'us_west_2_secret_key',
'us_gov_east_1_access_key',
'us_gov_east_1_secret_key',
'us_gov_west_1_access_key',
'us_gov_west_1_secret_key',
'eu_north_1_access_key',
'eu_north_1_secret_key',
'eu_west_1_access_key',
'eu_west_1_secret_key',
'eu_west_2_access_key',
'eu_west_2_secret_key',
'eu_west_3_access_key',
'eu_west_3_secret_key',
'eu_central_1_access_key',
'eu_central_1_secret_key',
'ca_central_1_access_key',
'ca_central_1_secret_key',
'cn_north_1_access_key',
'cn_north_1_secret_key',
'cn_northwest_1_access_key',
'cn_northwest_1_secret_key',
'ap_northeast_1_access_key',
'ap_northeast_1_secret_key',
'ap_northeast_2_access_key',
'ap_northeast_2_secret_key',
'ap_southeast_1_access_key',
'ap_southeast_1_secret_key',
'ap_southeast_2_access_key',
'ap_southeast_2_secret_key',
'ap_east_1_access_key',
'ap_east_1_secret_key',
'ap_south_1_access_key',
'ap_south_1_secret_key',
'sa_east_1_access_key',
'sa_east_1_secret_key',
):
if settings.app.cloud_provider != 'aws':
settings_commit = True
setattr(settings.app, aws_key, None)
elif aws_key in flask.request.json:
settings_commit = True
aws_value = flask.request.json[aws_key]
if aws_value:
setattr(settings.app, aws_key, utils.filter_str(aws_value))
else:
setattr(settings.app, aws_key, None)
if not settings.app.sso:
settings.app.sso_match = None
settings.app.sso_azure_directory_id = None
settings.app.sso_azure_app_id = None
settings.app.sso_azure_app_secret = None
settings.app.sso_authzero_directory_id = None
settings.app.sso_authzero_app_id = None
settings.app.sso_authzero_app_secret = None
settings.app.sso_google_key = None
settings.app.sso_google_email = None
settings.app.sso_duo_token = None
settings.app.sso_duo_secret = None
settings.app.sso_duo_host = None
settings.app.sso_org = None
settings.app.sso_saml_url = None
settings.app.sso_saml_issuer_url = None
settings.app.sso_saml_cert = None
settings.app.sso_okta_app_id = None
settings.app.sso_okta_token = None
settings.app.sso_onelogin_key = None
settings.app.sso_onelogin_app_id = None
settings.app.sso_onelogin_id = None
settings.app.sso_onelogin_secret = None
settings.app.sso_jumpcloud_secret = None
settings.app.sso_radius_secret = None
settings.app.sso_radius_host = None
else:
if RADIUS_AUTH in settings.app.sso and \
settings.app.sso_duo_mode == 'passcode':
return utils.jsonify(
{
'error': RADIUS_DUO_PASSCODE,
'error_msg': RADIUS_DUO_PASSCODE_MSG,
}, 400)
if settings.app.sso == DUO_AUTH and \
settings.app.sso_duo_mode == 'passcode':
return utils.jsonify(
{
'error': DUO_PASSCODE,
'error_msg': DUO_PASSCODE_MSG,
}, 400)
for change in changes:
remote_addr = utils.get_remote_addr()
flask.g.administrator.audit_event(
'admin_settings',
_changes_audit_text[change],
remote_addr=remote_addr,
)
journal.entry(
journal.SETTINGS_UPDATE,
remote_address=remote_addr,
event_long='Settings updated',
changed=_changes_audit_text[change],
)
if settings_commit:
settings.commit()
admin.commit(admin.changed)
if admin_event:
event.Event(type=ADMINS_UPDATED)
if org_event:
for org in organization.iter_orgs(fields=('_id')):
event.Event(type=USERS_UPDATED, resource_id=org.id)
event.Event(type=SETTINGS_UPDATED)
if update_acme:
try:
acme.update_acme_cert()
app.update_server(0.5)
except:
logger.exception(
'Failed to get LetsEncrypt cert',
'handler',
acme_domain=settings.app.acme_domain,
)
settings.app.acme_domain = None
settings.app.acme_key = None
settings.app.acme_timestamp = None
settings.commit()
return utils.jsonify(
{
'error': ACME_ERROR,
'error_msg': ACME_ERROR_MSG,
}, 400)
elif update_cert:
logger.info('Regenerating server certificate...', 'handler')
utils.create_server_cert()
app.update_server(0.5)
elif update_server:
app.update_server(0.5)
response = flask.g.administrator.dict()
response.update(_dict())
return utils.jsonify(response)
def parse_line(self, line):
if self.client:
if line == '>CLIENT:ENV,END':
cmd = self.client['cmd']
if cmd == 'connect':
self.clients.connect(self.client)
elif cmd == 'reauth':
self.clients.connect(self.client, reauth=True)
elif cmd == 'connected':
self.clients.connected(self.client.get('client_id'))
elif cmd == 'disconnected':
self.clients.disconnected(self.client.get('client_id'))
self.client = None
elif line.startswith('>CLIENT:ENV'):
env_key, env_val = line[12:].split('=', 1)
if env_key == 'tls_id_0':
tls_env = ''.join(x for x in env_val if x in VALID_CHARS)
o_index = tls_env.find('O=')
cn_index = tls_env.find('CN=')
if o_index < 0 or cn_index < 0:
self.send_client_deny(
self.client, 'Failed to parse org_id and user_id')
self.client = None
return
if o_index > cn_index:
org_id = tls_env[o_index + 2:]
user_id = tls_env[3:o_index]
else:
org_id = tls_env[2:cn_index]
user_id = tls_env[cn_index + 3:]
self.client['org_id'] = database.ParseObjectId(org_id)
self.client['user_id'] = database.ParseObjectId(user_id)
elif env_key == 'IV_HWADDR':
self.client['mac_addr'] = env_val
elif env_key == 'untrusted_ip':
self.client['remote_ip'] = env_val
elif env_key == 'untrusted_ip6':
remote_ip = env_val
if remote_ip.startswith('::ffff:'):
remote_ip = remote_ip.split(':')[-1]
self.client['remote_ip'] = remote_ip
elif env_key == 'IV_PLAT' and not self.client.get('platform'):
if 'chrome' in env_val.lower():
env_val = 'chrome'
self.client['device_id'] = uuid.uuid4().hex
self.client['device_name'] = 'chrome-os'
self.client['platform'] = env_val
elif env_key == 'UV_ID':
self.client['device_id'] = env_val
elif env_key == 'UV_NAME':
self.client['device_name'] = env_val
elif env_key == 'UV_PLATFORM':
self.client['platform'] = env_val
elif env_key == 'username':
self.client['username'] = env_val
elif env_key == 'password':
self.client['password'] = env_val
else:
self.push_output('CCOM> %s' % line[1:])
elif line.startswith('>BYTECOUNT_CLI'):
client_id, bytes_recv, bytes_sent = line.split(',')
client_id = client_id.split(':')[1]
self.parse_bytecount(client_id, int(bytes_recv), int(bytes_sent))
elif line.startswith('>CLIENT:CONNECT'):
_, client_id, key_id = line.split(',')
self.client = {
'cmd': 'connect',
'client_id': client_id,
'key_id': key_id,
}
elif line.startswith('>CLIENT:REAUTH'):
_, client_id, key_id = line.split(',')
self.client = {
'cmd': 'reauth',
'client_id': client_id,
'key_id': key_id,
}
elif line.startswith('>CLIENT:ESTABLISHED'):
_, client_id = line.split(',')
self.client = {
'cmd': 'connected',
'client_id': client_id,
}
elif line.startswith('>CLIENT:DISCONNECT'):
_, client_id = line.split(',')
self.client = {
'cmd': 'disconnected',
'client_id': client_id,
}
elif line.startswith('SUCCESS:'):
self.push_output('COM> %s' % line)
def check_session(csrf_check):
auth_token = flask.request.headers.get('Auth-Token', None)
if auth_token:
auth_timestamp = flask.request.headers.get('Auth-Timestamp', None)
auth_nonce = flask.request.headers.get('Auth-Nonce', None)
auth_signature = flask.request.headers.get('Auth-Signature', None)
if not auth_token or not auth_timestamp or not auth_nonce or \
not auth_signature:
return False
auth_token = auth_token[:256]
auth_timestamp = auth_timestamp[:64]
auth_nonce = auth_nonce[:32]
auth_signature = auth_signature[:512]
try:
if abs(int(auth_timestamp) - int(utils.time_now())) > \
settings.app.auth_time_window:
return False
except ValueError:
return False
administrator = find_user(token=auth_token)
if not administrator:
return False
if not administrator.auth_api:
return False
auth_string = '&'.join([
auth_token, auth_timestamp, auth_nonce, flask.request.method,
flask.request.path
])
if len(auth_string) > AUTH_SIG_STRING_MAX_LEN or len(auth_nonce) < 8:
return False
if not administrator.secret or len(administrator.secret) < 8:
return False
auth_test_signature = base64.b64encode(
hmac.new(administrator.secret.encode(), auth_string.encode(),
hashlib.sha256).digest()).decode()
if not utils.const_compare(auth_signature, auth_test_signature):
return False
try:
Administrator.nonces_collection.insert({
'token': auth_token,
'nonce': auth_nonce,
'timestamp': utils.now(),
})
except pymongo.errors.DuplicateKeyError:
return False
else:
if not flask.session:
return False
admin_id = utils.session_opt_str('admin_id')
if not admin_id:
return False
admin_id = database.ParseObjectId(admin_id)
session_id = utils.session_opt_str('session_id')
signature = utils.session_opt_str('signature')
if not signature:
return False
if not utils.check_flask_sig():
return False
if csrf_check:
csrf_token = flask.request.headers.get('Csrf-Token', None)
if not validate_token(admin_id, csrf_token):
return False
administrator = get_user(admin_id, session_id)
if not administrator:
return False
if not settings.app.reverse_proxy and \
not settings.app.allow_insecure_session and \
not settings.app.server_ssl and \
utils.session_opt_str('source') != utils.get_remote_addr():
flask.session.clear()
clear_session(admin_id, session_id)
return False
session_timeout = settings.app.session_timeout
if session_timeout and int(utils.time_now()) - \
utils.session_int('timestamp') > session_timeout:
flask.session.clear()
clear_session(admin_id, session_id)
return False
flask.session['timestamp'] = int(utils.time_now())
utils.set_flask_sig()
if administrator.disabled:
return False
flask.g.administrator = administrator
return True