def org_get(org_id=None):
    """Return one organization (when ``org_id`` is given) or all of them as JSON.

    Args:
        org_id: id of a single organization to look up. When falsy, every
            organization from ``organization.iter_orgs()`` is returned instead.

    Returns:
        A ``utils.jsonify`` response: a single org dict, or a list of org dicts.

    NOTE(review): no authentication/authorization check is visible here; it is
    presumably applied by the route decorator outside this listing — confirm.
    NOTE(review): if ``get_org`` returns None for an unknown id the ``.dict()``
    call raises AttributeError — confirm whether it raises a not-found itself.
    """
    if org_id:
        single = organization.get_org(id=org_id)
        return utils.jsonify(single.dict())

    payload = [org.dict() for org in organization.iter_orgs()]
    return utils.jsonify(payload)
def org_get(org_id=None):
    """Serialize either a single organization or the whole list as JSON.

    Args:
        org_id: id of the organization to fetch; falsy means "list all".

    Returns:
        ``utils.jsonify`` of one org dict, or of a list of org dicts.

    NOTE(review): access control is not visible in this block and is assumed
    to live on the route decorator — verify before exposing this endpoint.
    NOTE(review): ``get_org(...)`` returning None would make ``.dict()`` raise;
    confirm its not-found behaviour.
    """
    if not org_id:
        listing = [entry.dict() for entry in organization.iter_orgs()]
        return utils.jsonify(listing)

    found = organization.get_org(id=org_id)
    return utils.jsonify(found.dict())
 def iter_orgs(self, fields=None):
     """Yield the organizations whose ids are listed in ``self.organizations``.

     Args:
         fields: optional projection passed straight through to
             ``organization.iter_orgs``.

     Yields:
         Whatever ``organization.iter_orgs`` yields for the matching ids.

     This is the membership filter: only ids already present on this object
     are queried, so callers cannot widen the result set via ``fields``.
     """
     membership_spec = {'_id': {'$in': self.organizations}}
     matching = organization.iter_orgs(spec=membership_spec, fields=fields)
     for entry in matching:
         yield entry
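def fill_user():
    """Top up every organization's pool of pre-generated users.

    For each organization and each pool type (client / server certificate
    pool) the current pool size is the number of pooled users already in the
    ``users`` collection plus the number of ``init_user_pooled`` jobs still
    waiting in the ``queue`` collection. Any org/type pair below its configured
    target size gets ``target - current`` new users requested, interleaved
    across orgs with ``utils.roundrobin`` so one large org cannot starve the
    others.

    Side effects: calls ``org.new_user(type=..., block=False)`` for every
    missing pooled user; logs a warning for counts that reference an org that
    no longer exists.

    Change vs. previous revision: the unused ``organizations`` collection
    handle was dropped (it was fetched but never read).
    """
    collection = mongo.get_collection("users")
    queue_collection = mongo.get_collection("queue")

    orgs = {}
    orgs_count = utils.LeastCommonCounter()
    type_to_size = {
        CERT_CLIENT_POOL: settings.app.user_pool_size,
        CERT_SERVER_POOL: settings.app.server_user_pool_size,
    }

    # Seed a zero entry for every org/type pair so organizations with no
    # pooled users at all still show up in least_common() below.
    for org in organization.iter_orgs(type=None):
        orgs[org.id] = org
        orgs_count[org.id, CERT_CLIENT_POOL] = 0
        orgs_count[org.id, CERT_SERVER_POOL] = 0

    # Pooled users that already exist, grouped by (org, type).
    existing_pipeline = [
        {"$match": {"type": {"$in": (CERT_CLIENT_POOL, CERT_SERVER_POOL)}}},
        {"$project": {"org_id": True, "type": True}},
        {"$group": {"_id": {"org_id": "$org_id", "type": "$type"}, "count": {"$sum": 1}}},
    ]
    # Pooled users still being created by a queued job; they count towards
    # the pool too, otherwise every run would re-request the same users.
    queued_pipeline = [
        {"$match": {"type": "init_user_pooled", "user_doc.type": {"$in": (CERT_CLIENT_POOL, CERT_SERVER_POOL)}}},
        {"$project": {"user_doc.org_id": True, "user_doc.type": True}},
        {"$group": {"_id": {"org_id": "$user_doc.org_id", "type": "$user_doc.type"}, "count": {"$sum": 1}}},
    ]

    for coll, pipeline in ((collection, existing_pipeline), (queue_collection, queued_pipeline)):
        for pool in coll.aggregate(pipeline):
            orgs_count[pool["_id"]["org_id"], pool["_id"]["type"]] += pool["count"]

    new_users = []

    # NOTE(review): relies on least_common() yielding counts in ascending
    # order (as its name suggests); the break below assumes every later entry
    # is already at or above its target.
    for org_id_user_type, count in orgs_count.least_common():
        org_id, user_type = org_id_user_type
        pool_size = type_to_size[user_type]

        if count >= pool_size:
            break

        org = orgs.get(org_id)
        if not org:
            # Counts can reference orgs deleted since the seed loop above.
            logger.warning("Pooler cannot find org from user_count", "pooler", org_id=org_id, user_type=user_type)
            continue
        new_users.append([(org, user_type)] * (pool_size - count))

    for org, user_type in utils.roundrobin(*new_users):
        org.new_user(type=user_type, block=False)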
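def org_get(org_id=None):
    """Return one organization, or an optionally paginated list, as JSON.

    Args:
        org_id: id of a single organization to fetch. When falsy the list form
            is returned.

    Query parameters (list form only):
        page: optional page number. This is untrusted input — anything that
            is not a non-negative integer is rejected with HTTP 400 rather than
            letting ``int()`` raise and the request end in a 500. An empty
            value is treated as "no pagination".

    Returns:
        ``utils.jsonify`` of the org dict; of a plain list of org dicts; or,
        when ``page`` was given, of ``{'page', 'page_total', 'organizations'}``.

    NOTE(review): authentication/authorization is not visible here and is
    assumed to be applied by the route decorator outside this listing.
    NOTE(review): if ``get_by_id`` returns None for an unknown id the
    ``.dict()`` call raises AttributeError — confirm it raises not-found itself.
    """
    if org_id:
        return utils.jsonify(organization.get_by_id(org_id).dict())

    page = flask.request.args.get('page', None)
    if page:
        try:
            page = int(page)
        except ValueError:
            # Non-numeric page parameter: client error, not a server error.
            flask.abort(400)
        if page < 0:
            flask.abort(400)
    else:
        page = None

    orgs = [org.dict() for org in organization.iter_orgs(page=page)]

    if page is not None:
        return utils.jsonify({
            'page': page,
            'page_total': organization.get_org_page_total(),
            'organizations': orgs,
        })
    return utils.jsonify(orgs)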
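def org_get(org_id=None):
    """Return one organization, or an optionally paginated list, as JSON.

    In demo mode responses are served from / stored in the demo cache
    (``utils.demo_get_cache`` / ``utils.demo_set_cache``) so the demo backend
    is not hit repeatedly.

    Args:
        org_id: id of a single organization to fetch. When falsy the list form
            is returned.

    Query parameters (list form only):
        page: optional page number. Untrusted input — anything that is not a
            non-negative integer is rejected with HTTP 400 instead of letting
            ``int()`` raise and the request end in a 500. An empty value is
            treated as "no pagination".

    Returns:
        ``utils.jsonify`` of the org dict; of a plain list of org dicts; or,
        when ``page`` was given, of ``{'page', 'page_total', 'organizations'}``.

    NOTE(review): authentication/authorization is not visible here and is
    assumed to be applied by the route decorator outside this listing.
    """
    if org_id:
        if settings.app.demo_mode:
            # NOTE(review): no key is passed here, so the cache must derive one
            # from the request (e.g. its path) internally — confirm, otherwise
            # one org's payload could be served for a different org_id.
            resp = utils.demo_get_cache()
            if resp:
                return utils.jsonify(resp)

        # NOTE(review): if get_by_id returns None for an unknown id this raises
        # AttributeError — confirm it raises a not-found error itself.
        resp = organization.get_by_id(org_id).dict()
        if settings.app.demo_mode:
            utils.demo_set_cache(resp)
        return utils.jsonify(resp)

    page = flask.request.args.get('page', None)
    if page:
        try:
            page = int(page)
        except ValueError:
            # Non-numeric page parameter: client error, not a server error.
            flask.abort(400)
        if page < 0:
            flask.abort(400)
    else:
        page = None

    if settings.app.demo_mode:
        resp = utils.demo_get_cache(page)
        if resp:
            return utils.jsonify(resp)

    orgs = [org.dict() for org in organization.iter_orgs(page=page)]

    if page is not None:
        resp = {
            'page': page,
            'page_total': organization.get_org_page_total(),
            'organizations': orgs,
        }
    else:
        resp = orgs

    if settings.app.demo_mode:
        utils.demo_set_cache(resp, page)
    return utils.jsonify(resp)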
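def org_get(org_id=None):
    """Return one organization, or an optionally paginated list, as JSON.

    In demo mode responses are served from / stored in the demo cache
    (``utils.demo_get_cache`` / ``utils.demo_set_cache``).

    Args:
        org_id: id of a single organization to fetch. When falsy the list form
            is returned.

    Query parameters (list form only):
        page: optional page number. Untrusted input — anything that is not a
            non-negative integer is rejected with HTTP 400 instead of letting
            ``int()`` raise and the request end in a 500. An empty value is
            treated as "no pagination".

    Returns:
        ``utils.jsonify`` of the org dict; of a plain list of org dicts; or,
        when ``page`` was given, of ``{'page', 'page_total', 'organizations'}``.

    NOTE(review): authentication/authorization is not visible here and is
    assumed to be applied by the route decorator outside this listing.
    """
    if org_id:
        if settings.app.demo_mode:
            # NOTE(review): no key is passed; the cache must key on the
            # request internally — confirm org_id is part of that key.
            resp = utils.demo_get_cache()
            if resp:
                return utils.jsonify(resp)

        # NOTE(review): get_by_id returning None would make .dict() raise
        # AttributeError — confirm its not-found behaviour.
        resp = organization.get_by_id(org_id).dict()
        if settings.app.demo_mode:
            utils.demo_set_cache(resp)
        return utils.jsonify(resp)

    page = flask.request.args.get('page', None)
    if page:
        try:
            page = int(page)
        except ValueError:
            # Non-numeric page parameter: client error, not a server error.
            flask.abort(400)
        if page < 0:
            flask.abort(400)
    else:
        page = None

    if settings.app.demo_mode:
        resp = utils.demo_get_cache(page)
        if resp:
            return utils.jsonify(resp)

    orgs = [org.dict() for org in organization.iter_orgs(page=page)]

    if page is not None:
        resp = {
            'page': page,
            'page_total': organization.get_org_page_total(),
            'organizations': orgs,
        }
    else:
        resp = orgs

    if settings.app.demo_mode:
        utils.demo_set_cache(resp, page)
    return utils.jsonify(resp)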
 def iter_orgs(self, fields=None):
     """Iterate over the organizations listed in ``self.organizations``.

     Args:
         fields: optional projection forwarded unchanged to
             ``organization.iter_orgs``.

     Yields:
         The organizations matching ``{'_id': {'$in': self.organizations}}``.

     Only ids already attached to this object are queried; ``fields`` narrows
     the returned fields but cannot widen the set of organizations.
     """
     owned_ids = self.organizations
     for found in organization.iter_orgs(spec={'_id': {'$in': owned_ids}}, fields=fields):
         yield found
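def settings_put():
    """Apply a JSON settings update from the administrator UI.

    Every key in ``flask.request.json`` is optional; only keys present in the
    body are touched. Changes are applied to the in-memory ``settings.app`` /
    ``settings.user`` / ``settings.local.host`` objects first, then committed
    (``settings.commit()``) once at the end. Several validations (port range,
    reserved port, ACME failure, auditing needs super-user, SSO org required,
    Duo passcode vs RADIUS/Duo, IPv6 subnet) return a 400 JSON error early.

    Returns:
        ``utils.jsonify`` of the administrator dict merged with ``_dict()`` on
        success, or a ``{'error', 'error_msg'}`` body with status 400.

    Security notes:
      * Blocked entirely in demo mode.
      * Changing ``auditing`` requires ``flask.g.administrator.super_user``.
      * When SSO is turned off every stored SSO credential is wiped.
      * Username / password / SMTP / PIN / SSO changes are written to the
        audit log via ``audit_event`` with the caller's remote address.
      * NOTE(review): in-memory settings are mutated before the later
        validation checks run; on an early 400 return nothing is committed,
        but this process's ``settings.app`` already reflects the rejected
        values until it is reloaded. Confirm settings are re-read from the
        store before relying on this.
      * NOTE(review): the response merges ``_dict()`` (outside this listing);
        confirm it does not echo back stored secrets (server_key, SSO/AWS
        secrets, email_password).
      * NOTE(review): no password policy is enforced in this block; if one
        exists it must live in the ``admin.password`` setter.

    Changes vs. previous revision: ``server_port`` parsing also rejects
    non-scalar JSON values (TypeError) with 400 instead of a 500; the ACME
    failure handler catches ``Exception`` rather than a bare ``except``; the
    ``fields`` projection for the org event loop is a real tuple
    (``('_id',)``, the old ``('_id')`` was just the string).
    """
    if settings.app.demo_mode:
        return utils.demo_blocked()

    org_event = False
    admin_event = False
    admin = flask.g.administrator
    changes = set()

    settings_commit = False
    update_server = False
    update_acme = False
    update_cert = False

    if 'username' in flask.request.json and flask.request.json['username']:
        username = utils.filter_str(flask.request.json['username']).lower()
        if username != admin.username:
            changes.add('username')
        admin.username = username

    if 'password' in flask.request.json and flask.request.json['password']:
        password = flask.request.json['password']
        changes.add('password')
        admin.password = password

    if 'server_cert' in flask.request.json:
        settings_commit = True
        server_cert = flask.request.json['server_cert']
        if server_cert:
            server_cert = server_cert.strip()
        else:
            server_cert = None

        if server_cert != settings.app.server_cert:
            update_server = True

        settings.app.server_cert = server_cert

    if 'server_key' in flask.request.json:
        settings_commit = True
        server_key = flask.request.json['server_key']
        if server_key:
            server_key = server_key.strip()
        else:
            server_key = None

        if server_key != settings.app.server_key:
            update_server = True

        settings.app.server_key = server_key

    if 'server_port' in flask.request.json:
        settings_commit = True

        server_port = flask.request.json['server_port']
        if not server_port:
            server_port = 443

        try:
            server_port = int(server_port)
            if server_port < 1 or server_port > 65535:
                raise ValueError('Port invalid')
        except (ValueError, TypeError):
            # TypeError covers JSON lists/objects, which int() rejects with
            # TypeError rather than ValueError; either way it is a client error.
            return utils.jsonify(
                {
                    'error': PORT_INVALID,
                    'error_msg': PORT_INVALID_MSG,
                }, 400)

        # Port 80 is taken by the HTTP->HTTPS redirect listener when enabled.
        if settings.app.redirect_server and server_port == 80:
            return utils.jsonify(
                {
                    'error': PORT_RESERVED,
                    'error_msg': PORT_RESERVED_MSG,
                }, 400)

        if server_port != settings.app.server_port:
            update_server = True

        settings.app.server_port = server_port

    if 'acme_domain' in flask.request.json:
        settings_commit = True

        # Accept a pasted URL but keep only the bare host name.
        acme_domain = utils.filter_str(flask.request.json['acme_domain']
                                       or None)
        if acme_domain:
            acme_domain = acme_domain.replace('https://', '')
            acme_domain = acme_domain.replace('http://', '')
            acme_domain = acme_domain.replace('/', '')

        if acme_domain != settings.app.acme_domain:
            if not acme_domain:
                # ACME disabled: drop the ACME state and the cert it issued so
                # a self-signed server cert is regenerated below.
                settings.app.acme_key = None
                settings.app.acme_timestamp = None
                settings.app.server_key = None
                settings.app.server_cert = None
                update_server = True
                update_cert = True
            else:
                update_acme = True
        settings.app.acme_domain = acme_domain

    if 'auditing' in flask.request.json:
        settings_commit = True
        auditing = flask.request.json['auditing'] or None

        if settings.app.auditing != auditing:
            # Toggling auditing is restricted to super users.
            if not flask.g.administrator.super_user:
                return utils.jsonify(
                    {
                        'error': REQUIRES_SUPER_USER,
                        'error_msg': REQUIRES_SUPER_USER_MSG,
                    }, 400)
            admin_event = True
            org_event = True

        settings.app.auditing = auditing

    if 'monitoring' in flask.request.json:
        settings_commit = True
        monitoring = flask.request.json['monitoring'] or None
        settings.app.monitoring = monitoring

    if 'influxdb_uri' in flask.request.json:
        settings_commit = True
        influxdb_uri = flask.request.json['influxdb_uri'] or None
        settings.app.influxdb_uri = influxdb_uri

    if 'email_from' in flask.request.json:
        settings_commit = True
        email_from = flask.request.json['email_from'] or None
        if email_from != settings.app.email_from:
            changes.add('smtp')
        settings.app.email_from = email_from

    if 'email_server' in flask.request.json:
        settings_commit = True
        email_server = flask.request.json['email_server'] or None
        if email_server != settings.app.email_server:
            changes.add('smtp')
        settings.app.email_server = email_server

    if 'email_username' in flask.request.json:
        settings_commit = True
        email_username = flask.request.json['email_username'] or None
        if email_username != settings.app.email_username:
            changes.add('smtp')
        settings.app.email_username = email_username

    if 'email_password' in flask.request.json:
        settings_commit = True
        email_password = flask.request.json['email_password'] or None
        if email_password != settings.app.email_password:
            changes.add('smtp')
        settings.app.email_password = email_password

    if 'pin_mode' in flask.request.json:
        settings_commit = True
        pin_mode = flask.request.json['pin_mode'] or None
        if pin_mode != settings.user.pin_mode:
            changes.add('pin_mode')
        settings.user.pin_mode = pin_mode

    if 'sso' in flask.request.json:
        org_event = True
        settings_commit = True
        sso = flask.request.json['sso'] or None
        if sso != settings.app.sso:
            changes.add('sso')
        settings.app.sso = sso

    if 'sso_match' in flask.request.json:
        settings_commit = True
        sso_match = flask.request.json['sso_match'] or None

        if sso_match != settings.app.sso_match:
            changes.add('sso')

        # Only a JSON list is accepted; anything else clears the match list.
        if isinstance(sso_match, list):
            settings.app.sso_match = sso_match
        else:
            settings.app.sso_match = None

    if 'sso_duo_token' in flask.request.json:
        settings_commit = True
        sso_duo_token = flask.request.json['sso_duo_token'] or None
        if sso_duo_token != settings.app.sso_duo_token:
            changes.add('sso')
        settings.app.sso_duo_token = sso_duo_token

    if 'sso_duo_secret' in flask.request.json:
        settings_commit = True
        sso_duo_secret = flask.request.json['sso_duo_secret'] or None
        if sso_duo_secret != settings.app.sso_duo_secret:
            changes.add('sso')
        settings.app.sso_duo_secret = sso_duo_secret

    if 'sso_duo_host' in flask.request.json:
        settings_commit = True
        sso_duo_host = flask.request.json['sso_duo_host'] or None
        if sso_duo_host != settings.app.sso_duo_host:
            changes.add('sso')
        settings.app.sso_duo_host = sso_duo_host

    if 'sso_duo_mode' in flask.request.json:
        settings_commit = True
        sso_duo_mode = flask.request.json['sso_duo_mode'] or None
        if sso_duo_mode != settings.app.sso_duo_mode:
            changes.add('sso')
        settings.app.sso_duo_mode = sso_duo_mode

    if 'sso_radius_secret' in flask.request.json:
        settings_commit = True
        sso_radius_secret = flask.request.json['sso_radius_secret'] or None
        if sso_radius_secret != settings.app.sso_radius_secret:
            changes.add('sso')
        settings.app.sso_radius_secret = sso_radius_secret

    if 'sso_radius_host' in flask.request.json:
        settings_commit = True
        sso_radius_host = flask.request.json['sso_radius_host'] or None
        if sso_radius_host != settings.app.sso_radius_host:
            changes.add('sso')
        settings.app.sso_radius_host = sso_radius_host

    if 'sso_org' in flask.request.json:
        settings_commit = True
        sso_org = flask.request.json['sso_org'] or None

        if sso_org:
            # NOTE(review): an unparsable id makes utils.ObjectId raise; that
            # error is not caught here — confirm it maps to a 4xx upstream.
            sso_org = utils.ObjectId(sso_org)
        else:
            sso_org = None

        if sso_org != settings.app.sso_org:
            changes.add('sso')

        # SSO users must land in some organization.
        if settings.app.sso and not sso_org:
            return utils.jsonify(
                {
                    'error': SSO_ORG_NULL,
                    'error_msg': SSO_ORG_NULL_MSG,
                }, 400)

        settings.app.sso_org = sso_org

    if 'sso_saml_url' in flask.request.json:
        settings_commit = True
        sso_saml_url = flask.request.json['sso_saml_url'] or None
        if sso_saml_url != settings.app.sso_saml_url:
            changes.add('sso')
        settings.app.sso_saml_url = sso_saml_url

    if 'sso_saml_issuer_url' in flask.request.json:
        settings_commit = True
        sso_saml_issuer_url = flask.request.json['sso_saml_issuer_url'] or None
        if sso_saml_issuer_url != settings.app.sso_saml_issuer_url:
            changes.add('sso')
        settings.app.sso_saml_issuer_url = sso_saml_issuer_url

    if 'sso_saml_cert' in flask.request.json:
        settings_commit = True
        sso_saml_cert = flask.request.json['sso_saml_cert'] or None
        if sso_saml_cert != settings.app.sso_saml_cert:
            changes.add('sso')
        settings.app.sso_saml_cert = sso_saml_cert

    if 'sso_okta_token' in flask.request.json:
        settings_commit = True
        sso_okta_token = flask.request.json['sso_okta_token'] or None
        if sso_okta_token != settings.app.sso_okta_token:
            changes.add('sso')
        settings.app.sso_okta_token = sso_okta_token

    if 'sso_onelogin_id' in flask.request.json:
        settings_commit = True
        sso_onelogin_id = flask.request.json['sso_onelogin_id'] or None
        if sso_onelogin_id != settings.app.sso_onelogin_id:
            changes.add('sso')
        settings.app.sso_onelogin_id = sso_onelogin_id

    if 'sso_onelogin_secret' in flask.request.json:
        settings_commit = True
        sso_onelogin_secret = \
            flask.request.json['sso_onelogin_secret'] or None
        if sso_onelogin_secret != settings.app.sso_onelogin_secret:
            changes.add('sso')
        settings.app.sso_onelogin_secret = sso_onelogin_secret

    if 'sso_client_cache' in flask.request.json:
        settings_commit = True
        sso_client_cache = True if \
            flask.request.json['sso_client_cache'] else False
        if sso_client_cache != settings.app.sso_client_cache:
            changes.add('sso')
        settings.app.sso_client_cache = sso_client_cache

    if 'sso_yubico_client' in flask.request.json:
        settings_commit = True
        sso_yubico_client = \
            flask.request.json['sso_yubico_client'] or None
        if sso_yubico_client != settings.app.sso_yubico_client:
            changes.add('sso')
        settings.app.sso_yubico_client = sso_yubico_client

    if 'sso_yubico_secret' in flask.request.json:
        settings_commit = True
        sso_yubico_secret = \
            flask.request.json['sso_yubico_secret'] or None
        if sso_yubico_secret != settings.app.sso_yubico_secret:
            changes.add('sso')
        settings.app.sso_yubico_secret = sso_yubico_secret

    if flask.request.json.get('theme'):
        settings_commit = True
        # Anything other than the literal 'light' is treated as 'dark'.
        theme = 'light' if flask.request.json['theme'] == 'light' else 'dark'

        if theme != settings.app.theme:
            if theme == 'dark':
                event.Event(type=THEME_DARK)
            else:
                event.Event(type=THEME_LIGHT)

        settings.app.theme = theme

    # Host-local settings below are committed individually, not via
    # settings.commit().
    if 'public_address' in flask.request.json:
        public_address = flask.request.json['public_address'] or None

        if public_address != settings.local.host.public_addr:
            settings.local.host.public_address = public_address
            settings.local.host.commit('public_address')

    if 'public_address6' in flask.request.json:
        public_address6 = flask.request.json['public_address6'] or None

        if public_address6 != settings.local.host.public_addr6:
            settings.local.host.public_address6 = public_address6
            settings.local.host.commit('public_address6')

    if 'routed_subnet6' in flask.request.json:
        routed_subnet6 = flask.request.json['routed_subnet6']
        if routed_subnet6:
            try:
                # strict=True by default: host bits set -> ValueError -> 400.
                routed_subnet6 = ipaddress.IPv6Network(
                    flask.request.json['routed_subnet6'])
            except (ipaddress.AddressValueError, ValueError):
                return utils.jsonify(
                    {
                        'error': IPV6_SUBNET_INVALID,
                        'error_msg': IPV6_SUBNET_INVALID_MSG,
                    }, 400)

            if routed_subnet6.prefixlen > 64:
                return utils.jsonify(
                    {
                        'error': IPV6_SUBNET_SIZE_INVALID,
                        'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG,
                    }, 400)

            routed_subnet6 = str(routed_subnet6)
        else:
            routed_subnet6 = None

        if settings.local.host.routed_subnet6 != routed_subnet6:
            # Refuse to re-address while IPv6 servers are online.
            if server.get_online_ipv6_count():
                return utils.jsonify(
                    {
                        'error': IPV6_SUBNET_ONLINE,
                        'error_msg': IPV6_SUBNET_ONLINE_MSG,
                    }, 400)
            settings.local.host.routed_subnet6 = routed_subnet6
            settings.local.host.commit('routed_subnet6')

    if 'reverse_proxy' in flask.request.json:
        settings_commit = True
        reverse_proxy = flask.request.json['reverse_proxy']
        settings.app.reverse_proxy = True if reverse_proxy else False

    if 'cloud_provider' in flask.request.json:
        settings_commit = True
        cloud_provider = flask.request.json['cloud_provider'] or None
        settings.app.cloud_provider = cloud_provider

    if 'route53_region' in flask.request.json:
        settings_commit = True
        settings.app.route53_region = utils.filter_str(
            flask.request.json['route53_region']) or None

    if 'route53_zone' in flask.request.json:
        settings_commit = True
        settings.app.route53_zone = utils.filter_str(
            flask.request.json['route53_zone']) or None

    # Per-region AWS credentials; each key is stored verbatim after
    # filter_str, or cleared when the body sends an empty value.
    for aws_key in (
            'us_east_1_access_key',
            'us_east_1_secret_key',
            'us_east_2_access_key',
            'us_east_2_secret_key',
            'us_west_1_access_key',
            'us_west_1_secret_key',
            'us_west_2_access_key',
            'us_west_2_secret_key',
            'eu_west_1_access_key',
            'eu_west_1_secret_key',
            'eu_central_1_access_key',
            'eu_central_1_secret_key',
            'ap_northeast_1_access_key',
            'ap_northeast_1_secret_key',
            'ap_northeast_2_access_key',
            'ap_northeast_2_secret_key',
            'ap_southeast_1_access_key',
            'ap_southeast_1_secret_key',
            'ap_southeast_2_access_key',
            'ap_southeast_2_secret_key',
            'ap_south_1_access_key',
            'ap_south_1_secret_key',
            'sa_east_1_access_key',
            'sa_east_1_secret_key',
    ):
        if aws_key in flask.request.json:
            settings_commit = True
            aws_value = flask.request.json[aws_key]

            if aws_value:
                setattr(settings.app, aws_key, utils.filter_str(aws_value))
            else:
                setattr(settings.app, aws_key, None)

    if not settings.app.sso:
        # SSO off: scrub every provider credential so nothing lingers in the
        # settings store.
        settings.app.sso_host = None
        settings.app.sso_token = None
        settings.app.sso_secret = None
        settings.app.sso_match = None
        settings.app.sso_duo_token = None
        settings.app.sso_duo_secret = None
        settings.app.sso_duo_host = None
        settings.app.sso_yubico_client = None
        settings.app.sso_yubico_secret = None
        settings.app.sso_org = None
        settings.app.sso_saml_url = None
        settings.app.sso_saml_issuer_url = None
        settings.app.sso_saml_cert = None
        settings.app.sso_okta_token = None
        settings.app.sso_onelogin_key = None
        settings.app.sso_onelogin_id = None
        settings.app.sso_onelogin_secret = None
        settings.app.sso_radius_secret = None
        settings.app.sso_radius_host = None
    else:
        if RADIUS_AUTH in settings.app.sso and \
                settings.app.sso_duo_mode == 'passcode':
            return utils.jsonify(
                {
                    'error': RADIUS_DUO_PASSCODE,
                    'error_msg': RADIUS_DUO_PASSCODE_MSG,
                }, 400)

        if settings.app.sso == DUO_AUTH and \
                settings.app.sso_duo_mode == 'passcode':
            return utils.jsonify(
                {
                    'error': DUO_PASSCODE,
                    'error_msg': DUO_PASSCODE_MSG,
                }, 400)

    for change in changes:
        flask.g.administrator.audit_event(
            'admin_settings',
            _changes_audit_text[change],
            remote_addr=utils.get_remote_addr(),
        )

    if settings_commit:
        settings.commit()

    admin.commit(admin.changed)

    if admin_event:
        event.Event(type=ADMINS_UPDATED)

    if org_event:
        # Only the id is needed to address the per-org USERS_UPDATED event.
        for org in organization.iter_orgs(fields=('_id',)):
            event.Event(type=USERS_UPDATED, resource_id=org.id)

    event.Event(type=SETTINGS_UPDATED)

    if update_acme:
        try:
            acme.update_acme_cert()
            app.update_server(0.5)
        except Exception:
            # Best-effort: log, roll the ACME settings back and report 400.
            # `Exception` (not a bare except) so SystemExit/KeyboardInterrupt
            # still propagate.
            logger.exception(
                'Failed to get LetsEncrypt cert',
                'handler',
                acme_domain=settings.app.acme_domain,
            )
            settings.app.acme_domain = None
            settings.app.acme_key = None
            settings.app.acme_timestamp = None
            settings.commit()
            return utils.jsonify(
                {
                    'error': ACME_ERROR,
                    'error_msg': ACME_ERROR_MSG,
                }, 400)
    elif update_cert:
        logger.info('Regenerating server certificate...', 'handler')
        utils.create_server_cert()
        app.update_server(0.5)
    elif update_server:
        app.update_server(0.5)

    response = flask.g.administrator.dict()
    response.update(_dict())
    return utils.jsonify(response)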
def settings_put():
    if settings.app.demo_mode:
        return utils.demo_blocked()

    org_event = False
    admin_event = False
    admin = flask.g.administrator
    changes = set()

    settings_commit = False
    update_server = False
    update_acme = False
    update_cert = False

    if 'username' in flask.request.json and flask.request.json['username']:
        username = utils.filter_str(
            flask.request.json['username']).lower()
        if username != admin.username:
            changes.add('username')
        admin.username = username

    if 'password' in flask.request.json and flask.request.json['password']:
        password = flask.request.json['password']
        changes.add('password')
        admin.password = password

    if 'token' in flask.request.json and flask.request.json['token']:
        admin.generate_token()
        changes.add('token')

    if 'secret' in flask.request.json and flask.request.json['secret']:
        admin.generate_secret()
        changes.add('token')

    if 'server_cert' in flask.request.json:
        settings_commit = True
        server_cert = flask.request.json['server_cert']
        if server_cert:
            server_cert = server_cert.strip()
        else:
            server_cert = None

        if server_cert != settings.app.server_cert:
            update_server = True

        settings.app.server_cert = server_cert

    if 'server_key' in flask.request.json:
        settings_commit = True
        server_key = flask.request.json['server_key']
        if server_key:
            server_key = server_key.strip()
        else:
            server_key = None

        if server_key != settings.app.server_key:
            update_server = True

        settings.app.server_key = server_key

    if 'server_port' in flask.request.json:
        settings_commit = True

        server_port = flask.request.json['server_port']
        if not server_port:
            server_port = 443

        try:
            server_port = int(server_port)
            if server_port < 1 or server_port > 65535:
                raise ValueError('Port invalid')
        except ValueError:
            return utils.jsonify({
                'error': PORT_INVALID,
                'error_msg': PORT_INVALID_MSG,
            }, 400)

        if settings.app.redirect_server and server_port == 80:
            return utils.jsonify({
                'error': PORT_RESERVED,
                'error_msg': PORT_RESERVED_MSG,
            }, 400)

        if server_port != settings.app.server_port:
            update_server = True

        settings.app.server_port = server_port

    if 'acme_domain' in flask.request.json:
        settings_commit = True

        acme_domain = utils.filter_str(
            flask.request.json['acme_domain'] or None)
        if acme_domain:
            acme_domain = acme_domain.replace('https://', '')
            acme_domain = acme_domain.replace('http://', '')
            acme_domain = acme_domain.replace('/', '')

        if acme_domain != settings.app.acme_domain:
            if not acme_domain:
                settings.app.acme_key = None
                settings.app.acme_timestamp = None
                settings.app.server_key = None
                settings.app.server_cert = None
                update_server = True
                update_cert = True
            else:
                update_acme = True
        settings.app.acme_domain = acme_domain

    if 'auditing' in flask.request.json:
        settings_commit = True
        auditing = flask.request.json['auditing'] or None

        if settings.app.auditing != auditing:
            if not flask.g.administrator.super_user:
                return utils.jsonify({
                    'error': REQUIRES_SUPER_USER,
                    'error_msg': REQUIRES_SUPER_USER_MSG,
                }, 400)
            admin_event = True
            org_event = True

        settings.app.auditing = auditing

    if 'monitoring' in flask.request.json:
        settings_commit = True
        monitoring = flask.request.json['monitoring'] or None
        settings.app.monitoring = monitoring

    if 'influxdb_uri' in flask.request.json:
        settings_commit = True
        influxdb_uri = flask.request.json['influxdb_uri'] or None
        settings.app.influxdb_uri = influxdb_uri

    if 'email_from' in flask.request.json:
        settings_commit = True
        email_from = flask.request.json['email_from'] or None
        if email_from != settings.app.email_from:
            changes.add('smtp')
        settings.app.email_from = email_from

    if 'email_server' in flask.request.json:
        settings_commit = True
        email_server = flask.request.json['email_server'] or None
        if email_server != settings.app.email_server:
            changes.add('smtp')
        settings.app.email_server = email_server

    if 'email_username' in flask.request.json:
        settings_commit = True
        email_username = flask.request.json['email_username'] or None
        if email_username != settings.app.email_username:
            changes.add('smtp')
        settings.app.email_username = email_username

    if 'email_password' in flask.request.json:
        settings_commit = True
        email_password = flask.request.json['email_password'] or None
        if email_password != settings.app.email_password:
            changes.add('smtp')
        settings.app.email_password = email_password

    if 'pin_mode' in flask.request.json:
        settings_commit = True
        pin_mode = flask.request.json['pin_mode'] or None
        if pin_mode != settings.user.pin_mode:
            changes.add('pin_mode')
        settings.user.pin_mode = pin_mode

    if 'sso' in flask.request.json:
        org_event = True
        settings_commit = True
        sso = flask.request.json['sso'] or None
        if sso != settings.app.sso:
            changes.add('sso')
        settings.app.sso = sso

    if 'sso_match' in flask.request.json:
        settings_commit = True
        sso_match = flask.request.json['sso_match'] or None

        if sso_match != settings.app.sso_match:
            changes.add('sso')

        if isinstance(sso_match, list):
            settings.app.sso_match = sso_match
        else:
            settings.app.sso_match = None

    if 'sso_duo_token' in flask.request.json:
        settings_commit = True
        sso_duo_token = flask.request.json['sso_duo_token'] or None
        if sso_duo_token != settings.app.sso_duo_token:
            changes.add('sso')
        settings.app.sso_duo_token = sso_duo_token

    if 'sso_duo_secret' in flask.request.json:
        settings_commit = True
        sso_duo_secret = flask.request.json['sso_duo_secret'] or None
        if sso_duo_secret != settings.app.sso_duo_secret:
            changes.add('sso')
        settings.app.sso_duo_secret = sso_duo_secret

    if 'sso_duo_host' in flask.request.json:
        settings_commit = True
        sso_duo_host = flask.request.json['sso_duo_host'] or None
        if sso_duo_host != settings.app.sso_duo_host:
            changes.add('sso')
        settings.app.sso_duo_host = sso_duo_host

    if 'sso_duo_mode' in flask.request.json:
        settings_commit = True
        sso_duo_mode = flask.request.json['sso_duo_mode'] or None
        if sso_duo_mode != settings.app.sso_duo_mode:
            changes.add('sso')
        settings.app.sso_duo_mode = sso_duo_mode

    if 'sso_radius_secret' in flask.request.json:
        settings_commit = True
        sso_radius_secret = flask.request.json['sso_radius_secret'] or None
        if sso_radius_secret != settings.app.sso_radius_secret:
            changes.add('sso')
        settings.app.sso_radius_secret = sso_radius_secret

    if 'sso_radius_host' in flask.request.json:
        settings_commit = True
        sso_radius_host = flask.request.json['sso_radius_host'] or None
        if sso_radius_host != settings.app.sso_radius_host:
            changes.add('sso')
        settings.app.sso_radius_host = sso_radius_host

    if 'sso_org' in flask.request.json:
        settings_commit = True
        sso_org = flask.request.json['sso_org'] or None

        if sso_org:
            sso_org = utils.ObjectId(sso_org)
        else:
            sso_org = None

        if sso_org != settings.app.sso_org:
            changes.add('sso')

        if settings.app.sso and not sso_org:
            return utils.jsonify({
                'error': SSO_ORG_NULL,
                'error_msg': SSO_ORG_NULL_MSG,
            }, 400)

        settings.app.sso_org = sso_org

    if 'sso_saml_url' in flask.request.json:
        settings_commit = True
        sso_saml_url = flask.request.json['sso_saml_url'] or None
        if sso_saml_url != settings.app.sso_saml_url:
            changes.add('sso')
        settings.app.sso_saml_url = sso_saml_url

    if 'sso_saml_issuer_url' in flask.request.json:
        settings_commit = True
        sso_saml_issuer_url = flask.request.json['sso_saml_issuer_url'] or None
        if sso_saml_issuer_url != settings.app.sso_saml_issuer_url:
            changes.add('sso')
        settings.app.sso_saml_issuer_url = sso_saml_issuer_url

    if 'sso_saml_cert' in flask.request.json:
        settings_commit = True
        sso_saml_cert = flask.request.json['sso_saml_cert'] or None
        if sso_saml_cert != settings.app.sso_saml_cert:
            changes.add('sso')
        settings.app.sso_saml_cert = sso_saml_cert

    if 'sso_okta_token' in flask.request.json:
        settings_commit = True
        sso_okta_token = flask.request.json['sso_okta_token'] or None
        if sso_okta_token != settings.app.sso_okta_token:
            changes.add('sso')
        settings.app.sso_okta_token = sso_okta_token

    if 'sso_onelogin_id' in flask.request.json:
        settings_commit = True
        sso_onelogin_id = flask.request.json['sso_onelogin_id'] or None
        if sso_onelogin_id != settings.app.sso_onelogin_id:
            changes.add('sso')
        settings.app.sso_onelogin_id = sso_onelogin_id

    if 'sso_onelogin_secret' in flask.request.json:
        settings_commit = True
        sso_onelogin_secret = \
            flask.request.json['sso_onelogin_secret'] or None
        if sso_onelogin_secret != settings.app.sso_onelogin_secret:
            changes.add('sso')
        settings.app.sso_onelogin_secret = sso_onelogin_secret

    if 'sso_client_cache' in flask.request.json:
        settings_commit = True
        sso_client_cache = True if \
            flask.request.json['sso_client_cache'] else False
        if sso_client_cache != settings.app.sso_client_cache:
            changes.add('sso')
        settings.app.sso_client_cache = sso_client_cache

    if flask.request.json.get('theme'):
        settings_commit = True
        theme = 'light' if flask.request.json['theme'] == 'light' else 'dark'

        if theme != settings.app.theme:
            if theme == 'dark':
                event.Event(type=THEME_DARK)
            else:
                event.Event(type=THEME_LIGHT)

        settings.app.theme = theme

    if 'public_address' in flask.request.json:
        public_address = flask.request.json['public_address'] or None

        if public_address != settings.local.host.public_addr:
            settings.local.host.public_address = public_address
            settings.local.host.commit('public_address')

    if 'public_address6' in flask.request.json:
        public_address6 = flask.request.json['public_address6'] or None

        if public_address6 != settings.local.host.public_addr6:
            settings.local.host.public_address6 = public_address6
            settings.local.host.commit('public_address6')

    if 'routed_subnet6' in flask.request.json:
        routed_subnet6 = flask.request.json['routed_subnet6']
        if routed_subnet6:
            try:
                routed_subnet6 = ipaddress.IPv6Network(
                    flask.request.json['routed_subnet6'])
            except (ipaddress.AddressValueError, ValueError):
                return utils.jsonify({
                    'error': IPV6_SUBNET_INVALID,
                    'error_msg': IPV6_SUBNET_INVALID_MSG,
                }, 400)

            if routed_subnet6.prefixlen > 64:
                return utils.jsonify({
                    'error': IPV6_SUBNET_SIZE_INVALID,
                    'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG,
                }, 400)

            routed_subnet6 = str(routed_subnet6)
        else:
            routed_subnet6 = None

        if settings.local.host.routed_subnet6 != routed_subnet6:
            if server.get_online_ipv6_count():
                return utils.jsonify({
                    'error': IPV6_SUBNET_ONLINE,
                    'error_msg': IPV6_SUBNET_ONLINE_MSG,
                }, 400)
            settings.local.host.routed_subnet6 = routed_subnet6
            settings.local.host.commit('routed_subnet6')

    if 'reverse_proxy' in flask.request.json:
        settings_commit = True
        reverse_proxy = flask.request.json['reverse_proxy']
        settings.app.reverse_proxy = True if reverse_proxy else False

    if 'cloud_provider' in flask.request.json:
        settings_commit = True
        cloud_provider = flask.request.json['cloud_provider'] or None
        settings.app.cloud_provider = cloud_provider

    if 'route53_region' in flask.request.json:
        settings_commit = True
        settings.app.route53_region = utils.filter_str(
            flask.request.json['route53_region']) or None

    if 'route53_zone' in flask.request.json:
        settings_commit = True
        settings.app.route53_zone = utils.filter_str(
            flask.request.json['route53_zone']) or None

    for aws_key in (
                'us_east_1_access_key',
                'us_east_1_secret_key',
                'us_east_2_access_key',
                'us_east_2_secret_key',
                'us_west_1_access_key',
                'us_west_1_secret_key',
                'us_west_2_access_key',
                'us_west_2_secret_key',
                'eu_west_1_access_key',
                'eu_west_1_secret_key',
                'eu_central_1_access_key',
                'eu_central_1_secret_key',
                'ap_northeast_1_access_key',
                'ap_northeast_1_secret_key',
                'ap_northeast_2_access_key',
                'ap_northeast_2_secret_key',
                'ap_southeast_1_access_key',
                'ap_southeast_1_secret_key',
                'ap_southeast_2_access_key',
                'ap_southeast_2_secret_key',
                'ap_south_1_access_key',
                'ap_south_1_secret_key',
                'sa_east_1_access_key',
                'sa_east_1_secret_key',
            ):
        if aws_key in flask.request.json:
            settings_commit = True
            aws_value = flask.request.json[aws_key]

            if aws_value:
                setattr(settings.app, aws_key, utils.filter_str(aws_value))
            else:
                setattr(settings.app, aws_key, None)

    if not settings.app.sso:
        settings.app.sso_host = None
        settings.app.sso_token = None
        settings.app.sso_secret = None
        settings.app.sso_match = None
        settings.app.sso_duo_token = None
        settings.app.sso_duo_secret = None
        settings.app.sso_duo_host = None
        settings.app.sso_org = None
        settings.app.sso_saml_url = None
        settings.app.sso_saml_issuer_url = None
        settings.app.sso_saml_cert = None
        settings.app.sso_okta_token = None
        settings.app.sso_onelogin_key = None
        settings.app.sso_onelogin_id = None
        settings.app.sso_onelogin_secret = None
        settings.app.sso_radius_secret = None
        settings.app.sso_radius_host = None
    else:
        if RADIUS_AUTH in settings.app.sso and \
                settings.app.sso_duo_mode == 'passcode':
            return utils.jsonify({
                'error': RADIUS_DUO_PASSCODE,
                'error_msg': RADIUS_DUO_PASSCODE_MSG,
            }, 400)

        if settings.app.sso == DUO_AUTH and \
                settings.app.sso_duo_mode == 'passcode':
            return utils.jsonify({
                'error': DUO_PASSCODE,
                'error_msg': DUO_PASSCODE_MSG,
            }, 400)

    for change in changes:
        flask.g.administrator.audit_event(
            'admin_settings',
            _changes_audit_text[change],
            remote_addr=utils.get_remote_addr(),
        )

    if settings_commit:
        settings.commit()

    admin.commit(admin.changed)

    if admin_event:
        event.Event(type=ADMINS_UPDATED)

    if org_event:
        for org in organization.iter_orgs(fields=('_id')):
            event.Event(type=USERS_UPDATED, resource_id=org.id)

    event.Event(type=SETTINGS_UPDATED)

    if update_acme:
        try:
            acme.update_acme_cert()
            app.update_server(0.5)
        except:
            logger.exception('Failed to get LetsEncrypt cert', 'handler',
                acme_domain=settings.app.acme_domain,
            )
            settings.app.acme_domain = None
            settings.app.acme_key = None
            settings.app.acme_timestamp = None
            settings.commit()
            return utils.jsonify({
                'error': ACME_ERROR,
                'error_msg': ACME_ERROR_MSG,
            }, 400)
    elif update_cert:
        logger.info('Regenerating server certificate...', 'handler')
        utils.create_server_cert()
        app.update_server(0.5)
    elif update_server:
        app.update_server(0.5)

    response = flask.g.administrator.dict()
    response.update(_dict())
    return utils.jsonify(response)
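def settings_put():
    """Apply an administrator/settings update from the JSON request body.

    Every key in the body is optional and is applied only when present.  Most
    scalar settings are stored as ``None`` when the submitted value is falsy.
    Audit-relevant changes are collected as tags and written through
    ``auth.audit_event`` once every field has been applied.  ``settings.commit``
    runs only when some application/user setting was submitted; host-level
    values (public addresses, routed subnet) are committed on the host record
    individually; a ``SETTINGS_UPDATED`` event is emitted on every successful
    call.

    Returns:
        The demo-mode block response while demo mode is active; a 400 JSON
        error when the IPv6 routed subnet is malformed, longer than /64 or
        changed while IPv6 servers are online; otherwise a JSON document that
        merges the administrator's dict with the current settings values.
    """
    if settings.app.demo_mode:
        return utils.demo_blocked()

    body = flask.request.json
    admin = flask.g.administrator
    changes = set()
    org_event = False
    settings_commit = False

    def _submitted(key):
        # Identity/credential fields are applied only when present and non-empty.
        return key in body and body[key]

    def _apply_nullable(key, target, attr, tag=None):
        """Store ``body[key] or None`` on ``target.<attr>`` if the key was sent.

        Adds ``tag`` to ``changes`` when the stored value actually differs.
        Returns True when the key was present, i.e. a settings commit is due.
        """
        if key not in body:
            return False
        value = body[key] or None
        if tag is not None and value != getattr(target, attr):
            changes.add(tag)
        setattr(target, attr, value)
        return True

    if _submitted('username'):
        username = utils.filter_str(body['username']).lower()
        if username != admin.username:
            changes.add('username')
        admin.username = username

    if _submitted('password'):
        # Audited on every submission, not only when the value changes.
        changes.add('password')
        admin.password = body['password']

    if _submitted('token'):
        admin.generate_token()
        changes.add('token')

    if _submitted('secret'):
        admin.generate_secret()
        # NOTE(review): secret regeneration is recorded under the 'token'
        # audit text; a dedicated entry in _changes_audit_text may be wanted.
        changes.add('token')

    if 'auditing' in body:
        settings_commit = True
        auditing = body['auditing'] or None
        # NOTE(review): nothing restricts this change to super users, although
        # it toggles auditing for every organization — confirm intended.
        if settings.app.auditing != auditing:
            org_event = True
        settings.app.auditing = auditing

    # Plain nullable settings: (request key, target, attribute, audit tag).
    for key, target, attr, tag in (
        ('monitoring', settings.app, 'monitoring', None),
        ('datadog_api_key', settings.app, 'datadog_api_key', None),
        ('email_from', settings.app, 'email_from', 'smtp'),
        ('email_server', settings.app, 'email_server', 'smtp'),
        ('email_username', settings.app, 'email_username', 'smtp'),
        ('email_password', settings.app, 'email_password', 'smtp'),
        ('pin_mode', settings.user, 'pin_mode', 'pin_mode'),
    ):
        if _apply_nullable(key, target, attr, tag):
            settings_commit = True

    if 'sso' in body:
        # Switching the SSO provider affects every org's users, hence the event.
        org_event = True
        settings_commit = True
        sso = body['sso'] or None
        if sso != settings.app.sso:
            changes.add('sso')
        settings.app.sso = sso

    if 'sso_match' in body:
        settings_commit = True
        sso_match = body['sso_match'] or None
        if sso_match != settings.app.sso_match:
            changes.add('sso')
        # Only a list is accepted; any other non-empty value clears the match.
        settings.app.sso_match = (
            sso_match if isinstance(sso_match, list) else None)

    for key in ('sso_token', 'sso_secret', 'sso_host', 'sso_admin'):
        if _apply_nullable(key, settings.app, key, 'sso'):
            settings_commit = True

    if 'sso_org' in body:
        settings_commit = True
        sso_org = body['sso_org']
        # utils.ObjectId is left to raise on a malformed id, as before.
        sso_org = utils.ObjectId(sso_org) if sso_org else None
        if sso_org != settings.app.sso_org:
            changes.add('sso')
        settings.app.sso_org = sso_org

    for key in (
        'sso_saml_url',
        'sso_saml_issuer_url',
        'sso_saml_cert',
        'sso_okta_token',
        'sso_onelogin_key',
    ):
        if _apply_nullable(key, settings.app, key, 'sso'):
            settings_commit = True

    if 'theme' in body:
        settings_commit = True
        theme = 'dark' if body['theme'] == 'dark' else 'light'
        if theme != settings.app.theme:
            event.Event(type=THEME_DARK if theme == 'dark' else THEME_LIGHT)
        settings.app.theme = theme

    # Host-level addresses are stored verbatim (no falsy -> None mapping) and
    # committed on the host record directly rather than via settings.commit().
    for key in ('public_address', 'public_address6'):
        if key in body:
            setattr(settings.local.host, key, body[key])
            settings.local.host.commit(key)

    if 'routed_subnet6' in body:
        routed_subnet6 = body['routed_subnet6']
        if routed_subnet6:
            try:
                # Strict parsing: host bits set in the prefix raise ValueError.
                routed_subnet6 = ipaddress.IPv6Network(routed_subnet6)
            except (ipaddress.AddressValueError, ValueError):
                return utils.jsonify(
                    {
                        'error': IPV6_SUBNET_INVALID,
                        'error_msg': IPV6_SUBNET_INVALID_MSG,
                    }, 400)

            # Prefixes longer than /64 are rejected.
            if routed_subnet6.prefixlen > 64:
                return utils.jsonify(
                    {
                        'error': IPV6_SUBNET_SIZE_INVALID,
                        'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG,
                    }, 400)

            routed_subnet6 = str(routed_subnet6)
        else:
            routed_subnet6 = None

        if settings.local.host.routed_subnet6 != routed_subnet6:
            # Refuse to change the subnet while any IPv6 server is online.
            if server.get_online_ipv6_count():
                return utils.jsonify(
                    {
                        'error': IPV6_SUBNET_ONLINE,
                        'error_msg': IPV6_SUBNET_ONLINE_MSG,
                    }, 400)
            settings.local.host.routed_subnet6 = routed_subnet6
            settings.local.host.commit('routed_subnet6')

    # PEM material is stripped of surrounding whitespace; an empty value clears it.
    for key in ('server_cert', 'server_key'):
        if key in body:
            settings_commit = True
            value = body[key]
            setattr(settings.app, key, value.strip() if value else None)

    if not settings.app.sso:
        # With SSO disabled, drop every provider setting so no credential
        # lingers in the settings store.
        for attr in (
            'sso_match',
            'sso_token',
            'sso_secret',
            'sso_host',
            'sso_admin',
            'sso_org',
            'sso_saml_url',
            'sso_saml_issuer_url',
            'sso_saml_cert',
            'sso_okta_token',
            'sso_onelogin_key',
        ):
            setattr(settings.app, attr, None)

    for change in changes:
        auth.audit_event(
            'admin_settings',
            _changes_audit_text[change],
            remote_addr=utils.get_remote_addr(),
        )

    if settings_commit:
        settings.commit()

    admin.commit(admin.changed)

    if org_event:
        # ('_id',) — the original ('_id') was a bare string, not a tuple.
        for org in organization.iter_orgs(fields=('_id',)):
            event.Event(type=USERS_UPDATED, resource_id=org.id)

    event.Event(type=SETTINGS_UPDATED)

    # NOTE(review): sso_token, sso_secret, sso_okta_token, sso_onelogin_key and
    # datadog_api_key are echoed back verbatim while email_password is reduced
    # to a bool; consider masking the other credentials the same way.
    response = admin.dict()
    response.update({
        'theme': settings.app.theme,
        'auditing': settings.app.auditing,
        'monitoring': settings.app.monitoring,
        'datadog_api_key': settings.app.datadog_api_key,
        'email_from': settings.app.email_from,
        'email_server': settings.app.email_server,
        'email_username': settings.app.email_username,
        'email_password': bool(settings.app.email_password),
        'pin_mode': settings.user.pin_mode,
        'sso': settings.app.sso,
        'sso_match': settings.app.sso_match,
        'sso_token': settings.app.sso_token,
        'sso_secret': settings.app.sso_secret,
        'sso_host': settings.app.sso_host,
        'sso_admin': settings.app.sso_admin,
        'sso_org': settings.app.sso_org,
        'sso_saml_url': settings.app.sso_saml_url,
        'sso_saml_issuer_url': settings.app.sso_saml_issuer_url,
        'sso_saml_cert': settings.app.sso_saml_cert,
        'sso_okta_token': settings.app.sso_okta_token,
        'sso_onelogin_key': settings.app.sso_onelogin_key,
        'public_address': settings.local.host.public_addr,
    })
    return utils.jsonify(response)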
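def fill_user():
    """Top up each organization's pooled client/server users to the configured size.

    Counts the pooled users that already exist per (org, type), adds the pooled
    users still waiting in the queue, then creates the missing users with
    ``block=False``, interleaving the per-(org, type) batches round-robin.
    """
    collection = mongo.get_collection('users')
    queue_collection = mongo.get_collection('queue')

    pool_types = (CERT_CLIENT_POOL, CERT_SERVER_POOL)
    type_to_size = {
        CERT_CLIENT_POOL: settings.app.user_pool_size,
        CERT_SERVER_POOL: settings.app.server_user_pool_size,
    }

    orgs = {}
    orgs_count = utils.LeastCommonCounter()
    for org in organization.iter_orgs(type=None):
        orgs[org.id] = org
        # Seed every (org, type) pair so orgs with no pooled users are filled too.
        for user_type in pool_types:
            orgs_count[org.id, user_type] = 0

    def _add_counts(result):
        # Fold a $group result keyed by {org_id, type} into orgs_count.
        for pool in result:
            key = pool['_id']
            orgs_count[key['org_id'], key['type']] += pool['count']

    _add_counts(collection.aggregate([
        {'$match': {
            'type': {'$in': pool_types},
        }},
        {'$project': {
            'org_id': True,
            'type': True,
        }},
        {'$group': {
            '_id': {
                'org_id': '$org_id',
                'type': '$type',
            },
            'count': {'$sum': 1},
        }},
    ])['result'])

    # Users queued for pooled creation count toward the pool as well.
    _add_counts(queue_collection.aggregate([
        {'$match': {
            'type': 'init_user_pooled',
            'user_doc.type': {'$in': pool_types},
        }},
        {'$project': {
            'user_doc.org_id': True,
            'user_doc.type': True,
        }},
        {'$group': {
            '_id': {
                'org_id': '$user_doc.org_id',
                'type': '$user_doc.type',
            },
            'count': {'$sum': 1},
        }},
    ])['result'])

    new_users = []
    for (org_id, user_type), count in orgs_count.least_common():
        pool_size = type_to_size[user_type]

        if count >= pool_size:
            # Pool sizes differ per type, so one full pool says nothing about
            # the remaining entries: skip it instead of stopping the scan.
            continue

        org = orgs.get(org_id)
        if not org:
            logger.warning('Pooler cannot find org from user_count', 'pooler',
                org_id=org_id,
                user_type=user_type,
            )
            continue

        new_users.append([(org, user_type)] * (pool_size - count))

    for org, user_type in utils.roundrobin(*new_users):
        org.new_user(type=user_type, block=False)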
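def settings_put():
    """Apply an administrator/settings update from the JSON request body.

    Every key in the body is optional and is applied only when present.  Most
    scalar settings are stored as ``None`` when the submitted value is falsy.
    Audit-relevant changes are collected as tags and written through the
    administrator's ``audit_event`` once every field has been applied.
    ``settings.commit`` runs only when some application/user setting was
    submitted; host-level values (public addresses, routed subnet) are
    committed on the host record individually; a ``SETTINGS_UPDATED`` event is
    emitted on every successful call.

    Returns:
        The demo-mode block response while demo mode is active; a 400 JSON
        error when a non-super-user tries to change auditing, or when the IPv6
        routed subnet is malformed, longer than /64 or changed while IPv6
        servers are online; otherwise a JSON document that merges the
        administrator's dict with the current settings values.
    """
    if settings.app.demo_mode:
        return utils.demo_blocked()

    body = flask.request.json
    admin = flask.g.administrator
    changes = set()
    org_event = False
    settings_commit = False

    def _submitted(key):
        # Identity/credential fields are applied only when present and non-empty.
        return key in body and body[key]

    def _apply_nullable(key, target, attr, tag=None):
        """Store ``body[key] or None`` on ``target.<attr>`` if the key was sent.

        Adds ``tag`` to ``changes`` when the stored value actually differs.
        Returns True when the key was present, i.e. a settings commit is due.
        """
        if key not in body:
            return False
        value = body[key] or None
        if tag is not None and value != getattr(target, attr):
            changes.add(tag)
        setattr(target, attr, value)
        return True

    if _submitted('username'):
        username = utils.filter_str(body['username']).lower()
        if username != admin.username:
            changes.add('username')
        admin.username = username

    if _submitted('password'):
        # Audited on every submission, not only when the value changes.
        changes.add('password')
        admin.password = body['password']

    if _submitted('token'):
        admin.generate_token()
        changes.add('token')

    if _submitted('secret'):
        admin.generate_secret()
        # NOTE(review): secret regeneration is recorded under the 'token'
        # audit text; a dedicated entry in _changes_audit_text may be wanted.
        changes.add('token')

    if 'auditing' in body:
        settings_commit = True
        auditing = body['auditing'] or None
        if settings.app.auditing != auditing:
            # Only super users may toggle auditing.  Fields applied above have
            # already been set on ``admin`` in memory at this point, but
            # admin.commit has not run, so nothing is persisted on this path.
            if not admin.super_user:
                return utils.jsonify({
                    'error': REQUIRES_SUPER_USER,
                    'error_msg': REQUIRES_SUPER_USER_MSG,
                }, 400)
            org_event = True
        settings.app.auditing = auditing

    # Plain nullable settings: (request key, target, attribute, audit tag).
    for key, target, attr, tag in (
        ('monitoring', settings.app, 'monitoring', None),
        ('datadog_api_key', settings.app, 'datadog_api_key', None),
        ('email_from', settings.app, 'email_from', 'smtp'),
        ('email_server', settings.app, 'email_server', 'smtp'),
        ('email_username', settings.app, 'email_username', 'smtp'),
        ('email_password', settings.app, 'email_password', 'smtp'),
        ('pin_mode', settings.user, 'pin_mode', 'pin_mode'),
    ):
        if _apply_nullable(key, target, attr, tag):
            settings_commit = True

    if 'sso' in body:
        # Switching the SSO provider affects every org's users, hence the event.
        org_event = True
        settings_commit = True
        sso = body['sso'] or None
        if sso != settings.app.sso:
            changes.add('sso')
        settings.app.sso = sso

    if 'sso_match' in body:
        settings_commit = True
        sso_match = body['sso_match'] or None
        if sso_match != settings.app.sso_match:
            changes.add('sso')
        # Only a list is accepted; any other non-empty value clears the match.
        settings.app.sso_match = (
            sso_match if isinstance(sso_match, list) else None)

    for key in ('sso_token', 'sso_secret', 'sso_host', 'sso_admin'):
        if _apply_nullable(key, settings.app, key, 'sso'):
            settings_commit = True

    if 'sso_org' in body:
        settings_commit = True
        sso_org = body['sso_org']
        # utils.ObjectId is left to raise on a malformed id, as before.
        sso_org = utils.ObjectId(sso_org) if sso_org else None
        if sso_org != settings.app.sso_org:
            changes.add('sso')
        settings.app.sso_org = sso_org

    for key in (
        'sso_saml_url',
        'sso_saml_issuer_url',
        'sso_saml_cert',
        'sso_okta_token',
        'sso_onelogin_key',
    ):
        if _apply_nullable(key, settings.app, key, 'sso'):
            settings_commit = True

    if 'theme' in body:
        settings_commit = True
        theme = 'dark' if body['theme'] == 'dark' else 'light'
        if theme != settings.app.theme:
            event.Event(type=THEME_DARK if theme == 'dark' else THEME_LIGHT)
        settings.app.theme = theme

    # Host-level addresses are stored verbatim (no falsy -> None mapping) and
    # committed on the host record directly rather than via settings.commit().
    for key in ('public_address', 'public_address6'):
        if key in body:
            setattr(settings.local.host, key, body[key])
            settings.local.host.commit(key)

    if 'routed_subnet6' in body:
        routed_subnet6 = body['routed_subnet6']
        if routed_subnet6:
            try:
                # Strict parsing: host bits set in the prefix raise ValueError.
                routed_subnet6 = ipaddress.IPv6Network(routed_subnet6)
            except (ipaddress.AddressValueError, ValueError):
                return utils.jsonify({
                    'error': IPV6_SUBNET_INVALID,
                    'error_msg': IPV6_SUBNET_INVALID_MSG,
                }, 400)

            # Prefixes longer than /64 are rejected.
            if routed_subnet6.prefixlen > 64:
                return utils.jsonify({
                    'error': IPV6_SUBNET_SIZE_INVALID,
                    'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG,
                }, 400)

            routed_subnet6 = str(routed_subnet6)
        else:
            routed_subnet6 = None

        if settings.local.host.routed_subnet6 != routed_subnet6:
            # Refuse to change the subnet while any IPv6 server is online.
            if server.get_online_ipv6_count():
                return utils.jsonify({
                    'error': IPV6_SUBNET_ONLINE,
                    'error_msg': IPV6_SUBNET_ONLINE_MSG,
                }, 400)
            settings.local.host.routed_subnet6 = routed_subnet6
            settings.local.host.commit('routed_subnet6')

    # PEM material is stripped of surrounding whitespace; an empty value clears it.
    for key in ('server_cert', 'server_key'):
        if key in body:
            settings_commit = True
            value = body[key]
            setattr(settings.app, key, value.strip() if value else None)

    if not settings.app.sso:
        # With SSO disabled, drop every provider setting so no credential
        # lingers in the settings store.
        for attr in (
            'sso_match',
            'sso_token',
            'sso_secret',
            'sso_host',
            'sso_admin',
            'sso_org',
            'sso_saml_url',
            'sso_saml_issuer_url',
            'sso_saml_cert',
            'sso_okta_token',
            'sso_onelogin_key',
        ):
            setattr(settings.app, attr, None)

    for change in changes:
        admin.audit_event(
            'admin_settings',
            _changes_audit_text[change],
            remote_addr=utils.get_remote_addr(),
        )

    if settings_commit:
        settings.commit()

    admin.commit(admin.changed)

    if org_event:
        # ('_id',) — the original ('_id') was a bare string, not a tuple.
        for org in organization.iter_orgs(fields=('_id',)):
            event.Event(type=USERS_UPDATED, resource_id=org.id)

    event.Event(type=SETTINGS_UPDATED)

    # NOTE(review): sso_token, sso_secret, sso_okta_token, sso_onelogin_key and
    # datadog_api_key are echoed back verbatim while email_password is reduced
    # to a bool; consider masking the other credentials the same way.
    response = admin.dict()
    response.update({
        'theme': settings.app.theme,
        'auditing': settings.app.auditing,
        'monitoring': settings.app.monitoring,
        'datadog_api_key': settings.app.datadog_api_key,
        'email_from': settings.app.email_from,
        'email_server': settings.app.email_server,
        'email_username': settings.app.email_username,
        'email_password': bool(settings.app.email_password),
        'pin_mode': settings.user.pin_mode,
        'sso': settings.app.sso,
        'sso_match': settings.app.sso_match,
        'sso_token': settings.app.sso_token,
        'sso_secret': settings.app.sso_secret,
        'sso_host': settings.app.sso_host,
        'sso_admin': settings.app.sso_admin,
        'sso_org': settings.app.sso_org,
        'sso_saml_url': settings.app.sso_saml_url,
        'sso_saml_issuer_url': settings.app.sso_saml_issuer_url,
        'sso_saml_cert': settings.app.sso_saml_cert,
        'sso_okta_token': settings.app.sso_okta_token,
        'sso_onelogin_key': settings.app.sso_onelogin_key,
        'public_address': settings.local.host.public_addr,
    })
    return utils.jsonify(response)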
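# settings.app attributes whose PUT handling is identical: the posted value
# is stored as-is (falsy -> None) and a change is audited under one tag.
_SMTP_SETTING_KEYS = (
    "email_from",
    "email_server",
    "email_username",
    "email_password",
)

# Every SSO provider value; all of them are cleared when SSO is disabled.
_SSO_DEPENDENT_KEYS = (
    "sso_match",
    "sso_token",
    "sso_secret",
    "sso_host",
    "sso_admin",
    "sso_org",
    "sso_saml_url",
    "sso_saml_issuer_url",
    "sso_saml_cert",
    "sso_okta_token",
    "sso_onelogin_key",
)

# sso_match (list-only) and sso_org (ObjectId) need their own handling.
_SSO_SIMPLE_KEYS = tuple(
    key for key in _SSO_DEPENDENT_KEYS if key not in ("sso_match", "sso_org")
)


def _apply_app_setting(payload, key, change_tag, changes):
    """Copy ``payload[key]`` onto ``settings.app.<key>`` if the key was sent.

    Falsy values are normalised to ``None``. ``change_tag`` is added to
    ``changes`` only when the stored value actually differs, so the audit
    log records real changes rather than every PUT.

    Args:
        payload: The parsed JSON request body (a dict).
        key: Name of the JSON key, which is also the ``settings.app``
            attribute name.
        change_tag: Key of ``_changes_audit_text`` to record on change.
        changes: Set collecting the audit tags for this request.

    Returns:
        True when ``key`` was present in ``payload`` (the caller uses this to
        decide whether ``settings.commit()`` is needed), else False.
    """
    if key not in payload:
        return False
    value = payload[key] or None
    if value != getattr(settings.app, key):
        changes.add(change_tag)
    setattr(settings.app, key, value)
    return True


def settings_put():
    """Update administrator credentials and global application settings.

    Handler for ``PUT`` on the settings endpoint. Every key in the JSON body
    is optional and only the keys present are applied: credential fields go
    to the current administrator (``flask.g.administrator``), application
    wide values to ``settings.app`` and host-local values to
    ``settings.local.host``. Audited change categories are collected in
    ``changes`` and written through ``auth.audit_event`` before committing.

    Returns:
        ``utils.jsonify`` of the administrator document merged with the
        current settings values, or a 400 error response when
        ``routed_subnet6`` is invalid, longer than /64, or cannot be changed
        because IPv6 servers are online. In demo mode the request is refused
        via ``utils.demo_blocked()``.
    """
    if settings.app.demo_mode:
        return utils.demo_blocked()

    data = flask.request.json  # parsed once; every branch reads from it
    org_event = False
    admin = flask.g.administrator
    changes = set()

    # --- administrator credentials ------------------------------------
    if "username" in data and data["username"]:
        username = utils.filter_str(data["username"]).lower()
        if username != admin.username:
            changes.add("username")
        admin.username = username

    if "password" in data and data["password"]:
        password = data["password"]
        if password != admin.password:
            changes.add("password")
        admin.password = password

    if "token" in data and data["token"]:
        admin.generate_token()
        changes.add("token")

    if "secret" in data and data["secret"]:
        admin.generate_secret()
        # Audited under the "token" tag, same as token regeneration above;
        # presumably _changes_audit_text has no "secret" entry -- verify
        # before introducing one.
        changes.add("token")

    # --- application settings -----------------------------------------
    settings_commit = False

    if "auditing" in data:
        settings_commit = True
        auditing = data["auditing"] or None
        # Toggling auditing is not itself an audited change, but every
        # organization's users are notified further down.
        if settings.app.auditing != auditing:
            org_event = True
        settings.app.auditing = auditing

    for key in _SMTP_SETTING_KEYS:
        if _apply_app_setting(data, key, "smtp", changes):
            settings_commit = True

    if "sso" in data:
        # Any SSO mode change refreshes every organization's user list.
        org_event = True
        settings_commit = True
        _apply_app_setting(data, "sso", "sso", changes)

    if "sso_match" in data:
        settings_commit = True
        sso_match = data["sso_match"] or None
        if sso_match != settings.app.sso_match:
            changes.add("sso")
        # Only a list of match rules is accepted; anything else clears it.
        settings.app.sso_match = (
            sso_match if isinstance(sso_match, list) else None
        )

    if "sso_org" in data:
        settings_commit = True
        sso_org = data["sso_org"]
        # Stored as an ObjectId so it compares equal to the persisted value.
        sso_org = utils.ObjectId(sso_org) if sso_org else None
        if sso_org != settings.app.sso_org:
            changes.add("sso")
        settings.app.sso_org = sso_org

    for key in _SSO_SIMPLE_KEYS:
        if _apply_app_setting(data, key, "sso", changes):
            settings_commit = True

    if "theme" in data:
        settings_commit = True
        # Anything other than "dark" falls back to the light theme.
        theme = "dark" if data["theme"] == "dark" else "light"
        if theme != settings.app.theme:
            event.Event(type=THEME_DARK if theme == "dark" else THEME_LIGHT)
        settings.app.theme = theme

    # --- host-local settings (committed per field, not via settings) ---
    if "public_address" in data:
        settings.local.host.public_address = data["public_address"]
        settings.local.host.commit("public_address")

    if "public_address6" in data:
        settings.local.host.public_address6 = data["public_address6"]
        settings.local.host.commit("public_address6")

    if "routed_subnet6" in data:
        routed_subnet6 = data["routed_subnet6"]
        if routed_subnet6:
            try:
                routed_subnet6 = ipaddress.IPv6Network(routed_subnet6)
            except ValueError:
                # ipaddress.AddressValueError is a ValueError subclass.
                return utils.jsonify({
                    "error": IPV6_SUBNET_INVALID,
                    "error_msg": IPV6_SUBNET_INVALID_MSG,
                }, 400)

            # Prefixes longer than /64 are rejected.
            if routed_subnet6.prefixlen > 64:
                return utils.jsonify({
                    "error": IPV6_SUBNET_SIZE_INVALID,
                    "error_msg": IPV6_SUBNET_SIZE_INVALID_MSG,
                }, 400)

            # Persisted in canonical textual form.
            routed_subnet6 = str(routed_subnet6)
        else:
            routed_subnet6 = None

        if settings.local.host.routed_subnet6 != routed_subnet6:
            # Changing the routed subnet under a running IPv6 server is
            # refused rather than applied live.
            if server.get_online_ipv6_count():
                return utils.jsonify({
                    "error": IPV6_SUBNET_ONLINE,
                    "error_msg": IPV6_SUBNET_ONLINE_MSG,
                }, 400)
            settings.local.host.routed_subnet6 = routed_subnet6
            settings.local.host.commit("routed_subnet6")

    for key in ("server_cert", "server_key"):
        if key in data:
            settings_commit = True
            pem = data[key]
            # Whitespace around a pasted PEM block is stripped; an empty
            # value clears the setting.
            setattr(settings.app, key, pem.strip() if pem else None)

    # Disabling SSO wipes every provider-specific value so stale tokens and
    # keys are neither kept nor echoed back once the feature is off.
    if not settings.app.sso:
        for key in _SSO_DEPENDENT_KEYS:
            setattr(settings.app, key, None)

    for change in changes:
        auth.audit_event(
            "admin_settings",
            _changes_audit_text[change],
            remote_addr=utils.get_remote_addr(),
        )

    if settings_commit:
        settings.commit()

    admin.commit(admin.changed)

    if org_event:
        # fields must be a sequence of names; ("_id") is just the string
        # "_id", which would be iterated character by character.
        for org in organization.iter_orgs(fields=("_id",)):
            event.Event(type=USERS_UPDATED, resource_id=org.id)

    event.Event(type=SETTINGS_UPDATED)

    # NOTE(review): sso_secret, sso_token, sso_okta_token and
    # sso_onelogin_key are returned in clear text while email_password is
    # reduced to a bool. The settings UI may rely on seeing them, so the
    # shape is left unchanged, but this response carries credentials and
    # must stay confined to the administrator session it runs under.
    response = flask.g.administrator.dict()
    response.update({
        "theme": settings.app.theme,
        "auditing": settings.app.auditing,
        "email_from": settings.app.email_from,
        "email_server": settings.app.email_server,
        "email_username": settings.app.email_username,
        "email_password": bool(settings.app.email_password),
        "sso": settings.app.sso,
        "sso_match": settings.app.sso_match,
        "sso_token": settings.app.sso_token,
        "sso_secret": settings.app.sso_secret,
        "sso_host": settings.app.sso_host,
        "sso_admin": settings.app.sso_admin,
        "sso_org": settings.app.sso_org,
        "sso_saml_url": settings.app.sso_saml_url,
        "sso_saml_issuer_url": settings.app.sso_saml_issuer_url,
        "sso_saml_cert": settings.app.sso_saml_cert,
        "sso_okta_token": settings.app.sso_okta_token,
        "sso_onelogin_key": settings.app.sso_onelogin_key,
        "public_address": settings.local.host.public_addr,
    })
    return utils.jsonify(response)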
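def export_get():
    """Build a tar archive of the server data directory and return it.

    The archive holds the auth log, ``pritunl.db``, the server certificate
    and key, the version file, and for every organization and server the
    on-disk files reachable through their ``*_path`` attributes (CA and user
    certificates, keys and signing requests, DH parameters, IP pools).
    Empty ``TEMP_DIR`` entries are added so a restored tree has its temp
    directories in place. The archive is written under the data
    directory's temp path, read back into memory and deleted before
    returning.

    The archive contains private key material (server, CA and user keys);
    access control for this handler is applied outside this function,
    presumably by a route decorator -- verify.

    Returns:
        A ``flask.Response`` with the raw tar bytes as
        ``application/octet-stream`` and a ``Content-Disposition``
        attachment header carrying the timestamped archive name.
    """
    data_path = app_server.data_path
    temp_path = os.path.join(data_path, TEMP_DIR)
    empty_temp_path = os.path.join(temp_path, EMPTY_TEMP_DIR)
    data_archive_name = '%s_%s.tar' % (
        APP_NAME, time.strftime('%Y_%m_%d_%H_%M_%S', time.localtime()))
    data_archive_path = os.path.join(temp_path, data_archive_name)

    # An empty directory is added under each org/server path so the
    # restored tree gets its TEMP_DIR subdirectories back.
    if not os.path.exists(empty_temp_path):
        os.makedirs(empty_temp_path)

    tar_file = tarfile.open(data_archive_path, 'w')
    try:
        for name in (AUTH_LOG_NAME, 'pritunl.db', SERVER_CERT_NAME,
                     SERVER_KEY_NAME, VERSION_NAME):
            tar_add(tar_file, os.path.join(data_path, name))

        for org in organization.iter_orgs():
            tar_add(tar_file, org.get_path())
            tar_file.add(empty_temp_path,
                         arcname=os.path.relpath(
                             os.path.join(org.path, TEMP_DIR), data_path))

            for user in org.iter_users():
                for path in (user.reqs_path, user.key_path,
                             user.cert_path, user.get_path()):
                    tar_add(tar_file, path)

            ca_cert = org.ca_cert
            for path in (ca_cert.reqs_path, ca_cert.key_path,
                         ca_cert.cert_path, ca_cert.get_path()):
                tar_add(tar_file, path)

        for svr in server.iter_servers():
            for path in (svr.dh_param_path, svr.ip_pool_path,
                         svr.get_path(),
                         os.path.join(svr.path, NODE_SERVER)):
                tar_add(tar_file, path)
            tar_file.add(empty_temp_path,
                         arcname=os.path.relpath(
                             os.path.join(svr.path, TEMP_DIR), data_path))

        # Close (writing the tar trailer) before the file is read back.
        tar_file.close()

        # Binary mode: the archive must be returned byte-for-byte; text
        # mode would try to decode it on Python 3.
        with open(data_archive_path, 'rb') as archive_file:
            response = flask.Response(response=archive_file.read(),
                                      mimetype='application/octet-stream')
        response.headers.add(
            'Content-Disposition',
            'attachment; filename="%s"' % data_archive_name)
        return response
    finally:
        # close() is a no-op when the archive was already closed above; the
        # temporary archive is removed whether or not the export succeeded.
        try:
            tar_file.close()
        except OSError:
            pass
        try:
            os.remove(data_archive_path)
        except OSError:
            pass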
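def _tally_pool_counts(orgs_count, groups):
    """Add aggregated ``(org_id, type) -> count`` groups into ``orgs_count``.

    Args:
        orgs_count: ``utils.LeastCommonCounter`` keyed by ``(org_id, type)``.
        groups: Iterable of aggregation results shaped like
            ``{'_id': {'org_id': ..., 'type': ...}, 'count': int}``.
    """
    for group in groups:
        key = group['_id']
        orgs_count[key['org_id'], key['type']] += group['count']


def fill_user():
    """Top up every organization's pre-generated user pools.

    For each organization (``organization.iter_orgs(type=None)``) and each
    pool type (``CERT_CLIENT_POOL``, ``CERT_SERVER_POOL``) the number of
    pooled users already in the ``users`` collection plus those still
    queued as ``init_user_pooled`` in the ``queue`` collection is counted.
    Pools below their configured size (``settings.app.user_pool_size`` /
    ``settings.app.server_user_pool_size``) are refilled by calling
    ``org.new_user(type=..., block=False)``, interleaved across pools with
    ``utils.roundrobin`` so no single organization starves the others.
    Organizations that no longer exist are skipped.
    """
    collection = mongo.get_collection('users')
    queue_collection = mongo.get_collection('queue')

    orgs = {}
    orgs_count = utils.LeastCommonCounter()
    type_to_size = {
        CERT_CLIENT_POOL: settings.app.user_pool_size,
        CERT_SERVER_POOL: settings.app.server_user_pool_size,
    }

    # Seed every pool with 0 so organizations without pooled users still
    # show up in least_common() and get filled.
    for org in organization.iter_orgs(type=None):
        orgs[org.id] = org
        orgs_count[org.id, CERT_CLIENT_POOL] = 0
        orgs_count[org.id, CERT_SERVER_POOL] = 0

    pooled_users = collection.aggregate([
        {
            '$match': {
                'type': {
                    '$in': (CERT_CLIENT_POOL, CERT_SERVER_POOL)
                },
            }
        },
        {
            '$project': {
                'org_id': True,
                'type': True,
            }
        },
        {
            '$group': {
                '_id': {
                    'org_id': '$org_id',
                    'type': '$type',
                },
                'count': {
                    '$sum': 1
                },
            }
        },
    ])
    _tally_pool_counts(orgs_count, pooled_users)

    # Users whose creation is still queued count towards the pool too,
    # otherwise each run would queue the same users again.
    queued_users = queue_collection.aggregate([
        {
            '$match': {
                'type': 'init_user_pooled',
                'user_doc.type': {
                    '$in': (CERT_CLIENT_POOL, CERT_SERVER_POOL)
                },
            }
        },
        {
            '$project': {
                'user_doc.org_id': True,
                'user_doc.type': True,
            }
        },
        {
            '$group': {
                '_id': {
                    'org_id': '$user_doc.org_id',
                    'type': '$user_doc.type',
                },
                'count': {
                    '$sum': 1
                },
            }
        },
    ])
    _tally_pool_counts(orgs_count, queued_users)

    new_users = []

    # least_common() presumably yields the emptiest pools first -- confirm
    # against utils.LeastCommonCounter. The two pool types have different
    # target sizes, so a full small pool can precede a non-full large one;
    # every entry is therefore examined instead of stopping at the first
    # full pool.
    for org_id_user_type, count in orgs_count.least_common():
        org_id, user_type = org_id_user_type
        pool_size = type_to_size[user_type]

        if count >= pool_size:
            continue

        org = orgs.get(org_id)
        if not org:
            # Counts for an organization that was deleted since the seed
            # loop (stale pooled/queued users); nothing to fill.
            continue
        new_users.append([(org, user_type)] * (pool_size - count))

    # Interleave across pools so each organization gets users in turn.
    for org, user_type in utils.roundrobin(*new_users):
        org.new_user(type=user_type, block=False)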
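def export_get():
    """Return a tar archive of the server data directory as a download.

    Adds the auth log, ``pritunl.db``, the server certificate and key and
    the version file, then every organization's and server's on-disk files
    (org/CA/user certificates, keys and signing requests, DH parameters,
    IP pools, ``NODE_SERVER``), plus an empty ``TEMP_DIR`` entry per
    organization and server so the temp directories exist after a restore.
    The archive is created under the data directory's temp path, read back
    whole into memory and deleted again before the response is returned.

    The archive contains private key material (server, CA and user keys);
    access control for this handler is applied outside this function,
    presumably by a route decorator -- verify.

    Returns:
        ``flask.Response`` carrying the tar bytes as
        ``application/octet-stream`` with a ``Content-Disposition``
        attachment header naming the timestamped archive.
    """
    data_path = app_server.data_path
    temp_path = os.path.join(data_path, TEMP_DIR)
    empty_temp_path = os.path.join(temp_path, EMPTY_TEMP_DIR)
    data_archive_name = '%s_%s.tar' % (APP_NAME,
        time.strftime('%Y_%m_%d_%H_%M_%S', time.localtime()))
    data_archive_path = os.path.join(temp_path, data_archive_name)

    # Empty directory re-added under each org/server path so the restored
    # tree has its TEMP_DIR subdirectories.
    if not os.path.exists(empty_temp_path):
        os.makedirs(empty_temp_path)

    try:
        # The with-block closes the archive (writing the tar trailer)
        # before it is read back below.
        with tarfile.open(data_archive_path, 'w') as tar_file:
            def add(path):
                tar_add(tar_file, path)

            def add_temp_dir(parent_path):
                tar_file.add(empty_temp_path,
                    arcname=os.path.relpath(
                        os.path.join(parent_path, TEMP_DIR), data_path))

            add(os.path.join(data_path, AUTH_LOG_NAME))
            add(os.path.join(data_path, 'pritunl.db'))
            add(os.path.join(data_path, SERVER_CERT_NAME))
            add(os.path.join(data_path, SERVER_KEY_NAME))
            add(os.path.join(data_path, VERSION_NAME))

            for org in organization.iter_orgs():
                add(org.get_path())
                add_temp_dir(org.path)

                for user in org.iter_users():
                    add(user.reqs_path)
                    add(user.key_path)
                    add(user.cert_path)
                    add(user.get_path())

                add(org.ca_cert.reqs_path)
                add(org.ca_cert.key_path)
                add(org.ca_cert.cert_path)
                add(org.ca_cert.get_path())

            for svr in server.iter_servers():
                add(svr.dh_param_path)
                add(svr.ip_pool_path)
                add(svr.get_path())
                add(os.path.join(svr.path, NODE_SERVER))
                add_temp_dir(svr.path)

        # Binary mode: the tar must be returned byte-for-byte (text mode
        # would attempt to decode it on Python 3).
        with open(data_archive_path, 'rb') as archive_file:
            response = flask.Response(response=archive_file.read(),
                mimetype='application/octet-stream')
        response.headers.add('Content-Disposition',
            'attachment; filename="%s"' % data_archive_name)
        return response
    finally:
        # The temporary archive is removed whether or not the export
        # succeeded; a missing file is not an error here.
        try:
            os.remove(data_archive_path)
        except OSError:
            pass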
 def iter_orgs(self, fields=None):
     """Yield the organizations whose ids are listed in ``self.organizations``.

     Args:
         fields: Optional projection passed straight through to
             ``organization.iter_orgs``; ``None`` fetches full documents.

     Yields:
         Each organization object returned by ``organization.iter_orgs``
         for the ``_id`` membership query, in the order it produces them.
     """
     member_spec = {"_id": {"$in": self.organizations}}
     member_orgs = organization.iter_orgs(spec=member_spec, fields=fields)
     for member_org in member_orgs:
         yield member_org