def create_superuser(app: Flask) -> None:
print("create superuser...")
with app.app_context():
admin = User("admin", "*****@*****.**", stuff=True, superuser=True)
admin.set_password("admin")
db.session.add(admin)
db.session.commit()
def post(self):
hidden = self.request.get("hidden")
if hidden:
return self.redirect_to("temp")
else:
ime = self.request.get("firstname")
priimek = self.request.get("lastname")
email = self.request.get("email").strip()
naslov = self.request.get("address")
starost = self.request.get("age")
telefon = self.request.get("phone2")
kraj_tecaja = self.request.get("country")
kotizacija = self.request.get("sleepover")
prenosnik = self.request.get("prenosnik")
majica = self.request.get("majica")
if ime and priimek and email and naslov and starost and telefon and kraj_tecaja and kotizacija and prenosnik and majica:
user = User.get_by_email(email)
if not user:
# add to database
user = User.create(first_name=ime, last_name=priimek, email=email, address=naslov, dob=starost, phone_number=telefon)
add_user_to_course(user=user, kraj_tecaja=kraj_tecaja, kotizacija=float(kotizacija), prenosnik=prenosnik, majica=majica)
# send email
prijava_februar(ime, priimek, email, naslov, starost, telefon, kraj_tecaja, kotizacija, prenosnik, majica)
params = {"error": "Prijava oddana! :)"}
else:
params = {"error": "Prosim izpolni vsa polja"}
self.render_template("public/main2.html", params)
def setup():
# create admin user
if not User.query.count():
app.logger.info('No users found. Creating new admin user.')
admin = User(username='******',
password='******',
name='Administrative User',
has_access=True)
admin.hash_password()
db.session.add(admin)
db.session.add(
RadCheck(username='******',
attribute='Cleartext-Password',
op=':=',
value='freeradius@admin'))
db.session.commit()
# create default users groups
if not Group.query.count():
app.logger.info('No groups found. Creating default user group.')
db.session.add(Group(name='user', description='Default user group'))
# create default parameters for groups
db.session.add(
RadUserGroup(username='******', groupname='user', priority=1))
db.session.commit()
def app():
db_dir = tempfile.mkdtemp()
media_dir = tempfile.mkdtemp()
app = create_app({
"TESTTING":
True,
"SERVER_NAME":
"localhost.localdomain",
"SQLALCHEMY_DATABASE_URI":
"sqlite:////{}/db.sqlite".format(db_dir),
"UPLOAD_FOLDER":
media_dir,
})
with app.app_context():
db.create_all()
user = User("admin", "*****@*****.**", stuff=True, superuser=True)
user.set_password("admin")
db.session.add(user)
db.session.commit()
yield app
shutil.rmtree(db_dir)
shutil.rmtree(media_dir)
def dispatch(self):
csrf = None
csrf_cookie_value = self.request.cookies.get(
webclient_settings.COOKIE_CSRF_KEY)
if self.autoload_current_user:
from app.models.auth import User
User.set_current_user_from_auth_code(
self.request.cookies.get(webclient_settings.COOKIE_USER_KEY))
current_user = User.current_user()
current_user.set_taskqueue(
self.request.headers.get('X-AppEngine-QueueName', None) != None
) # https://developers.google.com/appengine/docs/python/taskqueue/overview-push#Python_Task_request_headers
current_user.set_cron(
self.request.headers.get('X-Appengine-Cron', None) != None
) # https://developers.google.com/appengine/docs/python/config/cron#Python_app_yaml_Securing_URLs_for_cron
csrf = current_user._csrf
if not csrf_cookie_value:
if csrf == None:
csrf = util.random_chars(32)
self.response.set_cookie(webclient_settings.COOKIE_CSRF_KEY, csrf)
try:
self.before()
super(Base, self).dispatch()
self.after()
finally:
# support our memcache wrapper lib temporary variables, and release them upon request complete
mem._local.__release_local__()
def post(self, user_id):
user = User.get_by_id(int(user_id))
first_name = self.request.get("first_name")
last_name = self.request.get("last_name")
address = self.request.get("address")
phone_number = self.request.get("phone_number")
User.update(user=user, first_name=first_name, last_name=last_name, address=address, phone_number=phone_number)
self.redirect_to("user-details", user_id=int(user_id))
def post(self, user_id):
user = User.get_by_id(int(user_id))
first_name = self.request.get("first_name")
last_name = self.request.get("last_name")
address = self.request.get("address")
phone_number = self.request.get("phone_number")
User.update(user=user, first_name=first_name, last_name=last_name, address=address, phone_number=phone_number)
self.redirect_to("user-details", user_id=int(user_id))
def save_info():
data = request.get_json(silent=True)
name = data.get('name')
roles = data.get('roles')
password = data.get('password')
with db.auto_commit():
User.save(name=name, roles=Role.list_items_by_uids(roles), password=password)
return Success()
def create_users(app: Flask) -> None:
print("create some fake users...")
with app.app_context():
for _ in range(10):
username = name()
user = User(username, "{}@{}.org".format(username, word()))
user.set_password("password")
db.session.add(user)
db.session.commit()
def create_superuser(username, email, password) -> None:
if not username or not email or not password:
click.echo("Failed.")
return
user = User(username, email, stuff=True, superuser=True)
user.set_password(password)
db.session.add(user)
db.session.commit()
click.echo("Created.")
def register():
form = RegisterForm(request.form)
if request.method == 'POST' and form.validate():
user = User()
user.set_attrs(form.data)
db.session.add(user)
db.session.commit()
# redirect 需要endpoint
return redirect(url_for('web.login'))
return render_template('signup.html', form=form)
def get(self):
current_user = users.get_current_user()
profile = User.query(User.email == str(current_user.email())).get()
if not profile:
profile = User()
profile.email = current_user.email()
profile.put()
params = {"profile": profile}
self.render_template("admin/profile.html", params)
def register():
form = RegisterForm(request.form)
if request.method == 'POST' and form.validate():
user = User()
user.email = form.email.data
user.password = form.password.data
db.session.add(user)
db.session.commit()
flash("注册成功")
return render_template('auth/register.html', form=form)
def new_user():
groups = Group.query.all()
form = UserForm()
form.group.choices = [(group.name, group.name) for group in groups]
if form.validate_on_submit():
user = User(username=form.username.data,
email=form.email.data,
password=form.password.data,
active=form.active.data,
name=form.name.data,
phone=form.phone.data,
address=form.address.data,
has_access=form.has_access.data)
user.hash_password()
db.session.add(user)
app.logger.debug('Creating new user %s', user.username)
db.session.add(
RadUserGroup(username=form.username.data,
groupname=form.group.data,
priority=0))
app.logger.debug(
'Creating relation user-group for user %s and group %s',
user.username, form.group.data)
db.session.add(
RadCheck(username=form.username.data,
attribute='Cleartext-Password',
op=':=',
value=form.password.data))
app.logger.debug('Creating Cleartext-Password user check')
if not form.active.data:
db.session.add(
RadCheck(username=form.username.data,
attribute='Auth-Type',
op=':=',
value='Reject'))
app.logger.debug(
'Creating Auth-Type Reject check for disabled user')
db.session.commit()
flash(_('New user added'), 'success')
return redirect(url_for('list_users'))
elif form.errors:
app.logger.debug('Create User form errors: %s', form.errors)
flash(_('Form has errors'), 'error')
return render_template('radius/user_form.html',
form=form,
form_errors=form.errors,
action='add')
def register():
if current_user.is_authenticated:
return redirect(url_for('main.index'))
form = RegistrationForm()
if form.validate_on_submit():
user = User(username=form.username.data, email=form.email.data)
user.set_password(form.password.data)
db.session.add(user)
db.session.commit()
flash('Congratulations, you are now a registered user!')
return redirect(url_for('main.login'))
return render_template('register.html', title='Register', form=form)
def get(self, **kwargs):
parser = reqparse.RequestParser()
parser.add_argument('username', required=True)
parser.add_argument('password', required=True)
args = parser.parse_args()
args = hash_pass(args)
user = User.from_sql('select * from User where username=?',
(args['username'], ))
if len(user) != 0:
return Response('Username already exist.', status=400)
user = User(**args)
user.save()
return {'status': 'OK'}
def deploy():
db.drop_all()
db.create_all()
users = [
{
'name': '*****@*****.**',
'password': '******'
},
]
roles = [
{
'name': 'admin'
},
]
with db.auto_commit():
for user in users:
User.save(**user)
for role in roles:
Role.save(**role)
for item in app.url_map.iter_rules():
if item.endpoint != 'static':
Permission.save(endpoint=item.endpoint)
with db.auto_commit():
admin_user = User.get_item_by_name(name='*****@*****.**')
admin_role = Role.get_item_by_name(name='admin')
admin_role.update(
permissions=[permission for permission in Permission.list_items()])
admin_user.update(roles=[admin_role])
with db.auto_commit():
# Zone.save(name='test')
zone = Zone.save(name='公网')
Zone.save(name='私有云', parent_uid=zone.uid)
Zone.save(name='公有云', parent_uid=zone.uid)
Zone.save(name='内网')
zone = Zone.query.filter(Zone.name == '公有云').first()
import json
with open('domain.txt') as f:
domain_list = json.loads(f.read())
with db.auto_commit():
for domain in domain_list:
Domain.save(zone_uid=zone.uid, **domain)
with open('host.txt') as f:
host_list = json.loads(f.read())
with db.auto_commit():
for host in host_list:
Host.save(zone_uid=zone.uid, **host)
with open('service.txt') as f:
service_list = json.loads(f.read())
with db.auto_commit():
for service in service_list:
Service.save(zone_uid=zone.uid, **service)
def post(self):
data = request.get_json() or {}
username = data.get("username")
password = data.get("password")
email = data.get("email")
if not username or not password or not email:
return invalid_api_usage("No username, password, email provided",
400)
if not check_password(password):
return invalid_api_usage("Invalid password", 400)
user = User(username, email)
user.set_password(password)
db.session.add(user)
db.session.commit()
return {"message": "success"}, 201
def activate():
data = request.get_json(silent=True)
uid = data.get('uid')
u = User.get_item_by_uid(uid, status=0)
with db.auto_commit():
u.activate()
return Success()
def get(self, user_id):
user = User.get_by_id(int(user_id))
admin = False
if user.email in ADMINS:
admin = True
params = {"this_user": user, "admin": admin}
self.render_template("admin/user_details.html", params)
def get_list():
uid = request.args.get('uid', '', type=str)
name = request.args.get('name', '', type=str)
status = request.args.get('status', 1, type=int)
users = User.list_items_by_search(uid=uid, name=name, status=status)
data = {
'pageSize': len(users),
'pageNo': 1,
'totalCount': len(users),
'data': [{
'uid': u.uid,
'name': u.name,
'status': u.status,
'roles': [r.uid for r in u.roles]
} for u in users],
'roles': [{
'uid': r.uid,
'name': r.name,
'permissions': [p.uid for p in r.permissions],
} for r in Role.list_items()],
'permissions': [{
'uid': p.uid,
'endpoint': p.endpoint
} for p in Permission.list_items()],
}
for u in data['data']:
u['permissions'] = set()
for r in data['roles']:
if r['uid'] in u['roles']:
for permission in r['permissions']:
u['permissions'].add(permission)
u['permissions'] = list(u['permissions'])
return Success(msg=data)
def remove():
data = request.get_json(silent=True)
uid = data.get('uid')
u = User.get_item_by_uid(uid)
with db.auto_commit():
u.remove()
return Success()
def get(self, user_id):
user = User.get_by_id(int(user_id))
admin = False
if user.email in ADMINS:
admin = True
params = {"this_user": user, "admin": admin}
self.render_template("admin/user_details.html", params)
def stuff_client(app: Flask):
client = app.test_client()
user = User("stuff", "*****@*****.**", stuff=True)
user.set_password("stuffpsw")
with app.app_context():
db.session.add(user)
db.session.commit()
res = client.post("/auth/token/login",
json={
"username": "******",
"password": "******",
})
assert res.is_json
token = res.get_json().get("token")
client.environ_base["HTTP_AUTHORIZATION"] = "Bearer {}".format(token)
return client
def signup_post():
email = request.form.get('email')
name = request.form.get('name')
password = request.form.get('password')
confirmation_password = request.form.get('confirmation_password')
if password != confirmation_password:
flash('Confirmation password mismatch. Please re-enter signup data.')
return redirect(url_for('auth.signup'))
user = User.query.filter_by(email=email).first()
if user: # if a user is found, we want to redirect back to signup page so user can try again
flash('Email address already exists')
return redirect(url_for('auth.signup'))
# create new user with the form data. Hash the password so plaintext version isn't saved.
new_user = User(email=email,
name=name,
password=generate_password_hash(password, method='sha256'))
# add the new user to the database
db.session.add(new_user)
db.session.commit()
app.logger.info('user %s created successfully', user.name)
return redirect(url_for('auth.login'))
def update_user_profile():
try:
payload = get_payload()
except jwt.exceptions.PyJWTError:
# TODO: explain the error more obviously
return format_response(data=None,
success=False,
message=_('You are not authorized'),
status_code=401)
user_id = payload['id']
connect_db()
user = g.db.execute(sa.select([User
]).where(User.c.id == user_id)).fetchone()
form = ProfileForm(context={'user': user}, partial=True)
data = form.load(request.json or {})
values_to_update = {'modified': sa.func.NOW()}
for key in data:
if key in ['username', 'name', 'email']:
values_to_update.update({key: data[key]})
elif key == 'password':
values_to_update.update(
{'password': generate_password_hash(data[key])})
transaction = g.db.begin()
g.db.execute(
User.update().values(**values_to_update).where(User.c.id == user_id))
transaction.commit()
return format_response(data=None)
def test_transfer_money_zero_balance(self, db_session: Session,
client: TestClient):
"""Перевод денежных средств, недостаточно стредст у пользователя"""
self._setup(db_session)
db_balance = db_session.query(Balance).first()
data_detail = self.add_money(db_session, client, db_balance.id)
db_balance = db_session.query(Balance).first()
assert db_balance.amount == 22
db_recipient_user = User(username='******', is_active=True)
db_session.add(db_recipient_user)
db_recipient_balance = Balance(user=db_recipient_user)
db_session.add(db_recipient_balance)
db_session.commit()
db_session.refresh(db_recipient_user)
db_session.refresh(db_recipient_balance)
url = f"/v1/balances/transfer/{db_balance.id}"
post_date = {'amount': 100, 'to_balance': db_recipient_balance.id}
response = client.put(url, json=post_date)
assert response.status_code == 400
assert response.json(
)['detail'] == f"Insufficient funds on the balance: {db_balance.id}"
self._teardown(db_session)
def test_user_roles():
user = User("test", "*****@*****.**")
assert user.get_roles() == "ordinary"
user.stuff = True
assert user.get_roles() == "stuff"
user.superuser = True
assert user.get_roles() == "admin"
def update_info():
data = request.get_json(silent=True)
uid = data.get('uid')
name = data.get('name')
roles = data.get('roles')
u = User.get_item_by_uid(uid=uid)
with db.auto_commit():
u.update(name=name, roles=Role.list_items_by_uids(roles))
return Success()
def get_token():
data = request.get_json(silent=True)
username = data.get('username')
password = data.get('password')
user = User.get_item_by_name(name=username)
if not user or not user.verify_password(password):
return AuthFailedException(msg='user or secret error')
return Success(msg={
'token': user.generate_api_auth_token(current_app.config['TOKEN_EXPIRATION'])
})
def _setup(self, db_session):
user = db_session.query(User).filter(User.id == 1).first()
if not user:
db_user = User(username='******', is_active=True)
db_session.add(db_user)
db_balance = Balance(user=db_user)
db_session.add(db_balance)
db_session.commit()
db_session.refresh(db_user)
db_session.refresh(db_balance)
def post(self):
hidden = self.request.get("hidden")
if hidden:
return self.redirect_to("temp")
else:
ime = self.request.get("firstname")
priimek = self.request.get("lastname")
email = self.request.get("email").strip()
naslov = self.request.get("address")
starost = self.request.get("age")
telefon = self.request.get("phone2")
kraj_tecaja = self.request.get("country")
kotizacija = self.request.get("sleepover")
prenosnik = self.request.get("prenosnik")
majica = self.request.get("majica")
if ime and priimek and email and naslov and starost and telefon and kraj_tecaja and kotizacija and prenosnik and majica:
user = User.get_by_email(email)
if not user:
# add to database
user = User.create(first_name=ime,
last_name=priimek,
email=email,
address=naslov,
dob=starost,
phone_number=telefon)
add_user_to_course(user=user,
kraj_tecaja=kraj_tecaja,
kotizacija=float(kotizacija),
prenosnik=prenosnik,
majica=majica)
# send email
prijava_februar(ime, priimek, email, naslov, starost, telefon,
kraj_tecaja, kotizacija, prenosnik, majica)
params = {"error": "Prijava oddana! :)"}
else:
params = {"error": "Prosim izpolni vsa polja"}
self.render_template("public/main2.html", params)
def login():
parser = reqparse.RequestParser()
parser.add_argument('username', required=True)
parser.add_argument('password', required=True)
args = parser.parse_args()
args = hash_pass(args)
user = User.get_login_user(username=args['username'],
password=args['password'])
if user is None:
return Response('wrong username or password', status=401)
else:
login_user(user)
return Response('', status=200)
def verify_password(username_or_auth_token, password):
if username_or_auth_token == "":
return False
if password == "":
g.current_user = User.verify_api_auth_token(username_or_auth_token)
g.token_used = True
return g.current_user is not None
user = User.query.filter(User.name == username_or_auth_token).first()
if not user:
return False
g.current_user = user
g.token_used = False
return user.verify_password(password)
def get(self):
users = User.query(User.deleted == False).fetch()
admins = []
students = []
for user in users:
if user.email in ADMINS:
admins.append(user)
else:
students.append(user)
params = {"admins": admins, "students": students}
self.render_template("admin/users_list.html", params)
def get(self):
users = User.query(User.deleted == False).fetch()
admins = []
students = []
for user in users:
if user.email in ADMINS:
admins.append(user)
else:
students.append(user)
params = {"admins": admins, "students": students}
self.render_template("admin/users_list.html", params)
def get(self, *args, **kwargs):
users = User.findall()
for user in users:
user['nickname'] = user['nickname'].decode('unicode-escape')
self.render('admin-users.html', users=users)
def deploy():
db.drop_all()
db.create_all()
# add user
user_info_list = [
{"name": "aaa", "department": "信息安全", "password": "******"},
]
User.insert_items(user_info_list)
# add role
role_info_list = [
{"name": "admin", "department": "特权"},
{"name": "role1", "department": "信息安全"},
{"name": "role2", "department": "信息安全"},
]
Role.insert_items(role_info_list)
# add permission
permission_info_list = [
{"name": "用户列表查看", "endpoint": "auth.user_list"},
{"name": "用户角色信息修改", "endpoint": "auth.user_update"},
{"name": "角色列表查看", "endpoint": "auth.role_list"},
{"name": "角色权限信息修改", "endpoint": "auth.role_update"},
{"name": "角色新增", "endpoint": "auth.role_new"},
{"name": "权限列表查看", "endpoint": "auth.permission_list"},
{"name": "主机资产查看", "endpoint": "assets.host_list"},
{"name": "主机资产信息修改", "endpoint": "assets.host_update"},
{"name": "服务资产查看", "endpoint": "assets.service_list"},
{"name": "服务资产信息修改", "endpoint": "assets.service_update"},
{"name": "域名资产查看", "endpoint": "assets.domain_list"},
{"name": "域名资产信息修改", "endpoint": "assets.domain_update"},
{"name": "任务列表查看", "endpoint": "tasks.task_list"},
{"name": "任务详情查看", "endpoint": "tasks.info"},
{"name": "Web应用列表查看", "endpoint": "web.application_list"},
{"name": "Web应用信息修改", "endpoint": "web.application_update"},
{"name": "Web应用报文列表查看", "endpoint": "web.package_list"},
{"name": "Web应用报文备注修改", "endpoint": "web.package_update"},
{"name": "Web应用报文详情", "endpoint": "web.package_info"},
{"name": "Web扫描插件信息查看", "endpoint": "web.plugin_list"},
{"name": "Web扫描插件信息修改", "endpoint": "web.plugin_update"},
{"name": "新增Web应用", "endpoint": "web.application_new"},
{"name": "新增Web扫描插件", "endpoint": "web.plugin_new"},
{"name": "api_token", "endpoint": "api_v_1_0.get_token"},
{"name": "api_host_list", "endpoint": "api_v_1_0.host_list"},
{"name": "api_host_add", "endpoint": "api_v_1_0.host_add"},
{"name": "api_host_delete", "endpoint": "api_v_1_0.host_delete"},
{"name": "api_service_list", "endpoint": "api_v_1_0.service_list"},
{"name": "api_domain_list", "endpoint": "api_v_1_0.domain_list"},
{"name": "api_domain_add", "endpoint": "api_v_1_0.domain_add"},
{"name": "api_domain_delete", "endpoint": "api_v_1_0.domain_delete"},
{"name": "api_task_list", "endpoint": "api_v_1_0.task_list"},
{"name": "api_application_list", "endpoint": "api_v_1_0.application_list"},
{"name": "api_package_list", "endpoint": "api_v_1_0.package_list"},
{"name": "api_plugin_list", "endpoint": "api_v_1_0.plugin_list"},
]
Permission.insert_items(permission_info_list)
# add auth relationship
admin_user = User.query.first()
admin_role = Role.query.first()
admin_user.update_role_by_id(delete_role_list=[], add_role_list=[admin_role.id])
admin_role.update_permission_by_id(delete_permission_list=[],
add_permission_list=[permission.id for permission in Permission.query.all()])
def post(self, user_id):
user = User.get_by_id(int(user_id))
if user.email not in ADMINS:
user.deleted = True
user.put()
self.redirect_to("users-list")
def get(self, user_id):
user = User.get_by_id(int(user_id))
params = {"this_user": user}
self.render_template("admin/user_edit.html", params)
