def profile():
    """Render the profile page for the logged-in (non-locked) user.

    The lock flag is the copy stored in the signed session cookie at
    login time, so it reflects the account as of the last login rather
    than the live database row. Missing display name / contact email are
    replaced with placeholder text so the template always has a value.
    """
    # security check
    if session['is_locked']:
        return error_permission_denied('Unable to view profile as account locked')

    # auth check: look the account up by the username carried in the session
    try:
        db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))
        account = db_users.get_item(session['username'])
    except CursorError as e:
        return error_internal(str(e))
    if not account:
        return error_internal('Invalid username query')

    # add defaults for the optional fields
    if not account.display_name:
        account.display_name = "Example Name"
    if not account.email:
        account.email = "*****@*****.**"

    return render_template('profile.html',
                           vendor_name=account.display_name,
                           contact_email=account.email,
                           pubkey=account.pubkey)
def userlist():
    """Render the list of all users; only the 'admin' account may view it.

    Authorisation is keyed on the username stored in the signed session
    cookie. Database failures are reported as error_internal.
    """
    if session['username'] != 'admin':
        return error_permission_denied('Unable to show userlist for non-admin user')

    try:
        db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))
        all_users = db_users.get_items()
    except CursorError as e:
        return error_internal(str(e))

    return render_template('userlist.html', users=all_users)
def usermod(username, key, value):
    """Set a single property (capability) on a user; only 'admin' may do this.

    A RuntimeError from set_property is treated as "unknown key" and
    reported as a permission error; a CursorError as an internal error.
    The change is written to the event log on success.
    """
    # security check
    if session['username'] != 'admin':
        return error_permission_denied('Unable to inc user as not admin')

    # NOTE(review): this view mutates state with no method check or CSRF
    # token visible here -- confirm the route decorator (outside this
    # view) restricts the method and that CSRF protection applies.
    try:
        db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))
        db_users.set_property(username, key, value)
    except CursorError as e:
        return error_internal(str(e))
    except RuntimeError:
        return error_permission_denied('Unable to change user as key invalid')

    # audit trail, then back to the list
    _event_log("Set %s=%s for user %s" % (key, value, username))
    return redirect(url_for('.userlist'))
def login():
    """Login page: GET renders the form, POST checks the credentials.

    The submitted password is run through _password_hash and the pair is
    looked up in the users database. Unknown user and wrong password get
    the same user-visible message. On success the session cookie (signed,
    not encrypted: its contents are readable by the client) is populated
    with the username and capability flags and flask-login's login_user
    is called without "remember me".
    """
    if request.method != 'POST':
        return render_template('login.html')

    # auth check
    password_hash = _password_hash(request.form['password'])
    form_username = request.form['username']
    try:
        db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))
        user = db_users.get_item(form_username, password_hash)
    except CursorError as e:
        return error_internal(str(e))

    # log failure: same flash for unknown user and bad password
    if not user:
        _event_log('Failed login attempt for %s' % form_username)
        flash('Incorrect username or password')
        return render_template('login.html')
    if not user.is_enabled:
        _event_log('Failed login attempt for %s (user disabled)' % form_username)
        flash('User account is disabled')
        return render_template('login.html')

    # this is signed, not encrypted; the flags are a snapshot taken now,
    # later changes to the database row are not reflected in the session
    session['username'] = user.username
    session['qa_capability'] = user.is_qa
    session['qa_group'] = user.qa_group
    session['is_locked'] = user.is_locked
    login_user(user, remember=False)

    # log success
    _event_log('Logged on')
    return redirect(url_for('.index'))
def user_delete(username):
    """Remove a user account; only 'admin' may do this.

    A missing user yields a redirect with status 400, success a redirect
    with status 201 (status codes kept as they were). NOTE(review): a
    non-3xx status on a redirect response is not followed by browsers,
    so the flashed message is only seen by clients that honour the
    Location header themselves. Nothing here stops 'admin' from deleting
    its own account.
    """
    # security check
    if session['username'] != 'admin':
        return error_permission_denied('Unable to remove user as not admin')

    db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))

    # check whether exists in database
    # NOTE(review): is_enabled() is used as the existence test here and in
    # useradd; if it returns False for a present-but-disabled account, that
    # account cannot be deleted through this view -- confirm its contract.
    try:
        present = db_users.is_enabled(username)
    except CursorError as e:
        return error_internal(str(e))
    if not present:
        flash("No entry with username %s" % username)
        return redirect(url_for('.userlist')), 400

    try:
        db_users.remove(username)
    except CursorError as e:
        return error_internal(str(e))

    _event_log("Deleted user %s" % username)
    flash('Deleted user')
    return redirect(url_for('.userlist')), 201
def load_user(user_id):
    """Fetch the user record for `user_id` (presumably the flask-login loader).

    Returns whatever LvfsDatabaseUsers.get_item returns; the other callers
    in this file treat a falsy result as "no such user". A CursorError is
    not caught here and propagates to the caller.
    """
    db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))
    return db_users.get_item(user_id)
def create_affidavit():
    """Build an Affidavit that can be used to sign files.

    The signing key uid is read from the users database; the keyring
    location is the module-level KEYRING_DIR. Database errors propagate.
    """
    db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))
    signing_uid = db_users.get_signing_uid()
    return Affidavit(signing_uid, KEYRING_DIR)
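def useradd():
    """Add a user [ADMIN ONLY].

    Expects a POST carrying password_new, username_new, qa_group, name and
    email; any other method redirects to the profile page. Validation
    failures redirect back to the user list; a duplicate username is a
    422. On success the creation is written to the event log.

    Fix: a CursorError from db_users.add() used to be swallowed
    (``#FIXME pass``), after which the view logged "Created user" and
    flashed success for an account that was never written. It is now
    reported as error_internal, like every other database failure here.
    """
    # only accept form data
    if request.method != 'POST':
        return redirect(url_for('.profile'))

    # security check
    if session['username'] != 'admin':
        return error_permission_denied('Unable to add user as non-admin')

    db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))

    # every field is mandatory; the same message is used for each
    for field in ('password_new', 'username_new', 'qa_group', 'name', 'email'):
        if field not in request.form:
            return error_permission_denied('Unable to add user an no data')

    # refuse a duplicate username
    # NOTE(review): is_enabled() is used as the existence test; a disabled
    # account with this username may pass this check and then fail in
    # add() -- confirm its contract.
    try:
        already_present = db_users.is_enabled(request.form['username_new'])
    except CursorError as e:
        return error_internal(str(e))
    if already_present:
        return error_internal('Already a entry with that username', 422)

    # verify password (the checker presumably flashes its own message)
    password = request.form['password_new']
    if not _password_check(password):
        return redirect(url_for('.userlist')), 302

    # verify email
    email = request.form['email']
    if not _email_check(email):
        return redirect(url_for('.userlist')), 302

    # verify qa_group
    qa_group = request.form['qa_group']
    if len(qa_group) < 3:
        flash('QA group invalid')
        return redirect(url_for('.userlist')), 302

    # verify name
    name = request.form['name']
    if len(name) < 3:
        flash('Name invalid')
        return redirect(url_for('.userlist')), 302

    # verify username
    username_new = request.form['username_new']
    if len(username_new) < 3:
        flash('Username invalid')
        return redirect(url_for('.userlist')), 302

    # NOTE(review): the raw password is handed to add(); confirm it stores
    # _password_hash(password), which is what login() compares against.
    try:
        db_users.add(username_new, password, name, email, qa_group)
    except CursorError as e:
        # a failed insert must not be reported as success
        return error_internal(str(e))

    _event_log("Created user %s" % username_new)
    flash('Added user')
    return redirect(url_for('.userlist')), 201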
def user_modify(username):
    """Change the current user's own password, name, email and GPG public key.

    Only a POST from the user named in the session is accepted, and only
    while the account is not locked. The existing password is verified
    against the database before anything is written. Validation failures
    redirect back to the profile page.
    """
    # only accept form data
    if request.method != 'POST':
        return redirect(url_for('.profile'))

    # security check: a user may only edit themselves, and not when locked
    if session['username'] != username:
        return error_permission_denied('Unable to modify a different user')
    if session['is_locked']:
        return error_permission_denied('Unable to change user as account locked')

    # check we got enough data
    for field in ('password_new', 'password_old', 'name', 'email'):
        if field not in request.form:
            return error_permission_denied('Unable to change user as no data')

    db_users = LvfsDatabaseUsers(LvfsDatabase(os.environ))

    # re-authenticate with the old password before changing anything
    try:
        old_password_ok = db_users.verify(session['username'], request.form['password_old'])
    except CursorError as e:
        return error_internal(str(e))
    if not old_password_ok:
        return error_internal('Incorrect existing password')

    # check password
    password = request.form['password_new']
    if not _password_check(password):
        return redirect(url_for('.profile')), 400

    # check email
    email = request.form['email']
    if not _email_check(email):
        return redirect(url_for('.profile'))

    # check pubkey: optional; only the ASCII-armour header is checked here,
    # the key material itself is not parsed or validated
    pubkey = request.form.get('pubkey', '')
    if pubkey and not pubkey.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        flash('Invalid GPG public key')
        return redirect(url_for('.profile')), 400

    # verify name
    name = request.form['name']
    if len(name) < 3:
        flash('Name invalid')
        return redirect(url_for('.profile')), 400

    try:
        db_users.update(session['username'], password, name, email, pubkey)
    except CursorError as e:
        return error_internal(str(e))

    _event_log('Changed password')
    flash('Updated profile')
    return redirect(url_for('.profile'))