From 34e57fe7af06358ee2f8afbb13d963f230bb7412 Mon Sep 17 00:00:00 2001 From: Terrtia Date: Wed, 19 Jun 2019 15:00:25 +0200 Subject: [PATCH] chg: [user_managemant] clean code + check password and email length --- bin/packages/User.py | 2 - var/www/Flask_server.py | 91 +++---------------- var/www/create_default_user.py | 45 +-------- var/www/modules/Flask_config.py | 4 - var/www/modules/Role_Manager.py | 33 +++++-- var/www/modules/settings/Flask_settings.py | 13 +-- .../settings/templates/create_user.html | 4 + .../settings/templates/users_list.html | 2 +- var/www/templates/change_password.html | 4 + var/www/templates/settings/menu_sidebar.html | 2 +- 10 files changed, 53 insertions(+), 147 deletions(-) diff --git a/bin/packages/User.py b/bin/packages/User.py index 5be7021d..cac5c688 100755 --- a/bin/packages/User.py +++ b/bin/packages/User.py @@ -44,10 +44,8 @@ class User(UserMixin): def check_password(self, password): password = password.encode() - print(self.id) hashed_password = self.r_serv_db.hget('user:all', self.id).encode() if bcrypt.checkpw(password, hashed_password): - print('password correct') return True else: return False diff --git a/var/www/Flask_server.py b/var/www/Flask_server.py index a66c5229..5990ff6b 100755 --- a/var/www/Flask_server.py +++ b/var/www/Flask_server.py @@ -1,6 +1,10 @@ #!/usr/bin/env python3 # -*-coding:UTF-8 -* +import os +import re +import sys + import redis import configparser import random @@ -15,10 +19,7 @@ import bcrypt import flask import importlib -import os -import re from os.path import join -import sys sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages/')) sys.path.append('./modules/') import Paste 
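Review bot: `check_password` still calls `.encode()` directly on the result of `hget('user:all', self.id)`, so a `User` whose id is absent from `user:all` raises `AttributeError` instead of returning False; removing the prints does not change that. A `None` guard keeps the boolean contract and also folds the `if/else` into one line: `hashed = self.r_serv_db.hget('user:all', self.id)` / `if hashed is None: return False` / `return bcrypt.checkpw(password, hashed.encode())`. This presumably only matters if a caller reaches it without going through `User.get` first, which is outside this hunk.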
@@ -31,52 +32,20 @@ from pytaxonomies import Taxonomies # Import config import Flask_config +# Import Role_Manager +from Role_Manager import create_user_db, check_password_strength + def flask_init(): - # check if an account exists - if not r_serv_db.exists('user:all'): - password = secrets.token_urlsafe() - create_user_db('admin@admin.test', password, role='admin',default=True) - # add default roles + # # TODO: move this to update + # role init if not r_serv_db.exists('ail:all_role'): r_serv_db.zadd('ail:all_role', 1, 'admin') r_serv_db.zadd('ail:all_role', 2, 'analyst') -def hashing_password(bytes_password): - hashed = bcrypt.hashpw(bytes_password, bcrypt.gensalt()) - return hashed - -def verify_password(id, bytes_password): - hashed_password = r_serv_db.hget('user:all', id) - if bcrypt.checkpw(password, hashed): - return True - else: - return False - -def check_password_strength(password): - result = regex_password.match(password) - if result: - return True - else: - return False - - -def create_user_db(username_id , password, default=False, role=None, update=False): - password = password.encode() - password_hash = hashing_password(password) - r_serv_db.hset('user:all', username_id, password_hash) - if update: - r_serv_db.hdel('user_metadata:{}'.format(username_id), 'change_passwd') - if username_id=='admin@admin.test': - os.remove(default_passwd_file) - else: - if default: - r_serv_db.hset('user_metadata:{}'.format(username_id), 'change_passwd', True) - if role: - if role in get_all_role(): - r_serv_db.sadd('user_role:{}'.format(role), username_id) - -def get_all_role(): - return r_serv_db.zrange('ail:all_role', 0 , -1) + # check if an account exists + if not r_serv_db.exists('user:all'): + password = secrets.token_urlsafe() + create_user_db('admin@admin.test', password, role='admin',default=True) # CONFIG # cfg = Flask_config.cfg 
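Review bot: The block moved to the end of `flask_init` creates the default admin with `secrets.token_urlsafe()` but never surfaces that password — unlike `create_default_user.py` in this same patch, nothing here writes it to the DEFAULT_PASSWORD file or logs it, so if this branch ever runs the account is created with `change_passwd` set and no way for anyone to log in. A later hunk in this file (`@@ -181,9 +145,6 @@`) also removes the `flask_init()` call, so as far as this diff shows the function is now never invoked. If the intent is that `create_default_user.py` is the only bootstrap path (the new `# # TODO: move this to update` comment suggests so), drop the account-creation block from `flask_init` or make it write the same file; either way the TODO should say which script owns bootstrap, e.g. `# role seeding only; the default admin account is created by create_default_user.py`.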
@@ -85,11 +54,6 @@ baseUrl = baseUrl.replace('/', '') if baseUrl != '': baseUrl = '/'+baseUrl -default_passwd_file = os.path.join(os.environ['AIL_HOME'], 'DEFAULT_PASSWORD') - -regex_password = r'^(?=(.*\d){2})(?=.*[a-z])(?=.*[A-Z]).{10,}$' -regex_password = re.compile(regex_password) - # ========= REDIS =========# r_serv_db = redis.StrictRedis( host=cfg.get("ARDB_DB", "host"), @@ -181,9 +145,6 @@ modified_header = modified_header.replace('', '\n'.join(to_add with open('templates/header.html', 'w') as f: f.write(modified_header) -flask_init() - - # ========= JINJA2 FUNCTIONS ======== def list_len(s): return len(s) @@ -213,7 +174,6 @@ def login(): user = User.get(username) if user and user.check_password(password): login_user(user) ## TODO: use remember me ? - print(user.is_active) if user.request_password_change(): return redirect(url_for('change_password')) else: @@ -245,37 +205,12 @@ def change_password(): else: return render_template("change_password.html") -@app.route('/role', methods=['POST', 'GET']) -def role(): - return 'ERROR role' - @app.route('/logout') @login_required def logout(): logout_user() return redirect(url_for('login')) -@app.route('/create_user') -@login_required -def create_user(): - username = request.form.get('username') - password = request.form.get('password') - #role = request.form.get('role') ## TODO: create role - - ## TODO: validate username - ## TODO: validate password - - username = 'admin@admin.test' - password = 'admin' - - if r_serv_db.hexists('user:all', username): - return 'this id is not available' - - create_user_db(username, password) - - return 'True' - - @app.route('/searchbox/') def searchbox(): return render_template("searchbox.html") diff --git a/var/www/create_default_user.py b/var/www/create_default_user.py index 1dcc9aed..9391af56 100755 --- a/var/www/create_default_user.py +++ b/var/www/create_default_user.py 
@@ -3,60 +3,21 @@ import os import sys -import redis -import configparser -import bcrypt import secrets -# Import config +sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages/')) sys.path.append('./modules/') -def get_all_role(): - return r_serv_db.zrange('ail:all_role', 0 , -1) +from Role_Manager import create_user_db, get_default_admin_token -def hashing_password(bytes_password): - hashed = bcrypt.hashpw(bytes_password, bcrypt.gensalt()) - return hashed - -def create_user_db(username_id , password, default=False, role=None, update=False): - password = password.encode() - password_hash = hashing_password(password) - r_serv_db.hset('user:all', username_id, password_hash) - if update: - r_serv_db.hdel('user_metadata:{}'.format(username_id), 'change_passwd') - else: - if default: - r_serv_db.hset('user_metadata:{}'.format(username_id), 'change_passwd', True) - r_serv_db.hset('user_metadata:{}'.format(username_id), 'role', role) - if role: - if role in get_all_role(): - r_serv_db.sadd('user_role:{}'.format(role), username_id) if __name__ == "__main__": - configfile = os.path.join(os.environ['AIL_BIN'], 'packages/config.cfg') - if not os.path.exists(configfile): - raise Exception('Unable to find the configuration file. \ - Did you set environment variables? 
\ - Or activate the virtualenv.') - - cfg = configparser.ConfigParser() - cfg.read(configfile) - - r_serv_db = redis.StrictRedis( - host=cfg.get("ARDB_DB", "host"), - port=cfg.getint("ARDB_DB", "port"), - db=cfg.getint("ARDB_DB", "db"), - decode_responses=True) username = 'admin@admin.test' password = secrets.token_urlsafe() create_user_db(username, password, role='admin', default=True) - - # create user token - token = secrets.token_urlsafe(41) - r_serv_db.hset('user:tokens', token, username) - r_serv_db.hset('user_metadata:{}'.format(username), 'token', token) + token = get_default_admin_token() default_passwd_file = os.path.join(os.environ['AIL_HOME'], 'DEFAULT_PASSWORD') to_write_str = '# Password Generated by default\n# This file is deleted after the first login\n#\nemail=admin@admin.test\npassword=' diff --git a/var/www/modules/Flask_config.py b/var/www/modules/Flask_config.py index 2219824a..899a26b5 100644 --- a/var/www/modules/Flask_config.py +++ b/var/www/modules/Flask_config.py @@ -7,7 +7,6 @@ import configparser import redis import os -import re import sys # FLASK # @@ -176,9 +175,6 @@ max_dashboard_logs = int(cfg.get("Flask", "max_dashboard_logs")) crawler_enabled = cfg.getboolean("Crawler", "activate_crawler") -regex_password = r'^(?=(.*\d){2})(?=.*[a-z])(?=.*[A-Z]).{10,}$' -regex_password = re.compile(regex_password) - # VT try: from virusTotalKEYS import vt_key diff --git a/var/www/modules/Role_Manager.py b/var/www/modules/Role_Manager.py index 85440d57..aa524265 100644 --- a/var/www/modules/Role_Manager.py +++ b/var/www/modules/Role_Manager.py @@ -2,6 +2,7 @@ # -*-coding:UTF-8 -* import os +import re import redis import bcrypt import secrets 
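Review bot: `token = get_default_admin_token()` replaces the code that generated the token and stored it under `user:tokens` and `user_metadata:…`, but the `Role_Manager.py` hunk in this patch shows `get_default_admin_token` only reading `user_metadata:admin@admin.test` and returning `''` when nothing is there; unless `create_user_db` generates a token itself (its body is not fully visible here), the DEFAULT_PASSWORD file will be written with an empty token. An explicit check before the write would make that failure loud: `if not token: raise SystemExit('no API token stored for admin@admin.test')`. The write itself is past the end of this hunk, but since the file holds a plaintext password and token it should be created owner-only rather than with the process umask, e.g. `fd = os.open(default_passwd_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, 'w') as f:`.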
@@ -31,6 +32,15 @@ r_serv_db = redis.StrictRedis( db=cfg.getint("ARDB_DB", "db"), decode_responses=True) +default_passwd_file = os.path.join(os.environ['AIL_HOME'], 'DEFAULT_PASSWORD') + +regex_password = r'^(?=(.*\d){2})(?=.*[a-z])(?=.*[A-Z]).{10,100}$' +regex_password = re.compile(regex_password) + +############################################################### +############### CHECK ROLE ACCESS ################## +############################################################### + def login_admin(func): @wraps(func) def decorated_view(*args, **kwargs): @@ -57,7 +67,11 @@ def login_analyst(func): ############################################################### ############################################################### - +def get_default_admin_token(): + if r_serv_db.exists('user_metadata:admin@admin.test'): + return r_serv_db.hget('user_metadata:admin@admin.test', 'token') + else: + return '' def create_user_db(username_id , password, default=False, role=None, update=False): password = password.encode() @@ -70,6 +84,9 @@ def create_user_db(username_id , password, default=False, role=None, update=Fals if update: r_serv_db.hdel('user_metadata:{}'.format(username_id), 'change_passwd') + # remove default user password file + if username_id=='admin@admin.test': + os.remove(default_passwd_file) else: if default: r_serv_db.hset('user_metadata:{}'.format(username_id), 'change_passwd', True) 
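Review bot: The new `{10,100}` upper bound in `regex_password` deserves a comment, because `hashing_password` in this file uses bcrypt, which only hashes the first 72 bytes of its input: two passwords sharing a 72-byte prefix produce the same hash, and a 100-character password containing multi-byte characters passes that limit well before the regex rejects it. The cap is still useful as a bound on hashing work, so keep it but say why, e.g. `# 100 chars bounds hashing work; bcrypt itself only uses the first 72 bytes`. Note also that `.` never matches a newline while `$` accepts one trailing newline, so a value ending in `\n` is accepted by this pattern; `regex_password.fullmatch(password)` or `\Z` in place of `$` closes that gap if form input can carry line endings.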
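Review bot: `os.remove(default_passwd_file)` in the `update` branch raises `FileNotFoundError` whenever the file is already gone — the admin changed the password a second time, the file was removed by hand, or the account was created by `flask_init` in `Flask_server.py`, which never writes it — and it does so after `hset` has already stored the new hash, so the caller gets an exception for an update that actually succeeded. Wrap it so a missing file is not an error: `try: os.remove(default_passwd_file)` / `except FileNotFoundError: pass`, with a short comment that the file is one-shot. `create_user_db` starts before and continues after this hunk.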
@@ -93,22 +110,17 @@ def edit_user_db(user_id, role, password=None): if current_role < request_level: role_to_remove = get_user_role_by_range(current_role -1, request_level - 2) - print('to remove') - print(role_to_remove) for role_id in role_to_remove: r_serv_db.srem('user_role:{}'.format(role_id), user_id) r_serv_db.hset('user_metadata:{}'.format(user_id), 'role', role) else: role_to_add = get_user_role_by_range(request_level -1, current_role) - print('to add') - print(role_to_add) for role_id in role_to_add: r_serv_db.sadd('user_role:{}'.format(role_id), user_id) r_serv_db.hset('user_metadata:{}'.format(user_id), 'role', role) def delete_user_db(user_id): if r_serv_db.exists('user_metadata:{}'.format(user_id)): - print('r') role_to_remove =get_all_role() for role_id in role_to_remove: r_serv_db.srem('user_role:{}'.format(role_id), user_id) @@ -121,6 +133,13 @@ def hashing_password(bytes_password): hashed = bcrypt.hashpw(bytes_password, bcrypt.gensalt()) return hashed +def check_password_strength(password): + result = regex_password.match(password) + if result: + return True + else: + return False + def get_all_role(): return r_serv_db.zrange('ail:all_role', 0, -1) @@ -132,6 +151,4 @@ def get_all_user_role(user_role): return r_serv_db.zrange('ail:all_role', current_role_val -1, -1) def get_user_role_by_range(inf, sup): - print(inf) - print(sup) return r_serv_db.zrange('ail:all_role', inf, sup) diff --git a/var/www/modules/settings/Flask_settings.py b/var/www/modules/settings/Flask_settings.py index 683d5b01..8a5fb776 100644 --- a/var/www/modules/settings/Flask_settings.py +++ b/var/www/modules/settings/Flask_settings.py 
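Review bot: `check_password_strength` is moved in verbatim and still returns through an `if/else` on the match object; `return regex_password.match(password) is not None` states the same predicate in one line. The argument also comes from request form values in `Flask_settings.py`, and `regex_password.match(None)` raises `TypeError`, so a leading `if not isinstance(password, str): return False` keeps the function total if any caller passes the raw form value without a truthiness check first. A one-line docstring spelling out the policy the lookaheads encode (at least two digits, one lowercase and one uppercase letter, 10–100 characters) would spare the next reader from decoding the regex.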
@@ -7,7 +7,7 @@ from flask import Flask, render_template, jsonify, request, Blueprint, redirect, url_for from flask_login import login_required, current_user -from Role_Manager import login_admin, login_analyst, create_user_db, edit_user_db, delete_user_db +from Role_Manager import login_admin, login_analyst, create_user_db, edit_user_db, delete_user_db, check_password_strength import json import secrets @@ -26,7 +26,6 @@ max_preview_char = Flask_config.max_preview_char max_preview_modal = Flask_config.max_preview_modal REPO_ORIGIN = Flask_config.REPO_ORIGIN dict_update_description = Flask_config.dict_update_description -regex_password = Flask_config.regex_password settings = Blueprint('settings', __name__, template_folder='templates') @@ -36,13 +35,6 @@ settings = Blueprint('settings', __name__, template_folder='templates') def one(): return 1 -def check_password_strength(password): - result = regex_password.match(password) - if result: - return True - else: - return False - def generate_new_token(user_id): # create user token current_token = r_serv_db.hget('user_metadata:{}'.format(user_id), 'token') @@ -162,7 +154,7 @@ def create_user_post(): all_roles = get_all_roles() - if email and role: + if email and len(email)< 300 and role: if role in all_roles: # password set if password1 and password2: @@ -206,7 +198,6 @@ def users_list(): new_user_dict['email'] = new_user new_user_dict['edited'] = request.args.get('new_user_edited') new_user_dict['password'] = request.args.get('new_user_password') - print(new_user) return render_template("users_list.html", all_users=all_users, new_user=new_user_dict) @settings.route("/settings/edit_user", methods=['GET']) diff --git a/var/www/modules/settings/templates/create_user.html b/var/www/modules/settings/templates/create_user.html index 2a24094d..6da31be3 100644 --- a/var/www/modules/settings/templates/create_user.html +++ b/var/www/modules/settings/templates/create_user.html @@ -83,6 +83,10 @@ Digits: 0-9 2 +
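Review bot: `if email and len(email)< 300 and role:` hard-codes the limit and checks only length, and the spacing differs from the surrounding code. The value is nowhere documented (the templates in this patch advertise the 100-character password limit, nothing advertises 300 for emails), so it should be a named module constant, and because the email becomes part of Redis key names in `Role_Manager.create_user_db` (`'user_metadata:{}'.format(username_id)`) a minimal shape check before it is persisted is worth having too: `MAX_EMAIL_LENGTH = 254  # RFC 5321 practical limit` at module level and `if email and '@' in email and len(email) <= MAX_EMAIL_LENGTH and role:` here. `create_user_post` starts and ends outside this hunk.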
  • + Maximum length + 100 +
  • diff --git a/var/www/modules/settings/templates/users_list.html b/var/www/modules/settings/templates/users_list.html index d29dbb8e..ccf4003b 100644 --- a/var/www/modules/settings/templates/users_list.html +++ b/var/www/modules/settings/templates/users_list.html @@ -100,7 +100,7 @@ diff --git a/var/www/templates/change_password.html b/var/www/templates/change_password.html index 2107b7a1..e5f13a84 100644 --- a/var/www/templates/change_password.html +++ b/var/www/templates/change_password.html @@ -91,6 +91,10 @@ Digits: 0-9 2 +
  • + Maximum length + 100 +
  • diff --git a/var/www/templates/settings/menu_sidebar.html b/var/www/templates/settings/menu_sidebar.html index e7aa7a7f..f1af27d1 100644 --- a/var/www/templates/settings/menu_sidebar.html +++ b/var/www/templates/settings/menu_sidebar.html @@ -11,7 +11,7 @@