Skip to content
Snippets Groups Projects
module.py 66.4 KiB
Newer Older
#!/usr/bin/python
# -*- coding: UTF-8 -*-

from cStringIO import StringIO
from datetime import timedelta
from email.mime.text import MIMEText
from threading import Thread
from uuid import uuid4
Marco De Donno's avatar
Marco De Donno committed
import cPickle
from flask import Flask
from flask import jsonify
from flask import render_template, send_from_directory 
from flask import request
from flask import send_file
from flask import session
from flask import url_for
from flask_compress import Compress
from flask_session import Session
from pyotp import random_base32
from werkzeug import abort, redirect
import gnupg
import psycopg2
Marco De Donno's avatar
Marco De Donno committed
import pyotp
import webauthn
Marco De Donno's avatar
Marco De Donno committed
from functions import float_or_null
from functions import pbkdf2, AESCipher
Marco De Donno's avatar
Marco De Donno committed
from functions import pil2buffer
from functions import random_data
from functions import render_jinja_html
from functions import rotate_image_upon_exif
import config
Image.MAX_IMAGE_PIXELS = 1 * 1024 * 1024 * 1024

################################################################################

app = Flask( __name__ )
app.config.from_pyfile( 'config.py' )

Compress( app )
Session( app )

debug = os.environ.get( "DEBUG", False )
baseurl = os.environ.get( "BASEURL", "" )

################################################################################
def session_field_required( field, value ):
    def decorator( func ):
        @functools.wraps( func )
        def wrapper_login_required( *args, **kwargs ):
            if not field in session:
                return redirect( url_for( "login" ) )
            
            elif not session.get( field ) == value:
                return redirect( url_for( "login" ) )
            
            return func( *args, **kwargs )
    
        return wrapper_login_required
    
    return decorator

def login_required( func ):
    @functools.wraps( func )
    def wrapper_login_required( *args, **kwargs ):
        if not session.get( 'logged', False ) :
            session[ 'after' ] = request.full_path
            return redirect( url_for( "login", after = True ) )
        
        return func( *args, **kwargs )

    return wrapper_login_required

def referer_required( func ):
    @functools.wraps( func )
    def wrapper_login_required( *args, **kwargs ):
        if not request.headers.get( "Referer", False ):
            return "referrer needed", 404
        
        return func( *args, **kwargs )

    return wrapper_login_required

def admin_required( func ):
    @functools.wraps( func )
    def wrapper_login_required( *args, **kwargs ):
        if not session.get( 'logged', False ) or not session.get( 'account_type', None ) == 1:
            return redirect( url_for( "login" ) )
        
        return func( *args, **kwargs )

    return wrapper_login_required

def redis_cache( ttl = 3600 ):
    def decorator( func ):
        @functools.wraps( func )
        def wrapper_cache( *args, **kwargs ):
            lst = []
            lst.append( func.__name__ )
            lst.extend( args )
            index = "_".join( lst )
            index = hashlib.sha256( index ).hexdigest()
            
            d = config.redis_shared.get( index )
            
            if d != None:
                buff = StringIO()
                buff.write( base64.b64decode( d ) )
                buff.seek( 0 )
                
Marco De Donno's avatar
Marco De Donno committed
                return cPickle.load( buff )
Marco De Donno's avatar
Marco De Donno committed
                cPickle.dump( d, buff )
                buff.seek( 0 )
                d_cached = base64.b64encode( buff.getvalue() )
                
                config.redis_shared.set( index, d_cached, ex = ttl )
                
                return d
    
        return wrapper_cache
    return decorator

################################################################################
#    Generic routing

@app.route( baseurl + '/ping' )
################################################################################
#    App serving

@app.route( baseurl + '/app/<path>' )
def send_app_files( path ):
    return send_from_directory( 'app', path )

Marco De Donno's avatar
Marco De Donno committed
@app.route( baseurl + '/static/<path>' )
def send_static_files( path ):
    return send_from_directory( 'static', path )

################################################################################
#    Sessions

@app.before_request
def renew_session():
    session.permanent = True
    app.permanent_session_lifetime = timedelta( seconds = config.session_timeout )

@app.route( baseurl + '/logout' )
def logout():
    session.clear()
    return redirect( url_for( 'home' ) )

@app.route( baseurl + '/login' )
def login( after = False ):
    if after:
        after = session.get( "after" )
        session.clear()
        session[ 'after' ] = after
    else:
        session.clear()
    
Marco De Donno's avatar
Marco De Donno committed
    session[ 'process' ] = "login"
    session[ 'need_to_check' ] = [ 'password' ]
    session[ 'logged' ] = False
    session[ 'session_security_key' ] = str( uuid4() )
    return render_template( 
        "login.html",
        baseurl = baseurl,
        js = config.cdnjs,
        session_timeout = config.session_timeout,
        session_security_key = session.get( "session_security_key" )
    )

@app.route( baseurl + '/do_login', methods = [ 'POST' ] )
def do_login():
    need_to_check = session.get( "need_to_check", [ 'password' ] )
    try:
        current_check = need_to_check[ 0 ]
    except:
        current_check = None
    
    session[ 'need_to_check' ] = need_to_check
    
    ############################################################################
    
    if current_check == "password":
Marco De Donno's avatar
Marco De Donno committed
        q = config.db.query( 'SELECT * FROM users WHERE username = %s', ( request.form.get( "username" ), ) )
        user = q.fetchone()
        
        if user == None:
            session[ 'logged' ] = False
Marco De Donno's avatar
Marco De Donno committed
            return jsonify( {
                'error': False,
                'logged': False
            } )
        
        form_password = request.form.get( "password", None )
        
        if form_password == None or not pbkdf2( form_password, user[ 'password' ] ):
            session[ 'logged' ] = False
Marco De Donno's avatar
Marco De Donno committed
            return jsonify( {
                'error': False,
                'logged': False,
            } )
        
        elif not user[ 'active' ]:
            session[ 'logged' ] = False
            return jsonify( {
                'error': False,
                'logged': False,
                'message': 'Your account is not activated. Please contact an administrator.'
            } )
        
        else:
            session[ 'username' ] = user[ 'username' ]
            session[ 'user_id' ] = user[ 'id' ]
            session[ 'password_check' ] = True
            
Marco De Donno's avatar
Marco De Donno committed
            session[ 'need_to_check' ].remove( current_check )
            session[ 'password' ] = pbkdf2( form_password, "AES256", 50000 )
Marco De Donno's avatar
Marco De Donno committed
            
            if user[ 'must_use_totp' ]:
                session[ 'need_to_check' ].append( 'totp' )
            
            if user[ 'must_use_securitykey' ]:
                session[ 'need_to_check' ].append( 'securitykey' )
Marco De Donno's avatar
Marco De Donno committed
    
    elif current_check == 'totp':
Marco De Donno's avatar
Marco De Donno committed
        q = config.db.query( 'SELECT username, totp FROM users WHERE username = %s', ( session[ 'username' ], ) )
        user = q.fetchone()
        
        if not pyotp.TOTP( user[ 'totp' ] ).verify( request.form[ "totp" ], valid_window = 1 ):
            session[ 'logged' ] = False
Marco De Donno's avatar
Marco De Donno committed
            return jsonify( {
                'error': False,
                'logged': False,
                'message': 'Wrong TOTP'
Marco De Donno's avatar
Marco De Donno committed
        
        else:
Marco De Donno's avatar
Marco De Donno committed
            session[ 'need_to_check' ].remove( current_check )
Marco De Donno's avatar
Marco De Donno committed
    
    if len( session[ 'need_to_check' ] ) == 0 and session.get( "password_check", False ):
Marco De Donno's avatar
Marco De Donno committed
        for key in [ 'process', 'need_to_check', 'password_check' ]:
        session[ 'logged' ] = True
        
        q = config.db.query( 'SELECT type FROM users WHERE username = %s', ( session[ 'username' ], ) )
        user = q.fetchone()
        session[ 'account_type' ] = user[ 'type' ]
        
        if session.get( 'after', False ):
            return jsonify( {
                'error': False,
                'logged': True,
                'redirect': session.get( 'after' )
            } )
        
        else:
            return jsonify( {
                'error': False,
                'logged': True,
            } )
        return jsonify( {
            'error': False,
            'next_step': session[ 'need_to_check' ][ 0 ]
Marco De Donno's avatar
Marco De Donno committed
################################################################################
#    Reset

@app.route( baseurl + '/reset_password' )
def password_reset():
Marco De Donno's avatar
Marco De Donno committed
    session.clear()
    session[ 'process' ] = "request_password_reset"
    
    return render_template( 
        "password_reset.html",
        baseurl = baseurl,
        js = config.cdnjs,
        css = config.cdncss
    )

@app.route( baseurl + '/do_reset_password', methods = [ 'POST' ] )
def do_password_reset():
    email = request.form.get( "email", None )
    
    Thread( target = do_password_reset_thread, args = ( email, ) ).start()
    
    return jsonify( {
        'error': False,
        'message': 'OK'
    } )

def do_password_reset_thread( email ):
    q = config.db.query( 'SELECT id, username, email FROM users' )
    users = q.fetchall()
    
    for user in users:
        if not user[ 'email' ].startswith( "pbkdf2$" ):
            continue
        
        elif pbkdf2( email, user[ 'email' ] ):
            id = hashlib.sha512( random_data( 100 ) ).hexdigest()
            
            ####################################################################
            
            data = {
                'process': 'password_reset',
                'process_id': id,
                'user_id': user[ 'id' ]
            }
            data = json.dumps( data )
            data = base64.b64encode( data )
            
            config.redis_shared.set( "reset_" + id, data, ex = 24 * 3600 )
            
            ####################################################################
            
            email_content = render_jinja_html( 
                "templates/email", "reset.html",
                id = id,
                url = config.domain + baseurl + "/reset_password_stage2"
            )
            
            msg = MIMEText( email_content, "html" )
            
            msg[ 'Subject' ] = 'ICNML - User password reset'
            msg[ 'From' ] = config.sender
            msg[ 'To' ] = email
            
            s = smtplib.SMTP( config.smtpserver )
            s.sendmail( config.sender, [ email ], msg.as_string() )
            s.quit()
            
            break

@app.route( baseurl + '/reset_password_stage2/<id>', methods = [ 'GET', 'POST' ] )
def password_reset_stage2( id ):
    id = str( id )
    data = config.redis_shared.get( "reset_" + id )
    
    if data != None:
        data = base64.b64decode( data )
        data = json.loads( data )
        
        password = request.form.get( "password", None )
        
        userid = data.get( "user_id", None )
        
        if password != None:
            password = pbkdf2( password, random_data( 50 ), 50000 )
            config.db.query( "UPDATE users SET password = %s WHERE id = %s", ( password, userid ) )
            config.db.commit()
            
            config.redis_shared.delete( "reset_" + id )
            
            return jsonify( {
                'error': False,
                'password_updated': True
            } )
            
        else:
            return render_template( 
                "password_reset_stage2.html",
                baseurl = baseurl,
                id = id,
                js = config.cdnjs,
                css = config.cdncss
            ) 
        
    else:
        return jsonify( {
            'error': True,
            'message': 'Reset procedure not found/expired'
        } )

################################################################################
@app.route( baseurl + '/u2f/admin' )
def u2f_admin():
        "u2f/admin.html",
        baseurl = baseurl,
        js = config.cdnjs,
        css = config.cdncss,
        session_timeout = config.session_timeout,
        keys = do_u2f_get_list_of_keys( all = True )
def do_u2f_get_list_of_keys( uid = None, all = False ):
    user_id = session.get( "user_id", uid )
    
    sql = "SELECT id, key_name as name, created_on, last_usage, usage_counter, active FROM webauthn WHERE user_id = %s"
    if not all:
        sql += " AND active = true"
    sql += " ORDER BY usage_counter DESC"
    
    q = config.db.query( sql, ( user_id, ) )
    keys = q.fetchall()
    
    data = []
    for key in keys:
        data.append( dict( key ) )
    
    return data

@app.route( baseurl + '/u2f/begin_activate', methods = [ 'POST' ] )
def u2f_begin_activate():
    session[ 'key_name' ] = request.form.get( "key_name", None )
    
    username = session.get( "username" )
    challenge = random_base32( 64 )
    ukey = random_base32( 64 )
    session[ 'challenge' ] = challenge
    session[ 'register_ukey' ] = ukey

    make_credential_options = webauthn.WebAuthnMakeCredentialOptions( 
        challenge, config.rp_name, config.RP_ID,
        ukey, username, username,
        None
    )
    
    return jsonify( make_credential_options.registration_dict )
@app.route( baseurl + '/u2f/verify', methods = [ 'POST' ] )
def u2f_verify():
    challenge = session[ 'challenge' ]
    user_id = session[ 'user_id' ]
    key_name = session.get( "key_name", None )
    ukey = session[ 'register_ukey' ]
    
    response = request.form
    
    webauthn_registration_response = webauthn.WebAuthnRegistrationResponse( 
        config.RP_ID,
        config.ORIGIN,
        response,
        challenge
    )
    
    try:
        webauthn_credential = webauthn_registration_response.verify()
    
    except Exception as e:
        return jsonify( {
            'error': True,
            'message': 'Registration failed. Error: {}'.format( e )
    config.db.query( 
        """
            INSERT INTO webauthn
            ( user_id, key_name, ukey, credential_id, pub_key, sign_count )
            VALUES ( %s, %s, %s, %s, %s, %s )
        """,
        ( 
            user_id, key_name,
            ukey, webauthn_credential.credential_id,
            webauthn_credential.public_key, webauthn_credential.sign_count,
        )
    )
    config.db.commit()
    
    return jsonify( {
        'success': 'User successfully registered.'
    } )

################################################################################

@app.route( baseurl + '/u2f/delete', methods = [ 'POST' ] )
def u2f_delete_key():
    key_id = request.form.get( "key_id", False )
    key_name = request.form.get( "key_name", False )
    userid = session[ 'user_id' ]
    
    try:
        config.db.query( "DELETE FROM webauthn WHERE id = %s AND key_name = %s AND user_id = %s", ( key_id, key_name, userid, ) )
        config.db.commit()
        
        return jsonify( {
            'error': False
        } )
        
    except Exception as e:
        return jsonify( {
            'error': True
        } );

@app.route( baseurl + '/u2f/disable', methods = [ 'POST' ] )
def u2f_disable_key():
    key_id = request.form.get( "key_id", False )
    key_name = request.form.get( "key_name", False )
    userid = session[ 'user_id' ]
    
    try:
        config.db.query( "UPDATE webauthn SET active = False WHERE id = %s AND key_name = %s AND user_id = %s", ( key_id, key_name, userid, ) )
        config.db.commit()
        
        return jsonify( {
            'error': False
        } )
        
    except Exception as e:
        return jsonify( {
            'error': True
        } );

@app.route( baseurl + '/u2f/enable', methods = [ 'POST' ] )
def u2f_enable_key():
    key_id = request.form.get( "key_id", False )
    key_name = request.form.get( "key_name", False )
    userid = session[ 'user_id' ]
    
    try:
        config.db.query( "UPDATE webauthn SET active = True WHERE id = %s AND key_name = %s AND user_id = %s", ( key_id, key_name, userid, ) )
        config.db.commit()
        
        return jsonify( {
            'error': False
        } )
        
    except Exception as e:
        return jsonify( {
            'error': True
        } );

@app.route( baseurl + '/u2f/rename', methods = [ 'POST' ] )
@login_required
def u2f_rename_key():
    key_id = request.form.get( "key_id", False )
    key_name = request.form.get( "key_name", False )
    userid = session[ 'user_id' ]
    
    try:
        config.db.query( "UPDATE webauthn SET key_name = %s WHERE id = %s AND user_id = %s", ( key_name, key_id, userid, ) )
        config.db.commit()
        
        return jsonify( {
            'error': False
        } )
        
    except Exception as e:
        return jsonify( {
            'error': True
        } );

@app.route( baseurl + '/u2f/begin_assertion' )
def u2f_begin_assertion():
    user_id = session.get( "user_id" )
    
    if 'challenge' in session:
        del session[ 'challenge' ]
    
    challenge = random_base32( 64 )
    session[ 'challenge' ] = challenge
    
    q = config.db.query( "SELECT * FROM webauthn WHERE user_id = %s AND active = true", ( user_id, ) )
    credential_id_list = []
    for key in key_list:
        credential_id_list.append( {
            'type': 'public-key',
            'id': key[ 'credential_id' ],
            'transports': [ 'usb', 'nfc', 'ble', 'internal' ]
        } )
     
    assertion_dict = {
        'challenge': challenge,
        'timeout': 60000,
        'allowCredentials': credential_id_list,
        'rpId': config.RP_ID,
    }
    
    return jsonify( {
        'error': False,
@app.route( baseurl + '/u2f/verify_assertion', methods = [ 'POST' ] )
Loading
Loading full blame...