Merge pull request #130 from MISP/authImprovements

Few authentication improvements
2019-10-11 09:59:27 +02:00 · 2019-10-11 09:59:27 +02:00 · d390a169b5
parent 47c4c2e529 1b4df61591
commit d390a169b5
3 changed files with 44 additions and 19 deletions
--- a/diagnostic.py
+++ b/diagnostic.py
@ -387,27 +387,35 @@ def check_server_listening(spinner):

@add_spinner
 def check_server_dynamic_enpoint(spinner):
+    payload = {
+        'username': 'admin@admin.test',
+        'password': 'Password1234',
+        'submit': 'Sign In'
+    }
    sleep_max = 15
    start_time = time.time()
+    url_login = '{}:{}/login'.format(HOST, PORT)
    url = '{}:{}/_logs'.format(HOST, PORT)
-    p = subprocess.Popen(
-        ['curl', '-sfN', '--header', 'Accept: text/event-stream', url],
-        stdout=subprocess.PIPE,
-        bufsize=1)
-    signal.alarm(sleep_max)
+    session = requests.Session()
+    session.verify = False
+    r_login = session.post(url_login, data=payload)
+    if '/login' in r_login.url:
+        return_text = 'Invalid credential. Use valid credential to proceed.'
+        return (False, return_text)
+
+    r = session.get(url, stream=True, timeout=sleep_max, headers={'Accept': 'text/event-stream'})
    return_flag = False
    return_text = 'Dynamic endpoint returned data but not in the correct format.'
    try:
-        for line in iter(p.stdout.readline, b''):
+        for line in r.iter_lines():
            if line.startswith(b'data: '):
                data = line[6:]
                try:
-                    j = json.loads(data)
+                    json.loads(data)
                    return_flag = True
-                    return_text = 'Dynamic endpoint returned data (took {:.2f}s)'.format(time.time()-start_time)
-                    signal.alarm(0)
+                    return_text = 'Dynamic endpoint returned data (took {:.2f}s)\n\t➥ {}...'.format(time.time()-start_time, line[6:20])
                    break
-                except Exception as e:
+                except Exception:
                    return_flag = False
                    return_text = 'Something went wrong. Output {}'.format(line)
                    break
--- a/server.py
+++ b/server.py
@ -109,6 +109,7 @@ class User(UserMixin):
        }

        misp_login_page = auth_host + "/users/login"
+        misp_user_me_page = auth_host + "/users/view/me.json"
        session = requests.Session()
        session.verify = auth_ssl_verify

@ -127,12 +128,16 @@ class User(UserMixin):
        post_data["data[_Token][key]"] = token_key.group(1)

        # POST request with user credentials + hidden form values.
-        post_to_login_page = session.post(misp_login_page, data=post_data)
-
+        post_to_login_page = session.post(misp_login_page, data=post_data, allow_redirects=False)
+        # Consider setup with MISP baseurl set
+        redirect_location = post_to_login_page.headers.get('Location', '')
        # Authentication is successful if MISP returns a redirect to '/users/routeafterlogin'.
-        for resp in post_to_login_page.history:
-            if resp.url == auth_host + '/users/routeafterlogin':
-                return True
+        if '/users/routeafterlogin' in redirect_location:
+            # Logged in, check if logged in user can access the dashboard
+            me_json = session.get(misp_user_me_page).json()
+            dashboard_access = me_json.get('UserSetting', {}).get('dashboard_access', False)
+            if dashboard_access is not False:
+                return dashboard_access is True or dashboard_access == 1
        return None


@ -191,8 +196,10 @@ def login():
            login_user(user)
            return redirect(url_for('index'))

-        return redirect(url_for('login'))
-    return render_template('login.html', title='Login', form=form)
+        return redirect(url_for('login', auth_error=True))
+    else:
+        auth_error = request.args.get('auth_error', False)
+        return render_template('login.html', title='Login', form=form, authError=auth_error)



--- a/templates/login.html
+++ b/templates/login.html
@ -7,9 +7,14 @@
        Users - MISP
    </title>

+    <!-- jQuery -->
+    <script src="{{ url_for('static', filename='js/jquery.min.js') }}"></script>
+    <!-- Bootstrap Core CSS -->
+    <link href="{{ url_for('static', filename='css/bootstrap.min.css') }}" rel="stylesheet">
+    <!-- Custom CSS -->
+    <link href="{{ url_for('static', filename='css/sb-admin-2.css') }}" rel="stylesheet">
    <!-- Bootstrap Core JavaScript -->
    <script src="{{ url_for('static', filename='js/bootstrap.js') }}"></script>
-    <script src="{{ url_for('static', filename='js/bootstrap3-typeahead.min.js') }}"></script>
    <link rel="stylesheet" href="{{ url_for('static', filename='css/font-awesome.min.css') }}" rel="text/css">

 </head>
@ -27,8 +32,13 @@
    <td style="width:460px">

        <div>
-            <img src="{{ url_for('static', filename='/pics/misp-logo.png') }}" style="display:block; margin-left: auto; margin-right: auto;"/>
+            <img src="{{ url_for('static', filename='pics/misp-logo.png') }}" style="display:block; margin-left: auto; margin-right: auto;"/>
        </div>
+        {% if authError %}
+            <div class="alert alert-danger">
+                Username and Password does not match when connecting to MISP or incorrect MISP permission
+            </div>
+        {% endif %}


        <form action="" id="UserLoginForm" method="post" accept-charset="utf-8">