diff --git a/diagnostic.py b/diagnostic.py
index 386c048..008915c 100755
--- a/diagnostic.py
+++ b/diagnostic.py
@@ -387,27 +387,35 @@ def check_server_listening(spinner):
@add_spinner
def check_server_dynamic_enpoint(spinner):
+ payload = {
+ 'username': 'admin@admin.test',
+ 'password': 'Password1234',
+ 'submit': 'Sign In'
+ }
sleep_max = 15
start_time = time.time()
+ url_login = '{}:{}/login'.format(HOST, PORT)
url = '{}:{}/_logs'.format(HOST, PORT)
- p = subprocess.Popen(
- ['curl', '-sfN', '--header', 'Accept: text/event-stream', url],
- stdout=subprocess.PIPE,
- bufsize=1)
- signal.alarm(sleep_max)
+ session = requests.Session()
+ session.verify = False
+ r_login = session.post(url_login, data=payload)
+ if '/login' in r_login.url:
+ return_text = 'Invalid credential. Use valid credential to proceed.'
+ return (False, return_text)
+
+ r = session.get(url, stream=True, timeout=sleep_max, headers={'Accept': 'text/event-stream'})
return_flag = False
return_text = 'Dynamic endpoint returned data but not in the correct format.'
try:
- for line in iter(p.stdout.readline, b''):
+ for line in r.iter_lines():
if line.startswith(b'data: '):
data = line[6:]
try:
- j = json.loads(data)
+ json.loads(data)
return_flag = True
- return_text = 'Dynamic endpoint returned data (took {:.2f}s)'.format(time.time()-start_time)
- signal.alarm(0)
+ return_text = 'Dynamic endpoint returned data (took {:.2f}s)\n\t➥ {}...'.format(time.time()-start_time, line[6:20])
break
- except Exception as e:
+ except Exception:
return_flag = False
return_text = 'Something went wrong. Output {}'.format(line)
break
diff --git a/server.py b/server.py
index 0e23678..833d407 100755
--- a/server.py
+++ b/server.py
@@ -109,6 +109,7 @@ class User(UserMixin):
}
misp_login_page = auth_host + "/users/login"
+ misp_user_me_page = auth_host + "/users/view/me.json"
session = requests.Session()
session.verify = auth_ssl_verify
@@ -127,12 +128,16 @@ class User(UserMixin):
post_data["data[_Token][key]"] = token_key.group(1)
# POST request with user credentials + hidden form values.
- post_to_login_page = session.post(misp_login_page, data=post_data)
-
+ post_to_login_page = session.post(misp_login_page, data=post_data, allow_redirects=False)
+ # Consider setup with MISP baseurl set
+ redirect_location = post_to_login_page.headers.get('Location', '')
# Authentication is successful if MISP returns a redirect to '/users/routeafterlogin'.
- for resp in post_to_login_page.history:
- if resp.url == auth_host + '/users/routeafterlogin':
- return True
+ if '/users/routeafterlogin' in redirect_location:
+ # Logged in, check if logged in user can access the dashboard
+ me_json = session.get(misp_user_me_page).json()
+ dashboard_access = me_json.get('UserSetting', {}).get('dashboard_access', False)
+ if dashboard_access is not False:
+ return dashboard_access is True or dashboard_access == 1
return None
@@ -191,8 +196,10 @@ def login():
login_user(user)
return redirect(url_for('index'))
- return redirect(url_for('login'))
- return render_template('login.html', title='Login', form=form)
+ return redirect(url_for('login', auth_error=True))
+ else:
+ auth_error = request.args.get('auth_error', False)
+ return render_template('login.html', title='Login', form=form, authError=auth_error)
diff --git a/templates/login.html b/templates/login.html
index cfd60fc..4e128ec 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -7,9 +7,14 @@
Users - MISP
+
+
+
+
+
+
-
@@ -27,8 +32,13 @@
-  }})
+  }})
+ Username and Password does not match when connecting to MISP or incorrect MISP permission
+
+ {% endif %}
|