From 21dedd37eddcf6f0da81a6ebac741bb011d9cc43 Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Fri, 11 Oct 2019 08:37:46 +0200
Subject: [PATCH 1/5] chg: [auth] Takes into account MISP baseurl for redirections
---
server.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/server.py b/server.py
index 0e23678..8c4fb44 100755
--- a/server.py
+++ b/server.py
@@ -127,12 +127,12 @@ class User(UserMixin):
post_data["data[_Token][key]"] = token_key.group(1)
# POST request with user credentials + hidden form values.
- post_to_login_page = session.post(misp_login_page, data=post_data)
-
+ post_to_login_page = session.post(misp_login_page, data=post_data, allow_redirects=False)
+ # Consider setup with MISP baseurl set
+ redirect_location = post_to_login_page.headers.get('Location', '')
# Authentication is successful if MISP returns a redirect to '/users/routeafterlogin'.
- for resp in post_to_login_page.history:
- if resp.url == auth_host + '/users/routeafterlogin':
- return True
+ if '/users/routeafterlogin' in redirect_location:
+ return True
return None
@@ -191,8 +191,10 @@ def login():
login_user(user)
return redirect(url_for('index'))
- return redirect(url_for('login'))
- return render_template('login.html', title='Login', form=form)
+ return redirect(url_for('login', auth_error=True))
+ else:
+ auth_error = request.args.get('auth_error', False)
+ return render_template('login.html', title='Login', form=form, authError=auth_error)
From 2ecc4a8fad37b522d9fb6e885751ee331113e7fc Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Fri, 11 Oct 2019 08:38:33 +0200
Subject: [PATCH 2/5] chg: [login] Fixed web dependencies and added auth error message
---
templates/login.html | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/templates/login.html b/templates/login.html
index cfd60fc..93ab85b 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -7,9 +7,14 @@ Users - MISP + + + + + + -
@@ -27,8 +32,13 @@

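Review bot: `'/users/routeafterlogin' in redirect_location` is a substring test, so any Location value that merely contains that path somewhere (for instance inside a `?next=` parameter, or on another host) would count as a successful login, whereas the removed code compared the full URL against `auth_host`. Parse the header and compare the path instead, e.g. `if urllib.parse.urlparse(redirect_location).path.rstrip('/').endswith('/users/routeafterlogin'):`, which still works when MISP's baseurl adds a path prefix. With `allow_redirects=False` it is also worth confirming `post_to_login_page.status_code` is a 3xx before trusting the header, so a 200 that happens to carry a Location header is not taken as success. The method's signature is outside the hunk.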
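Review bot: `request.args.get('auth_error', False)` in the new `else` branch of `login()` takes the flag straight from the query string, so any non-empty value (`?auth_error=0` included) renders the error banner; since the only producer is the redirect two lines above, which emits `auth_error=True`, compare against that, e.g. `auth_error = request.args.get('auth_error') == 'True'`. The `else:` after a branch that always returns is unnecessary and can be dropped to flatten the function. `login()` starts outside the hunk.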
- +
+ {% if authError %} +
+ Username and Password does not match when connecting to MISP +
+ {% endif %}
From eaf3ad30d1c20ea7a428d4df96e320fe1ebe1abb Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Fri, 11 Oct 2019 08:57:55 +0200
Subject: [PATCH 3/5] chg: [auth] Check if can access the dashboard
---
server.py | 9 ++++++++-
templates/login.html | 2 +-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/server.py b/server.py
index 8c4fb44..d62b8ec 100755
--- a/server.py
+++ b/server.py
@@ -109,6 +109,7 @@ class User(UserMixin):
}
misp_login_page = auth_host + "/users/login"
+ misp_user_me_page = auth_host + "/users/view/me.json"
session = requests.Session()
session.verify = auth_ssl_verify
@@ -132,7 +133,13 @@ class User(UserMixin):
redirect_location = post_to_login_page.headers.get('Location', '')
# Authentication is successful if MISP returns a redirect to '/users/routeafterlogin'.
if '/users/routeafterlogin' in redirect_location:
- return True
+ # Logged in, check if logged in user can access the dashboard
+ me_json = session.get(misp_user_me_page).json()
+ dashboard_access = me_json.get('UserSetting', {}).get('dashboard_access', False)
+ if dashboard_access is not False:
+ return dashboard_access is True or dashboard_access == 1
+ else:
+ return False
return None
diff --git a/templates/login.html b/templates/login.html
index 93ab85b..4e128ec 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -36,7 +36,7 @@ {% if authError %}

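Review bot: `session.get(misp_user_me_page).json()` decodes the body without checking the response status, so a non-JSON reply from MISP (an HTML error page, a 5xx, a session that was not actually established) raises `ValueError` out of the authentication path instead of failing closed. Check the status first and treat a decode failure as denial, as in the excerpt below. `me_json.get('UserSetting', {})` also assumes that key holds a dict; if MISP ever returns a list there this raises `AttributeError`, which the same guard should cover. The `else: return False` branch is dropped again by the last patch of this series, so only the guard is new here; the enclosing method starts outside the hunk.
```python
            # Logged in, check if logged in user can access the dashboard
            me_resp = session.get(misp_user_me_page)
            if not me_resp.ok:
                return False
            try:
                me_json = me_resp.json()
                dashboard_access = me_json.get('UserSetting', {}).get('dashboard_access', False)
            except (ValueError, AttributeError):
                return False
            # … unchanged: dashboard_access evaluation …
```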
- Username and Password does not match when connecting to MISP + Username and Password does not match when connecting to MISP or incorrect MISP permission
{% endif %}
From 8da3d509cdcfe2731353036e91e8f600acf43884 Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Fri, 11 Oct 2019 09:35:03 +0200
Subject: [PATCH 4/5] chg: [diagnostic] Fixed to support auth
---
diagnostic.py | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/diagnostic.py b/diagnostic.py
index 386c048..008915c 100755
--- a/diagnostic.py
+++ b/diagnostic.py
@@ -387,27 +387,35 @@ def check_server_listening(spinner):
@add_spinner
def check_server_dynamic_enpoint(spinner):
+ payload = {
+ 'username': 'admin@admin.test',
+ 'password': 'Password1234',
+ 'submit': 'Sign In'
+ }
sleep_max = 15
start_time = time.time()
+ url_login = '{}:{}/login'.format(HOST, PORT)
url = '{}:{}/_logs'.format(HOST, PORT)
- p = subprocess.Popen(
- ['curl', '-sfN', '--header', 'Accept: text/event-stream', url],
- stdout=subprocess.PIPE,
- bufsize=1)
- signal.alarm(sleep_max)
+ session = requests.Session()
+ session.verify = False
+ r_login = session.post(url_login, data=payload)
+ if '/login' in r_login.url:
+ return_text = 'Invalid credential. Use valid credential to proceed.'
+ return (False, return_text)
+
+ r = session.get(url, stream=True, timeout=sleep_max, headers={'Accept': 'text/event-stream'})
return_flag = False
return_text = 'Dynamic endpoint returned data but not in the correct format.'
try:
- for line in iter(p.stdout.readline, b''):
+ for line in r.iter_lines():
if line.startswith(b'data: '):
data = line[6:]
try:
- j = json.loads(data)
+ json.loads(data)
return_flag = True
- return_text = 'Dynamic endpoint returned data (took {:.2f}s)'.format(time.time()-start_time)
- signal.alarm(0)
+ return_text = 'Dynamic endpoint returned data (took {:.2f}s)\n\t➥ {}...'.format(time.time()-start_time, line[6:20])
break
- except Exception as e:
+ except Exception:
return_flag = False
return_text = 'Something went wrong. Output {}'.format(line)
break
From 1b4df61591b43c69fd2364561d5b146fd3f246ce Mon Sep 17 00:00:00 2001
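Review bot: The new `payload` hard-codes a login (`'admin@admin.test'` / `'Password1234'`) and `session.verify = False` disables TLS verification, so the diagnostic only succeeds against an instance that still has that default account and never notices a bad certificate; read both from the environment or the existing configuration (e.g. `os.environ.get(...)` with these values only as a fallback) and leave verification on unless explicitly turned off. The hunk also uses `requests` without adding an import; unless diagnostic.py already imports it (not visible here), the function fails with `NameError`. `timeout=sleep_max` on a streamed GET bounds each socket read, not the whole wait that the removed `signal.alarm(sleep_max)` enforced, so a stream that keeps sending lines not starting with `data: ` can run well past 15 s. Neither `r` nor `session` is closed after `break`, so the streamed connection stays open (`with session.get(...) as r:` or an explicit `r.close()` fixes that). The rest of the function is outside the hunk.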
From: mokaddem
Date: Fri, 11 Oct 2019 09:45:54 +0200
Subject: [PATCH 5/5] chg: [auth] Simplified condition
---
server.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/server.py b/server.py
index d62b8ec..833d407 100755
--- a/server.py
+++ b/server.py
@@ -138,8 +138,6 @@ class User(UserMixin):
dashboard_access = me_json.get('UserSetting', {}).get('dashboard_access', False)
if dashboard_access is not False:
return dashboard_access is True or dashboard_access == 1
- else:
- return False
return None