Commit 3eb1255e authored by PidgeyL's avatar PidgeyL

token in admin page

parent 3fb5f952
+1 −1
@@ -327,10 +327,10 @@ def getUser(user):

def getToken(user):
  data = sanitize(colUSERS.find_one({"username": user}))
  if not data:              return None
  if 'token' in data.keys():return data['token']
  else:                     return generateToken(user)


def generateToken(user):
  token = uuid.uuid4().hex
  colUSERS.update({'username': user}, {'$set': {'token': token}})
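Review bot: `getToken` is a lookup with a write side effect: on `else: return generateToken(user)` a user who has no token gets one minted, and the API authentication path in this commit (`db.getToken(name)`) calls it with whatever username an unauthenticated request presents, so a request naming an existing user creates a token for that user. Consider returning only what is stored here (`if 'token' in data: return data['token']` / `return None`, assuming `sanitize` hands back a plain dict) and minting only from the explicit generate routes and the admin page. The token is also stored in clear in `colUSERS`; keeping a SHA-256 digest instead and comparing digests would limit what a read of the users collection exposes. Which of these eleven lines is the commit's one-line change is not recoverable from the rendered page, so both functions are read here as current code.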
+20 −2
@@ -34,7 +34,6 @@ from web.api import API, APIError
class Advanced_API(API):
  def __init__(self):
    super().__init__()
    self.auth_handler = AuthenticationHandler()
    routes = [{'r': '/api/admin/whitelist',        'm': ['GET'],  'f': self.api_admin_whitelist},
              {'r': '/api/admin/blacklist',        'm': ['GET'],  'f': self.api_admin_blacklist},
              {'r': '/api/admin/whitelist/export', 'm': ['GET'],  'f': self.api_admin_whitelist},
@@ -47,6 +46,8 @@ class Advanced_API(API):
              {'r': '/api/admin/blacklist/add',    'm': ['PUT'],  'f': self.api_admin_add_blacklist},
              {'r': '/api/admin/whitelist/remove', 'm': ['PUT'],  'f': self.api_admin_remove_whitelist},
              {'r': '/api/admin/blacklist/remove', 'm': ['PUT'],  'f': self.api_admin_remove_blacklist},
              {'r': '/api/admin/get_token',        'm': ['GET'],  'f': self.api_admin_get_token},
              {'r': '/api/admin/new_token',        'm': ['GET'],  'f': self.api_admin_generate_token},
              {'r': '/api/admin/updatedb',         'm': ['GET'],  'f': self.api_update_db}]

    for route in routes: self.addRoute(route)
@@ -68,7 +69,9 @@ class Advanced_API(API):
        name, token = (':'+auth.strip()).rsplit(":", 1)
        name = name[1:] # Adding and removing colon to ensure decent split
        if   method.lower() == 'basic':
          data = ({'status': 'error', 'reason': 'Authorization method not yet implemented'}, 501)
          authenticator = AuthenticationHandler()
          if not authenticator.validateUser(name, token): data = ({'status': 'error', 'reason': 'Authentication failed'}, 401)
          # data = ({'status': 'error', 'reason': 'Authorization method not yet implemented'}, 501)
        elif method.lower() == 'token':
          if not db.getToken(name) == token: data = ({'status': 'error', 'reason': 'Authentication failed'}, 401)
      except Exception as e:
@@ -87,6 +90,9 @@ class Advanced_API(API):
      else: return API.api(funct)(*args, **kwargs)
    return api_token

  ##########
  # ROUTES #
  ##########
  # Overriding api_dbInfo to allow for logged-in users to get more info
  def api_dbInfo(self):
    errors = Advanced_API.authErrors()
@@ -137,7 +143,19 @@ class Advanced_API(API):
  def api_admin_remove_blacklist(self):
    return bl.removeBlacklist(request.form['cpe'])

  @token_required # Of course only the login credentials would work
  def api_admin_get_token(self):
    method, auth = (request.headers.get('Authorization')+" ").split(" ", 1)
    name, token = (':'+auth.strip()).rsplit(":", 1)
    name = name[1:]
    return db.getToken(name)

  @token_required
  def api_admin_generate_token(self):
    method, auth = (request.headers.get('Authorization')+" ").split(" ", 1)
    name, token = (':'+auth.strip()).rsplit(":", 1)
    name = name[1:]
    return db.generateToken(name)

  @token_required
  def api_update_db(self):
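Review bot: The token branch of the decorator, `if not db.getToken(name) == token:`, compares a bearer secret with `==`, which returns as soon as one byte differs; use a constant-time compare, e.g. `stored = db.getToken(name)` followed by `if stored is None or not hmac.compare_digest(stored, token): data = ({'status': 'error', 'reason': 'Authentication failed'}, 401)` (stdlib `hmac`). The comment `# Of course only the login credentials would work` on api_admin_get_token does not match this decorator, which accepts the `token` method as well, so a presented token can read or rotate itself; if that is not intended, the two token routes need an explicit `method.lower() == 'basic'` check. api_admin_get_token and api_admin_generate_token also repeat the Authorization parsing from the decorator line for line; a small `_auth_name()` helper returning `name` would keep the three copies in sync. `/api/admin/new_token` rotates a credential on GET while the other mutating admin routes in the route table use PUT. The decorator whose body the second hunk shows begins above that hunk.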
+10 −2
@@ -67,9 +67,12 @@ class Index(Minimal, Advanced_API):
              {'r': '/plugin/<plugin>',                         'm': ['GET'],  'f': self.openPlugin},
              {'r': '/plugin/<plugin>/subpage/<page>',          'm': ['GET'],  'f': self.openPluginSubpage},
              {'r': '/plugin/<plugin>/_cve_action/<action>',    'm': ['GET'],  'f': self._jsonCVEAction},
              {'r': '/login',                                   'm': ['POST'], 'f': self.login_check},
              {'r': '/logout',                                  'm': ['POST'], 'f': self.logout},
              {'r': '/admin',                                   'm': ['GET'],  'f': self.admin},
              {'r': '/admin/',                                  'm': ['GET'],  'f': self.admin},
              {'r': '/admin/change_pass',                       'm': ['GET'],  'f': self.change_pass},
              {'r': '/admin/request_token',                     'm': ['GET'],  'f': self.request_token},
              {'r': '/admin/updatedb',                          'm': ['GET'],  'f': self.updatedb},
              {'r': '/admin/whitelist/import',                  'm': ['POST'], 'f': self.listImport},
              {'r': '/admin/blacklist/import',                  'm': ['POST'], 'f': self.listImport},
@@ -191,7 +194,8 @@ class Index(Minimal, Advanced_API):
  def adminInfo(self, output=None):
    return {'stats':        db.getDBStats(True),
            'plugins':      self.plugManager.getPlugins(),
            'updateOutput': self.filterUpdateField(output)}
            'updateOutput': self.filterUpdateField(output),
            'token':        db.getToken(current_user.id)}


  # user management
@@ -309,6 +313,10 @@ class Index(Minimal, Advanced_API):
    else:
      return jsonify({"status": "wrong_user_pass"})

  # /admin/request_token
  @login_required
  def request_token(self):
    return jsonify({"token": db.generateToken(current_user.id)})

  # /admin/updatedb
  @login_required
@@ -503,7 +511,7 @@ class Index(Minimal, Advanced_API):
    try:
      if person and person.authenticate(password):
        login_user(person)
        return render_template('admin.html', status="logged_in", **adminInfo())
        return render_template('admin.html', status="logged_in", **self.adminInfo())
      else:
        return render_template('login.html', status="wrong_user_pass")
    except Exception as e:
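Review bot: `request_token` at `/admin/request_token` rotates the admin's API token on a GET guarded only by `@login_required`, so a cross-site request from any page the logged-in admin visits can trigger the rotation; register it with `'m': ['POST']` like `/login` and `/logout` and have the admin page's button submit a POST (the same question applies to `/admin/updatedb`, which by its name also looks state-changing). `adminInfo` now calls `db.getToken(current_user.id)` on every admin render, which, with the generate-on-miss fallback getToken has in this commit's first file, mints a token as a side effect of viewing the page; if that is intended, say so with `# getToken mints a token on first call, so viewing /admin guarantees one exists`. A short docstring on `adminInfo` naming the returned keys (`stats`, `plugins`, `updateOutput`, `token`) would help whoever maintains the template.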
+2 −9
@@ -2,17 +2,10 @@
   width: 300px;
   
}
#stats {
#stats, #plugins, #token_request {
   float: right;
   width: calc(100% - 320px);
}
#stats > table > tbody > tr > td{
   font-size: 14px;
}
#plugins {
   float: right;
   width: calc(100% - 320px);
}
#plugins > table > tbody > tr > td{
#stats, #plugins > table > tbody > tr > td{
   font-size: 14px;
}
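Review bot: The rewritten selector `#stats, #plugins > table > tbody > tr > td{` does not say what the two cell rules it replaces said: the comma splits it into `#stats` and `#plugins > table > tbody > tr > td`, so the 14px font-size now applies to the whole #stats panel instead of its table cells. Spell out both chains, `#stats > table > tbody > tr > td, #plugins > table > tbody > tr > td {`. The new `#token_request` block receives the shared float/width rule from the first selector list but no cell font-size; add its chain as well if its table is meant to match the others.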
+9 −0
@@ -40,6 +40,15 @@
    <span>Database size: {{'%0.2f' % (stats['stats']['db_size']/1024**2)}}MB ({{'%0.2f' % (stats['stats']['db_size']/1024**3)}}GB)</span><br />
    <span>Database size on disk: {{'%0.2f' % (stats['stats']['size_on_disk']/1024**2)}}MB ({{'%0.2f' % (stats['stats']['size_on_disk']/1024**3)}}GB)</span>
  </div>
  <!-- Token request -->
  <div id="token_request" class="well well-small">
    <table>
      <tr>
        <td> <input type="text" name="token" id="token" readonly="readonly" value="{{token}}"> </td>
        <td> <button onclick="requestToken()">Request new token</button> </td>
      </tr>
    </table>
  </div>
  <!-- Plug-in information -->
  <div id="plugins" class="well well-small">
    <strong>Plug-in Information</strong> <br />
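Review bot: The API token is written into the admin page at `value="{{token}}"`, so the credential now sits in the rendered HTML and in any cached copy of the page; the view that renders admin.html should send `Cache-Control: no-store`, and the input should carry `autocomplete="off"`. Rendering `{{token}}` unescaped is safe only because this template is presumably loaded with Jinja autoescaping on (Flask's default for `.html` names); the values are uuid hex today, but the escaping is what the page should rely on. `requestToken()` referenced by the button is not defined in this hunk, so the rotation handler is assumed to live in a script elsewhere; it should use the HTTP method the `/admin/request_token` route is registered with.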