chg: [website] admin user

MISP · Feb 29, 2024 · 4426a51 · 4426a51
1 parent 7a31404
commit 4426a51
Show file tree

Hide file tree

Showing 14 changed files with 304 additions and 108 deletions.
diff --git a/website/README.md b/website/README.md
@@ -31,8 +31,18 @@ Edit `config.py`
 
 - `MISP_MODULE`: url and port where misp-module is running
 
+- `ADMIN_USER`: If True, config page will not be accessible
+
+- `ADMIN_PASSWORD`: Password for Admin user if `ADMIN_USER` is True
+
 ## Launch
 
 ```bash
 ./launch.sh -l
 ```
+
+
+
+## Admin user
+
+If admin user is active, type `/login` in url to access a login page and type the password wrote in `config.py` in `ADMIN_PASSOWRD`.
diff --git a/website/app/__init__.py b/website/app/__init__.py
@@ -3,6 +3,7 @@
 from flask_wtf import CSRFProtect
 from flask_migrate import Migrate
 from flask_session import Session
+from flask_login import LoginManager
 
 from config import config as Config
 import os
@@ -11,7 +12,8 @@
 db = SQLAlchemy()
 csrf = CSRFProtect()
 migrate = Migrate()
-sess = Session()
+session = Session()
+login_manager = LoginManager()
 
 def create_app():
     app = Flask(__name__)
@@ -25,12 +27,16 @@ def create_app():
     csrf.init_app(app)
     migrate.init_app(app, db, render_as_batch=True)
     app.config["SESSION_SQLALCHEMY"] = db
-    sess.init_app(app)
+    session.init_app(app)
+    login_manager.login_view = "account.login"
+    login_manager.init_app(app)
 
     from .home import home_blueprint
     from .history.history import history_blueprint
+    from .account.account import account_blueprint
     app.register_blueprint(home_blueprint, url_prefix="/")
     app.register_blueprint(history_blueprint, url_prefix="/")
+    app.register_blueprint(account_blueprint, url_prefix="/")
 
     return app
 
diff --git a/website/app/account/account.py b/website/app/account/account.py
@@ -0,0 +1,45 @@
+from ..db_class.db import User
+from flask import Blueprint, render_template, redirect, url_for, request, flash
+from .form import LoginForm
+from flask_login import (
+    login_required,
+    login_user,
+    logout_user,
+    current_user
+)
+from ..utils.utils import admin_password
+from ..db_class.db import User
+from .. import db
+
+account_blueprint = Blueprint(
+    'account',
+    __name__,
+    template_folder='templates',
+    static_folder='static'
+)
+
+@account_blueprint.route('/login', methods=['GET', 'POST'])
+def login():
+    """Log in an existing user."""
+    form = LoginForm()
+    if form.validate_on_submit():
+        if form.password.data == str(admin_password()):
+            user = User(email="admin@admin.admin")
+            db.session.add(user)
+            db.session.commit()
+            login_user(user, form.remember_me.data)
+            flash('You are now logged in. Welcome back!', 'success')
+            return redirect(request.args.get('next') or "/")
+        else:
+            flash('Invalid password.', 'error')
+    return render_template('account/login.html', form=form)
+
+@account_blueprint.route('/logout')
+@login_required
+def logout():
+    User.query.filter_by(id=current_user.id).delete()
+    logout_user()
+
+    flash('You have been logged out.', 'info')
+    return redirect(url_for('home.home'))
+
diff --git a/website/app/account/form.py b/website/app/account/form.py
@@ -0,0 +1,13 @@
+from flask_wtf import FlaskForm
+from wtforms.fields import (
+    BooleanField,
+    PasswordField,
+    SubmitField
+)
+from wtforms.validators import InputRequired
+
+
+class LoginForm(FlaskForm):
+    password = PasswordField('Password', validators=[InputRequired()])
+    remember_me = BooleanField('Keep me logged in')
+    submit = SubmitField('Log in')
diff --git a/website/app/db_class/db.py b/website/app/db_class/db.py
@@ -1,5 +1,6 @@
 import json
-from .. import db
+from .. import db, login_manager
+from flask_login import  UserMixin, AnonymousUserMixin
 
 
 class Module(db.Model):
@@ -76,3 +77,30 @@ class Module_Config(db.Model):
     config_id = db.Column(db.Integer, index=True)
     value = db.Column(db.String, index=True)
 
+
+class User(UserMixin, db.Model):
+    id = db.Column(db.Integer, primary_key=True, autoincrement=True)
+    first_name = db.Column(db.String(64), index=True)
+    last_name = db.Column(db.String(64), index=True)
+    email = db.Column(db.String(64), unique=True, index=True)
+
+    def to_json(self):
+        return {
+            "id": self.id, 
+            "first_name": self.first_name, 
+            "last_name": self.last_name, 
+            "email": self.email
+        }
+
+class AnonymousUser(AnonymousUserMixin):
+    def is_admin(self):
+        return False
+
+    def read_only(self):
+        return True
+
+login_manager.anonymous_user = AnonymousUser
+
+@login_manager.user_loader
+def load_user(user_id):
+    return User.query.get(int(user_id))
diff --git a/website/app/history/history.py b/website/app/history/history.py
@@ -1,6 +1,7 @@
 import json
-from flask import Flask, Blueprint, render_template, request, jsonify
+from flask import Flask, Blueprint, render_template, request, jsonify, session as sess
 from . import history_core as HistoryModel
+from ..utils.utils import admin_user_active
 
 history_blueprint = Blueprint(
     'history',
@@ -13,6 +14,7 @@
 @history_blueprint.route("/history", methods=["GET"])
 def history():
     """View all history"""
+    sess["admin_user"] = admin_user_active()
     return render_template("history.html")
 
 @history_blueprint.route("/get_history", methods=["GET"])
@@ -25,6 +27,7 @@ def get_history():
 @history_blueprint.route("/history_session", methods=["GET"])
 def history_session():
     """View all history"""
+    sess["admin_user"] = admin_user_active()
     return render_template("history_session.html", tree_view=False)
 
 @history_blueprint.route("/get_history_session", methods=["GET"])
@@ -49,6 +52,7 @@ def save_history(sid):
 @history_blueprint.route("/history_tree", methods=["GET"])
 def history_tree():
     """View all history"""
+    sess["admin_user"] = admin_user_active()
     return render_template("history_session.html", tree_view=True)
 
 @history_blueprint.route("/get_history_tree", methods=["GET"])

diff --git a/website/app/home.py b/website/app/home.py
@@ -1,7 +1,9 @@
 import json
-from flask import Flask, Blueprint, render_template, request, jsonify
+from flask import Blueprint, render_template, request, jsonify, session as sess
+from flask_login import current_user
+from . import session_class as SessionModel
 from . import home_core as HomeModel
-from . import session as SessionModel
+from .utils.utils import admin_user_active
 
 home_blueprint = Blueprint(
     'home',
@@ -13,19 +15,22 @@
 
 @home_blueprint.route("/")
 def home():
+    sess["admin_user"] = admin_user_active()
     if "query" in request.args:
         return render_template("home.html", query=request.args.get("query"))
     return render_template("home.html")
 
 @home_blueprint.route("/home/<sid>", methods=["GET", "POST"])
 def home_query(sid):
+    sess["admin_user"] = admin_user_active()
     if "query" in request.args:
         query = request.args.get("query")
         return render_template("home.html", query=query, sid=sid)
     return render_template("404.html")
 
 @home_blueprint.route("/query/<sid>")
 def query(sid):
+    sess["admin_user"] = admin_user_active()
     session = HomeModel.get_session(sid)
     flag=False
     if session:
@@ -159,38 +164,50 @@ def download(sid):
 
 
 
-
 @home_blueprint.route("/modules_config")
 def modules_config():
     """List all modules for configuration"""
-
-    return render_template("modules_config.html")
+    sess["admin_user"] = admin_user_active()
+    if sess.get("admin_user"):
+        if current_user.is_authenticated:
+            return render_template("modules_config.html")
+    return render_template("404.html")
 
 @home_blueprint.route("/modules_config_data")
 def modules_config_data():
     """List all modules for configuration"""
-
-    modules_config = HomeModel.get_modules_config()
-    return modules_config, 200
+    sess["admin_user"] = admin_user_active()
+    if sess.get("admin_user"):
+        if current_user.is_authenticated:
+            modules_config = HomeModel.get_modules_config()
+            return modules_config, 200
+    return {"message": "Permission denied"}, 403
 
 
 @home_blueprint.route("/change_config", methods=["POST"])
 def change_config():
     """Change configuation for a module"""
-    if "module_name" in request.json["result_dict"]:
-        res = HomeModel.change_config_core(request.json["result_dict"])
-        if res:
-            return {'message': 'Config changed', 'toast_class': "success-subtle"}, 200
-        return {'message': 'Something went wrong', 'toast_class': "danger-subtle"}, 400
-    return {'message': 'Need to pass "module_name"', 'toast_class': "warning-subtle"}, 400
+    sess["admin_user"] = admin_user_active()
+    if sess.get("admin_user"):
+        if current_user.is_authenticated:
+            if "module_name" in request.json["result_dict"]:
+                res = HomeModel.change_config_core(request.json["result_dict"])
+                if res:
+                    return {'message': 'Config changed', 'toast_class': "success-subtle"}, 200
+                return {'message': 'Something went wrong', 'toast_class': "danger-subtle"}, 400
+            return {'message': 'Need to pass "module_name"', 'toast_class': "warning-subtle"}, 400
+    return {'message': 'Permission denied', 'toast_class': "danger-subtle"}, 403
 
 @home_blueprint.route("/change_status", methods=["GET"])
 def change_status():
     """Change the status of a module, active or unactive"""
-    if "module_id" in request.args:
-        res = HomeModel.change_status_core(request.args.get("module_id"))
-        if res:
-            return {'message': 'Module status changed', 'toast_class': "success-subtle"}, 200
-        return {'message': 'Something went wrong', 'toast_class': "danger-subtle"}, 400
-    return {'message': 'Need to pass "module_id"', 'toast_class': "warning-subtle"}, 400
-
+    sess["admin_user"] = admin_user_active()
+    if sess.get("admin_user"):
+        if current_user.is_authenticated:
+            if "module_id" in request.args:
+                res = HomeModel.change_status_core(request.args.get("module_id"))
+                if res:
+                    return {'message': 'Module status changed', 'toast_class': "success-subtle"}, 200
+                return {'message': 'Something went wrong', 'toast_class': "danger-subtle"}, 400
+            return {'message': 'Need to pass "module_id"', 'toast_class': "warning-subtle"}, 400
+    return {'message': 'Permission denied', 'toast_class': "danger-subtle"}, 403
diff --git a/website/app/home_core.py b/website/app/home_core.py
@@ -1,5 +1,5 @@
 import json
-from .utils.utils import query_get_module, isUUID
+from .utils.utils import query_get_module
 from . import db
 from .db_class.db import History, Module, Config, Module_Config, Session_db, History_Tree
 from flask import session as sess

diff --git a/website/app/session.py → website/app/session_class.py b/website/app/session.py → website/app/session_class.py