Commit 0f7d5b14 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

allow to list users from LDAP and Local backend

parent 8ae41207
......@@ -78,9 +78,9 @@ class AuthUsers(Resource):
parser_add.add_argument('backend', required=True, help='Backend', location='values')
parser_mod = ns.parser()
parser_mod.add_argument('password', required=True, help='Password', location=('values', 'json'))
parser_mod.add_argument('backend', required=True, help='Backend', location=('values', 'json'))
parser_mod.add_argument('old_password', required=False, help='Old password', location=('values', 'json'))
parser_mod.add_argument('password', required=True, help='Password', location='values')
parser_mod.add_argument('backend', required=True, help='Backend', location='values')
parser_mod.add_argument('old_password', required=False, help='Old password', location='values')
parser_del = ns.parser()
parser_del.add_argument('backend', required=True, help='Backend', location='values')
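Review bot: Moving `password` and `old_password` to `location='values'` makes them readable from the query string as well as the form body (Flask's request.values merges both), so a client can pass the password in the URL, where it lands in proxy and access logs — the gunicorn access_log_format touched in this same commit records the request line via `%(r)s`. Restricting the secret-bearing arguments to the body avoids that: `parser_mod.add_argument('password', required=True, help='Password', location='form')` and likewise for `old_password`; `backend` can stay on `'values'`. If the front end posts JSON, `location=('form', 'json')` would be needed instead — the hunk does not show why 'json' was dropped. The AuthUsers class and the `parser_add` definition begin outside the hunk.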
......
......@@ -296,7 +296,9 @@ def create_app(conf=None, verbose=0, logfile=None, **kwargs):
)
else:
LOG_FORMAT = (
'-' * 80 + '\n' +
'-' * 27 +
'[%(asctime)s]' +
'-' * 28 + '\n' +
'%(levelname)s in %(module)s.%(funcName)s ' +
'[%(pathname)s:%(lineno)d]:\n' +
'%(message)s\n' +
......@@ -467,7 +469,7 @@ def create_app(conf=None, verbose=0, logfile=None, **kwargs):
cache.init_app(app)
try:
# Limiter setup
if app.limiter or str(app.limiter).lower() not \
if app.limiter and str(app.limiter).lower() not \
in ['none', 'false']: # pragma: no cover
from .ext.limit import limiter
app.config['RATELIMIT_HEADERS_ENABLED'] = True
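Review bot: The corrected condition on the `if app.limiter and ...` line is split with a backslash right before `in`, which reads as if `not` and `in` were separate operators; binding the condition to a name keeps it on one logical line: `limiter_enabled = app.limiter and str(app.limiter).lower() not in ('none', 'false')` followed by `if limiter_enabled:  # pragma: no cover`. Strings such as `'0'` or `'off'` still pass this test and would enable the limiter, which may or may not be intended. create_app continues on both sides of the hunk, and the `try:` opened here is closed outside it.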
......
......@@ -2,6 +2,7 @@
import os
from ...sessions import session_manager
from ...utils import is_uuid
from .interface import BUIhandler, BUIuser
from importlib import import_module
......@@ -79,8 +80,11 @@ class UserHandler(BUIuser):
self.language = session.get('language', None)
self.backends = backends
self.back = None
self.name = session_manager.get_session_username() or \
session.get('login') or name
if not is_uuid(name):
self.name = name
else:
self.name = session_manager.get_session_username() or \
session.get('login')
self.real = None
self.admin = not self.app.acl
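Review bot: When `name` is a uuid and the session carries neither a username nor a `login`, `self.name` is now None, whereas the old expression fell back to `name` as a last resort; nothing in the hunk guards that case before `self.name` is used. If a uuid-shaped `name` is meant to be a session id rather than a login, say so on the branch: `# a uuid here is a session id, not a login: resolve the real user from the session`. `is_uuid(name)` is also evaluated when `name` is None, if the constructor allows that default — confirm is_uuid copes with None. The constructor's signature and the rest of its body are outside the hunk.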
......
......@@ -90,6 +90,7 @@ class LdapLoader(BUIloader):
self.version = get_ssl_version(self.version)
if not self.version:
self.logger.warning('No SSL version chosen')
self.users = []
self.tls = None
self.ssl = False
self.auto_bind = AUTO_BIND_NONE
......@@ -121,12 +122,16 @@ class LdapLoader(BUIloader):
self.ldap = Connection(self.server, user=self.binddn, password=self.bindpw, raise_exceptions=True, client_strategy=RESTARTABLE, auto_bind=self.auto_bind, authentication=SIMPLE)
else:
self.ldap = Connection(self.server, raise_exceptions=True, client_strategy=RESTARTABLE, auto_bind=self.auto_bind)
okay = False
with self.ldap:
self.logger.debug('LDAP Connection = {0}'.format(str(self.ldap)))
self.logger.info('OK, connected to LDAP')
return
okay = True
raise Exception('Not connected')
if not okay:
raise Exception('Not connected')
self._prefetch()
except Exception as e:
self.logger.error('Could not connect to LDAP: {0}'.format(str(e)))
self.server = None
......@@ -139,13 +144,16 @@ class LdapLoader(BUIloader):
if self.ldap and self.ldap.bound:
self.ldap.unbind()
def fetch(self, searchval=None):
def fetch(self, searchval=None, uniq=True):
""":func:`burpui.misc.auth.ldap.LdapLoader.fetch` searches for a user
object in the LDAP server.
:param searchval: attribute value to search for
:type searchval: str
:param uniq: only return one result
:type uniq: bool
:returns: dictionary of `distinguishedName` and `commonName` attributes for the
user if found, otherwise None.
"""
......@@ -166,12 +174,24 @@ class LdapLoader(BUIloader):
self.logger.error('Ooops, LDAP lookup failed: {0}'.format(str(e)))
return None
if not uniq:
return r
for record in r:
attrs = record['attributes']
if self.attr in attrs and searchval in attrs[self.attr]:
self.logger.info('Found DN: {0}'.format(record['dn']))
return {'dn': record['dn'], 'cn': attrs['cn'][0]}
def _prefetch(self):
"""Prefetch all users that match the filter/base"""
self.users = []
results = self.fetch('*', False) or []
for record in results:
attrs = record['attributes']
if self.attr in attrs:
self.users.append(attrs[self.attr][0])
def check(self, dn=None, passwd=None):
""":func:`burpui.misc.auth.ldap.LdapLoader.check` authenticates a user
against the LDAP server.
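Review bot: The new `self._prefetch()` call sits inside the connection `try`, so any failure while enumerating users (a search error, a size limit exceeded, an entry without the expected attribute) is caught by the `except Exception` below, logged as 'Could not connect to LDAP' and sets `self.server = None`, disabling the backend although the bind succeeded. Giving the listing its own `try` keeps a prefetch problem from taking the backend down and only leaves `self.users` empty, as sketched below. Separately, `self.fetch('*', False)` passes `uniq` positionally (`uniq=False` reads better), and because `fetch` returns the raw result list when `uniq` is false, `_prefetch` assumes every entry has an `attributes` key — worth confirming for whatever result type `fetch` builds, since its search body is outside the hunk. The `okay` flag looks redundant: an exception inside the `with self.ldap:` block propagates to the except clause, so `if not okay:` is presumably never true after a normal exit. The connecting method starts and ends outside the hunk.
```python
            # … unchanged: Connection setup and the `with self.ldap:` block …
            if not okay:
                raise Exception('Not connected')
            # a listing failure must not disable a backend that did connect
            try:
                self._prefetch()
            except Exception as e:
                self.logger.warning('Could not list LDAP users: {0}'.format(str(e)))
                self.users = []
        except Exception as e:
            self.logger.error('Could not connect to LDAP: {0}'.format(str(e)))
            self.server = None
```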
......
# -*- coding: utf8 -*-
import os
import pwd
import sys
from .interface import BUIhandler, BUIuser, BUIloader
......@@ -21,6 +22,7 @@ class LocalLoader(BUIloader):
self.app = app
self.users = None
handler.name = self.name
limit = 1000
conf = self.app.conf
if self.section in conf.options:
# Maybe the handler argument is None, maybe the 'priority'
......@@ -38,8 +40,21 @@ class LocalLoader(BUIloader):
cast='force_list',
section=self.section
)
limit = conf.safe_get(
'limit',
cast='integer',
section=self.section,
defaults={self.section: {'limit': limit}}
)
if users != [None]:
self.users = users
if self.users is None:
self.users = []
for user in pwd.getpwall():
if user[2] >= limit:
self.users.append(user[0])
self.logger.debug('Local users: ' + str(self.users))
def fetch(self, uid=None):
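Review bot: The uid threshold at `if user[2] >= limit:` admits uid == limit, while the new comments in the two configuration docs of this commit say "uid greater than limit"; since the same docs describe `limit` as the "Minimum uid that will be allowed", the code looks right and the doc comments should read `# with uid greater than or equal to limit will be able to login`. Enumerating `pwd.getpwall()` with only a lower bound also sweeps in non-login accounts above the threshold — on common distributions `nobody` has uid 65534 — and they end up in `self.users` as permitted logins; skipping accounts whose shell is a nologin/false shell, or adding an upper bound, would keep the list to real users. `user[2]` and `user[0]` are clearer as `user.pw_uid` and `user.pw_name`. The constructor begins before the hunk and `fetch` follows it.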
......
......@@ -149,9 +149,9 @@ tmp_upload_dir = None
# A string of "debug", "info", "warning", "error", "critical"
#
errorlog = '/var/log/gunicorn/burp-ui_access.log'
errorlog = '/var/log/gunicorn/burp-ui_error.log'
loglevel = 'error'
accesslog = '/var/log/gunicorn/burp-ui_error.log'
accesslog = '/var/log/gunicorn/burp-ui_access.log'
access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
#
......
......@@ -554,9 +554,11 @@ Now you can add *local* specific options:
[LOCAL]
# Backend priority. Higher is first
priority = 3
# List of local users allowed to login. If you don't set this setting, every
# local user will be able to login
# List of local users allowed to login. If you don't set this setting, users
# with uid greater than limit will be able to login
users = user1,user2
# Minimum uid that will be allowed to login
limit = 1000
ACL
......
......@@ -205,9 +205,11 @@ noserverrestore = false
#[LOCAL]
## Backend priority. Higher is first
#priority: 3
## List of local users allowed to login. If you don't set this setting, every
## local user will be able to login
## List of local users allowed to login. If you don't set this setting, users
## with uid greater than limit will be able to login
#users: user1,user2
## Minimum uid that will be allowed to login
#limit: 1000
## basicacl specific options
## Note: in case you leave this section commented, the user 'admin' will have
......