allow to list users from LDAP and Local backend

burpui/api/admin.py

@@ -78,9 +78,9 @@ class AuthUsers(Resource):
     parser_add.add_argument('backend', required=True, help='Backend', location='values')
 
     parser_mod = ns.parser()
-    parser_mod.add_argument('password', required=True, help='Password', location=('values', 'json'))
-    parser_mod.add_argument('backend', required=True, help='Backend', location=('values', 'json'))
-    parser_mod.add_argument('old_password', required=False, help='Old password', location=('values', 'json'))
+    parser_mod.add_argument('password', required=True, help='Password', location='values')
+    parser_mod.add_argument('backend', required=True, help='Backend', location='values')
+    parser_mod.add_argument('old_password', required=False, help='Old password', location='values')
 
     parser_del = ns.parser()
     parser_del.add_argument('backend', required=True, help='Backend', location='values')

burpui/app.py

@@ -296,7 +296,9 @@ def create_app(conf=None, verbose=0, logfile=None, **kwargs):
         )
     else:
         LOG_FORMAT = (
-            '-' * 80 + '\n' +
+            '-' * 27 +
+            '[%(asctime)s]' +
+            '-' * 28 + '\n' +
             '%(levelname)s in %(module)s.%(funcName)s ' +
             '[%(pathname)s:%(lineno)d]:\n' +
             '%(message)s\n' +
@@ -467,7 +469,7 @@ def create_app(conf=None, verbose=0, logfile=None, **kwargs):
             cache.init_app(app)
         try:
             # Limiter setup
-            if app.limiter or str(app.limiter).lower() not \
+            if app.limiter and str(app.limiter).lower() not \
                     in ['none', 'false']:  # pragma: no cover
                 from .ext.limit import limiter
                 app.config['RATELIMIT_HEADERS_ENABLED'] = True

burpui/misc/auth/handler.py

@@ -2,6 +2,7 @@
 import os
 
 from ...sessions import session_manager
+from ...utils import is_uuid
 from .interface import BUIhandler, BUIuser
 
 from importlib import import_module
@@ -79,8 +80,11 @@ class UserHandler(BUIuser):
         self.language = session.get('language', None)
         self.backends = backends
         self.back = None
-        self.name = session_manager.get_session_username() or \
-            session.get('login') or name
+        if not is_uuid(name):
+            self.name = name
+        else:
+            self.name = session_manager.get_session_username() or \
+                session.get('login')
         self.real = None
         self.admin = not self.app.acl
 

burpui/misc/auth/ldap.py

@@ -90,6 +90,7 @@ class LdapLoader(BUIloader):
         self.version = get_ssl_version(self.version)
         if not self.version:
             self.logger.warning('No SSL version chosen')
+        self.users = []
         self.tls = None
         self.ssl = False
         self.auto_bind = AUTO_BIND_NONE
@@ -121,12 +122,16 @@ class LdapLoader(BUIloader):
                 self.ldap = Connection(self.server, user=self.binddn, password=self.bindpw, raise_exceptions=True, client_strategy=RESTARTABLE, auto_bind=self.auto_bind, authentication=SIMPLE)
             else:
                 self.ldap = Connection(self.server, raise_exceptions=True, client_strategy=RESTARTABLE, auto_bind=self.auto_bind)
+            okay = False
             with self.ldap:
                 self.logger.debug('LDAP Connection = {0}'.format(str(self.ldap)))
                 self.logger.info('OK, connected to LDAP')
-                return
+                okay = True
 
-            raise Exception('Not connected')
+            if not okay:
+                raise Exception('Not connected')
+
+            self._prefetch()
         except Exception as e:
             self.logger.error('Could not connect to LDAP: {0}'.format(str(e)))
             self.server = None
@@ -139,13 +144,16 @@ class LdapLoader(BUIloader):
         if self.ldap and self.ldap.bound:
             self.ldap.unbind()
 
-    def fetch(self, searchval=None):
+    def fetch(self, searchval=None, uniq=True):
         """:func:`burpui.misc.auth.ldap.LdapLoader.fetch` searches for a user
         object in the LDAP server.
 
         :param searchval: attribute value to search for
         :type searchval: str
 
+        :param uniq: only return one result
+        :type uniq: bool
+
         :returns: dictionary of `distinguishedName` and `commonName` attributes for the
         user if found, otherwise None.
         """
@@ -166,12 +174,24 @@ class LdapLoader(BUIloader):
             self.logger.error('Ooops, LDAP lookup failed: {0}'.format(str(e)))
             return None
 
+        if not uniq:
+            return r
+
         for record in r:
             attrs = record['attributes']
             if self.attr in attrs and searchval in attrs[self.attr]:
                 self.logger.info('Found DN: {0}'.format(record['dn']))
                 return {'dn': record['dn'], 'cn': attrs['cn'][0]}
 
+    def _prefetch(self):
+        """Prefetch all users that match the filter/base"""
+        self.users = []
+        results = self.fetch('*', False) or []
+        for record in results:
+            attrs = record['attributes']
+            if self.attr in attrs:
+                self.users.append(attrs[self.attr][0])
+
     def check(self, dn=None, passwd=None):
         """:func:`burpui.misc.auth.ldap.LdapLoader.check` authenticates a user
         against the LDAP server.

burpui/misc/auth/local.py

 # -*- coding: utf8 -*-
 import os
+import pwd
 import sys
 
 from .interface import BUIhandler, BUIuser, BUIloader
@@ -21,6 +22,7 @@ class LocalLoader(BUIloader):
         self.app = app
         self.users = None
         handler.name = self.name
+        limit = 1000
         conf = self.app.conf
         if self.section in conf.options:
             # Maybe the handler argument is None, maybe the 'priority'
@@ -38,8 +40,21 @@ class LocalLoader(BUIloader):
                 cast='force_list',
                 section=self.section
             )
+            limit = conf.safe_get(
+                'limit',
+                cast='integer',
+                section=self.section,
+                defaults={self.section: {'limit': limit}}
+            )
             if users != [None]:
                 self.users = users
+
+        if self.users is None:
+            self.users = []
+            for user in pwd.getpwall():
+                if user[2] >= limit:
+                    self.users.append(user[0])
+
         self.logger.debug('Local users: ' + str(self.users))
 
     def fetch(self, uid=None):

contrib/gunicorn/burpui_gunicorn.py

@@ -149,9 +149,9 @@ tmp_upload_dir = None
 #       A string of "debug", "info", "warning", "error", "critical"
 #
 
-errorlog = '/var/log/gunicorn/burp-ui_access.log'
+errorlog = '/var/log/gunicorn/burp-ui_error.log'
 loglevel = 'error'
-accesslog = '/var/log/gunicorn/burp-ui_error.log'
+accesslog = '/var/log/gunicorn/burp-ui_access.log'
 access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
 
 #

docs/advanced_usage.rst

@@ -554,9 +554,11 @@ Now you can add *local* specific options:
     [LOCAL]
     # Backend priority. Higher is first
     priority = 3
-    # List of local users allowed to login. If you don't set this setting, every
-    # local user will be able to login
+    # List of local users allowed to login. If you don't set this setting, users
+    # with uid greater than limit will be able to login
     users = user1,user2
+    # Minimum uid that will be allowed to login
+    limit = 1000
 
 
 ACL

share/burpui/etc/burpui.sample.cfg

@@ -205,9 +205,11 @@ noserverrestore = false
 #[LOCAL]
 ## Backend priority. Higher is first
 #priority: 3
-## List of local users allowed to login. If you don't set this setting, every 
-## local user will be able to login
+## List of local users allowed to login. If you don't set this setting, users
+## with uid greater than limit will be able to login
 #users: user1,user2
+## Minimum uid that will be allowed to login
+#limit: 1000
 
 ## basicacl specific options
 ## Note: in case you leave this section commented, the user 'admin' will have