mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-28 08:03:36 +00:00
ba9af6ddff
- A freshly installed FreedomBox can be hijacked by a third party and an admin account can be created which can be used to inject malware or simply take over the instance. Password protecting the firstboot step is a good way to avoid this. A secret will be displayed to the user as soon as the Plinth package is installed, which they have to enter during firstboot welcome step. Also, writing this to a file in plinth's home in case the user loses it. - This protection is not applicable for images built by freedom-maker and for Amazon Machine Images. Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
48 lines
1.9 KiB
Python
48 lines
1.9 KiB
Python
#
|
|
# This file is part of FreedomBox.
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from django import forms
|
|
from django.utils.translation import ugettext_lazy as _
|
|
|
|
from plinth.modules import first_boot
|
|
|
|
|
|
class FirstbootWizardSecretForm(forms.Form):
|
|
"""Form to collect and validate the first boot wizard secret."""
|
|
secret = forms.CharField(
|
|
label='', help_text=_(
|
|
'Enter the secret generated during FreedomBox installation. '
|
|
'This secret can also be obtained from the file '
|
|
'/var/lib/plinth/firstboot-wizard-secret'), required=False,
|
|
widget=forms.PasswordInput(attrs={'placeholder': _('Secret')}))
|
|
|
|
def validate_secret(self, secret):
|
|
"""Match the secret provided by the user with the one
|
|
generated during installation.
|
|
"""
|
|
secret_file_path = first_boot.get_secret_file_path()
|
|
with open(secret_file_path) as secret_file:
|
|
if secret != secret_file.read().strip():
|
|
self.add_error('secret', 'Invalid secret')
|
|
|
|
def clean(self):
|
|
"""Override clean to add form validation logic."""
|
|
cleaned_data = super().clean()
|
|
if first_boot.firstboot_wizard_secret_exists():
|
|
self.validate_secret(cleaned_data.get("secret"))
|
|
return cleaned_data
|