mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-21 07:55:00 +00:00
770974c8ce
- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds only and optional dependency on django-ipware. Adding explicit dependency make the behavior safer. - Depend on django-axes >= 5 where the authentication backend and other features are available. The new code won't work with older versions. The new approach uses and authentication backend to deny access to the login form on lockout and a middleware to redirect user to locked out form when limit of attempts have been reached. - Drop old code used for compatibility with django-axes 3.x. - Suppress verbose and debug messages as django-axes is too chatty. - Re-implment the CAPTCHA form entirely. In the old style, we have a login form with CAPTCHA field. That would not work with the new django-axes authentication middle. On submission of the form, auth.authenticate() will be called. This call invokes various authentication backends include django-axes authentication backend. This backend's behavior is to reject all authentication attempts when the IP is listed in locked table. The new approach is to provide a simple CAPTCHA form with just the CAPTCHA field. If the form is successfully validated (correct CAPTCHA is provided), then the lock on the IP address is reset. The user is then free to perform 3 more attempts to login. - Update firstboot form to send the request parameter when using auth.authenticate() method. This needed by Django axes' authentication method which will be triggered. Tests: - Run tests on Debian Bookworm and Debian testing. - Axes verbose messages and debug messages are not printed on the console when running FreedomBox in debug mode. - Only three invalid attempts are allowed at the login page. After the final incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page using the URL works but entering the correct credentials still takes the user to CAPTCHA page. - CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct CAPTCHA takes the user to login form where they are able to login with correct credentials. Entering incorrect credentials 3 times will take the user again to CAPTCHA page. - Creating user account during firstboot works. - Blocked IP address the IP of the client such as 10.42.0.1 and not the local IP address 127.0.0.1 according the django-axes log messages. While one client IP address is blocked, another IP is able to login to the same user account that was attempted by the blocked client. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
177 lines
4.7 KiB
Python
177 lines
4.7 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""
|
|
Miscellaneous utility methods.
|
|
"""
|
|
|
|
import gzip
|
|
import importlib
|
|
import os
|
|
import random
|
|
import re
|
|
import string
|
|
|
|
import markupsafe
|
|
import ruamel.yaml
|
|
from django.utils.functional import lazy
|
|
|
|
from plinth.version import Version # noqa
|
|
|
|
|
|
def import_from_gi(library, version):
|
|
"""Import and return a GObject introspection library."""
|
|
try:
|
|
import gi as package
|
|
package_name = 'gi'
|
|
except ImportError:
|
|
import pgi as package
|
|
package_name = 'pgi'
|
|
|
|
package.require_version(library, version)
|
|
|
|
return importlib.import_module(package_name + '.repository.' + library)
|
|
|
|
|
|
def _format_lazy(string, *args, **kwargs):
|
|
"""Lazily format a lazy string."""
|
|
allow_markup = kwargs.pop('allow_markup', False)
|
|
string = str(string)
|
|
string = string.format(*args, **kwargs)
|
|
if allow_markup:
|
|
string = markupsafe.Markup(string)
|
|
|
|
return string
|
|
|
|
|
|
format_lazy = lazy(_format_lazy, str)
|
|
|
|
|
|
def non_admin_view(func):
|
|
"""Decorator to mark a view as accessible by non-admin users."""
|
|
setattr(func, 'IS_NON_ADMIN', True)
|
|
return func
|
|
|
|
|
|
def user_group_view(func, group_name):
|
|
"""Decorator to mark a view as accessible by admin or group users."""
|
|
setattr(func, 'GROUP_NAME', group_name)
|
|
return func
|
|
|
|
|
|
def is_valid_user_name(user_name):
|
|
"""Check if the given username is valid.
|
|
|
|
Note: Debian is VERY flexible with user names.
|
|
"""
|
|
if 32 < len(user_name):
|
|
return False
|
|
|
|
if user_name.startswith('-'):
|
|
return False
|
|
|
|
for forbidden in (' \n\t/\\:'):
|
|
if forbidden in user_name:
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def is_user_admin(request, cached=False):
|
|
"""Return whether user is an administrator."""
|
|
if not request.user.is_authenticated:
|
|
return False
|
|
|
|
if 'cache_user_is_admin' in request.session and cached:
|
|
return request.session['cache_user_is_admin']
|
|
|
|
user_is_admin = request.user.groups.filter(name='admin').exists()
|
|
request.session['cache_user_is_admin'] = user_is_admin
|
|
return user_is_admin
|
|
|
|
|
|
class YAMLFile:
|
|
"""A context management class for updating YAML files"""
|
|
|
|
def __init__(self, yaml_file):
|
|
"""Return a context object for the YAML file.
|
|
|
|
Parameters:
|
|
yaml_file - the YAML file to update.
|
|
updating the YAML file.
|
|
"""
|
|
self.yaml_file = yaml_file
|
|
self.conf = None
|
|
|
|
self.yaml = ruamel.yaml.YAML()
|
|
self.yaml.preserve_quotes = True
|
|
|
|
def __enter__(self):
|
|
with open(self.yaml_file, 'r', encoding='utf-8') as intro_conf:
|
|
if not self.is_file_empty():
|
|
self.conf = self.yaml.load(intro_conf)
|
|
else:
|
|
self.conf = {}
|
|
|
|
return self.conf
|
|
|
|
def __exit__(self, type_, value, traceback):
|
|
if not traceback:
|
|
with open(self.yaml_file, 'w', encoding='utf-8') as intro_conf:
|
|
self.yaml.dump(self.conf, intro_conf)
|
|
|
|
def is_file_empty(self):
|
|
return os.stat(self.yaml_file).st_size == 0
|
|
|
|
|
|
def random_string(size=8):
|
|
"""Generate a random alphanumeric string."""
|
|
chars = (random.SystemRandom().choice(string.ascii_letters)
|
|
for _ in range(size))
|
|
return ''.join(chars)
|
|
|
|
|
|
def generate_password(size=32):
|
|
"""Generate a random password using ascii alphabet and digits."""
|
|
chars = (random.SystemRandom().choice(string.ascii_letters + string.digits)
|
|
for _ in range(size))
|
|
return ''.join(chars)
|
|
|
|
|
|
def grep(pattern, file_name):
|
|
"""Return lines of a file matching a pattern."""
|
|
return [
|
|
line.rstrip() for line in open(file_name, encoding='utf-8')
|
|
if re.search(pattern, line)
|
|
]
|
|
|
|
|
|
def gunzip(gzip_file, output_file):
|
|
"""Utility to unzip a given gzip file and write it to an output file
|
|
|
|
gzip_file: string path to a gzip file
|
|
output_file: string path to the output file
|
|
mode: an octal number to specify file permissions
|
|
"""
|
|
output_dir = os.path.dirname(output_file)
|
|
if not os.path.exists(output_dir):
|
|
os.makedirs(output_dir, mode=0o755)
|
|
|
|
with gzip.open(gzip_file, 'rb') as file_handle:
|
|
contents = file_handle.read()
|
|
|
|
def opener(path, flags):
|
|
return os.open(path, flags, mode=0o644)
|
|
|
|
with open(output_file, 'wb', opener=opener) as file_handle:
|
|
file_handle.write(contents)
|
|
|
|
|
|
def is_non_empty_file(file_path):
|
|
return os.path.isfile(file_path) and os.path.getsize(file_path) > 0
|
|
|
|
|
|
def is_authenticated_user(username, password):
|
|
"""Return true if the user authentication succeeds."""
|
|
import pam # Minimize dependencies for running tests
|
|
pam_authenticator = pam.pam()
|
|
return bool(pam_authenticator.authenticate(username, password))
|