require 'sinatra'
### Basic Routes
# Application settings are read once, when this file is loaded; edits to
# config.json require a process restart to take effect. The 'ldap',
# 'ldap_domain' and 'ldap_dc' keys are consumed by the login route below.
config_path = './config.json'
config_options = JSON.parse(File.read(config_path))
# 404 handler: a fixed message, so an unknown path reveals nothing about
# which routes exist.
not_found { "Sorry, I don't know this page." }
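# Generic 500 handler. Sinatra stores the raised exception in
# env['sinatra.error']; that is the exception *instance*, which has no
# `name` method, so calling `.name` on it raised NoMethodError inside the
# error handler itself. Report the exception's class name instead. Only the
# class is echoed to the browser, and only when show_exceptions is on; the
# message and backtrace stay in the process output.
error do
  if settings.show_exceptions
    'Error!' + env['sinatra.error'].class.name
  else
    'Error!! Check the process dump for the error or turn show_exceptions on to show in the web interface.'
  end
end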
# Authentication gate. Every path in this list redirects to the login page
# (/reports/list) unless the request carries a valid session; /reports/list
# itself is exempt so the login page stays reachable. Routes not in this
# list (/login, /no_access, and /reset, which verifies the session itself
# further down) are responsible for their own access control.
protected_paths = %w[/info /reports/* /report/* / /logout /admin/* /master/* /mapping/*]
protected_paths.each do |route|
  before route do
    login_page = '/reports/list'
    next if request.path_info == login_page
    redirect login_page unless valid_session?
  end
end
# Administrator-only areas: a caller with a valid session but without the
# administrator flag is sent to /no_access, which logs the attempt.
%w[/master/* /mapping/*].each do |admin_route|
  before admin_route do
    redirect to('/no_access') unless is_administrator?
  end
end
#######
# Landing page: the report list doubles as the login page.
get('/') { redirect to('/reports/list') }
# There is no standalone login form; GET /login lands on the report list.
# Authentication itself is handled by POST /login below.
get('/login') { redirect to('/reports/list') }
# Consultant profile page. A session whose username has no User row yet is
# given a minimal record (auth_type 'AD', type 'User', no admin rights) so
# the form has something to edit; the username comes from the validated
# session, not from the request.
get '/info' do
  name = get_username
  @user = User.first(username: name) || begin
    fresh = User.new
    fresh.auth_type = 'AD'
    fresh.username = name
    fresh.type = 'User'
    fresh.save
    fresh
  end
  @admin = true if is_administrator?
  @plugin = true if is_plugin?
  haml :info
end
# Persist the consultant profile for the logged-in user, creating the User
# row first if it does not exist (same provisioning as GET /info). Only the
# five profile columns are written, so unexpected form fields are ignored.
# The values are stored exactly as submitted, so the views that render them
# must escape on output.
# NOTE(review): no anti-CSRF token is checked in this handler; confirm that
# Rack::Protection (or an equivalent) covers this form.
post '/info' do
  name = get_username
  user = User.first(username: name)
  if user.nil?
    user = User.new
    user.auth_type = 'AD'
    user.username = name
    user.type = 'User'
  end
  user.consultant_name    = params[:name]
  user.consultant_title   = params[:title]
  user.consultant_company = params[:company]
  user.consultant_email   = params[:email]
  user.consultant_phone   = params[:phone]
  user.save
  serpico_log('Consultant info updated')
  redirect to('/info')
end
# Password-change form. /reset is not in the global session-check list, so
# the session is verified here explicitly.
get '/reset' do
  redirect '/reports/list' unless valid_session?
  if is_administrator?
    @admin = true
  end
  if is_plugin?
    @plugin = true
  end
  haml :reset
end
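# Change the logged-in user's own password. /reset is outside the global
# session-check list, so the session is verified here first. Directory
# (LDAP/AD) accounts are refused: their password lives in the directory.
# Checks run in order: account type, minimum length, confirmation match,
# then the current password. Each failure returns a plain-text message
# (HTTP 200) instead of re-rendering the form.
post '/reset' do
  redirect '/reports/list' unless valid_session?
  user = User.first(username: get_username)
  # A valid session whose User row is missing (the /info routes create it
  # lazily) would otherwise raise NoMethodError below; fail closed instead.
  return 'Unknown user.' unless user
  # check if they are an LDAP user
  if user.auth_type != 'Local'
    return 'You are an LDAP user. You cannot change your password.'
  end
  # Missing form fields are treated as empty strings so they fail the
  # length check rather than raising on nil.
  new_pass = params[:new_pass].to_s
  confirm = params[:new_pass_confirm].to_s
  # TODO add password complexity requirements -- a 4-character minimum is
  # far below any reasonable policy; a higher minimum and a check against a
  # breached-password list belong here.
  if new_pass.size < 4
    return 'Srsly? Your password must be greater than 3 characters.'
  end
  if new_pass != confirm
    return 'New password does not match.'
  end
  # Re-authenticate with the current password before accepting the change.
  unless User.authenticate(user.username, params[:old_pass])
    return 'Old password is incorrect.'
  end
  user.update(password: new_pass)
  @message = 'success'
  @admin = true if is_administrator?
  @plugin = true if is_plugin?
  serpico_log('Password successfully reset')
  haml :reset
end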
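# Authenticate and open a session. Local accounts are checked against the
# stored credential; any other known account is tried against the directory
# (simple bind as DOMAIN\username over LDAPS) when config.json has
# 'ldap' set to 'true'. Every outcome -- success, bad credentials, unknown
# user -- ends in the same redirect to '/', so the response does not reveal
# which usernames exist; outcomes are distinguished in the serpico log.
post '/login' do
  # `.to_s` makes an omitted form field count as an empty string, so the
  # empty-credential guard below cannot be skipped by leaving a field out.
  supplied_username = params[:username].to_s
  supplied_password = params[:password].to_s

  # The Sessions table holds one row per user (see /logout); logging in
  # replaces that row, which also invalidates any older session of the user.
  # TODO : This needs an expiration, session fixation -- the row is bound to
  # the *pre-authentication* Rack session id. Regenerating the Rack session
  # before this call, so that a session id established before login is never
  # promoted to an authenticated one, is the standard fix; the exact call
  # depends on the Rack session store in use and is left to a follow-up.
  open_session_for = lambda do |username|
    stale = Sessions.first(username: username)
    stale.destroy if stale
    current = Sessions.create(username: username, session_key: session[:session_id].to_s)
    current.save
  end

  user = User.first(username: params[:username])
  authenticated = false

  if user && user.auth_type == 'Local'
    usern = User.authenticate(params['username'], params['password'])
    if usern && session[:session_id]
      open_session_for.call(usern.to_s)
      serpico_log('Successful local login')
      authenticated = true
    end
  elsif user && config_options['ldap'].to_s == 'true'
    # Reject empty credentials before contacting the directory: an LDAP
    # simple bind with an empty password is an anonymous/unauthenticated
    # bind and may succeed, which would look like a valid login here.
    redirect to('/') if supplied_username.empty? || supplied_password.empty?
    data = url_escape_hash(request.POST)
    bind_dn = "#{config_options['ldap_domain']}\\#{data['username']}"
    # NOTE(review): confirm the installed net-ldap version verifies the
    # server certificate for :simple_tls; older releases did not, which lets
    # a man-in-the-middle capture the bind password. Passing tls_options
    # with verify_mode OpenSSL::SSL::VERIFY_PEER makes the intent explicit.
    ldap = Net::LDAP.new host: (config_options['ldap_dc']).to_s, port: 636, encryption: :simple_tls, auth: { method: :simple, username: bind_dn, password: supplied_password }
    if ldap.bind
      open_session_for.call(supplied_username)
      serpico_log('Successful LDAP login')
      authenticated = true
    end
  end

  # Record failed attempts as well, so brute-force or password-spraying
  # activity is visible in the log. The supplied password is never logged.
  serpico_log('Failed login attempt') unless authenticated
  redirect to('/')
end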
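## We use a persistent session table, one session per user; no end date
# End the current session: remove the Sessions row keyed by this cookie's
# session id, then reset the Rack session itself so the cookie that was
# just used cannot be replayed even if the table lookup is bypassed. The
# User row is looked up first because get_username depends on the session
# that is about to be destroyed.
get '/logout' do
  user = User.first(username: get_username)
  if session[:session_id]
    sess = Sessions.first(session_key: session[:session_id])
    sess.destroy if sess
  end
  session.clear
  # Double-quoted so the username is actually interpolated into the log
  # line; a single-quoted string would log the literal text '#{...}'.
  # A valid session without a User row is possible (see /info), hence the
  # nil check.
  who = user ? user.username : 'unknown'
  serpico_log("User #{who} logged out")
  redirect to('/')
end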
# Target of the administrator-only before filters: log the denied access
# and return a fixed plain-text refusal.
get '/no_access' do
  serpico_log('Low priv user tried to access admin resource')
  'Sorry. You Do Not have access to this resource.'
end