authorvuko <vuko@hackerspace.pl>2021-01-11 12:32:47 +0100
committervuko <vuko@hackerspace.pl>2021-01-11 12:32:47 +0100
commit6780e85614ddd1c3c196d2afeb74a8612f878a34 (patch)
treee8eb6c7a8d4d8a06689e8482301cf89176f5ea80
parent84e8475fc01782de779422e405348e18d983e2ac (diff)
authorization bypass in debug mode
-rw-r--r--at/web.py55
1 files changed, 44 insertions, 11 deletions
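diff --git a/at/web.py b/at/web.py
index 098c5c8..e30c13e 100644
--- a/at/web.py
+++ b/at/web.py
@@ -5,7 +5,8 @@ from datetime import datetime
 from typing import NamedTuple, Iterable, Iterator, List
 from functools import wraps
 from flask import Flask, render_template, abort, g, \
- redirect, request, url_for, make_response
+ redirect, request, url_for, make_response, send_file
+from base64 import b64decode
 from spaceauth import SpaceAuth, login_required, current_user, cap_required
@@ -57,6 +58,37 @@ def app(instance_path, devices_api, config):
 app.space_auth = SpaceAuth(app)
+
+ def auth_get_user():
+ if config.get('DEBUG', False):
+ if "User" in request.headers:
+ return request.headers.get("User")
+ if "Authorization" in request.headers:
+ raw = b64decode(request.headers.get('Authorization').split(' ')[1])
+ app.logger.info(f'Raw authorization: {raw!s}')
+ return raw.decode().split(':')[0]
+ app.logger.info(request.headers)
+ raise Exception('username not supplied')
+ else:
+ return current_user.id
+
+ def auth_login_required(f):
+ if config.get('DEBUG', False):
+ @wraps(f)
+ def wrapper(*args, **kwargs):
+ try:
+ auth_get_user()
+ except Exception:
+ app.logger.exception("auth get exception")
+ response = make_response('', 401)
+ response.headers['WWW-Authenticate'] = 'Basic realm="at.hackerspace.pl", charset="UTF-8"'
+ return response
+ return f(*args, **kwargs)
+ return wrapper
+ else:
+ return login_required(f)
+
+
 def restrict_ip(prefixes : List[str] = [], exclude : List[str] = []):
 def decorator(f):
 @wraps(f)
@@ -165,7 +197,7 @@ def app(instance_path, devices_api, config):
 @app.route('/claim', methods=['GET'])
 @restrict_to_hs
- @login_required
+ @auth_login_required
 def claim_form():
 hwaddr, name = app.updater.get_device(v4addr())
 return render_template('claim.html', hwaddr=hwaddr, name=name)
@@ -178,14 +210,14 @@ def app(instance_path, devices_api, config):
 @app.route('/claim', methods=['POST'])
 @restrict_to_hs
- @login_required
+ @auth_login_required
 def claim():
 hwaddr, lease_name = app.updater.get_device(v4addr())
 ctx = None
 if not hwaddr:
 ctx = dict(error='Invalid device.')
 else:
- login = current_user.id
+ login = auth_get_user()
 try:
 g.db.execute('''
 insert into devices (hwaddr, name, owner, ignored) values (?, ?, ?, ?)''',
@@ -207,9 +239,9 @@ def app(instance_path, devices_api, config):
 @app.route('/account', methods=['GET'])
- @login_required
+ @auth_login_required
 def account():
- devices = get_user_devices(g.db, current_user.id)
+ devices = get_user_devices(g.db, auth_get_user())
 return render_template('account.html', devices=devices)
@@ -225,9 +257,9 @@ def app(instance_path, devices_api, config):
 [hwaddr, user])
 @app.route('/devices/<id>/<action>/')
- @login_required
+ @auth_login_required
 def device(id, action):
- user = current_user.id
+ user = auth_get_user()
 if action == 'hide':
 set_ignored(g.db, id, user, True)
 if action == 'show':
@@ -242,8 +274,9 @@ def app(instance_path, devices_api, config):
 def admin():
 data = now_at()
 return render_template('admin.html', data=data)
+
+ @app.route('/static/css/basic.css')
+ def css():
+ return send_file(str(Path('./static/css/basic.css').absolute()))
 return app
-
-#if __name__ == '__main__':
-# app(Path.cwd().absolute()).run('0.0.0.0', 8080, debug=True)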
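Review bot: In the second hunk, `auth_get_user` writes the fully decoded Basic credentials to the application log at info level (`app.logger.info(f'Raw authorization: {raw!s}')`), and on the fall-through path logs the whole request header set, so a debug-mode instance records whatever password a browser sends along with every other header. Log only the part that is actually used, e.g. `username = raw.decode().split(':')[0]` followed by `app.logger.info('Debug auth user: %s', username)`, and drop or reduce the `app.logger.info(request.headers)` line to header names. Accepting the `User` and `Authorization` headers without any credential check is the stated intent of the commit, but the whole bypass hinges on the truthiness of `config.get('DEBUG', False)`; a comment above `auth_get_user` stating that this path must only ever be active on a private development instance would make that trade-off explicit to the next maintainer. Both helpers are nested inside `app(...)`, whose definition starts outside the hunk.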