- ServerName https:// %(project_url)s:443
+ ServerName https://%(project_url)s:443
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Possible values: debug, info, notice, warn, error, crit, alert, emerg.
diff --git a/app/redidropper/routes/api.py b/app/redidropper/routes/api.py
index 480d0f1..a08ce59 100644
--- a/app/redidropper/routes/api.py
+++ b/app/redidropper/routes/api.py
@@ -183,7 +183,9 @@ def download_file():
@app.route('/api/save_user', methods=['POST'])
@login_required
def api_save_user():
- """ Save a new user to the database """
+ """ Save a new user to the database
+ TODO: Add support for reading a password field
+ """
email = request.form['email']
first = request.form['first']
last = request.form['last']
@@ -201,11 +203,14 @@ def api_save_user():
return utils.jsonify_error(
{'message': 'Sorry. This email is already taken.'})
- # @TODO: fix hardcoded values
- # salt, hashed_pass = generate_auth(app.config['SECRET_KEY'], password)
+ # @TODO: use a non-gatorlink password here
+ password = email
+ salt, password_hash = utils.generate_auth(app.config['SECRET_KEY'],
+ password)
added_date = datetime.today()
access_end_date = utils.get_expiration_date(180)
+ # Note: we store the salt as a prefix
user = UserEntity.create(email=email,
first=first,
last=last,
@@ -213,7 +218,7 @@ def api_save_user():
added_at=added_date,
modified_at=added_date,
access_expires_at=access_end_date,
- password_hash="")
+ password_hash="{}:{}".format(salt, password_hash))
user_roles = []
try:
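Review bot: `password = email` gives every account created through this endpoint an initial password equal to its public identifier, so anyone who knows a user's email can log in as that user until the password is changed, and nothing in the hunk forces a change; the @TODO marks it, but this is a live login path, not a placeholder. Generate a random temporary credential instead, e.g. `password = binascii.hexlify(os.urandom(16))`, and hand it to the user through whatever channel the project uses for invitations (not visible here). The stored form `"{}:{}".format(salt, password_hash)` is reasonable, but the reader on the login side should recover the two parts with `split(':', 1)` rather than by character position, so a change in `_create_salt`'s output length cannot silently break verification. api_save_user continues outside the hunk.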
diff --git a/app/redidropper/routes/pages.py b/app/redidropper/routes/pages.py
index 5cbd46f..a109102 100644
--- a/app/redidropper/routes/pages.py
+++ b/app/redidropper/routes/pages.py
@@ -167,9 +167,14 @@ def render_login_local():
LogEntity.login(uuid, "No such email: {}".format(email))
return redirect(url_for('index'))
- # if utils.is_valid_auth(app.config['SECRET_KEY'], auth.uathSalt,
- # password, auth.uathPassword):
- if '' == user.password_hash:
+ password_hash = user.password_hash
+
+ # @TODO: enforce the `local password` policy
+ if '' == password_hash or \
+ utils.is_valid_auth(app.config['SECRET_KEY'],
+ password_hash[0:16],
+ password,
+ password_hash[17:]):
app.logger.info('Log login event for: {}'.format(user))
LogEntity.login(uuid, 'Successful login via email/password')
login_user(user, remember=False, force=False)
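Review bot: `'' == password_hash or utils.is_valid_auth(...)` still logs in any caller who supplies an existing email and an arbitrary password whenever the stored hash is empty, so every user row created before this change (the README's "login as admin@example.com with any password") stays open; the new HMAC check protects only rows that already have a hash. Drop the empty-hash short-circuit, or gate it behind an explicit development-only setting, e.g. `if password_hash and utils.is_valid_auth(app.config['SECRET_KEY'], salt, password, stored_hash):`. The slices `password_hash[0:16]` and `password_hash[17:]` hard-code a 16-character salt and would fail silently (wrong salt and wrong hash, no error) if the salt length ever changed; `salt, stored_hash = password_hash.split(':', 1)` keeps the reader in sync with the `"{}:{}"` writer. render_login_local starts and ends outside the hunk.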
@@ -181,6 +186,7 @@ def render_login_local():
else:
app.logger.info('Incorrect pass for: {}'.format(user))
LogEntity.login_error(uuid, 'Incorrect pass for: {}'.format(user))
+ utils.flash_error("Incorrect username/password.")
# When sending a GET request render the login form
return render_template('index.html', form=form,
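Review bot: The new `utils.flash_error("Incorrect username/password.")` fires only on the wrong-password branch, while the unknown-email path in the previous hunk redirects to index with no message, so the two failures remain distinguishable to a client and reveal which emails have accounts. If the message is meant to be generic, flash the same text on both paths and return the same response from both. The log line `'Incorrect pass for: {}'.format(user)` relies on UserEntity's string form, which is not visible here; confirm it does not include the stored hash. render_login_local starts outside the hunk.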
diff --git a/app/redidropper/routes/users.py b/app/redidropper/routes/users.py
index c8935ef..948811e 100644
--- a/app/redidropper/routes/users.py
+++ b/app/redidropper/routes/users.py
@@ -88,11 +88,11 @@ def get_user_links():
'logout': ('logout', 'Logout'),
}
role = get_highest_role()
+ # print "highest role: {}".format(role)
+
if role is None:
return []
- print "highest role: {}".format(role)
-
if ROLE_ADMIN == role:
links = [pages['admin'],
pages['upload_files'],
diff --git a/app/redidropper/utils.py b/app/redidropper/utils.py
index 3b7d310..a877afa 100644
--- a/app/redidropper/utils.py
+++ b/app/redidropper/utils.py
@@ -86,8 +86,8 @@ def generate_auth(pepper, password):
Note: requires a request context.
"""
salt = _create_salt()
- hashed_pass = _generate_sha512_hmac(pepper, salt, password)
- return (salt, hashed_pass)
+ password_hash = _generate_sha512_hmac(pepper, salt, password)
+ return (salt, password_hash)
def is_valid_auth(pepper, salt, candidate_password, correct_hash):
diff --git a/docs/README.md b/docs/README.md
index 4fd67f5..dc43253 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -26,16 +26,17 @@ This folder stores the code for RediDropper web application.
Optional step - create a self-signed certificate:
-
-cd redi-dropper-client/app/ssl
-./gen_cert.sh
-
+ $ cd redi-dropper-client/app/ssl
+ $ ./gen_cert.sh
The above command will produce two files used in debug mode:
- server.crt
- server.key
+Note: if you get errors related to mising "Guest Additions" please try:
+
+ vagrant plugin install vagrant-vbguest
## Developer's Workflow - Without Vagrant
@@ -54,8 +55,6 @@ manually using Python's embedded webserver.
The manual process requires the following commands for setup:
-```
-
brew install mysql
mysql --version
(mysql Ver 14.14 Distrib 5.6.24, for osx10.9 (x86_64) using EditLine wrapper)
@@ -74,8 +73,8 @@ The manual process requires the following commands for setup:
fab prep_develop
fab init_db
- # create and edit the settings file
- cp deploy/sample.settings.conf deploy/settings.conf
+ # create and edit the settings file to make it visible in config.py
+ cp deploy/sample.vagrant.settings.conf deploy/settings.conf
# run the application
fab run
@@ -84,7 +83,6 @@ The manual process requires the following commands for setup:
Finally you can open your browser at https://localhost:5000/ and login as
admin@example.com with any password
-```
# Initial Deployment
@@ -101,15 +99,13 @@ aginst the "staging" or "production" server specified as an argument.
After you clone the repository:
-- create three files in your local `deploy` folder:
-
-```
+- create the required files in your local `deploy` folder:
$ cd redi-dropper-client/app/deploy
$ cp sample.fabric.py staging/fabric.py
$ cp sample.deploy.settings.conf staging/settings.conf
$ cp sample.virtualhost.conf staging/virtualhost.conf
-```
+ $ cp sample.virtualhost-ssl.conf staging/virtualhost-ssl.conf
- edit the files in the staging (or production) folder to reflect
the proper username/passwords/hosts/paths
@@ -118,32 +114,23 @@ After you clone the repository:
- execute the initial deploy' command for staging (or production):
-```
-
$ cd redi-dropper-client/app/deploy
$ git fetch --tags upstream
$ ./deploy.sh -i -t tag_number -r ~/git staging
OR
$ ./deploy/deploy.sh -i -t tag_number -r ~/git production
-```
Once you have the fabric tool installed you can create the database tables
in staging or production databases:
-```
-
$ fab staging mysql_conf
$ fab staging mysql_list_tables
$ fab staging mysql_create_tables
-```
If tables already exist in the database and you wish to re-create them
please run:
-```
-
$ fab staging mysql_reset_tables
-```
Note: Reseting tables does not create a backup of the tables so please
make sure the existing data can be discarded.
@@ -159,12 +146,9 @@ Assumptions:
Re-upload configuration and code changes by executing one of the following:
-```
-
$ deploy/deploy.sh -t tag_number -r ~/git staging
OR
$ deploy/deploy.sh -t tag_number -r ~/git production
-```
Note: You might need to refresh the list of tags from the upstream
diff --git a/vagrant/bootstrap_functions.sh b/vagrant/bootstrap_functions.sh
index 5739752..59a45e8 100644
--- a/vagrant/bootstrap_functions.sh
+++ b/vagrant/bootstrap_functions.sh
@@ -20,25 +20,18 @@ function install_utils() {
cp $SHARED_FOLDER/dot_files/sqliterc /home/vagrant/.sqliterc
cp $SHARED_FOLDER/dot_files/sqliterc /root/.sqliterc
- apt-get install -y vim ack-grep
-}
-
-function install_redis() {
-
-}
-
-function install_openvas() {
-
+ apt-get install -y vim ack-grep nmap
}
function install_apache_for_python() {
- # https://www.digitalocean.com/community/tutorials/how-to-deploy-a-flask-application-on-an-ubuntu-vps
- apt-get install -y \
- apache2 libapache2-mod-wsgi \
- python-dev python-pip \
- mysql-server libmysqlclient-dev \
- libffi-dev \
- libsqlite3-dev
+ # https://www.digitalocean.com/community/tutorials/how-to-deploy-a-flask-application-on-an-ubuntu-vps
+ apt-get install -y \
+ libssl-dev \
+ apache2 libapache2-mod-wsgi \
+ python-dev python-pip \
+ mysql-server libmysqlclient-dev \
+ libffi-dev \
+ libsqlite3-dev
}
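Review bot: `apt-get install -y vim ack-grep nmap` adds a network scanner to the same provisioning script that installs apache2 and mysql-server for the application, and nothing in the hunk says why the app host needs it; if it is only for developer diagnostics on the Vagrant VM, say so and keep it out of any deployed image, since extra tooling on a web host is attack surface and is flagged by most hardening baselines. Suggested comment on that line: `# nmap: local dev VM diagnostics only — do not carry into staging/production images`. Whether this script is also used for deployed hosts is not visible here, so treat this as a question rather than a finding.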
function install_dropper() {
@@ -51,10 +44,10 @@ function install_dropper() {
pushd /var/www/dropper
# Setting up a virtual environment will keep the application and its
# dependencies isolated from the main system.
-
log "Install via pip: virtualenv..."
pip install virtualenv
log "Creating virtual environment: /var/www/app/venv"
+
virtualenv venv
. venv/bin/activate
log "Installing required python packages..."
@@ -63,8 +56,8 @@ function install_dropper() {
popd
pushd /var/www/dropper/app/deploy
- log "Link app config file"
- ln -sfv sample.settings.conf settings.conf
+ log "Link app config file to make it visible in config.py... "
+ ln -sfv sample.vagrant.settings.conf settings.conf
popd
pushd /var/www/dropper/app