Admin user table, admin logging, multi user admin

[jderner-telware]

Create multiple admin user login
Create logging system for admin actions
Add install script for admin_users table
Manipulate entered password to use md5 for base level encryption storage

[devopsec]

@jderner-telware we have looked at this before and you are certainly on the right track here.
My issue with this pull is that it is not cryptographically secure, and this is why we have not tackled this feature yet.

A couple tips and resources that may get you on the right track:

• don't trust md5, this is not a cryptographically secure hashing algo anymore as collision can be calculated with ease.
  A better coice would be to use sha2 (512) or even better would be to use an encryption algo that includes hashing, such as PBKDF2 or HMAC, please see the following link about cyptographic hashing functions:
  https://en.wikipedia.org/wiki/Cryptographic_hash_function#MD5

• you must salt your passwords before encrypting/hashing and store the salt with them.
  This prevents dictionary and rainbow attacks if your DB is compromised.
  Here is a good security stack post about it:
  https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846

• Use asymmetric (one-way) encryption
  In case the private key is lost your passwords can't be decrpyted instantly.
  See the following link for some more best practices on password storage:
  https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

[devopsec]

Implementation will be as follows:

API Doc’s built-into UI

Sphinx documentation generator

see the issue comments for more info on doc generation:
#190

Switch to production ready web server

nginx and apache support

see the following projects for example implementations:
https://git.flyball.co/detroitpbx/gui
https://github.com/devopsec/shomesec

Multi-User Support

group access control

the permissions won't be modifiable this release

• dsip_admin
  • read/write on all
• dsip_engineer
  • read on Dashboard,CGs,EGs,Domains,Inbound,Outbound
  • write on CGs,EGs,Domains,Inbound,Outbound
• dsip_guest
  • read on Dashboard,CGs,EGs,Domains,Inbound,Outbound
  • NO reading passwords for CGs,EGs,Domains,Inbound,Outbound

users api

groups_acl=('dsip_admin')

GET /api/v1/users

GET /api/v1/users?username=xxxx

GET /api/v1/users?group=xxxx

POST /api/v1/users

{
    'username': 'xxxx',
    'password': 'xxxx',
    'groups': 'xxxx'
}

PUT /api/v1/users

PUT /api/v1/users?username=xxxx

PUT /api/v1/users?group=xxxx

{
    'username': 'xxxx',
    'password': 'xxxx',
    'groups': 'xxxx'
}

DELETE /api/v1/users

DELETE /api/v1/users?username=xxxx

DELETE /api/v1/users?group=xxxx

DB schema

CREATE TABLE dsip_users (
  username varchar(255) NOT NULL,
  password varbinary(256) COLLATE 'binary' NOT NULL,
  groups varchar(255) NOT NULL,
  PRIMARY KEY (username)
) ENGINE = InnoDB
  DEFAULT CHARSET = utf8;

[devopsec]

Just an update here, this is pushed back to v0.70, planned for March 2021.
@jderner-telware this was a good start but needs some work to make it into production.
I wrapped a lot of the security functions into a module that might make it easier in developing this piece:
https://github.com/dOpensource/dsiprouter/blob/master/gui/util/security.py

[devopsec]

This was pushed back again... Aiming for release v0.72 now

[devopsec]

Bump to v0.73