Added Reset Password

- Missing: real password reset

Added Reset Password
- Missing: real password reset
60fc0d56 · Christian Dresen · 70a20679 · 60fc0d56 · 60fc0d56 · 60fc0d56
Commit 60fc0d56 authored 9 years ago by Christian Dresen
--- a/web/.idea/deployment.xml
+++ b/web/.idea/deployment.xml
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
-  <component name="PublishConfigData" autoUpload="Always" serverName="LocalDeb">
+  <component name="PublishConfigData" autoUpload="Always" serverName="warpauth">
    <serverData>
-      <paths name="LocalDeb">
+      <paths name="warpauth">
        <serverdata>
          <mappings>
            <mapping deploy="warpauth" local="$PROJECT_DIR$" web="/" />

--- a/web/.idea/misc.xml
+++ b/web/.idea/misc.xml
@@ -10,5 +10,5 @@
    <ConfirmationsSetting value="0" id="Add" />
    <ConfirmationsSetting value="0" id="Remove" />
  </component>
-  <component name="ProjectRootManager" version="2" project-jdk-name="Remote Python 2.7.9 (ssh://root@10.0.0.146:22/usr/bin/python)" project-jdk-type="Python SDK" />
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 2.7.6 (C:\Python27\python.exe)" project-jdk-type="Python SDK" />
 </project>
\ No newline at end of file
--- a/web/.idea/web.iml
+++ b/web/.idea/web.iml
@@ -12,7 +12,7 @@
  </component>
  <component name="NewModuleRootManager">
    <content url="file://$MODULE_DIR$" />
-    <orderEntry type="jdk" jdkName="Remote Python 2.7.9 (ssh://root@10.0.0.146:22/usr/bin/python)" jdkType="Python SDK" />
+    <orderEntry type="jdk" jdkName="Python 2.7.6 (C:\Python27\python.exe)" jdkType="Python SDK" />
    <orderEntry type="sourceFolder" forTests="false" />
  </component>
  <component name="TemplatesService">

--- a/web/.idea/workspace.xml
+++ b/web/.idea/workspace.xml
--- a/web/media/flaghunter_logo.png
+++ b/web/media/flaghunter_logo.png
--- a/web/media/flaghunter_logo2.png
+++ b/web/media/flaghunter_logo2.png
--- a/web/media/itsecteam_ms_logo.png
+++ b/web/media/itsecteam_ms_logo.png
--- a/web2/media/warpzone_logo.png
+++ b/web2/media/warpzone_logo.png
--- a/web/warpauth/urls.py
+++ b/web/warpauth/urls.py
-"""FlagHunter URL Configuration
-
-The `urlpatterns` list routes URLs to views. For more information please see:
-    https://docs.djangoproject.com/en/1.8/topics/http/urls/
-Examples:
-Function views
-    1. Add an import:  from my_app import views
-    2. Add a URL to urlpatterns:  url(r'^$', views.home, name='home')
-Class-based views
-    1. Add an import:  from other_app.views import Home
-    2. Add a URL to urlpatterns:  url(r'^$', Home.as_view(), name='home')
-Including another URLconf
-    1. Add an import:  from blog import urls as blog_urls
-    2. Add a URL to urlpatterns:  url(r'^blog/', include(blog_urls))
-"""
 from django.conf.urls import include, url
 from django.contrib import admin
 from django.conf import settings

--- a/web/warpauthWeb/models.py
+++ b/web/warpauthWeb/models.py
@@ -6,6 +6,9 @@ class PasswordResetToken(models.Model):
    user = models.CharField(max_length=100)
    email = models.CharField(max_length=100)
    hash = models.CharField(max_length=100)
+    created = models.DateTimeField(auto_now_add=True)
+
+# LDAP


 class LdapUser(ldapdb.models.Model):

--- a/web/warpauthWeb/templates/base.html
+++ b/web/warpauthWeb/templates/base.html
-<link rel="stylesheet" href="{{ MEDIA_URL }}/media/css/bootstrap.min.css"></link>
-<script type="text/javascript" src="{{ MEDIA_URL }}/media/js/jquery.js"></script>
-<script src="/media/js/bootstrap.js"></script>
+<link rel="stylesheet" href="{{ MEDIA_URL }}/media/css/bootstrap.min.css" />
+<script type="text/javascript" src="{{ MEDIA_URL }}/media/js/jquery.js" />
+<script src="/media/js/bootstrap.js" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0">

 <style>
@@ -24,7 +24,7 @@
        <div class="container">
            <div class="navbar-header">
                <a class="navbar-brand" href="/">
-                    <img style="display: inline; text-align:left"  height="25" width="25" src='/media/warpzone_logo.png'/>WarpAuth
+                    <img style="display: inline; text-align:left"  height="25" width="25" src='/media/warpzone_logo.png'/>&nbsp;&nbsp;WarpAuth
                </a>
                <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#myNavbar">
                    <span class="icon-bar"></span>

--- a/web/warpauthWeb/templates/login.html
+++ b/web/warpauthWeb/templates/login.html
-{% extends "base.html" %} {% block content %}
-<form  class="form-signin" style="max-width: 330px; margin: 0 auto; padding: 40px">
-    {% csrf_token %}
-    <h2 class="form-signin-heading">Please sign in</h2>
-    <label for="inputUser" class="sr-only">User</label>
-    <input name="username" type="user" id="inputUser" class="form-control" placeholder="User" required autofocus>
-    <label for="inputPassword" class="sr-only">Password</label>
-    <input name="password" type="password" id="inputPassword" class="form-control" placeholder="Password" required>
-    {% if fail == True %}
-        <div class="alert alert-warning alert-dismissible" role="alert">
-            <strong>Invalid email or password.</strong>
-        </div>
-    {% else %}
-        <br>
-    {% endif %}
-    <button class="btn btn-lg btn-primary btn-block" type="submit" formmethod="post" class="btn btn-default">Sign in</button>
-</form>
-{% endblock %}
\ No newline at end of file
+{% extends "base.html" %}
+{% load i18n %}
+
+{% block content %}
+    <form  class="form-signin" style="max-width: 330px; margin: 0 auto; padding: 40px">
+        {% csrf_token %}
+        <h2 class="form-signin-heading">Please sign in</h2>
+        <label for="inputUser">User</label>
+        <input name="username" type="user" id="inputUser" class="form-control" placeholder="User" required autofocus>
+
+        <label for="inputPassword" style="padding-top:10px;">Password</label>
+        <input name="password" type="password" id="inputPassword" class="form-control" placeholder="Password" required>
+        {% if fail == True %}
+            <div class="alert alert-warning alert-dismissible" role="alert">
+                <strong>Invalid email or password.</strong>
+            </div>
+        {% else %}
+            <br>
+        {% endif %}
+        <button class="btn btn-lg btn-primary btn-block" type="submit" formmethod="post" class="btn btn-default">Sign in</button>
+        <a class="btn" href="/reset_password">{% trans "Forgot Password?" %}</a>
+    </form>
+{% endblock %}
--- a/web/warpauthWeb/templates/reset_password/change_password.html
+++ b/web/warpauthWeb/templates/reset_password/change_password.html
+{% extends "base.html" %} {% block content %}
+    {% if token_error %}
+        <h2 class="form-signin-heading">The Token was invalid</h2>
+    {% elif request.POST and not form_error%}
+        {{ request.POST }}
+    {% else %}
+        <form  class="form" style="max-width: 330px; margin: 0 auto; padding: 40px">
+            {% csrf_token %}
+            <h2 class="form-signin-heading">Please enter your new Password for user {{ username }}</h2>
+            <label for="inputPassword" class="sr-only">Password</label>
+            <input name="password" type="password" id="inputPassword" class="form-control" placeholder="Password"  required autofocus>
+            <label for="inputPassword2" class="sr-only">Repeat Password</label>
+            <input name="password2" type="password" id="inputPassword2" class="form-control" placeholder="Repeat Password" required>
+            {% if form_error == True %}
+                <div class="alert alert-warning alert-dismissible" role="alert">
+                    <strong>Passwords didnt match.</strong>
+                </div>
+            {% else %}
+                <br>
+            {% endif %}
+            <button class="btn btn-lg btn-primary btn-block" type="submit" formmethod="post" class="btn btn-default">Reset Password</button>
+
+        </form>
+    {% endif %}
+{% endblock %}
\ No newline at end of file
--- a/web/warpauthWeb/templates/reset_password.html
+++ b/web/warpauthWeb/templates/reset_password.html
--- a/web/warpauthWeb/urls.py
+++ b/web/warpauthWeb/urls.py
 from django.conf.urls import url
-from warpauthWeb import views
+from warpauthWeb.views import main,login,reset_password

 urlpatterns = [
    # Authentication Pages
-    url(r'^login/$', views.login_view, name='index'),
-    url(r'^logout/$', views.logout_view, name='index'),
-    url(r'^reset_password/$', views.reset_password, name='index'),
-    url(r'^reset_password/(?P<reset_hash>\w+)/$', views.reset_password, name='index'),
+    url(r'^login/$', login.login_view, name='index'),
+    url(r'^logout/$', login.logout_view, name='index'),
+    url(r'^reset_password/$', reset_password.gen_token, name='index'),
+    url(r'^reset_password/(?P<reset_hash>\w+)/$', reset_password.change_password, name='index'),
    # Main Page
-    url(r'^$', views.index, name='index'),
+    url(r'^$', main.index, name='index'),


 ]

--- a/web/warpauthWeb/util.py
+++ b/web/warpauthWeb/util.py
-#
-# Copyright (C) 2015  Sergej Schumilo - Muenster IT Security Team
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This file is part of FlagHunter.
-# See the file LICENSE for copying permission.
-#
-__author__ = 'Sergej Schumilo'
-
 pages = {'pages': [
-    {"link":"services", "name": "Services"},
-    {"link":"exploits", "name": "Exploits"},
-    {"link":"results", "name": "Results"},
-    {"link":"pcap_files", "name": "PCAP-Files"},
    {"link":"about", "name": "About"},
    {"link":"logout", "name": "Logout"},
    {"link":"admin", "name": "Admin"}

--- a/web/warpauthWeb/views/__init__.py
+++ b/web/warpauthWeb/views/__init__.py
+__author__ = 'chris'
--- a/web/warpauthWeb/views.py
+++ b/web/warpauthWeb/views.py
@@ -3,12 +3,8 @@ from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotAll
 from django.contrib.auth import authenticate, login, logout
 from django.shortcuts import redirect
 from django.contrib.auth.decorators import login_required
-from django.views.decorators.cache import cache_page

 from warpauthWeb.util import *
-from warpauthWeb.models import PasswordResetToken, LdapUser
-import hashlib
-import logging

 def login_view(request):
    pages['body'] = "login"
@@ -34,33 +30,4 @@ def logout_view(request):
    logout(request)
    return redirect('/login/')

-def reset_password(request, reset_hash=None):
-    logger = logging.getLogger("reset_password")
-    if reset_hash is None:
-        if request.POST:
-            try:
-                usr = LdapUser.objects.get(uid=request.POST["username"])
-                if usr.email == request.POST["email"]:
-                  #  p = PasswordResetToken()
-                  #  p.user=usr.uid
-                  #  p.email=usr.email
-                 #   m = hashlib.sha512("asdasd").hexdigest()
-                 #   print (m)
-                    #p.save()
-                  #  print(p)
-                    logger.info("Success for %s", usr.uid)
-            except Exception as e:
-                logger.error("Failed for %s with %s", request.POST["username"],e)
-        else:
-            pass
-        return HttpResponse(render(request, 'reset_password.html', pages))
-    else:
-        passwordHash = PasswordResetToken.objects.get(hash=reset_hash)
-        print(passwordHash)
-        return HttpResponse(render(request, 'reset_password.html', pages))

-@login_required(login_url='/login/', redirect_field_name=None)
-def index(request):
-    pages['body'] = "index"
-    pages['body_text'] = "WarpAuth"
-    return HttpResponse(render(request, 'about.html', pages))
--- a/web/warpauthWeb/views/main.py
+++ b/web/warpauthWeb/views/main.py
+from django.shortcuts import render
+from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotAllowed, HttpResponseNotFound
+from django.shortcuts import redirect
+from django.contrib.auth.decorators import login_required
+from warpauthWeb.util import *
+
+
+@login_required(login_url='/login/', redirect_field_name=None)
+def index(request):
+    pages['body'] = "index"
+    pages['body_text'] = "WarpAuth"
+    print(request.user.ldap_user.group_names)
+
+    
+    return HttpResponse(render(request, 'about.html', pages))
--- a/web/warpauthWeb/views/reset_password.py
+++ b/web/warpauthWeb/views/reset_password.py
+from django.shortcuts import render
+from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotAllowed, HttpResponseNotFound
+from django.contrib.auth import authenticate, login, logout
+from django.shortcuts import redirect
+from django.contrib.auth.decorators import login_required
+from django.views.decorators.cache import cache_page
+
+from warpauthWeb.util import *
+from warpauthWeb.models import PasswordResetToken, LdapUser
+import hashlib
+import logging
+import os
+import datetime
+
+
+def gen_token(request):
+    logger = logging.getLogger("reset_password")
+    if request.POST:
+        try:
+            usr = LdapUser.objects.get(uid=request.POST["username"])
+            if usr.email == request.POST["email"]:
+                p = PasswordResetToken()
+                p.user=usr.uid
+                p.email=usr.email
+                p.hash = hashlib.sha1(os.urandom(128)).hexdigest()
+                print (p.hash)
+                p.save()
+
+                logger.info("Success for %s", usr.uid)
+        except Exception as e:
+            print(e)
+            logger.error("Failed for %s with %s", request.POST["username"],e)
+    else:
+        pass
+    return HttpResponse(render(request, 'reset_password/token_gen.html', pages))
+
+
+def change_password(request, reset_hash=None):
+    logger = logging.getLogger("reset_password")
+# Debug
+    for pw in PasswordResetToken.objects.all():
+        print (pw.hash)
+#
+    try:
+        passwordHash = PasswordResetToken.objects.get(hash=reset_hash)
+        timediff = datetime.datetime.now() - passwordHash.created
+        if timediff.seconds/60 > 5:
+        #    passwordHash.delete()
+            raise ValidationError("Token not valid")
+
+        if request.POST:
+            if request.POST["password"] != request.POST["password2"]:
+                pages["form_error"] = True
+            else:
+                pass
+        else:
+            pages["username"] = passwordHash.user
+    except (ObjectDoesNotExist, ValidationError) as e:
+        pages["token_error"] = True
+    except Exception as e:
+        print(e)
+
+
+
+    return HttpResponse(render(request, 'reset_password/change_password.html', pages))