initial commit

2024-02-22 13:40:14 -08:00
commit 4a6257ec6c
13 changed files with 310 additions and 0 deletions
--- a/accounts.py
+++ b/accounts.py
@@ -0,0 +1,174 @@
+from flask import Flask, url_for
+from flask_ldap3_login import LDAP3LoginManager
+from flask_login import LoginManager, login_user, UserMixin, current_user
+from flask import render_template_string, redirect, render_template
+from flask_ldap3_login.forms import LDAPLoginForm
+from mfa import generateOTP, generateSecret
+# from ad import updateMfaSecret
+from db import setupMfaSecret, updateMfaSecret, getMfaSecret, removeMfa
+import yamlcon
+
+app = Flask(__name__)
+app.config['SECRET_KEY'] = 'secret'
+app.config['DEBUG'] = True
+
+# Setup LDAP Configuration Variables. Change these to your own settings.
+# All configuration directives can be found in the documentation.
+
+# Hostname of your LDAP Server
+app.config['LDAP_HOST'] = 'corp.bbrunson.com'
+
+app.config['LDAP_PORT'] = 389
+
+# Base DN of your directory
+app.config['LDAP_BASE_DN'] = 'dc=corp,dc=bbrunson,dc=com'
+
+# Users DN to be prepended to the Base DN
+app.config['LDAP_USER_DN'] = 'cn=users'
+
+# Groups DN to be prepended to the Base DN
+# app.config['LDAP_GROUP_DN'] = 'cn=groups'
+
+# The RDN attribute for your user schema on LDAP
+app.config['LDAP_USER_RDN_ATTR'] = 'cn'
+
+# The Attribute you want users to authenticate to LDAP with.
+app.config['LDAP_USER_LOGIN_ATTR'] = 'sAMAccountName'
+
+adinfo = yamlcon.load("adinfo.yaml")
+
+# The Username to bind to LDAP with
+app.config['LDAP_BIND_USER_DN'] = adinfo.get('adbind_user', '')
+
+# The Password to bind to LDAP with
+app.config['LDAP_BIND_USER_PASSWORD'] = adinfo.get('adbind_pass', '')
+
+login_manager = LoginManager(app)              # Setup a Flask-Login Manager
+ldap_manager = LDAP3LoginManager(app)          # Setup a LDAP3 Login Manager.
+
+# Create a dictionary to store the users in when they authenticate
+# This example stores users in memory.
+users = {}
+
+
+# Declare an Object Model for the user, and make it comply with the
+# flask-login UserMixin mixin.
+class User(UserMixin):
+    def __init__(self, dn, username, data):
+        self.dn = dn
+        self.username = username
+        self.data = data
+
+    def __repr__(self):
+        return self.dn
+
+    def get_id(self):
+        return self.dn
+
+
+# Declare a User Loader for Flask-Login.
+# Simply returns the User if it exists in our 'database', otherwise
+# returns None.
+@login_manager.user_loader
+def load_user(id):
+    if id in users:
+        return users[id]
+    return None
+
+
+# Declare The User Saver for Flask-Ldap3-Login
+# This method is called whenever a LDAPLoginForm() successfully validates.
+# Here you have to save the user, and return it so it can be used in the
+# login controller.
+@ldap_manager.save_user
+def save_user(dn, username, data, memberships):
+    user = User(dn, username, data)
+    users[dn] = user
+    return user
+
+
+# Declare some routes for usage to show the authentication process.
+@app.route('/')
+def home():
+    # Redirect users who are not logged in.
+    if not current_user or current_user.is_anonymous:
+        return redirect(url_for('login'))
+
+    # User is logged in, so show them a page with their cn and dn.
+    # template = """
+    # <h1>Welcome, {{ current_user.data.givenName }}</h1>
+
+    # <h2> Email: {{ current_user.data.mail }}</h2>
+    # <h2>{{ current_user.dn }}</h2> 
+    # """
+    print(current_user)
+    print(current_user.data)
+    print(current_user.data['objectSid'])
+
+    # return render_template_string(template)
+    return render_template('home.html', current_user=current_user, mfaurl=url_for('two_factor'))
+
+@app.route('/2fa')
+def two_factor():
+    if not current_user or current_user.is_anonymous:
+        return redirect(url_for('login'))
+    
+    if getMfaSecret(user=current_user.data['sAMAccountName']):
+        currSecret = "MFA already setup"
+        code = generateOTP(getMfaSecret(user=current_user.data['sAMAccountName']))
+
+    elif not getMfaSecret(user=current_user.data['sAMAccountName']):
+        setupMfaSecret(user=current_user.data['sAMAccountName'], secret=generateSecret())
+        # currSecret = current_user.data['mfaSecret']
+        currSecret = getMfaSecret(user=current_user.data['sAMAccountName'])
+        code = ''
+    
+    print(currSecret)
+    return render_template('2fa.html', currSecret=currSecret, code=code, homeurl=url_for('home'), delurl=url_for('delTwoFactor'))
+
+@app.route('/del2fa')
+def delTwoFactor():
+    if not current_user or current_user.is_anonymous:
+        return redirect(url_for('login'))
+    
+    removeMfa(user=current_user.data['sAMAccountName'])
+
+    return redirect(url_for('home'))
+
+@app.route('/manual_login')
+def manual_login():
+    # Instead of using the form, you can alternatively authenticate
+    # using the authenticate method.
+    # This WILL NOT fire the save_user() callback defined above.
+    # You are responsible for saving your users.
+    app.ldap3_login_manager.authenticate('username', 'password')
+
+
+@app.route('/login', methods=['GET', 'POST'])
+def login():
+    template = """
+    {{ get_flashed_messages() }}
+    {{ form.errors }}
+    <form method="POST">
+        <label>Username{{ form.username() }}</label>
+        <label>Password{{ form.password() }}</label>
+        {{ form.submit() }}
+        {{ form.hidden_tag() }}
+    </form>
+    """
+
+    # Instantiate a LDAPLoginForm which has a validator to check if the user
+    # exists in LDAP.
+    form = LDAPLoginForm()
+
+    if form.validate_on_submit():
+        # Successfully logged in, We can now access the saved user object
+        # via form.user.
+        login_user(form.user)  # Tell flask-login to log them in.
+        return redirect('/')  # Send them home
+
+    return render_template_string(template, form=form)
+
+
+if __name__ == '__main__':
+    app.run()