active directory authentication, full mfa implementation, vpn generation

accounts.py

@@ -1,12 +1,17 @@
 from flask import Flask, url_for
 from flask_ldap3_login import LDAP3LoginManager
-from flask_login import LoginManager, login_user, UserMixin, current_user
-from flask import render_template_string, redirect, render_template
+from flask_login import LoginManager, login_user, UserMixin, current_user, logout_user
+from flask import render_template_string, redirect, render_template, request, send_file
 from flask_ldap3_login.forms import LDAPLoginForm
-from mfa import generateOTP, generateSecret
+from mfa import generateOTP, generateSecret, generateProvisioningUri
 # from ad import updateMfaSecret
 from db import setupMfaSecret, updateMfaSecret, getMfaSecret, removeMfa
 import yamlcon
+from wtforms import StringField
+from wtforms.validators import DataRequired
+import _forms
+from ad import updatePassword
+from vpn import genVPN, getVPN
 
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'secret'
@@ -64,7 +69,9 @@ class User(UserMixin):
 
     def get_id(self):
         return self.dn
-
+    
+class LDAPLoginForm0(LDAPLoginForm):
+    mfacode = StringField('MFA')
 
 # Declare a User Loader for Flask-Login.
 # Simply returns the User if it exists in our 'database', otherwise
@@ -93,6 +100,11 @@ def home():
     # Redirect users who are not logged in.
     if not current_user or current_user.is_anonymous:
         return redirect(url_for('login'))
+    
+    if getMfaSecret(user=current_user.data['sAMAccountName']):
+        mfaStatus = "MFA is active"
+    else:
+        mfaStatus = "MFA is not active"
 
     # User is logged in, so show them a page with their cn and dn.
     # template = """
@@ -101,12 +113,13 @@ def home():
     # <h2> Email: {{ current_user.data.mail }}</h2>
     # <h2>{{ current_user.dn }}</h2> 
     # """
-    print(current_user)
-    print(current_user.data)
-    print(current_user.data['objectSid'])
+    # print(current_user)
+    # print(current_user.data)
+    # print(current_user.data['objectSid'])
 
     # return render_template_string(template)
-    return render_template('home.html', current_user=current_user, mfaurl=url_for('two_factor'))
+    return render_template('home.html', current_user=current_user, mfaurl=url_for('two_factor'), \
+                           mfastatus=mfaStatus, logouturl=url_for('logout'), changepwurl=url_for('changepw'), vpnurl=url_for('vpn'))
 
 @app.route('/2fa')
 def two_factor():
@@ -121,10 +134,11 @@ def two_factor():
         setupMfaSecret(user=current_user.data['sAMAccountName'], secret=generateSecret())
         # currSecret = current_user.data['mfaSecret']
         currSecret = getMfaSecret(user=current_user.data['sAMAccountName'])
+        uri = generateProvisioningUri(currSecret=currSecret, cu=current_user.data['sAMAccountName'])
         code = ''
     
     print(currSecret)
-    return render_template('2fa.html', currSecret=currSecret, code=code, homeurl=url_for('home'), delurl=url_for('delTwoFactor'))
+    return render_template('2fa.html', currSecret=currSecret, uri=uri, code=code, homeurl=url_for('home'), delurl=url_for('delTwoFactor'))
 
 @app.route('/del2fa')
 def delTwoFactor():
@@ -152,6 +166,7 @@ def login():
     <form method="POST">
         <label>Username{{ form.username() }}</label>
         <label>Password{{ form.password() }}</label>
+        <label>MFA Code{{ form.mfacode() }}</label>
         {{ form.submit() }}
         {{ form.hidden_tag() }}
     </form>
@@ -159,16 +174,56 @@ def login():
 
     # Instantiate a LDAPLoginForm which has a validator to check if the user
     # exists in LDAP.
-    form = LDAPLoginForm()
+    form = LDAPLoginForm0()
 
     if form.validate_on_submit():
         # Successfully logged in, We can now access the saved user object
         # via form.user.
-        login_user(form.user)  # Tell flask-login to log them in.
-        return redirect('/')  # Send them home
-
+        login_user(form.user) # Tell flask-login to log them in.
+        if getMfaSecret(user=current_user.data['sAMAccountName']):
+            if form.mfacode.data == generateOTP(getMfaSecret(user=current_user.data['sAMAccountName'])):
+                return redirect('/')  # Send them home
+            else:
+                logout_user()
+                form.mfacode.errors.append("Invalid MFA Code")
+                return redirect('/')
+        elif not getMfaSecret(user=current_user.data['sAMAccountName']):
+            login_user(form.user) # Tell flask-login to log them in.
+            return redirect('/')
     return render_template_string(template, form=form)
 
+@app.route('/changepw', methods=['GET', 'POST'])
+def changepw():
+    if not current_user or current_user.is_anonymous:
+        return redirect(url_for('login'))
+    
+    form = _forms.ChangePasswordForm(request.form)
+    if request.method == 'POST' and form.validate():
+        new_password = form.newpw.data
+        if updatePassword(cu=current_user.data['sAMAccountName'], newpw=new_password, adinfo=adinfo):
+            print('Password changed successfully!')
+            # flash('Password changed successfully!', 'success')
+            return redirect(url_for('home'))
+        else:
+            print('Failed to change password. Please try again.')
+            # flash('Failed to change password. Please try again.', 'danger')
+    return render_template('changepw.html', form=form)
+
+@app.route('/vpn', methods=['GET', 'POST'])
+def vpn():
+    if not current_user or current_user.is_anonymous:
+        return redirect(url_for('login'))
+    
+    if request.args.get('dev'):
+        return send_file(genVPN(cu=current_user.data['sAMAccountName'], dev=request.args.get('dev')), as_attachment=True)
+
+    return render_template('vpn.html')
+
+@app.route('/logout')
+def logout():
+    logout_user()
+    return redirect('/')
+
 
 if __name__ == '__main__':
-    app.run()
+    app.run(host='0.0.0.0', port=81)