ZeroNet/plugins/disabled-UiPassword/UiPasswordPlugin.py

import string
import random
import time
import json
import re

from Config import config
from Plugin import PluginManager

if "sessions" not in locals().keys():  # To keep sessions between module reloads
    sessions = {}


def showPasswordAdvice(password):
    error_msgs = []
    if not password or not isinstance(password, (str, unicode)):
        error_msgs.append("You have enabled <b>UiPassword</b> plugin, but you forgot to set a password!")
    elif len(password) < 8:
        error_msgs.append("You are using a very short UI password!")
    return error_msgs

@PluginManager.registerTo("UiRequest")
class UiRequestPlugin(object):
    sessions = sessions
    last_cleanup = time.time()

    def route(self, path):
        # Restict Ui access by ip
        if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict:
            return self.error403(details=False)
        if path.endswith("favicon.ico"):
            return self.actionFile("src/Ui/media/img/favicon.ico")
        else:
            if config.ui_password:
                if time.time() - self.last_cleanup > 60 * 60:  # Cleanup expired sessions every hour
                    self.cleanup()
                # Validate session
                session_id = self.getCookies().get("session_id")
                if session_id not in self.sessions:  # Invalid session id, display login
                    return self.actionLogin()
            return super(UiRequestPlugin, self).route(path)

    # Action: Login
    def actionLogin(self):
        template = open("plugins/UiPassword/login.html").read()
        self.sendHeader()
        posted = self.getPosted()
        if posted:  # Validate http posted data
            if self.checkPassword(posted.get("password")):
                # Valid password, create session
                session_id = self.randomString(26)
                self.sessions[session_id] = {
                    "added": time.time(),
                    "keep": posted.get("keep")
                }

                # Redirect to homepage or referer
                url = self.env.get("HTTP_REFERER", "")
                if not url or re.sub("\?.*", "", url).endswith("/Login"):
                    url = "/" + config.homepage
                cookie_header = ('Set-Cookie', "session_id=%s;path=/;max-age=2592000;" % session_id)  # Max age = 30 days
                self.start_response('301 Redirect', [('Location', url), cookie_header])
                yield "Redirecting..."

            else:
                # Invalid password, show login form again
                template = template.replace("{result}", "bad_password")
        yield template

    def checkPassword(self, password):
        return password == config.ui_password

    def randomString(self, nchars):
        return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(nchars))

    @classmethod
    def cleanup(cls):
        cls.last_cleanup = time.time()
        for session_id, session in cls.sessions.items():
            if session["keep"] and time.time() - session["added"] > 60 * 60 * 24 * 60:  # Max 60days for keep sessions
                del(cls.sessions[session_id])
            elif not session["keep"] and time.time() - session["added"] > 60 * 60 * 24:  # Max 24h for non-keep sessions
                del(cls.sessions[session_id])

    # Action: Display sessions
    def actionSessions(self):
        self.sendHeader()
        yield "<pre>"
        yield json.dumps(self.sessions, indent=4)

    # Action: Logout
    def actionLogout(self):
        # Session id has to passed as get parameter or called without referer to avoid remote logout
        session_id = self.getCookies().get("session_id")
        if not self.env.get("HTTP_REFERER") or session_id == self.get.get("session_id"):
            if session_id in self.sessions:
                del self.sessions[session_id]
            self.start_response('301 Redirect', [
                ('Location', "/"),
                ('Set-Cookie', "session_id=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")
            ])
            yield "Redirecting..."
        else:
            self.sendHeader()
            yield "Error: Invalid session id"


@PluginManager.registerTo("ConfigPlugin")
class ConfigPlugin(object):
    def createArguments(self):
        group = self.parser.add_argument_group("UiPassword plugin")
        group.add_argument('--ui_password', help='Password to access UiServer', default=None, metavar="password")

        return super(ConfigPlugin, self).createArguments()


from Translate import translate as lang
@PluginManager.registerTo("UiWebsocket")
class UiWebsocketPlugin(object):
    def actionUiLogout(self, to):
        permissions = self.getPermissions(to)
        if "ADMIN" not in permissions:
            return self.response(to, "You don't have permission to run this command")

        session_id = self.request.getCookies().get("session_id", "")
        message = "<script>document.location.href = '/Logout?session_id=%s'</script>" % session_id
        self.cmd("notification", ["done", message])

    def addHomepageNotifications(self):
        error_msgs = showPasswordAdvice(config.ui_password)
        for msg in error_msgs:
            self.site.notifications.append(["error", lang[msg]])

        return super(UiWebsocketPlugin, self).addHomepageNotifications()
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00			`import string`
			`import random`
			`import time`
			`import json`
			`import re`

			`from Config import config`
			`from Plugin import PluginManager`

			`if "sessions" not in locals().keys(): # To keep sessions between module reloads`
			`sessions = {}`


Weak password warning (#938) * Weak password warning * Update UiWebsocket.py * Don't implement print with an O(n^2) iteration * Rename method * Fix logging, uncaught exception in addNotes and pushes a notification when UI server is bound to the whole Internet. * Remove memo comments. Remove terminal hue. 2017-05-22 11:13:45 +02:00			`def showPasswordAdvice(password):`
			`error_msgs = []`
			`if not password or not isinstance(password, (str, unicode)):`
			`error_msgs.append("You have enabled <b>UiPassword</b> plugin, but you forgot to set a password!")`
			`elif len(password) < 8:`
			`error_msgs.append("You are using a very short UI password!")`
			`return error_msgs`

rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00			`@PluginManager.registerTo("UiRequest")`
			`class UiRequestPlugin(object):`
			`sessions = sessions`
			`last_cleanup = time.time()`

			`def route(self, path):`
Fix: ui_restrict now working with ui_password https://github.com/HelloZeroNet/ZeroNet/issues/207 2017-08-18 21:42:14 +02:00			`# Restict Ui access by ip`
			`if config.ui_restrict and self.env['REMOTE_ADDR'] not in config.ui_restrict:`
			`return self.error403(details=False)`
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00			`if path.endswith("favicon.ico"):`
			`return self.actionFile("src/Ui/media/img/favicon.ico")`
			`else:`
			`if config.ui_password:`
			`if time.time() - self.last_cleanup > 60 * 60: # Cleanup expired sessions every hour`
			`self.cleanup()`
			`# Validate session`
			`session_id = self.getCookies().get("session_id")`
			`if session_id not in self.sessions: # Invalid session id, display login`
			`return self.actionLogin()`
			`return super(UiRequestPlugin, self).route(path)`

			`# Action: Login`
			`def actionLogin(self):`
			`template = open("plugins/UiPassword/login.html").read()`
			`self.sendHeader()`
			`posted = self.getPosted()`
			`if posted: # Validate http posted data`
			`if self.checkPassword(posted.get("password")):`
			`# Valid password, create session`
			`session_id = self.randomString(26)`
			`self.sessions[session_id] = {`
			`"added": time.time(),`
			`"keep": posted.get("keep")`
			`}`

			`# Redirect to homepage or referer`
			`url = self.env.get("HTTP_REFERER", "")`
			`if not url or re.sub("\?.*", "", url).endswith("/Login"):`
			`url = "/" + config.homepage`
			`cookie_header = ('Set-Cookie', "session_id=%s;path=/;max-age=2592000;" % session_id) # Max age = 30 days`
			`self.start_response('301 Redirect', [('Location', url), cookie_header])`
			`yield "Redirecting..."`

			`else:`
			`# Invalid password, show login form again`
			`template = template.replace("{result}", "bad_password")`
			`yield template`

			`def checkPassword(self, password):`
Weak password warning (#938) * Weak password warning * Update UiWebsocket.py * Don't implement print with an O(n^2) iteration * Rename method * Fix logging, uncaught exception in addNotes and pushes a notification when UI server is bound to the whole Internet. * Remove memo comments. Remove terminal hue. 2017-05-22 11:13:45 +02:00			`return password == config.ui_password`
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00
Weak password warning (#938) * Weak password warning * Update UiWebsocket.py * Don't implement print with an O(n^2) iteration * Rename method * Fix logging, uncaught exception in addNotes and pushes a notification when UI server is bound to the whole Internet. * Remove memo comments. Remove terminal hue. 2017-05-22 11:13:45 +02:00			`def randomString(self, nchars):`
			`return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(nchars))`
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00
			`@classmethod`
			`def cleanup(cls):`
rev324, Store and display peers last found time, Fix UiPassword plugin cleanup bug, Experimental option to use tempfiles when downloading, Experimental option to stream files out of msgpack context, FileRequest streamFile command, Cleanup peers if not found for 4 hours, Don't reopen openssl in every 5min, Peer fileGet benchmark option 2015-07-25 13:38:58 +02:00			`cls.last_cleanup = time.time()`
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00			`for session_id, session in cls.sessions.items():`
			`if session["keep"] and time.time() - session["added"] > 60 * 60 * 24 * 60: # Max 60days for keep sessions`
			`del(cls.sessions[session_id])`
			`elif not session["keep"] and time.time() - session["added"] > 60 * 60 * 24: # Max 24h for non-keep sessions`
			`del(cls.sessions[session_id])`

			`# Action: Display sessions`
			`def actionSessions(self):`
			`self.sendHeader()`
			`yield "<pre>"`
			`yield json.dumps(self.sessions, indent=4)`

			`# Action: Logout`
			`def actionLogout(self):`
			`# Session id has to passed as get parameter or called without referer to avoid remote logout`
			`session_id = self.getCookies().get("session_id")`
			`if not self.env.get("HTTP_REFERER") or session_id == self.get.get("session_id"):`
			`if session_id in self.sessions:`
			`del self.sessions[session_id]`
			`self.start_response('301 Redirect', [`
			`('Location', "/"),`
			`('Set-Cookie', "session_id=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")`
			`])`
			`yield "Redirecting..."`
			`else:`
			`self.sendHeader()`
			`yield "Error: Invalid session id"`


Weak password warning (#938) * Weak password warning * Update UiWebsocket.py * Don't implement print with an O(n^2) iteration * Rename method * Fix logging, uncaught exception in addNotes and pushes a notification when UI server is bound to the whole Internet. * Remove memo comments. Remove terminal hue. 2017-05-22 11:13:45 +02:00
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00			`@PluginManager.registerTo("ConfigPlugin")`
			`class ConfigPlugin(object):`
			`def createArguments(self):`
			`group = self.parser.add_argument_group("UiPassword plugin")`
			`group.add_argument('--ui_password', help='Password to access UiServer', default=None, metavar="password")`

			`return super(ConfigPlugin, self).createArguments()`


Weak password warning (#938) * Weak password warning * Update UiWebsocket.py * Don't implement print with an O(n^2) iteration * Rename method * Fix logging, uncaught exception in addNotes and pushes a notification when UI server is bound to the whole Internet. * Remove memo comments. Remove terminal hue. 2017-05-22 11:13:45 +02:00			`from Translate import translate as lang`
rev307, Plugin for password protected web ui, Faster page load times by yielding wrapper html, Reworked configuration parser to support plugin extensions, Initial site sync bugfix, Test for configuration parsing, Parse posted data function 2015-07-17 00:28:43 +02:00			`@PluginManager.registerTo("UiWebsocket")`
			`class UiWebsocketPlugin(object):`
			`def actionUiLogout(self, to):`
			`permissions = self.getPermissions(to)`
			`if "ADMIN" not in permissions:`
			`return self.response(to, "You don't have permission to run this command")`

			`session_id = self.request.getCookies().get("session_id", "")`
			`message = "<script>document.location.href = '/Logout?session_id=%s'</script>" % session_id`
			`self.cmd("notification", ["done", message])`
Weak password warning (#938) * Weak password warning * Update UiWebsocket.py * Don't implement print with an O(n^2) iteration * Rename method * Fix logging, uncaught exception in addNotes and pushes a notification when UI server is bound to the whole Internet. * Remove memo comments. Remove terminal hue. 2017-05-22 11:13:45 +02:00
			`def addHomepageNotifications(self):`
			`error_msgs = showPasswordAdvice(config.ui_password)`
			`for msg in error_msgs:`
			`self.site.notifications.append(["error", lang[msg]])`

			`return super(UiWebsocketPlugin, self).addHomepageNotifications()`