powerdns-admin/powerdnsadmin/routes/user.py

import datetime
import hashlib
import imghdr
import mimetypes

from flask import Blueprint, request, render_template, make_response, jsonify, redirect, url_for, g, session, \
    current_app, after_this_request, abort
from flask_login import current_user, login_required, login_manager

from ..models.user import User, Anonymous
from ..models.setting import Setting

user_bp = Blueprint('user',
                    __name__,
                    template_folder='templates',
                    url_prefix='/user')


@user_bp.before_request
def before_request():
    # Check if user is anonymous
    g.user = current_user
    login_manager.anonymous_user = Anonymous

    # Check site is in maintenance mode
    maintenance = Setting().get('maintenance')
    if maintenance and current_user.is_authenticated and current_user.role.name not in [
            'Administrator', 'Operator'
    ]:
        return render_template('maintenance.html')

    # Manage session timeout
    session.permanent = True
    current_app.permanent_session_lifetime = datetime.timedelta(
        minutes=int(Setting().get('session_timeout')))
    session.modified = True


@user_bp.route('/profile', methods=['GET', 'POST'])
@login_required
def profile():
    if request.method == 'GET':
        return render_template('user_profile.html')
    if request.method == 'POST':
        if session['authentication_type'] == 'LOCAL':
            firstname = request.form.get('firstname', '').strip()
            lastname = request.form.get('lastname', '').strip()
            email = request.form.get('email', '').strip()
            new_password = request.form.get('password', '')
        else:
            firstname = lastname = email = new_password = ''
            current_app.logger.warning(
                'Authenticated externally. User {0} information will not allowed to update the profile'
                .format(current_user.username))

        if request.data:
            jdata = request.json
            data = jdata['data']
            if jdata['action'] == 'enable_otp':
                if session['authentication_type'] in ['LOCAL', 'LDAP']:
                    enable_otp = data['enable_otp']
                    user = User(username=current_user.username)
                    user.update_profile(enable_otp=enable_otp)
                    return make_response(
                        jsonify({
                            'status':
                            'ok',
                            'msg':
                            'Change OTP Authentication successfully. Status: {0}'
                            .format(enable_otp)
                        }), 200)
                else:
                    return make_response(
                        jsonify({
                            'status':
                            'error',
                            'msg':
                            'User {0} is externally. You are not allowed to update the OTP'
                            .format(current_user.username)
                        }), 400)

        user = User(username=current_user.username,
                    plain_text_password=new_password,
                    firstname=firstname,
                    lastname=lastname,
                    email=email,
                    reload_info=False)
        user.update_profile()

        return render_template('user_profile.html')


@user_bp.route('/qrcode')
@login_required
def qrcode():
    if not current_user:
        return redirect(url_for('index'))

    return current_user.get_qrcode_value(), 200, {
        'Content-Type': 'image/svg+xml',
        'Cache-Control': 'no-cache, no-store, must-revalidate',
        'Pragma': 'no-cache',
        'Expires': '0'
    }


@user_bp.route('/image', methods=['GET'])
@login_required
def image():
    """Returns the user profile image or avatar."""

    @after_this_request
    def add_cache_headers(response_):
        """When the response is ok, add cache headers."""
        if 200 <= response_.status_code <= 399:
            response_.cache_control.private = True
            response_.cache_control.max_age = int(datetime.timedelta(days=1).total_seconds())
        return response_

    def return_image(content, content_type=None):
        """Return the given binary image content. Guess the type if not given."""
        if not content_type:
            guess = mimetypes.guess_type('example.' + imghdr.what(None, h=content))
            if guess and guess[0]:
                content_type = guess[0]

        return content, 200, {'Content-Type': content_type}

    # To prevent "cache poisoning", the username query parameter is required
    if request.args.get('username', None) != current_user.username:
        abort(400)

    setting = Setting()

    if session['authentication_type'] == 'LDAP':
        search_filter = '(&({0}={1}){2})'.format(setting.get('ldap_filter_username'),
                                                 current_user.username,
                                                 setting.get('ldap_filter_basic'))
        result = User().ldap_search(search_filter, setting.get('ldap_base_dn'))
        if result and result[0] and result[0][0] and result[0][0][1]:
            user_obj = result[0][0][1]
            for key in ['jpegPhoto', 'thumbnailPhoto']:
                if key in user_obj and user_obj[key] and user_obj[key][0]:
                    current_app.logger.debug(f'Return {key} from ldap as user image')
                    return return_image(user_obj[key][0])

    email = current_user.email
    if email and setting.get('gravatar_enabled'):
        hash_ = hashlib.md5(email.encode('utf-8')).hexdigest()
        url = f'https://s.gravatar.com/avatar/{hash_}?s=100'
        current_app.logger.debug('Redirect user image request to gravatar')
        return redirect(url, 307)

    # Fallback to the local default image
    return current_app.send_static_file('img/user_image.png')
User session improvement - Add session handler on other blueprint's before request - Adjustment in using jTimeout to close warning popup on other tabs when we extend the session 2019-12-18 08:25:20 +00:00			`import datetime`
Rework user image handling Moved all the logic out of the template into a separate endpoint. This makes it easy to extend to also support images from different sources like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow time-based caching in the browser, the url needs to be unique for every user by using a query parameter. Replaced the default/fallback user image with a new one. It is based on the old one, but does not need css to be visible. And removed said css. Gravatar has now its own setting named `gravatar_enabled`, which is disabled by default. 2022-05-27 11:01:46 +00:00			`import hashlib`
Add LDAP user images 2022-05-27 11:01:51 +00:00			`import imghdr`
			`import mimetypes`
Rework user image handling Moved all the logic out of the template into a separate endpoint. This makes it easy to extend to also support images from different sources like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow time-based caching in the browser, the url needs to be unique for every user by using a query parameter. Replaced the default/fallback user image with a new one. It is based on the old one, but does not need css to be visible. And removed said css. Gravatar has now its own setting named `gravatar_enabled`, which is disabled by default. 2022-05-27 11:01:46 +00:00
			`from flask import Blueprint, request, render_template, make_response, jsonify, redirect, url_for, g, session, \`
			`current_app, after_this_request, abort`
User session improvement - Add session handler on other blueprint's before request - Adjustment in using jTimeout to close warning popup on other tabs when we extend the session 2019-12-18 08:25:20 +00:00			`from flask_login import current_user, login_required, login_manager`
Refactoring the code - Use Flask blueprint - Split model and views into smaller parts - Bug fixes - API adjustment 2019-12-02 03:32:03 +00:00
User session improvement - Add session handler on other blueprint's before request - Adjustment in using jTimeout to close warning popup on other tabs when we extend the session 2019-12-18 08:25:20 +00:00			`from ..models.user import User, Anonymous`
			`from ..models.setting import Setting`
Refactoring the code - Use Flask blueprint - Split model and views into smaller parts - Bug fixes - API adjustment 2019-12-02 03:32:03 +00:00
			`user_bp = Blueprint('user',`
			`__name__,`
			`template_folder='templates',`
			`url_prefix='/user')`


User session improvement - Add session handler on other blueprint's before request - Adjustment in using jTimeout to close warning popup on other tabs when we extend the session 2019-12-18 08:25:20 +00:00			`@user_bp.before_request`
			`def before_request():`
			`# Check if user is anonymous`
			`g.user = current_user`
			`login_manager.anonymous_user = Anonymous`

			`# Check site is in maintenance mode`
			`maintenance = Setting().get('maintenance')`
			`if maintenance and current_user.is_authenticated and current_user.role.name not in [`
			`'Administrator', 'Operator'`
			`]:`
			`return render_template('maintenance.html')`

			`# Manage session timeout`
			`session.permanent = True`
			`current_app.permanent_session_lifetime = datetime.timedelta(`
			`minutes=int(Setting().get('session_timeout')))`
			`session.modified = True`


Refactoring the code - Use Flask blueprint - Split model and views into smaller parts - Bug fixes - API adjustment 2019-12-02 03:32:03 +00:00			`@user_bp.route('/profile', methods=['GET', 'POST'])`
			`@login_required`
			`def profile():`
			`if request.method == 'GET':`
			`return render_template('user_profile.html')`
			`if request.method == 'POST':`
			`if session['authentication_type'] == 'LOCAL':`
strip() whitespace from new local user master data (#1019) When creating a new local user, there is a chance that, due to a copy & paste or typing error, whitespace will be introduced at the start or end of the username. This can lead to issues when trying to log in using the affected username, as such a condition can easily be overlooked - no user will be found in the database if entering the username without the aforementioned whitespace. This commit therefore strip()s the username string within routes/{admin,index}.py. The firstname, lastname and email strings within routes/{admin,index,user}.py are also strip()ped on this occasion. 2021-11-05 15:04:35 +00:00			`firstname = request.form.get('firstname', '').strip()`
			`lastname = request.form.get('lastname', '').strip()`
			`email = request.form.get('email', '').strip()`
			`new_password = request.form.get('password', '')`
Refactoring the code - Use Flask blueprint - Split model and views into smaller parts - Bug fixes - API adjustment 2019-12-02 03:32:03 +00:00			`else:`
			`firstname = lastname = email = new_password = ''`
Code refactoring and bug fixes 2020-06-19 01:47:51 +00:00			`current_app.logger.warning(`
Refactoring the code - Use Flask blueprint - Split model and views into smaller parts - Bug fixes - API adjustment 2019-12-02 03:32:03 +00:00			`'Authenticated externally. User {0} information will not allowed to update the profile'`
			`.format(current_user.username))`

			`if request.data:`
			`jdata = request.json`
			`data = jdata['data']`
			`if jdata['action'] == 'enable_otp':`
			`if session['authentication_type'] in ['LOCAL', 'LDAP']:`
			`enable_otp = data['enable_otp']`
			`user = User(username=current_user.username)`
			`user.update_profile(enable_otp=enable_otp)`
			`return make_response(`
			`jsonify({`
			`'status':`
			`'ok',`
			`'msg':`
			`'Change OTP Authentication successfully. Status: {0}'`
			`.format(enable_otp)`
			`}), 200)`
			`else:`
			`return make_response(`
			`jsonify({`
			`'status':`
			`'error',`
			`'msg':`
			`'User {0} is externally. You are not allowed to update the OTP'`
			`.format(current_user.username)`
			`}), 400)`

			`user = User(username=current_user.username,`
			`plain_text_password=new_password,`
			`firstname=firstname,`
			`lastname=lastname,`
			`email=email,`
			`reload_info=False)`
			`user.update_profile()`

			`return render_template('user_profile.html')`


			`@user_bp.route('/qrcode')`
			`@login_required`
			`def qrcode():`
			`if not current_user:`
			`return redirect(url_for('index'))`

Add 'otp_force' basic setting (#1051) If the 'otp_force' and 'otp_field_enabled' basic settings are both enabled, automatically enable 2FA for the user after login or signup, if needed, by setting a new OTP secret. Redirect the user to a welcome page for scanning the QR code. Also show the secret key in ASCII form on the user profile page for easier copying into other applications. 2021-12-17 10:41:51 +00:00			`return current_user.get_qrcode_value(), 200, {`
Refactoring the code - Use Flask blueprint - Split model and views into smaller parts - Bug fixes - API adjustment 2019-12-02 03:32:03 +00:00			`'Content-Type': 'image/svg+xml',`
			`'Cache-Control': 'no-cache, no-store, must-revalidate',`
			`'Pragma': 'no-cache',`
			`'Expires': '0'`
Rework user image handling Moved all the logic out of the template into a separate endpoint. This makes it easy to extend to also support images from different sources like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow time-based caching in the browser, the url needs to be unique for every user by using a query parameter. Replaced the default/fallback user image with a new one. It is based on the old one, but does not need css to be visible. And removed said css. Gravatar has now its own setting named `gravatar_enabled`, which is disabled by default. 2022-05-27 11:01:46 +00:00			`}`


			`@user_bp.route('/image', methods=['GET'])`
			`@login_required`
			`def image():`
			`"""Returns the user profile image or avatar."""`

			`@after_this_request`
			`def add_cache_headers(response_):`
			`"""When the response is ok, add cache headers."""`
			`if 200 <= response_.status_code <= 399:`
			`response_.cache_control.private = True`
			`response_.cache_control.max_age = int(datetime.timedelta(days=1).total_seconds())`
			`return response_`

Add LDAP user images 2022-05-27 11:01:51 +00:00			`def return_image(content, content_type=None):`
			`"""Return the given binary image content. Guess the type if not given."""`
			`if not content_type:`
			`guess = mimetypes.guess_type('example.' + imghdr.what(None, h=content))`
			`if guess and guess[0]:`
			`content_type = guess[0]`

			`return content, 200, {'Content-Type': content_type}`

Rework user image handling Moved all the logic out of the template into a separate endpoint. This makes it easy to extend to also support images from different sources like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow time-based caching in the browser, the url needs to be unique for every user by using a query parameter. Replaced the default/fallback user image with a new one. It is based on the old one, but does not need css to be visible. And removed said css. Gravatar has now its own setting named `gravatar_enabled`, which is disabled by default. 2022-05-27 11:01:46 +00:00			`# To prevent "cache poisoning", the username query parameter is required`
			`if request.args.get('username', None) != current_user.username:`
			`abort(400)`

			`setting = Setting()`

Add LDAP user images 2022-05-27 11:01:51 +00:00			`if session['authentication_type'] == 'LDAP':`
			`search_filter = '(&({0}={1}){2})'.format(setting.get('ldap_filter_username'),`
			`current_user.username,`
			`setting.get('ldap_filter_basic'))`
			`result = User().ldap_search(search_filter, setting.get('ldap_base_dn'))`
			`if result and result[0] and result[0][0] and result[0][0][1]:`
			`user_obj = result[0][0][1]`
			`for key in ['jpegPhoto', 'thumbnailPhoto']:`
			`if key in user_obj and user_obj[key] and user_obj[key][0]:`
			`current_app.logger.debug(f'Return {key} from ldap as user image')`
			`return return_image(user_obj[key][0])`

Rework user image handling Moved all the logic out of the template into a separate endpoint. This makes it easy to extend to also support images from different sources like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow time-based caching in the browser, the url needs to be unique for every user by using a query parameter. Replaced the default/fallback user image with a new one. It is based on the old one, but does not need css to be visible. And removed said css. Gravatar has now its own setting named `gravatar_enabled`, which is disabled by default. 2022-05-27 11:01:46 +00:00			`email = current_user.email`
			`if email and setting.get('gravatar_enabled'):`
			`hash_ = hashlib.md5(email.encode('utf-8')).hexdigest()`
			`url = f'https://s.gravatar.com/avatar/{hash_}?s=100'`
			`current_app.logger.debug('Redirect user image request to gravatar')`
			`return redirect(url, 307)`

			`# Fallback to the local default image`
			`return current_app.send_static_file('img/user_image.png')`