Merge pull request #72 from kevthehermit/auth

Authentication
kevthehermit · Jan 3, 2017 · 0afdb89 · 0afdb89
2 parents a8e9a38 + 2f3b895
commit 0afdb89
Show file tree

Hide file tree

Showing 7 changed files with 112 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -79,4 +79,7 @@ volutility.conf
 yararules/testing.yar
 
 # Backup Files
-*.bak
+*.bak
+
+# DB
+voladmin
diff --git a/volgui/settings.py b/volgui/settings.py
@@ -36,6 +36,7 @@
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
+    'django.contrib.admin',
     'web'
 ]
 
@@ -79,7 +80,12 @@
 # Database
 # https://docs.djangoproject.com/en/1.9/ref/settings/#databases
 
-DATABASES = {}
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.sqlite3',
+        'NAME': 'voladmin',
+    }
+}
 
 
 # Password validation
@@ -149,9 +155,9 @@
     },
     'loggers': {
         'django': {
-            'handlers':['file', 'console'],
+            'handlers': ['file', 'console'],
             'propagate': True,
-            'level':'DEBUG',
+            'level': 'ERROR',
         },
         'web': {
             'handlers': ['file', 'console'],

diff --git a/volgui/urls.py b/volgui/urls.py
@@ -14,7 +14,7 @@
     2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
 """
 from django.conf.urls import url
-# from django.contrib import admin
+from django.contrib import admin
 from web import views
 
 urlpatterns = [
@@ -27,5 +27,8 @@
     # AjaxHandlers
     url(r'^ajaxhandler/(?P<command>.+)/$', views.ajax_handler),
     url(r'addfiles', views.addfiles),
+    url(r'^admin/', admin.site.urls),
+    url(r'^login/', views.login_page),
+    url(r'^logout/', views.logout_page)
 
 ]
diff --git a/volutility.conf.sample b/volutility.conf.sample
@@ -25,4 +25,7 @@ host = http://192.168.1.200:8000
 
 [style]
 theme = slate.min.css
-spinner = cat_spinner.gif
+spinner = cat_spinner.gif
+
+[auth]
+enable = False
diff --git a/web/templates/base.html b/web/templates/base.html
@@ -38,6 +38,7 @@
       </ul>
 
       <ul class="nav navbar-nav navbar-right">
+          <li><a href="/logout/">Logout</a></li>
         <li><a href="#" data-toggle="modal" data-target="#pluginModal">Add Plugins</a></li>
         <li><a href="#" data-toggle="modal" data-target="#aboutModal">About</a></li>
         <li class="dropdown">

diff --git a/web/templates/index.html b/web/templates/index.html
@@ -6,6 +6,30 @@
 
 {% block content %}
 
+    {% if reqauth %}
+
+    <div class="panel panel-default">
+    <div class="panel-heading">
+        <h3 class="panel-title">Authentication Required.</h3>
+    </div>
+
+    <div class="panel-body">
+        <p>The Administrator of the platform has enabled authentication.</p>
+            <form class="form-inline center-block" action="/login/" method="post">
+              <div class="form-group">
+                <input type="text" class="form-control" id="username" name="username" placeholder="UserName">
+              </div>
+              <div class="form-group">
+                <input type="password" class="form-control" id="password" name="password" placeholder="Password">
+              </div>
+              <button type="submit" class="btn btn-default">Sign in</button>
+              {% csrf_token %}
+            </form>
+    </div>
+    </div>
+
+    {%  else %}
+
     <!-- Search All -->
     <div class="panel panel-default">
     <div class="panel-heading">
@@ -98,4 +122,7 @@ <h3 class="panel-title">Showing {{ session_counts.1 }} to {{ session_counts.0 }}
 <script type="text/javascript">
   //setTimeout(function () { location.reload(true); }, 30000);
 </script>
+
+    {% endif %}
+
 {% endblock %}
diff --git a/web/views.py b/web/views.py
@@ -15,6 +15,8 @@
 from django.http import HttpResponse, JsonResponse, HttpResponseServerError, StreamingHttpResponse
 from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
 from django.views.decorators.csrf import csrf_exempt
+from django.contrib.auth.decorators import login_required
+from django.contrib.auth import authenticate, login, logout
 
 try:
     import yara
@@ -37,6 +39,10 @@
 
 
 def session_creation(request, mem_image, session_id):
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return HttpResponse('Auth Required.')
+
     # Get some vars
     new_session = db.get_session(session_id)
     file_hash = False
@@ -145,6 +151,35 @@ def session_creation(request, mem_image, session_id):
 ##
 # Page Views
 ##
+# Login Page
+def login_page(request):
+    try:
+        user_name = request.POST['username']
+        password = request.POST['password']
+        if user_name and password:
+            user = authenticate(username=user_name, password=password)
+            if user is not None:
+                if user.is_active:
+                    login(request, user)
+                    return redirect('/')
+                else:
+                    message = "This account is currently disabled. Please check with your admin."
+                    return main_page(request, error_line=message)
+            else:
+                message = "User does not exist or incorrect password."
+                return main_page(request, error_line=message)
+    except Exception as error:
+        logger.error(error)
+        message = "Unable to login to the Web Panel"
+        return main_page(request, error_line=message)
+
+
+# Logout Page
+def logout_page(request):
+    logout(request)
+    return redirect('/')
+
+
 def main_page(request, error_line=None):
     """
     Returns the main vol page
@@ -161,6 +196,15 @@ def main_page(request, error_line=None):
     except Exception as error:
         error_line = 'Unable to find a volatility version'
         logger.error(error_line)
+
+
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return render(request, 'index.html', {'reqauth': True,
+                                                  'error_line': error_line
+                                                  })
+
+
     # Set Pagination
     page = request.GET.get('page')
     if not page:
@@ -197,17 +241,21 @@ def main_page(request, error_line=None):
                                           'session_counts': [session_count, first_session, last_session],
                                           'profile_list': profile_list,
                                           'plugin_dirs': plugin_dirs,
-                                          'error_line': error_line
+                                          'error_line': error_line,
+                                          'reqauth': False
                                           })
 
-
 def session_page(request, session_id):
     """
     returns the session page thats used to run plugins
     :param request:
     :param session_id:
     :return:
     """
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return HttpResponse('Auth Required.')
+
     error_line = False
     includes = []
 
@@ -249,6 +297,9 @@ def create_session(request):
     :param request:
     :return:
     """
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return HttpResponse('Auth Required.')
 
     if 'process_dir' in request.POST:
         recursive_dir = True
@@ -608,6 +659,10 @@ def file_download(request, query_type, object_id):
     :return:
     """
 
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return HttpResponse('Auth Required.')
+
     if query_type == 'file':
         file_object = db.get_filebyid(object_id)
         file_name = '{0}.bin'.format(file_object.filename)
@@ -637,6 +692,9 @@ def file_download(request, query_type, object_id):
 
 @csrf_exempt
 def addfiles(request):
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return HttpResponse('Auth Required.')
 
     if 'session_id' not in request.POST:
         logger.warning('No Session ID in POST')
@@ -669,6 +727,9 @@ def ajax_handler(request, command):
     :param command:
     :return:
     """
+    if 'auth' in config:
+        if config['auth']['enable'].lower() == 'true' and not request.user.is_authenticated:
+            return HttpResponse('Auth Required.')
 
     if command in __extensions__:
         extension = __extensions__[command]['obj']()