From f899a04252f4661a9716af20f30547e9e1f597f6 Mon Sep 17 00:00:00 2001 From: zhuyj17 Date: Sun, 9 Dec 2018 23:50:57 +0800 Subject: [PATCH 1/7] update nginx_docklet.conf to forbid double slashes url --- conf/nginx_docklet.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/conf/nginx_docklet.conf b/conf/nginx_docklet.conf index 64cf178..3e75daf 100644 --- a/conf/nginx_docklet.conf +++ b/conf/nginx_docklet.conf @@ -3,6 +3,8 @@ server listen %NGINX_PORT; server_name nginx_docklet.conf; charset UTF-8; + merge_slashes off; + rewrite (.*)//+(.*) $1/$2 permanent; index index.html index.htm; client_max_body_size 20m; location ~ ^/NginxStatus/ { From 11f0fe14d3548c8dcae2e6ffb7872086efae7df6 Mon Sep 17 00:00:00 2001 From: zhuyj17 Date: Mon, 10 Dec 2018 00:00:29 +0800 Subject: [PATCH 2/7] add header into nginx to defend clickjacking --- conf/nginx_docklet.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/conf/nginx_docklet.conf b/conf/nginx_docklet.conf index 3e75daf..aa3d0a1 100644 --- a/conf/nginx_docklet.conf +++ b/conf/nginx_docklet.conf @@ -3,6 +3,7 @@ server listen %NGINX_PORT; server_name nginx_docklet.conf; charset UTF-8; + add_header X-Frame-Options SAMEORIGIN; merge_slashes off; rewrite (.*)//+(.*) $1/$2 permanent; index index.html index.htm; From 186a9003b2a42ec92d17581f24107fa7863dcf3c Mon Sep 17 00:00:00 2001 From: zhuyj17 Date: Mon, 10 Dec 2018 01:14:28 +0800 Subject: [PATCH 3/7] Add CsrfProtect --- prepare.sh | 1 + web/templates/addCluster.html | 4 ++-- web/templates/base_AdminLTE.html | 4 ++++ web/templates/beansapplication.html | 1 + web/templates/cloud.html | 1 + web/templates/config.html | 4 ++++ web/templates/create_notification.html | 1 + web/templates/listcontainer.html | 1 + web/templates/login.html | 1 + web/templates/notification.html | 2 ++ web/templates/register.html | 1 + web/templates/saveconfirm.html | 1 + web/templates/settings.html | 9 +++++++++ web/templates/user/activate.html | 1 + web/templates/user/info.html | 1 + web/templates/user_list.html | 3 +++ web/web.py | 3 ++- 17 files changed, 36 insertions(+), 3 deletions(-) diff --git a/prepare.sh b/prepare.sh index 0025f5b..f7b4208 100755 --- a/prepare.sh +++ b/prepare.sh @@ -23,6 +23,7 @@ apt-get install -y nodejs nodejs-legacy npm apt-get install -y etcd apt-get install -y glusterfs-client attr apt-get install -y nginx +pip3 install Flask-WTF #add ip forward echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf diff --git a/web/templates/addCluster.html b/web/templates/addCluster.html index de6ac2e..950e68d 100644 --- a/web/templates/addCluster.html +++ b/web/templates/addCluster.html @@ -38,7 +38,7 @@
- +
@@ -94,7 +94,7 @@ {{image['name']}} public {{p_user}} - {{image['size_format']}} + {{image['size_format']}} {{image['description']}}
diff --git a/web/templates/base_AdminLTE.html b/web/templates/base_AdminLTE.html index 8e6d747..b1ac314 100644 --- a/web/templates/base_AdminLTE.html +++ b/web/templates/base_AdminLTE.html @@ -117,6 +117,7 @@
    +
  • @@ -290,6 +291,9 @@ - - + - + - + - - - + + + - - + + + - + {% endblock %} diff --git a/web/templates/config.html b/web/templates/config.html index a64209c..2020582 100755 --- a/web/templates/config.html +++ b/web/templates/config.html @@ -449,9 +449,9 @@ {% block script_src %} - - - + + + - + + diff --git a/web/templates/monitor/historyVNode.html b/web/templates/monitor/historyVNode.html index 663561e..bd0ae83 100644 --- a/web/templates/monitor/historyVNode.html +++ b/web/templates/monitor/historyVNode.html @@ -69,9 +69,9 @@ {% block script_src %} - - - + + + {% endblock %} - diff --git a/web/templates/monitor/hosts.html b/web/templates/monitor/hosts.html index af7afd0..3df9d13 100644 --- a/web/templates/monitor/hosts.html +++ b/web/templates/monitor/hosts.html @@ -156,10 +156,9 @@ function updateAll() { var host = window.location.host; - // var url0 = "http://" + host + "/monitor/hosts/"; {% for master in allmachines %} {% for phym in allmachines[master] %} - url = "http://" + host + "/monitor/" + '{{master.split("@")[0]}}' + "/hosts/" + '{{phym["ip"]}}'; + url = "//" + host + "/monitor/" + '{{master.split("@")[0]}}' + "/hosts/" + '{{phym["ip"]}}'; // url = url0 + '{{ phym['ip'] }}'; update(url,'{{master.split("@")[1]}}_{{ loop.index }}'); {% endfor %} diff --git a/web/templates/monitor/hostsConAll.html b/web/templates/monitor/hostsConAll.html index 6b6e841..0ae194b 100644 --- a/web/templates/monitor/hostsConAll.html +++ b/web/templates/monitor/hostsConAll.html @@ -133,10 +133,8 @@ function updateAll() { var host = window.location.host; - // var url0 = "http://" + host + "/monitor/vnodes/"; - {% for container in containerslist %} - url = "http://" + host + "/monitor/" + '{{masterip}}' + "/vnodes/" + '{{container["Name"]}}'; + url = "//" + host + "/monitor/" + '{{masterip}}' + "/vnodes/" + '{{container["Name"]}}'; //url = url0 + '{{ container['Name'] }}'; update(url,'{{ container['Name'] }}'); {% endfor %} @@ -144,7 +142,7 @@ var info = data.monitor.concpuinfo; for(container in info) { - $("#"+container+"_cpupercent").html(info[container]); + $("#"+container+"_cpupercent").html(info[container]); } },"json");*/ } diff --git a/web/templates/monitor/status.html b/web/templates/monitor/status.html index e20f930..a1b8f71 100644 --- a/web/templates/monitor/status.html +++ b/web/templates/monitor/status.html @@ -273,9 +273,9 @@ {% block script_src %} - - - + + + - + + + diff --git a/web/webViews/authenticate/login.py b/web/webViews/authenticate/login.py index efc5252..c8fe6c7 100755 --- a/web/webViews/authenticate/login.py +++ b/web/webViews/authenticate/login.py @@ -47,7 +47,7 @@ class loginView(normalView): else: link = '' url = '' - return render_template(self.template_path, link = link, url = url, open_registry=self.open_registry) + return render_template(self.template_path, loginMsg="", link = link, url = url, open_registry=self.open_registry) @classmethod def post(self): @@ -70,7 +70,14 @@ class loginView(normalView): session['token'] = result['data']['token'] return resp else: - return redirect('/login/') + if (env.getenv('EXTERNAL_LOGIN') == 'True'): + url = external_generate.external_login_url + link = external_generate.external_login_link + else: + link = '' + url = '' + loginMsg = result.get('message', '') + return render_template(self.template_path, loginMsg=loginMsg, link = link, url = url, open_registry=self.open_registry) else: return redirect('/login/') From d5f6b2b41455377b9db65a1ad05558227c7dcf56 Mon Sep 17 00:00:00 2001 From: Firmlyzhu Date: Wed, 12 Dec 2018 19:10:05 +0800 Subject: [PATCH 7/7] Add LoginFailMsg into model & Ban user if he input wrong password for many times. --- conf/nginx_docklet.conf | 5 ++++- src/master/userManager.py | 31 ++++++++++++++++++++++++++++--- src/utils/model.py | 14 ++++++++++++++ 3 files changed, 46 insertions(+), 4 deletions(-) diff --git a/conf/nginx_docklet.conf b/conf/nginx_docklet.conf index 1ab42ad..d97042a 100644 --- a/conf/nginx_docklet.conf +++ b/conf/nginx_docklet.conf @@ -1,6 +1,9 @@ server { - listen %NGINX_PORT; + listen %NGINX_PORT; + #ssl on; + #ssl_certificate /etc/nginx/ssl/1604242_iwork.pku.edu.cn.pem; + #ssl_certificate_key /etc/nginx/ssl/1604242_iwork.pku.edu.cn.key; server_name nginx_docklet.conf; charset UTF-8; add_header X-Frame-Options SAMEORIGIN; diff --git a/src/master/userManager.py b/src/master/userManager.py index 782217f..4f7d5f1 100755 --- a/src/master/userManager.py +++ b/src/master/userManager.py @@ -7,7 +7,7 @@ Warning: in some early versions, "token" stand for the instance of class model.U Original author: Liu Peidong ''' -from utils.model import db, User, UserGroup, Notification, UserUsage, LoginMsg +from utils.model import db, User, UserGroup, Notification, UserUsage, LoginMsg, LoginFailMsg from functools import wraps import os, subprocess, math import hashlib @@ -19,7 +19,7 @@ import smtplib from email.mime.text import MIMEText from email.mime.multipart import MIMEMultipart from email.header import Header -from datetime import datetime +from datetime import datetime, timedelta import json from utils.log import logger from utils.lvmtool import * @@ -144,7 +144,6 @@ class userManager: ''' try: User.query.all() - LoginMsg.query.all() except: db.create_all() if password == None: @@ -202,6 +201,8 @@ class userManager: try: UserUsage.query.all() + LoginMsg.query.all() + LoginFailMsg.query.all() except: db.create_all() @@ -327,7 +328,22 @@ class userManager: return a token as well as some user information ''' user = User.query.filter_by(username = username).first() + failmsg = LoginFailMsg.query.filter_by(username = username).first() result = {} + if failmsg == None: + newfailmsg = LoginFailMsg(username) + db.session.add(newfailmsg) + db.session.commit() + failmsg = newfailmsg + elif failmsg.failcnt > 40: + reason = "You have been input wrong password over 40 times. You account will be locked. Please contact administrators for help." + logger.info("Login failed: userip=%s reason:%s" % (userip,reason)) + return {'success':'false', 'reason':reason} + elif datetime.now() < failmsg.bantime: + reason = "You have been input wrong password %d times. Please try after %s." % (failmsg.failcnt, failmsg.bantime.strftime("%Y-%m-%d %H:%M:%S")) + logger.info("Login failed: userip=%s reason:%s" % (userip,reason)) + return {'success':'false', 'reason':reason} + if (user == None or user.auth_method =='local'): result = self.auth_local(username, password) elif (user.auth_method == 'pam'): @@ -337,11 +353,20 @@ class userManager: if result['success'] == 'true': loginmsg = LoginMsg(result['data']['username'],userip) + failmsg.failcnt = 0 db.session.add(loginmsg) db.session.commit() logger.info("Login success: username=%s, userip=%s" % (result['data']['username'], userip)) else: logger.info("Login failed: userip=%s" % (userip)) + failmsg.failcnt += 1 + if failmsg.failcnt == 10: + failmsg.bantime = datetime.now() + timedelta(minutes=10) + elif failmsg.failcnt == 20: + failmsg.bantime = datetime.now() + timedelta(minutes=100) + elif failmsg.failcnt == 30: + failmsg.bantime = datetime.now() + timedelta(days=1) + db.session.commit() return result def auth_token(self, token): diff --git a/src/utils/model.py b/src/utils/model.py index f8e9651..37ef56c 100755 --- a/src/utils/model.py +++ b/src/utils/model.py @@ -221,6 +221,20 @@ class LoginMsg(db.Model): def __repr__(self): return '' % (self.id,self.username,self.userip,self.time.strftime("%Y-%m-%d %H:%M:%S")) +class LoginFailMsg(db.Model): + id = db.Column(db.Integer, primary_key=True) + username = db.Column(db.String(10), unique=True) + failcnt = db.Column(db.Integer) + bantime = db.Column(db.DateTime) + + def __init__(self, username): + self.username = username + self.failcnt = 0 + self.bantime = datetime.now() + + def __repr__(self): + return '' % (self.id,self.username,self.failcnt,self.bantime.strftime("%Y-%m-%d %H:%M:%S")) + class VNode(db.Model): __bind_key__ = 'history' name = db.Column(db.String(100), primary_key=True)