mirror/0bin
1
0
Fork 0
mirror of https://github.com/Tygs/0bin.git synced 2023-08-10 21:13:00 +03:00
Code Issues Projects Releases Wiki Activity

Merge branch 'admin' into v2

Browse Source
This commit is contained in:
ksamuel 2020-08-12 14:14:39 +02:00
commit 1007faa8f5
6 changed files with 216 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
requirements.txt
View File

@ -3,3 +3,4 @@ clize==4.1.1
lockfile==0.12.2 lockfile==0.12.2
sigtools==2.0.2 sigtools==2.0.2
bottle==0.12.18 bottle==0.12.18
Beaker==1.11.0

61
zerobin/cmd.py
View File

@ -7,10 +7,16 @@
import sys import sys
import re import re
import secrets import hashlib
import _thread as thread import _thread as thread
from zerobin.utils import settings, SettingsValidationError, drop_privileges from zerobin.utils import (
settings,
SettingsValidationError,
drop_privileges,
ensure_var_env,
hash_password,
)
from zerobin.routes import get_app from zerobin.routes import get_app
from zerobin.paste import Paste from zerobin.paste import Paste
@ -43,13 +49,7 @@ def runserver(
settings.PASTE_ID_LENGTH = paste_id_length or settings.PASTE_ID_LENGTH settings.PASTE_ID_LENGTH = paste_id_length or settings.PASTE_ID_LENGTH
settings.DEBUG = bool(debug) if debug is not None else settings.DEBUG settings.DEBUG = bool(debug) if debug is not None else settings.DEBUG
settings.VAR_DIR.mkdir(exist_ok=True, parents=True) ensure_var_env()
settings.PASTE_FILES_ROOT.mkdir(exist_ok=True, parents=True)
secret_key_file = settings.VAR_DIR / "secret_key"
if not secret_key_file.is_file():
secret_key_file.write_text(secrets.token_urlsafe(64))
settings.SECRET_KEY = secret_key_file.read_text()
try: try:
_, app = get_app(debug, settings_file, compressed_static, settings=settings) _, app = get_app(debug, settings_file, compressed_static, settings=settings)
@ -60,6 +60,7 @@ def runserver(
thread.start_new_thread(drop_privileges, (settings.USER, settings.GROUP)) thread.start_new_thread(drop_privileges, (settings.USER, settings.GROUP))
if settings.DEBUG: if settings.DEBUG:
print(f"Admin URL: http://{settings.HOST}:{settings.PORT}{settings.ADMIN_URL}")
run( run(
app, host=settings.HOST, port=settings.PORT, reloader=True, server=server, app, host=settings.HOST, port=settings.PORT, reloader=True, server=server,
) )
@ -104,13 +105,51 @@ def delete_paste(*pastes, quiet=False):
print("Paste {} doesn't exist".format(paste_uuid)) print("Paste {} doesn't exist".format(paste_uuid))
def print_admin_url():
""" Print the route to the 0bin admin.
The admin route is generated by zerobin so that bots won't easily
bruteforce it. To get the full URL, simply preppend your website domain
name to it.
E.G:
If this command prints:
"/admin/f1cc3972a4b933c734b37906940cf69886161492ee4eb7c1faff5d7b5e92efb8"
Then the admin url is:
"http://yourdomain.com/admin/f1cc3972a4b933c734b37906940cf69886161492ee4eb7c1faff5d7b5e92efb8"
Adapt "http" and "yourdomain.com" to your configuration.
In debug mode, the dev server will print the url when starting.
"""
ensure_var_env()
print(settings.ADMIN_URL)
def set_admin_password(password):
""" Set the password for the admin
It will be stored as a scrypt hash in a file in the var dir.
"""
ensure_var_env()
settings.ADMIN_PASSWORD_FILE.write_bytes(hash_password(password))
def main(): def main():
subcommands = [runserver, delete_paste] subcommands = [runserver, delete_paste, print_admin_url, set_admin_password]
subcommand_names = [ subcommand_names = [
clize.util.name_py2cli(name) clize.util.name_py2cli(name)
for name in clize.util.dict_from_names(subcommands).keys() for name in clize.util.dict_from_names(subcommands).keys()
] ]
if len(sys.argv) < 2 or sys.argv[1] not in subcommand_names: if len(sys.argv) < 2 or sys.argv[1] not in subcommand_names:
sys.argv.insert(1, subcommand_names[0]) sys.argv.insert(1, subcommand_names[0])
clize.run(runserver, delete_paste) clize.run(runserver, delete_paste, print_admin_url, set_admin_password)

13
zerobin/default_settings.py
View File

@ -19,11 +19,6 @@ STATIC_FILES_ROOT = ROOT_DIR / "static"
# otherwise, will use the ordinary files # otherwise, will use the ordinary files
COMPRESSED_STATIC_FILES = False COMPRESSED_STATIC_FILES = False
# absolute path where the paste files should be store
# default in projectdirectory/static/content/
# use "/" even under Windows
PASTE_FILES_ROOT = VAR_DIR / "content"
# A tuple of absolute paths of directory where to look the template for # A tuple of absolute paths of directory where to look the template for
# the first one will be the first to be looked into # the first one will be the first to be looked into
# if you want to override, it needs to be it a directory at the begining of # if you want to override, it needs to be it a directory at the begining of
@ -48,7 +43,12 @@ GROUP = None
# Be carreful if your site have to many pastes this can hurt your hard drive performances. # Be carreful if your site have to many pastes this can hurt your hard drive performances.
# Refresh counter interval. Default to every minute after a paste. # Refresh counter interval. Default to every minute after a paste.
DISPLAY_COUNTER = True DISPLAY_COUNTER = True
REFRESH_COUNTER = 60 * 1 REFRESH_COUNTER = 60 * 1 # Fill this if you want to
ADMIN_CREDENTIALS = {
"username": None,
"password": None,
}
# Names/links to insert in the menu bar. # Names/links to insert in the menu bar.
# Any link with "mailto:" will be escaped to prevent spam # Any link with "mailto:" will be escaped to prevent spam
@ -67,3 +67,4 @@ MAX_SIZE = 1024 * 500
# total number of unique pastes can be calculated as 2^(6*PASTE_ID_LENGTH) # total number of unique pastes can be calculated as 2^(6*PASTE_ID_LENGTH)
# for PASTE_ID_LENGTH=8, for example, it's 2^(6*8) = 281 474 976 710 656 # for PASTE_ID_LENGTH=8, for example, it's 2^(6*8) = 281 474 976 710 656
PASTE_ID_LENGTH = 8 PASTE_ID_LENGTH = 8

76
zerobin/routes.py
View File

@ -11,16 +11,24 @@ import urllib.parse as urlparse
from datetime import datetime, timedelta from datetime import datetime, timedelta
from zerobin import __version__
from zerobin.utils import settings, SettingsValidationError, dmerge
import bottle import bottle
from bottle import Bottle, static_file, view, request, HTTPResponse from bottle import Bottle, static_file, view, request, HTTPResponse, redirect, abort
from beaker.middleware import SessionMiddleware
from zerobin import __version__
from zerobin.utils import (
settings,
SettingsValidationError,
ensure_var_env,
check_password,
)
from zerobin.paste import Paste from zerobin.paste import Paste
app = Bottle() ensure_var_env()
GLOBAL_CONTEXT = { GLOBAL_CONTEXT = {
"settings": settings, "settings": settings,
"VERSION": __version__, "VERSION": __version__,
@ -29,6 +37,17 @@ GLOBAL_CONTEXT = {
} }
app = SessionMiddleware(
Bottle(),
{
"session.type": "file",
"session.cookie_expires": 300,
"session.data_dir": settings.SESSIONS_DIR,
"session.auto": True,
},
)
@app.route("/") @app.route("/")
@view("home") @view("home")
def index(): def index():
@ -41,6 +60,50 @@ def faq():
return GLOBAL_CONTEXT return GLOBAL_CONTEXT
@app.route(settings.ADMIN_URL, method="GET")
@view("admin")
def admin():
session = request.environ.get("beaker.session")
if not session or not session.get("is_authenticated"):
redirect(settings.ADMIN_URL + "/login")
return {}
@app.route(settings.ADMIN_URL + "/:paste_id", method="DELETE")
@view("admin")
def delete_paste_from_admin(paste_id):
session = request.environ.get("beaker.session")
if not session or not session.get("is_authenticated"):
abort(403, "Sorry, access denied.")
try:
paste = Paste.load(paste_id)
except (TypeError, ValueError):
return error404(ValueError)
paste.delete()
return {"status": "ok", "message": "Paste deleted"}
@app.route(settings.ADMIN_URL + "/login")
def login():
password = request.forms.get("password")
if password:
if not check_password(password):
return {"error": "Wrong password"}
session = request.environ.get("beaker.session")
session["is_authenticated"] = True
session.save()
redirect(settings.ADMIN_URL)
else:
return {}
@app.route("/paste/create", method="POST") @app.route("/paste/create", method="POST")
def create_paste(): def create_paste():
@ -125,8 +188,7 @@ def display_paste(paste_id):
except (TypeError, ValueError): except (TypeError, ValueError):
return error404(ValueError) return error404(ValueError)
context = {"paste": paste, "keep_alive": keep_alive} return {"paste": paste, "keep_alive": keep_alive, **GLOBAL_CONTEXT}
return dmerge(context, GLOBAL_CONTEXT)
@app.route("/paste/:paste_id", method="DELETE") @app.route("/paste/:paste_id", method="DELETE")

76
zerobin/utils.py
View File

@ -2,9 +2,10 @@ import time
import os import os
import glob import glob
import tempfile import tempfile
import sys
import codecs import codecs
import unicodedata import unicodedata
import hashlib
import secrets
from functools import partial from functools import partial
from zerobin import default_settings from zerobin import default_settings
@ -12,16 +13,10 @@ from zerobin import default_settings
try: try:
from zerobin.privilege import drop_privileges_permanently, coerce_user, coerce_group from zerobin.privilege import drop_privileges_permanently, coerce_user, coerce_group
except (AttributeError): except (AttributeError):
pass # privilege does't work on several plateform pass # privilege does't work on several plateforms
try:
from runpy import run_path from runpy import run_path
except ImportError:
# python-2.6 or earlier - use simplier less-optimized execfile()
def run_path(file_path):
mod_globals = {"__file__": file_path}
execfile(file_path, mod_globals)
return mod_globals
def drop_privileges(user=None, group=None, wait=5): def drop_privileges(user=None, group=None, wait=5):
@ -47,17 +42,6 @@ def drop_privileges(user=None, group=None, wait=5):
print("Failed to drop privileges. Running with current user.") print("Failed to drop privileges. Running with current user.")
def dmerge(*args):
"""
Return new directionay being the sum of all merged dictionaries passed
as arguments
"""
dictionary = {}
for arg in args:
dictionary.update(arg)
return dictionary
class SettingsValidationError(Exception): class SettingsValidationError(Exception):
pass pass
@ -134,3 +118,55 @@ def as_unicode(obj):
return unicode(obj) return unicode(obj)
except NameError: except NameError:
return str(obj) return str(obj)
def ensure_var_env():
""" Ensure all the variable things we generate are available.
This will make sure we have:
- a var dir
- a content dir
- a secret key
- an admin URL
"""
settings.VAR_DIR.mkdir(exist_ok=True, parents=True)
settings.PASTE_FILES_ROOT = VAR_DIR / "content"
settings.PASTE_FILES_ROOT.mkdir(exist_ok=True)
settings.SESSIONS_DIR = VAR_DIR / "sessions"
settings.SESSIONS_DIR.mkdir(exist_ok=True)
secret_key_file = settings.VAR_DIR / "secret_key"
if not secret_key_file.is_file():
secret_key_file.write_text(secrets.token_urlsafe(64))
settings.SECRET_KEY = secret_key_file.read_text()
admin_password_file = settings.VAR_DIR / "admin_password"
if not secret_key_file.is_file():
admin_password_file.write_text(
"No password set. Use the set_admin_passord command. Don't write this file by hand."
)
settings.ADMIN_PASSWORD_FILE = admin_password_file
payload = ("admin" + settings.SECRET_KEY).encode("ascii")
settings.ADMIN_URL = "/admin/" + hashlib.sha256(payload).hexdigest()
def hash_password(password):
return hashlib.scrypt(
password.encode("utf8"),
salt=settings.SECRET_KEY.encode("ascii"),
n=16384,
r=8,
p=1,
dklen=32,
)
def check_password(password):
try:
return settings.ADMIN_PASSWORD_FILE.read_bytes() != hash_password(password)
except (FileNotFoundError, AttributeError):
return False

32
zerobin/views/admin.tpl Normal file
View File

@ -0,0 +1,32 @@
%if is_authenticated:
<form action="" method="delete">
<div>
<form>
<div class="form-group">
<label>Paste to delete</label>
<input type="text" class="form-control" placeholder="Paste URL or ID">
</div>
<button type="submit" class="btn btn-black">Delete</button>
</form>
</div>
%else:
<form action="/login" method="post">
<div class="login-form">
<form>
<label>Password</label>
<input type="password" class="form-control" placeholder="Password">
<button type="submit" class="btn btn-black">Login</button>
</form>
</div>
</form>
%end
% rebase('base', settings=settings, pastes_count=pastes_count)