pywebexec 1.7.2__py3-none-any.whl → 1.7.4__py3-none-any.whl

pywebexec/pywebexec.py

@@ -33,10 +33,12 @@ if os.environ.get('PYWEBEXEC_LDAP_SERVER'):
 app = Flask(__name__)
 app.secret_key = os.urandom(24)  # Secret key for session management
 app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'  # Add SameSite attribute to session cookies
+app.config['SESSION_COOKIE_SECURE'] = True
+app.config['SESSION_COOKIE_HTTPONLY'] = True
 auth = HTTPBasicAuth()
 
 app.config['LDAP_SERVER'] = os.environ.get('PYWEBEXEC_LDAP_SERVER')
-app.config['LDAP_USER_ID'] = os.environ.get('PYWEBEXEC_LDAP_USER_ID', "uid")
+app.config['LDAP_USER_ID'] = os.environ.get('PYWEBEXEC_LDAP_USER_ID', "uid") # sAMAccountName
 app.config['LDAP_GROUPS'] = os.environ.get('PYWEBEXEC_LDAP_GROUPS')
 app.config['LDAP_BASE_DN'] = os.environ.get('PYWEBEXEC_LDAP_BASE_DN')
 app.config['LDAP_BIND_DN'] = os.environ.get('PYWEBEXEC_LDAP_BIND_DN')
@@ -112,7 +114,7 @@ def generate_selfsigned_cert(hostname, ip_addresses=None, key=None):
     from cryptography.hazmat.backends import default_backend
     from cryptography.hazmat.primitives import serialization
     from cryptography.hazmat.primitives.asymmetric import rsa
-    
+
     # Generate our key
     if key is None:
         key = rsa.generate_private_key(
@@ -120,16 +122,16 @@ def generate_selfsigned_cert(hostname, ip_addresses=None, key=None):
             key_size=2048,
             backend=default_backend(),
         )
-    
+
     name = x509.Name([
         x509.NameAttribute(NameOID.COMMON_NAME, hostname)
     ])
- 
-    # best practice seem to be to include the hostname in the SAN, which *SHOULD* mean COMMON_NAME is ignored.    
+
+    # best practice seem to be to include the hostname in the SAN, which *SHOULD* mean COMMON_NAME is ignored.
     alt_names = [x509.DNSName(hostname)]
     alt_names.append(x509.DNSName("localhost"))
-    
-    # allow addressing by IP, for when you don't have real DNS (common in most testing scenarios 
+
+    # allow addressing by IP, for when you don't have real DNS (common in most testing scenarios
     if ip_addresses:
         for addr in ip_addresses:
             # openssl wants DNSnames for ips...
@@ -138,7 +140,7 @@ def generate_selfsigned_cert(hostname, ip_addresses=None, key=None):
             # note: older versions of cryptography do not understand ip_address objects
             alt_names.append(x509.IPAddress(ipaddress.ip_address(addr)))
     san = x509.SubjectAlternativeName(alt_names)
-    
+
     # path_len=0 means this cert can only sign itself, not other certs.
     basic_contraints = x509.BasicConstraints(ca=True, path_length=0)
     now = datetime.now(timezone.utc)
@@ -225,7 +227,7 @@ def get_last_line(file_path, cols=None, rows=None, maxsize=2048):
         except OSError:
             fd.seek(0)
         return get_visible_output(fd.read(), cols, rows)
-    
+
 
 def start_gunicorn(daemonized=False, baselog=None):
     check_processes()
@@ -304,7 +306,7 @@ def daemon_d(action, pidfilepath, silent=False, hostname=None, args=None):
 def start_term():
     os.environ["PYWEBEXEC"] = " (shared)"
     os.chdir(CWD)
-    start_time = datetime.now().isoformat()
+    start_time = datetime.now(timezone.utc).isoformat()
     user = pwd.getpwuid(os.getuid())[0]
     print(f"Starting terminal session for {user} : {term_command_id}")
     update_command_status(term_command_id, {
@@ -316,7 +318,7 @@ def start_term():
     })
     output_file_path = get_output_file_path(term_command_id)
     res = script(output_file_path)
-    end_time = datetime.now().isoformat()
+    end_time = datetime.now(timezone.utc).isoformat()
     update_command_status(term_command_id, {
         'status': 'success',
         'end_time': end_time,
@@ -488,7 +490,7 @@ def script(output_file):
         sigwinch_passthrough(None, None)
         signal.signal(signal.SIGWINCH, sigwinch_passthrough)
         p.interact()
-    
+
 
 def run_command(fromip, user, command, params, command_id):
     # app.logger.info(f'{fromip} run_command {command_id} {user}: {command} {params}')
@@ -593,6 +595,7 @@ def read_commands():
                     'start_time': status.get('start_time', 'N/A'),
                     'end_time': status.get('end_time', 'N/A'),
                     'command': command,
+                    'user': status.get('user'),
                     'exit_code': status.get('exit_code', 'N/A'),
                     'last_output_line': status.get('last_output_line'),
                 })
@@ -662,7 +665,7 @@ def check_authentication():
         if request.args.get('token') == token:
             return
         return jsonify({'error': 'Forbidden'}), 403
-    
+
     if not app.config['USER'] and not app.config['LDAP_SERVER']:
         return
 
@@ -687,30 +690,30 @@ def verify_ldap(username, password):
     tls_configuration = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2) if app.config['LDAP_SERVER'].startswith("ldaps:") else None
     server = Server(app.config['LDAP_SERVER'], tls=tls_configuration, get_info=ALL)
     user_filter = f"({app.config['LDAP_USER_ID']}={username})"
+    group_filter = ""
+    if app.config["LDAP_GROUPS"]:
+        group_filter = "".join(f"(memberOf={group})" for group in app.config['LDAP_GROUPS'].split(" "))
+        group_filter = f"(|{group_filter})"
+    ldap_filter = f"(&(objectClass=person){user_filter}{group_filter})"
     try:
         # Bind with the bind DN and password
         conn = Connection(server, user=app.config['LDAP_BIND_DN'], password=app.config['LDAP_BIND_PASSWORD'], authentication=SIMPLE, auto_bind=True, read_only=True)
         try:
-            conn.search(search_base=app.config['LDAP_BASE_DN'], search_filter=user_filter, search_scope=SUBTREE)
+            conn.search(search_base=app.config['LDAP_BASE_DN'], search_filter=ldap_filter, search_scope=SUBTREE)
             if len(conn.entries) == 0:
-                print(f"User {username} not found in LDAP.")
+                print(f"User {username} not found in LDAP in allowed groups.")
                 return False
             user_dn = conn.entries[0].entry_dn
         finally:
             conn.unbind()
-        
+
         # Bind with the user DN and password to verify credentials
         conn = Connection(server, user=user_dn, password=password, authentication=SIMPLE, auto_bind=True, read_only=True)
         try:
-            if not app.config['LDAP_GROUPS'] and conn.result["result"] == 0:
+            if conn.result["result"] == 0:
                 return True
-            group_filter = "".join([f'({group})' for group in app.config['LDAP_GROUPS'].split(",")])
-            group_filter = f"(&{group_filter}(|(member={user_dn})(uniqueMember={user_dn})))"
-            conn.search(search_base=app.config['LDAP_BASE_DN'], search_filter=group_filter, search_scope=SUBTREE)
-            result = len(conn.entries) > 0
-            if not result:
-                print(f"User {username} is not a member of groups {app.config['LDAP_GROUPS']}.")
-            return result
+            print(f"{username}: Password mismatch")
+            return False
         finally:
             conn.unbind()
     except Exception as e:

pywebexec/static/js/popup.js

@@ -117,7 +117,7 @@ async function fetchOutput(url) {
     try {
         const response = await fetch(url);
         if (!response.ok) {
-            document.getElementById('dimmer').style.display = 'none';
+            document.getElementById('dimmer').style.display = 'block';
             return;
         }
         const data = await response.json();
@@ -151,6 +151,7 @@ async function fetchOutput(url) {
                 toggleButton.style.display = 'block';
                 setCommandStatus(data.status)
             }
+            document.getElementById('dimmer').style.display = 'none';
         }
     } catch (error) {
         document.getElementById('dimmer').style.display = 'block';

pywebexec/static/js/script.js

@@ -186,7 +186,7 @@ async function fetchCommands(hide=false) {
                 <td>
                     ${command.command.startsWith('term') ? '' : command.status === 'running' ? `<button onclick="stopCommand('${command.command_id}', event)">Stop</button>` : `<button onclick="relaunchCommand('${command.command_id}', event)">Run</button>`}
                 </td>
-                <td class="system-font">${command.command.replace(/^\.\//, '')}</td>
+                <td class="system-font" title="${command.user == '-' ? '' : command.user}">${command.command.replace(/^\.\//, '')}</td>
                 <td class="monospace outcol">
                     <button class="popup-button" onclick="openPopup('${command.command_id}', event)"></button>
                     ${command.last_output_line || ''}
@@ -361,7 +361,7 @@ async function stopCommand(command_id, event) {
 function formatTime(time) {
     if (!time || time === 'N/A') return 'N/A';
     const date = new Date(time);
-    return date.toISOString().slice(0, 16).replace('T', ' ');
+    return date.toLocaleString().slice(0, 16).replace('T', ' ');
 }
 
 function formatDuration(startTime, endTime) {

pywebexec/version.py

@@ -12,5 +12,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '1.7.2'
-__version_tuple__ = version_tuple = (1, 7, 2)
+__version__ = version = '1.7.4'
+__version_tuple__ = version_tuple = (1, 7, 4)

{pywebexec-1.7.2.dist-info → pywebexec-1.7.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: pywebexec
-Version: 1.7.2
+Version: 1.7.4
 Summary: Simple Python HTTP Exec Server
 Home-page: https://github.com/joknarf/pywebexec
 Author: Franck Jouvanceau
@@ -153,13 +153,14 @@ $ pywebexec -u myuser [-P mypass]
 Generated password is given if no `--pasword` option
 
 * ldap(s) password check / group member
+ldap server must accept memberOf attribute for group members
 ```shell
-$ export PYWEBEXEC_LDAP_SERVER=ldap://ldap.forumsys.com:389
+$ export PYWEBEXEC_LDAP_SERVER=ldaps://ldap.mydomain.com:389
 $ export PYWEBEXEC_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com"
 $ export PYWEBEXEC_LDAP_BIND_PASSWORD="password"
-$ export PYWEBEXEC_LDAP_GROUPS="ou=mathematicians,ou=scientists"
-$ export PYWEBEXEC_LDAP_USER_ID="uid"
 $ export PYWEBEXEC_LDAP_BASE_DN="dc=example,dc=com"
+$ export PYWEBEXEC_LDAP_USER_ID="uid" # sAMAccountName for AD
+$ export PYWEBEXEC_LDAP_GROUPS="ou=mathematicians,dc=example,dc=com ou=scientists,dc=example,dc=com"
 $ pywebexec
 ```
 ## HTTPS server

{pywebexec-1.7.2.dist-info → pywebexec-1.7.4.dist-info}/RECORD

@@ -1,6 +1,6 @@
 pywebexec/__init__.py,sha256=4spIsVaF8RJt8S58AG_wWoORRNkws9Iwqprj27C3ljM,99
-pywebexec/pywebexec.py,sha256=gJsI7kob3IyB6DVoWWSyEHOcxpWlsZz-b7jQUyePA-A,33555
-pywebexec/version.py,sha256=Qj1rYkRQ0hSV6NX03bgvPhjsn6HWrQ8maBXi446C5ZM,411
+pywebexec/pywebexec.py,sha256=VBR6KmRiHNCd0ZvGEu_5sTqzVrUEPBhM8Hi6knS1QcA,33526
+pywebexec/version.py,sha256=RXCVfb--6hzsLq9eHm4YOs9d-j0v74-HRGs2DFWnpjQ,411
 pywebexec/static/css/Consolas NF.ttf,sha256=DJEOzF0eqZ-kxu3Gs_VE8X0NJqiobBzmxWDGpdgGRxI,1313900
 pywebexec/static/css/style.css,sha256=3s7QgbCh4wb7kfZ7Pjo-B6o3lDIBogZ-3j6AfaPdpzU,8209
 pywebexec/static/css/xterm.css,sha256=uo5phWaUiJgcz0DAzv46uoByLLbJLeetYosL1xf68rY,5559
@@ -21,8 +21,8 @@ pywebexec/static/images/resume.svg,sha256=99LP1Ya2JXakRCO9kW8JMuT_4a_CannF65Eiuw
 pywebexec/static/images/running.svg,sha256=fBCYwYb2O9K4N3waC2nURP25NRwZlqR4PbDZy6JQMww,610
 pywebexec/static/images/success.svg,sha256=NVwezvVMplt46ElW798vqGfrL21Mw_DWHUp_qiD_FU8,489
 pywebexec/static/js/commands.js,sha256=h2fkd9qpypLBxvhEEbay23nwuqUwcKJA0vHugcyL8pU,7961
-pywebexec/static/js/popup.js,sha256=UPKtjPLIR5KaAV2i1iWUGwcCTX1tT3vnOIMc8VKQqag,9311
-pywebexec/static/js/script.js,sha256=W5NfzFYdyfQpALx_bjeppQFVWxvZGMoVTTq0VOnITxw,18147
+pywebexec/static/js/popup.js,sha256=oVkwnOKHae11omBiTZs-00NVeS9HGNEiUo71JSwOqn4,9382
+pywebexec/static/js/script.js,sha256=hT50gLRs-GRQoxDNJN__X3UQxk003M1ZPlvmzj8BZtc,18201
 pywebexec/static/js/xterm/LICENSE,sha256=EU1P4eXTull-_T9I80VuwnJXubB-zLzUl3xpEYj2T1M,1083
 pywebexec/static/js/xterm/addon-canvas.js,sha256=ez6QTVvsmLVNJmdJlM-ZQ5bErwlxAQ_9DUmDIptl2TM,94607
 pywebexec/static/js/xterm/addon-canvas.js.map,sha256=ECBA4B-BqUpdFeRzlsEWLSQnudnhLP-yPQJ8_hKquMo,379537
@@ -35,9 +35,9 @@ pywebexec/static/js/xterm/xterm.js.map,sha256=Y7O2Pb-fIS7Z8AC1D5s04_aiW_Jf1f4mCf
 pywebexec/templates/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pywebexec/templates/index.html,sha256=2fEN8cggHBEd8-RamDFpnekVJtIbRembFSw0-1YEptc,2979
 pywebexec/templates/popup.html,sha256=GT2jY7oOxpCaBaRl924QJWdFBmfSOP952T13d37R_pY,1506
-pywebexec-1.7.2.dist-info/LICENSE,sha256=gRJf0JPT_wsZJsUGlWPTS8Vypfl9vQ1qjp6sNbKykuA,1064
-pywebexec-1.7.2.dist-info/METADATA,sha256=NudV7MvLxsTsIZzpTjzNuLJNijAmoK0C9o5VDIg0oRI,8000
-pywebexec-1.7.2.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
-pywebexec-1.7.2.dist-info/entry_points.txt,sha256=l52GBkPCXRkmlHfEyoVauyfBdg8o-CAtC8qQpOIjJK0,55
-pywebexec-1.7.2.dist-info/top_level.txt,sha256=vHoHyzngrfGdm_nM7Xn_5iLmaCrf10XO1EhldgNLEQ8,10
-pywebexec-1.7.2.dist-info/RECORD,,
+pywebexec-1.7.4.dist-info/LICENSE,sha256=gRJf0JPT_wsZJsUGlWPTS8Vypfl9vQ1qjp6sNbKykuA,1064
+pywebexec-1.7.4.dist-info/METADATA,sha256=Cui8J6P2uQXqzD43UuHSypY2oQCrp3palZ34daD_Gfg,8122
+pywebexec-1.7.4.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
+pywebexec-1.7.4.dist-info/entry_points.txt,sha256=l52GBkPCXRkmlHfEyoVauyfBdg8o-CAtC8qQpOIjJK0,55
+pywebexec-1.7.4.dist-info/top_level.txt,sha256=vHoHyzngrfGdm_nM7Xn_5iLmaCrf10XO1EhldgNLEQ8,10
+pywebexec-1.7.4.dist-info/RECORD,,