diff --git a/burpui/api/admin.py b/burpui/api/admin.py index 6769659b..af4233a8 100644 --- a/burpui/api/admin.py +++ b/burpui/api/admin.py @@ -1492,7 +1492,10 @@ class MySessions(Resource): store = session_manager.get_session_by_id(str(id)) if not store: self.abort('Session not found') - if store.user != user: + if store.user != user and \ + not current_user.is_anonymous and \ + not current_user.acl.is_admin() and \ + not current_user.acl.is_moderator(): self.abort(403, 'Insufficient permissions') if session_manager.invalidate_session_by_id(store.uuid): session_manager.delete_session_by_id(store.uuid) diff --git a/burpui/routes.py b/burpui/routes.py index 296d968f..44f01e04 100644 --- a/burpui/routes.py +++ b/burpui/routes.py @@ -128,6 +128,16 @@ def settings(server=None, conf=None): ) +@view.route('/admin/sessions/') +@login_required +def admin_sessions(user): + # Only the admin can access this page + if not current_user.is_anonymous and not current_user.acl.is_admin() and \ + not current_user.acl.is_moderator(): + abort(403) + return render_template('admin/sessions.html', admin=True, sessions=True, user=user, ng_controller='AdminCtrl') + + @view.route('/admin/authentication/') @login_required def admin_authentication(user): diff --git a/burpui/static/dashboard.css b/burpui/static/dashboard.css index 1f98ad36..ef6b0d5f 100644 --- a/burpui/static/dashboard.css +++ b/burpui/static/dashboard.css @@ -396,7 +396,7 @@ td { -o-transition: all 0.3s ease; transition: all 0.3s ease; } -#back-to-top span { +#back-to-top i { color: #fff; margin: 0; position: relative; @@ -412,7 +412,7 @@ td { #back-to-top:hover { background: #428bca; } -#back-to-top:hover span { +#back-to-top:hover i { color: #fff; top: 5px; } diff --git a/burpui/templates/admin.html b/burpui/templates/admin.html index d271062f..a4913592 100644 --- a/burpui/templates/admin.html +++ b/burpui/templates/admin.html @@ -11,7 +11,7 @@
{{ _('Authentication') }}
-  {{ _('Loading, Please wait...') }} + {{ _('Loading, Please wait...') }}
@@ -46,14 +46,14 @@
-  {{ _('You are about to delete a user, are you sure?') }} + {{ _('You are about to delete a user, are you sure?') }}
diff --git a/burpui/templates/admin/authentication.html b/burpui/templates/admin/authentication.html new file mode 100644 index 00000000..18c031f8 --- /dev/null +++ b/burpui/templates/admin/authentication.html @@ -0,0 +1,34 @@ +{% extends "layout.html" %} +{% block body %} + {% include "notifications.html" %} +
+ {% include "small_topbar.html" %} + +
+
+ {{ _('Authentication') }} +
+
+ {{ _('Password of user %(user)s on %(backend)s', user=user, backend=backend) }} + +
+ +
+ +
+
+
+
+ + +
+
+
+
+
+
+{% endblock %} diff --git a/burpui/templates/admin/sessions.html b/burpui/templates/admin/sessions.html new file mode 100644 index 00000000..5c794cc1 --- /dev/null +++ b/burpui/templates/admin/sessions.html @@ -0,0 +1,55 @@ +{% extends "layout.html" %} +{% block body %} + {% include "notifications.html" %} +
+ {% include "small_topbar.html" %} + +
+
+ {{ _('Sessions') }} +
+ + + + + + + + + + + + + +
{{ _('IP') }}{{ _('Last seen') }}{{ _('User-Agent') }}{{ _('API Login') }}{{ _('Current session') }}{{ _('Expire') }}
+
+
+
+ +{% endblock %} diff --git a/burpui/templates/gerard.js b/burpui/templates/gerard.js index edef9b73..82817623 100644 --- a/burpui/templates/gerard.js +++ b/burpui/templates/gerard.js @@ -90,20 +90,20 @@ var notif = function(type, message, timeout) { switch(type) { case NOTIF_SUCCESS: t = 'success'; - i = ' '; + i = ' '; break; case NOTIF_WARNING: t = 'warning'; - i = ' '; + i = ' '; break; case NOTIF_ERROR: t = 'danger'; - i = ' '; + i = ' '; break; case NOTIF_INFO: default: t = 'info'; - i = ' '; + i = ' '; break; } e = $('
'+ @@ -359,7 +359,15 @@ $('#input-client').typeahead({ {% endif -%} {% if admin -%} + {% if authentication -%} +{% include "js/admin/authentication.js" %} + {% elif authorization -%} +{% include "js/admin/authorization.js" %} + {% elif sessions -%} +{% include "js/admin/sessions.js" %} + {% else -%} {% include "js/admin.js" %} + {% endif -%} {% endif -%} var _fit_menu = function() { @@ -440,25 +448,25 @@ $(function() { */ $('#refresh').on('click', function(e) { e.preventDefault(); - {% if clients -%} AJAX_CACHE = false; + {% if clients -%} _clients(); {% endif -%} {% if client and is_client_func -%} - AJAX_CACHE = false; _client(); {% endif -%} {% if not login -%} _check_running(); {% endif -%} {% if servers -%} - AJAX_CACHE = false; _servers(); {% endif -%} {% if me -%} - AJAX_CACHE = false; _sessions(); {% endif -%} + {% if admin -%} + _admin(); + {% endif -%} }); /*** @@ -502,6 +510,9 @@ $(function() { {% if me -%} _sessions(); {% endif -%} + {% if admin -%} + _admin(); + {% endif -%} {% if not report and not login -%} /*** diff --git a/burpui/templates/js/admin.js b/burpui/templates/js/admin.js index 50781ab0..7c98a3f8 100644 --- a/burpui/templates/js/admin.js +++ b/burpui/templates/js/admin.js @@ -112,8 +112,10 @@ app.controller('AdminCtrl', ['$scope', '$http', '$scrollspy', 'DTOptionsBuilder' var _me = undefined; var _users = {}; +var _auth_backends = {}; var _users_array = []; var __promises = []; +var __globals_promises = []; var _users_table = $('#table-users').DataTable( { {{ macros.translate_datatable() }} @@ -181,15 +183,22 @@ var _users_table = $('#table-users').DataTable( { { data: null, render: function ( data, type, row ) { - return ' '; + return '  '; } }, ], }); -$.getJSON('{{ url_for("api.admin_me") }}').done(function (data) { +var g = $.getJSON('{{ url_for("api.admin_me") }}').done(function (data) { _me = data; }); +__globals_promises.push(g); +g = $.getJSON('{{ url_for("api.auth_backends") }}').done(function (data) { + $.each(data, function(i, back) { + _auth_backends[back.name] = back; + }); +}); +__globals_promises.push(g); var _authentication = function() { $('#waiting-user-container').show(); @@ -260,7 +269,6 @@ var _authentication = function() { var _admin = function() { _authentication(); }; -_admin(); {{ macros.page_length('#table-list-clients') }} {{ macros.page_length('#table-list-templates') }} @@ -273,13 +281,19 @@ $( document ).ready(function () { }); /* Delete user */ +var _remove_selected = 0; $( document ).on('click', '.btn-delete-user', function(e) { var user_id = $(this).data('member'); var user = _users[user_id]; - var content = '{{ _("Please select the backend(s) from which to remove the user from:") }}'; + var content = '{{ _("Please select the backend(s) from which to remove the user:") }}'; $.each(user['backends'], function(i, back) { - content += '
'; + var disabled_legend = '{{ _("The backend does not support user removal") }}'; + var disabled = 'disabled title="'+disabled_legend+'"'; + var is_enabled = _auth_backends[back]['del']; + content += '
'; }); + /* disable submit button while we did not select a backend */ + $('#perform-delete').prop('disabled', true); $('#delete-details').html(content); $('#delete-user-modal').modal('toggle'); }); @@ -293,6 +307,16 @@ $( document ).on('change', 'input[name=user_backend]', function(e) { $('#delete-confirm').hide(); } } + if ($(this).is(':checked')) { + _remove_selected++; + } else { + _remove_selected--; + } + if (_remove_selected > 0) { + $('#perform-delete').prop('disabled', false); + } else { + $('#perform-delete').prop('disabled', true); + } }); $('#perform-delete').on('click', function(e) { $.each($('input[name=user_backend]'), function(i, elmt) { @@ -315,11 +339,27 @@ $( document ).on('click', '.btn-edit-user', function(e) { var user = _users[user_id]; var content = '{{ _("Please select the backend from which to edit the user from:") }}'; content += '
'; - content += '
'; $.each(user['backends'], function(i, back) { - content += ''; + is_enabled = _auth_backends[back]['mod']; + content += ''+back+''; }); content += '
'; + $('#perform-edit').prop('disabled', true); $('#edit-details').html(content); $('#edit-user-modal').modal('toggle'); }); +$( document ).on('change', '#edit_backend', function(e) { + if ($('#edit_backend option:selected').text() != '{{ _("Please select a backend") }}') { + $('#perform-edit').prop('disabled', false); + } +}); +$('#perform-edit').on('click', function(e) { + location = "{{ url_for('view.admin_authentication', user='') }}"+$('#edit_backend').data('id')+'?backend='+$('#edit_backend option:selected').text(); +}); + +/* user sessions */ +$( document ).on('click', '.btn-sessions-user', function(e) { + var user_id = $(this).data('member'); + location = "{{ url_for('view.admin_sessions', user='') }}"+user_id; +}); diff --git a/burpui/templates/js/admin/authentication.js b/burpui/templates/js/admin/authentication.js new file mode 100644 index 00000000..eb292281 --- /dev/null +++ b/burpui/templates/js/admin/authentication.js @@ -0,0 +1,42 @@ +var _admin = function() { + // do nothing + return true; +}; + +$('form[name=changePassword]').on('submit', function(e) { + e.preventDefault(); + var form = $(e.target); + submit = form.find('button[type="submit"]'); + sav = submit.text(); + submit.html(' {{ _("Saving...") }}'); + submit.attr('disabled', true); + /* submit the data */ + $.ajax({ + url: form.attr('action'), + type: 'POST', + data: { + 'password': $('input[name=password]').val(), + 'backend': "{{ backend }}" + }, + headers: { 'X-From-UI': true }, + }) + .fail(myFail) + .done(function(data) { + notifAll(data); + }) + .always(function() { + /* reset the submit button state */ + submit.text(sav); + submit.attr('disabled', false); + }); +}); + +/* placeholder */ +var app = angular.module('MainApp', ['ngSanitize', 'ui.select', 'mgcrea.ngStrap', 'datatables']); + +app.config(function(uiSelectConfig) { + uiSelectConfig.theme = 'bootstrap'; +}); + +app.controller('AdminCtrl', ['$scope', '$http', '$scrollspy', 'DTOptionsBuilder', 'DTColumnDefBuilder', function($scope, $http, $scrollspy, DTOptionsBuilder, DTColumnDefBuilder) { +}]); diff --git a/burpui/templates/js/admin/sessions.js b/burpui/templates/js/admin/sessions.js new file mode 100644 index 00000000..8c594b76 --- /dev/null +++ b/burpui/templates/js/admin/sessions.js @@ -0,0 +1,284 @@ +/*** + * The session part is handled by datatables + * the resulting JSON looks like: + * [ + * { + * "api": false, + * "current": false, + * "expire": "1970-01-01T00:00:00+01:00", + * "ip": "::ffff:10.0.0.100", + * "permanent": false, + * "timestamp": "2016-09-01T15:28:59.222028+02:00", + * "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", + * "uuid": "feaac9c7-6f61-4103-9536-d65aba335892" + * } + * ] + */ +{% import 'macros.html' as macros %} + +var _cache_id = _EXTRA; + +{{ macros.timestamp_filter() }} + +var _sessions_table = $('#table-sessions').DataTable( { + {{ macros.translate_datatable() }} + {{ macros.get_page_length() }} + responsive: true, + processing: true, + fixedHeader: true, + select: { + style: 'os', + }, + ajax: { + url: '{{ url_for("api.other_sessions", user=user) }}', + headers: { 'X-From-UI': true }, + cache: AJAX_CACHE, + error: myFail, + data: function (request) { + request._extra = _cache_id; + }, + dataSrc: function (data) { + return data; + } + }, + dom: "<'row'<'col-sm-6'l><'col-sm-6'f>>" + + "<'row'<'col-sm-12'tr>>" + + "<'row'<'col-sm-5'><'col-sm-7'p>>" + + "<'row'<'col-sm-5'i>>" + + "<'row'B>", + buttons: [ + { + text: '', + titleAttr: '{{ _("Select all") }}', + extend: 'selectAll', + }, + { + text: ' ', + titleAttr: '{{ _("Select all filtered") }}', + extend: 'selectAll', + action: function ( e, dt, node, config ) { + dt.rows( { search: 'applied' } ).select(); + } + }, + { + text: '', + titleAttr: '{{ _("Deselect all") }}', + extend: 'selectNone', + }, + { + text : ' ', + titleAttr: '{{ _("Deselect all filtered") }}', + extend: 'selectNone', + action: function ( e, dt, node, config ) { + dt.rows( { search: 'applied' } ).deselect(); + } + }, + { + text: '', + titleAttr: '{{ _("Revoke selected") }}', + className: 'btn-danger', + action: function ( e, dt, node, config ) { + var rows = dt.rows( { selected: true } ).data(); + var current = false; + var output = ''; + $.each(rows, function(i, row) { + output += JSON.stringify(row, null, 4)+'\n'; + if (row.current) { + current = true; + } + }); + if (current) { + $('#error-confirm').show(); + } else { + $('#error-confirm').hide(); + } + $('#session-details').empty().text(output); + $('#perform-revoke').data('multi', true); + $('#confirmation-modal').modal('toggle'); + }, + enabled: false + } + ], + order: [[1, 'desc']], + rowId: 'uuid', + columns: [ + { data: 'ip' }, + { + data: 'timestamp', + type: 'timestamp', + render: function( data, type, row ) { + if (type === 'filter') { + return data; + } + return ''+moment(data, moment.ISO_8601).subtract(3, 'seconds').fromNow()+''; + } + }, + { + data: 'ua', + render: function( data, type, row ) { + if (type === 'filter' || type === 'sort') { + return data; + } + ret = ''; + // Browser version + if (data.lastIndexOf('MSIE') > 0 || data.lastIndexOf('Trident') > 0) { + ret += ''; + } else if (data.lastIndexOf('Edge') > 0) { + ret += ''; + } else if (/Firefox[\/\s](\d+\.\d+)/.test(data)) { + ret += ''; + } else if (data.lastIndexOf('Chrome/') > 0) { + ret += ''; + } else if (data.lastIndexOf('Safari/') > 0) { + ret += ''; + } else { + ret += ''; + } + // Optionally add OS version + if (data.lastIndexOf('Android') > 0) { + ret += ' '; + } else if (data.lastIndexOf('iPhone') > 0 || data.lastIndexOf('iPad') > 0 || data.lastIndexOf('Macintosh') > 0) { + ret += ' '; + if (data.lastIndexOf('iPhone') > 0) { + ret += ' '; + } else if (data.lastIndexOf('iPad') > 0) { + ret += ' '; + } + } else if (data.lastIndexOf('Linux') > 0) { + ret += ' '; + } else if (data.lastIndexOf('Windows') > 0) { + ret += ' '; + } + return ''+ret+''; + } + }, + { + data: 'api', + render: function( data, type, row ) { + return ''; + } + }, + { + data: 'current', + render: function( data, type, row ) { + return ''; + } + }, + { + data: 'expire', + type: 'timestamp', + render: function( data, type, row ) { + if (type === 'filter') { + return data; + } + return ''+moment(data, moment.ISO_8601).fromNow()+''; + } + }, + ], +}); +var first = true; + +var _sessions = function() { + if (first) { + first = false; + } else { + if (!AJAX_CACHE) { + _cache_id = new Date().getTime(); + } + _sessions_table.ajax.reload( null, false ); + AJAX_CACHE = true; + } +}; + +var _events_callback = function() { + $('[data-toggle="tooltip"]').tooltip(); + $('[data-toggle="revoke-session"]').on('click', function(e) { + $me = $(this); + if ($me.data('current')) { + $('#error-confirm').show(); + } else { + $('#error-confirm').hide(); + } + $('#session-details').empty().text(unescape($me.data('misc'))); + $('#perform-revoke').data('id', $me.data('id')); + $('#perform-revoke').data('current', $me.data('current')); + $('#confirmation-modal').modal('toggle'); + }); +}; + +var select_event = function( e, dt, type, indexes ) { + var selectedRows = _sessions_table.rows( { selected: true } ).count(); + _sessions_table.buttons( [3, 4] ).enable( selectedRows > 0 ); +}; + +_sessions_table.on('select.dt', select_event); +_sessions_table.on('deselect.dt', select_event); +_sessions_table.on('draw.dt', _events_callback); +_sessions_table.on('responsive-display.dt', function ( e, datatable, row, showHide, update ) { + _events_callback(); +}); +{{ macros.page_length('#table-sessions') }} + +var revoke_session = function(id, refresh) { + return $.ajax({ + url: '{{ url_for("api.user_sessions") }}/'+id, + headers: { 'X-From-UI': true }, + type: 'DELETE' + }).done(function(data) { + notifAll(data); + if (refresh && data[0] == NOTIF_SUCCESS) { + AJAX_CACHE = false; + _sessions(); + } + }).fail(myFail); +}; + +$('#perform-revoke').on('click', function(e) { + $me = $(this); + if ($me.data('multi')) { + var rows = _sessions_table.rows( { selected: true } ).data(); + var current = undefined; + var requests = []; + var last; + $.each(rows, function(i, row) { + if (row.current) { + current = row; + return; + } + last = revoke_session(row.uuid, false); + requests.push(last); + }); + if (current) { + $.when.apply( $, requests ).done(function() { + window.location = '{{ url_for("view.logout") }}'; + return; + }); + } else { + $.when.apply( $, requests ).done(function() { + AJAX_CACHE = false; + _sessions(); + }); + } + return; + } + if ($me.data('current')) { + window.location = '{{ url_for("view.logout") }}'; + return; + } + revoke_session($me.data('id'), true); +}); + +var _admin = function() { + _sessions(); +}; + + +/* placeholder */ +var app = angular.module('MainApp', ['ngSanitize', 'ui.select', 'mgcrea.ngStrap', 'datatables']); + +app.config(function(uiSelectConfig) { + uiSelectConfig.theme = 'bootstrap'; +}); + +app.controller('AdminCtrl', ['$scope', '$http', '$scrollspy', 'DTOptionsBuilder', 'DTColumnDefBuilder', function($scope, $http, $scrollspy, DTOptionsBuilder, DTColumnDefBuilder) { +}]); diff --git a/burpui/templates/js/user.js b/burpui/templates/js/user.js index e7c803a1..0fa0d0cb 100644 --- a/burpui/templates/js/user.js +++ b/burpui/templates/js/user.js @@ -84,7 +84,7 @@ app.controller('UserCtrl', function($timeout, $scope, $http, $scrollspy) { var form = $(e.target); submit = form.find('button[type="submit"]'); sav = submit.text(); - submit.text('Saving...'); + submit.html(' {{ _("Saving...") }}'); submit.attr('disabled', true); /* submit the data */ $.ajax({ diff --git a/burpui/templates/layout.html b/burpui/templates/layout.html index 85e7b9c2..76faaead 100644 --- a/burpui/templates/layout.html +++ b/burpui/templates/layout.html @@ -21,7 +21,7 @@ - {% if me -%} + {% if me or sessions -%} {% endif -%} @@ -50,8 +50,10 @@
- {% if not live and not login and not about and not authentication and not authorization -%} + {% if not live and not login and not about and not authentication and not authorization and not sessions -%} {% include "sidebar.html" %} + {% else -%} + {% set no_sidebar = True %} {% endif -%} {% block body %}{% endblock %} @@ -89,7 +91,7 @@ - {% if me -%} + {% if me or sessions -%} diff --git a/burpui/templates/notifications.html b/burpui/templates/notifications.html index 6455df38..b12a51b7 100644 --- a/burpui/templates/notifications.html +++ b/burpui/templates/notifications.html @@ -1,5 +1,5 @@
-
+
{% with messages = get_flashed_messages(with_categories=true) -%} {% if messages -%}