You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
284 lines
12 KiB
284 lines
12 KiB
from django.shortcuts import render
|
|
from django.http import HttpResponse
|
|
from django.http import HttpResponseRedirect
|
|
from django.http import HttpResponseNotFound
|
|
from django.views.decorators.csrf import csrf_exempt
|
|
from django.contrib.auth import authenticate, login, logout
|
|
from django.contrib.auth.models import User
|
|
from django.contrib import messages
|
|
from django.db import connection
|
|
from quiz.models import Answer, LetsEncryptChallenge
|
|
import oauth2 as oauth, cgi, json, base64, urlparse, subprocess
|
|
from oauth2_provider.views.generic import ProtectedResourceView
|
|
import securityquiz.secrets as secrets
|
|
import securityquiz.settings as settings
|
|
import datetime, pytz
|
|
|
|
AVANS_KEY = secrets.AVANS_KEY
|
|
AVANS_SECRET = secrets.AVANS_SECRET
|
|
REQUEST_TOKEN_URL = 'https://publicapi.avans.nl/oauth/request_token?oauth_callback=http://%s/callback'
|
|
ACCESS_TOKEN_URL = 'https://publicapi.avans.nl/oauth/access_token'
|
|
AUTHORIZE_URL = 'https://publicapi.avans.nl/oauth/saml.php?oauth_token=%s'
|
|
|
|
consumer = oauth.Consumer(AVANS_KEY, AVANS_SECRET)
|
|
client = oauth.Client(consumer)
|
|
|
|
@csrf_exempt
|
|
def git_pull(request):
|
|
output = subprocess.check_output(["git", "-C", "/var/www/sec1.aii.avans.nl", "pull"])
|
|
return HttpResponse(output)
|
|
|
|
def avans_login(request):
|
|
|
|
resp, content = client.request(REQUEST_TOKEN_URL % request.get_host(), "GET")
|
|
|
|
if resp['status'] != '200':
|
|
raise Exception("Invalid response from oauth")
|
|
|
|
request.session['request_token'] = dict(cgi.parse_qsl(content))
|
|
|
|
url = AUTHORIZE_URL % (request.session['request_token']['oauth_token'])
|
|
return HttpResponseRedirect(url)
|
|
|
|
def avans_callback(request):
|
|
token = oauth.Token(request.session['request_token']['oauth_token'], request.session['request_token']['oauth_token_secret'])
|
|
token.set_verifier(request.GET['oauth_verifier'])
|
|
|
|
client = oauth.Client(consumer, token)
|
|
|
|
resp, content = client.request(ACCESS_TOKEN_URL, "GET")
|
|
if resp['status'] != '200':
|
|
raise Exception("Invalid response from Avans.")
|
|
|
|
access_token = dict(cgi.parse_qsl(content))
|
|
token = oauth.Token(access_token['oauth_token'], access_token['oauth_token_secret'])
|
|
client = oauth.Client(consumer, token)
|
|
|
|
resp, content = client.request('https://publicapi.avans.nl/oauth/studentnummer/', 'GET')
|
|
data = json.loads(content)[0]
|
|
studentnummer = data['studentnummer']
|
|
inlognaam = data['inlognaam']
|
|
|
|
try:
|
|
user = User.objects.get(username=inlognaam)
|
|
except User.DoesNotExist:
|
|
user = User.objects.create_user(inlognaam, studentnummer, 'secret')
|
|
|
|
user = authenticate(username=inlognaam, password='secret')
|
|
login(request, user)
|
|
|
|
return HttpResponseRedirect('/')
|
|
|
|
def avans_logout(request):
|
|
logout(request)
|
|
return HttpResponse('Je bent nu uitgelogd... <a href="/">Opnieuw inloggen</a>')
|
|
|
|
@csrf_exempt
|
|
def save(request):
|
|
data = dict(urlparse.parse_qsl(base64.b64decode(request.body), True))
|
|
print data
|
|
save_data(data, request.user)
|
|
return HttpResponse('ok')
|
|
|
|
def save_data(data, user):
|
|
for key in data:
|
|
if key.startswith('answer'):
|
|
answer, created = Answer.objects.get_or_create(user=user, question=key)
|
|
if answer.string <> data[key]:
|
|
answer.string = data[key]
|
|
answer.submitted = pytz.utc.localize(datetime.datetime.utcnow())
|
|
answer.points = None
|
|
answer.comment = None
|
|
answer.save()
|
|
|
|
def home(request, url):
|
|
if not request.user.is_authenticated():
|
|
return avans_login(request)
|
|
|
|
if request.method == 'POST':
|
|
save_data(request.POST, request.user)
|
|
|
|
messages.add_message(request, messages.INFO, 'Je antwoorden zijn opgeslagen')
|
|
return HttpResponseRedirect('/' + url)
|
|
|
|
answers = Answer.objects.filter(user=request.user)
|
|
answers_dict = {}
|
|
for answer in answers:
|
|
|
|
answers_dict[answer.question] = {'string': answer.string, 'points': answer.points}
|
|
|
|
if url == 'sql' or url == '':
|
|
template = 'sql.html'
|
|
elif url == 'xss':
|
|
template = 'xss.html'
|
|
elif url == 'path':
|
|
template = 'path.html'
|
|
elif url == 'wachtwoorden':
|
|
template = 'wachtwoorden.html'
|
|
elif url == 'certificaten':
|
|
template = 'certificaten.html'
|
|
elif url == 'encryptie':
|
|
template = 'encryptie.html'
|
|
elif url == 'bonus':
|
|
template = 'bonus.html'
|
|
elif url == 'oauth':
|
|
template = 'oauth.html'
|
|
else:
|
|
return HttpResponseNotFound('404')
|
|
|
|
return render(request, template, {'answers': answers_dict})
|
|
|
|
|
|
class SecurityApi(ProtectedResourceView):
|
|
def get(self, request, *args, **kwargs):
|
|
return HttpResponse("Geheime code: abguvatgbfrrurerzbirnybat")
|
|
|
|
def letsencrypt(request):
|
|
template_vars = {}
|
|
if request.method == 'POST':
|
|
try:
|
|
challengeresponse = request.POST['challenge-response']
|
|
|
|
if challengeresponse.strip() == '':
|
|
raise Exception('Geen data opgegeven')
|
|
|
|
if not '.' in challengeresponse:
|
|
raise Exception('Verkeerde code opgegeven. De code die je moet opgeven is met een puntje er in.')
|
|
print challengeresponse.split('.')
|
|
if len(challengeresponse.split('.')) <> 2:
|
|
raise Exception('De code moet maar 1 puntje bevatten')
|
|
|
|
challenge, response = challengeresponse.split('.')
|
|
|
|
if len(challenge) < 40 or len(response) < 40:
|
|
raise Exception('De code is te kort')
|
|
|
|
expiry_date = pytz.utc.localize(datetime.datetime.utcnow() + datetime.timedelta(minutes=10))
|
|
challengeresponse, created = LetsEncryptChallenge.objects.get_or_create(challenge=challenge, defaults={
|
|
'response': response,
|
|
'expiry_date': expiry_date
|
|
})
|
|
|
|
challengeresponse.response = response
|
|
challengeresponse.expiry_date = expiry_date
|
|
challengeresponse.save()
|
|
|
|
template_vars['challenge'] = challenge
|
|
template_vars['response'] = response
|
|
except str as e:
|
|
template_vars['error'] = e.message
|
|
raise e
|
|
|
|
return render(request, 'letsencrypt.html', template_vars)
|
|
|
|
def letsencrypt_challenge(request, challenge):
|
|
try:
|
|
# Delete old challenges
|
|
LetsEncryptChallenge.objects.filter(expiry_date__lte=datetime.datetime.utcnow()).delete()
|
|
|
|
challengeresponse = LetsEncryptChallenge.objects.get(challenge=challenge)
|
|
|
|
response = HttpResponse(challengeresponse.challenge + "." + challengeresponse.response)
|
|
response['Content-Type'] = 'text/plain'
|
|
return response
|
|
except LetsEncryptChallenge.DoesNotExist:
|
|
return HttpResponseNotFound('404')
|
|
|
|
|
|
|
|
def sign(request):
|
|
if request.method == 'POST':
|
|
from OpenSSL import crypto
|
|
import time
|
|
|
|
ca_cert_file = """-----BEGIN CERTIFICATE-----
|
|
MIIEjzCCA3egAwIBAgIJAIyZIB4fbN2mMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
|
|
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2Vs
|
|
ZXMxDzANBgNVBAoTBlNwYWNlWDEMMAoGA1UECxMDQ0VPMRIwEAYDVQQDEwlFbG9u
|
|
IE11c2sxHjAcBgkqhkiG9w0BCQEWD2Vsb25Ac3BhY2V4LmNvbTAeFw0xNTA1Mjgx
|
|
NjEyMjFaFw0yNTA1MjUxNjEyMjFaMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
|
|
Q2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxDzANBgNVBAoTBlNwYWNl
|
|
WDEMMAoGA1UECxMDQ0VPMRIwEAYDVQQDEwlFbG9uIE11c2sxHjAcBgkqhkiG9w0B
|
|
CQEWD2Vsb25Ac3BhY2V4LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
|
ggEBAMWr64mMZDfWUuYmROz+FszmwjGZvFz0CGxiExHEAFfzZfF60Rts2Qm+o7cc
|
|
bZ/UtAaIgIve5WiWhQ5mqDoyECfuVOTcddWCrskLgLafoP6nPVdTDIXsPtsjtRuV
|
|
D1ptsduDVCeQkcKFUcfLd6QXJaOAYU20gb7FJ8KFUmJXn4HXg6BsZvu8grJgh51O
|
|
29JRw83I0FxzBZw4JSvETW968NexO+aliR/inK4GQQqk4joxuT6MSVsd+17ss6wn
|
|
WO1nUNxhSW3MQePrfphkQbNZn/l1T1MfN6XAs4P9boqgENHZ2WskGIeZ5g1I4MVE
|
|
WPFTZ8HwprCvybM8mneqVp/P+FcCAwEAAaOB8zCB8DAdBgNVHQ4EFgQUHvGJ8tZM
|
|
owfGFNeyuhsYq8JN/o8wgcAGA1UdIwSBuDCBtYAUHvGJ8tZMowfGFNeyuhsYq8JN
|
|
/o+hgZGkgY4wgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQw
|
|
EgYDVQQHEwtMb3MgQW5nZWxlczEPMA0GA1UEChMGU3BhY2VYMQwwCgYDVQQLEwND
|
|
RU8xEjAQBgNVBAMTCUVsb24gTXVzazEeMBwGCSqGSIb3DQEJARYPZWxvbkBzcGFj
|
|
ZXguY29tggkAjJkgHh9s3aYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
|
|
AQEAfe9TXLrrwA/3xf85HB+i7CxaFNTmWZvsN2Ico9Ks1/Dt7eAB61ghHFIxCqHz
|
|
LQGa77wFAI5kgzv3TembXV1kHz4pGigPC6EkNEh0Kc2O3fwz6CryK7/OrjkElKEn
|
|
ti/9loLr8+rhQKF0c2NS3qiAoYsR/kkdBZ+niT+yXCIekpQNybfDT8WqDm4Rv2s+
|
|
u/6pZa7zZLLlORpxnuFfjjo+n/06b4+xHn+xvyGWijMcOqZdyhU0UjZ7OAW/ZEQp
|
|
3uvp8fso+Esov+Abl0Lxtr/Gk7utH/h0AD6vWJJwDlS65uqKBeuIOUoCAHy3oPH5
|
|
p+BxtuhS2Lv5g2jHRgIxVt22rg==
|
|
-----END CERTIFICATE-----
|
|
"""
|
|
ca_key_file = """-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEogIBAAKCAQEAxavriYxkN9ZS5iZE7P4WzObCMZm8XPQIbGITEcQAV/Nl8XrR
|
|
G2zZCb6jtxxtn9S0BoiAi97laJaFDmaoOjIQJ+5U5Nx11YKuyQuAtp+g/qc9V1MM
|
|
hew+2yO1G5UPWm2x24NUJ5CRwoVRx8t3pBclo4BhTbSBvsUnwoVSYlefgdeDoGxm
|
|
+7yCsmCHnU7b0lHDzcjQXHMFnDglK8RNb3rw17E75qWJH+KcrgZBCqTiOjG5PoxJ
|
|
Wx37XuyzrCdY7WdQ3GFJbcxB4+t+mGRBs1mf+XVPUx83pcCzg/1uiqAQ0dnZayQY
|
|
h5nmDUjgxURY8VNnwfCmsK/Jszyad6pWn8/4VwIDAQABAoIBAHkzyOA17N0v1PS5
|
|
UlneEizg8QFouk5kcyXBnN+vxmYnH8LJA55FR27qLYgBLlZqHVhEKk2ZBiDy6fLC
|
|
jzPfrnhNclBBvR6FWpZ7LxjLF/QMp1f73BnhmUjUxB99bkSMLhnilJ8NzdHv3Q0c
|
|
fOdoKfPuq7rxivxl9tMW3ETgZTU+0dSeJH8ZkkcQblckNpqP//oWFpXYrgftgyR3
|
|
kM+uZya2kwaZ15XC2O1IXbvFVjppw4z/z8KMBc6azGrSFJ6xGkve+1KKBuVQ1Vpg
|
|
sFXBaKHoVG5NpGiwiBkbERkn1Jp+lgJkstDyzGtIVmhzT7g5+YIvXE5uWU/NVRDp
|
|
0n8n6UECgYEA/hgkUfJ/uVlORhkIyW+thG9VPO1k35BdOjw5f7xDN6DSyYNSRubi
|
|
q6F3KWW807fEubGYzXaTh5QCB9z+gUuVAtjo9Mb0RPBEyWwXFi0ynxLzNQxA692U
|
|
Id67JHVPK4gsgP7jZi8+pAbN3xSfRG1BXdsp+RUJdWNiaLeWOsHI+bMCgYEAxydy
|
|
enmg+dzz8qz6my9G9uH0dqoG8BHlwPp7h/vmSbhWAD4+BIGCHbGt2zk/Zh7w6PsQ
|
|
9nMrWSwAkStdpW0WLz/oNIijVN8dInlFnB3qq6o1t0Jrz2K4ngUN1PAA19Ft1s+r
|
|
VZpSM+uKViKKuthORNeVM0D3D3gfrisdAZAV7M0CgYBguef5mgqtECYP4S/LHsw7
|
|
Afa8vtILmPUkWhC5Y31jC8GyHF+Rxgq7szeddrEvF2G4HrdAX8dBcUJko+fuaEtN
|
|
Ti1AIQyTwbMtygvv0TzX+WrD4upD35GoYxVyh4Wf2LK4WE9QcuOxpTVxmnQWpFCh
|
|
3fBYdX2oRjEME/cIXwSWqQKBgEpc0WMn/VKvDSvlKSI+8fmHf3e7nyGPHUIEhZHO
|
|
HjwSp5Ipq5CVJxedW7SK2MBx9zSXYssTT/FY+9E45xu48tqruzG6f3pWYROZQsO7
|
|
a/+za6FFHOpwC019x59mCnqLib73BhvNproaTipBdZm04OzVrrFXpajSCspG8Oq/
|
|
eWBVAoGACI+4ROdYWCprQRgH2Qr5nKnRkN1mZzBl4hgodSGCZa3TWnBVHtXacluF
|
|
KJ8dp3ZgjiQ9aQujFD5oPnmSJ8wvJijF8ngEFw60+axRrWnUmejWkrexA1Hlv0Er
|
|
tq9DcELddZK2gJXaXpL1wOL+Ex5RzzRmjqKmmkkn1//ikn+nrZU=
|
|
-----END RSA PRIVATE KEY-----
|
|
"""
|
|
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, request.FILES['csr'].read())
|
|
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_file)
|
|
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file)
|
|
|
|
signed_cert = crypto.X509()
|
|
signed_cert.set_serial_number(1)
|
|
signed_cert.gmtime_adj_notBefore(0)
|
|
signed_cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 5)
|
|
signed_cert.set_issuer(ca_cert.get_subject())
|
|
signed_cert.set_subject(csr.get_subject())
|
|
signed_cert.set_pubkey(csr.get_pubkey())
|
|
signed_cert.sign(ca_key, 'sha256')
|
|
|
|
response = HttpResponse(crypto.dump_certificate(crypto.FILETYPE_PEM, signed_cert), content_type='application/zip')
|
|
response['Content-Disposition'] = 'attachment; filename=signed-certificaat.crt'
|
|
return response
|
|
|
|
return render(request, 'sign.html')
|
|
|
|
def graderhelper(request):
|
|
cursor = connection.cursor()
|
|
if request.GET['mode'] == 'oauth_app':
|
|
cursor.execute("SELECT COUNT(id) FROM oauth2_provider_application WHERE client_id = %s", [request.GET['answer']])
|
|
return HttpResponse(cursor.fetchone())
|
|
|
|
elif request.GET['mode'] == 'access_token':
|
|
cursor.execute("SELECT COUNT(id) FROM oauth2_provider_accesstoken WHERE token = %s", [request.GET['answer']])
|
|
return HttpResponse(cursor.fetchone())
|
|
|
|
elif request.GET['mode'] == 'auth_code':
|
|
cursor.execute("SELECT COUNT(id) FROM oauth2_provider_grant WHERE code = %s", [request.GET['answer']])
|
|
return HttpResponse(cursor.fetchone())
|
|
|
|
|
|
return HttpResponse('404') |