MISP / misp-dashboard

A live dashboard for a real-time overview of threat intelligence from MISP instances
GNU Affero General Public License v3.0

new: [authentication] Flask-login authentication via MISP. #129

Closed VVX7 closed 5 years ago

VVX7 commented 5 years ago

This patch provides authentication for misp-dashboard. It authenticates users to a MISP instance specified in the config without needing to maintain a separate user db.

  1. Unauthenticated user is redirected to /login route.
  2. WTForms login form validates username and password requirements.
  3. Flask-login User object created using form credentials.
  4. User.misp_login() uses the requests library to:
     a. GET the MISP login page.
     b. Parse hidden form data from the GET request.
     c. POST the hidden form data + User credentials.
     d. Verify the 302 redirect in the requests session.history to the MISP /users/routeafterlogin endpoint.
  5. If the user is authenticated to MISP Flask-login provides a User session.

All Flask routes must be marked with the @login_required decorator to enforce authentication.
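The login flow described in the PR, as an added example that is not the misp-dashboard project's code. It follows the steps above (GET login page, collect hidden fields, POST credentials, check for the 302 to /users/routeafterlogin) plus the auth_enabled flag discussed later; the session is injectable so it can be exercised offline, and the CakePHP field names `data[User][email]` / `data[User][password]` are an assumption, not taken from the PR.

```python
# Added example, not code from the misp-dashboard PR; field names are assumed.
import secrets
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenFieldParser(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def parse_hidden_fields(html):
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def misp_login(session, misp_url, username, password,
               user_field="data[User][email]", pw_field="data[User][password]"):
    """True only if MISP answered the credential POST with a 302 to
    /users/routeafterlogin, the success signal the PR relies on. A 200 that
    re-renders the login page (bad password) yields False."""
    login_url = misp_url.rstrip("/") + "/users/login"
    page = session.get(login_url)
    if page.status_code != 200:
        return False
    form = parse_hidden_fields(page.text)  # anti-CSRF tokens are echoed back unchanged
    form[user_field] = username
    form[pw_field] = password
    resp = session.post(login_url, data=form)
    for hop in resp.history:  # redirects that requests followed before the final page
        location = urlparse(hop.headers.get("Location", "")).path.rstrip("/")
        if hop.status_code == 302 and location.endswith("/users/routeafterlogin"):
            return True
    return False


def resolve_user(auth_enabled, session=None, misp_url=None, username=None, password=None):
    """With the PR's auth_enabled flag off, hand out a random throwaway name;
    with it on, return the username only if MISP accepted the credentials."""
    if not auth_enabled:
        return "anon-" + secrets.token_hex(8)
    return username if misp_login(session, misp_url, username, password) else None
```

Pass a real `requests.Session()` as `session` against a MISP instance; the redirect check works because `requests` records each followed 302 in `response.history`.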

mokaddem commented 5 years ago

This. is. awesome! I love the idea to use MISP for the login, it's clever. Thanks a lot!

My only fear is that if the dashboard were to have authentication, it would most probably be more exposed alongside MISP. However, the dashboard does not apply any ACL rules, meaning that a normal user could have access to all the data if the setup is not done correctly.

One solution for this issue could be:

Let me know what you think!

mokaddem commented 5 years ago

Maybe something else, I would make the login optional. If users don't want to set up their MISP credentials or simply don't want to have it enabled, it could be turned off by a flag that would be in the configuration. I guess adding one check in the misp_login function is doable. What do you think?

VVX7 commented 5 years ago

I added a flag in the config so that user auth is now optional. When authentication is disabled a randomly generated user account name is automatically provided and the user is redirected to /index.

I like the idea of using a designated user permission for misp-dashboard. Is there a simple way to get user permissions from MISP without parsing html pages or making a db query? It would be simple enough to get the misp.local/users/view/me endpoint, and then look up the role via `/roles/view/`, but it's ugly and there's probably a better way.

mokaddem commented 5 years ago

You can check in /users/view/me.json. However, you only have access to the role_id and you have no access to the perm_*. I will extend the endpoint today so that you can quickly fetch this information. And btw, thanks for the auth_enabled patch!

mokaddem commented 5 years ago

/users/view/me.json now includes the Role object. You will be able to access the dashboard permission from it. I'll create a new permission/role for the dashboard. I'll keep you posted!

mokaddem commented 5 years ago

Hey @VVX7, in the end we ended up using the new UserSetting feature to record the misp-dashboard access permission (so that MISP itself doesn't contain permission flags not linked to its internals). I'll merge your PR and implement the changes myself ;) Feel free to open a new PR if you disagree or if you see potential improvements. Thanks again for your contribution!

mokaddem commented 5 years ago

Related PR #130