cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

add authentication on web interface #583

Open sabriedd opened 9 years ago

sabriedd commented 9 years ago

This is a feature request, opened to discussion of the community.

On malwr.com you have the ability to:

Those would be interesting features that could be added to cuckoo sandbox. This would enable the possibility to share a platform between a circle of acquaintances. Having a virtualization platform might not be possible for everybody.

I know it will involve important modifications, on the web interface itself, but also on the databases. It's just a reminder of "cool features from malwr.com" that will be appreciated, probably for milestone 2.0 ?

jhg commented 9 years ago

@SpoonBoy Django has Auth by default (and admin, login, permissions, etc.), and can read the Cuckoo database from Django models: https://docs.djangoproject.com/en/1.8/howto/legacy-databases/ I think this issue is easy if we enable auth in Django, use the auth decorators in views, have Django use another database and read the Cuckoo database with the legacy integration so that everything can be read from Django models, with an int field storing the Cuckoo task ID. Without the legacy integration it is also possible to store the Cuckoo task ID without problem.

I see this as easy with a database for Django (it can be the same database, but Django needs this configuration, which Cuckoo does not have in its settings now). If @jbremer @botherder @jekil think this is fine, starting and doing this is easy, I think, and I can help with this as part of https://github.com/cuckoobox/cuckoo/pull/566; this doesn't need a schema change in the Cuckoo tables.

botherder commented 9 years ago

Indeed, having authentication would be nice, but at that point you also need to have "ownership" of the analysis tasks. That would mean changing the Cuckoo schema as well.

KillerInstinct commented 9 years ago

I think it would be worth implementing groups at the same time, if you're going to implement ownership. Auth by itself doesn't require a schema change if you only want authenticated users to be able to submit tasks or something similar. Needs configuration options too.

jhg commented 9 years ago

@botherder the Cuckoo schema is as @SpoonBoy commented in #584 and it is easy: Django has a legacy-database feature to make models of a DB automatically (https://docs.djangoproject.com/en/1.8/howto/legacy-databases/). It can be used to migrate Cuckoo to the Django ORM, or to integrate Django with the Cuckoo DB and do "ownership" without changing the Cuckoo schema; these two ways exist.

As @KillerInstinct says, it is possible to do auth without changing the Cuckoo schema, which is one of the two ways I mentioned before; it is also possible in Django to save the Cuckoo ID without the legacy DB, so now we have three ways to do this. And the idea of groups is very good, I like it, and Django also has groups by default in the Django auth app.

It is possible in three ways; please, which way should we use to do this? When a way is decided, I can help to do it; with Django it is easy, and it is relevant for #584 #578 #564 #565 #585 (https://github.com/cuckoobox/cuckoo/pull/566 https://github.com/cuckoobox/cuckoo/pull/570 https://github.com/cuckoobox/cuckoo/pull/542)

jbremer commented 9 years ago

@botherder For what it's worth, tasks already have an owner field for this exact purpose. Functionality for this is also present in the Cuckoo API, although if the API is exposed to an attacker they can still just leave the owner blank after which the attacker will have access to all tasks.
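An added illustration of the blank-owner problem jbremer describes, in plain Python rather than Cuckoo's or Django's code; the task records and the `owner` values are constructed here, and both functions are hypothetical:

```python
# Added example, not Cuckoo's code. Shows why an owner filter supplied by
# the client (which may be left blank) must not be the access-control
# boundary, and what scoping to the authenticated principal looks like.

# Constructed sample task table; "owner" mirrors the owner field on tasks.
TASKS = [
    {"id": 1, "owner": "alice", "target": "sample_a.exe"},
    {"id": 2, "owner": "bob", "target": "sample_b.exe"},
    {"id": 3, "owner": "", "target": "sample_c.exe"},  # submitted with no owner
]


def list_tasks_by_requested_owner(tasks, owner):
    """Weak pattern: the caller supplies the owner value.

    An empty owner is treated as "no filter", so a client that simply
    omits the field is shown every task, which is the gap noted above.
    """
    if not owner:
        return list(tasks)
    return [t for t in tasks if t["owner"] == owner]


def list_tasks_for_principal(tasks, principal):
    """Hardened pattern: the filter value comes from the authenticated
    principal (never from the request body), and a missing or empty
    principal yields nothing rather than everything.

    Ownerless legacy tasks (id 3 above) are then visible to nobody until
    an owner is assigned, which is the safer default.
    """
    if not principal:
        return []
    return [t for t in tasks if t["owner"] == principal]
```

In a Django view the same rule means deriving the filter from `request.user` after `login_required`, rather than from a query or form parameter.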

jhg commented 9 years ago

I am adding login to the views with https://github.com/jhg/cuckoo/tree/feature-classView for https://github.com/cuckoobox/cuckoo/issues/584; after that it only needs a custom login to work with the owner defined in Cuckoo. @jbremer How can I check a user and password in Cuckoo, to build a custom login in Django? Then I can PR this and https://github.com/cuckoobox/cuckoo/issues/584 together.

jhg commented 9 years ago

https://github.com/jhg/cuckoo/commit/8809e2b5c7611b5657f8f0f785ddb670e8b27808 adds Auth to URLs and views, but I need either "how" to authenticate a user and password so I can add a custom auth, or else, by setting up the DB and using the Django admin, it can use the users of the Django admin. https://github.com/cuckoobox/cuckoo/pull/652