Merge branch 'master' into stable

.gitignore

@@ -64,9 +64,16 @@ target/
 
 conf/runners
 conf/conf.json
+conf/.htpasswd
 logs
 .idea
 temp
 /web
 web-src/node_modules
-web-src/package-lock.json
+web-src/package-lock.json
+web-src/tests/e2e/reports/
+web-src/selenium-debug.log
+web-src/chromedriver.log
+web-src/geckodriver.log
+
+venv/

.travis.yml

@@ -3,7 +3,7 @@ sudo: required
 dist: xenial
 language: node_js
 node_js:
-- '6'
+- '11'
 cache:
   directories:
   - web-src/node_modules
@@ -19,10 +19,10 @@ env:
   # DOCKER_PASSWORD
   - secure: S22ffhnZOs1yFdBwJO9+uzy9DB3e7ehLWbj47U1zavsMKMDyDw0lkOIy8PMERFh4roBoM5dG95RIVbfNbrPXQxnY5Og2w7RTTv3eeHGdYzh+34Dppfk8mhEAhn3NL98sOe6is/5sEDvZ2ykPFLvoJmyV15V7Wvtuy1Zx+0lyZ0R0tX6sVJUWDlClHspCuSIKK+iptL5yLu4TtvX9Wks/c3kH6GIXYIJIeC63D+RRhuetbtGKND/RtFkq5IDP9qMZNXUAT/Mb8hrsk9HntFgl79dG2ChvBpDE8/LqjYDBiFTiUAtJfBhC0pVB3WaEwGTU/hWe8WTjl29JIkGcoaeT7+wncJ72lEPJoO60YWSdtWfTlNlUiN27AcxGqk39MDhB5NAbuJpKvcFLMmWFY2uJefrR6XVEXBZ+9yAwzuZmj0GYFOQTuczAqncyj/3BuOEqfIkkQ5BLAS5BUuzSEbHOjwasqbTVcWM1H3cv2ZYATXQQN8KhcZ5c5lxy8eD0NXHKvBFlS3HOXOXn3P6PqGgFHzjL+yyHMvzIXBJY4jEr8FIH16dwbXDqb4gi4lrrCZHDeIhVKsmLSUJjhmiKeP7dWcfUOGMxzLRmqA8r58TXcN3OvBrqNN63nUSG+Wb6XxmzLwE4PrlBy0fTRymG8WXrdE/Z2lglBhc8J3A8ER9c46s=
 before_install:
-- sudo apt-get -y install python3-pip python3-setuptools
+- sudo apt-get -y install python3-pip python3-setuptools apache2-utils
 install:
 - sudo pip3 install -r requirements.txt
-- sudo pip3 install ldap3 parameterized
+- sudo pip3 install ldap3 parameterized bcrypt
 - sudo pip3 install requests --upgrade
 - sudo pip3 install pyasn1 --upgrade
 - cd web-src
@@ -32,7 +32,7 @@ before_script:
 - cd src
 - python3 -m unittest discover -s tests -p "*.py" -t .
 - cd ../web-src
-- npm run test
+- npm run test:unit-ci
 - cd ..
 script:
 - python3 tools/build.py

LICENSE

@@ -1,5 +1,5 @@
    Script-server
-   Copyright 2016-2019 [email protected]
+   Copyright 2016-2020 [email protected]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -32,6 +32,10 @@ images/github.png (modified)
 images/titleBackground.jpg
 The image is from free set of material design backgrounds, published by oxygenna.com and absolutely free to use (Source: http://www.oxygenna.com/news/brand-new-set-of-40-material-design-backgrounds)
 
+images/titleBackground_small.jpg
+images/titleBackground_login.jpg
+Same as above, but the image sizes was changed for Script server project
+
 images/cookie.png (modified)
 https://github.com/whitebird/FontAwesome-cookie
 Licensed under http://creativecommons.org/publicdomain/zero/1.0

README.md

@@ -1,46 +1,48 @@
-[![Build Status](https://travis-ci.org/bugy/script-server.svg?branch=master)](https://travis-ci.org/bugy/script-server)
+[![Build Status](https://travis-ci.org/bugy/script-server.svg?branch=master)](https://travis-ci.org/bugy/script-server) [![Gitter](https://badges.gitter.im/script-server/community.svg)](https://gitter.im/script-server/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 
 # script-server
-Script-server is a Web GUI and a web server for scripts.  
+Script-server is a Web UI for scripts.  
 
-For users it's just a web page, where he specifies script parameters and executes them.  
-For system administrators it's a possibility to share their scripts with users, without the need to set up an environment or properly adjust ssh access rights.  
+As an administrator, you add your existing scripts into Script server and other users would be able to execute them via a web interface.
+The UI is very straightforward and can be used by non-tech people.
 
-No script modifications are needed - you add a configuration for each script to the script-server and it takes care of proper UI, validation, execution, etc.  
+No script modifications are needed - you configure each script in Script server and it creates the corresponding UI with parameters and takes care of validation, execution, etc.  
 
+[DEMO server](https://script-server.net/)
 
-[DEMO server](https://script-server.net)
+[Admin interface screenshots](https://github.com/bugy/script-server/wiki/Admin-interface)
 
 ## Features
-- Interactive output/input web console
-- Configurable Access
-- Auth (optional): LDAP and Google OAuth
-- Different script parameter types
+- Different types of script parameters (text, flag, dropdown, file upload, etc.)
+- Real-time script output
+- Users can send input during script execution
+- Auth (optional): LDAP, Google OAuth, htpasswd file
+- Access control
 - Alerts
 - Logging and auditing
 - Formatted output support (colors, styles, cursor positioning, clearing)
 - Download of script output files
-- Admin page (admin.html) with script execution logs
+- Execution history
+- Admin page for script configuration
 
-The features can be configured [per-script](https://github.com/bugy/script-server/wiki/Script-config) or for [the server](https://github.com/bugy/script-server/wiki/Server-configuration)
+For more details check [how to configure a script](https://github.com/bugy/script-server/wiki/Script-config) or [how to configure the server](https://github.com/bugy/script-server/wiki/Server-configuration)
 
 ## Requirements
 ### Server-side
-Python 3.4 or higher with the following modules:
+Python 3.5 or higher with the following modules:
 * Tornado 4 / 5 / 6
-* typing *(for python 3.4 only)*
 
 Some features can require additional modules. Such requirements are specified in a corresponding feature description.
 
 OS support:
 - Linux (main). Tested and working on Debian 9,10
-- Windows (additional). Light testing on Windows 7
-- MacOS (additional). Not tested. Most probably some fixes are needed
+- Windows (additional). Light testing
+- macOS (additional). Light testing
 
 ### Client-side
 Any more or less up to date browser with enabled JS
 
-Internet connection is not needed. All the files are loaded from the server.
+Internet connection is **not** needed. All the files are loaded from the server.
 
 ## Installation
 ### For production
@@ -55,23 +57,25 @@ For the usage please check [this ticket](https://github.com/bugy/script-server/i
 
 ### For development
 1. Clone/download the repository
-2. Run 'tools/init.py --dev --no-npm' script
+2. Run 'tools/init.py --no-npm' script
 
 `init.py` script should be run after pulling any new changes
 
-If you are making changes to web files, use `npm run build:dev` or `npm run start:dev`
+If you are making changes to web files, use `npm run build` or `npm run serve`
+
 
 ## Setup and run
 1. Create configurations for your scripts in *conf/runners/* folder (see [script config page](https://github.com/bugy/script-server/wiki/Script-config) for details)
 2. Launch launcher.py from script-server folder
   * Windows command: launcher.py
   * Linux command: ./launcher.py
+3. Add/edit scripts on the admin page
 
-By default, server will run on http://localhost:5000
+By default, the server will run on http://localhost:5000
 
 ### Server config
 All the features listed above and some other minor features can be configured in *conf/conf.json* file. 
-It is allowed not to create this file. In this case default values will be used.
+It is allowed not to create this file. In this case, default values will be used.
 See [server config page](https://github.com/bugy/script-server/wiki/Server-configuration) for details
 
 ### Admin panel
@@ -85,29 +89,35 @@ Additionally each script logs are written to separate file in *logs/processes*.
 Script-server has bundled configs/scripts for testing/demo purposes, which are located in samples folder. You can link/copy these config files (samples/configs/\*.json) to server config folder (conf/runners).
 
 ## Security
-I do my best to make script-server secure and invulnerable to attacks, injections or user data security. However to be on safe side, it's better to run script server only on a trusted network.  
+I do my best to make script-server secure and invulnerable to attacks, injections or user data security. However to be on the safe side, it's better to run Script server only on a trusted network.  
 Any security leaks report or recommendations are greatly appreciated!
 ### Shell commands injection
-Script server guarantees that all user parameters are passed to an executable script as arguments and won't be executed under any conditions. There is no way to inject fraud command from a client side.
-However user parameters are not escaped, so scripts should take care of not executing them also (general recommendation for bash is at least to wrap all arguments in double quotes).
-It's recommended to use typed parameters when 	appropriate, because they are validated for proper values and so they are harder to be subject of commands injection. Such attempts would be easier to detect also.
+Script server guarantees that all user parameters are passed to an executable script as arguments and won't be executed under any conditions. There is no way to inject fraud command from a client-side.
+However user parameters are not escaped, so scripts should take care of not executing them also (general recommendation for bash is at least to wrap all arguments in double-quotes).
+It's recommended to use typed parameters when appropriate, because they are validated for proper values and so they are harder to be subject of commands injection. Such attempts would be easier to detect also.
 
-_Important!_ Command injection protection is fully supported for linux, but _only_ for .bat and .exe files on Windows
+_Important!_ Command injection protection is fully supported for Linux, but _only_ for .bat and .exe files on Windows
 
 ### XSS and CSRF
 At the moment script server _is_ vulnerable to these attacks.
 
 ## Contribution
 If you like the project and think you could help with making it better, there are many ways you can do it:
-- Create new issue for new feature proposal or a bug
+- Create a new issue for new feature proposal or a bug
 - Implement existing issues (there are quite some of them: frontend/backend, simple/complex, choose whatever you like)
 - Help with improving the documentation
 - Set up a demo server
-- Spread a word about the project to your collegues, friends, blogs or any other channels
+- Spread a word about the project to your colleagues, friends, blogs or any other channels
 - Any other things you could imagine
 
 Any contribution would be of great help and I will highly appreciate it! 
-If you have any questions, please create a new issue, or concact me via [email protected]
+If you have any questions, please create a new issue, or contact me via [email protected]
+
+## Asking questions
+If you have any questions, feel free to:
+- Ask in gitter: https://gitter.im/script-server/community
+- or [create a ticket](https://github.com/bugy/script-server/issues/new)
+- or contact me via email: [email protected] (for some non-shareable questions)
 
 ## Special thanks
 ![JetBrains logo](https://github.com/JetBrains/logos/blob/master/web/jetbrains/jetbrains.svg)

samples/configs/download_kittens.json

@@ -0,0 +1,11 @@
+{
+  "name": "Download kittens",
+  "description": "Downloads several random kitten images, with a delay. \nAll the images are kindly provided by https://cataas.com/",
+  "script_path": "python -u samples/scripts/download_kittens.py",
+  "output_files": [
+    {
+      "type": "inline-image",
+      "path": "##any_path#"
+    }
+  ]
+}

samples/ldap/bootstrap.ldif

@@ -0,0 +1,37 @@
+dn: ou=People,dc=script-server,dc=net
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=user1,ou=People,dc=script-server,dc=net
+objectClass: inetOrgPerson
+objectClass: posixAccount
+cn: John Smith
+sn: Smith
+uid: user1
+uidNumber: 1000
+gidNumber: 1000
+homeDirectory: /home/user1
+userPassword: qwerty
+
+dn: uid=user with space,ou=People,dc=script-server,dc=net
+objectClass: inetOrgPerson
+cn: user with space
+sn: Uws
+uid: user with space
+userPassword: 123 456
+
+dn: uid=user (with brackets),ou=People,dc=script-server,dc=net
+objectClass: inetOrgPerson
+cn: user with brackets
+sn: UwB
+uid: user (with brackets)
+userPassword: 666
+
+dn: cn=all_users,dc=script-server,dc=net
+objectClass: posixGroup
+cn: all_users
+description: All users group
+gidNumber: 10000
+memberUid: user1
+memberUid: user with space
+memberUid: user (with brackets)

samples/ldap/start-ldap-docker.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+docker stop script-server-ldap
+docker rm script-server-ldap
+
+set -e
+
+docker run \
+--name script-server-ldap \
+--env LDAP_ORGANISATION="Script server" \
+--env LDAP_DOMAIN="script-server.net" \
+--env LDAP_ADMIN_PASSWORD="admin_passw" \
+--volume "$PWD"/bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
+--detach \
+osixia/openldap:1.4.0 \
+--copy-service \
+--loglevel debug

samples/scripts/download_kittens.py

@@ -0,0 +1,39 @@
+#!/usr/bin/python3
+import sys
+import tempfile
+import time
+
+import requests
+
+# api_key = os.environ.get('KITTENS_API_KEY')
+# if not api_key:
+#     print('Please request api_key from http://requestkittens.com and put it into KITTENS_API_KEY env. variable')
+#     sys.exit(-1)
+
+for i in range(1, 6):
+    # response = requests.get('http://requestkittens.com/cats?numOfResults=1', headers={'Authorization': api_key})
+    # if (response.status_code != 200):
+    #     print('Ooops, all kittens are hiding today :(')
+    #     sys.exit(-2)
+    #
+    # response_json = response.json()
+    #
+    # image_url = response_json['_items'][0]['url']
+    # image_id = response_json['_items'][0]['id']
+    # file_name = str(uuid.uuid4()) + '.png'
+    # file_path = os.path.join('/tmp', 'script-server', file_name)
+
+    image_response = requests.get('https://cataas.com/cat/kitten?type=medium')
+    if (image_response.status_code != 200):
+        print('Ooops, all kittens are hiding today :(')
+        sys.exit(-2)
+
+    f = tempfile.NamedTemporaryFile()
+    f.write(image_response.content)
+    file_path = f.name
+    open(file_path, 'wb').write(image_response.content)
+    print(file_path)
+
+    time.sleep(3)
+
+    f.close()