move user_s to pi2-sso

This commit is contained in:
Daniel Tsvetkov 2021-05-09 13:43:51 +02:00
parent 44b409d886
commit 517bdc32fe
11 changed files with 44 additions and 69 deletions

View File

@ -1,2 +0,0 @@
name
admin
1 name
2 admin

View File

@ -1,2 +0,0 @@
email,password,role_names
admin@app,__SENSITIVE__.ADMIN_PASSWORD,admin
1 email password role_names
2 admin@app __SENSITIVE__.ADMIN_PASSWORD admin

View File

@ -1,2 +0,0 @@
Role
User

View File

@ -1,3 +1,2 @@
ADMIN_PASSWORD = "password"
SSO_CLIENT_ID = '123456' SSO_CLIENT_ID = '123456'
SSO_CLIENT_SECRET = 'secret' SSO_CLIENT_SECRET = 'secret'

View File

@ -4,6 +4,6 @@
<a href="#">{{ current_user.email }}</a> | <a href="#">{{ current_user.email }}</a> |
<a href="{{ url_for('security.logout') }}">{{ _("Logout") }}</a> | <a href="{{ url_for('security.logout') }}">{{ _("Logout") }}</a> |
{% else %} {% else %}
<a href="{{ url_for('security.login') }}">{{ _("Login") }}</a> | <a href="{{ url_for('security.login') }}">{{ _("SSO Login") }}</a> |
{% endif %} {% endif %}
</div> </div>

View File

@ -1,4 +1,3 @@
import base64
import csv import csv
import datetime import datetime
import json import json
@ -9,7 +8,6 @@ from importlib import import_module
from json import JSONEncoder from json import JSONEncoder
from uuid import uuid4 from uuid import uuid4
import onetimepass
from flask import request from flask import request
from flask_migrate import Migrate from flask_migrate import Migrate
from flask_migrate import init as migrate_init from flask_migrate import init as migrate_init
@ -17,7 +15,6 @@ from flask_migrate import upgrade as migrate_upgrade
from flask_security import RoleMixin, UserMixin from flask_security import RoleMixin, UserMixin
from flask_security import Security, SQLAlchemyUserDatastore from flask_security import Security, SQLAlchemyUserDatastore
from flask_security import current_user from flask_security import current_user
from flask_security.utils import hash_password
from flask_sqlalchemy import SQLAlchemy from flask_sqlalchemy import SQLAlchemy
from flask_wtf import CSRFProtect from flask_wtf import CSRFProtect
from markupsafe import escape, Markup from markupsafe import escape, Markup
@ -27,7 +24,6 @@ from sqlalchemy.ext.declarative import declared_attr, DeclarativeMeta
from sqlalchemy.orm.collections import InstrumentedList from sqlalchemy.orm.collections import InstrumentedList
from sqlalchemy_utils import Choice from sqlalchemy_utils import Choice
from tww.lib import solve_query, resolve_timezone, dt_tz_translation, time_ago from tww.lib import solve_query, resolve_timezone, dt_tz_translation, time_ago
from werkzeug.security import generate_password_hash, check_password_hash
from whooshalchemy import IndexService from whooshalchemy import IndexService
from config import SQLALCHEMY_DATABASE_URI, MAKEDIRS, DATABASE_FILE, SEARCH_INDEX_PATH, STATIC_DATA_DIR, MEDIA_DIR, \ from config import SQLALCHEMY_DATABASE_URI, MAKEDIRS, DATABASE_FILE, SEARCH_INDEX_PATH, STATIC_DATA_DIR, MEDIA_DIR, \
@ -69,6 +65,7 @@ roles_users = db.Table('roles_users',
db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), db.Column('user_id', db.Integer(), db.ForeignKey('user.id')),
db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) db.Column('role_id', db.Integer(), db.ForeignKey('role.id')))
class ModelJsonEncoder(JSONEncoder): class ModelJsonEncoder(JSONEncoder):
def default(self, o): def default(self, o):
if isinstance(o, datetime.datetime): if isinstance(o, datetime.datetime):
@ -177,11 +174,10 @@ class Role(db.Model, ModelController, RoleMixin):
class User(db.Model, ModelController, UserMixin): class User(db.Model, ModelController, UserMixin):
email = db.Column(db.Unicode, unique=True) username = db.Column(db.Unicode, unique=True)
password = db.Column(db.Unicode) token = db.Column(db.Unicode)
active = db.Column(db.Boolean(), default=True) active = db.Column(db.Boolean(), default=True)
confirmed_at = db.Column(db.DateTime())
timezone = db.Column(db.String, default='UTC') timezone = db.Column(db.String, default='UTC')
tz_offset_seconds = db.Column(db.Integer, default=0) tz_offset_seconds = db.Column(db.Integer, default=0)
@ -194,49 +190,6 @@ class User(db.Model, ModelController, UserMixin):
backref=db.backref('users', lazy='dynamic')) backref=db.backref('users', lazy='dynamic'))
class Credential(db.Model, ModelController):
name = db.Column(db.Unicode)
date_added = db.Column(db.DateTime)
device = db.Column(db.Unicode)
user_sso_id = db.Column(db.Integer, db.ForeignKey('user_s.id'))
user_sso = db.relationship('UserS',
backref=db.backref("credentials"),
)
class UserS(db.Model, ModelController):
username = db.Column(db.Unicode, unique=True)
email = db.Column(db.Unicode, unique=True)
password_hash = db.Column(db.Unicode)
otp_secret = db.Column(db.String(16))
def __init__(self, **kwargs):
super(UserS, self).__init__(**kwargs)
if self.otp_secret is None:
# generate a random secret
self.otp_secret = base64.b32encode(os.urandom(10)).decode('utf-8')
@property
def password(self):
raise AttributeError('password is not a readable attribute')
@password.setter
def password(self, password):
self.password_hash = generate_password_hash(password)
def verify_password(self, password):
return check_password_hash(self.password_hash, password)
def get_totp_uri(self, client_name):
return 'otpauth://totp/{client_name}:{username}?secret={secret}&issuer={client_name}' \
.format(username=self.username, secret=self.otp_secret, client_name=client_name)
def verify_totp(self, token):
return onetimepass.valid_totp(token, self.otp_secret)
security = Security() security = Security()
user_datastore = SQLAlchemyUserDatastore(db, User, Role) user_datastore = SQLAlchemyUserDatastore(db, User, Role)
@ -437,7 +390,6 @@ def populate_static(app):
role_names = row.pop('role_names') role_names = row.pop('role_names')
else: else:
role_names = "" role_names = ""
row['password'] = hash_password(row['password'])
user = user_datastore.create_user(**row) user = user_datastore.create_user(**row)
for role_name in role_names.split(';'): for role_name in role_names.split(';'):
role = Role.query.filter_by(name=role_name).first() role = Role.query.filter_by(name=role_name).first()

View File

@ -2,9 +2,11 @@ import urllib
import requests import requests
from flask import send_from_directory, redirect, request, url_for, session, jsonify from flask import send_from_directory, redirect, request, url_for, session, jsonify
from flask_security import login_user
from oshipka.persistance import User, db
from oshipka.util.strings import random_string_generator from oshipka.util.strings import random_string_generator
from oshipka.webapp import oshipka_bp from oshipka.webapp import oshipka_bp, app
from config import MEDIA_DIR, APP_BASE_URL from config import MEDIA_DIR, APP_BASE_URL
from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET
@ -15,16 +17,17 @@ def get_media(filepath):
return send_from_directory(MEDIA_DIR, filepath) return send_from_directory(MEDIA_DIR, filepath)
SSO_BASE_URL = 'http://localhost:5008' SSO_BASE_URL = 'http://sso.localhost:5008'
SSO_AUTH_URL = '/oidc/auth' SSO_AUTH_URL = '/oidc/auth'
SSO_TOKEN_URL = '/oidc/token' SSO_TOKEN_URL = '/oidc/token'
SSO_USERINFO_URL = "/endpoints/userinfo" SSO_USERINFO_URL = "/endpoints/userinfo"
@app.route('/login')
@oshipka_bp.route('/sso') @oshipka_bp.route('/sso')
def sso(): def sso():
callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_callback') callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_callback')
state = random_string_generator() state = request.referrer or url_for('home')
session['oidc_state'] = state session['oidc_state'] = state
params = urllib.parse.urlencode({ params = urllib.parse.urlencode({
'redirect_uri': callback_url, 'redirect_uri': callback_url,
@ -66,6 +69,17 @@ def oidc_callback():
}, },
) )
if response.status_code == 200: if response.status_code == 200:
return response.json() response_json = response.json()
return 'got code for userinfo: {}'.format(response.status_code) username = response_json.get('user', {}).get('username')
return 'got response for token: {}'.format(response.status_code) user = User.query.filter_by(username=username).first()
redirect_uri = url_for('home')
if not user:
user = User(username=username)
db.session.add(user)
db.session.commit()
login_user(user)
if 'oidc_state' in session:
redirect_uri = session['oidc_state']
del session['oidc_state']
return redirect(redirect_uri)
return response.json()

View File

@ -24,7 +24,6 @@ inflect==4.1.0
itsdangerous==1.1.0 itsdangerous==1.1.0
Jinja2==2.11.1 Jinja2==2.11.1
MarkupSafe==1.1.1 MarkupSafe==1.1.1
onetimepass==1.0.1
passlib==1.7.2 passlib==1.7.2
pathtools==0.1.2 pathtools==0.1.2
pycparser==2.20 pycparser==2.20

View File

@ -2,6 +2,10 @@
from sqlalchemy_utils import ChoiceType from sqlalchemy_utils import ChoiceType
[%- endif %] [%- endif %]
[%- if _password_types %]
from werkzeug.security import generate_password_hash
[%- endif %]
class [[ name ]](db.Model, ModelController[% for inherit in interits %], [[ inherit ]][% endfor %]): class [[ name ]](db.Model, ModelController[% for inherit in interits %], [[ inherit ]][% endfor %]):
[%- include "_model_choice_header_py" %] [%- include "_model_choice_header_py" %]
[%- include "_model_searchable_header_py" %] [%- include "_model_searchable_header_py" %]
@ -17,6 +21,17 @@ class [[ name ]](db.Model, ModelController[% for inherit in interits %], [[ inhe
[[ column.name ]] = db.Column([[ column._type ]], [[ column.name ]] = db.Column([[ column._type ]],
[%- if column.default %]default="[[ column.default ]]",[%- endif %] [%- if column.default %]default="[[ column.default ]]",[%- endif %]
[%- if column.index %]index=True,[%- endif %]) [%- if column.index %]index=True,[%- endif %])
[%- if column.type == 'password' %]
@property
def [[ column.name ]]__password(self):
raise AttributeError('password is not a readable attribute')
@[[ column.name ]]__password.setter
def [[ column.name ]]__password(self, password):
self.password_hash = generate_password_hash(password)
[% endif %]
[%- endif %] [%- endif %]
[%- endfor %] [%- endfor %]

View File

@ -11,10 +11,9 @@
<div class="pull-right"> <div class="pull-right">
{% if current_user.is_authenticated %} {% if current_user.is_authenticated %}
<a href="#">{{ current_user.email }}</a> | <a href="#">{{ current_user.username }}</a> |
<a href="{{ url_for('security.logout') }}">{{ _("Logout") }}</a> | <a href="{{ url_for('security.logout') }}">{{ _("Logout") }}</a> |
{% else %} {% else %}
<a href="{{ url_for('security.login') }}">{{ _("Login") }}</a> | <a href="{{ url_for('security.login') }}">{{ _("Login SSO") }}</a>
<a href="{{ url_for('oshipka_bp.sso') }}">{{ _("SSO") }}</a>
{% endif %} {% endif %}
</div> </div>

View File

@ -94,6 +94,9 @@ def enrich_view_model(view_model):
column_type = column.get('type') column_type = column.get('type')
if column_type in ['text', 'long_text', ]: if column_type in ['text', 'long_text', ]:
_column_type = 'db.UnicodeText' _column_type = 'db.UnicodeText'
elif column_type in ['password', ]:
_column_type = 'db.UnicodeText'
view_model['_password_types'] = True
elif column_type in ['number', 'int', 'integer', ]: elif column_type in ['number', 'int', 'integer', ]:
_column_type = 'db.Integer' _column_type = 'db.Integer'
elif column_type in ['bool', 'boolean', ] or column_name.startswith('is_'): elif column_type in ['bool', 'boolean', ] or column_name.startswith('is_'):