From 55742c2104fd910a71f98b9c261f464e59777a8b Mon Sep 17 00:00:00 2001
From: Daniel Tsvetkov
Date: Sun, 9 May 2021 17:07:34 +0200
Subject: [PATCH] test sso flows

---
 README.md | 3 ++-
 bootstrap/config.py | 2 ++
 bootstrap/sensitive_dev.py | 2 +-
 bootstrap/webapp/templates/navigation.html | 5 ++---
 oshipka/webapp/default_routes.py | 18 +++++++++++-------
 vm_gen/templates/html/navigation.html | 2 +-
 6 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index dd25f2b..1c0e895 100644
--- a/README.md
+++ b/README.md
@@ -8,12 +8,13 @@ PaaS - creates easily deployable declarative web applications with (moslty) file
 * Frontend niceties such chosen.js, datatables.js and lightbox.js - but apps should still work without JS.
 * Off-request worker based on a file-system persistence and streaming intermediary results (if js is supported, or upon refresh)
 * Whooshalchemy search
+* SSO Sign in through [pi2-sso]()
 * Installation with gunicorn, generates nginx config and letsencrypt certificate
 * Based on [Flask](), [Sqlalchemy](), [TWW](https://gitlab.com/pisquared/tww) and others
 
 ## TODO
 
-* [ ] [list] pagination of many items
+* [X] [list] pagination of many items
 * [ ] [prod_install] Download sensitive prompt
 * [ ] [vm_gen] Auto generate dependency graph for `view_models/_process_order`
 * [ ] [auto_dns] Start and test `auto_dns.service`
diff --git a/bootstrap/config.py b/bootstrap/config.py
index d31d234..1283a33 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -26,3 +26,5 @@ MAKEDIRS = [
 
 APP_BASE_URL = "http://localhost:5000"
 SECURITY_ENABLED = True
+SSO_BASE_URL = 'https://sso.localhost:5008'
+SSO_CLIENT_ID = APP_BASE_URL
diff --git a/bootstrap/sensitive_dev.py b/bootstrap/sensitive_dev.py
index b2c3864..180cf69 100644
--- a/bootstrap/sensitive_dev.py
+++ b/bootstrap/sensitive_dev.py
@@ -1,2 +1,2 @@
 SSO_CLIENT_ID = '123456'
-SSO_CLIENT_SECRET = 'secret'
\ No newline at end of file
+SSO_CLIENT_SECRET = 'secret'
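Review bot: `SSO_CLIENT_ID = APP_BASE_URL` in config.py defines a name that sensitive_dev.py still sets to `'123456'` in the following hunk, and default_routes.py now imports it from config, so the sensitive_dev.py value is dead while still looking authoritative. Remove it from sensitive_dev.py or explain the split with a comment on the new config line, e.g. `# OIDC client_id as registered with the SSO provider (not a secret; the client secret stays in sensitive.py)`. That the id equals the app's base URL is a registration convention I can only infer from this page, so confirm it before documenting it as such.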
diff --git a/bootstrap/webapp/templates/navigation.html b/bootstrap/webapp/templates/navigation.html
index 5e36469..a32d1a1 100644
--- a/bootstrap/webapp/templates/navigation.html
+++ b/bootstrap/webapp/templates/navigation.html
@@ -1,9 +1,8 @@
-{{ _("Home") }} |
{% if current_user.is_authenticated %} - {{ current_user.email }} | + {{ current_user.username }} | {{ _("Logout") }} | {% else %} - {{ _("SSO Login") }} | + {{ _("Login SSO") }} {% endif %}
\ No newline at end of file diff --git a/oshipka/webapp/default_routes.py b/oshipka/webapp/default_routes.py index 9372f0a..f313440 100644 --- a/oshipka/webapp/default_routes.py +++ b/oshipka/webapp/default_routes.py @@ -6,8 +6,8 @@ from flask_security import login_user from oshipka.util.strings import random_string_generator from oshipka.webapp import oshipka_bp, app -from config import MEDIA_DIR, APP_BASE_URL, SECURITY_ENABLED -from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET +from config import MEDIA_DIR, APP_BASE_URL, SECURITY_ENABLED, SSO_BASE_URL, SSO_CLIENT_ID +from sensitive import SSO_CLIENT_SECRET # TODO: VULNZ - EVERYONE HAS ACCESS TO THIS @@ -15,9 +15,11 @@ from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET def get_media(filepath): return send_from_directory(MEDIA_DIR, filepath) + if SECURITY_ENABLED: from oshipka.persistance import User, db - SSO_BASE_URL = 'http://sso.localhost:5008' + app.config['SSO_BASE_URL'] = SSO_BASE_URL + SSO_AUTH_URL = '/oidc/auth' SSO_TOKEN_URL = '/oidc/token' SSO_USERINFO_URL = "/endpoints/userinfo" @@ -27,7 +29,7 @@ if SECURITY_ENABLED: @oshipka_bp.route('/sso') def sso(): callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_callback') - state = request.referrer or url_for('home') + state = request.referrer or url_for('home') + "|" + random_string_generator() session['oidc_state'] = state params = urllib.parse.urlencode({ 'redirect_uri': callback_url, @@ -58,6 +60,7 @@ if SECURITY_ENABLED: 'client_secret': SSO_CLIENT_SECRET, 'grant_type': 'authorization_code' }, + verify=False, ) if response.status_code == 200: response_json = response.json() @@ -67,6 +70,7 @@ if SECURITY_ENABLED: headers={ 'Authorization': "Bearer {}".format(access_token) }, + verify=False, ) if response.status_code == 200: response_json = response.json() 
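Review bot: In `sso()`, `state = request.referrer or url_for('home') + "|" + random_string_generator()` binds `+` tighter than `or`, so whenever a Referer header is present the random suffix is never appended and `state` is just the referrer; the nonce only appears on the fallback path. Parenthesize the alternative: `state = (request.referrer or url_for('home')) + "|" + random_string_generator()`. The callback should also compare the `state` query parameter it receives against `session['oidc_state']` before exchanging the code — that comparison is not visible in the hunks on this page (the callback body starts outside them), so confirm it exists; without it the nonce adds nothing.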
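Review bot: `verify=False` on the token request disables TLS certificate validation for the call that sends `SSO_CLIENT_SECRET`, and the same flag is added to the userinfo request in the next hunk (`@@ -67,6 +70,7 @@`), which sends the bearer token; config.py moves `SSO_BASE_URL` to `https://` in this same commit, so the flag cancels that gain. Point `verify` at the development CA instead, e.g. `verify=<path-to-dev-CA-bundle, placeholder>` read from config, so the production value stays the default `True`. If the flag must remain for local testing, gate it on a config setting and add a comment stating that it is development-only.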
@@ -74,12 +78,12 @@ if SECURITY_ENABLED: user = User.query.filter_by(username=username).first() redirect_uri = url_for('home') if not user: - user = User(username=username) + user = User(username=username, token=access_token) db.session.add(user) db.session.commit() login_user(user) if 'oidc_state' in session: - redirect_uri = session['oidc_state'] + redirect_uri = session['oidc_state'].split('|')[0] or url_for('home') del session['oidc_state'] return redirect(redirect_uri) - return response.json() + return response.text diff --git a/vm_gen/templates/html/navigation.html b/vm_gen/templates/html/navigation.html index 07660e8..cdd5214 100644 --- a/vm_gen/templates/html/navigation.html +++ b/vm_gen/templates/html/navigation.html @@ -11,7 +11,7 @@
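Review bot: `redirect_uri = session['oidc_state'].split('|')[0] or url_for('home')` takes its target from the earlier `request.referrer`, which the browser supplies, so `redirect(redirect_uri)` follows any absolute URL that was in the Referer header when `/sso` was entered — an open redirect that fires after a successful login. Restrict the target to this application's origin before redirecting, as below. Separately, `return response.text` relays the SSO server's raw error body to the client; logging it and returning a short error with the status code would avoid echoing upstream details. `User(username=username, token=access_token)` stores the access token only when the user is first created, so returning users keep whatever was stored before (assuming the `User` model has such a column — its definition is outside this page).
```python
            # … unchanged: login_user(user) …
            if 'oidc_state' in session:
                target = session.pop('oidc_state').split('|')[0]
                # The target came from the Referer header; only follow it on this app's origin.
                if target.startswith(APP_BASE_URL + '/') or (
                    target.startswith('/') and not urllib.parse.urlparse(target).netloc
                ):
                    redirect_uri = target
            return redirect(redirect_uri)
```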
{% if current_user.is_authenticated %} - {{ current_user.username }} | + {{ current_user.username }} | {{ _("Logout") }} | {% else %} {{ _("Login SSO") }}