create dev certs
parent
8230dd4950
commit
7f2da24224
1
.gitignore
vendored
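--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ __pycache__
 oshipka.egg-info
 provision/tmp
 provision/auto_dns/sensitive.py
+ssl/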
1
bootstrap/.gitignore
vendored
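--- a/bootstrap/.gitignore
+++ b/bootstrap/.gitignore
@@ -4,3 +4,4 @@ venv
 data/
 __pycache__
 sensitive.py
+webapp/ssl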
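--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -24,7 +24,7 @@ MAKEDIRS = [
 DATA_DIR, STATIC_DATA_DIR, MEDIA_DIR, TASKS_DIR, TASKS_IN_DIR, TASKS_PROC_DIR, TASKS_BUF_DIR,
 ]
 
-APP_BASE_URL = "http://localhost:5000"
+APP_BASE_URL = "https://PROJECT_NAME.localhost:5000"
 SECURITY_ENABLED = True
 SSO_BASE_URL = 'https://sso.localhost:5008'
 SSO_CLIENT_ID = APP_BASE_URL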
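Review bot: `APP_BASE_URL = "https://PROJECT_NAME.localhost:5000"` is a template value that `oshipka.sh bootstrap` rewrites with sed, but nothing in the file says so, and because `SSO_CLIENT_ID = APP_BASE_URL` the client id presented to the SSO server changes from `http://localhost:5000` to the https host, so any existing SSO client registration (not shown here) has to be updated as well. A comment above the assignment would save the next reader a trip to the shell script: `# PROJECT_NAME is substituted by 'oshipka.sh bootstrap'; the host must match the SAN of webapp/ssl/cert.crt (<project>.localhost) or browsers reject the dev cert`. The file path of this section is not shown on the page.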
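--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,2 +1,2 @@
-username
-daniel
+username,_m_n_roles
+admin,1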
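Review bot: The seed row `admin,1` now creates an account literally named `admin` bound to role id 1, which `generate_permissions` in this same commit treats as the always-allowed role (`role,1,...,,1`), and the page does not show how that account's credential is set. Whatever loads this file (or the project README) should state that this row is for local development only and must be replaced before a bootstrapped project is used anywhere else. The file path and the CSV loader are not shown on this page, so the meaning of `_m_n_roles` is inferred from its name.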
@ -12,4 +12,4 @@ app.template_folder = TEMPLATES_FOLDER
|
|||||||
app.static_folder = STATIC_FOLDER
|
app.static_folder = STATIC_FOLDER
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
app.run(debug=True)
|
app.run(port=5000, debug=True, ssl_context=('webapp/ssl/cert.crt', 'webapp/ssl/cert.key'))
|
||||||
|
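Review bot: `ssl_context=('webapp/ssl/cert.crt', 'webapp/ssl/cert.key')` on the new `app.run` line is resolved against the current working directory, so starting the app from any directory other than the project root fails at startup with a file-not-found error from the SSL layer, and the same happens when `cert_dev` has not been run yet. Build both paths from a project-root constant (or from this file's own directory if it sits at the root — the file is not named on the page) and check that they exist before `app.run`, with a message that points at `oshipka.sh cert_dev`; `os` must be imported if it is not already.
```python
if __name__ == "__main__":
    # Resolve the dev certificate relative to this file, not to the CWD.
    # NOTE(review): use the project-root constant from config.py if one exists.
    base_dir = os.path.dirname(os.path.abspath(__file__))
    cert = os.path.join(base_dir, "webapp", "ssl", "cert.crt")
    key = os.path.join(base_dir, "webapp", "ssl", "cert.key")
    if not (os.path.exists(cert) and os.path.exists(key)):
        raise SystemExit("dev certificate missing; run `oshipka.sh cert_dev` first")
    app.run(port=5000, debug=True, ssl_context=(cert, key))
```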
61
oshipka.sh
61
oshipka.sh
@ -23,6 +23,9 @@ Usage $0 [ bootstrap | model | db_migrate | db_upgrade | db_populate | db_recrea
|
|||||||
|
|
||||||
translate Translations subcommand
|
translate Translations subcommand
|
||||||
|
|
||||||
|
ca Create oshipka certificate authority (Oshipka CA)
|
||||||
|
cert_dev [DOMAIN] Generate dev certificate signed by Oshipka CA
|
||||||
|
|
||||||
worker Start worker
|
worker Start worker
|
||||||
web Start webapp
|
web Start webapp
|
||||||
|
|
||||||
@ -64,6 +67,56 @@ command_translate() {
|
|||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ca () {
|
||||||
|
if [ -f ${OSHIPKA_PATH}/ssl/oshipka_ca.pem ]; then
|
||||||
|
echo "Oshipka CA already exists"
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
echo "Creating Oshipka CA..."
|
||||||
|
|
||||||
|
mkdir -p ${OSHIPKA_PATH}/ssl
|
||||||
|
cd ${OSHIPKA_PATH}/ssl || exit
|
||||||
|
openssl genrsa -out oshipka_ca.key 2048
|
||||||
|
openssl req -x509 -new -nodes -key oshipka_ca.key -sha256 -days 1825 -out oshipka_ca.pem -subj "/C=/ST=/L=/O=Oshipka Web Development CA/OU=/CN=oshipka_web_development_ca"
|
||||||
|
}
|
||||||
|
|
||||||
|
cert_dev () {
|
||||||
|
shift
|
||||||
|
DOMAIN=$1
|
||||||
|
|
||||||
|
if [ -f webapp/ssl/cert.crt ]; then
|
||||||
|
echo "Certificate already exists"
|
||||||
|
exit 1;
|
||||||
|
elif [ ! -f ${OSHIPKA_PATH}/ssl/oshipka_ca.key ]; then
|
||||||
|
echo "Oshipka CA not found, generating..."
|
||||||
|
ca
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "${DOMAIN}" ]; then
|
||||||
|
DOMAIN=$(basename `pwd`)
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p webapp/ssl
|
||||||
|
echo "Create CSR for ${DOMAIN}"
|
||||||
|
openssl genrsa -out "webapp/ssl/cert.key" 2048
|
||||||
|
openssl req -new -key "webapp/ssl/cert.key" -out "webapp/ssl/cert.csr" -subj "/C=/ST=/L=/O=Oshipka Web Development/OU=/CN=${DOMAIN}.localhost"
|
||||||
|
|
||||||
|
cat > "webapp/ssl/cert.ext" << EOF
|
||||||
|
authorityKeyIdentifier=keyid,issuer
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
||||||
|
subjectAltName = @alt_names
|
||||||
|
|
||||||
|
[alt_names]
|
||||||
|
DNS.1 = ${DOMAIN}.localhost
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "Create self-signed certificate"
|
||||||
|
openssl x509 -req -in "webapp/ssl/cert.csr" -CA ${OSHIPKA_PATH}/ssl/oshipka_ca.pem -CAkey ${OSHIPKA_PATH}/ssl/oshipka_ca.key -CAcreateserial -out "webapp/ssl/cert.crt" -days 825 -sha256 -extfile "webapp/ssl/cert.ext"
|
||||||
|
|
||||||
|
rm "webapp/ssl/cert.ext" "webapp/ssl/cert.csr"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
worker () {
|
worker () {
|
||||||
source venv/bin/activate
|
source venv/bin/activate
|
||||||
@ -150,8 +203,9 @@ bootstrap() {
|
|||||||
cp -r ${OSHIPKA_PATH}/bootstrap/* ${PROJECT_PATH}/
|
cp -r ${OSHIPKA_PATH}/bootstrap/* ${PROJECT_PATH}/
|
||||||
cp ${OSHIPKA_PATH}/bootstrap/.gitignore ${PROJECT_PATH}/.gitignore
|
cp ${OSHIPKA_PATH}/bootstrap/.gitignore ${PROJECT_PATH}/.gitignore
|
||||||
mkdir ${PROJECT_PATH}/data
|
mkdir ${PROJECT_PATH}/data
|
||||||
mkdir ${PROJECT_PATH}/webapp/view_models
|
|
||||||
cd ${PROJECT_PATH}
|
cd ${PROJECT_PATH}
|
||||||
|
sed -i "s/PROJECT_NAME.localhost:5000/${PROJECT_NAME}.localhost:5000/" config.py
|
||||||
|
cert_dev
|
||||||
init_venv
|
init_venv
|
||||||
link_dev_oshipka
|
link_dev_oshipka
|
||||||
source venv/bin/activate
|
source venv/bin/activate
|
||||||
@ -286,6 +340,7 @@ db_purge_recreate() {
|
|||||||
source venv/bin/activate
|
source venv/bin/activate
|
||||||
rm -rf data/db.sqlite data/search_index migrations/ data/media
|
rm -rf data/db.sqlite data/search_index migrations/ data/media
|
||||||
python manager.py db init
|
python manager.py db init
|
||||||
|
model
|
||||||
db_migrate
|
db_migrate
|
||||||
db_upgrade
|
db_upgrade
|
||||||
db_populate
|
db_populate
|
||||||
@ -341,6 +396,10 @@ command_main() {
|
|||||||
;;
|
;;
|
||||||
venv) init_venv "$@"
|
venv) init_venv "$@"
|
||||||
;;
|
;;
|
||||||
|
ca) ca "$@"
|
||||||
|
;;
|
||||||
|
cert_dev) cert_dev "$@"
|
||||||
|
;;
|
||||||
install) install_reqs "$@"
|
install) install_reqs "$@"
|
||||||
;;
|
;;
|
||||||
link) link_dev_oshipka "$@"
|
link) link_dev_oshipka "$@"
|
||||||
|
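Review bot: In the second hunk, `cd ${OSHIPKA_PATH}/ssl || exit` inside `ca ()` changes the working directory of the calling shell; `cert_dev` calls `ca` when the CA key is missing and then keeps using paths relative to the project root (`mkdir -p webapp/ssl`, `webapp/ssl/cert.key`) and `DOMAIN=$(basename $(pwd))`, so a first-time `bootstrap` writes the project certificate under `${OSHIPKA_PATH}/ssl/webapp/ssl` with CN `ssl.localhost`. Giving `genrsa`/`req` absolute paths and dropping the `cd` fixes that. The CA private key is also created with the default umask; every dev certificate is signed by it and the CA is meant to be imported into browsers, so it should be created owner-readable only (`umask 077` in a subshell, or `chmod 600` right after `genrsa`), and the same applies to `webapp/ssl/cert.key` in `cert_dev`. The existence checks are inconsistent as well — `ca` tests for `oshipka_ca.pem` while `cert_dev` tests for `oshipka_ca.key` — so a half-finished CA directory is never repaired.
```shell
ca () {
    # … unchanged: "Oshipka CA already exists" guard …
    echo "Creating Oshipka CA..."

    mkdir -p "${OSHIPKA_PATH}/ssl"
    # No cd here: cert_dev calls ca and then relies on the caller's working directory.
    # Subshell so the restrictive umask only applies to the CA private key.
    (
        umask 077
        openssl genrsa -out "${OSHIPKA_PATH}/ssl/oshipka_ca.key" 2048
    )
    openssl req -x509 -new -nodes -key "${OSHIPKA_PATH}/ssl/oshipka_ca.key" -sha256 -days 1825 \
        -out "${OSHIPKA_PATH}/ssl/oshipka_ca.pem" \
        -subj "/C=/ST=/L=/O=Oshipka Web Development CA/OU=/CN=oshipka_web_development_ca"
}
```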
@ -338,7 +338,7 @@ SENSITIVE_PREFIX = "__SENSITIVE__."
|
|||||||
DEFAULT_PERMISSION_PERMISSIONS = ['get', 'add_user', 'add_role', 'remove_user', 'remove_role']
|
DEFAULT_PERMISSION_PERMISSIONS = ['get', 'add_user', 'add_role', 'remove_user', 'remove_role']
|
||||||
DEFAULT_MODEL_PERMISSIONS = ['get', 'list', 'search', 'create', 'update', 'delete']
|
DEFAULT_MODEL_PERMISSIONS = ['get', 'list', 'search', 'create', 'update', 'delete']
|
||||||
DEFAULT_COLUMN_PERMISSIONS = ['read', 'write']
|
DEFAULT_COLUMN_PERMISSIONS = ['read', 'write']
|
||||||
DEFAULT_SUBJECTS = ['public', 'logged']
|
DEFAULT_SUBJECTS = [('0', 'public'), ('1', 'logged')]
|
||||||
|
|
||||||
|
|
||||||
def generate_permissions():
|
def generate_permissions():
|
||||||
@ -351,24 +351,27 @@ def generate_permissions():
|
|||||||
if model in ['permission']:
|
if model in ['permission']:
|
||||||
continue
|
continue
|
||||||
is_ownable = 'Ownable' in model_view.definitions.get('inherits', [])
|
is_ownable = 'Ownable' in model_view.definitions.get('inherits', [])
|
||||||
subjects = DEFAULT_SUBJECTS + ['owner']if is_ownable else DEFAULT_SUBJECTS
|
subjects = DEFAULT_SUBJECTS + [('1', 'owner')] if is_ownable else DEFAULT_SUBJECTS
|
||||||
f.write("role,1,permission.update,models.{},,1\n".format(model))
|
f.write("role,1,permission.update,models.{},,1\n".format(model))
|
||||||
f.write("role,1,permission.remove_user_self,models.{},,1\n".format(model))
|
f.write("role,1,permission.remove_user_self,models.{},,1\n".format(model))
|
||||||
for subject in subjects:
|
for perm, subject in subjects:
|
||||||
for permission in DEFAULT_PERMISSION_PERMISSIONS:
|
for permission in DEFAULT_PERMISSION_PERMISSIONS:
|
||||||
f.write("{},,permission.{},models.{},,0\n".format(subject, permission, model))
|
f.write("{},,permission.{},models.{},,0\n".format(subject, permission, model))
|
||||||
f.write("role,1,permission.{},models.{},,1\n".format(permission, model))
|
f.write("role,1,permission.{},models.{},,1\n".format(permission, model))
|
||||||
f.write("{},,permission.update,models.{},,0\n".format(subject, model))
|
f.write("{},,permission.update,models.{},,0\n".format(subject, model))
|
||||||
f.write("{},,permission.remove_user_self,models.{},,0\n".format(subject, model))
|
f.write("{},,permission.remove_user_self,models.{},,0\n".format(subject, model))
|
||||||
if is_ownable:
|
if is_ownable:
|
||||||
f.write("{},,permission.change_owner,models.{},,1\n".format(subject, model))
|
if subject in ['owner']:
|
||||||
|
f.write("{},,permission.change_owner,models.{},,1\n".format(subject, model))
|
||||||
|
else:
|
||||||
|
f.write("{},,permission.change_owner,models.{},,0\n".format(subject, model))
|
||||||
for permission in DEFAULT_MODEL_PERMISSIONS:
|
for permission in DEFAULT_MODEL_PERMISSIONS:
|
||||||
f.write("{},,model.{},models.{},,1\n".format(subject, permission, model))
|
f.write("{},,model.{},models.{},,{}\n".format(subject, permission, model, perm))
|
||||||
for column in model_view.definitions.get('columns'):
|
for column in model_view.definitions.get('columns'):
|
||||||
column_name = column.get('name')
|
column_name = column.get('name')
|
||||||
for permission in DEFAULT_COLUMN_PERMISSIONS:
|
for permission in DEFAULT_COLUMN_PERMISSIONS:
|
||||||
f.write("{},,column.{}.{},columns.{},,1\n".format(subject, column_name, permission, model))
|
f.write("{},,column.{}.{},columns.{},,{}\n".format(subject, column_name, permission, model, perm))
|
||||||
f.write("role,1,column.{}.{},columns.{},,1\n".format(subject, column_name, permission, model))
|
f.write("role,1,column.{}.{},columns.{},,{}\n".format(subject, column_name, permission, model, perm))
|
||||||
|
|
||||||
|
|
||||||
def populate_static(app):
|
def populate_static(app):
|
||||||
|
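Review bot: The last changed line of the second hunk, `f.write("role,1,column.{}.{},columns.{},,{}\n".format(subject, column_name, permission, model, perm))`, has four placeholders but five arguments; `str.format` silently ignores the extra positional, so `subject` lands in the column path, `permission` in the object, `model` in the allowed column, and `perm` is never used (the old line had the same off-by-one with four arguments and a fixed `1`). Role 1 rows are written with a fixed `1` elsewhere in this function (`role,1,permission.{},models.{},,1`), so the fix is `f.write("role,1,column.{}.{},columns.{},,1\n".format(column_name, permission, model))`; since the row does not depend on `subject`, it also appears to be emitted once per subject and could move out of the `for perm, subject in subjects` loop. generate_permissions starts before this hunk, and indentation is not visible on this page.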
@ -15,11 +15,10 @@ from oshipka.persistance import db, filter_m_n, update_m_ns, SHARING_TYPE_TYPES_
|
|||||||
SHARING_TYPE_TYPES_TYPE_AUTHZ, SHARING_TYPE_TYPES_TYPE_AUTHN
|
SHARING_TYPE_TYPES_TYPE_AUTHZ, SHARING_TYPE_TYPES_TYPE_AUTHN
|
||||||
from oshipka.util.strings import camel_case_to_snake_case
|
from oshipka.util.strings import camel_case_to_snake_case
|
||||||
from config import MEDIA_DIR, SECURITY_ENABLED
|
from config import MEDIA_DIR, SECURITY_ENABLED
|
||||||
|
from webapp.models import Permission
|
||||||
|
|
||||||
webapp_models = importlib.import_module("webapp.models")
|
webapp_models = importlib.import_module("webapp.models")
|
||||||
|
|
||||||
if SECURITY_ENABLED:
|
|
||||||
from webapp.models import Permission
|
|
||||||
|
|
||||||
MODEL_VIEWS = dict()
|
MODEL_VIEWS = dict()
|
||||||
|
|
||||||
@ -55,14 +54,15 @@ def has_permission(obj, action, instance=None, object_prefix="models", action_pr
|
|||||||
return True
|
return True
|
||||||
|
|
||||||
# ROLE PERMISSIONS
|
# ROLE PERMISSIONS
|
||||||
roles_ids = [r.id for r in current_user.roles]
|
if hasattr(current_user, "roles"):
|
||||||
role_permissions = Permission.query.filter(Permission.object == "{}.{}".format(object_prefix, obj),
|
roles_ids = [r.id for r in current_user.roles]
|
||||||
Permission.action == "{}.{}".format(action_prefix, action),
|
role_permissions = Permission.query.filter(Permission.object == "{}.{}".format(object_prefix, obj),
|
||||||
Permission.subject == "user",
|
Permission.action == "{}.{}".format(action_prefix, action),
|
||||||
Permission.subject_id.in_(roles_ids)).all()
|
Permission.subject == "user",
|
||||||
for role_permission in role_permissions:
|
Permission.subject_id.in_(roles_ids)).all()
|
||||||
if role_permission.is_allowed:
|
for role_permission in role_permissions:
|
||||||
return True
|
if role_permission.is_allowed:
|
||||||
|
return True
|
||||||
|
|
||||||
# USER PERMISSIONS
|
# USER PERMISSIONS
|
||||||
user_id = current_user.id
|
user_id = current_user.id
|
||||||
|
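Review bot: The `# ROLE PERMISSIONS` query on the new side still filters `Permission.subject == "user"` while matching `Permission.subject_id` against role ids, whereas `generate_permissions` in this same commit writes the role grants with subject `role` (`role,1,permission.update,models.{},,1`); if the first CSV column maps to `Permission.subject`, no role grant can ever match this query and role-based access presumably falls through to the user checks and is denied. Worth confirming against the loader before merging, because a mismatch here would make the new `hasattr(current_user, "roles")` guard moot. The guard itself is a reasonable fail-closed default, but it also hides a user model that simply lacks the `roles` relationship; a one-line `# no roles relationship on this user model -> no role grants (fail closed)` above it would make that intent explicit. has_permission begins before this hunk and continues after it.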