create dev certs
This commit is contained in:
parent
8230dd4950
commit
7f2da24224
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,3 +6,4 @@ __pycache__
|
||||
oshipka.egg-info
|
||||
provision/tmp
|
||||
provision/auto_dns/sensitive.py
|
||||
ssl/
|
1
bootstrap/.gitignore
vendored
1
bootstrap/.gitignore
vendored
@ -4,3 +4,4 @@ venv
|
||||
data/
|
||||
__pycache__
|
||||
sensitive.py
|
||||
webapp/ssl
|
@ -24,7 +24,7 @@ MAKEDIRS = [
|
||||
DATA_DIR, STATIC_DATA_DIR, MEDIA_DIR, TASKS_DIR, TASKS_IN_DIR, TASKS_PROC_DIR, TASKS_BUF_DIR,
|
||||
]
|
||||
|
||||
APP_BASE_URL = "http://localhost:5000"
|
||||
APP_BASE_URL = "https://PROJECT_NAME.localhost:5000"
|
||||
SECURITY_ENABLED = True
|
||||
SSO_BASE_URL = 'https://sso.localhost:5008'
|
||||
SSO_CLIENT_ID = APP_BASE_URL
|
||||
|
@ -1,2 +1,2 @@
|
||||
username
|
||||
daniel
|
||||
username,_m_n_roles
|
||||
admin,1
|
|
@ -12,4 +12,4 @@ app.template_folder = TEMPLATES_FOLDER
|
||||
app.static_folder = STATIC_FOLDER
|
||||
|
||||
if __name__ == "__main__":
|
||||
app.run(debug=True)
|
||||
app.run(port=5000, debug=True, ssl_context=('webapp/ssl/cert.crt', 'webapp/ssl/cert.key'))
|
||||
|
61
oshipka.sh
61
oshipka.sh
@ -23,6 +23,9 @@ Usage $0 [ bootstrap | model | db_migrate | db_upgrade | db_populate | db_recrea
|
||||
|
||||
translate Translations subcommand
|
||||
|
||||
ca Create oshipka certificate authority (Oshipka CA)
|
||||
cert_dev [DOMAIN] Generate dev certificate signed by Oshipka CA
|
||||
|
||||
worker Start worker
|
||||
web Start webapp
|
||||
|
||||
@ -64,6 +67,56 @@ command_translate() {
|
||||
return $?
|
||||
}
|
||||
|
||||
ca () {
|
||||
if [ -f ${OSHIPKA_PATH}/ssl/oshipka_ca.pem ]; then
|
||||
echo "Oshipka CA already exists"
|
||||
exit 1;
|
||||
fi
|
||||
echo "Creating Oshipka CA..."
|
||||
|
||||
mkdir -p ${OSHIPKA_PATH}/ssl
|
||||
cd ${OSHIPKA_PATH}/ssl || exit
|
||||
openssl genrsa -out oshipka_ca.key 2048
|
||||
openssl req -x509 -new -nodes -key oshipka_ca.key -sha256 -days 1825 -out oshipka_ca.pem -subj "/C=/ST=/L=/O=Oshipka Web Development CA/OU=/CN=oshipka_web_development_ca"
|
||||
}
|
||||
|
||||
cert_dev () {
|
||||
shift
|
||||
DOMAIN=$1
|
||||
|
||||
if [ -f webapp/ssl/cert.crt ]; then
|
||||
echo "Certificate already exists"
|
||||
exit 1;
|
||||
elif [ ! -f ${OSHIPKA_PATH}/ssl/oshipka_ca.key ]; then
|
||||
echo "Oshipka CA not found, generating..."
|
||||
ca
|
||||
fi
|
||||
|
||||
if [ -z "${DOMAIN}" ]; then
|
||||
DOMAIN=$(basename `pwd`)
|
||||
fi
|
||||
|
||||
mkdir -p webapp/ssl
|
||||
echo "Create CSR for ${DOMAIN}"
|
||||
openssl genrsa -out "webapp/ssl/cert.key" 2048
|
||||
openssl req -new -key "webapp/ssl/cert.key" -out "webapp/ssl/cert.csr" -subj "/C=/ST=/L=/O=Oshipka Web Development/OU=/CN=${DOMAIN}.localhost"
|
||||
|
||||
cat > "webapp/ssl/cert.ext" << EOF
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[alt_names]
|
||||
DNS.1 = ${DOMAIN}.localhost
|
||||
EOF
|
||||
|
||||
echo "Create self-signed certificate"
|
||||
openssl x509 -req -in "webapp/ssl/cert.csr" -CA ${OSHIPKA_PATH}/ssl/oshipka_ca.pem -CAkey ${OSHIPKA_PATH}/ssl/oshipka_ca.key -CAcreateserial -out "webapp/ssl/cert.crt" -days 825 -sha256 -extfile "webapp/ssl/cert.ext"
|
||||
|
||||
rm "webapp/ssl/cert.ext" "webapp/ssl/cert.csr"
|
||||
}
|
||||
|
||||
|
||||
worker () {
|
||||
source venv/bin/activate
|
||||
@ -150,8 +203,9 @@ bootstrap() {
|
||||
cp -r ${OSHIPKA_PATH}/bootstrap/* ${PROJECT_PATH}/
|
||||
cp ${OSHIPKA_PATH}/bootstrap/.gitignore ${PROJECT_PATH}/.gitignore
|
||||
mkdir ${PROJECT_PATH}/data
|
||||
mkdir ${PROJECT_PATH}/webapp/view_models
|
||||
cd ${PROJECT_PATH}
|
||||
sed -i "s/PROJECT_NAME.localhost:5000/${PROJECT_NAME}.localhost:5000/" config.py
|
||||
cert_dev
|
||||
init_venv
|
||||
link_dev_oshipka
|
||||
source venv/bin/activate
|
||||
@ -286,6 +340,7 @@ db_purge_recreate() {
|
||||
source venv/bin/activate
|
||||
rm -rf data/db.sqlite data/search_index migrations/ data/media
|
||||
python manager.py db init
|
||||
model
|
||||
db_migrate
|
||||
db_upgrade
|
||||
db_populate
|
||||
@ -341,6 +396,10 @@ command_main() {
|
||||
;;
|
||||
venv) init_venv "$@"
|
||||
;;
|
||||
ca) ca "$@"
|
||||
;;
|
||||
cert_dev) cert_dev "$@"
|
||||
;;
|
||||
install) install_reqs "$@"
|
||||
;;
|
||||
link) link_dev_oshipka "$@"
|
||||
|
@ -338,7 +338,7 @@ SENSITIVE_PREFIX = "__SENSITIVE__."
|
||||
DEFAULT_PERMISSION_PERMISSIONS = ['get', 'add_user', 'add_role', 'remove_user', 'remove_role']
|
||||
DEFAULT_MODEL_PERMISSIONS = ['get', 'list', 'search', 'create', 'update', 'delete']
|
||||
DEFAULT_COLUMN_PERMISSIONS = ['read', 'write']
|
||||
DEFAULT_SUBJECTS = ['public', 'logged']
|
||||
DEFAULT_SUBJECTS = [('0', 'public'), ('1', 'logged')]
|
||||
|
||||
|
||||
def generate_permissions():
|
||||
@ -351,24 +351,27 @@ def generate_permissions():
|
||||
if model in ['permission']:
|
||||
continue
|
||||
is_ownable = 'Ownable' in model_view.definitions.get('inherits', [])
|
||||
subjects = DEFAULT_SUBJECTS + ['owner']if is_ownable else DEFAULT_SUBJECTS
|
||||
subjects = DEFAULT_SUBJECTS + [('1', 'owner')] if is_ownable else DEFAULT_SUBJECTS
|
||||
f.write("role,1,permission.update,models.{},,1\n".format(model))
|
||||
f.write("role,1,permission.remove_user_self,models.{},,1\n".format(model))
|
||||
for subject in subjects:
|
||||
for perm, subject in subjects:
|
||||
for permission in DEFAULT_PERMISSION_PERMISSIONS:
|
||||
f.write("{},,permission.{},models.{},,0\n".format(subject, permission, model))
|
||||
f.write("role,1,permission.{},models.{},,1\n".format(permission, model))
|
||||
f.write("{},,permission.update,models.{},,0\n".format(subject, model))
|
||||
f.write("{},,permission.remove_user_self,models.{},,0\n".format(subject, model))
|
||||
if is_ownable:
|
||||
if subject in ['owner']:
|
||||
f.write("{},,permission.change_owner,models.{},,1\n".format(subject, model))
|
||||
else:
|
||||
f.write("{},,permission.change_owner,models.{},,0\n".format(subject, model))
|
||||
for permission in DEFAULT_MODEL_PERMISSIONS:
|
||||
f.write("{},,model.{},models.{},,1\n".format(subject, permission, model))
|
||||
f.write("{},,model.{},models.{},,{}\n".format(subject, permission, model, perm))
|
||||
for column in model_view.definitions.get('columns'):
|
||||
column_name = column.get('name')
|
||||
for permission in DEFAULT_COLUMN_PERMISSIONS:
|
||||
f.write("{},,column.{}.{},columns.{},,1\n".format(subject, column_name, permission, model))
|
||||
f.write("role,1,column.{}.{},columns.{},,1\n".format(subject, column_name, permission, model))
|
||||
f.write("{},,column.{}.{},columns.{},,{}\n".format(subject, column_name, permission, model, perm))
|
||||
f.write("role,1,column.{}.{},columns.{},,{}\n".format(subject, column_name, permission, model, perm))
|
||||
|
||||
|
||||
def populate_static(app):
|
||||
|
@ -15,11 +15,10 @@ from oshipka.persistance import db, filter_m_n, update_m_ns, SHARING_TYPE_TYPES_
|
||||
SHARING_TYPE_TYPES_TYPE_AUTHZ, SHARING_TYPE_TYPES_TYPE_AUTHN
|
||||
from oshipka.util.strings import camel_case_to_snake_case
|
||||
from config import MEDIA_DIR, SECURITY_ENABLED
|
||||
from webapp.models import Permission
|
||||
|
||||
webapp_models = importlib.import_module("webapp.models")
|
||||
|
||||
if SECURITY_ENABLED:
|
||||
from webapp.models import Permission
|
||||
|
||||
MODEL_VIEWS = dict()
|
||||
|
||||
@ -55,6 +54,7 @@ def has_permission(obj, action, instance=None, object_prefix="models", action_pr
|
||||
return True
|
||||
|
||||
# ROLE PERMISSIONS
|
||||
if hasattr(current_user, "roles"):
|
||||
roles_ids = [r.id for r in current_user.roles]
|
||||
role_permissions = Permission.query.filter(Permission.object == "{}.{}".format(object_prefix, obj),
|
||||
Permission.action == "{}.{}".format(action_prefix, action),
|
||||
|
Loading…
Reference in New Issue
Block a user