powerdns-admin/app/lib/utils.py

import re
import json
import requests
import hashlib
import ipaddress
import os

from app import app
from distutils.version import StrictVersion
from urllib.parse import urlparse
from datetime import datetime, timedelta
from threading import Thread

from .certutil import KEY_FILE, CERT_FILE
import logging as logger

logging = logger.getLogger(__name__)


if app.config['SAML_ENABLED']:
    from onelogin.saml2.auth import OneLogin_Saml2_Auth
    from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser
    idp_timestamp = datetime(1970, 1, 1)
    idp_data = None
    if 'SAML_IDP_ENTITY_ID' in app.config:
        idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None), required_sso_binding=app.config['SAML_IDP_SSO_BINDING'])
    else:
        idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None))
    if idp_data is None:
        print('SAML: IDP Metadata initial load failed')
        exit(-1)
    idp_timestamp = datetime.now()


def get_idp_data():
    global idp_data, idp_timestamp
    lifetime = timedelta(minutes=app.config['SAML_METADATA_CACHE_LIFETIME'])
    if idp_timestamp+lifetime < datetime.now():
        background_thread = Thread(target=retrieve_idp_data)
        background_thread.start()
    return idp_data


def retrieve_idp_data():
    global idp_data, idp_timestamp
    if 'SAML_IDP_SSO_BINDING' in app.config:
        new_idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None), required_sso_binding=app.config['SAML_IDP_SSO_BINDING'])
    else:
        new_idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None))
    if new_idp_data is not None:
        idp_data = new_idp_data
        idp_timestamp = datetime.now()
        print("SAML: IDP Metadata successfully retrieved from: " + app.config['SAML_METADATA_URL'])
    else:
        print("SAML: IDP Metadata could not be retrieved")


if 'TIMEOUT' in app.config.keys():
    TIMEOUT = app.config['TIMEOUT']
else:
    TIMEOUT = 10


def auth_from_url(url):
    auth = None
    parsed_url = urlparse(url).netloc
    if '@' in parsed_url:
        auth = parsed_url.split('@')[0].split(':')
        auth = requests.auth.HTTPBasicAuth(auth[0], auth[1])
    return auth


def fetch_remote(remote_url, method='GET', data=None, accept=None, params=None, timeout=None, headers=None):
    if data is not None and type(data) != str:
        data = json.dumps(data)

    if timeout is None:
        timeout = TIMEOUT

    verify = False

    our_headers = {
        'user-agent': 'powerdnsadmin/0',
        'pragma': 'no-cache',
        'cache-control': 'no-cache'
    }
    if accept is not None:
        our_headers['accept'] = accept
    if headers is not None:
        our_headers.update(headers)

    r = requests.request(
        method,
        remote_url,
        headers=headers,
        verify=verify,
        auth=auth_from_url(remote_url),
        timeout=timeout,
        data=data,
        params=params
        )
    try:
        if r.status_code not in (200, 201, 204, 400, 422):
            r.raise_for_status()
    except Exception as e:
        msg = "Returned status {0} and content {1}"
        logging.error(msg.format(r.status_code, r.content))
        raise RuntimeError('Error while fetching {0}'.format(remote_url))

    return r


def fetch_json(remote_url, method='GET', data=None, params=None, headers=None):
    r = fetch_remote(remote_url, method=method, data=data, params=params, headers=headers,
                     accept='application/json; q=1')

    if method == "DELETE":
        return True

    if r.status_code == 204:
        return {}

    try:
        assert('json' in r.headers['content-type'])
    except Exception as e:
        raise RuntimeError('Error while fetching {0}'.format(remote_url)) from e

    # don't use r.json here, as it will read from r.text, which will trigger
    # content encoding auto-detection in almost all cases, WHICH IS EXTREMELY
    # SLOOOOOOOOOOOOOOOOOOOOOOW. just don't.
    data = None
    try:
        data = json.loads(r.content.decode('utf-8'))
    except Exception as e:
        raise RuntimeError('Error while loading JSON data from {0}'.format(remote_url)) from e
    return data


def display_record_name(data):
    record_name, domain_name = data
    if record_name == domain_name:
        return '@'
    else:
        return re.sub('\.{}$'.format(domain_name), '', record_name)


def display_master_name(data):
    """
    input data: "[u'127.0.0.1', u'8.8.8.8']"
    """
    matches = re.findall(r'\'(.+?)\'', data)
    return ", ".join(matches)


def display_time(amount, units='s', remove_seconds=True):
    """
    Convert timestamp to normal time format
    """
    amount = int(amount)
    INTERVALS = [(lambda mlsec:divmod(mlsec, 1000), 'ms'),
                 (lambda seconds:divmod(seconds, 60), 's'),
                 (lambda minutes:divmod(minutes, 60), 'm'),
                 (lambda hours:divmod(hours, 24), 'h'),
                 (lambda days:divmod(days, 7), 'D'),
                 (lambda weeks:divmod(weeks, 4), 'W'),
                 (lambda years:divmod(years, 12), 'M'),
                 (lambda decades:divmod(decades, 10), 'Y')]

    for index_start, (interval, unit) in enumerate(INTERVALS):
        if unit == units:
            break

    amount_abrev = []
    last_index = 0
    amount_temp = amount
    for index, (formula, abrev) in enumerate(INTERVALS[index_start: len(INTERVALS)]):
        divmod_result = formula(amount_temp)
        amount_temp = divmod_result[0]
        amount_abrev.append((divmod_result[1], abrev))
        if divmod_result[1] > 0:
            last_index = index
    amount_abrev_partial = amount_abrev[0: last_index + 1]
    amount_abrev_partial.reverse()

    final_string = ''
    for amount, abrev in amount_abrev_partial:
        final_string += str(amount) + abrev + ' '

    if remove_seconds and 'm' in final_string:
        final_string = final_string[:final_string.rfind(' ')]
        return final_string[:final_string.rfind(' ')]

    return final_string


def pdns_api_extended_uri(version):
    """
    Check the pdns version
    """
    if StrictVersion(version) >= StrictVersion('4.0.0'):
        return "/api/v1"
    else:
        return ""


def email_to_gravatar_url(email="", size=100):
    """
    AD doesn't necessarily have email
    """
    if email is None:
        email = ""

    hash_string = hashlib.md5(email.encode('utf-8')).hexdigest()
    return "https://s.gravatar.com/avatar/{0}?s={1}".format(hash_string, size)


def prepare_flask_request(request):
    # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
    url_data = urlparse(request.url)
    return {
        'https': 'on' if request.scheme == 'https' else 'off',
        'http_host': request.host,
        'server_port': url_data.port,
        'script_name': request.path,
        'get_data': request.args.copy(),
        'post_data': request.form.copy(),
        # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
        'lowercase_urlencoding': True,
        'query_string': request.query_string
    }


def init_saml_auth(req):
    own_url = ''
    if req['https'] == 'on':
        own_url = 'https://'
    else:
        own_url = 'http://'
    own_url += req['http_host']
    metadata = get_idp_data()
    settings = {}
    settings['sp'] = {}
    if 'SAML_NAMEID_FORMAT' in app.config:
      settings['sp']['NameIDFormat'] = app.config['SAML_NAMEID_FORMAT']
    else:
        settings['sp']['NameIDFormat'] = idp_data.get('sp', {}).get('NameIDFormat', 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')
    settings['sp']['entityId'] = app.config['SAML_SP_ENTITY_ID']
    if os.path.isfile(CERT_FILE):
      cert = open(CERT_FILE, "r").readlines()
      settings['sp']['x509cert'] = "".join(cert)
    if os.path.isfile(KEY_FILE):
      key = open(KEY_FILE, "r").readlines()
      settings['sp']['privateKey'] = "".join(key)
    settings['sp']['assertionConsumerService'] = {}
    settings['sp']['assertionConsumerService']['binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    settings['sp']['assertionConsumerService']['url'] = own_url+'/saml/authorized'
    settings['sp']['attributeConsumingService'] = {}
    settings['sp']['singleLogoutService'] = {}
    settings['sp']['singleLogoutService']['binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    settings['sp']['singleLogoutService']['url'] = own_url+'/saml/sls'
    settings['idp'] = metadata['idp']
    settings['strict'] = True
    settings['debug'] = app.config['SAML_DEBUG']
    settings['security'] = {}
    settings['security']['digestAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    settings['security']['metadataCacheDuration'] = None
    settings['security']['metadataValidUntil'] = None
    settings['security']['requestedAuthnContext'] = True
    settings['security']['signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    settings['security']['wantAssertionsEncrypted'] = False
    settings['security']['wantAttributeStatement'] = True
    settings['security']['wantNameId'] = True
    settings['security']['authnRequestsSigned'] = app.config['SAML_SIGN_REQUEST']
    settings['security']['logoutRequestSigned'] = app.config['SAML_SIGN_REQUEST']
    settings['security']['logoutResponseSigned'] = app.config['SAML_SIGN_REQUEST']
    settings['security']['nameIdEncrypted'] = False
    settings['security']['signMetadata'] = True
    settings['security']['wantAssertionsSigned'] = True
    settings['security']['wantMessagesSigned'] = app.config.get('SAML_WANT_MESSAGE_SIGNED', True)
    settings['security']['wantNameIdEncrypted'] = False
    settings['contactPerson'] = {}
    settings['contactPerson']['support'] = {}
    settings['contactPerson']['support']['emailAddress'] = app.config['SAML_SP_CONTACT_NAME']
    settings['contactPerson']['support']['givenName'] = app.config['SAML_SP_CONTACT_MAIL']
    settings['contactPerson']['technical'] = {}
    settings['contactPerson']['technical']['emailAddress'] = app.config['SAML_SP_CONTACT_NAME']
    settings['contactPerson']['technical']['givenName'] = app.config['SAML_SP_CONTACT_MAIL']
    settings['organization'] = {}
    settings['organization']['en-US'] = {}
    settings['organization']['en-US']['displayname'] = 'PowerDNS-Admin'
    settings['organization']['en-US']['name'] = 'PowerDNS-Admin'
    settings['organization']['en-US']['url'] = own_url
    auth = OneLogin_Saml2_Auth(req, settings)
    return auth


def display_setting_state(value):
    if value == 1:
        return "ON"
    elif value == 0:
        return "OFF"
    else:
        return "UNKNOWN"


def validate_ipaddress(address):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            pass
        else:
            if isinstance(ip, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
                return [ip]
        return []
Initial commit 2015-12-13 09:34:12 +00:00			`import re`
			`import json`
			`import requests`
Add Gravatar to display user's avatar 2016-07-13 14:33:21 +00:00			`import hashlib`
dyndns: accept and validate both A and AAAA records; default to client address 2019-02-02 12:28:56 +00:00			`import ipaddress`
Improve SAML support - Make SAML_WANT_MESSAGE_SIGNED configurable, AzureAD signs the assertion but wouldn't sign the message - Add support for a name attribute, i.e. 'Tim Jacomb' using `SAML_ATTRIBUTE_NAME`, which will be mapped into the given and surname fields, AzureAD only has displayname - Add support for group based admin `SAML_ATTRIBUTE_GROUP` and `SAML_GROUP_ADMIN_NAME` - Add support for group based accounts `SAML_GROUP_TO_ACCOUNT_MAPPING` - Don't fail if cert and key aren't present 2019-02-23 14:42:08 +00:00			`import os`
Add Gravatar to display user's avatar 2016-07-13 14:33:21 +00:00
Update utils.py add timeout requests.request for large zones 2016-03-17 05:00:33 +00:00			`from app import app`
Adjustment to support new api url format in pdns 4.x.x 2016-06-07 06:50:31 +00:00			`from distutils.version import StrictVersion`
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00			`from urllib.parse import urlparse`
fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00			`from datetime import datetime, timedelta`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`from threading import Thread`

Fix python code as suggestion from LGTM 2018-08-31 11:00:41 +00:00			`from .certutil import KEY_FILE, CERT_FILE`
Add Api to PowerDNS-Admin 2019-03-01 22:49:31 +00:00			`import logging as logger`

			`logging = logger.getLogger(__name__)`

Resolve the conflicts for #228 2018-04-02 06:38:53 +00:00
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`if app.config['SAML_ENABLED']:`
fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00			`from onelogin.saml2.auth import OneLogin_Saml2_Auth`
			`from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser`
			`idp_timestamp = datetime(1970, 1, 1)`
			`idp_data = None`
Allow specifying SAML2 SSO binding format. 2018-08-11 13:12:06 +00:00			`if 'SAML_IDP_ENTITY_ID' in app.config:`
			`idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None), required_sso_binding=app.config['SAML_IDP_SSO_BINDING'])`
			`else:`
			`idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None))`
fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00			`if idp_data is None:`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`print('SAML: IDP Metadata initial load failed')`
			`exit(-1)`
			`idp_timestamp = datetime.now()`

fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`def get_idp_data():`
			`global idp_data, idp_timestamp`
			`lifetime = timedelta(minutes=app.config['SAML_METADATA_CACHE_LIFETIME'])`
			`if idp_timestamp+lifetime < datetime.now():`
spelling: retrieve 2018-10-02 07:25:36 +00:00			`background_thread = Thread(target=retrieve_idp_data)`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`background_thread.start()`
			`return idp_data`

fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00
spelling: retrieve 2018-10-02 07:25:36 +00:00			`def retrieve_idp_data():`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`global idp_data, idp_timestamp`
Allow specifying SAML2 SSO binding format. 2018-08-11 13:12:06 +00:00			`if 'SAML_IDP_SSO_BINDING' in app.config:`
			`new_idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None), required_sso_binding=app.config['SAML_IDP_SSO_BINDING'])`
			`else:`
			`new_idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(app.config['SAML_METADATA_URL'], entity_id=app.config.get('SAML_IDP_ENTITY_ID', None))`
fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00			`if new_idp_data is not None:`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`idp_data = new_idp_data`
			`idp_timestamp = datetime.now()`
spelling: retrieve 2018-10-02 07:25:36 +00:00			`print("SAML: IDP Metadata successfully retrieved from: " + app.config['SAML_METADATA_URL'])`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`else:`
spelling: retrieve 2018-10-02 07:25:36 +00:00			`print("SAML: IDP Metadata could not be retrieved")`
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00
Update utils.py add timeout requests.request for large zones 2016-03-17 05:00:33 +00:00
Adjustment in application config 2016-04-13 04:13:59 +00:00			`if 'TIMEOUT' in app.config.keys():`
			`TIMEOUT = app.config['TIMEOUT']`
			`else:`
			`TIMEOUT = 10`
Initial commit 2015-12-13 09:34:12 +00:00
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00
Initial commit 2015-12-13 09:34:12 +00:00			`def auth_from_url(url):`
			`auth = None`
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00			`parsed_url = urlparse(url).netloc`
Initial commit 2015-12-13 09:34:12 +00:00			`if '@' in parsed_url:`
			`auth = parsed_url.split('@')[0].split(':')`
			`auth = requests.auth.HTTPBasicAuth(auth[0], auth[1])`
			`return auth`


			`def fetch_remote(remote_url, method='GET', data=None, accept=None, params=None, timeout=None, headers=None):`
			`if data is not None and type(data) != str:`
			`data = json.dumps(data)`

			`if timeout is None:`
Update utils.py add timeout requests.request for large zones 2016-03-17 05:00:33 +00:00			`timeout = TIMEOUT`
Initial commit 2015-12-13 09:34:12 +00:00
			`verify = False`

			`our_headers = {`
			`'user-agent': 'powerdnsadmin/0',`
			`'pragma': 'no-cache',`
			`'cache-control': 'no-cache'`
			`}`
			`if accept is not None:`
			`our_headers['accept'] = accept`
			`if headers is not None:`
			`our_headers.update(headers)`

			`r = requests.request(`
			`method,`
			`remote_url,`
			`headers=headers,`
			`verify=verify,`
			`auth=auth_from_url(remote_url),`
			`timeout=timeout,`
			`data=data,`
			`params=params`
			`)`
			`try:`
Add Api to PowerDNS-Admin 2019-03-01 22:49:31 +00:00			`if r.status_code not in (200, 201, 204, 400, 422):`
Initial commit 2015-12-13 09:34:12 +00:00			`r.raise_for_status()`
			`except Exception as e:`
Add Api to PowerDNS-Admin 2019-03-01 22:49:31 +00:00			`msg = "Returned status {0} and content {1}"`
			`logging.error(msg.format(r.status_code, r.content))`
			`raise RuntimeError('Error while fetching {0}'.format(remote_url))`
Initial commit 2015-12-13 09:34:12 +00:00
			`return r`


			`def fetch_json(remote_url, method='GET', data=None, params=None, headers=None):`
fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00			`r = fetch_remote(remote_url, method=method, data=data, params=params, headers=headers,`
			`accept='application/json; q=1')`
Initial commit 2015-12-13 09:34:12 +00:00
			`if method == "DELETE":`
			`return True`

fix for updates on pdns 4.0.0-rc2+ and remove flask.ext deprecation warnings 2016-07-01 19:41:41 +00:00			`if r.status_code == 204:`
			`return {}`

Initial commit 2015-12-13 09:34:12 +00:00			`try:`
			`assert('json' in r.headers['content-type'])`
			`except Exception as e:`
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00			`raise RuntimeError('Error while fetching {0}'.format(remote_url)) from e`
Initial commit 2015-12-13 09:34:12 +00:00
			`# don't use r.json here, as it will read from r.text, which will trigger`
			`# content encoding auto-detection in almost all cases, WHICH IS EXTREMELY`
			`# SLOOOOOOOOOOOOOOOOOOOOOOW. just don't.`
			`data = None`
			`try:`
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00			`data = json.loads(r.content.decode('utf-8'))`
			`except Exception as e:`
			`raise RuntimeError('Error while loading JSON data from {0}'.format(remote_url)) from e`
Initial commit 2015-12-13 09:34:12 +00:00			`return data`


			`def display_record_name(data):`
			`record_name, domain_name = data`
			`if record_name == domain_name:`
			`return '@'`
			`else:`
domain stripping was not limited to the end of a name 2018-04-12 00:20:49 +00:00			`return re.sub('\.{}$'.format(domain_name), '', record_name)`
Initial commit 2015-12-13 09:34:12 +00:00
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00
Initial commit 2015-12-13 09:34:12 +00:00			`def display_master_name(data):`
			`"""`
			`input data: "[u'127.0.0.1', u'8.8.8.8']"`
			`"""`
			`matches = re.findall(r'\'(.+?)\'', data)`
			`return ", ".join(matches)`

Adjustment to work with Python3 2018-03-30 06:49:35 +00:00
Initial commit 2015-12-13 09:34:12 +00:00			`def display_time(amount, units='s', remove_seconds=True):`
			`"""`
			`Convert timestamp to normal time format`
			`"""`
			`amount = int(amount)`
			`INTERVALS = [(lambda mlsec:divmod(mlsec, 1000), 'ms'),`
			`(lambda seconds:divmod(seconds, 60), 's'),`
			`(lambda minutes:divmod(minutes, 60), 'm'),`
			`(lambda hours:divmod(hours, 24), 'h'),`
			`(lambda days:divmod(days, 7), 'D'),`
			`(lambda weeks:divmod(weeks, 4), 'W'),`
			`(lambda years:divmod(years, 12), 'M'),`
			`(lambda decades:divmod(decades, 10), 'Y')]`

			`for index_start, (interval, unit) in enumerate(INTERVALS):`
			`if unit == units:`
			`break`

			`amount_abrev = []`
			`last_index = 0`
			`amount_temp = amount`
			`for index, (formula, abrev) in enumerate(INTERVALS[index_start: len(INTERVALS)]):`
			`divmod_result = formula(amount_temp)`
			`amount_temp = divmod_result[0]`
			`amount_abrev.append((divmod_result[1], abrev))`
			`if divmod_result[1] > 0:`
			`last_index = index`
			`amount_abrev_partial = amount_abrev[0: last_index + 1]`
			`amount_abrev_partial.reverse()`

			`final_string = ''`
			`for amount, abrev in amount_abrev_partial:`
			`final_string += str(amount) + abrev + ' '`

			`if remove_seconds and 'm' in final_string:`
			`final_string = final_string[:final_string.rfind(' ')]`
			`return final_string[:final_string.rfind(' ')]`

Update utils.py add timeout requests.request for large zones 2016-03-17 05:00:33 +00:00			`return final_string`
Adjustment to support new api url format in pdns 4.x.x 2016-06-07 06:50:31 +00:00
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00
Adjustment to support new api url format in pdns 4.x.x 2016-06-07 06:50:31 +00:00			`def pdns_api_extended_uri(version):`
			`"""`
			`Check the pdns version`
			`"""`
			`if StrictVersion(version) >= StrictVersion('4.0.0'):`
			`return "/api/v1"`
			`else:`
			`return ""`
Add Gravatar to display user's avatar 2016-07-13 14:33:21 +00:00
Adjustment to work with Python3 2018-03-30 06:49:35 +00:00
			`def email_to_gravatar_url(email="", size=100):`
Fix NoneType error when logging in with AD 2016-08-16 01:47:33 +00:00			`"""`
			`AD doesn't necessarily have email`
			`"""`
Fix #236 2018-04-09 11:50:55 +00:00			`if email is None:`
			`email = ""`

Adjustment to work with Python3 2018-03-30 06:49:35 +00:00			`hash_string = hashlib.md5(email.encode('utf-8')).hexdigest()`
			`return "https://s.gravatar.com/avatar/{0}?s={1}".format(hash_string, size)`
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00			`def prepare_flask_request(request):`
updated preapre_flask_request to support frontend-ssl 2017-10-31 19:42:13 +00:00			`# If server is behind proxys or balancers use the HTTP_X_FORWARDED fields`
Improve SAML support Accept IdP EntityID to use when metadata contains more than one IdP. Allow specifying attribute names to get given name, surname, and email address. Allow specifying NameIDFormat to request. Allow specifying whether to get username from a named attribute, or NameID. Allow getting administrator state from attribute. 2018-05-02 22:45:28 +00:00			`url_data = urlparse(request.url)`
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00			`return {`
updated preapre_flask_request to support frontend-ssl 2017-10-31 19:42:13 +00:00			`'https': 'on' if request.scheme == 'https' else 'off',`
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00			`'http_host': request.host,`
			`'server_port': url_data.port,`
			`'script_name': request.path,`
			`'get_data': request.args.copy(),`
updated preapre_flask_request to support frontend-ssl 2017-10-31 19:42:13 +00:00			`'post_data': request.form.copy(),`
			`# Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`'lowercase_urlencoding': True,`
updated preapre_flask_request to support frontend-ssl 2017-10-31 19:42:13 +00:00			`'query_string': request.query_string`
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00			`}`

fixed build issues. refactored PEP8 2018-03-27 23:52:48 +00:00
added SAML auth basics and metadata 2017-10-31 18:21:22 +00:00			`def init_saml_auth(req):`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`own_url = ''`
Fix python code as suggestion from LGTM 2018-08-31 11:00:41 +00:00			`if req['https'] == 'on':`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`own_url = 'https://'`
			`else:`
			`own_url = 'http://'`
			`own_url += req['http_host']`
			`metadata = get_idp_data()`
			`settings = {}`
			`settings['sp'] = {}`
Improve SAML support Accept IdP EntityID to use when metadata contains more than one IdP. Allow specifying attribute names to get given name, surname, and email address. Allow specifying NameIDFormat to request. Allow specifying whether to get username from a named attribute, or NameID. Allow getting administrator state from attribute. 2018-05-02 22:45:28 +00:00			`if 'SAML_NAMEID_FORMAT' in app.config:`
			`settings['sp']['NameIDFormat'] = app.config['SAML_NAMEID_FORMAT']`
			`else:`
			`settings['sp']['NameIDFormat'] = idp_data.get('sp', {}).get('NameIDFormat', 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['sp']['entityId'] = app.config['SAML_SP_ENTITY_ID']`
Improve SAML support - Make SAML_WANT_MESSAGE_SIGNED configurable, AzureAD signs the assertion but wouldn't sign the message - Add support for a name attribute, i.e. 'Tim Jacomb' using `SAML_ATTRIBUTE_NAME`, which will be mapped into the given and surname fields, AzureAD only has displayname - Add support for group based admin `SAML_ATTRIBUTE_GROUP` and `SAML_GROUP_ADMIN_NAME` - Add support for group based accounts `SAML_GROUP_TO_ACCOUNT_MAPPING` - Don't fail if cert and key aren't present 2019-02-23 14:42:08 +00:00			`if os.path.isfile(CERT_FILE):`
			`cert = open(CERT_FILE, "r").readlines()`
			`settings['sp']['x509cert'] = "".join(cert)`
			`if os.path.isfile(KEY_FILE):`
			`key = open(KEY_FILE, "r").readlines()`
			`settings['sp']['privateKey'] = "".join(key)`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['sp']['assertionConsumerService'] = {}`
			`settings['sp']['assertionConsumerService']['binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'`
			`settings['sp']['assertionConsumerService']['url'] = own_url+'/saml/authorized'`
			`settings['sp']['attributeConsumingService'] = {}`
			`settings['sp']['singleLogoutService'] = {}`
			`settings['sp']['singleLogoutService']['binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'`
			`settings['sp']['singleLogoutService']['url'] = own_url+'/saml/sls'`
			`settings['idp'] = metadata['idp']`
			`settings['strict'] = True`
			`settings['debug'] = app.config['SAML_DEBUG']`
			`settings['security'] = {}`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`settings['security']['digestAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['security']['metadataCacheDuration'] = None`
			`settings['security']['metadataValidUntil'] = None`
			`settings['security']['requestedAuthnContext'] = True`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`settings['security']['signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['security']['wantAssertionsEncrypted'] = False`
			`settings['security']['wantAttributeStatement'] = True`
			`settings['security']['wantNameId'] = True`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`settings['security']['authnRequestsSigned'] = app.config['SAML_SIGN_REQUEST']`
			`settings['security']['logoutRequestSigned'] = app.config['SAML_SIGN_REQUEST']`
			`settings['security']['logoutResponseSigned'] = app.config['SAML_SIGN_REQUEST']`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['security']['nameIdEncrypted'] = False`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`settings['security']['signMetadata'] = True`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['security']['wantAssertionsSigned'] = True`
Improve SAML support - Make SAML_WANT_MESSAGE_SIGNED configurable, AzureAD signs the assertion but wouldn't sign the message - Add support for a name attribute, i.e. 'Tim Jacomb' using `SAML_ATTRIBUTE_NAME`, which will be mapped into the given and surname fields, AzureAD only has displayname - Add support for group based admin `SAML_ATTRIBUTE_GROUP` and `SAML_GROUP_ADMIN_NAME` - Add support for group based accounts `SAML_GROUP_TO_ACCOUNT_MAPPING` - Don't fail if cert and key aren't present 2019-02-23 14:42:08 +00:00			`settings['security']['wantMessagesSigned'] = app.config.get('SAML_WANT_MESSAGE_SIGNED', True)`
implemented dynamic metadata lookup removed saml json-templates 2017-11-01 16:31:51 +00:00			`settings['security']['wantNameIdEncrypted'] = False`
			`settings['contactPerson'] = {}`
			`settings['contactPerson']['support'] = {}`
			`settings['contactPerson']['support']['emailAddress'] = app.config['SAML_SP_CONTACT_NAME']`
			`settings['contactPerson']['support']['givenName'] = app.config['SAML_SP_CONTACT_MAIL']`
			`settings['contactPerson']['technical'] = {}`
			`settings['contactPerson']['technical']['emailAddress'] = app.config['SAML_SP_CONTACT_NAME']`
			`settings['contactPerson']['technical']['givenName'] = app.config['SAML_SP_CONTACT_MAIL']`
			`settings['organization'] = {}`
			`settings['organization']['en-US'] = {}`
			`settings['organization']['en-US']['displayname'] = 'PowerDNS-Admin'`
			`settings['organization']['en-US']['name'] = 'PowerDNS-Admin'`
			`settings['organization']['en-US']['url'] = own_url`
			`auth = OneLogin_Saml2_Auth(req, settings)`
Improve SAML support Accept IdP EntityID to use when metadata contains more than one IdP. Allow specifying attribute names to get given name, surname, and email address. Allow specifying NameIDFormat to request. Allow specifying whether to get username from a named attribute, or NameID. Allow getting administrator state from attribute. 2018-05-02 22:45:28 +00:00			`return auth`
Adjustment in setting handler to work without initial DB. Discussed in #350 2018-09-03 10:27:09 +00:00

			`def display_setting_state(value):`
			`if value == 1:`
			`return "ON"`
			`elif value == 0:`
			`return "OFF"`
			`else:`
			`return "UNKNOWN"`
dyndns: accept and validate both A and AAAA records; default to client address 2019-02-02 12:28:56 +00:00

			`def validate_ipaddress(address):`
			`try:`
			`ip = ipaddress.ip_address(address)`
			`except ValueError:`
			`pass`
			`else:`
			`if isinstance(ip, (ipaddress.IPv4Address, ipaddress.IPv6Address)):`
			`return [ip]`
			`return []`