cwinfo/powerdns-admin
5
0
Fork 0
mirror of https://github.com/cwinfo/powerdns-admin.git synced 2024-12-28 14:05:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

added saml authentication

Browse Source
This commit is contained in:
thomasDOTde 2017-10-31 22:38:26 +01:00
parent 805439e6ee
commit 31eaee8e0b
3 changed files with 106 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
app/views.py
View File

@ -172,10 +172,15 @@ def github_login():
def saml_login(): def saml_login():
if not app.config.get('SAML_ENABLED'): if not app.config.get('SAML_ENABLED'):
return abort(400) return abort(400)
return abort(400) req = utils.prepare_flask_request(request)
auth = utils.init_saml_auth(req)
redirect_url=OneLogin_Saml2_Utils.get_self_url(req) + url_for('saml_authorized')
return redirect(auth.login(return_to=redirect_url))
@app.route('/saml/metadata/') @app.route('/saml/metadata')
def saml_metadata(): def saml_metadata():
if not app.config.get('SAML_ENABLED'):
return abort(400)
req = utils.prepare_flask_request(request) req = utils.prepare_flask_request(request)
auth = utils.init_saml_auth(req) auth = utils.init_saml_auth(req)
settings = auth.get_settings() settings = auth.get_settings()
@ -189,6 +194,45 @@ def saml_metadata():
resp = make_response(errors.join(', '), 500) resp = make_response(errors.join(', '), 500)
return resp return resp
@app.route('/saml/authorized', methods=['GET', 'POST'])
def saml_authorized():
errors = []
if not app.config.get('SAML_ENABLED'):
return abort(400)
req = utils.prepare_flask_request(request)
auth = utils.init_saml_auth(req)
auth.process_response()
attributes = auth.get_attributes();
not_auth_warn = not auth.is_authenticated()
if len(errors) == 0:
session['samlUserdata'] = auth.get_attributes()
session['samlNameId'] = auth.get_nameid()
session['samlSessionIndex'] = auth.get_session_index()
self_url = OneLogin_Saml2_Utils.get_self_url(req)
self_url = self_url+req['script_name']
if 'RelayState' in request.form and self_url != request.form['RelayState']:
return redirect(auth.redirect_to(request.form['RelayState']))
user = User.query.filter_by(username=session['samlNameId'].lower()).first()
if not user:
# create user
user = User(username=session['samlNameId'],
plain_text_password=gen_salt(7),
email=session['samlNameId'])
user.create_local_user()
session['user_id'] = user.id
if session['samlUserdata'].has_key("email"):
user.email = session['samlUserdata']["email"][0].lower()
if session['samlUserdata'].has_key("givenname"):
user.firstname = session['samlUserdata']["givenname"][0]
if session['samlUserdata'].has_key("surname"):
user.lastname = session['samlUserdata']["surname"][0]
user.plain_text_password = gen_salt(7)
user.update_profile()
login_user(user, remember=False)
return redirect(url_for('index'))
else:
return error(401,"an error occourred processing SAML response")
@app.route('/login', methods=['GET', 'POST']) @app.route('/login', methods=['GET', 'POST'])
@login_manager.unauthorized_handler @login_manager.unauthorized_handler
def login(): def login():
@ -288,6 +332,7 @@ def login():
def logout(): def logout():
session.pop('user_id', None) session.pop('user_id', None)
session.pop('github_token', None) session.pop('github_token', None)
session.clear()
logout_user() logout_user()
return redirect(url_for('login')) return redirect(url_for('login'))

29
saml/advanced_settings.json Normal file
View File

@ -0,0 +1,29 @@
{
"security": {
"nameIdEncrypted": false,
"authnRequestsSigned": false,
"logoutRequestSigned": false,
"logoutResponseSigned": false,
"signMetadata": false,
"wantMessagesSigned": true,
"wantAssertionsSigned": true,
"wantNameIdEncrypted": false
},
"contactPerson": {
"technical": {
"givenName": "ahd Service Operation Center",
"emailAddress": "servicedesk@ahd.de"
},
"support": {
"givenName" : "ahd Service Operation Center",
"emailAddress": "servicedesk@ahd.de"
}
},
"organization": {
"en-US": {
"name": "PowerDNS-Admin",
"displayname": "PowerDNS-Admin",
"url": "https://10.12.95.95"
}
}
}

30
saml/settings.json Normal file
View File

@ -0,0 +1,30 @@
{
"strict": true,
"debug": true,
"sp": {
"entityId": "http://10.12.95.95",
"assertionConsumerService": {
"url": "https://10.12.95.95/saml/authorized",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"singleLogoutService": {
"url": "https://10.12.95.95/saml/sls",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"x509cert": "",
"privateKey": ""
},
"idp": {
"entityId": "http://fs.ahd-vcloud.biz/adfs/services/trust",
"singleSignOnService": {
"url": "https://fs.ahd-vcloud.biz/adfs/ls/",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"singleLogoutService": {
"url": "https://fs.ahd-vcloud.biz/adfs/ls/",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"x509cert": "-----BEGIN CERTIFICATE-----MIIC3jCCAcagAwIBAgIQPD7o11EBtLZDvWevCYeIGjANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIFNpZ25pbmcgLSBmcy5haGQtdmNsb3VkLmJpejAeFw0xNzAyMjQwOTI5MTBaFw0xODAyMjQwOTI5MTBaMCsxKTAnBgNVBAMTIEFERlMgU2lnbmluZyAtIGZzLmFoZC12Y2xvdWQuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs8c+Yde1AQpBSikjKMXRY3FmvG64YT8MgJGPJ0CuTr0jyvsARvK51v0FiMsQh48uQ+KtXWNfBTrFee1CkpHQHw1UVRWQVToZzhiTgVBWc3XXzjfxThUe5IGfSQa11+s+/qxlfQZi2V1JhKUpXfYehbQIEJ5n0kzRzGfmZwZ8/A4gSOJGvFOLx0QTQ6scRUvgsDKJbmD3YWDweZwUGZkKSjKDbyNNNQKhwmpwFT2BLNadlscrgxjzDUQIaLnMQabE+DlQqYkxhM4LPvWcwL23dBIRRxIZlJ4oE/ZohtWtaHJewUTtWT3yfeDRD4d4Gxr5cgczwDhhlJtcrcmEmpHzkwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBU0ADCWI+W1uwXUPL7OXw90VHHQMxuMdClIK2Bwc0De0eaFFHvKWCk3mkdNf+SwxtPHnfAWDO7daxnY6HrqQbcO66gcMgDvgFkC3o5Ml9LBsFv/NmNCeB7+9xxkiYiCe68oitN5iR50JcwhZekpM9MtH8t36p6AWmnhfBt8LMxreuWobDRefx4aIIst8SPP13p4AOk5gTz07YbdMLYsUiTImBbLCcbqdFNMYPiZmUo7jEUnax05oh9vruFj3SltsR21S78ifUN/AmlpYvm+q3mW1q6ikltp6/HoVNMOCsEJqq7VL5jtdOmj2YpFf/twZF5pnbSqe3AZClBp4BufsKp-----END CERTIFICATE-----"
}
}