mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-11-08 14:40:27 +00:00
Merge pull request #800 from cyso/pr/oidc-account
OIDC User and Account management during login
This commit is contained in:
commit
55ad73d92e
@ -95,10 +95,13 @@ class Setting(db.Model):
|
||||
'oidc_oauth_api_url': '',
|
||||
'oidc_oauth_token_url': '',
|
||||
'oidc_oauth_authorize_url': '',
|
||||
'oidc_oauth_logout_url': '',
|
||||
'oidc_oauth_username': 'preferred_username',
|
||||
'oidc_oauth_firstname': 'given_name',
|
||||
'oidc_oauth_last_name': 'family_name ',
|
||||
'oidc_oauth_email': 'email',
|
||||
'oidc_oauth_account_name_property': '',
|
||||
'oidc_oauth_account_description_property': '',
|
||||
'forward_records_allow_edit': {
|
||||
'A': True,
|
||||
'AAAA': True,
|
||||
|
@ -473,7 +473,7 @@ class User(db.Model):
|
||||
user.email = self.email
|
||||
|
||||
# store new password hash (only if changed)
|
||||
if self.plain_text_password != "":
|
||||
if self.plain_text_password:
|
||||
user.password = self.get_hashed_password(
|
||||
self.plain_text_password).decode("utf-8")
|
||||
|
||||
@ -589,3 +589,21 @@ class User(db.Model):
|
||||
return {'status': True, 'msg': 'Set user role successfully'}
|
||||
else:
|
||||
return {'status': False, 'msg': 'Role does not exist'}
|
||||
|
||||
def get_accounts(self):
|
||||
"""
|
||||
Get accounts associated with this user
|
||||
"""
|
||||
from .account import Account
|
||||
from .account_user import AccountUser
|
||||
accounts = []
|
||||
query = db.session\
|
||||
.query(
|
||||
AccountUser,
|
||||
Account)\
|
||||
.filter(User.id == AccountUser.user_id)\
|
||||
.filter(Account.id == AccountUser.account_id)\
|
||||
.all()
|
||||
for q in query:
|
||||
accounts.append(q[1])
|
||||
return accounts
|
||||
|
@ -953,6 +953,10 @@ def setting_authentication():
|
||||
request.form.get('oidc_oauth_last_name'))
|
||||
Setting().set('oidc_oauth_email',
|
||||
request.form.get('oidc_oauth_email'))
|
||||
Setting().set('oidc_oauth_account_name_property',
|
||||
request.form.get('oidc_oauth_account_name_property'))
|
||||
Setting().set('oidc_oauth_account_description_property',
|
||||
request.form.get('oidc_oauth_account_description_property'))
|
||||
result = {
|
||||
'status': True,
|
||||
'msg':
|
||||
|
@ -380,11 +380,28 @@ def login():
|
||||
firstname=oidc_givenname,
|
||||
lastname=oidc_familyname,
|
||||
email=oidc_email)
|
||||
|
||||
result = user.create_local_user()
|
||||
if not result['status']:
|
||||
session.pop('oidc_token', None)
|
||||
return redirect(url_for('index.login'))
|
||||
else:
|
||||
user.firstname = oidc_givenname
|
||||
user.lastname = oidc_familyname
|
||||
user.email = oidc_email
|
||||
user.plain_text_password = None
|
||||
result = user.update_local_user()
|
||||
|
||||
if not result['status']:
|
||||
session.pop('oidc_token', None)
|
||||
return redirect(url_for('index.login'))
|
||||
|
||||
if Setting().get('oidc_oauth_account_name_property') and Setting().get('oidc_oauth_account_description_property'):
|
||||
name_prop = Setting().get('oidc_oauth_account_name_property')
|
||||
desc_prop = Setting().get('oidc_oauth_account_description_property')
|
||||
if name_prop in me and desc_prop in me:
|
||||
account = handle_account(me[name_prop], me[desc_prop])
|
||||
account.add_user(user)
|
||||
user_accounts = user.get_accounts()
|
||||
for ua in user_accounts:
|
||||
if ua.name != account.name:
|
||||
ua.remove_user(user)
|
||||
|
||||
session['user_id'] = user.id
|
||||
session['authentication_type'] = 'OAuth'
|
||||
@ -519,6 +536,13 @@ def logout():
|
||||
session_index=session['samlSessionIndex'],
|
||||
name_id=session['samlNameId']))
|
||||
|
||||
redirect_uri = url_for('index.login')
|
||||
oidc_logout = Setting().get('oidc_oauth_logout_url')
|
||||
|
||||
if 'oidc_token' in session and oidc_logout:
|
||||
redirect_uri = "{}?redirect_uri={}".format(
|
||||
oidc_logout, url_for('index.login', _external=True))
|
||||
|
||||
# Clean cookies and flask session
|
||||
clear_session()
|
||||
|
||||
@ -542,7 +566,7 @@ def logout():
|
||||
|
||||
return res
|
||||
|
||||
return redirect(url_for('index.login'))
|
||||
return redirect(redirect_uri)
|
||||
|
||||
|
||||
@index_bp.route('/register', methods=['GET', 'POST'])
|
||||
@ -956,7 +980,7 @@ def create_group_to_account_mapping():
|
||||
return group_to_account_mapping
|
||||
|
||||
|
||||
def handle_account(account_name):
|
||||
def handle_account(account_name, account_description=""):
|
||||
clean_name = ''.join(c for c in account_name.lower()
|
||||
if c in "abcdefghijklmnopqrstuvwxyz0123456789")
|
||||
if len(clean_name) > Account.name.type.length:
|
||||
@ -965,13 +989,16 @@ def handle_account(account_name):
|
||||
account = Account.query.filter_by(name=clean_name).first()
|
||||
if not account:
|
||||
account = Account(name=clean_name.lower(),
|
||||
description='',
|
||||
description=account_description,
|
||||
contact='',
|
||||
mail='')
|
||||
account.create_account()
|
||||
history = History(msg='Account {0} created'.format(account.name),
|
||||
created_by='SAML Assertion')
|
||||
created_by='OIDC/SAML Assertion')
|
||||
history.add()
|
||||
else:
|
||||
account.description = account_description
|
||||
account.update_account()
|
||||
return account
|
||||
|
||||
|
||||
|
@ -538,9 +538,6 @@
|
||||
<input type="text" class="form-control" name="oidc_oauth_secret" id="oidc_oauth_secret" placeholder="OIDC OAuth client secret" data-error="Please input Client secret" value="{{ SETTING.get('oidc_oauth_secret') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset>
|
||||
<legend>ADVANCE</legend>
|
||||
<div class="form-group">
|
||||
<label for="oidc_oauth_scope">Scope</label>
|
||||
<input type="text" class="form-control" name="oidc_oauth_scope" id="oidc_oauth_scope" placeholder="e.g. email" data-error="Please input scope" value="{{ SETTING.get('oidc_oauth_scope') }}">
|
||||
@ -561,6 +558,11 @@
|
||||
<input type="text" class="form-control" name="oidc_oauth_authorize_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/authorize" data-error="Plesae input Authorize URL" value="{{ SETTING.get('oidc_oauth_authorize_url') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="oidc_oauth_logout_url">Logout URL</label>
|
||||
<input type="text" class="form-control" name="oidc_oauth_logout_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/logout" data-error="Please input Logout URL" value="{{ SETTING.get('oidc_oauth_logout_url') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset>
|
||||
<legend>CLAIMS</legend>
|
||||
@ -585,6 +587,19 @@
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset>
|
||||
<legend>ADVANCE</legend>
|
||||
<div class="form-group">
|
||||
<label for="oidc_oauth_account_name_property">Autoprovision Account Name property</label>
|
||||
<input type="text" class="form-control" name="oidc_oauth_account_name_property" id="oidc_oauth_account_name_property" placeholder="e.g. account_name" data-error="Please input property containing account_name" value="{{ SETTING.get('oidc_oauth_account_name_property') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="oidc_oauth_account_description_property">Autoprovision Account Description property</label>
|
||||
<input type="text" class="form-control" name="oidc_oauth_account_description_property" id="oidc_oauth_account_description_property" placeholder="e.g. account_description" data-error="Please input property containing account_description" value="{{ SETTING.get('oidc_oauth_account_description_property') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</fieldset>
|
||||
<div class="form-group">
|
||||
<button type="submit" class="btn btn-flat btn-primary">Save</button>
|
||||
</div>
|
||||
|
Loading…
Reference in New Issue
Block a user