cwinfo/powerdns-admin
5
0
Fork 0
mirror of https://github.com/cwinfo/powerdns-admin.git synced 2025-01-07 19:05:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #800 from cyso/pr/oidc-account

Browse Source 
OIDC User and Account management during login
This commit is contained in:
Khanh Ngo 2020-10-10 14:32:14 +02:00 committed by GitHub
commit 55ad73d92e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
powerdnsadmin/models/setting.py
View File

@ -95,10 +95,13 @@ class Setting(db.Model):
'oidc_oauth_api_url': '', 'oidc_oauth_api_url': '',
'oidc_oauth_token_url': '', 'oidc_oauth_token_url': '',
'oidc_oauth_authorize_url': '', 'oidc_oauth_authorize_url': '',
'oidc_oauth_logout_url': '',
'oidc_oauth_username': 'preferred_username', 'oidc_oauth_username': 'preferred_username',
'oidc_oauth_firstname': 'given_name', 'oidc_oauth_firstname': 'given_name',
'oidc_oauth_last_name': 'family_name ', 'oidc_oauth_last_name': 'family_name ',
'oidc_oauth_email': 'email', 'oidc_oauth_email': 'email',
'oidc_oauth_account_name_property': '',
'oidc_oauth_account_description_property': '',
'forward_records_allow_edit': { 'forward_records_allow_edit': {
'A': True, 'A': True,
'AAAA': True, 'AAAA': True,

20
powerdnsadmin/models/user.py
View File

@ -473,7 +473,7 @@ class User(db.Model):
user.email = self.email user.email = self.email
# store new password hash (only if changed) # store new password hash (only if changed)
if self.plain_text_password != "": if self.plain_text_password:
user.password = self.get_hashed_password( user.password = self.get_hashed_password(
self.plain_text_password).decode("utf-8") self.plain_text_password).decode("utf-8")
@ -589,3 +589,21 @@ class User(db.Model):
return {'status': True, 'msg': 'Set user role successfully'} return {'status': True, 'msg': 'Set user role successfully'}
else: else:
return {'status': False, 'msg': 'Role does not exist'} return {'status': False, 'msg': 'Role does not exist'}
def get_accounts(self):
"""
Get accounts associated with this user
"""
from .account import Account
from .account_user import AccountUser
accounts = []
query = db.session\
.query(
AccountUser,
Account)\
.filter(User.id == AccountUser.user_id)\
.filter(Account.id == AccountUser.account_id)\
.all()
for q in query:
accounts.append(q[1])
return accounts

4
powerdnsadmin/routes/admin.py
View File

@ -953,6 +953,10 @@ def setting_authentication():
request.form.get('oidc_oauth_last_name')) request.form.get('oidc_oauth_last_name'))
Setting().set('oidc_oauth_email', Setting().set('oidc_oauth_email',
request.form.get('oidc_oauth_email')) request.form.get('oidc_oauth_email'))
Setting().set('oidc_oauth_account_name_property',
request.form.get('oidc_oauth_account_name_property'))
Setting().set('oidc_oauth_account_description_property',
request.form.get('oidc_oauth_account_description_property'))
result = { result = {
'status': True, 'status': True,
'msg': 'msg':

43
powerdnsadmin/routes/index.py
View File

@ -380,11 +380,28 @@ def login():
firstname=oidc_givenname, firstname=oidc_givenname,
lastname=oidc_familyname, lastname=oidc_familyname,
email=oidc_email) email=oidc_email)
result = user.create_local_user() result = user.create_local_user()
if not result['status']: else:
session.pop('oidc_token', None) user.firstname = oidc_givenname
return redirect(url_for('index.login')) user.lastname = oidc_familyname
user.email = oidc_email
user.plain_text_password = None
result = user.update_local_user()
if not result['status']:
session.pop('oidc_token', None)
return redirect(url_for('index.login'))
if Setting().get('oidc_oauth_account_name_property') and Setting().get('oidc_oauth_account_description_property'):
name_prop = Setting().get('oidc_oauth_account_name_property')
desc_prop = Setting().get('oidc_oauth_account_description_property')
if name_prop in me and desc_prop in me:
account = handle_account(me[name_prop], me[desc_prop])
account.add_user(user)
user_accounts = user.get_accounts()
for ua in user_accounts:
if ua.name != account.name:
ua.remove_user(user)
session['user_id'] = user.id session['user_id'] = user.id
session['authentication_type'] = 'OAuth' session['authentication_type'] = 'OAuth'
@ -519,6 +536,13 @@ def logout():
session_index=session['samlSessionIndex'], session_index=session['samlSessionIndex'],
name_id=session['samlNameId'])) name_id=session['samlNameId']))
redirect_uri = url_for('index.login')
oidc_logout = Setting().get('oidc_oauth_logout_url')
if 'oidc_token' in session and oidc_logout:
redirect_uri = "{}?redirect_uri={}".format(
oidc_logout, url_for('index.login', _external=True))
# Clean cookies and flask session # Clean cookies and flask session
clear_session() clear_session()
@ -542,7 +566,7 @@ def logout():
return res return res
return redirect(url_for('index.login')) return redirect(redirect_uri)
@index_bp.route('/register', methods=['GET', 'POST']) @index_bp.route('/register', methods=['GET', 'POST'])
@ -956,7 +980,7 @@ def create_group_to_account_mapping():
return group_to_account_mapping return group_to_account_mapping
def handle_account(account_name): def handle_account(account_name, account_description=""):
clean_name = ''.join(c for c in account_name.lower() clean_name = ''.join(c for c in account_name.lower()
if c in "abcdefghijklmnopqrstuvwxyz0123456789") if c in "abcdefghijklmnopqrstuvwxyz0123456789")
if len(clean_name) > Account.name.type.length: if len(clean_name) > Account.name.type.length:
@ -965,13 +989,16 @@ def handle_account(account_name):
account = Account.query.filter_by(name=clean_name).first() account = Account.query.filter_by(name=clean_name).first()
if not account: if not account:
account = Account(name=clean_name.lower(), account = Account(name=clean_name.lower(),
description='', description=account_description,
contact='', contact='',
mail='') mail='')
account.create_account() account.create_account()
history = History(msg='Account {0} created'.format(account.name), history = History(msg='Account {0} created'.format(account.name),
created_by='SAML Assertion') created_by='OIDC/SAML Assertion')
history.add() history.add()
else:
account.description = account_description
account.update_account()
return account return account

21
powerdnsadmin/templates/admin_setting_authentication.html
View File

@ -538,9 +538,6 @@
<input type="text" class="form-control" name="oidc_oauth_secret" id="oidc_oauth_secret" placeholder="OIDC OAuth client secret" data-error="Please input Client secret" value="{{ SETTING.get('oidc_oauth_secret') }}"> <input type="text" class="form-control" name="oidc_oauth_secret" id="oidc_oauth_secret" placeholder="OIDC OAuth client secret" data-error="Please input Client secret" value="{{ SETTING.get('oidc_oauth_secret') }}">
<span class="help-block with-errors"></span> <span class="help-block with-errors"></span>
</div> </div>
</fieldset>
<fieldset>
<legend>ADVANCE</legend>
<div class="form-group"> <div class="form-group">
<label for="oidc_oauth_scope">Scope</label> <label for="oidc_oauth_scope">Scope</label>
<input type="text" class="form-control" name="oidc_oauth_scope" id="oidc_oauth_scope" placeholder="e.g. email" data-error="Please input scope" value="{{ SETTING.get('oidc_oauth_scope') }}"> <input type="text" class="form-control" name="oidc_oauth_scope" id="oidc_oauth_scope" placeholder="e.g. email" data-error="Please input scope" value="{{ SETTING.get('oidc_oauth_scope') }}">
@ -561,6 +558,11 @@
<input type="text" class="form-control" name="oidc_oauth_authorize_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/authorize" data-error="Plesae input Authorize URL" value="{{ SETTING.get('oidc_oauth_authorize_url') }}"> <input type="text" class="form-control" name="oidc_oauth_authorize_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/authorize" data-error="Plesae input Authorize URL" value="{{ SETTING.get('oidc_oauth_authorize_url') }}">
<span class="help-block with-errors"></span> <span class="help-block with-errors"></span>
</div> </div>
<div class="form-group">
<label for="oidc_oauth_logout_url">Logout URL</label>
<input type="text" class="form-control" name="oidc_oauth_logout_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/logout" data-error="Please input Logout URL" value="{{ SETTING.get('oidc_oauth_logout_url') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset> </fieldset>
<fieldset> <fieldset>
<legend>CLAIMS</legend> <legend>CLAIMS</legend>
@ -585,6 +587,19 @@
<span class="help-block with-errors"></span> <span class="help-block with-errors"></span>
</div> </div>
</fieldset> </fieldset>
<fieldset>
<legend>ADVANCE</legend>
<div class="form-group">
<label for="oidc_oauth_account_name_property">Autoprovision Account Name property</label>
<input type="text" class="form-control" name="oidc_oauth_account_name_property" id="oidc_oauth_account_name_property" placeholder="e.g. account_name" data-error="Please input property containing account_name" value="{{ SETTING.get('oidc_oauth_account_name_property') }}">
<span class="help-block with-errors"></span>
</div>
<div class="form-group">
<label for="oidc_oauth_account_description_property">Autoprovision Account Description property</label>
<input type="text" class="form-control" name="oidc_oauth_account_description_property" id="oidc_oauth_account_description_property" placeholder="e.g. account_description" data-error="Please input property containing account_description" value="{{ SETTING.get('oidc_oauth_account_description_property') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset>
<div class="form-group"> <div class="form-group">
<button type="submit" class="btn btn-flat btn-primary">Save</button> <button type="submit" class="btn btn-flat btn-primary">Save</button>
</div> </div>