Merge pull request #800 from cyso/pr/oidc-account

OIDC User and Account management during login
This commit is contained in:
Khanh Ngo 2020-10-10 14:32:14 +02:00 committed by GitHub
commit 55ad73d92e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 12 deletions

View File

@ -95,10 +95,13 @@ class Setting(db.Model):
'oidc_oauth_api_url': '',
'oidc_oauth_token_url': '',
'oidc_oauth_authorize_url': '',
'oidc_oauth_logout_url': '',
'oidc_oauth_username': 'preferred_username',
'oidc_oauth_firstname': 'given_name',
'oidc_oauth_last_name': 'family_name ',
'oidc_oauth_email': 'email',
'oidc_oauth_account_name_property': '',
'oidc_oauth_account_description_property': '',
'forward_records_allow_edit': {
'A': True,
'AAAA': True,

View File

@ -473,7 +473,7 @@ class User(db.Model):
user.email = self.email
# store new password hash (only if changed)
if self.plain_text_password != "":
if self.plain_text_password:
user.password = self.get_hashed_password(
self.plain_text_password).decode("utf-8")
@ -589,3 +589,21 @@ class User(db.Model):
return {'status': True, 'msg': 'Set user role successfully'}
else:
return {'status': False, 'msg': 'Role does not exist'}
def get_accounts(self):
"""
Get accounts associated with this user
"""
from .account import Account
from .account_user import AccountUser
accounts = []
query = db.session\
.query(
AccountUser,
Account)\
.filter(User.id == AccountUser.user_id)\
.filter(Account.id == AccountUser.account_id)\
.all()
for q in query:
accounts.append(q[1])
return accounts

View File

@ -953,6 +953,10 @@ def setting_authentication():
request.form.get('oidc_oauth_last_name'))
Setting().set('oidc_oauth_email',
request.form.get('oidc_oauth_email'))
Setting().set('oidc_oauth_account_name_property',
request.form.get('oidc_oauth_account_name_property'))
Setting().set('oidc_oauth_account_description_property',
request.form.get('oidc_oauth_account_description_property'))
result = {
'status': True,
'msg':

View File

@ -380,12 +380,29 @@ def login():
firstname=oidc_givenname,
lastname=oidc_familyname,
email=oidc_email)
result = user.create_local_user()
else:
user.firstname = oidc_givenname
user.lastname = oidc_familyname
user.email = oidc_email
user.plain_text_password = None
result = user.update_local_user()
if not result['status']:
session.pop('oidc_token', None)
return redirect(url_for('index.login'))
if Setting().get('oidc_oauth_account_name_property') and Setting().get('oidc_oauth_account_description_property'):
name_prop = Setting().get('oidc_oauth_account_name_property')
desc_prop = Setting().get('oidc_oauth_account_description_property')
if name_prop in me and desc_prop in me:
account = handle_account(me[name_prop], me[desc_prop])
account.add_user(user)
user_accounts = user.get_accounts()
for ua in user_accounts:
if ua.name != account.name:
ua.remove_user(user)
session['user_id'] = user.id
session['authentication_type'] = 'OAuth'
login_user(user, remember=False)
@ -519,6 +536,13 @@ def logout():
session_index=session['samlSessionIndex'],
name_id=session['samlNameId']))
redirect_uri = url_for('index.login')
oidc_logout = Setting().get('oidc_oauth_logout_url')
if 'oidc_token' in session and oidc_logout:
redirect_uri = "{}?redirect_uri={}".format(
oidc_logout, url_for('index.login', _external=True))
# Clean cookies and flask session
clear_session()
@ -542,7 +566,7 @@ def logout():
return res
return redirect(url_for('index.login'))
return redirect(redirect_uri)
@index_bp.route('/register', methods=['GET', 'POST'])
@ -956,7 +980,7 @@ def create_group_to_account_mapping():
return group_to_account_mapping
def handle_account(account_name):
def handle_account(account_name, account_description=""):
clean_name = ''.join(c for c in account_name.lower()
if c in "abcdefghijklmnopqrstuvwxyz0123456789")
if len(clean_name) > Account.name.type.length:
@ -965,13 +989,16 @@ def handle_account(account_name):
account = Account.query.filter_by(name=clean_name).first()
if not account:
account = Account(name=clean_name.lower(),
description='',
description=account_description,
contact='',
mail='')
account.create_account()
history = History(msg='Account {0} created'.format(account.name),
created_by='SAML Assertion')
created_by='OIDC/SAML Assertion')
history.add()
else:
account.description = account_description
account.update_account()
return account

View File

@ -538,9 +538,6 @@
<input type="text" class="form-control" name="oidc_oauth_secret" id="oidc_oauth_secret" placeholder="OIDC OAuth client secret" data-error="Please input Client secret" value="{{ SETTING.get('oidc_oauth_secret') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset>
<fieldset>
<legend>ADVANCE</legend>
<div class="form-group">
<label for="oidc_oauth_scope">Scope</label>
<input type="text" class="form-control" name="oidc_oauth_scope" id="oidc_oauth_scope" placeholder="e.g. email" data-error="Please input scope" value="{{ SETTING.get('oidc_oauth_scope') }}">
@ -561,6 +558,11 @@
<input type="text" class="form-control" name="oidc_oauth_authorize_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/authorize" data-error="Plesae input Authorize URL" value="{{ SETTING.get('oidc_oauth_authorize_url') }}">
<span class="help-block with-errors"></span>
</div>
<div class="form-group">
<label for="oidc_oauth_logout_url">Logout URL</label>
<input type="text" class="form-control" name="oidc_oauth_logout_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/logout" data-error="Please input Logout URL" value="{{ SETTING.get('oidc_oauth_logout_url') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset>
<fieldset>
<legend>CLAIMS</legend>
@ -585,6 +587,19 @@
<span class="help-block with-errors"></span>
</div>
</fieldset>
<fieldset>
<legend>ADVANCE</legend>
<div class="form-group">
<label for="oidc_oauth_account_name_property">Autoprovision Account Name property</label>
<input type="text" class="form-control" name="oidc_oauth_account_name_property" id="oidc_oauth_account_name_property" placeholder="e.g. account_name" data-error="Please input property containing account_name" value="{{ SETTING.get('oidc_oauth_account_name_property') }}">
<span class="help-block with-errors"></span>
</div>
<div class="form-group">
<label for="oidc_oauth_account_description_property">Autoprovision Account Description property</label>
<input type="text" class="form-control" name="oidc_oauth_account_description_property" id="oidc_oauth_account_description_property" placeholder="e.g. account_description" data-error="Please input property containing account_description" value="{{ SETTING.get('oidc_oauth_account_description_property') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset>
<div class="form-group">
<button type="submit" class="btn btn-flat btn-primary">Save</button>
</div>