diff --git a/README.md b/README.md
index 1955d8b..4512b08 100644
--- a/README.md
+++ b/README.md
@@ -87,3 +87,34 @@ resources to aid you further:
- **User handbook**: [https://dd.digitalitzacio-democratica.xnet-x.net/manual-usuari/](https://dd.digitalitzacio-democratica.xnet-x.net/manual-usuari/)
- **Admin/developer docs**: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/)
- **Source code**: [https://gitlab.com/DD-workspace/DD](https://gitlab.com/DD-workspace/DD)
+
+# Why does git history start here?
+
+Why does git history start here?
+
+A lot of work went into stabilising the code and cleaning the repo before the
+public announcement on the
+[1st International Congress on Democratic Digital Education and Open Edtech](https://congress.democratic-digitalisation.xnet-x.net/).
+
+Using that version as a clean slate got us to the repo you see here, where
+changes will be reviewed before going in and anyone is welcome.
+
+When in doubt about authorship, please check each file's license headers.
+
+The authorship of the previous commits is from:
+
+- Josep Maria Viñolas Auquer
+- Simó Albert i Beltran
+- Alberto Larraz Dalmases
+- Yoselin Ribero
+- Elena Barrios Galán
+- Melina Gamboa
+- Antonio Manzano
+- Cecilia Bayo
+- Naomi Hidalgo
+- Joan Cervan Andreu
+- Jose Antonio Exposito Garcia
+- Raúl FS
+- Unai Tolosa Pontesta
+- Evilham
+
" + text
- app.socketio.emit(
+ self.app.socketio.emit(
"notify-update",
json.dumps(
{
@@ -120,10 +133,10 @@ class Events:
)
sleep(0.001)
- def increment(self, data={"name": "", "data": []}):
+ def increment(self, data : Dict[str, Any]={"name": "", "data": []}) -> None:
self.item += 1
log.info("INCREMENT " + self.eid + ": " + self.text)
- app.socketio.emit(
+ self.app.socketio.emit(
"notify-increment",
json.dumps(
{
@@ -149,10 +162,10 @@ class Events:
)
sleep(0.0001)
- def decrement(self, data={"name": "", "data": []}):
+ def decrement(self, data : Dict[str, Any]={"name": "", "data": []}) -> None:
self.item -= 1
log.info("DECREMENT " + self.eid + ": " + self.text)
- app.socketio.emit(
+ self.app.socketio.emit(
"notify-decrement",
json.dumps(
{
@@ -178,13 +191,13 @@ class Events:
)
sleep(0.001)
- def reload(self):
- app.socketio.emit("reload", json.dumps({}), namespace="/sio", room="admin")
+ def reload(self) -> None:
+ self.app.socketio.emit("reload", json.dumps({}), namespace="/sio", room="admin")
sleep(0.0001)
- def table(self, event, table, data={}):
+ def table(self, event : str, table : str, data : Dict[str, Any]={}) -> None:
# refresh, add, delete, update
- app.socketio.emit(
+ self.app.socketio.emit(
"table_" + event,
json.dumps({"table": table, "data": data}),
namespace="/sio",
diff --git a/dd-sso/admin/src/admin/lib/helpers.py b/dd-sso/admin/src/admin/lib/helpers.py
index 80b7ea7..ab57de7 100644
--- a/dd-sso/admin/src/admin/lib/helpers.py
+++ b/dd-sso/admin/src/admin/lib/helpers.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -22,8 +23,11 @@ import string
from collections import Counter
from pprint import pprint
+from typing import Any, Dict, Generator, Iterable, Optional, List
-def get_recursive_groups(l_groups, l):
+DDGroup = Dict[str, Any]
+
+def get_recursive_groups(l_groups : Iterable[DDGroup], l : List[DDGroup]) -> List[DDGroup]:
for d_group in l_groups:
data = {}
for key, value in d_group.items():
@@ -35,11 +39,11 @@ def get_recursive_groups(l_groups, l):
return l
-def get_group_with_childs(keycloak_group):
+def get_group_with_childs(keycloak_group : DDGroup) -> List[str]:
return [g["path"] for g in get_recursive_groups([keycloak_group], [])]
-def system_username(username):
+def system_username(username : str) -> bool:
return (
True
if username in ["guest", "ddadmin", "admin"] or username.startswith("system_")
@@ -47,41 +51,43 @@ def system_username(username):
)
-def system_group(groupname):
+def system_group(groupname : str) -> bool:
return True if groupname in ["admin", "manager", "teacher", "student"] else False
-def get_group_from_group_id(group_id, groups):
+def get_group_from_group_id(group_id : str, groups : Iterable[DDGroup]) -> Optional[DDGroup]:
return next((d for d in groups if d.get("id") == group_id), None)
-def get_kid_from_kpath(kpath, groups):
- ids = [g["id"] for g in groups if g["path"] == kpath]
- if not len(ids) or len(ids) > 1:
- return False
+def get_kid_from_kpath(kpath : str, groups : Iterable[DDGroup]) -> Optional[str]:
+ ids : List[str] = [g["id"] for g in groups if g["path"] == kpath]
+ if len(ids) != 1:
+ return None
return ids[0]
-def get_gid_from_kgroup_id(kgroup_id, groups):
- return [
+def get_gid_from_kgroup_id(kgroup_id : str, groups : Iterable[DDGroup]) -> str:
+ # TODO: Why is this interface different from get_kid_from_kpath?
+ o : List[str] = [
g["path"].replace("/", ".")[1:] if len(g["path"].split("/")) else g["path"][1:]
for g in groups
if g["id"] == kgroup_id
- ][0]
+ ]
+ return o[0]
-def get_gids_from_kgroup_ids(kgroup_ids, groups):
+def get_gids_from_kgroup_ids(kgroup_ids : Iterable[str], groups : Iterable[DDGroup]) -> List[str]:
return [get_gid_from_kgroup_id(kgroup_id, groups) for kgroup_id in kgroup_ids]
-def kpath2gid(path):
+def kpath2gid(path : str) -> str:
# print(path.replace('/','.')[1:])
if path.startswith("/"):
return path.replace("/", ".")[1:]
return path.replace("/", ".")
-def kpath2gids(path):
+def kpath2gids(path : str) -> List[str]:
path = kpath2gid(path)
l = []
for i in range(len(path.split("."))):
@@ -89,44 +95,45 @@ def kpath2gids(path):
return l
-def kpath2kpaths(path):
+def kpath2kpaths(path : str) -> List[str]:
l = []
for i in range(len(path.split("/"))):
l.append("/".join(path.split("/")[: i + 1]))
return l[1:]
-def gid2kpath(gid):
+def gid2kpath(gid : str) -> str:
return "/" + gid.replace(".", "/")
-def count_repeated(itemslist):
+def count_repeated(itemslist : Iterable[Any]) -> None:
print(Counter(itemslist))
-def groups_kname2gid(groups):
+def groups_kname2gid(groups : Iterable[str]) -> List[str]:
return [name.replace(".", "/") for name in groups]
-def groups_path2id(groups):
+def groups_path2id(groups : Iterable[str]) -> List[str]:
return [g.replace("/", ".")[1:] for g in groups]
-def groups_id2path(groups):
+def groups_id2path(groups : Iterable[str]) -> List[str]:
return ["/" + g.replace(".", "/") for g in groups]
-def filter_roles_list(role_list):
+def filter_roles_list(role_list : Iterable[str]) -> List[str]:
client_roles = ["admin", "manager", "teacher", "student"]
return [r for r in role_list if r in client_roles]
-def filter_roles_listofdicts(role_listofdicts):
+def filter_roles_listofdicts(role_listofdicts : Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
client_roles = ["admin", "manager", "teacher", "student"]
return [r for r in role_listofdicts if r["name"] in client_roles]
-def rand_password(lenght):
+def rand_password(lenght : int) -> str:
+ # TODO: why is this not using py3's secrets?
characters = string.ascii_letters + string.digits + string.punctuation
passwd = "".join(random.choice(characters) for i in range(lenght))
while not any(ele.isupper() for ele in passwd):
diff --git a/dd-sso/admin/src/admin/lib/keycloak_client.py b/dd-sso/admin/src/admin/lib/keycloak_client.py
index 5641a6b..44b9be2 100644
--- a/dd-sso/admin/src/admin/lib/keycloak_client.py
+++ b/dd-sso/admin/src/admin/lib/keycloak_client.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -34,23 +35,33 @@ from .api_exceptions import Error
from .helpers import get_recursive_groups, kpath2kpaths
from .postgres import Postgres
-# from admin import app
+from typing import cast, Any, Dict, Iterable, List, Optional
+DDUser = Dict[str, Any]
+
+# TODO: Improve typing of these class and simplify it
class KeycloakClient:
"""https://www.keycloak.org/docs-api/13.0/rest-api/index.html
https://github.com/marcospereirampj/python-keycloak
https://gist.github.com/kaqfa/99829941121188d7cef8271f93f52f1f
"""
+ url : str
+ username : str
+ password : str
+ realm : str
+ verify : bool
+ keycloak_pg : Postgres
+ keycloak_admin : KeycloakAdmin
def __init__(
self,
- url="http://dd-sso-keycloak:8080/auth/",
- username=os.environ["KEYCLOAK_USER"],
- password=os.environ["KEYCLOAK_PASSWORD"],
- realm="master",
- verify=True,
- ):
+ url : str="http://dd-sso-keycloak:8080/auth/",
+ username : str=os.environ["KEYCLOAK_USER"],
+ password : str=os.environ["KEYCLOAK_PASSWORD"],
+ realm : str="master",
+ verify : bool=True,
+ ) -> None:
self.url = url
self.username = username
self.password = password
@@ -64,7 +75,7 @@ class KeycloakClient:
os.environ["KEYCLOAK_DB_PASSWORD"],
)
- def connect(self):
+ def connect(self) -> None:
self.keycloak_admin = KeycloakAdmin(
server_url=self.url,
username=self.username,
@@ -78,15 +89,19 @@ class KeycloakClient:
""" USERS """
- def get_user_id(self, username):
+ def get_user_id(self, username : str) -> str:
self.connect()
- return self.keycloak_admin.get_user_id(username)
+ uid : str = self.keycloak_admin.get_user_id(username)
+ return uid
- def get_users(self):
+ def get_users(self) -> Iterable[Dict[str, Any]]:
+ # https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation
self.connect()
- return self.keycloak_admin.get_users({})
+ o : Iterable[Dict[str, Any]] = self.keycloak_admin.get_users({})
+ return o
- def get_users_with_groups_and_roles(self):
+ # TODO: what is this actually doing?
+ def get_users_with_groups_and_roles(self) -> List[DDUser]:
q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, u.enabled, ua.value as quota
,json_agg(g."id") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2
,json_agg(r.name) as role
@@ -125,7 +140,7 @@ class KeycloakClient:
return list_dict_users
- def getparent(self, group_id, data):
+ def getparent(self, group_id : str, data : Iterable[Any]) -> str:
# Recursively get full path from any group_id in the tree
path = ""
for item in data:
@@ -134,14 +149,14 @@ class KeycloakClient:
path = f"{path}/{item[1]}"
return path
- def get_group_path(self, group_id):
+ def get_group_path(self, group_id : str) -> str:
# Get full path using getparent recursive func
# RETURNS: String with full path
q = """SELECT * FROM keycloak_group"""
groups = self.keycloak_pg.select(q)
return self.getparent(group_id, groups)
- def get_user_groups_paths(self, user_id):
+ def get_user_groups_paths(self, user_id : str) -> List[str]:
# Get full paths for user grups
# RETURNS list of paths
q = """SELECT group_id FROM user_group_membership WHERE user_id = '%s'""" % (
@@ -165,20 +180,20 @@ class KeycloakClient:
def add_user(
self,
- username,
- first,
- last,
- email,
- password,
- group=False,
- password_temporary=True,
- enabled=True,
- ):
+ username : str,
+ first : str,
+ last : str,
+ email : str,
+ password : str,
+ group : Any=False,
+ password_temporary : bool=True,
+ enabled : bool=True,
+ ) -> Any:
# RETURNS string with keycloak user id (the main id in this app)
self.connect()
username = username.lower()
try:
- uid = self.keycloak_admin.create_user(
+ uid : Any = self.keycloak_admin.create_user(
{
"email": email,
"username": username,
@@ -213,7 +228,7 @@ class KeycloakClient:
self.keycloak_admin.group_user_add(uid, gid)
return uid
- def update_user_pwd(self, user_id, password, password_temporary=True):
+ def update_user_pwd(self, user_id : str, password : str, password_temporary : bool=True) -> Any:
# Updates
payload = {
"credentials": [
@@ -223,7 +238,7 @@ class KeycloakClient:
self.connect()
return self.keycloak_admin.update_user(user_id, payload)
- def user_update(self, user_id, enabled, email, first, last, groups=[], roles=[]):
+ def user_update(self, user_id : str, enabled : bool, email : str, first : str, last : str, groups : Iterable[str]=[], roles : Iterable[str]=[]) -> Any:
## NOTE: Roles didn't seem to be updated/added. Also not confident with groups
# Updates
payload = {
@@ -237,17 +252,17 @@ class KeycloakClient:
self.connect()
return self.keycloak_admin.update_user(user_id, payload)
- def user_enable(self, user_id):
+ def user_enable(self, user_id : str) -> Any:
payload = {"enabled": True}
self.connect()
return self.keycloak_admin.update_user(user_id, payload)
- def user_disable(self, user_id):
+ def user_disable(self, user_id : str) -> Any:
payload = {"enabled": False}
self.connect()
return self.keycloak_admin.update_user(user_id, payload)
- def group_user_remove(self, user_id, group_id):
+ def group_user_remove(self, user_id : str, group_id : str) -> Any:
self.connect()
return self.keycloak_admin.group_user_remove(user_id, group_id)
@@ -255,7 +270,7 @@ class KeycloakClient:
# self.connect()
# return self.keycloak_admin.assign_role(client_id=client_id, user_id=user_id, role_id=role_id, role_name="test")
- def remove_user_realm_roles(self, user_id, roles):
+ def remove_user_realm_roles(self, user_id : str, roles : Iterable[str]) -> Any:
self.connect()
roles = [
r
@@ -264,66 +279,66 @@ class KeycloakClient:
]
return self.keycloak_admin.delete_user_realm_role(user_id, roles)
- def delete_user(self, userid):
+ def delete_user(self, userid : str) -> Any:
self.connect()
return self.keycloak_admin.delete_user(user_id=userid)
- def get_user_groups(self, userid):
+ def get_user_groups(self, userid : str) -> Any:
self.connect()
return self.keycloak_admin.get_user_groups(user_id=userid)
- def get_user_realm_roles(self, userid):
+ def get_user_realm_roles(self, userid : str) -> Any:
self.connect()
return self.keycloak_admin.get_realm_roles_of_user(user_id=userid)
- def add_user_client_role(self, client_id, user_id, role_id, role_name):
+ def add_user_client_role(self, client_id : str, user_id : str, role_id : str, role_name : str) -> Any:
self.connect()
return self.keycloak_admin.assign_client_role(
client_id=client_id, user_id=user_id, role_id=role_id, role_name="test"
)
## GROUPS
- def get_all_groups(self):
+ def get_all_groups(self) -> Iterable[Any]:
## RETURNS ONLY MAIN GROUPS WITH NESTED subGroups list
self.connect()
- return self.keycloak_admin.get_groups()
+ return cast(Iterable[Any], self.keycloak_admin.get_groups())
- def get_groups(self, with_subgroups=True):
+ def get_groups(self, with_subgroups : bool=True) -> Iterable[Any]:
## RETURNS ALL GROUPS in root list
self.connect()
groups = self.keycloak_admin.get_groups()
return get_recursive_groups(groups, [])
- def get_group_by_id(self, group_id):
+ def get_group_by_id(self, group_id : str) -> Any:
self.connect()
return self.keycloak_admin.get_group(group_id=group_id)
- def get_group_by_path(self, path, recursive=True):
+ def get_group_by_path(self, path : str, recursive : bool=True) -> Any:
self.connect()
return self.keycloak_admin.get_group_by_path(
path=path, search_in_subgroups=recursive
)
- def add_group(self, name, parent=None, skip_exists=False):
+ def add_group(self, name : str, parent : str="", skip_exists : bool=False) -> Any:
self.connect()
- if parent != None:
+ if parent:
parent = self.get_group_by_path(parent)["id"]
return self.keycloak_admin.create_group({"name": name}, parent=parent)
- def delete_group(self, group_id):
+ def delete_group(self, group_id : str) -> Any:
self.connect()
return self.keycloak_admin.delete_group(group_id=group_id)
- def group_user_add(self, user_id, group_id):
+ def group_user_add(self, user_id : str, group_id : str) -> Any:
self.connect()
return self.keycloak_admin.group_user_add(user_id, group_id)
- def add_group_tree(self, path):
+ def add_group_tree(self, path : str) -> None:
paths = kpath2kpaths(path)
parent = "/"
for path in paths:
try:
- parent_path = None if parent == "/" else parent
+ parent_path = "" if parent == "/" else parent
# print("parent: "+str(parent_path)+" path: "+path.split("/")[-1])
self.add_group(path.split("/")[-1], parent_path, skip_exists=True)
parent = path
@@ -333,8 +348,8 @@ class KeycloakClient:
parent = path
def add_user_with_groups_and_role(
- self, username, first, last, email, password, role, groups
- ):
+ self, username : str, first : str, last : str, email : str, password : str, role : str, groups : Iterable[str]
+ ) -> None:
## Add user
uid = self.add_user(username, first, last, email, password)
## Add user to role
@@ -348,7 +363,7 @@ class KeycloakClient:
for g in groups:
log.warning("Creating keycloak group: " + g)
parts = g.split("/")
- parent_path = None
+ parent_path = ""
for i in range(1, len(parts)):
# parent_id=None if parent_path==None else self.get_group(parent_path)['id']
try:
@@ -360,10 +375,7 @@ class KeycloakClient:
+ " already exists. Skipping creation"
)
pass
- if parent_path is None:
- thepath = "/" + parts[i]
- else:
- thepath = parent_path + "/" + parts[i]
+ thepath = parent_path + "/" + parts[i]
if thepath == "/":
log.warning(
"Not adding the user "
@@ -385,53 +397,51 @@ class KeycloakClient:
)
self.keycloak_admin.group_user_add(uid, gid)
- if parent_path == None:
- parent_path = ""
- parent_path = parent_path + "/" + parts[i]
+ parent_path += "/" + parts[i]
# self.group_user_add(uid,gid)
## ROLES
- def get_roles(self):
+ def get_roles(self) -> Iterable[Any]:
self.connect()
- return self.keycloak_admin.get_realm_roles()
+ return cast(Iterable[Any], self.keycloak_admin.get_realm_roles())
- def get_role(self, name):
+ def get_role(self, name : str) -> Any:
self.connect()
return self.keycloak_admin.get_realm_role(name)
- def add_role(self, name, description=""):
+ def add_role(self, name : str, description : str="") -> Any:
self.connect()
return self.keycloak_admin.create_realm_role(
{"name": name, "description": description}
)
- def delete_role(self, name):
+ def delete_role(self, name : str) -> Any:
self.connect()
return self.keycloak_admin.delete_realm_role(name)
## CLIENTS
- def get_client_roles(self, client_id):
+ def get_client_roles(self, client_id : str) -> Any:
self.connect()
return self.keycloak_admin.get_client_roles(client_id=client_id)
- def add_client_role(self, client_id, name, description=""):
+ def add_client_role(self, client_id : str, name : str, description : str="") -> Any:
self.connect()
return self.keycloak_admin.create_client_role(
client_id, {"name": name, "description": description, "clientRole": True}
)
## SYSTEM
- def get_server_info(self):
+ def get_server_info(self) -> Any:
self.connect()
return self.keycloak_admin.get_server_info()
- def get_server_clients(self):
+ def get_server_clients(self) -> Any:
self.connect()
return self.keycloak_admin.get_clients()
- def get_server_rsa_key(self):
+ def get_server_rsa_key(self) -> Any:
self.connect()
rsa_key = [
k for k in self.keycloak_admin.get_keys()["keys"] if k["type"] == "RSA"
@@ -439,22 +449,21 @@ class KeycloakClient:
return {"name": rsa_key["kid"], "certificate": rsa_key["certificate"]}
## REALM
- def assign_realm_roles(self, user_id, role):
+ def assign_realm_roles(self, user_id : str, role : str) -> Any:
self.connect()
try:
- role = [
+ kcroles = [
r for r in self.keycloak_admin.get_realm_roles() if r["name"] == role
]
except:
return False
- return self.keycloak_admin.assign_realm_roles(user_id=user_id, roles=role)
- # return self.keycloak_admin.assign_realm_roles(user_id=user_id, client_id=None, roles=role)
+ return self.keycloak_admin.assign_realm_roles(user_id=user_id, roles=kcroles)
## CLIENTS
- def delete_client(self, clientid):
+ def delete_client(self, clientid : str) -> Any:
self.connect()
return self.keycloak_admin.delete_client(clientid)
- def add_client(self, client):
+ def add_client(self, client : str) -> Any:
self.connect()
return self.keycloak_admin.create_client(client)
diff --git a/dd-sso/admin/src/admin/lib/keys.py b/dd-sso/admin/src/admin/lib/keys.py
new file mode 100644
index 0000000..076387b
--- /dev/null
+++ b/dd-sso/admin/src/admin/lib/keys.py
@@ -0,0 +1,411 @@
+#
+# Copyright © 2022 Evilham
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+
+"""
+This file only depends on:
+ - attrs
+ - cryptography
+ - requests
+
+Integrations should be able to copy this file and use it verbatim on their
+codebase without using anything else from DD.
+
+To check for changes or to update this file, head to:
+ https://gitlab.com/DD-workspace/DD/-/blob/main/dd-sso/admin/src/admin/lib/keys.py
+"""
+
+import json
+import stat
+from copy import deepcopy
+from datetime import datetime, timedelta
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Union
+
+import requests
+from attr import field, frozen
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization.base import (
+ PRIVATE_KEY_TYPES,
+ PUBLIC_KEY_TYPES,
+)
+from jose import jwe, jws, jwt
+from jose.backends.rsa_backend import RSAKey
+from jose.constants import ALGORITHMS
+
+try:
+ # Python 3.8
+ from functools import cached_property as cache
+except ImportError:
+ from functools import cache # type: ignore # Python 3.9+
+
+
+Data = Union[str, bytes]
+Json = Union[Dict, str, List[Dict]]
+
+
+@frozen(slots=False)
+class ThirdPartyIntegrationKeys(object):
+ """
+ This represents the keys for a a third-party integration that interacts
+ with us.
+
+
+ These services must publish their public key on an agreed endpoint.
+ See: {their_remote_pubkey_url}
+
+ Their key is cached in the file system: '{key_store}/their.pubkey'.
+ Key rotation can happen if requested by the third-party service, by
+ manually removing the public key file from the data store.
+
+
+ We also generate a private key for each third-party service.
+ This key is read from or generated to if needed in the file system:
+ '{key_store}/our.privkey'
+
+ Rotating our private key can only happen by removing the private key file
+ and restarting the service.
+
+ In order to use the private key, you get full access to the cryptography
+ primitive with {our_privkey}.
+
+ In order to publish your public key, you get it serialised with
+ {our_pubkey_pem}.
+ """
+
+ #
+ # Standard attributes
+ #
+ our_name: str
+ """
+ The identifier of our service.
+ """
+
+ key_store: Path = field(converter=Path)
+ """
+ Local path to a directory containing service keys.
+ """
+
+ #
+ # Attributes related to the third party
+ #
+ their_name: str
+ """
+ The identifier of the third-party.
+ """
+
+ their_service_domain: str
+ """
+ The domain on which the third party integration is running.
+ """
+
+ their_pubkey_endpoint: str = "/pubkey/"
+ """
+ The absolute path (starting with /) on {their_service_domain} that will
+ serve the pubkey.
+ """
+ #
+ # Cryptography attributes
+ #
+
+ key_size_bits: int = 4096
+ """
+ When generating private keys, how many bits will be used.
+ """
+
+ key_chmod: int = 0o600
+ """
+ Permissions to apply to private keys.
+ """
+
+ encrypt_algorithm: str = ALGORITHMS.RSA_OAEP_256
+ """
+ The encryption algorithm.
+ """
+
+ sign_algorithm: str = ALGORITHMS.RS512
+ """
+ The signature algorithm.
+ """
+
+ validity: timedelta = timedelta(minutes=1)
+ """
+ The validity of a signed token.
+ """
+
+ @property
+ def validity_half(self) -> timedelta:
+ return self.validity / 2
+
+ #
+ # Properties related to the third party keys
+ #
+ @property
+ def their_pubkey_path(self) -> Path:
+ """
+ Helper returning the full path to the cached pubkey.
+ """
+ return self.key_store.joinpath("their.pubkey")
+
+ @property
+ def their_remote_pubkey_url(self) -> str:
+ """
+ Helper returning the full remote URL to the service's pubkey endpoint.
+ """
+ return f"https://{self.their_service_domain}{self.their_pubkey_endpoint}"
+
+ @property
+ def their_pubkey_bytes(self) -> bytes:
+ """
+ Return the service's pubkey by fetching it only if necessary.
+ That means the key is fetched exactly once and saved to
+ their_pubkey_path.
+ In order to rotate keys, their_pubkey_path must be manually deleted.
+
+ If the key has never been fetched and downloading it fails, an empty
+ bytestring will be returned.
+
+ Note we do not cache this property since there might be temporary
+ failures.
+ """
+ if not self.their_pubkey_path.exists():
+ # Download if not available
+ try:
+ res = requests.get(self.their_remote_pubkey_url)
+ except:
+ # The service is currently unavailable
+ return b""
+ self.their_pubkey_path.write_bytes(res.content)
+ return self.their_pubkey_path.read_bytes()
+
+ @property
+ def their_pubkey_jwk(self) -> Dict[str, Any]:
+ """
+ Return the service's PublicKey in JWK form fetching if necessary or
+ empty dict if it was not in the store and we were unable to fetch it.
+ """
+ pk_b = self.their_pubkey_bytes
+ if not pk_b:
+ return dict()
+ rsak = RSAKey(json.loads(pk_b), self.sign_algorithm)
+ return rsak.to_dict()
+
+ #
+ # Properties related to our own keys
+ #
+ @property
+ def our_privkey_path(self) -> Path:
+ """
+ Helper returning the full path to our private key.
+ """
+ return self.key_store.joinpath("our.privkey")
+
+ @cache
+ def our_privkey_bytes(self) -> bytes:
+ """
+ Helper that returns our private key, generating it if necessary.
+
+ This property is cached to avoid expensive operations.
+ That does mean that on key rotation the service must be restarted.
+ """
+ return self._load_privkey(self.our_privkey_path)
+
+ @cache
+ def our_privkey(self) -> RSAKey:
+ """
+ Helper that returns our private key in cryptography form, generating
+ it if necessary.
+ """
+ pk_b = self.our_privkey_bytes
+ return RSAKey(json.loads(pk_b), self.sign_algorithm)
+
+ @cache
+ def our_privkey_jwk(self) -> Dict[str, Any]:
+ """
+ Return our PrivateKey in JWK for this third-party service, generating
+ it if necessary.
+ """
+ return self.our_privkey.to_dict()
+
+ @cache
+ def our_pubkey(self) -> RSAKey:
+ """
+ Helper that returns our public key, generating the privkey if necessary.
+ """
+ return self.our_privkey.public_key()
+
+ @cache
+ def our_pubkey_jwk(self) -> Dict[str, Any]:
+ """
+ Helper that returns our public key in JWK form.
+ """
+ return self.our_pubkey.to_dict()
+
+ #
+ # Message-passing methods
+ #
+ def encrypt_outgoing_data(self, data: bytes) -> str:
+ return jwe.encrypt(
+ data,
+ self.their_pubkey_jwk,
+ algorithm=self.encrypt_algorithm,
+ kid=self.our_name,
+ ).decode("utf-8")
+
+ def encrypt_outgoing_json(self, data: Json) -> str:
+ return self.encrypt_outgoing_data(json.dumps(data).encode("utf-8"))
+
+ def decrypt_incoming_data(self, enc_data: Data) -> bytes:
+ return jwe.decrypt(enc_data, self.our_privkey_jwk) # type: ignore # Wrong hint
+
+ def decrypt_incoming_json(self, enc_data: Data) -> Json:
+ d: Json = json.loads(self.decrypt_incoming_data(enc_data))
+ return d
+
+ def sign_outgoing_json(self, data: Json) -> str:
+ now = datetime.utcnow()
+ claims = {
+ "data": data,
+ "aud": self.their_name,
+ "iss": self.our_name,
+ "iat": now,
+ "nbf": now - self.validity_half,
+ "exp": now + self.validity_half,
+ }
+ return jwt.encode(
+ claims,
+ self.our_privkey_jwk,
+ algorithm=self.sign_algorithm,
+ headers={
+ "kid": self.our_name,
+ },
+ )
+
+ def sign_outgoing_data(self, data: Json) -> str:
+ return self.sign_outgoing_json(data)
+
+ def verify_incoming_data(self, data: Data) -> Any:
+ signed_data: Dict = jwt.decode(
+ data,
+ self.their_pubkey_jwk,
+ algorithms=[self.sign_algorithm],
+ audience=self.our_name,
+ issuer=self.their_name,
+ options={
+ "require_aud": True,
+ "require_iat": True,
+ "require_iss": True,
+ "require_nbf": True,
+ "require_exp": True,
+ },
+ )
+ return signed_data["data"]
+
+ def verify_incoming_json(self, data: bytes) -> Json:
+ d: Json = json.loads(self.verify_incoming_data(data))
+ return d
+
+ def sign_and_encrypt_outgoing_data(self, data: bytes) -> str:
+ return self.sign_outgoing_data(self.encrypt_outgoing_data(data))
+
+ def sign_and_encrypt_outgoing_json(self, data: Json) -> str:
+ return self.sign_outgoing_data(self.encrypt_outgoing_json(data))
+
+ def verify_and_decrypt_incoming_data(self, data: Data) -> bytes:
+ enc_data: str = self.verify_incoming_data(data)
+ return self.decrypt_incoming_data(enc_data.encode("utf-8"))
+
+ def verify_and_decrypt_incoming_json(self, data: Data) -> Json:
+ enc_data: str = self.verify_incoming_data(data)
+ return self.decrypt_incoming_json(enc_data.encode("utf-8"))
+
+ def get_outgoing_request_headers(self) -> Dict[str, str]:
+ # Use current time as ever-changing payload
+ now = datetime.utcnow().isoformat()
+ return {"Authorization": self.sign_outgoing_data(now)}
+
+ #
+ # Helper methods
+ #
+ def _load_privkey(self, path: Path, force_generation: bool = False) -> bytes:
+ # Check recommendations here
+ # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key
+ #
+ needs_generation = force_generation or not path.exists()
+
+ # Perform further sanity checks
+ # by re-using needs_generation we save checking the file system
+ if not needs_generation:
+ path_st = path.stat()
+ # Check and fix permissions if necessary
+ if stat.S_IMODE(path_st.st_mode) != self.key_chmod:
+ path.touch(mode=self.key_chmod, exist_ok=True)
+ # Force generation if file is empty
+ needs_generation = path_st == 0
+
+ if needs_generation:
+ # Generate the key as needed
+ gpk = rsa.generate_private_key(
+ public_exponent=65537, key_size=self.key_size_bits
+ )
+ enc_gpk = gpk.private_bytes(
+ encoding=serialization.Encoding.PEM,
+ format=serialization.PrivateFormat.PKCS8,
+ encryption_algorithm=serialization.NoEncryption(),
+ )
+ enc_jwk = json.dumps(RSAKey(enc_gpk, self.sign_algorithm).to_dict())
+ # Ensure permissions
+ path.touch(mode=self.key_chmod, exist_ok=True)
+ # Write private key
+ path.write_text(enc_jwk)
+
+ # Return key
+ return path.read_bytes()
+
+
+if __name__ == "__main__":
+ # TODO: convert into real tests
+ a = ThirdPartyIntegrationKeys(
+ our_name="a", their_name="b", their_service_domain="b.com", key_store="tmpa"
+ )
+ b = ThirdPartyIntegrationKeys(
+ our_name="b", their_name="a", their_service_domain="a.com", key_store="tmpb"
+ )
+ Path("tmpa/their.pubkey").write_text(json.dumps(b.our_pubkey_jwk))
+ Path("tmpb/their.pubkey").write_text(json.dumps(a.our_pubkey_jwk))
+
+ m1 = b"test message"
+ print("out", m1)
+ o1 = a.sign_and_encrypt_outgoing_data(m1)
+ print("enc", o1)
+ r1 = b.verify_and_decrypt_incoming_data(o1)
+ print("got", r1)
+ assert m1 == r1, f"Wrong result. Got: {r1!r}. Expected: {m1!r}"
+
+ m2 = {"test": 1, "hello": "world"}
+ m2 = {}
+ print("out", m2)
+ o2 = a.sign_and_encrypt_outgoing_json(m2)
+ print(jwt.get_unverified_headers(o2))
+ print("enc", o2)
+ r2 = b.verify_and_decrypt_incoming_json(o2)
+ print("got", r2)
+ assert m2 == r2, f"Wrong result. Got: {r2!r}. Expected: {m2!r}"
diff --git a/dd-sso/admin/src/admin/lib/legal.py b/dd-sso/admin/src/admin/lib/legal.py
index 70c27c2..4e7ce80 100644
--- a/dd-sso/admin/src/admin/lib/legal.py
+++ b/dd-sso/admin/src/admin/lib/legal.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -21,7 +22,6 @@ import logging as log
import os
import traceback
-from admin import app
from pprint import pprint
from minio import Minio
@@ -29,18 +29,22 @@ from minio.commonconfig import REPLACE, CopySource
from minio.deleteobjects import DeleteObject
from requests import get, post
-legal_path= os.path.join(app.root_path, "static/templates/pages/legal/")
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
-def get_legal(lang):
- with open(legal_path+lang, "r") as languagefile:
+
+# TODO: Fix all this
+def get_legal(app : "AdminFlaskApp", lang : str) -> str:
+ with open(app.legal_path+lang, "r") as languagefile:
return languagefile.read()
-def gen_legal_if_not_exists(lang):
- if not os.path.isfile(legal_path+lang):
+def gen_legal_if_not_exists(app : "AdminFlaskApp", lang : str) -> None:
+ if not os.path.isfile(app.legal_path+lang):
log.debug("Creating new language file")
- with open(legal_path+lang, "w") as languagefile:
+ with open(app.legal_path+lang, "w") as languagefile:
languagefile.write("Legal
This is the default legal page for language " + lang)
-def new_legal(lang,html):
- with open(legal_path+lang, "w") as languagefile:
- languagefile.write(html)
\ No newline at end of file
+def new_legal(app : "AdminFlaskApp", lang : str, html : str) -> None:
+ with open(app.legal_path+lang, "w") as languagefile:
+ languagefile.write(html)
diff --git a/dd-sso/admin/src/admin/lib/load_config.py b/dd-sso/admin/src/admin/lib/load_config.py
deleted file mode 100644
index 19ae22d..0000000
--- a/dd-sso/admin/src/admin/lib/load_config.py
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# Copyright © 2021,2022 IsardVDI S.L.
-#
-# This file is part of DD
-#
-# DD is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# DD is distributed in the hope that it will be useful, but WITHOUT ANY
-# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with DD. If not, see .
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-
-import logging as log
-import os
-import sys
-import traceback
-
-import yaml
-from cerberus import Validator, rules_set_registry, schema_registry
-
-from admin import app
-
-
-class AdminValidator(Validator):
- None
- # def _normalize_default_setter_genid(self, document):
- # return _parse_string(document["name"])
-
- # def _normalize_default_setter_genidlower(self, document):
- # return _parse_string(document["name"]).lower()
-
- # def _normalize_default_setter_gengroupid(self, document):
- # return _parse_string(
- # document["parent_category"] + "-" + document["uid"]
- # ).lower()
-
-
-def load_validators(purge_unknown=True):
- validators = {}
- schema_path = os.path.join(app.root_path, "schemas")
- for schema_filename in os.listdir(schema_path):
- try:
- with open(os.path.join(schema_path, schema_filename)) as file:
- schema_yml = file.read()
- schema = yaml.load(schema_yml, Loader=yaml.FullLoader)
- validators[schema_filename.split(".")[0]] = AdminValidator(
- schema, purge_unknown=purge_unknown
- )
- except IsADirectoryError:
- None
- return validators
-
-
-app.validators = load_validators()
-
-
-class loadConfig:
- def __init__(self, app=None):
- try:
- app.config.setdefault("DOMAIN", os.environ["DOMAIN"])
- app.config.setdefault(
- "KEYCLOAK_POSTGRES_USER", os.environ["KEYCLOAK_DB_USER"]
- )
- app.config.setdefault(
- "KEYCLOAK_POSTGRES_PASSWORD", os.environ["KEYCLOAK_DB_PASSWORD"]
- )
- app.config.setdefault(
- "MOODLE_POSTGRES_USER", os.environ["MOODLE_POSTGRES_USER"]
- )
- app.config.setdefault(
- "MOODLE_POSTGRES_PASSWORD", os.environ["MOODLE_POSTGRES_PASSWORD"]
- )
- app.config.setdefault(
- "NEXTCLOUD_POSTGRES_USER", os.environ["NEXTCLOUD_POSTGRES_USER"]
- )
- app.config.setdefault(
- "NEXTCLOUD_POSTGRES_PASSWORD", os.environ["NEXTCLOUD_POSTGRES_PASSWORD"]
- )
- app.config.setdefault(
- "VERIFY", True if os.environ["VERIFY"] == "true" else False
- )
- app.config.setdefault("API_SECRET", os.environ.get("API_SECRET"))
- except Exception as e:
- log.error(traceback.format_exc())
- raise
diff --git a/dd-sso/admin/src/admin/lib/moodle.py b/dd-sso/admin/src/admin/lib/moodle.py
index 9ee12f0..24e1a12 100644
--- a/dd-sso/admin/src/admin/lib/moodle.py
+++ b/dd-sso/admin/src/admin/lib/moodle.py
@@ -1,5 +1,6 @@
#
-# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -23,11 +24,15 @@ from pprint import pprint
from requests import get, post
-from admin import app
from .exceptions import UserExists, UserNotFound
from .postgres import Postgres
+from typing import TYPE_CHECKING, cast, Any, Dict, Iterable, List, Optional
+
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
+
# Module variables to connect to moodle api
@@ -36,18 +41,20 @@ class Moodle:
https://docs.moodle.org/dev/Web_service_API_functions
https://docs.moodle.org/311/en/Using_web_services
"""
-
+ key: str
+ url : str
+ endpoint : str
+ verify : bool
+ moodle_pg : Postgres
def __init__(
self,
- key=app.config["MOODLE_WS_TOKEN"],
- url="https://moodle." + app.config["DOMAIN"],
- endpoint="/webservice/rest/server.php",
- verify=app.config["VERIFY"],
- ):
- self.key = key
- self.url = url
+ app : "AdminFlaskApp",
+ endpoint : str="/webservice/rest/server.php",
+ ) -> None:
+ self.key = app.config["MOODLE_WS_TOKEN"]
+ self.url = f"https://moodle.{ app.config['DOMAIN'] }"
self.endpoint = endpoint
- self.verify = verify
+ self.verify = cast(bool, app.config["VERIFY"])
self.moodle_pg = Postgres(
"dd-apps-postgresql",
@@ -56,7 +63,7 @@ class Moodle:
app.config["MOODLE_POSTGRES_PASSWORD"],
)
- def rest_api_parameters(self, in_args, prefix="", out_dict=None):
+ def rest_api_parameters(self, in_args : Any, prefix : str="", out_dict : Optional[Dict]=None) -> Dict[Any, Any]:
"""Transform dictionary/array structure to a flat dictionary, with key names
defining the structure.
Example usage:
@@ -64,24 +71,23 @@ class Moodle:
{'courses[0][id]':1,
'courses[0][name]':'course1'}
"""
- if out_dict == None:
- out_dict = {}
+ o : Dict[Any, Any] = {} if out_dict is None else out_dict
if not type(in_args) in (list, dict):
- out_dict[prefix] = in_args
- return out_dict
+ o[prefix] = in_args
+ return o
if prefix == "":
prefix = prefix + "{0}"
else:
prefix = prefix + "[{0}]"
if type(in_args) == list:
for idx, item in enumerate(in_args):
- self.rest_api_parameters(item, prefix.format(idx), out_dict)
+ self.rest_api_parameters(item, prefix.format(idx), o)
elif type(in_args) == dict:
for key, item in in_args.items():
- self.rest_api_parameters(item, prefix.format(key), out_dict)
- return out_dict
+ self.rest_api_parameters(item, prefix.format(key), o)
+ return o
- def call(self, fname, **kwargs):
+ def call(self, fname : str, **kwargs : Any) -> Any:
"""Calls moodle API function with function name fname and keyword arguments.
Example:
>>> call_mdl_function('core_course_update_courses',
@@ -97,7 +103,7 @@ class Moodle:
raise SystemError(response)
return response
- def create_user(self, email, username, password, first_name="-", last_name="-"):
+ def create_user(self, email : str, username : str, password : str, first_name : str="-", last_name : str="-") -> Any:
if len(self.get_user_by("username", username)["users"]):
raise UserExists
try:
@@ -115,7 +121,7 @@ class Moodle:
except SystemError as se:
raise SystemError(se.args[0]["message"])
- def update_user(self, username, email, first_name, last_name, enabled=True):
+ def update_user(self, username : str, email : str, first_name : str, last_name : str, enabled : bool=True) -> Any:
user = self.get_user_by("username", username)["users"][0]
if not len(user):
raise UserNotFound
@@ -135,15 +141,15 @@ class Moodle:
except SystemError as se:
raise SystemError(se.args[0]["message"])
- def delete_user(self, user_id):
+ def delete_user(self, user_id : str) -> Any:
user = self.call("core_user_delete_users", userids=[user_id])
return user
- def delete_users(self, userids):
+ def delete_users(self, userids : List[str]) -> Any:
user = self.call("core_user_delete_users", userids=userids)
return user
- def get_user_by(self, key, value):
+ def get_user_by(self, key : str, value : str) -> Any:
criteria = [{"key": key, "value": value}]
try:
user = self.call("core_user_get_users", criteria=criteria)
@@ -152,7 +158,7 @@ class Moodle:
return user
# {'users': [{'id': 8, 'username': 'asdfw', 'firstname': 'afowie', 'lastname': 'aokjdnfwe', 'fullname': 'afowie aokjdnfwe', 'email': 'awfewe@ads.com', 'department': '', 'firstaccess': 0, 'lastaccess': 0, 'auth': 'manual', 'suspended': False, 'confirmed': True, 'lang': 'ca', 'theme': '', 'timezone': '99', 'mailformat': 1, 'profileimageurlsmall': 'https://moodle.mydomain.duckdns.org/theme/image.php/cbe/core/1630941606/u/f2', 'profileimageurl': 'https://DOMAIN/theme/image.php/cbe/core/1630941606/u/f1'}], 'warnings': []}
- def get_users_with_groups_and_roles(self):
+ def get_users_with_groups_and_roles(self) -> List[Dict[Any, Any]]:
q = """select u.id as id, username, firstname as first, lastname as last, email, json_agg(h.name) as groups, json_agg(r.shortname) as roles
from mdl_user as u
LEFT JOIN mdl_cohort_members AS hm on hm.userid = u.id
@@ -179,31 +185,31 @@ class Moodle:
# user['roles']=[]
# return users
- def enroll_user_to_course(self, user_id, course_id, role_id=5):
+ def enroll_user_to_course(self, user_id : str, course_id : str, role_id : int=5) -> Any:
# 5 is student
data = [{"roleid": role_id, "userid": user_id, "courseid": course_id}]
enrolment = self.call("enrol_manual_enrol_users", enrolments=data)
return enrolment
- def get_quiz_attempt(self, quiz_id, user_id):
+ def get_quiz_attempt(self, quiz_id : str, user_id : str) -> Any:
attempts = self.call(
"mod_quiz_get_user_attempts", quizid=quiz_id, userid=user_id
)
return attempts
- def get_cohorts(self):
+ def get_cohorts(self) -> List[Dict[str, Any]]:
cohorts = self.call("core_cohort_get_cohorts")
- return cohorts
+ return cast(List[Dict[str, Any]], cohorts)
- def add_system_cohort(self, name, description="", visible=True):
- visible = 1 if visible else 0
+ def add_system_cohort(self, name : str, description : str ="", visible : bool=True) -> Any:
+ bit_visible = 1 if visible else 0
data = [
{
"categorytype": {"type": "system", "value": ""},
"name": name,
"idnumber": name,
"description": description,
- "visible": visible,
+ "visible": bit_visible,
}
]
cohort = self.call("core_cohort_create_cohorts", cohorts=data)
@@ -214,7 +220,7 @@ class Moodle:
# user = self.call('core_cohort_add_cohort_members', criteria=criteria)
# return user
- def add_user_to_cohort(self, userid, cohortid):
+ def add_user_to_cohort(self, userid : str, cohortid : str) -> Any:
members = [
{
"cohorttype": {"type": "id", "value": cohortid},
@@ -224,21 +230,21 @@ class Moodle:
user = self.call("core_cohort_add_cohort_members", members=members)
return user
- def delete_user_in_cohort(self, userid, cohortid):
+ def delete_user_in_cohort(self, userid : str, cohortid : str) -> Any:
members = [{"cohortid": cohortid, "userid": userid}]
user = self.call("core_cohort_delete_cohort_members", members=members)
return user
- def get_cohort_members(self, cohort_ids):
+ def get_cohort_members(self, cohort_ids : str) -> Any:
members = self.call("core_cohort_get_cohort_members", cohortids=cohort_ids)
# [0]['userids']
return members
- def delete_cohorts(self, cohortids):
+ def delete_cohorts(self, cohortids : Iterable[str]) -> Any:
deleted = self.call("core_cohort_delete_cohorts", cohortids=cohortids)
return deleted
- def get_user_cohorts(self, user_id):
+ def get_user_cohorts(self, user_id : str) -> Any:
user_cohorts = []
cohorts = self.get_cohorts()
for cohort in cohorts:
@@ -246,7 +252,7 @@ class Moodle:
user_cohorts.append(cohort)
return user_cohorts
- def add_user_to_siteadmin(self, user_id):
+ def add_user_to_siteadmin(self, user_id : str) -> Any:
q = """SELECT value FROM mdl_config WHERE name='siteadmins'"""
value = self.moodle_pg.select(q)[0][0]
if str(user_id) not in value:
@@ -258,6 +264,7 @@ class Moodle:
log.warning(
"MOODLE:ADDING THE USER TO ADMINS: This needs a purge cache in moodle!"
)
+
def unassign_user_rol(self, user_id, role_id):
unassignments = [{"roleid": role_id, "userid": user_id, "contextlevel": 'system', "instanceid": 0}]
return self.call("core_role_unassign_roles", unassignments=unassignments)
diff --git a/dd-sso/admin/src/admin/lib/mysql.py b/dd-sso/admin/src/admin/lib/mysql.py
index 9f3f140..7fdad2a 100644
--- a/dd-sso/admin/src/admin/lib/mysql.py
+++ b/dd-sso/admin/src/admin/lib/mysql.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -18,32 +19,29 @@
#
# SPDX-License-Identifier: AGPL-3.0-or-later
-import json
-import logging as log
-import time
-import traceback
-from datetime import datetime, timedelta
-
import mysql.connector
-import yaml
-# from admin import app
+from typing import List, Tuple
class Mysql:
- def __init__(self, host, database, user, password):
+ # TODO: Fix this whole class
+ cur : mysql.connector.MySQLCursor
+ conn : mysql.connector.MySQLConnection
+ def __init__(self, host : str, database : str, user : str, password : str) -> None:
self.conn = mysql.connector.connect(
host=host, database=database, user=user, password=password
)
- def select(self, sql):
+ def select(self, sql : str) -> List[Tuple]:
self.cur = self.conn.cursor()
self.cur.execute(sql)
- data = self.cur.fetchall()
+ data : List[Tuple] = self.cur.fetchall()
self.cur.close()
return data
- def update(self, sql):
+ def update(self, sql : str) -> None:
+ # TODO: Fix this whole method
self.cur = self.conn.cursor()
self.cur.execute(sql)
self.conn.commit()
diff --git a/dd-sso/admin/src/admin/lib/nextcloud.py b/dd-sso/admin/src/admin/lib/nextcloud.py
index 9e2a130..1a28d13 100644
--- a/dd-sso/admin/src/admin/lib/nextcloud.py
+++ b/dd-sso/admin/src/admin/lib/nextcloud.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -30,21 +31,31 @@ import urllib
import requests
from psycopg2 import sql
-# from ..lib.log import *
-from admin import app
-
from .nextcloud_exc import *
from .postgres import Postgres
+from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
+
+DDUser = Dict[Any, Any]
class Nextcloud:
+ verify_cert : bool
+ apiurl : str
+ shareurl : str
+ davurl : str
+ auth : Tuple[str, str]
+ user : str
+ nextcloud_pg : Postgres
def __init__(
self,
- url="https://nextcloud." + app.config["DOMAIN"],
- username=os.environ["NEXTCLOUD_ADMIN_USER"],
- password=os.environ["NEXTCLOUD_ADMIN_PASSWORD"],
- verify=True,
- ):
+ app : "AdminFlaskApp",
+ username : str=os.environ["NEXTCLOUD_ADMIN_USER"],
+ password : str=os.environ["NEXTCLOUD_ADMIN_PASSWORD"],
+ verify : bool=True,
+ ) -> None:
+ url = "https://nextcloud." + app.config["DOMAIN"]
self.verify_cert = verify
self.apiurl = url + "/ocs/v1.php/cloud/"
@@ -61,9 +72,9 @@ class Nextcloud:
)
def _request(
- self, method, url, data={}, headers={"OCS-APIRequest": "true"}, auth=False
- ):
- if auth == False:
+ self, method : str, url : str, data : Any={}, headers : Dict[str, str]={"OCS-APIRequest": "true"}, auth : Optional[Tuple[str, str]]=None
+ ) -> str:
+ if auth is None:
auth = self.auth
try:
response = requests.request(
@@ -96,7 +107,7 @@ class Nextcloud:
raise ProviderConnError
raise ProviderError
- def check_connection(self):
+ def check_connection(self) -> bool:
url = self.apiurl + "users/" + self.user + "?format=json"
try:
result = self._request("GET", url)
@@ -118,7 +129,7 @@ class Nextcloud:
raise ProviderConnError
raise ProviderError
- def get_user(self, userid):
+ def get_user(self, userid : str) -> Any:
url = self.apiurl + "users/" + userid + "?format=json"
try:
result = json.loads(self._request("GET", url))
@@ -148,7 +159,7 @@ class Nextcloud:
# users_with_lists = [list(l[:-2])+([[]] if l[-2] == [None] else [list(set(l[-2]))]) + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) for l in users]
# users_with_lists = [list(l[:-2])+([[]] if l[-2] == [None] else [list(set(l[-2]))]) + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) for l in users_with_lists]
# list_dict_users = [dict(zip(fields, r)) for r in users_with_lists]
- def get_users_list(self):
+ def get_users_list(self) -> List[DDUser]:
# q = """select u.uid as username, adn.value as displayname, ade.value as email, json_agg(gg.displayname) as admin_groups,json_agg(g.displayname) as groups
# from oc_users as u
# left join oc_group_user as gu on gu.uid = u.uid
@@ -200,9 +211,10 @@ class Nextcloud:
# log.error(traceback.format_exc())
# raise
+ # TODO: Improve typing of these functions...
def add_user(
- self, userid, userpassword, quota=False, group=False, email="", displayname=""
- ):
+ self, userid : str, userpassword : str, quota : Any=False, group : Any=False, email : str="", displayname : str=""
+ ) -> bool:
data = {
"userid": userid,
"password": userpassword,
@@ -247,7 +259,7 @@ class Nextcloud:
# 106 - no group specified (required for subadmins)
# 107 - all errors that contain a hint - for example “Password is among the 1,000,000 most common ones. Please make it unique.” (this code was added in 12.0.6 & 13.0.1)
- def update_user(self, userid, key_values):
+ def update_user(self, userid : str, key_values : Dict[str, Any]) -> bool:
# key_values={'quota':quota,'email':email,'displayname':displayname}
url = self.apiurl + "users/" + userid + "?format=json"
@@ -262,6 +274,8 @@ class Nextcloud:
result = json.loads(
self._request("PUT", url, data=data, headers=headers)
)
+ # TODO: It seems like this only sets the first item in key_values
+ # This function probably doesn't do what it is supposed to
if result["ocs"]["meta"]["statuscode"] == 100:
return True
if result["ocs"]["meta"]["statuscode"] == 102:
@@ -273,8 +287,9 @@ class Nextcloud:
except:
# log.error(traceback.format_exc())
raise
+ return False
- def add_user_to_group(self, userid, group_id):
+ def add_user_to_group(self, userid : str, group_id : str) -> bool:
data = {"groupid": group_id}
url = self.apiurl + "users/" + userid + "/groups?format=json"
@@ -296,7 +311,7 @@ class Nextcloud:
# log.error(traceback.format_exc())
raise
- def remove_user_from_group(self, userid, group_id):
+ def remove_user_from_group(self, userid : str, group_id : str) -> bool:
data = {"groupid": group_id}
url = self.apiurl + "users/" + userid + "/groups?format=json"
@@ -312,18 +327,21 @@ class Nextcloud:
return True
if result["ocs"]["meta"]["statuscode"] == 102:
raise ProviderItemExists
- if result["ocs"]["meta"]["statuscode"] == 104:
- self.add_group(group)
- # raise ProviderGroupNotExists
+ # TODO: It is unclear what status code 104 is, it certainly
+ # shouldn't the group if it doesn't exist
+ #if result["ocs"]["meta"]["statuscode"] == 104:
+ # self.add_group(group)
+ # # raise ProviderGroupNotExists
log.error("Get Nextcloud provider user add error: " + str(result))
raise ProviderOpError
except:
# log.error(traceback.format_exc())
raise
+ # TODO: Improve typing of these functions...
def add_user_with_groups(
- self, userid, userpassword, quota=False, groups=[], email="", displayname=""
- ):
+ self, userid : str, userpassword : str, quota : Any=False, groups : Any=[], email : str="", displayname : str=""
+ ) -> bool:
data = {
"userid": userid,
"password": userpassword,
@@ -352,7 +370,7 @@ class Nextcloud:
raise ProviderItemExists
if result["ocs"]["meta"]["statuscode"] == 104:
# self.add_group(group)
- None
+ pass
# raise ProviderGroupNotExists
log.error("Get Nextcloud provider user add error: " + str(result))
raise ProviderOpError
@@ -368,7 +386,7 @@ class Nextcloud:
# 106 - no group specified (required for subadmins)
# 107 - all errors that contain a hint - for example “Password is among the 1,000,000 most common ones. Please make it unique.” (this code was added in 12.0.6 & 13.0.1)
- def delete_user(self, userid):
+ def delete_user(self, userid : str) -> bool:
url = self.apiurl + "users/" + userid + "?format=json"
try:
result = json.loads(self._request("DELETE", url))
@@ -384,13 +402,13 @@ class Nextcloud:
# 100 - successful
# 101 - failure
- def enable_user(self, userid):
- None
+ def enable_user(self, userid : str) -> None:
+ pass
- def disable_user(self, userid):
- None
+ def disable_user(self, userid : str) -> None:
+ pass
- def exists_user_folder(self, userid, userpassword, folder="IsardVDI"):
+ def exists_user_folder(self, userid : str, userpassword : str, folder : str="IsardVDI") -> bool:
auth = (userid, userpassword)
url = self.davurl + userid + "/" + folder + "?format=json"
headers = {
@@ -407,7 +425,7 @@ class Nextcloud:
# log.error(traceback.format_exc())
raise
- def add_user_folder(self, userid, userpassword, folder="IsardVDI"):
+ def add_user_folder(self, userid : str, userpassword : str, folder : str="IsardVDI") -> bool:
auth = (userid, userpassword)
url = self.davurl + userid + "/" + folder + "?format=json"
headers = {
@@ -429,7 +447,7 @@ class Nextcloud:
# log.error(traceback.format_exc())
raise
- def exists_user_share_folder(self, userid, userpassword, folder="IsardVDI"):
+ def exists_user_share_folder(self, userid : str, userpassword : str, folder : str="IsardVDI") -> Dict[str, str]:
auth = (userid, userpassword)
url = self.shareurl + "shares?format=json"
headers = {
@@ -449,7 +467,7 @@ class Nextcloud:
# log.error(traceback.format_exc())
raise
- def add_user_share_folder(self, userid, userpassword, folder="IsardVDI"):
+ def add_user_share_folder(self, userid : str, userpassword : str, folder : str="IsardVDI") -> Dict[str, str]:
auth = (userid, userpassword)
data = {"path": "/" + folder, "shareType": 3}
url = self.shareurl + "shares?format=json"
@@ -477,10 +495,10 @@ class Nextcloud:
# log.error(traceback.format_exc())
raise
- def get_group(self, userid):
- None
+ def get_group(self, userid : str) -> None:
+ pass
- def get_groups_list(self):
+ def get_groups_list(self) -> List[Any]:
url = self.apiurl + "groups?format=json"
try:
result = json.loads(self._request("GET", url))
@@ -491,7 +509,7 @@ class Nextcloud:
# log.error(traceback.format_exc())
raise
- def add_group(self, groupid):
+ def add_group(self, groupid : str) -> bool:
data = {"groupid": groupid}
url = self.apiurl + "groups?format=json"
headers = {
@@ -515,7 +533,7 @@ class Nextcloud:
# 102 - group already exists
# 103 - failed to add the group
- def delete_group(self, groupid):
+ def delete_group(self, groupid : str) -> bool:
group = urllib.parse.quote(groupid, safe="")
url = self.apiurl + "groups/" + group + "?format=json"
headers = {
@@ -538,7 +556,7 @@ class Nextcloud:
# 102 - group already exists
# 103 - failed to add the group
- def set_user_mail(self, data):
+ def set_user_mail(self, data : DDUser) -> None:
query = """SELECT * FROM "oc_mail_accounts" WHERE "email" = '%s'"""
sql_query = sql.SQL(query.format(data["email"]))
if not len(self.nextcloud_pg.select(sql_query)):
diff --git a/dd-sso/admin/src/admin/lib/nextcloud_exc.py b/dd-sso/admin/src/admin/lib/nextcloud_exc.py
index ec1f290..51ff233 100644
--- a/dd-sso/admin/src/admin/lib/nextcloud_exc.py
+++ b/dd-sso/admin/src/admin/lib/nextcloud_exc.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -46,6 +47,10 @@ class ProviderItemNotExists(Exception):
pass
+class ProviderUserNotExists(Exception):
+ pass
+
+
class ProviderGroupNotExists(Exception):
pass
diff --git a/dd-sso/admin/src/admin/lib/postgres.py b/dd-sso/admin/src/admin/lib/postgres.py
index 84b82ad..10febce 100644
--- a/dd-sso/admin/src/admin/lib/postgres.py
+++ b/dd-sso/admin/src/admin/lib/postgres.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -18,54 +19,41 @@
#
# SPDX-License-Identifier: AGPL-3.0-or-later
-import json
-import logging as log
-import time
-import traceback
-from datetime import datetime, timedelta
-
import psycopg2
-import yaml
+import psycopg2.sql
+from psycopg2.extensions import connection, cursor
-# from admin import app
+from typing import Any, List, Tuple, Union
+query = Union[str, psycopg2.sql.SQL]
class Postgres:
- def __init__(self, host, database, user, password):
+ # TODO: Fix this whole class
+ cur : cursor
+ conn : connection
+ def __init__(self, host : str, database : str, user : str, password : str) -> None:
self.conn = psycopg2.connect(
host=host, database=database, user=user, password=password
)
- # def __del__(self):
- # self.cur.close()
- # self.conn.close()
-
- def select(self, sql):
+ def select(self, sql: query) -> List[Tuple[Any, ...]]:
self.cur = self.conn.cursor()
self.cur.execute(sql)
data = self.cur.fetchall()
- self.cur.close()
+ self.cur.close() # type: ignore # psycopg2 type hint missing
return data
- def update(self, sql):
+ def update(self, sql : query) -> None:
self.cur = self.conn.cursor()
self.cur.execute(sql)
self.conn.commit()
- self.cur.close()
+ self.cur.close() # type: ignore # psycopg2 type hint missing
# return self.cur.fetchall()
- def select_with_headers(self, sql):
+ def select_with_headers(self, sql : query) -> Tuple[List[Any], List[Tuple[Any, ...]]]:
self.cur = self.conn.cursor()
self.cur.execute(sql)
data = self.cur.fetchall()
fields = [a.name for a in self.cur.description]
- self.cur.close()
+ self.cur.close() # type: ignore # psycopg2 type hint missing
return (fields, data)
-
- # def update_moodle_saml_plugin(self):
- # plugin[('idpmetadata', 'NrtA5ynG0htowP3SXw7dBJRIAMxn-1PwuuXwOwNhlRwMIICmzCCAYMCBgF5jb0RCTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjEwNTIxMDcwMjI4WhcNMzEwNTIxMDcwNDA4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCI8xh/C0+frz3kgWiUbziTDls71R2YiXLSVE+bw7gbEgZUGCLhoEI679azMtIxmnzM/snIX+yTb12+XoYkgbiLTMPQfnH+Kiab6g3HL3KPfhqS+yWkFxOoCp6Ibmp7yPlVWuHH+MBfO8OBr/r8Ao7heFbuzjiLd1KG67rcoaxfDgMuBoEomg1bgEjFgHaQIrSC6OZzH0h987/arqufZXeXlfyiqScMPUi+u5IpDWSwz06UKP0k8mxzNSlpZ93CKOUSsV0SMLxqg7FQ3SGiOk577bGW9o9BDTkkmSo3Up6smc0LzwvvUwuNd0B1irGkWZFQN9OXJnJYf1InEebIMtmPAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADM34+qEGeBQ22luphVTuVJtGxcbxLx7DfsT0QfJD/OuxTTbNAa1VRyarb5juIAkqdj4y2quZna9ZXLecVo4RkwpzPoKoAkYA8b+kHnWqEwJi9iPrDvKb+GR0bBkLPN49YxIZ8IdKX/PRa3yuLHe+loiNsCaS/2ZK2KO46COsqU4QX1iVhF9kWphNLybjNAX45B6cJLsa1g0vXLdm3kv3SB4I2fErFVaOoDtFIjttoYlXdpUiThkPXBfr7N67P3dZHaS4tjJh+IZ8I6TINpcsH8dBkUhzYEIPHCePwSiC1w6WDBLNDuKt1mj1CZrLq+1x+Yhrs+QNRheEKGi89HZ8N0=urn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transienturn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')]
- # pg_update = """UPDATE mdl_config_plugins set title = %s where plugin = auth_saml2 and name ="""
- # cursor.execute(pg_update, (title, bookid))
- # connection.commit()
- # count = cursor.rowcount
- # print(count, "Successfully Updated!")
diff --git a/dd-sso/admin/src/admin/lib/postup.py b/dd-sso/admin/src/admin/lib/postup.py
index ac50e62..81615ef 100644
--- a/dd-sso/admin/src/admin/lib/postup.py
+++ b/dd-sso/admin/src/admin/lib/postup.py
@@ -1,5 +1,6 @@
#
-# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -23,8 +24,6 @@ import logging as log
import os
import random
-# from .keycloak import Keycloak
-# from .moodle import Moodle
import string
import time
import traceback
@@ -33,18 +32,21 @@ from datetime import datetime, timedelta
import psycopg2
import yaml
-from admin import app
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
from .postgres import Postgres
class Postup:
- def __init__(self):
+ def __init__(self, app: "AdminFlaskApp") -> None:
ready = False
while not ready:
try:
self.pg = Postgres(
- "isard-apps-postgresql",
+ "dd-apps-postgresql",
"moodle",
app.config["MOODLE_POSTGRES_USER"],
app.config["MOODLE_POSTGRES_PASSWORD"],
@@ -93,9 +95,9 @@ class Postup:
self.select_and_configure_theme()
self.configure_tipnc()
- self.add_moodle_ws_token()
+ self.add_moodle_ws_token(app)
- def select_and_configure_theme(self, theme="cbe"):
+ def select_and_configure_theme(self, theme : str="cbe") -> None:
try:
self.pg.update(
"""UPDATE "mdl_config" SET value = '%s' WHERE "name" = 'theme';"""
@@ -104,7 +106,6 @@ class Postup:
except:
log.error(traceback.format_exc())
exit(1)
- None
try:
self.pg.update(
@@ -127,9 +128,8 @@ class Postup:
except:
log.error(traceback.format_exc())
exit(1)
- None
- def configure_tipnc(self):
+ def configure_tipnc(self) -> None:
try:
self.pg.update(
"""UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'host';"""
@@ -155,9 +155,8 @@ class Postup:
except:
log.error(traceback.format_exc())
exit(1)
- None
- def add_moodle_ws_token(self):
+ def add_moodle_ws_token(self, app: "AdminFlaskApp") -> None:
try:
token = self.pg.select(
"""SELECT * FROM "mdl_external_tokens" WHERE "externalserviceid" = 3"""
@@ -166,7 +165,7 @@ class Postup:
return
except:
# log.error(traceback.format_exc())
- None
+ pass
try:
self.pg.update(
@@ -226,4 +225,3 @@ class Postup:
except:
log.error(traceback.format_exc())
exit(1)
- None
diff --git a/dd-sso/admin/src/admin/package.json b/dd-sso/admin/src/admin/package.json
index f87ec9e..0461bf4 100644
--- a/dd-sso/admin/src/admin/package.json
+++ b/dd-sso/admin/src/admin/package.json
@@ -2,5 +2,6 @@
"dependencies": {
"gentelella": "^1.4.0",
"socket.io": "^4.1.3"
- }
+ },
+ "license": "AGPL-3.0-or-later"
}
diff --git a/dd-sso/admin/src/admin/views/ApiViews.py b/dd-sso/admin/src/admin/views/ApiViews.py
index b452c73..e371a8e 100644
--- a/dd-sso/admin/src/admin/views/ApiViews.py
+++ b/dd-sso/admin/src/admin/views/ApiViews.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -19,6 +20,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
import json
import logging as log
+from operator import itemgetter
import os
import socket
import sys
@@ -27,302 +29,308 @@ import traceback
from flask import request
-from admin import app
+from typing import TYPE_CHECKING, Any, Dict, Iterable, List, Optional
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
from ..lib.api_exceptions import Error
-from .decorators import has_token
+from .decorators import has_token, OptionalJsonResponse
-## LISTS
-@app.route("/ddapi/users", methods=["GET"])
-@has_token
-def ddapi_users():
- if request.method == "GET":
- sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
- users = []
- for user in sorted_users:
- users.append(user_parser(user))
- return json.dumps(users), 200, {"Content-Type": "application/json"}
+def setup_api_views(app : "AdminFlaskApp") -> None:
+ ## LISTS
+ @app.json_route("/ddapi/users", methods=["GET"])
+ @has_token
+ def ddapi_users() -> OptionalJsonResponse:
+ if request.method == "GET":
+ sorted_users = sorted(app.admin.get_mix_users(), key=itemgetter("username"))
+ users = []
+ for user in sorted_users:
+ users.append(user_parser(user))
+ return json.dumps(users), 200, {"Content-Type": "application/json"}
+ return None
+ @app.json_route("/ddapi/users/filter", methods=["POST"])
+ @has_token
+ def ddapi_users_search() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ if not data.get("text"):
+ raise Error("bad_request", "Incorrect data requested.")
+ users = app.admin.get_mix_users()
+ result = [user_parser(user) for user in filter_users(users, data["text"])]
+ sorted_result = sorted(result, key=itemgetter("id"))
+ return json.dumps(sorted_result), 200, {"Content-Type": "application/json"}
+ return None
-@app.route("/ddapi/users/filter", methods=["POST"])
-@has_token
-def ddapi_users_search():
- if request.method == "POST":
- data = request.get_json(force=True)
- if not data.get("text"):
- raise Error("bad_request", "Incorrect data requested.")
- users = app.admin.get_mix_users()
- result = [user_parser(user) for user in filter_users(users, data["text"])]
- sorted_result = sorted(result, key=lambda k: k["id"])
- return json.dumps(sorted_result), 200, {"Content-Type": "application/json"}
+ @app.json_route("/ddapi/groups", methods=["GET"])
+ @has_token
+ def ddapi_groups() -> OptionalJsonResponse:
+ if request.method == "GET":
+ sorted_groups = sorted(app.admin.get_mix_groups(), key=itemgetter("name"))
+ groups = []
+ for group in sorted_groups:
+ groups.append(group_parser(group))
+ return json.dumps(groups), 200, {"Content-Type": "application/json"}
+ return None
-
-@app.route("/ddapi/groups", methods=["GET"])
-@has_token
-def ddapi_groups():
- if request.method == "GET":
- sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: k["name"])
- groups = []
- for group in sorted_groups:
- groups.append(group_parser(group))
- return json.dumps(groups), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/ddapi/group/users", methods=["POST"])
-@has_token
-def ddapi_group_users():
- if request.method == "POST":
- data = request.get_json(force=True)
- sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
- if data.get("id"):
- group_users = [
- user_parser(user)
- for user in sorted_users
- if data.get("id") in user["keycloak_groups"]
- ]
- elif data.get("path"):
- try:
- name = [
- g["name"]
- for g in app.admin.get_mix_groups()
- if g["path"] == data.get("path")
- ][0]
+ @app.json_route("/ddapi/group/users", methods=["POST"])
+ @has_token
+ def ddapi_group_users() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ sorted_users = sorted(app.admin.get_mix_users(), key=itemgetter("username"))
+ if data.get("id"):
group_users = [
user_parser(user)
for user in sorted_users
- if name in user["keycloak_groups"]
+ if data.get("id") in user["keycloak_groups"]
]
- except:
- raise Error("not_found", "Group path not found in system")
- elif data.get("keycloak_id"):
- try:
- name = [
- g["name"]
- for g in app.admin.get_mix_groups()
- if g["id"] == data.get("keycloak_id")
- ][0]
- group_users = [
- user_parser(user)
- for user in sorted_users
- if name in user["keycloak_groups"]
- ]
- except:
- raise Error("not_found", "Group keycloak_id not found in system")
- else:
- raise Error("bad_request", "Incorrect data requested.")
- return json.dumps(group_users), 200, {"Content-Type": "application/json"}
+ elif data.get("path"):
+ try:
+ name = [
+ g["name"]
+ for g in app.admin.get_mix_groups()
+ if g["path"] == data.get("path")
+ ][0]
+ group_users = [
+ user_parser(user)
+ for user in sorted_users
+ if name in user["keycloak_groups"]
+ ]
+ except:
+ raise Error("not_found", "Group path not found in system")
+ elif data.get("keycloak_id"):
+ try:
+ name = [
+ g["name"]
+ for g in app.admin.get_mix_groups()
+ if g["id"] == data.get("keycloak_id")
+ ][0]
+ group_users = [
+ user_parser(user)
+ for user in sorted_users
+ if name in user["keycloak_groups"]
+ ]
+ except:
+ raise Error("not_found", "Group keycloak_id not found in system")
+ else:
+ raise Error("bad_request", "Incorrect data requested.")
+ return json.dumps(group_users), 200, {"Content-Type": "application/json"}
+ return None
+ @app.json_route("/ddapi/roles", methods=["GET"])
+ @has_token
+ def ddapi_roles() -> OptionalJsonResponse:
+ if request.method == "GET":
+ roles = []
+ for role in sorted(app.admin.get_roles(), key=itemgetter("name")):
+ log.error(role)
+ roles.append(
+ {
+ "keycloak_id": role["id"],
+ "id": role["name"],
+ "name": role["name"],
+ "description": role.get("description", ""),
+ }
+ )
+ return json.dumps(roles), 200, {"Content-Type": "application/json"}
+ return None
-@app.route("/ddapi/roles", methods=["GET"])
-@has_token
-def ddapi_roles():
- if request.method == "GET":
- roles = []
- for role in sorted(app.admin.get_roles(), key=lambda k: k["name"]):
- log.error(role)
- roles.append(
- {
- "keycloak_id": role["id"],
- "id": role["name"],
- "name": role["name"],
- "description": role.get("description", ""),
- }
- )
- return json.dumps(roles), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/ddapi/role/users", methods=["POST"])
-@has_token
-def ddapi_role_users():
- if request.method == "POST":
- data = request.get_json(force=True)
- sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
- if data.get("id", data.get("name")):
- role_users = [
- user_parser(user)
- for user in sorted_users
- if data.get("id", data.get("name")) in user["roles"]
- ]
- elif data.get("keycloak_id"):
- try:
- id = [
- r["id"]
- for r in app.admin.get_roles()
- if r["id"] == data.get("keycloak_id")
- ][0]
+ @app.json_route("/ddapi/role/users", methods=["POST"])
+ @has_token
+ def ddapi_role_users() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ sorted_users = sorted(app.admin.get_mix_users(), key=itemgetter("username"))
+ if data.get("id", data.get("name")):
role_users = [
- user_parser(user) for user in sorted_users if id in user["roles"]
+ user_parser(user)
+ for user in sorted_users
+ if data.get("id", data.get("name")) in user["roles"]
]
- except:
- raise Error("not_found", "Role keycloak_id not found in system")
- else:
- raise Error("bad_request", "Incorrect data requested.")
- return json.dumps(role_users), 200, {"Content-Type": "application/json"}
+ elif data.get("keycloak_id"):
+ try:
+ id = [
+ r["id"]
+ for r in app.admin.get_roles()
+ if r["id"] == data.get("keycloak_id")
+ ][0]
+ role_users = [
+ user_parser(user) for user in sorted_users if id in user["roles"]
+ ]
+ except:
+ raise Error("not_found", "Role keycloak_id not found in system")
+ else:
+ raise Error("bad_request", "Incorrect data requested.")
+ return json.dumps(role_users), 200, {"Content-Type": "application/json"}
+ return None
-
-## INDIVIDUAL ACTIONS
-@app.route("/ddapi/user", methods=["POST"])
-@app.route("/ddapi/user/", methods=["PUT", "GET", "DELETE"])
-@has_token
-def ddapi_user(user_ddid=None):
- if request.method == "GET":
- user = app.admin.get_user_username(user_ddid)
- if not user:
- raise Error("not_found", "User id not found")
- return json.dumps(user_parser(user)), 200, {"Content-Type": "application/json"}
- if request.method == "DELETE":
- user = app.admin.get_user_username(user_ddid)
- if not user:
- raise Error("not_found", "User id not found")
- app.admin.delete_user(user["id"])
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- if request.method == "POST":
- data = request.get_json(force=True)
- if not app.validators["user"].validate(data):
- raise Error(
- "bad_request",
- "Data validation for user failed: ",
- +str(app.validators["user"].errors),
- traceback.format_exc(),
- )
-
- if app.admin.get_user_username(data["username"]):
- raise Error("conflict", "User id already exists")
- data = app.validators["user"].normalized(data)
- keycloak_id = app.admin.add_user(data)
- if not keycloak_id:
- raise Error(
- "precondition_required",
- "Not all user groups already in system. Please create user groups before adding user.",
- )
- return (
- json.dumps({"keycloak_id": keycloak_id}),
- 200,
- {"Content-Type": "application/json"},
- )
-
- if request.method == "PUT":
- user = app.admin.get_user_username(user_ddid)
- if not user:
- raise Error("not_found", "User id not found")
- data = request.get_json(force=True)
- if not app.validators["user_update"].validate(data):
- raise Error(
- "bad_request",
- "Data validation for user failed: "
- + str(app.validators["user_update"].errors),
- traceback.format_exc(),
- )
- data = {**user, **data}
- data = app.validators["user_update"].normalized(data)
- data = {**data, **{"username": user_ddid}}
- data["roles"] = [data.pop("role")]
- data["firstname"] = data.pop("first")
- data["lastname"] = data.pop("last")
- app.admin.user_update(data)
- if data.get("password"):
- app.admin.user_update_password(
- user["id"], data["password"], data["password_temporary"]
- )
- return json.dumps({}), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/ddapi/username//", methods=["PUT"])
-@has_token
-def ddapi_username(old_user_ddid, new_user_did):
- user = app.admin.get_user_username(user_ddid)
- if not user:
- raise Error("not_found", "User id not found")
- # user = app.admin.update_user_username(old_user_ddid,new_user_did)
- return json.dumps("Not implemented yet!"), 419, {"Content-Type": "application/json"}
-
-
-@app.route("/ddapi/group", methods=["POST"])
-@app.route("/ddapi/group/", methods=["GET", "POST", "DELETE"])
-# @app.route("/api/group/", methods=["PUT", "GET", "DELETE"])
-@has_token
-def ddapi_group(id=None):
- if request.method == "GET":
- group = app.admin.get_group_by_name(id)
- if not group:
- Error("not found", "Group id not found")
- return (
- json.dumps(group_parser(group)),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "POST":
- data = request.get_json(force=True)
- if not app.validators["group"].validate(data):
- raise Error(
- "bad_request",
- "Data validation for group failed: "
- + str(app.validators["group"].errors),
- traceback.format_exc(),
- )
- data = app.validators["group"].normalized(data)
- data["parent"] = data["parent"] if data["parent"] != "" else None
-
- if app.admin.get_group_by_name(id):
- raise Error("conflict", "Group id already exists")
-
- path = app.admin.add_group(data)
- # log.error(path)
- # keycloak_id = app.admin.get_group_by_name(id)["id"]
- # log.error()
- return (
- json.dumps({"keycloak_id": None}),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "DELETE":
- group = app.admin.get_group_by_name(id)
- if not group:
- raise Error("not_found", "Group id not found")
- app.admin.delete_group_by_id(group["id"])
- return json.dumps({}), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/ddapi/user_mail", methods=["POST"])
-@app.route("/ddapi/user_mail/", methods=["GET", "DELETE"])
-@has_token
-def ddapi_user_mail(id=None):
- if request.method == "GET":
- return (
- json.dumps("Not implemented yet"),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "POST":
- data = request.get_json(force=True)
-
- # if not app.validators["mails"].validate(data):
- # raise Error(
- # "bad_request",
- # "Data validation for mail failed: "
- # + str(app.validators["mail"].errors),
- # traceback.format_exc(),
- # )
- for user in data:
- if not app.validators["mail"].validate(user):
+ ## INDIVIDUAL ACTIONS
+ @app.json_route("/ddapi/user", methods=["POST"])
+ @app.json_route("/ddapi/user/", methods=["PUT", "GET", "DELETE"])
+ @has_token
+ def ddapi_user(user_ddid : Optional[str]=None) -> OptionalJsonResponse:
+ uid : str = user_ddid if user_ddid else ''
+ if request.method == "GET":
+ user = app.admin.get_user_username(uid)
+ if not user:
+ raise Error("not_found", "User id not found")
+ return json.dumps(user_parser(user)), 200, {"Content-Type": "application/json"}
+ if request.method == "DELETE":
+ user = app.admin.get_user_username(uid)
+ if not user:
+ raise Error("not_found", "User id not found")
+ app.admin.delete_user(user["id"])
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ if not app.validators["user"].validate(data):
raise Error(
"bad_request",
- "Data validation for mail failed: "
- + str(app.validators["mail"].errors),
+ "Data validation for user failed: "
+ + str(app.validators["user"].errors),
traceback.format_exc(),
)
- for user in data:
- log.info("Added user email")
- app.admin.set_nextcloud_user_mail(user)
- return (
- json.dumps("Users emails updated"),
- 200,
- {"Content-Type": "application/json"},
- )
+ if app.admin.get_user_username(data["username"]):
+ raise Error("conflict", "User id already exists")
+ data = app.validators["user"].normalized(data)
+ keycloak_id = app.admin.add_user(data)
+ if not keycloak_id:
+ raise Error(
+ "precondition_required",
+ "Not all user groups already in system. Please create user groups before adding user.",
+ )
+ return (
+ json.dumps({"keycloak_id": keycloak_id}),
+ 200,
+ {"Content-Type": "application/json"},
+ )
-def user_parser(user):
+ if request.method == "PUT":
+ user = app.admin.get_user_username(uid)
+ if not user:
+ raise Error("not_found", "User id not found")
+ data = request.get_json(force=True)
+ if not app.validators["user_update"].validate(data):
+ raise Error(
+ "bad_request",
+ "Data validation for user failed: "
+ + str(app.validators["user_update"].errors),
+ traceback.format_exc(),
+ )
+ data = {**user, **data}
+ data = app.validators["user_update"].normalized(data)
+ data = {**data, **{"username": uid}}
+ data["roles"] = [data.pop("role")]
+ data["firstname"] = data.pop("first")
+ data["lastname"] = data.pop("last")
+ app.admin.user_update(data)
+ if data.get("password"):
+ app.admin.user_update_password(
+ user["id"], data["password"], data["password_temporary"]
+ )
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ return None
+
+ @app.json_route("/ddapi/username//", methods=["PUT"])
+ @has_token
+ def ddapi_username(old_user_ddid : str, new_user_did : str) -> OptionalJsonResponse:
+ user = app.admin.get_user_username(old_user_ddid)
+ if not user:
+ raise Error("not_found", "User id not found")
+ # user = app.admin.update_user_username(old_user_ddid,new_user_did)
+ return json.dumps("Not implemented yet!"), 419, {"Content-Type": "application/json"}
+
+ @app.json_route("/ddapi/group", methods=["POST"])
+ @app.json_route("/ddapi/group/", methods=["GET", "POST", "DELETE"])
+ # @app.json_route("/api/group/", methods=["PUT", "GET", "DELETE"])
+ @has_token
+ def ddapi_group(group_id : Optional[str]=None) -> OptionalJsonResponse:
+ uid : str = group_id if group_id else ''
+ if request.method == "GET":
+ group = app.admin.get_group_by_name(uid)
+ if not group:
+ Error("not found", "Group id not found")
+ return (
+ json.dumps(group_parser(group)),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ if not app.validators["group"].validate(data):
+ raise Error(
+ "bad_request",
+ "Data validation for group failed: "
+ + str(app.validators["group"].errors),
+ traceback.format_exc(),
+ )
+ data = app.validators["group"].normalized(data)
+ data["parent"] = data["parent"] if data["parent"] != "" else None
+
+ if app.admin.get_group_by_name(uid):
+ raise Error("conflict", "Group id already exists")
+
+ path = app.admin.add_group(data)
+ # log.error(path)
+ # keycloak_id = app.admin.get_group_by_name(id)["id"]
+ # log.error()
+ return (
+ json.dumps({"keycloak_id": None}),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "DELETE":
+ group = app.admin.get_group_by_name(uid)
+ if not group:
+ raise Error("not_found", "Group id not found")
+ app.admin.delete_group_by_id(group["id"])
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ return None
+
+ @app.json_route("/ddapi/user_mail", methods=["POST"])
+ @app.json_route("/ddapi/user_mail/", methods=["GET", "DELETE"])
+ @has_token
+ def ddapi_user_mail(id : Optional[str]=None) -> OptionalJsonResponse:
+ # TODO: Remove this endpoint when we ensure there are no consumers
+ if request.method == "GET":
+ return (
+ json.dumps("Not implemented yet"),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "POST":
+ data = request.get_json(force=True)
+
+ # if not app.validators["mails"].validate(data):
+ # raise Error(
+ # "bad_request",
+ # "Data validation for mail failed: "
+ # + str(app.validators["mail"].errors),
+ # traceback.format_exc(),
+ # )
+ for user in data:
+ if not app.validators["mail"].validate(user):
+ raise Error(
+ "bad_request",
+ "Data validation for mail failed: "
+ + str(app.validators["mail"].errors),
+ traceback.format_exc(),
+ )
+ for user in data:
+ log.info("Added user email")
+ app.admin.nextcloud_mail_set([user], dict())
+ return (
+ json.dumps("Users emails updated"),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ return None
+
+# TODO: After this line, this is all mostly duplicated from other places...
+def user_parser(user : Dict[str, Any]) -> Dict[str, Any]:
return {
"keycloak_id": user["id"],
"id": user["username"],
@@ -338,7 +346,7 @@ def user_parser(user):
}
-def group_parser(group):
+def group_parser(group : Dict[str, str]) -> Dict[str, Any]:
return {
"keycloak_id": group["id"],
"id": group["name"],
@@ -348,7 +356,7 @@ def group_parser(group):
}
-def filter_users(users, text):
+def filter_users(users : Iterable[Dict[str, Any]], text : str) -> List[Dict[str, Any]]:
return [
user
for user in users
diff --git a/dd-sso/admin/src/admin/views/AppViews.py b/dd-sso/admin/src/admin/views/AppViews.py
index baa9077..7a27c96 100644
--- a/dd-sso/admin/src/admin/views/AppViews.py
+++ b/dd-sso/admin/src/admin/views/AppViews.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -20,6 +21,7 @@
import concurrent.futures
import json
import logging as log
+from operator import itemgetter
import os
import re
import sys
@@ -33,12 +35,15 @@ from uuid import uuid4
from flask import Response, jsonify, redirect, render_template, request, url_for
from flask_login import current_user, login_required
-from admin import app
+from typing import TYPE_CHECKING, cast, Any, Callable, Dict, List, Optional, Tuple
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
from ..lib.helpers import system_group
-from .decorators import login_or_token
+from .decorators import login_or_token, OptionalJsonResponse
-threads = {"external": None}
+# TODO: this is quirky and non-trivial to manage
+threads : Dict[str, threading.Thread] = {}
# q = Queue.Queue()
from keycloak.exceptions import KeycloakGetError
@@ -46,536 +51,444 @@ from keycloak.exceptions import KeycloakGetError
from ..lib.dashboard import Dashboard
from ..lib.exceptions import UserExists, UserNotFound
-dashboard = Dashboard()
from ..lib.legal import get_legal, gen_legal_if_not_exists, new_legal
-@app.route("/sysadmin/api/resync")
-@app.route("/api/resync")
-@login_required
-def resync():
- return (
- json.dumps(app.admin.resync_data()),
- 200,
- {"Content-Type": "application/json"},
- )
-
-
-@app.route("/api/users", methods=["GET", "PUT"])
-@app.route("/api/users/", methods=["POST", "PUT", "GET", "DELETE"])
-@login_or_token
-def users(provider=False):
- if request.method == "DELETE":
- if current_user.role != "admin":
- return json.dumps({}), 301, {"Content-Type": "application/json"}
- if provider == "keycloak":
+def run_in_thread(
+ op : Callable[..., Any],
+ args : Tuple = tuple(),
+ err_msg : str = "Something went wrong",
+ err_code : int = 500,
+ busy_err_msg : str ="Precondition failed: already operating users"
+ ) -> OptionalJsonResponse:
+ if threads.get("external", None) is not None:
+ if threads["external"].is_alive():
return (
- json.dumps(app.admin.delete_keycloak_users()),
- 200,
+ json.dumps(
+ {"msg": busy_err_msg}
+ ),
+ 412,
{"Content-Type": "application/json"},
)
- if provider == "nextcloud":
- return (
- json.dumps(app.admin.delete_nextcloud_users()),
- 200,
- {"Content-Type": "application/json"},
- )
- if provider == "moodle":
- return (
- json.dumps(app.admin.delete_moodle_users()),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "POST":
- if current_user.role != "admin":
- return json.dumps({}), 301, {"Content-Type": "application/json"}
- if provider == "moodle":
- return (
- json.dumps(app.admin.sync_to_moodle()),
- 200,
- {"Content-Type": "application/json"},
- )
- if provider == "nextcloud":
- return (
- json.dumps(app.admin.sync_to_nextcloud()),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "PUT" and not provider:
- if current_user.role != "admin":
- return json.dumps({}), 301, {"Content-Type": "application/json"}
-
- if "external" in threads.keys():
- if threads["external"] is not None and threads["external"].is_alive():
- return (
- json.dumps(
- {"msg": "Precondition failed: already working with users"}
- ),
- 412,
- {"Content-Type": "application/json"},
- )
- else:
- threads["external"] = None
- try:
- threads["external"] = threading.Thread(
- target=app.admin.update_users_from_keycloak, args=()
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except:
- log.error(traceback.format_exc())
- return (
- json.dumps({"msg": "Add user error."}),
- 500,
- {"Content-Type": "application/json"},
- )
-
- # return json.dumps(app.admin.update_users_from_keycloak()), 200, {'Content-Type': 'application/json'}
-
- users = app.admin.get_mix_users()
- if current_user.role != "admin":
- for user in users:
- user["keycloak_groups"] = [
- g for g in user["keycloak_groups"] if not system_group(g)
- ]
- return json.dumps(users), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/api/users_bulk/", methods=["PUT"])
-@login_required
-def users_bulk(action):
- data = request.get_json(force=True)
- if request.method == "PUT":
- if action == "enable":
- if "external" in threads.keys():
- if threads["external"] is not None and threads["external"].is_alive():
- return (
- json.dumps(
- {"msg": "Precondition failed: already operating users"}
- ),
- 412,
- {"Content-Type": "application/json"},
- )
- else:
- threads["external"] = None
- try:
- threads["external"] = threading.Thread(
- target=app.admin.enable_users, args=(data,)
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except:
- log.error(traceback.format_exc())
- return (
- json.dumps({"msg": "Enable users error."}),
- 500,
- {"Content-Type": "application/json"},
- )
- if action == "disable":
- if "external" in threads.keys():
- if threads["external"] is not None and threads["external"].is_alive():
- return (
- json.dumps(
- {"msg": "Precondition failed: already operating users"}
- ),
- 412,
- {"Content-Type": "application/json"},
- )
- else:
- threads["external"] = None
- try:
- threads["external"] = threading.Thread(
- target=app.admin.disable_users, args=(data,)
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except:
- log.error(traceback.format_exc())
- return (
- json.dumps({"msg": "Disabling users error."}),
- 500,
- {"Content-Type": "application/json"},
- )
- if action == "delete":
- if "external" in threads.keys():
- if threads["external"] is not None and threads["external"].is_alive():
- return (
- json.dumps(
- {"msg": "Precondition failed: already operating users"}
- ),
- 412,
- {"Content-Type": "application/json"},
- )
- else:
- threads["external"] = None
- try:
- threads["external"] = threading.Thread(
- target=app.admin.delete_users, args=(data,)
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except:
- log.error(traceback.format_exc())
- return (
- json.dumps({"msg": "Deleting users error."}),
- 500,
- {"Content-Type": "application/json"},
- )
- return json.dumps({}), 405, {"Content-Type": "application/json"}
-
-
-# Update pwd
-@app.route("/api/user_password", methods=["GET"])
-@app.route("/api/user_password/", methods=["PUT"])
-@login_required
-def user_password(userid=False):
- if request.method == "GET":
- return (
- json.dumps(app.admin.get_dice_pwd()),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "PUT":
- data = request.get_json(force=True)
- password = data["password"]
- temporary = data.get("temporary", True)
- try:
- res = app.admin.user_update_password(userid, password, temporary)
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except KeycloakGetError as e:
- log.error(e.error_message.decode("utf-8"))
- return (
- json.dumps({"msg": "Update password error."}),
- 500,
- {"Content-Type": "application/json"},
- )
-
- return json.dumps({}), 405, {"Content-Type": "application/json"}
-
-
-# User
-@app.route("/api/user", methods=["POST"])
-@app.route("/api/user/", methods=["PUT", "GET", "DELETE"])
-@login_required
-def user(userid=None):
- if request.method == "DELETE":
- app.admin.delete_user(userid)
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- if request.method == "POST":
- data = request.get_json(force=True)
- if app.admin.get_user_username(data["username"]):
- return (
- json.dumps({"msg": "Add user error: already exists."}),
- 409,
- {"Content-Type": "application/json"},
- )
- data["enabled"] = data.get("enabled", False) in [True, "on"]
- data["quota"] = data["quota"] if data["quota"] != "false" else False
- data["groups"] = data["groups"] if data.get("groups", False) else []
- if "external" in threads.keys():
- if threads["external"] is not None and threads["external"].is_alive():
- return (
- json.dumps({"msg": "Precondition failed: already adding users"}),
- 412,
- {"Content-Type": "application/json"},
- )
- else:
- threads["external"] = None
- try:
- threads["external"] = threading.Thread(
- target=app.admin.add_user, args=(data,)
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except:
- log.error(traceback.format_exc())
- return (
- json.dumps({"msg": "Add user error."}),
- 500,
- {"Content-Type": "application/json"},
- )
-
- if request.method == "PUT":
- data = request.get_json(force=True)
- data["enabled"] = True if data.get("enabled", False) else False
- data["groups"] = data["groups"] if data.get("groups", False) else []
- data["roles"] = [data.pop("role-keycloak")]
- try:
- app.admin.user_update(data)
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- except UserNotFound:
- return (
- json.dumps({"msg": "User not found."}),
- 404,
- {"Content-Type": "application/json"},
- )
- if request.method == "DELETE":
- pass
- if request.method == "GET":
- user = app.admin.get_user(userid)
- if not user:
- return (
- json.dumps({"msg": "User not found."}),
- 404,
- {"Content-Type": "application/json"},
- )
- return json.dumps(user), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/api/roles")
-@login_required
-def roles():
- sorted_roles = sorted(app.admin.get_roles(), key=lambda k: k["name"])
- if current_user.role != "admin":
- sorted_roles = [sr for sr in sorted_roles if sr["name"] != "admin"]
- return json.dumps(sorted_roles), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/api/group", methods=["POST", "DELETE"])
-@app.route("/api/group/", methods=["PUT", "GET", "DELETE"])
-@login_required
-def group(group_id=False):
- if request.method == "POST":
- data = request.get_json(force=True)
- log.error(data)
- data["parent"] = data["parent"] if data["parent"] != "" else None
- return (
- json.dumps(app.admin.add_group(data)),
- 200,
- {"Content-Type": "application/json"},
- )
- if request.method == "DELETE":
- try:
- data = request.get_json(force=True)
- except:
- data = False
-
- if data:
- res = app.admin.delete_group_by_path(data["path"])
else:
- if not group_id:
- return (
- json.dumps({"error": "bad_request","msg":"Bad request"}),
- 400,
- {"Content-Type": "application/json"},
- )
- res = app.admin.delete_group_by_id(group_id)
- return json.dumps(res), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/api/groups")
-@app.route("/api/groups/", methods=["POST", "PUT", "GET", "DELETE"])
-@login_required
-def groups(provider=False):
- if request.method == "GET":
- sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: str(k["name"]))
- if current_user.role != "admin":
- ## internal groups should be avoided as are assigned with the role
- sorted_groups = [sg for sg in sorted_groups if not system_group(sg["name"])]
- else:
- sorted_groups = [sg for sg in sorted_groups]
- return json.dumps(sorted_groups), 200, {"Content-Type": "application/json"}
- if request.method == "DELETE":
- if provider == "keycloak":
- return (
- json.dumps(app.admin.delete_keycloak_groups()),
- 200,
- {"Content-Type": "application/json"},
- )
-
-
-### SYSADM USERS ONLY
-
-
-@app.route("/api/external", methods=["POST", "PUT", "GET", "DELETE"])
-@login_required
-def external():
- if "external" in threads.keys():
- if threads["external"] is not None and threads["external"].is_alive():
- return json.dumps({}), 301, {"Content-Type": "application/json"}
- else:
- threads["external"] = None
-
- if request.method == "POST":
- data = request.get_json(force=True)
- if data["format"] == "json-ga":
- threads["external"] = threading.Thread(
- target=app.admin.upload_json_ga, args=(data,)
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- if data["format"] == "csv-ug":
- valid = check_upload_errors(data)
- if valid["pass"]:
- threads["external"] = threading.Thread(
- target=app.admin.upload_csv_ug, args=(data,)
- )
- threads["external"].start()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- else:
- return json.dumps(valid), 422, {"Content-Type": "application/json"}
- if request.method == "PUT":
- data = request.get_json(force=True)
+ del threads["external"]
+ try:
threads["external"] = threading.Thread(
- target=app.admin.sync_external, args=(data,)
+ target=op, args=args
)
+ # TODO: this probably returns immediately and client gets no real feedback
threads["external"].start()
return json.dumps({}), 200, {"Content-Type": "application/json"}
- if request.method == "DELETE":
- print("RESET")
- app.admin.reset_external()
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- return json.dumps({}), 500, {"Content-Type": "application/json"}
-
-
-@app.route("/api/external/users")
-@login_required
-def external_users_list():
- while threads["external"] is not None and threads["external"].is_alive():
- time.sleep(0.5)
- return (
- json.dumps(app.admin.get_external_users()),
- 200,
- {"Content-Type": "application/json"},
- )
-
-
-@app.route("/api/external/groups")
-@login_required
-def external_groups_list():
- while threads["external"] is not None and threads["external"].is_alive():
- time.sleep(0.5)
- return (
- json.dumps(app.admin.get_external_groups()),
- 200,
- {"Content-Type": "application/json"},
- )
-
-
-@app.route("/api/external/roles", methods=["PUT"])
-@login_required
-def external_roles():
- if request.method == "PUT":
+ except:
+ log.error(traceback.format_exc())
return (
- json.dumps(app.admin.external_roleassign(request.get_json(force=True))),
+ json.dumps({"msg": err_msg}),
+ err_code,
+ {"Content-Type": "application/json"},
+ )
+
+def setup_app_views(app : "AdminFlaskApp") -> None:
+ dashboard = Dashboard(app)
+ @app.json_route("/sysadmin/api/resync")
+ @app.json_route("/api/resync")
+ @login_required
+ def resync() -> OptionalJsonResponse:
+ return (
+ json.dumps(app.admin.resync_data()),
200,
{"Content-Type": "application/json"},
)
-def check_upload_errors(data):
- email_regex = r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
- for u in data["data"]:
- try:
- user_groups = [g.strip() for g in u["groups"].split(",")]
- except:
- resp = {
- "pass": False,
- "msg": "User " + u["username"] + " has invalid groups: " + u["groups"],
- }
- log.error(resp)
- return resp
+ @app.json_route("/api/users", methods=["GET", "PUT"])
+ @app.json_route("/api/users/", methods=["POST", "PUT", "GET", "DELETE"])
+ @login_or_token
+ def users(provider : bool=False) -> OptionalJsonResponse:
+ if request.method == "DELETE":
+ if current_user.role != "admin":
+ return json.dumps({}), 301, {"Content-Type": "application/json"}
+ if provider == "keycloak":
+ return (
+ json.dumps(app.admin.delete_keycloak_users()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if provider == "nextcloud":
+ return (
+ json.dumps(app.admin.delete_nextcloud_users()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if provider == "moodle":
+ return (
+ json.dumps(app.admin.delete_moodle_users(app)),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "POST":
+ if current_user.role != "admin":
+ return json.dumps({}), 301, {"Content-Type": "application/json"}
+ if provider == "moodle":
+ return (
+ json.dumps(app.admin.sync_to_moodle()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if provider == "nextcloud":
+ return (
+ json.dumps(app.admin.sync_to_nextcloud()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "PUT" and not provider:
+ if current_user.role != "admin":
+ return json.dumps({}), 301, {"Content-Type": "application/json"}
- if not re.fullmatch(email_regex, u["email"]):
- resp = {
- "pass": False,
- "msg": "User " + u["username"] + " has invalid email: " + u["email"],
- }
- log.error(resp)
- return resp
+ return run_in_thread(app.admin.update_users_from_keycloak, err_msg="Add user error.")
- if u["role"] not in ["admin", "manager", "teacher", "student"]:
- if u["role"] == "":
+ users = app.admin.get_mix_users()
+ if current_user.role != "admin":
+ for user in users:
+ user["keycloak_groups"] = [
+ g for g in user["keycloak_groups"] if not system_group(g)
+ ]
+ return json.dumps(users), 200, {"Content-Type": "application/json"}
+
+
+ @app.json_route("/api/users_bulk/", methods=["PUT"])
+ @login_required
+ def users_bulk(action : str) -> OptionalJsonResponse:
+ data = request.get_json(force=True)
+ if request.method == "PUT":
+ if action == "enable":
+ return run_in_thread(app.admin.enable_users, args=(data,), err_msg="Enable users error.")
+ if action == "disable":
+ return run_in_thread(app.admin.disable_users, args=(data,), err_msg="Disabling users error.")
+ if action == "delete":
+ return run_in_thread(app.admin.delete_users, args=(data,), err_msg="Deleting users error.")
+
+ return json.dumps({}), 405, {"Content-Type": "application/json"}
+
+
+ # Update pwd
+ @app.json_route("/api/user_password", methods=["GET"])
+ @app.json_route("/api/user_password/", methods=["PUT"])
+ @login_required
+ def user_password(userid : Optional[str]=None) -> OptionalJsonResponse:
+ if request.method == "GET":
+ return (
+ json.dumps(app.admin.get_dice_pwd()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "PUT":
+ data = request.get_json(force=True)
+ password = data["password"]
+ temporary = data.get("temporary", True)
+ uid = cast(str, userid)
+ try:
+ res = app.admin.user_update_password(uid, password, temporary)
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ except KeycloakGetError as e:
+ log.error(e.error_message.decode("utf-8"))
+ return (
+ json.dumps({"msg": "Update password error."}),
+ 500,
+ {"Content-Type": "application/json"},
+ )
+
+ return json.dumps({}), 405, {"Content-Type": "application/json"}
+
+
+ # User
+ @app.json_route("/api/user", methods=["POST"])
+ @app.json_route("/api/user/", methods=["PUT", "GET", "DELETE"])
+ @login_required
+ def user(userid : Optional[str]=None) -> OptionalJsonResponse:
+ # This is where changes happen from the UI
+ uid : str = userid if userid else ''
+ if request.method == "DELETE":
+ app.admin.delete_user(uid)
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ if app.admin.get_user_username(data["username"]):
+ return (
+ json.dumps({"msg": "Add user error: already exists."}),
+ 409,
+ {"Content-Type": "application/json"},
+ )
+ data["enabled"] = data.get("enabled", False) in [True, "on"]
+ data["quota"] = data["quota"] if data["quota"] != "false" else False
+ data["groups"] = data["groups"] if data.get("groups", False) else []
+ return run_in_thread(app.admin.add_user, args=(data,), err_msg="Add user error")
+
+ if request.method == "PUT":
+ data = request.get_json(force=True)
+ data["enabled"] = True if data.get("enabled", False) else False
+ data["groups"] = data["groups"] if data.get("groups", False) else []
+ data["roles"] = [data.pop("role-keycloak")]
+ try:
+ app.admin.user_update(data)
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ except UserNotFound:
+ return (
+ json.dumps({"msg": "User not found."}),
+ 404,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "DELETE":
+ pass
+ if request.method == "GET":
+ user = app.admin.get_user(uid)
+ if not user:
+ return (
+ json.dumps({"msg": "User not found."}),
+ 404,
+ {"Content-Type": "application/json"},
+ )
+ return json.dumps(user), 200, {"Content-Type": "application/json"}
+ return None
+
+ @app.json_route("/api/roles")
+ @login_required
+ def roles() -> OptionalJsonResponse:
+ sorted_roles = sorted(app.admin.get_roles(), key=itemgetter("name"))
+ if current_user.role != "admin":
+ sorted_roles = [sr for sr in sorted_roles if sr["name"] != "admin"]
+ return json.dumps(sorted_roles), 200, {"Content-Type": "application/json"}
+
+
+ @app.json_route("/api/group", methods=["POST", "DELETE"])
+ @app.json_route("/api/group/", methods=["PUT", "GET", "DELETE"])
+ @login_required
+ def group(group_id : Optional[str]=None) -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ log.error(data)
+ data["parent"] = data["parent"] if data["parent"] != "" else None
+ return (
+ json.dumps(app.admin.add_group(data)),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ if request.method == "DELETE":
+ try:
+ data = request.get_json(force=True)
+ except:
+ data = False
+
+ if data:
+ res = app.admin.delete_group_by_path(data["path"])
+ else:
+ if not group_id:
+ return (
+ json.dumps({"error": "bad_request","msg":"Bad request"}),
+ 400,
+ {"Content-Type": "application/json"},
+ )
+ res = app.admin.delete_group_by_id(group_id)
+ return json.dumps(res), 200, {"Content-Type": "application/json"}
+ return None
+
+ @app.json_route("/api/groups")
+ @app.json_route("/api/groups/", methods=["POST", "PUT", "GET", "DELETE"])
+ @login_required
+ def groups(provider : Optional[str] = None) -> OptionalJsonResponse:
+ if request.method == "GET":
+ sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: str(k["name"]))
+ if current_user.role != "admin":
+ ## internal groups should be avoided as are assigned with the role
+ sorted_groups = [sg for sg in sorted_groups if not system_group(sg["name"])]
+ else:
+ sorted_groups = [sg for sg in sorted_groups]
+ return json.dumps(sorted_groups), 200, {"Content-Type": "application/json"}
+ if request.method == "DELETE":
+ if provider == "keycloak":
+ return (
+ json.dumps(app.admin.delete_keycloak_groups()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ return None
+
+ ### SYSADM USERS ONLY
+
+
+ @app.json_route("/api/external", methods=["POST", "PUT", "GET", "DELETE"])
+ @login_required
+ def external() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ if data["format"] == "json-ga":
+ return run_in_thread(app.admin.upload_json_ga, args=(data,))
+ if data["format"] == "csv-ug":
+ valid = check_upload_errors(data)
+ if valid["pass"]:
+ return run_in_thread(app.admin.upload_csv_ug, args=(data,))
+ else:
+ return json.dumps(valid), 422, {"Content-Type": "application/json"}
+ if request.method == "PUT":
+ data = request.get_json(force=True)
+ return run_in_thread(app.admin.sync_external, args=(data,))
+ if request.method == "DELETE":
+ print("RESET")
+ app.admin.reset_external()
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ return json.dumps({}), 500, {"Content-Type": "application/json"}
+
+
+ @app.json_route("/api/external/users")
+ @login_required
+ def external_users_list() -> OptionalJsonResponse:
+ while threads["external"] is not None and threads["external"].is_alive():
+ time.sleep(0.5)
+ return (
+ json.dumps(app.admin.get_external_users()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+
+
+ @app.json_route("/api/external/groups")
+ @login_required
+ def external_groups_list() -> OptionalJsonResponse:
+ while threads["external"] is not None and threads["external"].is_alive():
+ time.sleep(0.5)
+ return (
+ json.dumps(app.admin.get_external_groups()),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+
+
+ @app.json_route("/api/external/roles", methods=["PUT"])
+ @login_required
+ def external_roles() -> OptionalJsonResponse:
+ if request.method == "PUT":
+ return (
+ json.dumps(app.admin.external_roleassign(request.get_json(force=True))),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ return None
+
+
+ def check_upload_errors(data : Dict[Any, Any]) -> Dict[Any, Any]:
+ email_regex = r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
+ for u in data["data"]:
+ try:
+ user_groups = [g.strip() for g in u["groups"].split(",")]
+ except:
resp = {
"pass": False,
- "msg": "User " + u["username"] + " has no role assigned!",
+ "msg": "User " + u["username"] + " has invalid groups: " + u["groups"],
}
log.error(resp)
return resp
- resp = {
- "pass": False,
- "msg": "User " + u["username"] + " has invalid role: " + u["role"],
- }
- log.error(resp)
- return resp
- return {"pass": True, "msg": ""}
+
+ if not re.fullmatch(email_regex, u["email"]):
+ resp = {
+ "pass": False,
+ "msg": "User " + u["username"] + " has invalid email: " + u["email"],
+ }
+ log.error(resp)
+ return resp
+
+ if u["role"] not in ["admin", "manager", "teacher", "student"]:
+ if u["role"] == "":
+ resp = {
+ "pass": False,
+ "msg": "User " + u["username"] + " has no role assigned!",
+ }
+ log.error(resp)
+ return resp
+ resp = {
+ "pass": False,
+ "msg": "User " + u["username"] + " has invalid role: " + u["role"],
+ }
+ log.error(resp)
+ return resp
+ return {"pass": True, "msg": ""}
-@app.route("/api/dashboard/- ", methods=["PUT"])
-@login_required
-def dashboard_put(item):
- if item == "colours":
- try:
- data = request.get_json(force=True)
- dashboard.update_colours(data)
- except:
- log.error(traceback.format_exc())
- return json.dumps({"colours": data}), 200, {"Content-Type": "application/json"}
- if item == "menu":
- try:
- data = request.get_json(force=True)
- dashboard.update_menu(data)
- except:
- log.error(traceback.format_exc())
- return json.dumps(data), 200, {"Content-Type": "application/json"}
- if item == "logo":
- dashboard.update_logo(request.files["croppedImage"])
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- if item == "background":
- dashboard.update_background(request.files["croppedImage"])
- return json.dumps({}), 200, {"Content-Type": "application/json"}
- return (
- json.dumps(
- {
- "error": "update_error",
- "msg": "Error updating item " + item + "\n" + traceback.format_exc(),
- }
- ),
- 500,
- {"Content-Type": "application/json"},
- )
-
-
-@app.route("/api/legal/
- ", methods=["GET"])
-# @login_required
-def legal_get(item):
- if request.method == "GET":
- if item == "legal":
- lang = request.args.get("lang")
- if not lang or lang not in ["ca","es","en","fr"]:
- lang="ca"
- gen_legal_if_not_exists(lang)
- return (
- json.dumps({"html": get_legal(lang)}),
- 200,
- {"Content-Type": "application/json"},
- )
- # if item == "privacy":
- # return json.dumps({ "html": "Privacy policy
This works!"}), 200, {'Content-Type': 'application/json'}
-
-
-@app.route("/api/legal/- ", methods=["POST"])
-@login_required
-def legal_put(item):
- if request.method == "POST":
- if item == "legal":
- data = None
+ @app.json_route("/api/dashboard/
- ", methods=["PUT"])
+ @login_required
+ def dashboard_put(item : str) -> OptionalJsonResponse:
+ if item == "colours":
try:
- data = data = request.get_json(force=True)
- html = data["html"]
- lang = data["lang"]
- if not lang or lang not in ["ca","es","en","fr"]:
- lang="ca"
- new_legal(lang,html)
+ data = request.get_json(force=True)
+ dashboard.update_colours(data)
+ except:
+ log.error(traceback.format_exc())
+ return json.dumps({"colours": data}), 200, {"Content-Type": "application/json"}
+ if item == "menu":
+ try:
+ data = request.get_json(force=True)
+ dashboard.update_menu(data)
except:
log.error(traceback.format_exc())
return json.dumps(data), 200, {"Content-Type": "application/json"}
- # if item == "privacy":
- # data = None
- # try:
- # data = request.json
- # html = data["html"]
- # lang = data["lang"]
- # except:
- # log.error(traceback.format_exc())
- # return json.dumps(data), 200, {'Content-Type': 'application/json'}
+ if item == "logo":
+ dashboard.update_logo(request.files["croppedImage"])
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ if item == "background":
+ dashboard.update_background(request.files["croppedImage"])
+ return json.dumps({}), 200, {"Content-Type": "application/json"}
+ return (
+ json.dumps(
+ {
+ "error": "update_error",
+ "msg": "Error updating item " + item + "\n" + traceback.format_exc(),
+ }
+ ),
+ 500,
+ {"Content-Type": "application/json"},
+ )
+
+
+ @app.json_route("/api/legal/
- ", methods=["GET"])
+ # @login_required
+ def legal_get(item : str) -> OptionalJsonResponse:
+ if request.method == "GET":
+ if item == "legal":
+ lang = request.args.get("lang")
+ if not lang or lang not in ["ca","es","en","fr"]:
+ lang="ca"
+ gen_legal_if_not_exists(app, lang)
+ return (
+ json.dumps({"html": get_legal(app, lang)}),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ # if item == "privacy":
+ # return json.dumps({ "html": "Privacy policy
This works!"}), 200, {'Content-Type': 'application/json'}
+ return None
+
+
+ @app.json_route("/api/legal/- ", methods=["POST"])
+ @login_required
+ def legal_put(item : str) -> OptionalJsonResponse:
+ if request.method == "POST":
+ if item == "legal":
+ data = None
+ try:
+ data = data = request.get_json(force=True)
+ html = data["html"]
+ lang = data["lang"]
+ if not lang or lang not in ["ca","es","en","fr"]:
+ lang="ca"
+ new_legal(app, lang, html)
+ except:
+ log.error(traceback.format_exc())
+ return json.dumps(data), 200, {"Content-Type": "application/json"}
+ return None
+ # if item == "privacy":
+ # data = None
+ # try:
+ # data = request.json
+ # html = data["html"]
+ # lang = data["lang"]
+ # except:
+ # log.error(traceback.format_exc())
+ # return json.dumps(data), 200, {'Content-Type': 'application/json'}
diff --git a/dd-sso/admin/src/admin/views/LoginViews.py b/dd-sso/admin/src/admin/views/LoginViews.py
index 95f6609..d2cf432 100644
--- a/dd-sso/admin/src/admin/views/LoginViews.py
+++ b/dd-sso/admin/src/admin/views/LoginViews.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -21,41 +22,44 @@ import os
from flask import flash, redirect, render_template, request, url_for
from flask_login import current_user, login_required, login_user, logout_user
+from werkzeug.wrappers import Response
-from admin import app
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
from ..auth.authentication import *
-@app.route("/", methods=["GET", "POST"])
-@app.route("/login", methods=["GET", "POST"])
-def login():
- if request.method == "POST":
- if request.form["user"] == "" or request.form["password"] == "":
- flash("Can't leave it blank", "danger")
- elif request.form["user"].startswith(" "):
- flash("Username not found or incorrect password.", "warning")
- else:
- ram_user = ram_users.get(request.form["user"])
- if ram_user and request.form["password"] == ram_user["password"]:
- user = User(
- {
- "id": ram_user["id"],
- "password": ram_user["password"],
- "role": ram_user["role"],
- "active": True,
- }
- )
- login_user(user)
- flash("Logged in successfully.", "success")
- return redirect(url_for("web_users"))
- else:
+def setup_login_views(app : "AdminFlaskApp") -> None:
+ @app.route("/", methods=["GET", "POST"])
+ @app.route("/login", methods=["GET", "POST"])
+ def login() -> Response:
+ if request.method == "POST":
+ if request.form["user"] == "" or request.form["password"] == "":
+ flash("Can't leave it blank", "danger")
+ elif request.form["user"].startswith(" "):
flash("Username not found or incorrect password.", "warning")
- return render_template("login.html")
+ else:
+ ram_user = ram_users.get(request.form["user"])
+ if ram_user and request.form["password"] == ram_user["password"]:
+ user = User(
+ id = ram_user["id"],
+ password = ram_user["password"],
+ role = ram_user["role"],
+ active = True,
+ )
+ login_user(user)
+ flash("Logged in successfully.", "success")
+ return redirect(url_for("web_users"))
+ else:
+ flash("Username not found or incorrect password.", "warning")
+ o : Response = app.make_response(render_template("login.html"))
+ return o
-@app.route("/logout", methods=["GET"])
-@login_required
-def logout():
- logout_user()
- return redirect(url_for("login"))
+ @app.route("/logout", methods=["GET"])
+ @login_required
+ def logout() -> Response:
+ logout_user()
+ return redirect(url_for("login"))
diff --git a/dd-sso/admin/src/admin/views/MailViews.py b/dd-sso/admin/src/admin/views/MailViews.py
new file mode 100644
index 0000000..285274e
--- /dev/null
+++ b/dd-sso/admin/src/admin/views/MailViews.py
@@ -0,0 +1,101 @@
+#
+# Copyright © 2022 MaadiX
+# Copyright © 2022 Evilham
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+import json
+import traceback
+from operator import itemgetter
+from typing import TYPE_CHECKING, Any, Dict, List, cast
+
+from flask import request
+
+from admin.auth.jws_tokens import has_jws_token
+from admin.lib.callbacks import user_parser
+from admin.views.decorators import JsonResponse
+
+from ..lib.api_exceptions import Error
+
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
+
+JsonHeaders = {"Content-Type": "application/json"}
+
+
+def setup_mail_views(app: "AdminFlaskApp") -> None:
+ mail_3p = app.api_3p["correu"]
+
+ @app.json_route("/ddapi/pubkey", methods=["GET"])
+ def pub_key() -> JsonResponse:
+ key = json.dumps(mail_3p.our_pubkey_jwk)
+ return key, 200, {"Content-Type": "application/json"}
+
+ @app.route("/ddapi/mailusers", methods=["GET", "POST", "PUT", "DELETE"])
+ @has_jws_token(app)
+ def ddapi_mail_users() -> JsonResponse:
+ users: List[Dict[str, Any]] = []
+ if request.method == "GET":
+ try:
+ sorted_users = sorted(
+ app.admin.get_mix_users(), key=itemgetter("username")
+ )
+ for user in sorted_users:
+ users.append(user_parser(user))
+ # Encrypt data with mail client public key
+ enc = mail_3p.sign_and_encrypt_outgoing_json({"users": users})
+ headers = mail_3p.get_outgoing_request_headers()
+ headers.update(JsonHeaders)
+ return enc, 200, headers
+ except:
+ raise Error(
+ "internal_server", "Failure sending users", traceback.format_exc()
+ )
+ if request.method not in ["POST", "PUT", "DELETE"]:
+ # Unsupported method
+ return json.dumps({}), 400, JsonHeaders
+
+ try:
+ dec_data = cast(
+ Dict, mail_3p.verify_and_decrypt_incoming_json(request.get_data())
+ )
+ users = dec_data.pop("users")
+ for user in users:
+ if not app.validators["mail"].validate(user):
+ raise Error(
+ "bad_request",
+ "Data validation for mail failed: "
+ + str(app.validators["mail"].errors),
+ traceback.format_exc(),
+ )
+ res: Dict
+ if request.method in ["POST", "PUT"]:
+ res = app.admin.nextcloud_mail_set(users, dec_data)
+ elif request.method == "DELETE":
+ res = app.admin.nextcloud_mail_delete(users, dec_data)
+ return (
+ json.dumps(res),
+ 200,
+ {"Content-Type": "application/json"},
+ )
+ except Exception as e:
+ raise Error(
+ "internal_server",
+ "Failure changing user emails",
+ traceback.format_exc(),
+ )
diff --git a/dd-sso/admin/src/admin/views/Socketio.py b/dd-sso/admin/src/admin/views/Socketio.py
deleted file mode 100644
index a945d9c..0000000
--- a/dd-sso/admin/src/admin/views/Socketio.py
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# Copyright © 2021,2022 IsardVDI S.L.
-#
-# This file is part of DD
-#
-# DD is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# DD is distributed in the hope that it will be useful, but WITHOUT ANY
-# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with DD. If not, see .
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# from flask_socketio import SocketIO, emit, join_room, leave_room, \
-# close_room, rooms, disconnect, send
-# from admin import app
-# import json
-
-# # socketio = SocketIO(app)
-# # from ...start import socketio
-
-# @socketio.on('connect', namespace='//sio')
-# def socketio_connect():
-# join_room('admin')
-# socketio.emit('update',
-# json.dumps('Joined'),
-# namespace='//sio',
-# room='admin')
-
-# @socketio.on('disconnect', namespace='//sio')
-# def socketio_domains_disconnect():
-# None
diff --git a/dd-sso/admin/src/admin/views/WebViews.py b/dd-sso/admin/src/admin/views/WebViews.py
index c8a62e7..d14feec 100644
--- a/dd-sso/admin/src/admin/views/WebViews.py
+++ b/dd-sso/admin/src/admin/views/WebViews.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -34,134 +35,110 @@ from flask import (
jsonify,
redirect,
request,
+ Response,
send_file,
url_for,
)
from flask import render_template as render_template_flask
from flask_login import login_required
-from admin import app
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
-from ..lib.avatars import Avatars
from .decorators import is_admin
-avatars = Avatars()
-
from ..lib.legal import gen_legal_if_not_exists
-""" OIDC TESTS """
-# from ..auth.authentication import oidc
-# @app.route('/custom_callback')
-# @oidc.custom_callback
-# def callback(data):
-# return 'Hello. You submitted %s' % data
-
-# @app.route('/private')
-# @oidc.require_login
-# def hello_me():
-# info = oidc.user_getinfo(['email', 'openid_id'])
-# return ('Hello, %s (%s)! Return' %
-# (info.get('email'), info.get('openid_id')))
-
-
-# @app.route('/api')
-# @oidc.accept_token(True, ['openid'])
-# def hello_api():
-# return json.dumps({'hello': 'Welcome %s' % g.oidc_token_info['sub']})
-
-
-# @app.route('/logout')
-# def logoutoidc():
-# oidc.logout()
-# return 'Hi, you have been logged out! Return'
-""" OIDC TESTS """
-
-def render_template(*args, **kwargs):
+def render_template(*args : str, **kwargs : str) -> str:
kwargs["DOMAIN"] = os.environ["DOMAIN"]
return render_template_flask(*args, **kwargs)
-@app.route("/users")
-@login_required
-def web_users():
- return render_template("pages/users.html", title="Users", nav="Users")
+def setup_web_views(app : "AdminFlaskApp") -> None:
+ @app.route("/users")
+ @login_required
+ def web_users() -> str:
+ return render_template("pages/users.html", title="Users", nav="Users")
-@app.route("/roles")
-@login_required
-def web_roles():
- return render_template("pages/roles.html", title="Roles", nav="Roles")
+ @app.route("/roles")
+ @login_required
+ def web_roles() -> str:
+ return render_template("pages/roles.html", title="Roles", nav="Roles")
-@app.route("/groups")
-@login_required
-def web_groups(provider=False):
- return render_template("pages/groups.html", title="Groups", nav="Groups")
+ @app.route("/groups")
+ @login_required
+ def web_groups(provider : bool=False) -> str:
+ return render_template("pages/groups.html", title="Groups", nav="Groups")
-@app.route("/avatar/", methods=["GET"])
-@login_required
-def avatar(userid):
- if userid != "false":
- return send_file("../avatars/master-avatars/" + userid, mimetype="image/jpeg")
- return send_file("static/img/missing.jpg", mimetype="image/jpeg")
+ @app.route("/avatar/", methods=["GET"])
+ @login_required
+ def avatar(userid : str) -> Response:
+ if userid != "false":
+ return send_file("../avatars/master-avatars/" + userid, mimetype="image/jpeg")
+ return send_file("static/img/missing.jpg", mimetype="image/jpeg")
-@app.route("/dashboard")
-@login_required
-def dashboard(provider=False):
- data = json.loads(requests.get("http://dd-sso-api/json").text)
- return render_template(
- "pages/dashboard.html", title="Customization", nav="Customization", data=data
- )
+ @app.route("/dashboard")
+ @login_required
+ def dashboard(provider : bool=False) -> str:
+ data = json.loads(requests.get("http://dd-sso-api/json").text)
+ return render_template(
+ "pages/dashboard.html", title="Customization", nav="Customization", data=data
+ )
-@app.route("/legal")
-@login_required
-def legal():
- # data = json.loads(requests.get("http://dd-sso-api/json").text)
- return render_template("pages/legal.html", title="Legal", nav="Legal", data={})
+ @app.route("/legal")
+ @login_required
+ def legal() -> str:
+ # data = json.loads(requests.get("http://dd-sso-api/json").text)
+ return render_template("pages/legal.html", title="Legal", nav="Legal", data="")
-@app.route("/legal_text")
-def legal_text():
- lang = request.args.get("lang")
- if not lang or lang not in ["ca","es","en","fr"]:
- lang="ca"
- gen_legal_if_not_exists(lang)
- return render_template("pages/legal/"+lang)
+ @app.route("/legal_text")
+ def legal_text() -> str:
+ lang = request.args.get("lang")
+ if not lang or lang not in ["ca","es","en","fr"]:
+ lang="ca"
+ gen_legal_if_not_exists(app, lang)
+ return render_template("pages/legal/"+lang)
-### SYS ADMIN
+ ### SYS ADMIN
-@app.route("/sysadmin/users")
-@login_required
-@is_admin
-def web_sysadmin_users():
- return render_template(
- "pages/sysadmin/users.html", title="SysAdmin Users", nav="SysAdminUsers"
- )
+ @app.route("/sysadmin/users")
+ @login_required
+ @is_admin
+ def web_sysadmin_users() -> Response:
+ o : Response = app.make_response(render_template(
+ "pages/sysadmin/users.html", title="SysAdmin Users", nav="SysAdminUsers"
+ ))
+ return o
-@app.route("/sysadmin/groups")
-@login_required
-@is_admin
-def web_sysadmin_groups():
- return render_template(
- "pages/sysadmin/groups.html", title="SysAdmin Groups", nav="SysAdminGroups"
- )
+ @app.route("/sysadmin/groups")
+ @login_required
+ @is_admin
+ def web_sysadmin_groups() -> Response:
+ o : Response = app.make_response(render_template(
+ "pages/sysadmin/groups.html", title="SysAdmin Groups", nav="SysAdminGroups"
+ ))
+ return o
-@app.route("/sysadmin/external")
-@login_required
-## SysAdmin role
-def web_sysadmin_external():
- return render_template(
- "pages/sysadmin/external.html", title="External", nav="External"
- )
+ @app.route("/sysadmin/external")
+ @login_required
+ ## SysAdmin role
+ def web_sysadmin_external() -> str:
+ return render_template(
+ "pages/sysadmin/external.html", title="External", nav="External"
+ )
-@app.route("/sockettest")
-def web_sockettest():
- return render_template(
- "pages/sockettest.html", title="Sockettest Users", nav="SysAdminUsers"
- )
+ @app.route("/sockettest")
+ def web_sockettest() -> str:
+ return render_template(
+ "pages/sockettest.html", title="Sockettest Users", nav="SysAdminUsers"
+ )
diff --git a/dd-sso/admin/src/admin/views/WpViews.py b/dd-sso/admin/src/admin/views/WpViews.py
index 5695bca..09d3b7f 100644
--- a/dd-sso/admin/src/admin/views/WpViews.py
+++ b/dd-sso/admin/src/admin/views/WpViews.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -20,6 +21,7 @@
import json
import logging as log
+from operator import itemgetter
import os
import socket
import sys
@@ -28,113 +30,117 @@ import traceback
from flask import request
-from admin import app
+from typing import TYPE_CHECKING, Any, Callable, Dict, Iterable, List
+if TYPE_CHECKING:
+ from admin.flaskapp import AdminFlaskApp
-from .decorators import is_internal
+from admin.views.decorators import OptionalJsonResponse, is_internal
-@app.route("/api/internal/users", methods=["GET"])
-@is_internal
-def internal_users():
- log.error(socket.gethostbyname("dd-apps-wordpress"))
- if request.method == "GET":
- sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
- # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
- users = []
- for user in sorted_users:
- if not user.get("enabled"):
- continue
- users.append(user_parser(user))
- return json.dumps(users), 200, {"Content-Type": "application/json"}
+def setup_wp_views(app : "AdminFlaskApp") -> None:
+ @app.json_route("/api/internal/users", methods=["GET"])
+ @is_internal
+ def internal_users() -> OptionalJsonResponse:
+ log.error(socket.gethostbyname("dd-apps-wordpress"))
+ if request.method == "GET":
+ sorted_users = sorted(app.admin.get_mix_users(), key=itemgetter("username"))
+ # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
+ users = []
+ for user in sorted_users:
+ if not user.get("enabled"):
+ continue
+ users.append(user_parser(user))
+ return json.dumps(users), 200, {"Content-Type": "application/json"}
+ return None
-@app.route("/api/internal/users/filter", methods=["POST"])
-@is_internal
-def internal_users_search():
- if request.method == "POST":
- data = request.get_json(force=True)
- users = app.admin.get_mix_users()
- result = [user_parser(user) for user in filter_users(users, data["text"])]
- sorted_result = sorted(result, key=lambda k: k["id"])
- return json.dumps(sorted_result), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/api/internal/groups", methods=["GET"])
-@is_internal
-def internal_groups():
- if request.method == "GET":
- sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: k["name"])
- groups = []
- for group in sorted_groups:
- if not group["path"].startswith("/"):
- continue
- groups.append(
- {
- "id": group["path"],
- "name": group["name"],
- "description": group.get("description", ""),
- }
- )
- return json.dumps(groups), 200, {"Content-Type": "application/json"}
-
-
-@app.route("/api/internal/group/users", methods=["POST"])
-@is_internal
-def internal_group_users():
- if request.method == "POST":
- data = request.get_json(force=True)
- sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
- # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
- users = []
- for user in sorted_users:
- if data["path"] not in user["keycloak_groups"] or not user.get("enabled"):
- continue
- users.append(user)
- if data.get("text", False) and data["text"] != "":
+ @app.json_route("/api/internal/users/filter", methods=["POST"])
+ @is_internal
+ def internal_users_search() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ users = app.admin.get_mix_users()
result = [user_parser(user) for user in filter_users(users, data["text"])]
- else:
- result = [user_parser(user) for user in users]
- return json.dumps(result), 200, {"Content-Type": "application/json"}
+ sorted_result = sorted(result, key=itemgetter("id"))
+ return json.dumps(sorted_result), 200, {"Content-Type": "application/json"}
+ return None
+ @app.json_route("/api/internal/groups", methods=["GET"])
+ @is_internal
+ def internal_groups() -> OptionalJsonResponse:
+ if request.method == "GET":
+ sorted_groups = sorted(app.admin.get_mix_groups(), key=itemgetter("name"))
+ groups = []
+ for group in sorted_groups:
+ if not group["path"].startswith("/"):
+ continue
+ groups.append(
+ {
+ "id": group["path"],
+ "name": group["name"],
+ "description": group.get("description", ""),
+ }
+ )
+ return json.dumps(groups), 200, {"Content-Type": "application/json"}
+ return None
-@app.route("/api/internal/roles", methods=["GET"])
-@is_internal
-def internal_roles():
- if request.method == "GET":
- roles = []
- for role in sorted(app.admin.get_roles(), key=lambda k: k["name"]):
- if role["name"] == "admin":
- continue
- roles.append(
- {
- "id": role["id"],
- "name": role["name"],
- "description": role.get("description", ""),
- }
- )
- return json.dumps(roles), 200, {"Content-Type": "application/json"}
+ @app.json_route("/api/internal/group/users", methods=["POST"])
+ @is_internal
+ def internal_group_users() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ sorted_users = sorted(app.admin.get_mix_users(), key=itemgetter("username"))
+ # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
+ users = []
+ for user in sorted_users:
+ if data["path"] not in user["keycloak_groups"] or not user.get("enabled"):
+ continue
+ users.append(user)
+ if data.get("text", False) and data["text"] != "":
+ result = [user_parser(user) for user in filter_users(users, data["text"])]
+ else:
+ result = [user_parser(user) for user in users]
+ return json.dumps(result), 200, {"Content-Type": "application/json"}
+ return None
+ @app.json_route("/api/internal/roles", methods=["GET"])
+ @is_internal
+ def internal_roles() -> OptionalJsonResponse:
+ if request.method == "GET":
+ roles = []
+ for role in sorted(app.admin.get_roles(), key=itemgetter("name")):
+ if role["name"] == "admin":
+ continue
+ roles.append(
+ {
+ "id": role["id"],
+ "name": role["name"],
+ "description": role.get("description", ""),
+ }
+ )
+ return json.dumps(roles), 200, {"Content-Type": "application/json"}
+ return None
-@app.route("/api/internal/role/users", methods=["POST"])
-@is_internal
-def internal_role_users():
- if request.method == "POST":
- data = request.get_json(force=True)
- sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
- # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
- users = []
- for user in sorted_users:
- if data["role"] not in user["roles"] or not user.get("enabled"):
- continue
- users.append(user)
- if data.get("text", False) and data["text"] != "":
- result = [user_parser(user) for user in filter_users(users, data["text"])]
- else:
- result = [user_parser(user) for user in users]
- return json.dumps(result), 200, {"Content-Type": "application/json"}
+ @app.json_route("/api/internal/role/users", methods=["POST"])
+ @is_internal
+ def internal_role_users() -> OptionalJsonResponse:
+ if request.method == "POST":
+ data = request.get_json(force=True)
+ sorted_users = sorted(app.admin.get_mix_users(), key=itemgetter("username"))
+ # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
+ users = []
+ for user in sorted_users:
+ if data["role"] not in user["roles"] or not user.get("enabled"):
+ continue
+ users.append(user)
+ if data.get("text", False) and data["text"] != "":
+ result = [user_parser(user) for user in filter_users(users, data["text"])]
+ else:
+ result = [user_parser(user) for user in users]
+ return json.dumps(result), 200, {"Content-Type": "application/json"}
+ return None
-
-def user_parser(user):
+def user_parser(user : Dict[str, Any]) -> Dict[str, Any]:
return {
"id": user["username"],
"first": user["first"],
@@ -145,7 +151,7 @@ def user_parser(user):
}
-def filter_users(users, text):
+def filter_users(users : Iterable[Dict[str, Any]], text : str) -> List[Dict[str, Any]]:
return [
user
for user in users
diff --git a/dd-sso/admin/src/admin/views/decorators.py b/dd-sso/admin/src/admin/views/decorators.py
index 033f057..69ee220 100644
--- a/dd-sso/admin/src/admin/views/decorators.py
+++ b/dd-sso/admin/src/admin/views/decorators.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -25,25 +26,28 @@ import socket
from functools import wraps
from flask import redirect, request, url_for
+from werkzeug.wrappers import Response
from flask_login import current_user, logout_user
from jose import jwt
from ..auth.tokens import get_header_jwt_payload
+from typing import Any, Callable, Dict, Optional, Tuple
+JsonResponse = Tuple[str, int, Dict[str, str]]
+OptionalJsonResponse = Optional[JsonResponse]
-def is_admin(fn):
+def is_admin(fn : Callable[..., Response]) -> Callable[..., Response]:
@wraps(fn)
- def decorated_view(*args, **kwargs):
+ def decorated_view(*args : Any, **kwargs : Any) -> Response:
if current_user.role == "admin":
return fn(*args, **kwargs)
return redirect(url_for("login"))
return decorated_view
-
-def is_internal(fn):
+def is_internal(fn : Callable[..., OptionalJsonResponse]) -> Callable[..., OptionalJsonResponse]:
@wraps(fn)
- def decorated_view(*args, **kwargs):
+ def decorated_view(*args : Any, **kwargs : Any) -> OptionalJsonResponse:
remote_addr = (
request.headers["X-Forwarded-For"].split(",")[0]
if "X-Forwarded-For" in request.headers
@@ -67,18 +71,18 @@ def is_internal(fn):
return decorated_view
-def has_token(fn):
+def has_token(fn : Callable[..., Any]) -> Callable[..., Any]:
@wraps(fn)
- def decorated(*args, **kwargs):
+ def decorated(*args : Any, **kwargs : Any) -> Any:
payload = get_header_jwt_payload()
return fn(*args, **kwargs)
return decorated
-def is_internal_or_has_token(fn):
+def is_internal_or_has_token(fn : Callable[..., Any]) -> Callable[..., Any]:
@wraps(fn)
- def decorated_view(*args, **kwargs):
+ def decorated_view(*args : Any, **kwargs : Any) -> Any:
remote_addr = (
request.headers["X-Forwarded-For"].split(",")[0]
if "X-Forwarded-For" in request.headers
@@ -94,9 +98,9 @@ def is_internal_or_has_token(fn):
return decorated_view
-def login_or_token(fn):
+def login_or_token(fn : Callable[..., Any]) -> Callable[..., Any]:
@wraps(fn)
- def decorated_view(*args, **kwargs):
+ def decorated_view(*args : Any, **kwargs : Any) -> Any:
if current_user.is_authenticated:
return fn(*args, **kwargs)
payload = get_header_jwt_payload()
diff --git a/dd-sso/admin/src/admin/yarn.lock b/dd-sso/admin/src/admin/yarn.lock
index 867ce45..172b5b7 100644
--- a/dd-sso/admin/src/admin/yarn.lock
+++ b/dd-sso/admin/src/admin/yarn.lock
@@ -88,11 +88,6 @@ engine.io@~6.1.0:
engine.io-parser "~5.0.0"
ws "~8.2.3"
-font-linux@^0.6.1:
- version "0.6.1"
- resolved "https://registry.yarnpkg.com/font-linux/-/font-linux-0.6.1.tgz#d586f46336b7da06ea3b7f10f7aee2b6346eed4f"
- integrity sha1-1Yb0Yza32gbqO38Q967itjRu7U8=
-
gentelella@^1.4.0:
version "1.4.0"
resolved "https://registry.yarnpkg.com/gentelella/-/gentelella-1.4.0.tgz#b3d15fd9c40c6ea47dc7f36290c8f89aee95efc5"
diff --git a/dd-sso/admin/src/client_secrets.json b/dd-sso/admin/src/client_secrets.json
deleted file mode 100644
index 091d005..0000000
--- a/dd-sso/admin/src/client_secrets.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "web": {
- "auth_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/auth",
- "client_id": "adminapp",
- "client_secret": "8a9e5a2e-3be9-43e3-9c47-1796f0d5ab72",
- "redirect_uris": [
- "https://sso.[[DOMAIN]]/oidc_callback"
- ],
- "userinfo_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/userinfo",
- "token_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/token",
- "token_introspection_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/token/introspect"
- }
-}
\ No newline at end of file
diff --git a/dd-sso/admin/src/saml_scripts/email_saml.py b/dd-sso/admin/src/saml_scripts/email_saml.py
new file mode 100644
index 0000000..9e7e4dc
--- /dev/null
+++ b/dd-sso/admin/src/saml_scripts/email_saml.py
@@ -0,0 +1,187 @@
+#
+# Copyright © 2022 Evilham
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+import logging as log
+import os
+import time
+import traceback
+from typing import Any, Dict, Optional
+
+from lib.keycloak_client import KeycloakClient
+
+try:
+ # Python 3.9+
+ from functools import cache # type: ignore # Currently targetting 3.8
+except ImportError:
+ # Up to python 3.8
+ from functools import cached_property as cache
+
+
+app: Dict[str, Dict[str, str]] = {}
+app["config"] = {}
+
+
+class SamlService(object):
+ """
+ Generic class to manage a SAML service on keycloak
+ """
+
+ keycloak: KeycloakClient
+ domain: str = os.environ["DOMAIN"]
+
+ def __init__(self):
+ self.keycloak = KeycloakClient()
+
+ @cache
+ def public_cert(self) -> str:
+ """
+ Read the public SAML certificate as used by keycloak
+ """
+ ready = False
+ basepath = os.path.dirname(__file__)
+ while not ready:
+ # TODO: Check why they were using a loop
+ try:
+ with open(
+ os.path.abspath(
+ os.path.join(basepath, "../saml_certs/public.cert")
+ ),
+ "r",
+ ) as crt:
+ app["config"]["PUBLIC_CERT"] = crt.read()
+ ready = True
+ except IOError:
+ log.warning("Could not get public certificate for SAML. Retrying...")
+ log.warning(
+ " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert"
+ )
+ time.sleep(2)
+ except:
+ log.error(traceback.format_exc())
+ log.info("Got public SAML certificate")
+ return app["config"]["PUBLIC_CERT"]
+
+ def get_client(self, client_id: str) -> Any:
+ # TODO: merge with keycloak_config.py
+ self.keycloak.connect()
+ k = self.keycloak.keycloak_admin
+
+ clients = k.get_clients()
+ client = next(filter(lambda c: c["clientId"] == client_id, clients), None)
+ return (k, client)
+
+ def set_client(self, client_id: str, client_overrides: Dict[str, Any]) -> str:
+ (k, client) = self.get_client(client_id)
+ if client is None:
+ client_uid = k.create_client(client_overrides)
+ else:
+ client_uid = client["id"]
+ k.update_client(client_uid, client_overrides)
+ return client_id
+
+ def configure(self) -> None:
+ pass
+
+
+class EmailSaml(SamlService):
+ client_name: str = "correu"
+ client_description: str = "Client for the DD-managed email service"
+ email_domain: str
+
+ def __init__(self, email_domain: str, enabled: bool = False):
+ super(EmailSaml, self).__init__()
+ self.email_domain = email_domain
+
+ @property
+ def enabled(self) -> bool:
+ return bool(self.email_domain)
+
+ def configure(self) -> None:
+ srv_base = f"https://correu.{self.domain}"
+ client_id = f"{srv_base}/metadata/"
+ client_overrides: Dict[str, Any] = {
+ "name": self.client_name,
+ "description": self.client_description,
+ "clientId": client_id,
+ "baseUrl": f"{srv_base}/login",
+ "enabled": self.enabled,
+ "redirectUris": [
+ f"{srv_base}/*",
+ ],
+ "webOrigins": [srv_base],
+ "consentRequired": False,
+ "protocol": "saml",
+ "attributes": {
+ "saml.assertion.signature": True,
+ "saml_idp_initiated_sso_relay_state": f"{srv_base}/login",
+ "saml_assertion_consumer_url_redirect": f"{srv_base}/acs",
+ "saml.force.post.binding": True,
+ "saml.multivalued.roles": False,
+ "saml.encrypt": False,
+ "saml_assertion_consumer_url_post": f"{srv_base}/acs",
+ "saml.server.signature": True,
+ "saml_idp_initiated_sso_url_name": f"{srv_base}/acs",
+ "saml.server.signature.keyinfo.ext": False,
+ "exclude.session.state.from.auth.response": False,
+ "saml_single_logout_service_url_redirect": f"{srv_base}/ls",
+ "saml.signature.algorithm": "RSA_SHA256",
+ "saml_force_name_id_format": False,
+ "saml.client.signature": False,
+ "tls.client.certificate.bound.access.tokens": False,
+ "saml.authnstatement": True,
+ "display.on.consent.screen": False,
+ "saml_name_id_format": "username",
+ "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
+ "saml.onetimeuse.condition": False,
+ },
+ "protocolMappers": [
+ {
+ "name": "username",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": False,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "username",
+ "friendly.name": "username",
+ "attribute.name": "username",
+ },
+ },
+ {
+ "name": "email",
+ "protocol": "saml",
+ "protocolMapper": "saml-user-property-mapper",
+ "consentRequired": False,
+ "config": {
+ "attribute.nameformat": "Basic",
+ "user.attribute": "email",
+ "friendly.name": "email",
+ "attribute.name": "email",
+ },
+ },
+ ],
+ }
+ self.set_client(client_id, client_overrides)
+
+
+if __name__ == "__main__":
+ email_domain = os.environ.get("MANAGED_EMAIL_DOMAIN", "")
+ log.info("Configuring SAML client for Email")
+ EmailSaml(email_domain).configure()
diff --git a/dd-sso/admin/src/start.py b/dd-sso/admin/src/start.py
index fd18efd..94fb9a5 100644
--- a/dd-sso/admin/src/start.py
+++ b/dd-sso/admin/src/start.py
@@ -1,5 +1,6 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
+# Copyright © 2022 Evilham
#
# This file is part of DD
#
@@ -39,14 +40,17 @@ from flask_socketio import (
send,
)
-from admin import app
+from admin import get_app
+# Set up the app
+app = get_app()
+app.setup()
app.socketio = SocketIO(app)
@app.socketio.on("connect", namespace="/sio")
@login_required
-def socketio_connect():
+def socketio_connect() -> None:
if current_user.id:
join_room("admin")
app.socketio.emit(
@@ -57,12 +61,12 @@ def socketio_connect():
@app.socketio.on("disconnect", namespace="/sio")
-def socketio_disconnect():
+def socketio_disconnect() -> None:
leave_room("admin")
@app.socketio.on("connect", namespace="/sio/events")
-def socketio_connect():
+def socketio_connect() -> None:
jwt = get_token_payload(request.args.get("jwt"))
join_room("events")
@@ -75,7 +79,7 @@ def socketio_connect():
@app.socketio.on("disconnect", namespace="/sio/events")
-def socketio_events_disconnect():
+def socketio_events_disconnect() -> None:
leave_room("events")
diff --git a/dd-sso/admin/src/tests/api.py b/dd-sso/admin/src/tests/api.py
index d02b45c..e2ed963 100644
--- a/dd-sso/admin/src/tests/api.py
+++ b/dd-sso/admin/src/tests/api.py
@@ -29,8 +29,8 @@ import requests
from jose import jwt
## SETUP
-domain = "admin.[YOURDOMAIN]"
-secret = "[your API_SECRET]"
+domain = f"admin.{ os.environ['DOMAIN'] }"
+secret = os.environ['API_SECRET']
## END SETUP
diff --git a/dd-sso/docker-compose-parts/admin.yml b/dd-sso/docker-compose-parts/admin.yml
index 46c7afb..91c87b1 100644
--- a/dd-sso/docker-compose-parts/admin.yml
+++ b/dd-sso/docker-compose-parts/admin.yml
@@ -43,8 +43,12 @@ services:
- ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
- ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
- ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw
+ - ${DATA_FOLDER}/dd-admin:/data:rw
env_file:
- .env
environment:
- VERIFY="false" # In development do not verify certificates
- DOMAIN=${DOMAIN}
+ - MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
+ - DATA_FOLDER=/data
+ - CUSTOM_FOLDER=/admin/custom
diff --git a/dd-sso/docker-compose-parts/network.yml b/dd-sso/docker-compose-parts/network.yml
index 038d81e..d9f79fd 100644
--- a/dd-sso/docker-compose-parts/network.yml
+++ b/dd-sso/docker-compose-parts/network.yml
@@ -21,3 +21,6 @@ version: '3.7'
networks:
dd_net:
name: dd_net
+ driver: bridge
+ driver_opts:
+ com.docker.network.driver.mtu: ${NETWORK_MTU:-1500}
diff --git a/dd.conf.sample b/dd.conf.sample
index 5cd9119..132534f 100644
--- a/dd.conf.sample
+++ b/dd.conf.sample
@@ -22,6 +22,8 @@
TITLE="DD"
TITLE_SHORT="DD"
DOMAIN=mydomain.com
+# If defined, DD will be managing email for this domain
+#MANAGED_EMAIL_DOMAIN=${DOMAIN}
LETSENCRYPT_DNS=
LETSENCRYPT_EMAIL=
# Generate letsencrypt certificate for root domain
@@ -195,3 +197,6 @@ POSTGRESQL_IMG=postgres:14.1-alpine3.15
## MINIO
#MINIO_IMG=mino/minio:RELEASE.2022-01-25T19-56-04Z
+
+## Network settings
+#NETWORK_MTU=1500
diff --git a/docs/index.ca.md b/docs/index.ca.md
index aa2e160..a2cb5c8 100644
--- a/docs/index.ca.md
+++ b/docs/index.ca.md
@@ -55,6 +55,39 @@ Aquí tens alguns recursos per guiar-te més:
- [Post-instal·lació](post-install.ca.md)
- [Codi font](https://gitlab.com/DD-workspace/DD)
+# Per què comença la història de git aquí?
+
+
Per què comença la història de git aquí
+
+Hi vam fer molta feina per estabilitzar el codi i netejar el repositori abans
+de l'anunci públic al I Curs Internacional d'Educació Digital Democràtica i Open Edtech.
+
+Fent servir aquella versió com a punt de partida ens ha deixat amb el repo que
+trobeu aquí, on els canvis seran revisats abans d'acceptar-los i qualsevol
+persona és benvinguda.
+
+Si mai hi ha dubtes respecte l'autoria, si us plau comproveu la capcelera de llicència de cada fitxer.
+
+L'autoria dels commits previs és de:
+
+
+ - Josep Maria Viñolas Auquer
+ - Simó Albert i Beltran
+ - Alberto Larraz Dalmases
+ - Yoselin Ribero
+ - Elena Barrios Galán
+ - Melina Gamboa
+ - Antonio Manzano
+ - Cecilia Bayo
+ - Naomi Hidalgo
+ - Joan Cervan Andreu
+ - Jose Antonio Exposito Garcia
+ - Raúl FS
+ - Unai Tolosa Pontesta
+ - Evilham
+
+¿Por qué comienza la historia de git aquí?
+
+Se hizo mucho trabajo para estabilizar el código y limpiar el repositorio antes
+del anuncio público en el
+I Curso Internacional de Educación Digital Democrática y Open Edtech.
+
+Usar esa versión como punto de partida nos dejó con el repositorio que tenemos
+aquí, donde los cambios serán revisados antes de aceptarlos y cualquier persona
+es bienvenida.
+
+Si en algún momento hay dudas respecto a la autoría, por favor comprovad las
+cabeceras de licencia en cada fichero.
+
+La autoría de los commits previos es de:
+
+
+ - Josep Maria Viñolas Auquer
+ - Simó Albert i Beltran
+ - Alberto Larraz Dalmases
+ - Yoselin Ribero
+ - Elena Barrios Galán
+ - Melina Gamboa
+ - Antonio Manzano
+ - Cecilia Bayo
+ - Naomi Hidalgo
+ - Joan Cervan Andreu
+ - Jose Antonio Exposito Garcia
+ - Raúl FS
+ - Unai Tolosa Pontesta
+ - Evilham
+
+Why does git history start here?
+
+A lot of work went into stabilising the code and cleaning the repo before the
+public announcement on the
+1st International Congress on Democratic Digital Education and Open Edtech.
+
+Using that version as a clean slate got us to the repo you see here, where
+changes will be reviewed before going in and anyone is welcome.
+
+When in doubt about authorship, please check each file's license headers.
+
+The authorship of the previous commits is from:
+
+
+ - Josep Maria Viñolas Auquer
+ - Simó Albert i Beltran
+ - Alberto Larraz Dalmases
+ - Yoselin Ribero
+ - Elena Barrios Galán
+ - Melina Gamboa
+ - Antonio Manzano
+ - Cecilia Bayo
+ - Naomi Hidalgo
+ - Joan Cervan Andreu
+ - Jose Antonio Exposito Garcia
+ - Raúl FS
+ - Unai Tolosa Pontesta
+ - Evilham
+
+.png
al servidor i indicant la seva ruta quan l'instal·lador les demana.
+Certificat preexistent
+Tens la posibilitat d'utilitzar el teu propi certificat, ja sigui wildcard o bé SAN. Pots llegir-ne mes a l'apartat [wildcard](wildcard.ca.md).
+