commit 78b0254ba07558de0708904b184af8e1340d73b4 Author: Evilham Date: Sun Jul 10 12:15:47 2022 +0200 DD education workspace DD is the education workspace generated within the framework of Xnet's Democratic Digitalisation Plan. It has been created and powered by Xnet, families and promoting centres, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham and funded by the Directorate for Democratic Innovation, the Barcelona City Council's Digital Innovation Commissioner, Social Economy Commissioner, in collaboration with the Barcelona Education Consortium, aFFaC and AirVPN. DD can be used freely as long as this footer is included and the AGPLv3 license (https://www.gnu.org/licenses/agpl-3.0.en.html) is respected. Trobareu meś informació en català a la documentació: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/). Más información en castellano en la documentación: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/). More info in English in the documentation: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/). We thank the help of Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5956991 --- /dev/null +++ b/.gitignore @@ -0,0 +1,24 @@ +dd.conf +docker-compose.yml +devel.yml +adminer.yml +pgtuner.yml +devel.yml +custom/ +docs.built/ +.env +dd-sso/docker/api/src/api/static/templates/*.html +dd-sso/docker/api/src/api/static/templates/*.json +.idea/ +*.log +# External, unmodified files +*.orig +# And their patches +*.patch +# Editor files +*.swp +# Python compiled and cached +*.pyc +**/*.pyc +__pycache__ +**/__pycache__ diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..e3d612b --- /dev/null +++ b/.gitmodules @@ -0,0 +1,9 @@ +[submodule "dd-apps/docker/moodle/src"] + path = dd-apps/docker/moodle/src + url = https://github.com/erseco/alpine-moodle.git +[submodule "dd-apps/docker/wordpress/src/wp-content/plugins"] + path = dd-apps/docker/wordpress/src/wp-content/plugins + url = https://github.com/onelogin/wordpress-saml.git +[submodule "dd-apps/docker/nextcloud/src/custom_apps/user_saml"] + path = dd-apps/docker/nextcloud/src/custom_apps/user_saml + url = https://github.com/nextcloud/user_saml.git diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..9e47a9e --- /dev/null +++ b/LICENSE @@ -0,0 +1,668 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + Isard-vdi: DD + Copyright (C) 2022 Alberto Larraz Dalmases & Josep Maria Viñolas Auquer + + Isard Apps + Copyright (C) 2022 Isard + + Isard SSO + Copyright (C) 2022 Isard + + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/README.md b/README.md new file mode 100644 index 0000000..1955d8b --- /dev/null +++ b/README.md @@ -0,0 +1,89 @@ +# DD + +[TOC] + +## Català + +DD és el workspace educatiu generat en el marc del Pla de Digitalització Democràtica d'Xnet. Ha estat creat i powered per +Xnet, famílies i centres promotors, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham i financiat per la Direcció d'Innovació +Democràtica, Comissionat d'Innovació Digital, Comissionat d'Economia Social de l'Ajuntament de Barcelona, en +col·laboració amb Consorci d'Educació de Barcelona, aFFaC i AirVPN. + +L'aplicació DD pot utilitzar-se lliurement sempre i quan consti aquest footer i es respecti la llicència AGPLv3 +(https://www.gnu.org/licenses/agpl-3.0.en.html). + +Trobareu meś informació en català a la documentació: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/). + +Agraïm l'ajuda de Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. + +## Castellano + +DD es el workspace educativo generado en el marco del Plan de Digitalización Democrática de Xnet. Ha sido creado y powered por +Xnet, familias y centros promotores, IsardVDI, 3ipunt, MaadiX, eXO.cat, Evilham y financiado por la Dirección de Innovación +Democrática, Comisionado de Innovación Digital, Comisionado de Economía Social del Ayuntamiento de Barcelona, en +colaboración con el Consorcio de Educación de Barcelona, aFFaC y AirVPN. + +La aplicación DD puede utilizarse libremente siempre y cuando conste este footer y se respete la licencia AGPLv3 +(https://www.gnu.org/licenses/agpl-3.0.en.html). + +Más información en castellano en la documentación: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/). + +Agradecemos la ayuda de Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. + + +## English + +DD is the education workspace generated within the framework of Xnet's Democratic Digitalisation Plan. It has been created and powered by +Xnet, families and promoting centres, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham and funded by the Directorate for +Democratic Innovation, the Barcelona City Council's Digital Innovation Commissioner, Social Economy Commissioner, in +collaboration with the Barcelona Education Consortium, aFFaC and AirVPN. + +DD can be used freely as long as this footer is included and the AGPLv3 license (https://www.gnu.org/licenses/agpl-3.0.en.html) is respected. + +More info in English in the documentation: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/). + +We thank the help of Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. + +# What is DD? + +DD sets up an identity provider and many apps providing a cohesive user +experience considering schools and universities as the main use-case. + +The project provides an integrated solution to handle the common +environment in education: + +- **Classrooms**: A Moodle instance with custom theme and custom plugins +- **Cloud drive**: A Nextcloud instance with custom theme and custom plugins +- **Documents**: A document viewer and editor integrated with Nextcloud +- **Web pages**: A Wordpress instance with custom theme and custom plugins +- **Pad**: An Etherpad instance integrated with Nextcloud +- **Conferences**: BigBlueButton integrated with Moodle and Nextcloud (needs a standalone host) +- **Forms**: A forms Nextcloud plugin + +| | | +| ---------------------------- | ------------------------------- | +| ![](docs/img/classrooms.png) | ![](docs/img/cloud_storage.png) | + +## Administration interface + +The project includes an administration interface that allows to easily manage +users and groups and keep these in sync between applications. + +| ![](docs/img/admin_sync.png) | ![](docs/img/admin_user_edit.png) | +| ---------------------------- | --------------------------------- | + +To easily migrate and insert users and groups to the system there are also two +provided imports: + +- From Google Admin Console as a JSON dump +- From a CSV file + +# I'm interested! + +That's great! Whether you want to contribute or are interested in deploying DD +for your organisation, we'll be happy to hear from you, here are some +resources to aid you further: + +- **User handbook**: [https://dd.digitalitzacio-democratica.xnet-x.net/manual-usuari/](https://dd.digitalitzacio-democratica.xnet-x.net/manual-usuari/) +- **Admin/developer docs**: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/) +- **Source code**: [https://gitlab.com/DD-workspace/DD](https://gitlab.com/DD-workspace/DD) diff --git a/custom.sample/avatars/admin.jpg b/custom.sample/avatars/admin.jpg new file mode 100644 index 0000000..ee7dff8 Binary files /dev/null and b/custom.sample/avatars/admin.jpg differ diff --git a/custom.sample/avatars/manager.jpg b/custom.sample/avatars/manager.jpg new file mode 100644 index 0000000..df6f5f4 Binary files /dev/null and b/custom.sample/avatars/manager.jpg differ diff --git a/custom.sample/avatars/student.jpg b/custom.sample/avatars/student.jpg new file mode 100644 index 0000000..ac5146c Binary files /dev/null and b/custom.sample/avatars/student.jpg differ diff --git a/custom.sample/avatars/studenth.jpg b/custom.sample/avatars/studenth.jpg new file mode 100644 index 0000000..4e5bf6d Binary files /dev/null and b/custom.sample/avatars/studenth.jpg differ diff --git a/custom.sample/avatars/teacher.jpg b/custom.sample/avatars/teacher.jpg new file mode 100644 index 0000000..e0bd4cc Binary files /dev/null and b/custom.sample/avatars/teacher.jpg differ diff --git a/custom.sample/avatars/unknown.jpg b/custom.sample/avatars/unknown.jpg new file mode 100644 index 0000000..2c65f74 Binary files /dev/null and b/custom.sample/avatars/unknown.jpg differ diff --git a/custom.sample/img/background.png b/custom.sample/img/background.png new file mode 100644 index 0000000..601ef82 Binary files /dev/null and b/custom.sample/img/background.png differ diff --git a/custom.sample/img/favicon.ico b/custom.sample/img/favicon.ico new file mode 100644 index 0000000..35a5419 Binary files /dev/null and b/custom.sample/img/favicon.ico differ diff --git a/custom.sample/img/logo.png b/custom.sample/img/logo.png new file mode 100644 index 0000000..e0bb28b Binary files /dev/null and b/custom.sample/img/logo.png differ diff --git a/custom.sample/img/product-logo.svg b/custom.sample/img/product-logo.svg new file mode 100644 index 0000000..2fc8d44 --- /dev/null +++ b/custom.sample/img/product-logo.svg @@ -0,0 +1,71 @@ + +image/svg+xml diff --git a/custom.sample/login/background.png b/custom.sample/login/background.png new file mode 100644 index 0000000..601ef82 Binary files /dev/null and b/custom.sample/login/background.png differ diff --git a/custom.sample/login/logo.png b/custom.sample/login/logo.png new file mode 100644 index 0000000..e0bb28b Binary files /dev/null and b/custom.sample/login/logo.png differ diff --git a/custom.sample/menu/custom.yaml b/custom.sample/menu/custom.yaml new file mode 100644 index 0000000..6dc7239 --- /dev/null +++ b/custom.sample/menu/custom.yaml @@ -0,0 +1,52 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +background_login: /img/background.png +colours: + background: "#F0F0F0" + primary: "#92AE01" + secondary: "#FFFFFF" +logo: /img/logo.png +product_logo: /img/product-logo.svg +product_url: https://xnet-x.net/ca/digital-democratic/ +apps_external: +- href: https://myweb + icon: fa fa-university + name: Escola Web + shortname: web +- href: https://myvideos + icon: fa fa-youtube-play + name: Youtube + shortname: youtube +- href: https://mydictionary + icon: fa fa-book + name: Diccionari + shortname: diccionari +- href: http://meet.jit.si + icon: fa fa-video-camera + name: Reunions Jitsi + shortname: jitsi +- href: https://www.duckduckgo.com + icon: fa fa-search + name: Cercar + shortname: search +- href: https://www.openstreetmap.org + icon: fa fa-map-marker + name: Maps + shortname: maps diff --git a/custom.sample/menu/system.yaml b/custom.sample/menu/system.yaml new file mode 100644 index 0000000..17f5137 --- /dev/null +++ b/custom.sample/menu/system.yaml @@ -0,0 +1,90 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +users_avatars: +- subdomain: api + href: /avatar/ + icon: fa fa-user + name: Avatar + shortname: avatar +user_menu: +- subdomain: sso + href: /auth/realms/master/account + icon: fa fa-user + name: Perfil + shortname: profile +- subdomain: + href: / + icon: fa fa-sign-out + name: Sortir + shortname: logout +apps_internal: +- subdomain: moodle + href: / + icon: fa fa-graduation-cap + name: Aules + shortname: courses +- subdomain: nextcloud + href: / + icon: fa fa-cloud + name: Fitxers + shortname: cloud +- subdomain: nextcloud + href: /apps/mail + icon: fa fa-envelope-o + name: Correu + shortname: email +- subdomain: nextcloud + href: /apps/forms + icon: fa fa-check-square-o + name: Formularis + shortname: forms +- subdomain: nextcloud + href: /apps/polls + icon: fa fa-bar-chart + name: Enquestes + shortname: feedback +- subdomain: nextcloud + href: /apps/spreed + icon: fa fa-commenting-o + name: Xat + shortname: chat +- subdomain: nextcloud + href: /apps/calendar + icon: fa fa-calendar + name: Calendari + shortname: schedule +- subdomain: wp + href: /wp-login.php?redirect_to=wp-admin/admin.php?page=mis-sitios + icon: fa fa-rss + name: Webs + shortname: webs +- subdomain: nextcloud + href: /apps/bbb + icon: fa fa-video-camera + name: Reunions BBB + shortname: meets_bbb +- subdomain: nextcloud + href: /apps/photos + icon: fa fa-file-image-o + name: Fotos + shortname: photos +user: + account: /auth/realms/master/account + avatar: /auth/realms/master/avatar-provider diff --git a/custom.sample/moodle/plugins/block_tresipuntmodspend.zip b/custom.sample/moodle/plugins/block_tresipuntmodspend.zip new file mode 100644 index 0000000..5c5ee9c Binary files /dev/null and b/custom.sample/moodle/plugins/block_tresipuntmodspend.zip differ diff --git a/dd-apps/.gitignore b/dd-apps/.gitignore new file mode 100644 index 0000000..32d0552 --- /dev/null +++ b/dd-apps/.gitignore @@ -0,0 +1,5 @@ +.idea/ +.env +**/.env +main.conf +docker-compose.* diff --git a/dd-apps/.gitmodules b/dd-apps/.gitmodules new file mode 100644 index 0000000..78d45e3 --- /dev/null +++ b/dd-apps/.gitmodules @@ -0,0 +1,15 @@ +[submodule "docker/jitsi/src"] + path = docker/jitsi/src + url = https://github.com/jitsi/docker-jitsi-meet.git +[submodule "docker/onlyoffice/src"] + path = docker/onlyoffice/src + url = https://github.com/aleho/onlyoffice-ce-docker-license.git +[submodule "docker/moodle/src"] + path = docker/moodle/src + url = https://github.com/erseco/alpine-moodle.git +[submodule "docker/moodle/rootfs-php7"] + path = docker/moodle/rootfs-php7 + url = https://github.com/erseco/alpine-php7-webserver.git +[submodule "docker/wordpress/plugins/saml"] + path = docker/wordpress/plugins/saml + url = https://github.com/onelogin/wordpress-saml.git diff --git a/dd-apps/docker/etherpad/Dockerfile b/dd-apps/docker/etherpad/Dockerfile new file mode 100644 index 0000000..fa12acc --- /dev/null +++ b/dd-apps/docker/etherpad/Dockerfile @@ -0,0 +1,36 @@ +ARG IMG +FROM ${IMG} + +MAINTAINER James Swineson + +ENV NODE_ENV production + +RUN apt-get update && \ + apt-get upgrade -y && \ + apt-get install -y curl unzip mariadb-client supervisor gzip git python libssl-dev pkg-config build-essential && \ + rm -r /var/lib/apt/lists/* + +WORKDIR /opt/ + +ARG ETHERPAD_VERSION + +RUN curl -SL \ + https://github.com/ether/etherpad-lite/archive/${ETHERPAD_VERSION}.zip \ + > etherpad.zip && unzip etherpad && rm etherpad.zip && \ + mv etherpad-lite-${ETHERPAD_VERSION} etherpad-lite + +WORKDIR etherpad-lite + +RUN bin/installDeps.sh \ + && rm settings.json +COPY entrypoint.sh /entrypoint.sh + +RUN sed -i 's/^node/exec\ node/' bin/run.sh + +VOLUME /opt/etherpad-lite/var +RUN ln -s var/settings.json settings.json +ADD supervisor.conf /etc/supervisor/supervisor.conf + +EXPOSE 9001 +ENTRYPOINT ["/entrypoint.sh"] +CMD ["supervisord", "-c", "/etc/supervisor/supervisor.conf", "-n"] diff --git a/dd-apps/docker/etherpad/dd-patch b/dd-apps/docker/etherpad/dd-patch new file mode 100644 index 0000000..7ae9560 --- /dev/null +++ b/dd-apps/docker/etherpad/dd-patch @@ -0,0 +1,5 @@ +# Generate .orig and .patch files with ./dd-ctl genpatches +# file license author source +Dockerfile ? https://github.com/Jamesits/ https://raw.githubusercontent.com/Jamesits/docker-etherpad-lite/f5d66bd35f0d7e7f3959ddfcca4b3f9d02d11c95/Dockerfile +entrypoint.sh ? https://github.com/Jamesits/ https://raw.githubusercontent.com/Jamesits/docker-etherpad-lite/f5d66bd35f0d7e7f3959ddfcca4b3f9d02d11c95/entrypoint.sh +supervisor.conf ? https://github.com/Jamesits/ https://raw.githubusercontent.com/Jamesits/docker-etherpad-lite/f5d66bd35f0d7e7f3959ddfcca4b3f9d02d11c95/supervisor.conf diff --git a/dd-apps/docker/etherpad/entrypoint.sh b/dd-apps/docker/etherpad/entrypoint.sh new file mode 100755 index 0000000..7101873 --- /dev/null +++ b/dd-apps/docker/etherpad/entrypoint.sh @@ -0,0 +1,73 @@ +#!/bin/bash +#set -e + +: ${ETHERPAD_DB_USER:=root} +if [ "$ETHERPAD_DB_USER" = 'root' ]; then + : ${ETHERPAD_DB_PASSWORD:=$MYSQL_ENV_MYSQL_ROOT_PASSWORD} +fi +: ${ETHERPAD_DB_NAME:=etherpad} + +ETHERPAD_DB_NAME=$( echo $ETHERPAD_DB_NAME | sed 's/\./_/g' ) + +if [ -z "$ETHERPAD_DB_PASSWORD" ]; then + echo >&2 'error: missing required ETHERPAD_DB_PASSWORD environment variable' + echo >&2 ' Did you forget to -e ETHERPAD_DB_PASSWORD=... ?' + echo >&2 + echo >&2 ' (Also of interest might be ETHERPAD_DB_USER and ETHERPAD_DB_NAME.)' + exit 1 +fi + +: ${ETHERPAD_TITLE:=Etherpad} +: ${ETHERPAD_PORT:=9001} + +cat settings.json +if [ ! -f settings.json ]; then + + cat <<- EOF > settings.json + { + "title": "${ETHERPAD_TITLE}", + "ip": "0.0.0.0", + "port": ${ETHERPAD_PORT}, + "maxAge": "${ETHERPAD_MAXAGE:-3600}", + "minify": true, + "dbType": "postgres", + "dbSettings": { + "user": "etherpad", + "host": "${ETHERPAD_DB_HOST}", + "port": 5432, + "password": "${ETHERPAD_DB_PASSWORD}", + "database": "${ETHERPAD_DB_NAME}", + "charset": "utf8mb4" + }, + EOF + + if [ $ETHERPAD_ADMIN_PASSWORD ]; then + + : ${ETHERPAD_ADMIN_USER:=admin} + + cat <<- EOF >> settings.json + "users": { + "${ETHERPAD_ADMIN_USER}": { + "password": "${ETHERPAD_ADMIN_PASSWORD}", + "is_admin": true + } + }, + EOF + fi + + cat <<- EOF >> settings.json + } + EOF +fi + +cat settings.json +echo "Installing plugins..." +if [ $ETHERPAD_PLUGINS ]; then + IFS=',' read -r -a PLUGIN_LIST <<< "$ETHERPAD_PLUGINS" + for PLUGIN in "${PLUGIN_LIST[@]}" + do + ./src/node_modules/.bin/npm install ${PLUGIN} + done +fi + +exec "$@" diff --git a/dd-apps/docker/etherpad/etherpad.yml b/dd-apps/docker/etherpad/etherpad.yml new file mode 100644 index 0000000..9723551 --- /dev/null +++ b/dd-apps/docker/etherpad/etherpad.yml @@ -0,0 +1,52 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-apps-etherpad: + build: + context: ${BUILD_APPS_ROOT_PATH}/docker/etherpad + dockerfile: Dockerfile + args: + - IMG=${ETHERPAD_IMG-node:16.13.2} + - ETHERPAD_VERSION=${ETHERPAD_VERSION} + container_name: dd-apps-etherpad + restart: unless-stopped + volumes: + - /etc/localtime:/etc/localtime:ro + security_opt: + - no-new-privileges:true + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:9001"] + interval: 1m30s + timeout: 10s + retries: 3 + environment: + ETHERPAD_TITLE: Title + ETHERPAD_PORT: 9001 + ETHERPAD_ADMIN_PASSWORD: ${ADMINAPP_PASSWORD} + ETHERPAD_ADMIN_USER: ${ADMINAPP_USER} + ETHERPAD_PLUGINS: ep_headings2,ep_adminpads2,ep_comments_page,ep_embedded_hyperlinks2,ep_font_color,ep_table_of_contents + ETHERPAD_MAXAGE: 3600 + ETHERPAD_DB_USER: ${ETHERPAD_POSTGRES_USER} + ETHERPAD_DB_PASSWORD: ${ETHERPAD_POSTGRES_PASSWORD} + ETHERPAD_DB_NAME: etherpad + ETHERPAD_DB_HOST: dd-apps-postgresql + networks: + - dd_net diff --git a/dd-apps/docker/etherpad/supervisor.conf b/dd-apps/docker/etherpad/supervisor.conf new file mode 100644 index 0000000..f83ac2d --- /dev/null +++ b/dd-apps/docker/etherpad/supervisor.conf @@ -0,0 +1,22 @@ +[supervisord] +nodaemon=true + +[unix_http_server] +file=/var/run//supervisor.sock +chmod=0700 + +[rpcinterface:supervisor] +supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface + +[supervisorctl] +serverurl=unix:///var/run//supervisor.sock + +[program:etherpad] +directory=/opt/etherpad-lite/bin +command=/opt/etherpad-lite/bin/run.sh --root +user=root +autostart=true +autorestart=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true \ No newline at end of file diff --git a/dd-apps/docker/haproxy/Dockerfile b/dd-apps/docker/haproxy/Dockerfile new file mode 100644 index 0000000..b5a2172 --- /dev/null +++ b/dd-apps/docker/haproxy/Dockerfile @@ -0,0 +1,34 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +FROM haproxy:2.3-alpine as production +RUN apk add openssl certbot py-pip +RUN pip install pip install certbot-plugin-gandi + + +ADD letsencrypt.sh / +ADD letsencrypt-check.sh / +ADD deploy-hook.sh /etc/letsencrypt/renewal-hooks/deploy/ +COPY auto-generate-certs.sh /usr/local/bin/ +COPY docker-entrypoint.sh /usr/local/bin/ +COPY auto-generate-certs.sh / +RUN rm /docker-entrypoint.sh +RUN ln -s /usr/local/bin/docker-entrypoint.sh / +RUN chmod 775 docker-entrypoint.sh +ADD haproxy.conf /usr/local/etc/haproxy/haproxy.cfg diff --git a/dd-apps/docker/haproxy/_common/auto-generate-certs.sh b/dd-apps/docker/haproxy/_common/auto-generate-certs.sh new file mode 100755 index 0000000..77d6eea --- /dev/null +++ b/dd-apps/docker/haproxy/_common/auto-generate-certs.sh @@ -0,0 +1,51 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cd /certs + +# Self signed cert generic data +C=CA +L=Barcelona +O=localdomain +CN_CA=$O +CN_HOST=*.$O +OU=$O + +echo '#### Creating 2048-bit RSA key:' +openssl genrsa -out ca-key.pem 2048 + +echo '#### Using the key to create a self-signed certificate to your CA:' +openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-cert.pem -sha256 \ + -subj "/C=$C/L=$L/O=$O/CN=$CN_CA" + +echo '#### Creating server certificate:' +openssl genrsa -out server-key.pem 2048 + +echo '#### Creating a certificate signing request for the server:' +openssl req -new -key server-key.pem -sha256 -out server-key.csr \ + -subj "/CN=$CN_HOST" + +echo '#### Creating server certificate:' +RND=$(( ( RANDOM % 1000 ) + 1 )) +openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \ + -set_serial $RND -sha256 -out server-cert.pem + +echo '#### Concatenate certs for haprox' +cat server-cert.pem server-key.pem > chain.pem +chmod 440 * diff --git a/dd-apps/docker/haproxy/_common/haproxy-docker-entrypoint.sh b/dd-apps/docker/haproxy/_common/haproxy-docker-entrypoint.sh new file mode 100644 index 0000000..178d2e8 --- /dev/null +++ b/dd-apps/docker/haproxy/_common/haproxy-docker-entrypoint.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +set -e + +prepare.sh + +if [ ! -f /certs/chain.pem ]; then + auto-generate-certs.sh +fi + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- haproxy "$@" +fi + +if [ "$1" = 'haproxy' ]; then + shift # "haproxy" + # if the user wants "haproxy", let's add a couple useful flags + # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2") + # -db -- disables background mode + set -- haproxy -W -db "$@" +fi + +exec "$@" diff --git a/dd-apps/docker/haproxy/_common/letsencrypt-hook-deploy-concatenante.sh b/dd-apps/docker/haproxy/_common/letsencrypt-hook-deploy-concatenante.sh new file mode 100755 index 0000000..3b3fc34 --- /dev/null +++ b/dd-apps/docker/haproxy/_common/letsencrypt-hook-deploy-concatenante.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /certs/chain.pem + +kill -SIGUSR2 1 diff --git a/dd-apps/docker/haproxy/_common/letsencrypt-renew-cron.sh b/dd-apps/docker/haproxy/_common/letsencrypt-renew-cron.sh new file mode 100755 index 0000000..ecb35cf --- /dev/null +++ b/dd-apps/docker/haproxy/_common/letsencrypt-renew-cron.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +certbot renew --cert-name $LETSENCRYPT_DOMAIN diff --git a/dd-apps/docker/haproxy/_common/letsencrypt.sh b/dd-apps/docker/haproxy/_common/letsencrypt.sh new file mode 100755 index 0000000..c4f4480 --- /dev/null +++ b/dd-apps/docker/haproxy/_common/letsencrypt.sh @@ -0,0 +1,37 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +if [ -f /letsencrypt-hook-deploy-concatenante.sh ] +then + mkdir -p /etc/letsencrypt/renewal-hooks/deploy/ + mv /letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/concatenate.sh +fi + +if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ] +then + LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond + if [ ! -f /certs/chain.pem ] + then + if certbot certonly --standalone -d "$LETSENCRYPT_DOMAIN" -m "$LETSENCRYPT_EMAIL" -n --agree-tos + then + RENEWED_LINEAGE="/etc/letsencrypt/live/$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/concatenate.sh + fi + fi +fi diff --git a/dd-apps/docker/haproxy/auto-generate-certs.sh b/dd-apps/docker/haproxy/auto-generate-certs.sh new file mode 100755 index 0000000..107507e --- /dev/null +++ b/dd-apps/docker/haproxy/auto-generate-certs.sh @@ -0,0 +1,55 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +mkdir /certs +cd /certs + +# Self signed cert generic data +C=CA +L=Barcelona +O=localdomain +CN_CA=$O +CN_HOST=*.$O +OU=$O + +echo '#### Creating 2048-bit RSA key:' +openssl genrsa -out ca-key.pem 2048 + +echo '#### Using the key to create a self-signed certificate to your CA:' +openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-cert.pem -sha256 \ + -subj "/C=$C/L=$L/O=$O/CN=$CN_CA" + +echo '#### Creating server certificate:' +openssl genrsa -out server-key.pem 2048 + +echo '#### Creating a certificate signing request for the server:' +openssl req -new -key server-key.pem -sha256 -out server-key.csr \ + -subj "/CN=$CN_HOST" + +echo '#### Creating server certificate:' +RND=$(( ( RANDOM % 1000 ) + 1 )) +openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \ + -set_serial $RND -sha256 -out server-cert.pem + + +chmod 440 * + +echo '#### Concatenate certs for haprox' +cat server-cert.pem server-key.pem > /certs/chain.pem +cd / diff --git a/dd-apps/docker/haproxy/deploy-hook.sh b/dd-apps/docker/haproxy/deploy-hook.sh new file mode 100755 index 0000000..7646991 --- /dev/null +++ b/dd-apps/docker/haproxy/deploy-hook.sh @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +echo "Domain(s) $LETSENCRYPT_DNS renewed. Restarting haproxy..." + cat /etc/letsencrypt/live/$LETSENCRYPT_DNS/fullchain.pem /etc/letsencrypt/live/$LETSENCRYPT_DNS/privkey.pem > /certs/chain.pem + chmod 440 /certs/chain.pem + mkdir -p /certs/letsencrypt/$LETSENCRYPT_DNS + cp /etc/letsencrypt/live/$LETSENCRYPT_DNS/* /certs/letsencrypt/$LETSENCRYPT_DNS/ + +kill -SIGUSR2 1 diff --git a/dd-apps/docker/haproxy/docker-entrypoint.sh b/dd-apps/docker/haproxy/docker-entrypoint.sh new file mode 100644 index 0000000..dbae5cf --- /dev/null +++ b/dd-apps/docker/haproxy/docker-entrypoint.sh @@ -0,0 +1,46 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +set -e + +# Set debug path password +PASSWD=$(python3 -c 'import os,crypt,getpass; print(crypt.crypt(os.environ["ADMINAPP_PASSWORD"], crypt.mksalt(crypt.METHOD_SHA512)))') +sed -i "/^ user admin password/c\ user admin password $ADMINAPP_PASSWORD" /usr/local/etc/haproxy/haproxy.cfg + +#/bin/sh /letsencrypt.sh + +if [ ! -e "/certs/chain.pem" ]; then + auto-generate-certs.sh +fi + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- haproxy "$@" +fi + +if [ "$1" = 'haproxy' ]; then + shift # "haproxy" + # if the user wants "haproxy", let's add a couple useful flags + # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2") + # -db -- disables background mode + set -- haproxy -W -db "$@" +fi + +exec "$@" diff --git a/dd-apps/docker/haproxy/haproxy.conf b/dd-apps/docker/haproxy/haproxy.conf new file mode 100644 index 0000000..1106701 --- /dev/null +++ b/dd-apps/docker/haproxy/haproxy.conf @@ -0,0 +1,101 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +resolvers mydns + nameserver dns1 127.0.0.11:53 + +global +# debug + daemon + log 127.0.0.1 local0 + tune.ssl.default-dh-param 2048 + + defaults + mode http + timeout connect 120s + timeout client 120s + timeout client-fin 120s + timeout server 120s + timeout tunnel 7200s + option http-server-close + option httpclose + log global + option httplog + backlog 4096 + maxconn 2000 + option tcpka + +frontend website + mode http + bind :80 + redirect scheme https if !{ ssl_fc } + bind :443 ssl crt /certs/chain.pem + + acl is_nextcloud hdr_beg(host) nextcloud. + acl is_moodle hdr_beg(host) moodle. + acl is_jitsi hdr_beg(host) jitsi. + + use_backend be_nextcloud if is_nextcloud + use_backend be_moodle if is_moodle + use_backend be_jitsi if is_jitsi + + default_backend be_moodle + +backend be_moodle + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server moodle moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_nextcloud + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server nextcloud nextcloud:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_jitsi + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server jitsi jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + + listen stats + bind 0.0.0.0:8888 + mode http + stats enable + option httplog + stats show-legends + stats uri /haproxy + stats realm Haproxy\ Statistics + stats refresh 5s + #stats auth staging:pep1n1ll0 + #acl authorized http_auth(AuthUsers) + #stats http-request auth unless authorized + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + +userlist AuthUsers + user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo. diff --git a/dd-apps/docker/haproxy/haproxy.yml b/dd-apps/docker/haproxy/haproxy.yml new file mode 100644 index 0000000..3610ac7 --- /dev/null +++ b/dd-apps/docker/haproxy/haproxy.yml @@ -0,0 +1,40 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-apps-haproxy: + build: + context: ${BUILD_APPS_ROOT_PATH}/docker/haproxy + dockerfile: Dockerfile + target: production + container_name: dd-apps-haproxy + restart: unless-stopped + environment: + - ADMINAPP_PASSWORD=${ADMINAPP_PASSWORD} + volumes: + - /etc/localtime:/etc/localtime:ro + - ${SRC_FOLDER}/haproxy:/certs:rw + networks: + - dd_net + ports: + - published: 80 + target: 80 + - published: 443 + target: 443 diff --git a/dd-apps/docker/haproxy/letsencrypt-check.sh b/dd-apps/docker/haproxy/letsencrypt-check.sh new file mode 100755 index 0000000..8504cd2 --- /dev/null +++ b/dd-apps/docker/haproxy/letsencrypt-check.sh @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +trap exit TERM +while : +do + sleep 12h + certbot renew --http-01-port 8888 +done diff --git a/dd-apps/docker/haproxy/letsencrypt.sh b/dd-apps/docker/haproxy/letsencrypt.sh new file mode 100755 index 0000000..955a2a4 --- /dev/null +++ b/dd-apps/docker/haproxy/letsencrypt.sh @@ -0,0 +1,34 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +RENEW=0 +if [[ ! -f /certs/chain.pem && ! -z "$LETSENCRYPT_EMAIL" && ! -z "$LETSENCRYPT_DNS" ]]; then + /usr/bin/certbot certonly --standalone -d "$LETSENCRYPT_DNS" -m "$LETSENCRYPT_EMAIL" -n --agree-tos + if [[ $? == 0 ]] ; then + cat /etc/letsencrypt/live/$LETSENCRYPT_DNS/fullchain.pem /etc/letsencrypt/live/$LETSENCRYPT_DNS/privkey.pem > /certs/chain.pem + chmod 440 /certs/chain.pem + mkdir -p /certs/letsencrypt/$LETSENCRYPT_DNS + cp /etc/letsencrypt/live/$LETSENCRYPT_DNS/* /certs/letsencrypt/$LETSENCRYPT_DNS/ + RENEW=1 + fi +fi + +if [ $RENEW == 1 ]; then + /bin/sh -c '/letsencrypt-check.sh' & +fi diff --git a/dd-apps/docker/haproxy/prepare.sh b/dd-apps/docker/haproxy/prepare.sh new file mode 100755 index 0000000..5df8cfb --- /dev/null +++ b/dd-apps/docker/haproxy/prepare.sh @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# Set debug path password +PASSWD=$(python3 -c 'import os,crypt,getpass; print(crypt.crypt(os.environ["WEBAPP_ADMIN_PWD"], crypt.mksalt(crypt.METHOD_SHA512)))') +sed -i "/^ user admin password/c\ user admin password $ADMIN_PWD" /usr/local/etc/haproxy/haproxy.cfg + +#LETSENCRYPT_DOMAIN="$WEBAPP_LETSENCRYPT_DNS" LETSENCRYPT_EMAIL="$WEBAPP_LETSENCRYPT_EMAIL" +letsencrypt.sh diff --git a/dd-apps/docker/mariadb/dd-patch b/dd-apps/docker/mariadb/dd-patch new file mode 100644 index 0000000..0f7cfdc --- /dev/null +++ b/dd-apps/docker/mariadb/dd-patch @@ -0,0 +1,3 @@ +# Generate .orig and .patch files with ./dd-ctl genpatches +# file license author source +mariadb.yml MIT https://github.com/t0lya https://raw.githubusercontent.com/t0lya/headless-wordpress-preview/master/docker-compose.yml diff --git a/dd-apps/docker/mariadb/mariadb.yml b/dd-apps/docker/mariadb/mariadb.yml new file mode 100644 index 0000000..0ac5b39 --- /dev/null +++ b/dd-apps/docker/mariadb/mariadb.yml @@ -0,0 +1,27 @@ +version: '3.7' +services: + dd-apps-mariadb: + image: ${MARIADB_IMG-mariadb:10.6.5} + container_name: dd-apps-mariadb + # Arguments inspired by: + # https://github.com/t0lya/headless-wordpress-preview/blob/master/docker-compose.yml + command: [ + '--default_authentication_plugin=mysql_native_password', + '--character-set-server=utf8mb4', + '--collation-server=utf8mb4_unicode_ci' + ] + volumes: + - /etc/localtime:/etc/localtime:ro + - ${DB_FOLDER}/mariadb:/var/lib/mysql + environment: + MYSQL_ROOT_PASSWORD: ${MARIADB_PASSWORD} + MYSQL_DATABASE: wordpress + MYSQL_USER: wordpress + MYSQL_PASSWORD: ${WORDPRESS_MARIADB_PASSWORD} + restart: unless-stopped + healthcheck: + test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"] + timeout: 20s + retries: 10 + networks: + - dd_net diff --git a/dd-apps/docker/moodle/02-configure-moodle.sh b/dd-apps/docker/moodle/02-configure-moodle.sh new file mode 100755 index 0000000..0b0cbac --- /dev/null +++ b/dd-apps/docker/moodle/02-configure-moodle.sh @@ -0,0 +1,85 @@ +#!/bin/sh +set -eo pipefail + +echo "Waiting for $database:$port to be ready" +while ! nc -w 1 $DB_HOST $DB_PORT; do + # Show some progress + echo -n '.'; + sleep 1; +done +echo "$database is ready" +sleep 3; + +if [ ! -f /var/www/html/config.php ]; then + + curl --location https://github.com/moodle/moodle/archive/$MOODLE_VERSION.tar.gz | tar xz --strip-components=1 -C /var/www/html/ + cp /isinstalled.php /var/www/html/admin/cli/ + chown nobody:root /var/www/html -R + + echo "Generating config.php file..." + ENV_VAR='var' php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/install.php \ + --lang=$MOODLE_LANGUAGE \ + --wwwroot=$SITE_URL \ + --dataroot=/var/www/moodledata/ \ + --dbtype=$DB_TYPE \ + --dbhost=$DB_HOST \ + --dbname=$DB_NAME \ + --dbuser=$DB_USER \ + --dbpass=$DB_PASS \ + --dbport=$DB_PORT \ + --prefix=$DB_PREFIX \ + --fullname="$MOODLE_SITENAME" \ + --shortname="$MOODLE_SHORTSITENAME" \ + --adminuser=$MOODLE_USERNAME \ + --adminpass=$MOODLE_PASSWORD \ + --adminemail=$MOODLE_EMAIL \ + --non-interactive \ + --agree-license \ + --skip-database + + if [ "$SSLPROXY" = 'true' ]; then + sed -i '/require_once/i $CFG->sslproxy=true;' /var/www/html/config.php + fi + +fi + +if php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/isinstalled.php ; then + + echo "Installing database..." + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/install_database.php \ + --lang=$MOODLE_LANGUAGE \ + --adminuser=$MOODLE_USERNAME \ + --adminpass=$MOODLE_PASSWORD \ + --adminemail=$MOODLE_EMAIL \ + --fullname="$MOODLE_SITENAME" \ + --shortname="$MOODLE_SHORTSITENAME" \ + --agree-license + + echo "Configuring settings..." + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=pathtophp --set=/usr/bin/php + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=pathtodu --set=/usr/bin/du + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=enableblogs --set=0 + + + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=smtphosts --set=$SMTP_HOST:$SMTP_PORT + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=smtpuser --set=$SMTP_USER + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=smtppass --set=$SMTP_PASSWORD + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=smtpsecure --set=$SMTP_PROTOCOL + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=noreplyaddress --set=$MOODLE_MAIL_NOREPLY_ADDRESS + php -d max_input_vars=$max_input_vars /var/www/html/admin/cli/cfg.php --name=emailsubjectprefix --set=$MOODLE_MAIL_PREFIX +fi + +chown -R nobody:root /var/www/html + + + + + + + + + + + + + diff --git a/dd-apps/docker/moodle/03-plugins.sh b/dd-apps/docker/moodle/03-plugins.sh new file mode 100755 index 0000000..90dd9f0 --- /dev/null +++ b/dd-apps/docker/moodle/03-plugins.sh @@ -0,0 +1,27 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +if [ ! -f /var/www/html/config.php ]; then + #ADD plugins/auth_saml2.zip /var/www/html/ + curl --location https://github.com/isard-vdi/moodle-auth_saml2/archive/refs/heads/role_map.zip > auth_saml2.zip + unzip auth_saml2.zip -d /var/www/html/auth/ + mv /var/www/html/auth/moodle-auth_saml2-role_map /var/www/html/auth/saml2 + rm auth_saml2.zip +fi +chown -R nobody:root /var/www/html diff --git a/dd-apps/docker/moodle/Dockerfile b/dd-apps/docker/moodle/Dockerfile new file mode 100644 index 0000000..31d523d --- /dev/null +++ b/dd-apps/docker/moodle/Dockerfile @@ -0,0 +1,16 @@ +ARG IMG=$MOODLE_IMG +FROM ${IMG} +LABEL maintainer="Adapted from: Ernesto Serrano " + + +USER root +COPY src/rootfs/ / +COPY 02-configure-moodle.sh /docker-entrypoint-init.d/ +COPY 03-plugins.sh /docker-entrypoint-init.d/ +COPY src/rootfs/var/www/html/admin/cli/isinstalled.php / +RUN echo "user=nobody" >> /etc/php7/php-fpm.d/www.conf +RUN echo "group=nobody" >> /etc/php7/php-fpm.d/www.conf +RUN apk add --no-cache dcron libcap && \ + chown nobody:nobody /usr/sbin/crond && \ + setcap cap_setgid=ep /usr/sbin/crond +RUN apk add php7-sodium diff --git a/dd-apps/docker/moodle/dd-patch b/dd-apps/docker/moodle/dd-patch new file mode 100644 index 0000000..7289a65 --- /dev/null +++ b/dd-apps/docker/moodle/dd-patch @@ -0,0 +1,5 @@ +# Generate .orig and .patch files with ./dd-ctl genpatches +# file license author source +02-configure-moodle.sh MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/rootfs/docker-entrypoint-init.d/02-configure-moodle.sh +Dockerfile MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/Dockerfile +moodle.yml MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/docker-compose.yml diff --git a/dd-apps/docker/moodle/moodle.yml b/dd-apps/docker/moodle/moodle.yml new file mode 100644 index 0000000..b927da0 --- /dev/null +++ b/dd-apps/docker/moodle/moodle.yml @@ -0,0 +1,51 @@ +version: '3.7' +services: + dd-apps-moodle: + build: + context: ${BUILD_APPS_ROOT_PATH}/docker/moodle + dockerfile: Dockerfile + args: + - IMG=${MOODLE_IMG} + container_name: dd-apps-moodle + restart: unless-stopped + volumes: + - /etc/localtime:/etc/localtime:ro + - ${DATA_FOLDER}/moodle:/var/www/moodledata:rw + - ${SRC_FOLDER}/moodle:/var/www/html:rw + depends_on: + - dd-apps-postgresql + environment: + #- LANG=en_US.UTF-8 + #- LANGUAGE=en_US:en + - MOODLE_VERSION=${MOODLE_VERSION} + - DOMAIN=${DOMAIN} + - SITE_URL=https://moodle.${DOMAIN} + - DB_TYPE=pgsql + - DB_HOST=dd-apps-postgresql + - DB_PORT=5432 + - DB_NAME=moodle + - DB_USER=${MOODLE_POSTGRES_USER} + - DB_PASS=${MOODLE_POSTGRES_PASSWORD} + - DB_PREFIX=mdl_ + - SSLPROXY=true + - MOODLE_EMAIL=${MOODLE_EMAIL} # + - MOODLE_LANGUAGE=${LANGUAGE_CODE} # + - MOODLE_SITENAME=${TITLE} # + - MOODLE_SHORTSITENAME=${TITLE_SHORT} # + - MOODLE_USERNAME=${MOODLE_ADMIN_USER} + - MOODLE_PASSWORD=${MOODLE_ADMIN_PASSWORD} + - SMTP_HOST=${SMTP_HOST} + - SMTP_PORT=${SMTP_PORT} + - SMTP_USER=${SMTP_USER} + - SMTP_PASSWORD=${SMTP_PASSWORD} + - SMTP_PROTOCOL=${SMTP_PROTOCOL} + - MOODLE_MAIL_NOREPLY_ADDRESS=${MOODLE_MAIL_NOREPLY_ADDRESS} + - MOODLE_MAIL_PREFIX=${MOODLE_MAIL_PREFIX} + - client_max_body_size=${MOODLE_MAX_FILESIZE_UPLOAD} + - post_max_size=${MOODLE_MAX_FILESIZE_UPLOAD} + - upload_max_filesize=${MOODLE_MAX_FILESIZE_UPLOAD} + - max_input_vars=5000 + - max_execution_time=${MOODLE_MAX_EXECUTION_TIME} + - memory_limit=${MOODLE_MEMORY_LIMIT} + networks: + - dd_net diff --git a/dd-apps/docker/moodle/src b/dd-apps/docker/moodle/src new file mode 160000 index 0000000..53d1631 --- /dev/null +++ b/dd-apps/docker/moodle/src @@ -0,0 +1 @@ +Subproject commit 53d1631d2fc355d9bd3d8e466ffd176e31de115c diff --git a/dd-apps/docker/network.yml b/dd-apps/docker/network.yml new file mode 100644 index 0000000..038d81e --- /dev/null +++ b/dd-apps/docker/network.yml @@ -0,0 +1,23 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +networks: + dd_net: + name: dd_net diff --git a/dd-apps/docker/nextcloud/Dockerfile b/dd-apps/docker/nextcloud/Dockerfile new file mode 100644 index 0000000..f21832f --- /dev/null +++ b/dd-apps/docker/nextcloud/Dockerfile @@ -0,0 +1,71 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +ARG IMG +FROM ${IMG} + +RUN apk update +RUN set -ex; \ + \ + apk add --no-cache \ + ffmpeg \ + procps \ + samba-client \ + supervisor \ +# libreoffice \ + ; + +RUN set -ex; \ + \ + apk add --no-cache --virtual .build-deps \ + $PHPIZE_DEPS \ + imap-dev \ + krb5-dev \ + openssl-dev \ + samba-dev \ + bzip2-dev \ + ; \ + \ + docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \ + docker-php-ext-install \ + bz2 \ + imap \ + ; \ + pecl install smbclient; \ + docker-php-ext-enable smbclient; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + apk add --virtual .nextcloud-phpext-rundeps $runDeps; \ + apk del .build-deps + +RUN mkdir -p \ + /var/log/supervisord \ + /var/run/supervisord \ +; + +COPY supervisord.conf / + +ENV NEXTCLOUD_UPDATE=1 + +CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"] diff --git a/dd-apps/docker/nextcloud/dd-patch b/dd-apps/docker/nextcloud/dd-patch new file mode 100644 index 0000000..9b8b74c --- /dev/null +++ b/dd-apps/docker/nextcloud/dd-patch @@ -0,0 +1,3 @@ +# Generate .orig and .patch files with ./dd-ctl genpatches +# file license author source +nginx.conf AGPL-3.0-or-later https://github.com/nextcloud/ https://raw.githubusercontent.com/nextcloud/docker/522559eefdd56d2e49259c3b0f4a0e92882cdb87/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf diff --git a/dd-apps/docker/nextcloud/nextcloud.yml b/dd-apps/docker/nextcloud/nextcloud.yml new file mode 100644 index 0000000..5c18f57 --- /dev/null +++ b/dd-apps/docker/nextcloud/nextcloud.yml @@ -0,0 +1,59 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-apps-nextcloud-app: + build: + context: ${BUILD_APPS_ROOT_PATH}/docker/nextcloud + dockerfile: Dockerfile + args: + - IMG=${NEXTCLOUD_IMG} + container_name: dd-apps-nextcloud-app + restart: unless-stopped + depends_on: + - dd-apps-postgresql + volumes: + - /etc/localtime:/etc/localtime:ro + - ${SRC_FOLDER}/nextcloud:/var/www/html + - ${DATA_FOLDER}/nextcloud:/var/www/html/data + environment: + - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} + - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} + - POSTGRES_DB=nextcloud + - POSTGRES_USER=${NEXTCLOUD_POSTGRES_USER} + - POSTGRES_PASSWORD=${NEXTCLOUD_POSTGRES_PASSWORD} + - POSTGRES_HOST=dd-apps-postgresql + - REDIS_HOST=dd-apps-redis + - NC_overwriteprotocol=https + - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.${DOMAIN} + networks: + - dd_net + + dd-apps-nextcloud-nginx: + image: ${NGINX_IMG-nginx:1.21.6} + container_name: dd-apps-nextcloud-nginx + restart: unless-stopped + links: + - dd-apps-nextcloud-app + volumes: + - ${BUILD_APPS_ROOT_PATH}/docker/nextcloud/nginx.conf:/etc/nginx/nginx.conf:ro + - ${SRC_FOLDER}/nextcloud:/var/www/html:ro + networks: + - dd_net diff --git a/dd-apps/docker/nextcloud/nginx.conf b/dd-apps/docker/nextcloud/nginx.conf new file mode 100644 index 0000000..c38f179 --- /dev/null +++ b/dd-apps/docker/nextcloud/nginx.conf @@ -0,0 +1,118 @@ +worker_processes auto; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + keepalive_timeout 65; + + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Real-IP; + upstream php-handler { + server dd-apps-nextcloud-app:9000; + } + + server { + listen 80; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + fastcgi_hide_header X-Powered-By; + root /var/www/html; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_param SERVER_NAME $host; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { + try_files $uri /index.php$request_uri; + access_log off; + } + } +} diff --git a/dd-apps/docker/nextcloud/src/custom_apps/user_saml b/dd-apps/docker/nextcloud/src/custom_apps/user_saml new file mode 160000 index 0000000..4e74fb4 --- /dev/null +++ b/dd-apps/docker/nextcloud/src/custom_apps/user_saml @@ -0,0 +1 @@ +Subproject commit 4e74fb44d08ff9e669c4a44db697badf8bdf2996 diff --git a/dd-apps/docker/nextcloud/src/themes/dd/core/img/dd.svg b/dd-apps/docker/nextcloud/src/themes/dd/core/img/dd.svg new file mode 100644 index 0000000..2fc8d44 --- /dev/null +++ b/dd-apps/docker/nextcloud/src/themes/dd/core/img/dd.svg @@ -0,0 +1,71 @@ + +image/svg+xml diff --git a/dd-apps/docker/nextcloud/src/themes/dd/core/js/navbar.js b/dd-apps/docker/nextcloud/src/themes/dd/core/js/navbar.js new file mode 100644 index 0000000..491eff3 --- /dev/null +++ b/dd-apps/docker/nextcloud/src/themes/dd/core/js/navbar.js @@ -0,0 +1,55 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +jQuery(document).ready(() => { + base_url = `${window.location.protocol}//${window.location.host.replace(/^nextcloud\./, 'api.')}` + $.getJSON(`${base_url}/json`, (result) => { + if (result.logo) { + $("#navbar-logo img").attr('src', result.logo) + } + if (result.product_logo) { + $("#product-logo img").attr("src", result.product_logo) + } + if (result.product_url) { + $("#product-logo a").attr("href", result.product_url) + } + }) + $.get(`${base_url}/header/html/nextcloud`, (result) => { + console.log(result) + $("#settings").before(result) + $('#dropdownMenuAppsButton').click(() => { + $('#dropdownMenuApps').toggle() + }) + $('#dropdownMenuApps a').click(() => { + $('#dropdownMenuApps').toggle() + }) + }) + $(window).click( (event) => { + if ( + !$(event.target).parents( + '#dropdownMenuAppsButton, #dropdownMenuApps' + ).length + ) { + $('#dropdownMenuApps').hide() + } + }) + $(window).blur( (event) => { + $('#dropdownMenuApps').hide() + }) +}) diff --git a/dd-apps/docker/nextcloud/src/themes/dd/core/templates/layout.user.php b/dd-apps/docker/nextcloud/src/themes/dd/core/templates/layout.user.php new file mode 100644 index 0000000..51cb4d0 --- /dev/null +++ b/dd-apps/docker/nextcloud/src/themes/dd/core/templates/layout.user.php @@ -0,0 +1,161 @@ +. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +*/ + $api_url = "https://" . preg_replace('/^nextcloud\./', 'api.', $_SERVER['HTTP_HOST']); + $avatar_url = "https://" . preg_replace('/^nextcloud\./', 'sso.', $_SERVER['HTTP_HOST']) . "/auth/realms/master/avatar-provider"; + + // Remove user menu Settings item for non-administrator users + if(!array_key_exists('core_apps', $_["settingsnavigation"])){ + unset($_["settingsnavigation"]["settings"]); + } +?> + + + + + + <?php + p(!empty($_['application'])?$_['application'].' - ':''); + p($theme->getTitle()); + ?> + + + + getiTunesAppId() !== '') { ?> + + + + + + + + + + + + + + + + + + + + + + + + + $initialState) { ?> + + + + t('Skip to main content')); ?> + t('Skip to navigation of app')); ?> + +
+
+
+ + + + + +
+ +
+ + + diff --git a/dd-apps/docker/nextcloud/supervisord.conf b/dd-apps/docker/nextcloud/supervisord.conf new file mode 100644 index 0000000..63366d0 --- /dev/null +++ b/dd-apps/docker/nextcloud/supervisord.conf @@ -0,0 +1,22 @@ +[supervisord] +nodaemon=true +logfile=/var/log/supervisord/supervisord.log +pidfile=/var/run/supervisord/supervisord.pid +childlogdir=/var/log/supervisord/ +logfile_maxbytes=50MB +logfile_backups=10 +loglevel=error + +[program:php-fpm] +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +command=php-fpm + +[program:cron] +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +command=/cron.sh \ No newline at end of file diff --git a/dd-apps/docker/nextcloud/template.docx b/dd-apps/docker/nextcloud/template.docx new file mode 100644 index 0000000..3a89798 Binary files /dev/null and b/dd-apps/docker/nextcloud/template.docx differ diff --git a/dd-apps/docker/onlyoffice/local.json b/dd-apps/docker/onlyoffice/local.json new file mode 100644 index 0000000..a8a1dd0 --- /dev/null +++ b/dd-apps/docker/onlyoffice/local.json @@ -0,0 +1,43 @@ +{ + "services": { + "CoAuthoring": { + "sql": { + "type": "postgres", + "dbHost": "localhost", + "dbPort": "5432", + "dbName": "onlyoffice", + "dbUser": "onlyoffice", + "dbPass": "onlyoffice" + }, + "token": { + "enable": { + "request": { + "inbox": true, + "outbox": true + }, + "browser": true + }, + "inbox": { + "header": "Authorization" + }, + "outbox": { + "header": "Authorization" + } + }, + "secret": { + "inbox": { + "string": "secret" + }, + "outbox": { + "string": "secret" + }, + "session": { + "string": "secret" + } + } + } + }, + "rabbitmq": { + "url": "amqp://guest:guest@localhost" + } + } \ No newline at end of file diff --git a/dd-apps/docker/onlyoffice/onlyoffice.yml b/dd-apps/docker/onlyoffice/onlyoffice.yml new file mode 100644 index 0000000..bf0d678 --- /dev/null +++ b/dd-apps/docker/onlyoffice/onlyoffice.yml @@ -0,0 +1,31 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: "3.7" +services: + dd-apps-onlyoffice: + container_name: dd-apps-onlyoffice + image: ${ONLYOFFICE_IMG} + volumes: + - /etc/localtime:/etc/localtime:ro + - ${BUILD_APPS_ROOT_PATH}/docker/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.json:ro + restart: unless-stopped + networks: + - dd_net + diff --git a/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/etherpad.sh b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/etherpad.sh new file mode 100755 index 0000000..ec9cb0e --- /dev/null +++ b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/etherpad.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER $ETHERPAD_POSTGRES_USER SUPERUSER PASSWORD '${ETHERPAD_POSTGRES_PASSWORD}'; + CREATE DATABASE etherpad; + GRANT ALL PRIVILEGES ON DATABASE etherpad TO ${ETHERPAD_POSTGRES_USER}; +EOSQL diff --git a/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/keycloak.sh b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/keycloak.sh new file mode 100644 index 0000000..e88d6b9 --- /dev/null +++ b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/keycloak.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER $KEYCLOAK_DB_USER SUPERUSER PASSWORD '$KEYCLOAK_DB_PASSWORD'; + CREATE DATABASE $KEYCLOAK_DB_DATABASE; + GRANT ALL PRIVILEGES ON DATABASE $KEYCLOAK_DB_DATABASE TO $KEYCLOAK_DB_USER; +EOSQL diff --git a/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/moodle.sh b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/moodle.sh new file mode 100755 index 0000000..aa8c728 --- /dev/null +++ b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/moodle.sh @@ -0,0 +1,26 @@ +#!/bin/bash +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER $MOODLE_POSTGRES_USER SUPERUSER PASSWORD '${MOODLE_POSTGRES_PASSWORD}'; + CREATE DATABASE moodle; + GRANT ALL PRIVILEGES ON DATABASE moodle TO ${MOODLE_POSTGRES_USER}; +EOSQL + diff --git a/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/nextcloud.sh b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/nextcloud.sh new file mode 100755 index 0000000..e032514 --- /dev/null +++ b/dd-apps/docker/postgresql/docker-entrypoint-initdb.d/nextcloud.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER $NEXTCLOUD_POSTGRES_USER SUPERUSER PASSWORD '$NEXTCLOUD_POSTGRES_PASSWORD'; + CREATE DATABASE nextcloud; + GRANT ALL PRIVILEGES ON DATABASE nextcloud TO $NEXTCLOUD_POSTGRES_USER; +EOSQL diff --git a/dd-apps/docker/postgresql/postgresql.yml b/dd-apps/docker/postgresql/postgresql.yml new file mode 100644 index 0000000..1c510b7 --- /dev/null +++ b/dd-apps/docker/postgresql/postgresql.yml @@ -0,0 +1,35 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: "3.7" +services: + dd-apps-postgresql: + image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15} + container_name: dd-apps-postgresql + restart: unless-stopped + env_file: .env + environment: + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - POSTGRES_USER=${POSTGRES_USER} + volumes: + - /etc/localtime:/etc/localtime:ro + - ${DB_FOLDER}/postgres:/var/lib/postgresql/data + - ${BUILD_APPS_ROOT_PATH}/docker/postgresql/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d + networks: + - dd_net diff --git a/dd-apps/docker/redis/redis.yml b/dd-apps/docker/redis/redis.yml new file mode 100644 index 0000000..818f8ad --- /dev/null +++ b/dd-apps/docker/redis/redis.yml @@ -0,0 +1,30 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-apps-redis: + image: ${REDIS_IMG-redis:6.2.6-alpine3.15} + container_name: dd-apps-redis + volumes: + - /etc/localtime:/etc/localtime:ro + - ${DB_FOLDER}/redis:/data + restart: unless-stopped + networks: + - dd_net \ No newline at end of file diff --git a/dd-apps/docker/wordpress/.htaccess b/dd-apps/docker/wordpress/.htaccess new file mode 100644 index 0000000..0856b4b --- /dev/null +++ b/dd-apps/docker/wordpress/.htaccess @@ -0,0 +1,11 @@ +RewriteEngine On +RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] +RewriteBase / +RewriteRule ^index\.php$ - [L] +RewriteRule ^wp-admin$ wp-admin/ [R=301,L] +RewriteCond %{REQUEST_FILENAME} -f [OR] +RewriteCond %{REQUEST_FILENAME} -d +RewriteRule ^ - [L] +RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L] +RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L] +RewriteRule . index.php [L] diff --git a/dd-apps/docker/wordpress/multisite.sh b/dd-apps/docker/wordpress/multisite.sh new file mode 100755 index 0000000..73370ef --- /dev/null +++ b/dd-apps/docker/wordpress/multisite.sh @@ -0,0 +1,32 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cat <> multisite.cfg +define( 'WP_ALLOW_MULTISITE', true ); +define( 'MULTISITE', true ); +define( 'SUBDOMAIN_INSTALL', false ); +\$base = '/'; +define( 'DOMAIN_CURRENT_SITE', '$WORDPRESS_DOMAIN_CURRENT_SITE' ); +define( 'PATH_CURRENT_SITE', '/' ); +define( 'SITE_ID_CURRENT_SITE', 1 ); +define( 'BLOG_ID_CURRENT_SITE', 1 ); +EOT + +sed -i '/Happy publishing/e cat multisite.cfg' /var/www/html/wp-config.php diff --git a/dd-apps/docker/wordpress/src/wp-content/plugins b/dd-apps/docker/wordpress/src/wp-content/plugins new file mode 160000 index 0000000..fb75edc --- /dev/null +++ b/dd-apps/docker/wordpress/src/wp-content/plugins @@ -0,0 +1 @@ +Subproject commit fb75edc20db7982d9112ac92a5f8a239ec636ca8 diff --git a/dd-apps/docker/wordpress/wordpress.yml b/dd-apps/docker/wordpress/wordpress.yml new file mode 100644 index 0000000..76c9f86 --- /dev/null +++ b/dd-apps/docker/wordpress/wordpress.yml @@ -0,0 +1,82 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' + +x-volumes: + &wordpress-volumes + - /etc/localtime:/etc/localtime:ro + - ${BUILD_APPS_ROOT_PATH}/docker/wordpress/src/config/php.conf.ini:/usr/local/etc/php/conf.d/conf.ini + - ${SRC_FOLDER}/wordpress:/var/www/html + - ${BUILD_APPS_ROOT_PATH}/docker/wordpress/plugins:/plugins + - ${BUILD_APPS_ROOT_PATH}/docker/wordpress/.htaccess:/var/www/html/.htaccess:ro + - ${BUILD_APPS_ROOT_PATH}/docker/wordpress/multisite.sh:/multisite.sh:ro + - ${DATA_FOLDER}/wordpress:/var/www/html/wp-content/uploads + +services: + dd-apps-wordpress: + image: ${WORDPRESS_IMG} + container_name: dd-apps-wordpress + volumes: + *wordpress-volumes + environment: + WORDPRESS_DB_HOST: dd-apps-mariadb + WORDPRESS_DB_NAME: "wordpress" + WORDPRESS_DB_USER: ${WORDPRESS_MARIADB_USER} + WORDPRESS_DB_PASSWORD: ${WORDPRESS_MARIADB_PASSWORD} + WORDPRESS_DOMAIN_CURRENT_SITE: wp.${DOMAIN} + depends_on: + - dd-apps-mariadb + links: + - dd-apps-mariadb + restart: unless-stopped + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:80"] + interval: 30s + timeout: 10s + retries: 5 + networks: + - dd_net + + dd-apps-wordpress-cli: + image: ${WORDPRESS_CLI_IMG} + container_name: dd-apps-wordpress-cli + volumes: + *wordpress-volumes + command: > + bash -c 'wp core install --path="/var/www/html" --url=wp.${DOMAIN} --title="${TITLE}" --admin_user=${WORDPRESS_ADMIN_USER} --admin_password=${WORDPRESS_ADMIN_PASSWORD} --admin_email=${SMTP_USER}; + wp core multisite-convert;' + depends_on: + dd-apps-mariadb: + condition: service_healthy + dd-apps-wordpress: + condition: service_healthy + networks: + - dd_net + restart: "no" + environment: + WORDPRESS_DB_HOST: dd-apps-mariadb + WORDPRESS_DB_NAME: "wordpress" + WORDPRESS_DB_USER: ${WORDPRESS_MARIADB_USER} + WORDPRESS_DB_PASSWORD: ${WORDPRESS_MARIADB_PASSWORD} + DOMAIN: ${DOMAIN} + TITLE: ${TITLE} + SMTP_USER: ${SMTP_USER} + + diff --git a/dd-ctl b/dd-ctl new file mode 100755 index 0000000..8557fda --- /dev/null +++ b/dd-ctl @@ -0,0 +1,833 @@ +#!/usr/bin/env bash +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +OPERATION="$1" + +# We need docker-compose >= 1.28 to catch configuration variables +REQUIRED_DOCKER_COMPOSE_VERSION="1.28" + +docker_compose_version(){ + docker-compose --version --short | sed 's/^docker-compose version \([^,]\+\),.*$/\1/' +} + +check_docker_compose_version(){ + # We cannot use sort -C because is not included in BusyBox v1.33.1 of docker:dind image + { + echo "$REQUIRED_DOCKER_COMPOSE_VERSION" + docker_compose_version + } | sort -c -V 2> /dev/null +} + +get_os(){ + if grep -q ^DISTRIB_ID=Ubuntu /etc/lsb-release 2>/dev/null; then + echo ubuntu + elif [ -f /etc/debian_version ]; then + echo debian + fi +} + +help() { + cat <<-EOF + Example: ./dd.ctl [operation] [arguments] + + For a new installation, you usually will want to run: + ./dd-ctl repo-update + ./dd-ctl prerequisites + ./dd-ctl securize + ./dd-ctl all + ./dd-ctl saml + + + Generate adminer.yml to access DBs: ./dd-ctl adminer + Bring the current project up: ./dd-ctl all + Branding (custom/img, custom/menu): ./dd-ctl branding + Build the compose files: ./dd-ctl build + Build the devel compose files: ./dd-ctl build-devel + Apply customizations: ./dd-ctl customize + Stop the project when started: ./dd-ctl down + Show external files in repo, their license and source: ./dd-ctl listpatches +Generate .orig and .patch files to compare with upstream: ./dd-ctl genpatches + Rescan nextcloud data folders: ./dd-ctl nextcloud-scan + Install all prerequisites for installation: ./dd-ctl prerequisites + Update repository: ./dd-ctl repo-update [branch-name] (defaults to main) + Restart api if changes applied (development): ./dd-ctl restart-api + Update SAML certificates: ./dd-ctl saml + Set secure passwords in dd.conf: ./dd-ctl securize + Set a config variable in dd.conf: ./dd-ctl setconf VARIABLE [VALUE] + Start the project when stopped: ./dd-ctl up + Upgrade plugins: ./dd-ctl upgrade-plugins + Regenerate docker-compose.yml from conf: ./dd-ctl yml + EOF +} + +# Help messages +if [ -z "$OPERATION" ] || [ "$OPERATION" = "-h" ] || [ "$OPERATION" = "--help" ]; then + test -n "$OPERATION" || printf "Missing command.\n\n" + help + exit +fi + +# Sanity checks +if [ -z "$(get_os)" ]; then + cat >&2 <<-EOF + ***************************************************************** + Your OS doesn't seem to be Debian or Ubuntu and is not supported! + Things might still work, please report back. + ***************************************************************** + EOF +fi +if [ "$OPERATION" != "prerequisites" ]; then + if [ ! -d "custom" ]; then + echo "You need to copy custom.sample to custom folder and adapt it to your needs." >&2 + exit 1 + fi + if [ ! -f "dd.conf" ]; then + echo "You need to copy dd.conf.sample to dd.conf and adapt" >&2 + exit 1 + fi + if ! check_docker_compose_version; then + echo "ERROR: Please use docker-compose greather than or equal to $REQUIRED_DOCKER_COMPOSE_VERSION." >&2 + exit 1 + fi +fi + +REPO_BRANCH="${2:-main}" + + +cp dd.conf .env +CUSTOM_PATH=$(pwd) +. ./.env + +prerequisites_docker(){ + # Remove uncompatible docker packages + for pkg in docker docker-engine docker.io containerd runc; do + if dpkg -s "${pkg}" >/dev/null; then + apt-get remove -y "${pkg}" + fi + done + + # Install upstream-docker repo pre-requisites + apt-get install -y \ + apt-transport-https \ + ca-certificates \ + curl \ + gnupg-agent \ + software-properties-common \ + git \ + unzip \ + libffi-dev + + os="$(get_os)" + curl -fsSL "https://download.docker.com/linux/${os:?}/gpg" | \ + apt-key add - + add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/${os:?} \ + $(lsb_release -cs) \ + stable" + apt-get update -y + # docker-ce must be used instead of the one from the distro + apt-get install -y docker-ce docker-ce-cli containerd.io + + apt-get install -y python3-pip + # docker-compose > 1.28 is required, latest will be installed + pip3 install docker-compose +} +prerequisites_pwd(){ + apt-get install -y dictionaries-common wamerican +} + +update_repo(){ + # Switch to latest version + git fetch && git checkout $REPO_BRANCH + # Needed for dd-apps submodules... + git submodule update --init --recursive + # Remove old repositories + for old_dir in isard-apps isard-sso; do + if [ -d "${old_dir}" ]; then + mkdir -p _old + mv "${old_dir}" "_old/${old_dir}_$(date +'%Y-%m-%d_%H-%M')" + fi + done + # Cleanup + for old_dir in isard-apps isard-sso; do + git submodule deinit "${old_dir}" || true + if [ -d "${old_dir}" ]; then + rmdir "${old_dir}" + fi + done +} + +build_compose(){ + setconf CUSTOM_PATH "$CUSTOM_PATH" .env + setconf BUILD_APPS_ROOT_PATH "$CUSTOM_PATH/dd-apps" .env + setconf BUILD_SSO_ROOT_PATH "$CUSTOM_PATH/dd-sso" .env + ## Prepare apps environment + ln -sf "${CUSTOM_PATH}/.env" dd-apps/.env + ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/postgresql && \ + ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/mariadb && \ + ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/moodle && \ + ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/nextcloud && \ + ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/wordpress && \ + ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/etherpad + + ## Prepare sso environment + ln -sf "${CUSTOM_PATH}/.env" dd-sso/.env + ln -sf "${CUSTOM_PATH}/.env" dd-sso/docker-compose-parts/.env + + # Clean up older custom data + rm -rf custom/system/keycloak-themes + rmdir custom/system 2>/dev/null || true + + if [ "$BEHIND_PROXY" = "true" ]; then + BEHIND="haproxy-behind.yml" + else + BEHIND="haproxy.yml" + fi + + # Build compose ymls + docker-compose -f dd-sso/docker-compose-parts/$BEHIND \ + -f dd-sso/docker-compose-parts/api.yml \ + -f dd-sso/docker-compose-parts/keycloak.yml \ + -f dd-sso/docker-compose-parts/avatars.yml \ + -f dd-apps/docker/postgresql/postgresql.yml \ + -f dd-sso/docker-compose-parts/admin.yml \ + \ + -f dd-apps/docker/moodle/moodle.yml \ + -f dd-apps/docker/nextcloud/nextcloud.yml \ + -f dd-apps/docker/wordpress/wordpress.yml \ + -f dd-apps/docker/etherpad/etherpad.yml \ + -f dd-apps/docker/onlyoffice/onlyoffice.yml \ + -f dd-apps/docker/redis/redis.yml \ + -f dd-apps/docker/postgresql/postgresql.yml \ + -f dd-apps/docker/mariadb/mariadb.yml \ + -f dd-apps/docker/network.yml \ + config > docker-compose.yml +} + +listpatches(){ + cat <<-EOM + # Generate .orig and .patch files with ./dd-ctl genpatches + # file license author url + EOM + for patchfile in $(find . -name 'dd-patch'); do + patchdir="$(dirname "${patchfile}")" + grep -vE '^#' "${patchfile}" | awk "{print \"${patchdir}/\" \$0}" + done +} + +genpatches(){ + CD="$(pwd)" + for patchfile in $(find . -name 'dd-patch'); do + cd "$(dirname "${patchfile}")" + echo "IN DIR $(pwd)" + grep -vE '^#' dd-patch | while IFS= read -r line; do + fn="$(echo "${line}" | cut -f 1)" + url="$(echo "${line}" | cut -f 4)" + wget "${url}" -O "${fn}.orig" + diff "${fn}.orig" "${fn}" > "${fn}.patch" + done + + cd "${CD}" + done +} + +build(){ + build_compose + docker-compose build +} + +build_compose_develop(){ + build_compose + + ## Prepare sso environment + setconf CUSTOM_PATH "$CUSTOM_PATH" .env + setconf BUILD_SSO_ROOT_PATH "$CUSTOM_PATH/dd-sso" .env + + ln -sf "${CUSTOM_PATH}/.env" dd-sso/.env + ln -sf "${CUSTOM_PATH}/.env" dd-sso/docker-compose-parts/.env + + docker-compose -f docker-compose.yml \ + -f dd-sso/docker-compose-parts/api.devel.yml \ + -f dd-sso/docker-compose-parts/admin.devel.yml \ + config > devel.yml +} + +up(){ + docker-compose up -d +} + +down(){ + docker-compose down +} + +setup_nextcloud(){ + echo " --> Applying custom settings in nextcloud" + # docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=$DDADMIN_PASSWORD && php occ user:add --password-from-env --display-name="DD Admin" --group="admin" $DDADMIN_USER' + + # docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=admin && php occ user:delete admin' + # docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=LostAdminGroup && php occ user:add --password-from-env --display-name="Admin" --group="admin" admin' + + # docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:app:set unaprova token --value "SuperS3cret" + + #cp -R $BUILD_APPS_ROOT_PATH/dd-apps/docker/nextcloud/themes/* $DATA_FOLDER/nextcloud/themes/ + docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set default_language --value="ca" + docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set skeletondirectory --value='' + + # Disable certain NextCloud apps + for app in firstrunwizard recommendations dashboard; do + docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF + php occ --no-warnings app:disable "${app}" + EOF + done + + # Install and enable NextCloud apps + for app in bruteforcesettings polls calendar spreed bbb mail ownpad onlyoffice circles; do + docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF + php occ --no-warnings app:install "${app}" + php occ --no-warnings app:enable "${app}" + EOF + done + + # Custom forms + docker exec dd-apps-nextcloud-app apk add git npm composer + docker exec -u www-data dd-apps-nextcloud-app rm -rf /var/www/html/custom_apps/forms + docker exec -u www-data dd-apps-nextcloud-app git clone https://github.com/juanan3ip/form -b dependabot/npm_and_yarn/babel/eslint-parser-7.17.0 /var/www/html/custom_apps/forms + docker exec -u www-data dd-apps-nextcloud-app npm --prefix /var/www/html/custom_apps/forms install + docker exec -u www-data dd-apps-nextcloud-app composer -d/var/www/html/custom_apps/forms install --no-dev -o + docker exec -u www-data dd-apps-nextcloud-app php occ app:enable forms + + # Disable Big Blue Button media check by default + docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set bbb join.mediaCheck --value="false" + # Disable Big Blue Button listen only mode by default + docker exec dd-apps-nextcloud-app sed -i.orig 's/^\(\s*$room->setListenOnly(\)true\();\)$/\1false\2/' /var/www/html/custom_apps/bbb/lib/Service/RoomService.php + # Enable option to join muted to Big Blue Button room by default + docker exec dd-apps-nextcloud-app sed -i 's/^\(\s*$room->setJoinMuted(\)false\();\)$/\1true\2/' /var/www/html/custom_apps/bbb/lib/Service/RoomService.php + # Remove meeting join nextcloud bbb app dialog exclamation marks + docker exec dd-apps-nextcloud-app sh -c "sed -i.orig 's/\(^\s*\"Please enter your name!\" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' /var/www/html/custom_apps/bbb/l10n/*.json" + docker exec dd-apps-nextcloud-app sh -c "sed -i 's/\(^\s*\"Let\x27s go!\" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' /var/www/html/custom_apps/bbb/l10n/*.json" + + docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set theme --value=dd + docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set allow_local_remote_servers --value=true + docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings maintenance:theme:update + + #docker exec -u www-data dd-apps-nextcloud-app php occ app:install user_saml + docker exec -u www-data dd-apps-nextcloud-app php occ app:enable user_saml + docker exec dd-apps-nextcloud-app apk add jq + docker exec dd-apps-nextcloud-app sh -c 'jq ". + {\"pad\": [\"application/x-ownpad\"], \"calc\": [\"application/x-ownpad\"]}" /var/www/html/resources/config/mimetypemapping.dist.json > /var/www/html/config/mimetypemapping.json' + nextcloud_scan + # Open pads in a new tab/window + docker exec dd-apps-nextcloud-app sed -i.orig 's/^\(\s*\)\(var viewer = OC.generateUrl.*\)/\1\2\n\1window.open(viewer);\n\1return;/' /var/www/html/custom_apps/ownpad/js/ownpad.js + + # SMTP + SMTP_LOCAL_PART="$(echo "${SMTP_USER}" | cut -d '@' -f 1)" + SMTP_DOMAIN="$(echo "${SMTP_USER}" | cut -d '@' -f 2)" + docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF + php occ --no-warnings config:system:set -n mail_smtpmode --value="smtp" + php occ --no-warnings config:system:set -n mail_smtpsecure --value="${SMTP_PROTOCOL}" + php occ --no-warnings config:system:set -n mail_sendmailmode --value="smtp" + php occ --no-warnings config:system:set -n mail_from_address --value="${SMTP_LOCAL_PART}" + php occ --no-warnings config:system:set -n mail_domain --value="${SMTP_DOMAIN}" + php occ --no-warnings config:system:set -n mail_smtpauth --value=1 + php occ --no-warnings config:system:set -n mail_smtpauthtype --value="LOGIN" + php occ --no-warnings config:system:set -n mail_smtphost --value="${SMTP_HOST}" + php occ --no-warnings config:system:set -n mail_smtpport --value="${SMTP_PORT}" + php occ --no-warnings config:system:set -n mail_smtpname --value="${SMTP_USER}" + echo 'Setting Nextcloud password' + php occ --no-warnings config:system:set -n -q mail_smtppassword --value="${SMTP_PASSWORD}" + EOF + + # Settings + docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF + php occ --no-warnings config:app:set -n ownpad ownpad_etherpad_enable --value="yes" + php occ --no-warnings config:app:set -n ownpad ownpad_etherpad_host --value="https://pad.$DOMAIN" + + php occ --no-warnings config:app:set -n onlyoffice DocumentServerUrl --value="https://oof.$DOMAIN" + php occ --no-warnings config:app:set -n onlyoffice jwt_secret --value="secret" + php occ --no-warnings config:app:set -n onlyoffice jwt_header --value="Authorization" + php occ --no-warnings config:app:set -n onlyoffice sameTab --value="false" + + # Moodle nextcloud task needs forcesave onlyoffice option + php occ --no-warnings config:app:set -n onlyoffice customizationForcesave --value="true" + + # Enable circles + php occ --no-warnings config:app:set -n circles members_limit --value="150" + php occ --no-warnings config:app:set -n circles allow_linked_groups --value="1" + php occ --no-warnings config:app:set -n circles skip_invitation_to_closed_circles --value="1" + + # Add allow list IPs + php occ --no-warnings config:app:set -n bruteForce whitelist_1 --value='172.16.0.0/12' + + # OnlyOffice + php occ --no-warnings config:app:set -n onlyoffice preview --value="true" + php occ --no-warnings config:app:set -n onlyoffice defFormats --value="{\"csv\":\"false\",\"doc\":\"true\",\"docm\":\"false\",\"docx\":\"true\",\"docxf\":\"true\",\"oform\":\"true\",\"dotx\":\"false\",\"epub\":\"false\",\"html\":\"false\",\"odp\":\"true\",\"ods\":\"true\",\"odt\":\"true\",\"otp\":\"true\",\"ots\":\"true\",\"ott\":\"true\",\"pdf\":\"false\",\"potm\":\"false\",\"potx\":\"false\",\"ppsm\":\"false\",\"ppsx\":\"true\",\"ppt\":\"true\",\"pptm\":\"false\",\"pptx\":\"true\",\"rtf\":\"false\",\"txt\":\"false\",\"xls\":\"true\",\"xlsm\":\"false\",\"xlsx\":\"true\",\"xltm\":\"false\",\"xltx\":\"true\"}", + php occ --no-warnings config:app:set -n onlyoffice editFormats --value="{\"csv\":\"true\",\"odp\":\"false\",\"ods\":\"false\",\"odt\":\"false\",\"rtf\":\"false\",\"txt\":\"true\"}" + + EOF + + # Allow nextcloud into other apps iframes + # Content-Security-Policy: frame-ancestors 'self' *.$DOMAIN; + docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedFrameAncestors = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php + + # Content-Sety-Policy: connect-src 'self -' *.$DOMAIN; + docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedConnectDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php + + # Content-Sety-Policy: img-src 'self' *. -$DOMAIN; + docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedImageDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php + + # Content-Sety-Policy: style-src 'self' -*.$DOMAIN; + docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedStyleDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php + + # Content-Sety-Policy: font-src 'self' * -.$DOMAIN; + docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedFontDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php + + # Fix nextcloud files_external "segudos" typo + # https://github.com/nextcloud/server/pull/28990 + docker exec dd-apps-nextcloud-app sh -c 'sed -i.orig -e "s/segudos/segundos/" /var/www/html/apps/files_external/l10n/es_*.js' + + # Import fix from Nextcloud 22 of pdf viewer + # https://github.com/nextcloud/files_pdfviewer/issues/381#issuecomment-845806364 + docker exec dd-apps-nextcloud-app sed -i 's/encodeURIComponent(i\[a\])/i[a]/' /var/www/html/apps/files_pdfviewer/js/files_pdfviewer-main.js + + # Add default file for moodle activities + if [ ! -f $DATA_FOLDER/nextcloud/admin/files/template.docx ]; then + cp dd-apps/docker/nextcloud/template.docx $DATA_FOLDER/nextcloud/admin/files/ + nextcloud_scan + fi + + configure_nextcloud_logo +} + +nextcloud_scan(){ + # The folders shown as 'not writeable' are empty user folders. Not a problem. + docker exec -u www-data dd-apps-nextcloud-app php occ files:scan --all +} + +setup_moodle(){ + echo " --> Applying custom settings in moodle" + docker exec -ti dd-apps-moodle php7 admin/cli/cfg.php --name=guestloginbutton --set=0 + docker exec -ti dd-apps-moodle php7 admin/cli/cfg.php --name=enrol_plugins_enabled --set=manual + docker exec -ti dd-apps-moodle php7 admin/cli/cfg.php --name=enablemobilewebservice --set=0 + docker exec -ti dd-apps-moodle php7 admin/cli/cfg.php --name=enablebadges --set=0 + docker exec -ti dd-apps-moodle php7 admin/cli/cfg.php --name=timezone --set="${MOODLE_TIMEZONE-Europe/Madrid}" + docker exec -ti dd-apps-moodle php7 admin/cli/purge_caches.php +} + +setup_wordpress(){ + echo " --> Applying custom settings in wordpress" + ## Multisite + docker exec -ti dd-apps-wordpress /bin/sh -c "/multisite.sh" + + docker-compose run --user=33 dd-apps-wordpress-cli /bin/bash -s <<-EOF + wp plugin activate onelogin-saml-sso + wp plugin install generateblocks --activate + wp plugin activate generateblocks --network + + wp theme install generatepress --activate + wp theme enable generatepress --network + wp theme delete twentynineteen + wp theme delete twentytwenty + wp theme delete twentytwentyone + + wp option set WPLANG ca + wp option set date_format "d/m/Y" + EOF + docker-compose run --user=root dd-apps-wordpress-cli /bin/bash -c 'chown -R 33:33 /var/www/html/wp-content/uploads;' +} + +setup_keycloak(){ + # configure keycloak: realm and client_scopes + echo " --> Setting up SAML for moodle" + docker exec -ti dd-sso-admin sh -c "export PYTHONWARNINGS='ignore:Unverified HTTPS request' && cd /admin/saml_scripts/ && python3 keycloak_config.py" +} + +saml_certificates(){ + wait_for_moodle + echo " --> Setting up SAML for moodle" + docker exec -ti dd-sso-admin sh -c "export PYTHONWARNINGS='ignore:Unverified HTTPS request' && cd /admin/saml_scripts/ && python3 moodle_saml.py" + docker exec -ti dd-apps-moodle php7 admin/cli/purge_caches.php + + # CERTIFICATES FOR SAML + echo " --> Generating certificates for nextcloud and wordpress" + docker exec -ti dd-sso-admin /bin/sh -c "/admin/generate_certificates.sh" + + # SAML PLUGIN NEXTCLOUD + echo " --> Setting up SAML for nextcloud" + docker exec -ti dd-sso-admin sh -c "export PYTHONWARNINGS='ignore:Unverified HTTPS request' && cd /admin/saml_scripts/ && python3 nextcloud_saml.py" + + # SAML PLUGIN WORDPRESS + echo " --> Setting up SAML for wordpress" + docker exec -ti dd-sso-admin sh -c "export PYTHONWARNINGS='ignore:Unverified HTTPS request' && cd /admin/saml_scripts/ && python3 wordpress_saml.py" + + # SAML PLUGIN MOODLE + # echo "To add SAML to moodle:" + # echo "1.-Activate SAML plugin in moodle extensions, regenerate certificate, lock certificate" + # echo "2.-Then run: docker exec -ti dd-sso-admin python3 /admin/nextcloud_saml.py" + # echo "3.-" +} + +wait_for_moodle(){ + echo "Waiting for system to be fully up before customizing... It can take some minutes..." + echo " (you can monitorize install with: docker logs dd-apps-moodle --follow" + while [ "`docker inspect -f {{.State.Health.Status}} dd-apps-moodle`" != "healthy" ]; do sleep 2; done +} + +upgrade_moodle(){ + docker exec -ti dd-apps-moodle php7 admin/cli/maintenance.php --enable + docker exec -ti dd-apps-moodle php7 admin/cli/upgrade.php --non-interactive --allow-unstable + docker exec -ti dd-apps-moodle php7 admin/cli/maintenance.php --disable +} + +extras_adminer(){ + docker-compose -f dd-apps/docker/network.yml \ + -f dd-sso/docker-compose-parts/adminer.yml config > adminer.yml + echo " --> Generated adminer.yml" + echo " Bring it up: docker-compose -f adminer.yml up -d" + echo " Connect to: https://sso.$DOMAIN/dd-sso-adminer/" + echo " Parameters:" + echo " - System: PostgreSQL (or Mysql for wordpress db)" + echo " Server: dd-apps-postgresql (or dd-apps-mariadb for wordpress db)" + echo " User/Pass/Database from dd.conf" +} + +extras_pgtuner(){ + docker-compose -f dd-apps/docker/network.yml \ + -f dd-sso/docker-compose-parts/pgtuner.yml config > pgtuner.yml + echo " --> Generated pgtuner.yml" +} + +extras_nextcloud_remove_banned_ips(){ + docker-compose exec dd-apps-postgresql psql -v ON_ERROR_STOP=1 \ + -U admin nextcloud -c "DELETE FROM oc_bruteforce_attempts;" +} + +extras_nextcloud_set_admin_group(){ + docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=admin && php occ user:delete admin' + docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=N3xtcl0ud && php occ user:add --password-from-env --display-name="Admin" --group="admin" admin' +} + +extras_dump_keycloak_client(){ + docker exec -ti dd-sso-keycloak sh -c " + /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password keycloakkeycloak \ + && /opt/jboss/keycloak/bin/kcadm.sh get clients/bef873f0-2079-4876-8657-067de27d01b7 -r master""" +} +upgrade_plugins_moodle(){ + wait_for_moodle + rm -rf /tmp/moodle + + mkdir -p /tmp/moodle/mod + mkdir -p /tmp/moodle/mod/assign/submission + mkdir -p /tmp/moodle/auth/saml2 + mkdir -p /tmp/moodle/theme/cbe + mkdir -p /tmp/moodle/blocks + + curl --location $MOODLE_PLUGIN_JITSI > jitsi.zip + unzip jitsi.zip -d /tmp/moodle/mod/ + rm jitsi.zip + + curl --location $MOODLE_PLUGIN_BBB > bbb.zip + unzip bbb.zip -d /tmp/moodle/mod/ + rm bbb.zip + + # curl --location https://github.com/isard-vdi/moodle-auth_saml2/archive/refs/heads/role_map.zip > auth_saml2.zip + # curl --location https://moodle.org/plugins/download.php/24556/auth_saml2_moodle311_2021062900.zip > auth_saml2.zip + curl --location $MOODLE_PLUGIN_SAML > auth_saml2.zip + unzip auth_saml2.zip -d /tmp/moodle/auth/ + mv /tmp/moodle/auth/moodle-auth_saml2-role_map/* /tmp/moodle/auth/saml2/ + rm -rf /tmp/moodle/auth/moodle-auth_saml2-role_map + rm auth_saml2.zip + + if [[ "$MOODLE_PLUGIN_TRESIPUNTSHARE" == *"develop"* ]]; then + PLUGIN_BRANCH=develop + else + PLUGIN_BRANCH=master + fi + curl --location $MOODLE_PLUGIN_TRESIPUNTSHARE > tresipuntshare.zip + unzip tresipuntshare.zip -d /tmp/moodle/mod/ + mv /tmp/moodle/mod/moodle_mod_tresipuntshare-$PLUGIN_BRANCH /tmp/moodle/mod/tresipuntshare + rm tresipuntshare.zip + + if [[ "$MOODLE_PLUGIN_TRESIPUNTVIDEO" == *"develop"* ]]; then + PLUGIN_BRANCH=develop + else + PLUGIN_BRANCH=master + fi + curl --location $MOODLE_PLUGIN_TRESIPUNTVIDEO > tresipuntvideo.zip + unzip tresipuntvideo.zip -d /tmp/moodle/mod/ + mv /tmp/moodle/mod/moodle_mod_tresipuntvideo-$PLUGIN_BRANCH /tmp/moodle/mod/tresipuntvideo + rm tresipuntvideo.zip + + if [[ "$MOODLE_PLUGIN_TRESIPUNTAUDIO" == *"develop"* ]]; then + PLUGIN_BRANCH=develop + else + PLUGIN_BRANCH=master + fi + curl --location $MOODLE_PLUGIN_TRESIPUNTAUDIO > tresipuntaudio.zip + unzip tresipuntaudio.zip -d /tmp/moodle/mod/ + mv /tmp/moodle/mod/moodle_mod_tresipuntaudio-$PLUGIN_BRANCH /tmp/moodle/mod/tresipuntaudio + rm tresipuntaudio.zip + + if [[ "$MOODLE_PLUGIN_ASSIGNSUBMISSION" == *"develop"* ]]; then + PLUGIN_BRANCH=develop + else + PLUGIN_BRANCH=master + fi + curl --location $MOODLE_PLUGIN_ASSIGNSUBMISSION > assignsubmission_tipnc.zip + unzip assignsubmission_tipnc.zip -d /tmp/moodle/mod/assign/submission/ + mv /tmp/moodle/mod/assign/submission/moodle_assignsubmission_tipnc-$PLUGIN_BRANCH /tmp/moodle/mod/assign/submission/tipnc + rm assignsubmission_tipnc.zip + + curl --location $MOODLE_PLUGIN_TRESIPUNTMODSPEND > block_tresipuntmodspend.zip + unzip block_tresipuntmodspend.zip -d /tmp/moodle/blocks/ + rm block_tresipuntmodspend.zip + + if [[ "$MOODLE_THEME_CBE" == *"develop"* ]]; then + PLUGIN_BRANCH=develop + else + PLUGIN_BRANCH=master + fi + curl --location $MOODLE_THEME_CBE > tresipunt_theme_cbe.zip + unzip tresipunt_theme_cbe.zip -d /tmp/moodle/theme/cbe/ + mv /tmp/moodle/theme/cbe/moodle_theme_cbe-$PLUGIN_BRANCH/* /tmp/moodle/theme/cbe/ + rm tresipunt_theme_cbe.zip + + #mkdir -p /tmp/moodle/local/tresipuntimportgc + #cp -R local_plugins/moodle/tresipuntimportgc/* /tmp/moodle/local/tresipuntimportgc/ + + cp -R /tmp/moodle/* $SRC_FOLDER/moodle/ + rm -rf /tmp/moodle + docker exec -ti dd-apps-moodle php7 admin/cli/purge_caches.php +} + +upgrade_plugins_nextcloud(){ + wget https://code.jquery.com/jquery-3.2.1.slim.min.js -O $SRC_FOLDER/nextcloud/themes/dd/core/js/jquery_slim_3.2.1.js + cp -R dd-apps/docker/nextcloud/src/* $SRC_FOLDER/nextcloud/ +} + +upgrade_plugins_wp(){ + cp -R dd-apps/docker/wordpress/src/* $SRC_FOLDER/wordpress/ + + if [ ! -d $SRC_FOLDER/wordpress/wp-content/mu-plugins ]; then + git clone https://gitlab.com/muplugins-multiste1/muplugins-google-sites.git $SRC_FOLDER/wordpress/wp-content/mu-plugins + fi + if [ ! -d $SRC_FOLDER/wordpress/wp-content/mu-plugins/.git ]; then + echo "WARNING: $SRC_FOLDER/wordpress/wp-content/mu-plugins is not a git repository." + echo " This could be due to old installation. To bring all new mu-plugins code for WP" + echo " remove that folder and it will be cloned and mantained with git from now on." + else + sh -c "cd $SRC_FOLDER/wordpress/wp-content/mu-plugins; git pull" + fi + docker-compose run --user=root dd-apps-wordpress-cli /bin/bash -c 'chown -R 33:33 /var/www/html/wp-content/mu-plugins;' +} + +update_logos_and_menu(){ + # docker exec -ti dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes,value=false)'" + # docker exec -ti dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates,value=false)'" + # docker exec -ti dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge,value=-1)'" + # docker exec -ti dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='reload'" + docker exec -ti --user root dd-sso-keycloak sh -c 'rm -rf /opt/jboss/keycloak/standalone/tmp/kc-gzip-cache/*' + docker-compose build dd-sso-api && docker-compose up -d dd-sso-api + configure_nextcloud_logo +} + +configure_nextcloud_logo(){ + local instance_id=$(docker exec -u www-data dd-apps-nextcloud-app php occ config:system:get instanceid) + local cachebuster=$(docker exec -u www-data dd-apps-nextcloud-app php occ config:app:get theming cachebuster) + docker exec -u www-data dd-apps-nextcloud-app mkdir -p /var/www/html/data/appdata_$instance_id/theming/images + docker cp custom/img/logo.png dd-apps-nextcloud-app:/var/www/html/data/appdata_$instance_id/theming/images/logo + docker cp custom/img/background.png dd-apps-nextcloud-app:/var/www/html/data/appdata_$instance_id/theming/images/background + docker exec dd-apps-nextcloud-app chown www-data:www-data /var/www/html/data/appdata_$instance_id/theming/images/{logo,background} + docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set theming logoMime --value="image/png" + docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set theming backgroundMime --value="image/png" + docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set theming cachebuster --value="$(expr $cachebuster + 1 )" +} + +genpwd() { + if [ ! -f /usr/share/dict/words ]; then + prerequisites_pwd > /dev/null + fi + shuf -n3 /usr/share/dict/words | tr -d "\n" | tr -d "'" +} + +securize() { + for dd_var in \ + ADMINAPP_PASSWORD \ + DDADMIN_PASSWORD \ + KEYCLOAK_PASSWORD \ + KEYCLOAK_DB_PASSWORD \ + POSTGRES_PASSWORD \ + MARIADB_PASSWORD \ + MOODLE_POSTGRES_PASSWORD \ + MOODLE_ADMIN_PASSWORD \ + NEXTCLOUD_POSTGRES_PASSWORD \ + NEXTCLOUD_ADMIN_PASSWORD \ + ETHERPAD_POSTGRES_PASSWORD \ + ETHERPAD_ADMIN_PASSWORD \ + WORDPRESS_MARIADB_PASSWORD \ + WORDPRESS_ADMIN_PASSWORD \ + IPA_ADMIN_PWD; do + setconf "${dd_var}" "$(genpwd)" + done +} + +setconf() { + dd_var="$(echo "$1" | tr "[:lower:]" "[:upper:]")" + dd_val="$2" + dd_line="$(printf '%s="%s"' "${dd_var:?}" "${dd_val}")" + conf_file="${3:-dd.conf}" + if grep -qE "^${dd_var:?}=" "${conf_file}"; then + # Found uncommented, replace in-place + sed -i'' -E "s!^${dd_var:?}=.*\$!${dd_line}!" "${conf_file}" + elif grep -qE "^#[[:space:]]*${dd_var:?}=" "${conf_file}"; then + # Found commented, replace in-place + sed -i'' -E "s!^#[[:space:]]*${dd_var:?}=.*\$!${dd_line}!" "${conf_file}" + else + # Not found, append + echo "${dd_line}" >> "${conf_file}" + fi +} + +# Argument handling +case "$OPERATION" in + build) + build + ;; + build-devel) + build_compose_develop + ;; + adminer) + extras_adminer + ;; + all) + build + up + + wait_for_moodle + upgrade_plugins_moodle + upgrade_plugins_nextcloud + upgrade_plugins_wp + + setup_nextcloud + setup_moodle + setup_wordpress + + setup_keycloak + saml_certificates + + cat <<-EOF + + #### After install #### + - SSO in moodle should be active. You can go to: https://moodle.$DOMAIN + If it fails, regenerate and lock certificate in moodle SAML2 connector as a local admin. + After that run ./dd-ctl saml + - SSO in nextcloud should be active. You can go to: https://nextcloud.$DOMAIN + - SSO in wordpress should be active. You should go to https://wp.$DOMAIN/wp-admin//plugins.php + + #### Update customizations #### + - ./dd-ctl customize + EOF + ;; + branding) + up + wait_for_moodle + update_logos_and_menu + ;; + customize) + up + wait_for_moodle + setup_nextcloud + setup_wordpress + setup_moodle + ;; + down) + down + ;; + nextcloud-scan) + nextcloud_scan + ;; + pgtuner) + extras_pgtuner + ;; + prerequisites) + prerequisites_docker + prerequisites_pwd + ;; + repo-update) + update_repo + ;; + reset-data|reset-1714) + cat <<-EOF + # Following commands RESET ALL DATA except for certificates + # execute them only if you know what you are doing + # This *will* result in DATA LOSS + "$0" down + rm -rf /opt/DD/data/* + rm -rf /opt/DD/db/* + rm -rf '$SRC_FOLDER/avatars' + rm -rf '$SRC_FOLDER/moodle' + rm -rf '$SRC_FOLDER/nextcloud' + rm -rf '$SRC_FOLDER/wordpress' + EOF + ;; + restart-api) + up + wait_for_moodle + docker restart dd-sso-api + ;; + saml) + up + wait_for_moodle + setup_keycloak + saml_certificates + ;; + securize) + securize + ;; + setconf) + setconf "$2" "$3" + ;; + up) + up + ;; + upgrade-plugins) + up + wait_for_moodle + upgrade_plugins_moodle + upgrade_plugins_nextcloud + upgrade_plugins_wp + ;; + yml) + cp dd.conf .env + CUSTOM_PATH=$(pwd) + . ./.env + build_compose + ;; + listpatches) + listpatches + ;; + genpatches) + genpatches + ;; + *) + printf "Unknown command '%s'\n\n" "$OPERATION" >&2 + help >&2 + exit 1 + ;; +esac diff --git a/dd-install.sh b/dd-install.sh new file mode 100755 index 0000000..d5b23ba --- /dev/null +++ b/dd-install.sh @@ -0,0 +1,270 @@ +#!/usr/bin/env -S bash -eu +# +# Copyright 2022 -- Evilham +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +# General settings, dir, repo, branch. You usually do not want these changed. +DDSRC_DIR="${DDSRC_DIR:-/opt/src/DD}" +DDREPO_URL="${DDREPO_URL:-https://gitlab.com/DD-workspace/DD}" +DDBRANCH="${DDBRANCH:-main}" +DDLOG="${DDLOG:-dd-install.log}" + +help() { + cat <&1 | tee -a "${DDLOG}" +# Install all prerequisites +./dd-ctl prerequisites 2>&1 | tee -a "${DDLOG}" +# Fix insecure passwords +./dd-ctl securize 2>&1 | tee -a "${DDLOG}" +# Perform installation as per further instructions +./dd-ctl all 2>&1 | tee -a "${DDLOG}" + +# Wait a tad to work around dd-sso issues +echo "Waiting a few seconds for things to settle..." +sleep 30 +# Address timing dd-sso issue by restarting the containers +./dd-ctl down +./dd-ctl up + +## Ensure SAML is set up (it errors always) +./dd-ctl saml || true +# Address Moodle custom settings, plugins and registration +NEXTCLOUD_ADMIN_USER="$(grep -E '^NEXTCLOUD_ADMIN_USER=' dd.conf | cut -d = -f 2-)" +NEXTCLOUD_ADMIN_PASSWORD="$(grep -E '^NEXTCLOUD_ADMIN_PASSWORD=' dd.conf | cut -d = -f 2-)" +docker exec -i -u nobody dd-apps-moodle sh -s <. +# +# SPDX-License-Identifier: AGPL-3.0-or-later +FROM alpine:3.12.0 as production +MAINTAINER isard + +RUN apk add python3 py3-pip py3-pyldap~=3.2.0 +RUN pip3 install --upgrade pip +RUN apk add --no-cache --virtual .build_deps \ + build-base \ + python3-dev \ + libffi-dev \ + gcc python3-dev linux-headers musl-dev postgresql-dev +COPY admin/docker/requirements.pip3 /requirements.pip3 +RUN pip3 install --no-cache-dir -r requirements.pip3 +RUN apk del .build_deps + +RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow + +RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt + +# SSH configuration +# ARG SSH_ROOT_PWD +# RUN apk add openssh +# RUN echo "root:$SSH_ROOT_PWD" |chpasswd +# RUN sed -i \ +# -e 's|[#]*PermitRootLogin prohibit-password|PermitRootLogin yes|g' \ +# -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication yes|g' \ +# -e 's|[#]*ChallengeResponseAuthentication yes|ChallengeResponseAuthentication yes|g' \ +# -e 's|[#]*UsePAM yes|UsePAM yes|g' \ +# -e 's|[#]#Port 22|Port 22|g' \ +# /etc/ssh/sshd_config + +# Let's test 0.26.1 python-keycloak version +# RUN apk add --no-cache git && \ +# git clone -b delete_realm_roles https://github.com/isard-vdi/python-keycloak.git && \ +# cd python-keycloak && \ +# python3 setup.py install && \ +# apk del git + +COPY admin/src /admin +RUN cd /admin/admin && yarn install + +COPY admin/docker/run.sh /run.sh + +#EXPOSE 7039 +CMD [ "/run.sh" ] \ No newline at end of file diff --git a/dd-sso/admin/docker/requirements.pip3 b/dd-sso/admin/docker/requirements.pip3 new file mode 100644 index 0000000..697271c --- /dev/null +++ b/dd-sso/admin/docker/requirements.pip3 @@ -0,0 +1,35 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +Flask==2.0.1 +Flask-Login==0.5.0 +eventlet==0.33.0 +Flask-SocketIO==5.1.0 +bcrypt==3.2.0 +diceware==0.9.6 +mysql-connector-python==8.0.25 +psycopg2==2.8.6 +python-keycloak==0.26.1 +minio==7.0.3 +urllib3==1.26.6 +schema==0.7.5 +Werkzeug~=2.0.0 +python-jose==3.3.0 +Cerberus==1.3.4 +PyYAML==6.0 diff --git a/dd-sso/admin/docker/run.sh b/dd-sso/admin/docker/run.sh new file mode 100755 index 0000000..5f17e3d --- /dev/null +++ b/dd-sso/admin/docker/run.sh @@ -0,0 +1,30 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# ssh-keygen -A +## Only in development +cd /admin/admin +yarn install +## End Only in development +cd /admin +export PYTHONWARNINGS="ignore:Unverified HTTPS request" +python3 start.py +#& +# /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config \ No newline at end of file diff --git a/dd-sso/admin/src/admin/__init__.py b/dd-sso/admin/src/admin/__init__.py new file mode 100644 index 0000000..014aa18 --- /dev/null +++ b/dd-sso/admin/src/admin/__init__.py @@ -0,0 +1,128 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import logging as log +import os + +from flask import Flask, render_template, send_from_directory + +app = Flask(__name__, static_url_path="") +app = Flask(__name__, template_folder="static/templates") +app.url_map.strict_slashes = False + +""" +App secret key for encrypting cookies +You can generate one with: + import os + os.urandom(24) +And paste it here. +""" +app.secret_key = "Change this key!/\xf7\x83\xbe\x17\xfa\xa3zT\n\\]m\xa6\x8bF\xdd\r\xf7\x9e\x1d\x1f\x14'" + +print("Starting dd-sso api...") + +from admin.lib.load_config import loadConfig + +try: + loadConfig(app) +except: + print("Could not get environment variables...") + +from admin.lib.postup import Postup + +Postup() + +from admin.lib.admin import Admin + +app.admin = Admin() + +app.ready = False + +""" +Debug should be removed on production! +""" +if app.debug: + log.warning("Debug mode: {}".format(app.debug)) +else: + log.info("Debug mode: {}".format(app.debug)) + +""" +Serve static files +""" + + +@app.route("/build/") +def send_build(path): + return send_from_directory( + os.path.join(app.root_path, "node_modules/gentelella/build"), path + ) + + +@app.route("/vendors/") +def send_vendors(path): + return send_from_directory( + os.path.join(app.root_path, "node_modules/gentelella/vendors"), path + ) + + +@app.route("/node_modules/") +def send_nodes(path): + return send_from_directory(os.path.join(app.root_path, "node_modules"), path) + + +@app.route("/templates/") +def send_templates(path): + return send_from_directory(os.path.join(app.root_path, "templates"), path) + + +# @app.route('/templates/') +# def send_templates(path): +# return send_from_directory(os.path.join(app.root_path, 'static/templates'), path) + + +@app.route("/static/") +def send_static_js(path): + return send_from_directory(os.path.join(app.root_path, "static"), path) + + +@app.route("/avatars/") +def send_avatars_img(path): + return send_from_directory( + os.path.join(app.root_path, "../avatars/master-avatars"), path + ) + + +@app.route("/custom/") +def send_custom(path): + return send_from_directory(os.path.join(app.root_path, "../custom"), path) + + +# @app.errorhandler(404) +# def not_found_error(error): +# return render_template('page_404.html'), 404 + +# @app.errorhandler(500) +# def internal_error(error): +# return render_template('page_500.html'), 500 + +""" +Import all views +""" +from .views import ApiViews, AppViews, LoginViews, WebViews, WpViews diff --git a/dd-sso/admin/src/admin/auth/__init__.py b/dd-sso/admin/src/admin/auth/__init__.py new file mode 100644 index 0000000..fdc5d62 --- /dev/null +++ b/dd-sso/admin/src/admin/auth/__init__.py @@ -0,0 +1,19 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/dd-sso/admin/src/admin/auth/authentication.py b/dd-sso/admin/src/admin/auth/authentication.py new file mode 100644 index 0000000..f7da0be --- /dev/null +++ b/dd-sso/admin/src/admin/auth/authentication.py @@ -0,0 +1,79 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import os + +from flask_login import LoginManager, UserMixin + +from admin import app + +""" OIDC TESTS """ +# from flask_oidc import OpenIDConnect +# app.config.update({ +# 'SECRET_KEY': 'u\x91\xcf\xfa\x0c\xb9\x95\xe3t\xba2K\x7f\xfd\xca\xa3\x9f\x90\x88\xb8\xee\xa4\xd6\xe4', +# 'TESTING': True, +# 'DEBUG': True, +# 'OIDC_CLIENT_SECRETS': 'client_secrets.json', +# 'OIDC_ID_TOKEN_COOKIE_SECURE': False, +# 'OIDC_REQUIRE_VERIFIED_EMAIL': False, +# 'OIDC_VALID_ISSUERS': ['https://sso.mydomain.duckdns.org:8080/auth/realms/master'], +# 'OIDC_OPENID_REALM': 'https://sso.mydomain.duckdns.org//custom_callback', +# 'OVERWRITE_REDIRECT_URI': 'https://sso.mydomain.duckdns.org//custom_callback', +# }) +# # 'OVERWRITE_REDIRECT_URI': 'https://sso.mydomain.duckdns.org//custom_callback', +# # 'OIDC_CALLBACK_ROUTE': '//custom_callback' +# oidc = OpenIDConnect(app) +""" OIDC TESTS """ + + +login_manager = LoginManager() +login_manager.init_app(app) +login_manager.login_view = "login" + + +ram_users = { + os.environ["ADMINAPP_USER"]: { + "id": os.environ["ADMINAPP_USER"], + "password": os.environ["ADMINAPP_PASSWORD"], + "role": "manager", + }, + os.environ["KEYCLOAK_USER"]: { + "id": os.environ["KEYCLOAK_USER"], + "password": os.environ["KEYCLOAK_PASSWORD"], + "role": "admin", + }, + os.environ["WORDPRESS_MARIADB_USER"]: { + "id": os.environ["WORDPRESS_MARIADB_USER"], + "password": os.environ["WORDPRESS_MARIADB_PASSWORD"], + "role": "manager", + }, +} + + +class User(UserMixin): + def __init__(self, dict): + self.id = dict["id"] + self.username = dict["id"] + self.password = dict["password"] + self.role = dict["role"] + + +@login_manager.user_loader +def user_loader(username): + return User(ram_users[username]) diff --git a/dd-sso/admin/src/admin/auth/tokens.py b/dd-sso/admin/src/admin/auth/tokens.py new file mode 100644 index 0000000..cc7b100 --- /dev/null +++ b/dd-sso/admin/src/admin/auth/tokens.py @@ -0,0 +1,118 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +# Copyright 2017 the Isard-vdi project authors: +# Josep Maria Viñolas Auquer +# Alberto Larraz Dalmases +# License: AGPLv3 + +import json +import logging as log +import os +import traceback +from functools import wraps + +from flask import request +from jose import jwt + +from admin import app + +from ..lib.api_exceptions import Error + + +def get_header_jwt_payload(): + return get_token_payload(get_token_auth_header()) + + +def get_token_header(header): + """Obtains the Access Token from the a Header""" + auth = request.headers.get(header, None) + if not auth: + raise Error( + "unauthorized", + "Authorization header is expected", + traceback.format_stack(), + ) + + parts = auth.split() + if parts[0].lower() != "bearer": + raise Error( + "unauthorized", + "Authorization header must start with Bearer", + traceback.format_stack(), + ) + + elif len(parts) == 1: + raise Error("bad_request", "Token not found") + elif len(parts) > 2: + raise Error( + "unauthorized", + "Authorization header must be Bearer token", + traceback.format_stack(), + ) + + return parts[1] # Token + + +def get_token_auth_header(): + return get_token_header("Authorization") + + +def get_token_payload(token): + # log.warning("The received token in get_token_payload is: " + str(token)) + try: + claims = jwt.get_unverified_claims(token) + secret = app.config["API_SECRET"] + + except: + log.warning( + "JWT token with invalid parameters. Can not parse it.: " + str(token) + ) + raise Error( + "unauthorized", + "Unable to parse authentication parameters token.", + traceback.format_stack(), + ) + + try: + payload = jwt.decode( + token, + secret, + algorithms=["HS256"], + options=dict(verify_aud=False, verify_sub=False, verify_exp=True), + ) + except jwt.ExpiredSignatureError: + log.warning("Token expired") + raise Error("unauthorized", "Token is expired", traceback.format_stack()) + + except jwt.JWTClaimsError: + raise Error( + "unauthorized", + "Incorrect claims, please check the audience and issuer", + traceback.format_stack(), + ) + except Exception: + raise Error( + "unauthorized", + "Unable to parse authentication token.", + traceback.format_stack(), + ) + if payload.get("data", False): + return payload["data"] + return payload diff --git a/dd-sso/admin/src/admin/lib/admin.py b/dd-sso/admin/src/admin/lib/admin.py new file mode 100644 index 0000000..361c3a8 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/admin.py @@ -0,0 +1,1930 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import json +import logging as log +import os +import traceback +from pprint import pprint +from time import sleep + +import diceware + +from admin import app + +from .avatars import Avatars +from .helpers import ( + filter_roles_list, + filter_roles_listofdicts, + get_gids_from_kgroup_ids, + get_group_from_group_id, + gid2kpath, + kpath2gid, + system_username, +) +from .keycloak_client import KeycloakClient +from .moodle import Moodle +from .nextcloud import Nextcloud +from .nextcloud_exc import ProviderItemExists + +options = diceware.handle_options(None) +options.wordlist = "cat_ascii" +options.num = 3 + +import secrets + +from .api_exceptions import Error +from .events import Events, sio_event_send +from .exceptions import UserExists, UserNotFound +from .helpers import ( + count_repeated, + get_group_with_childs, + get_kid_from_kpath, + kpath2gids, + kpath2kpaths, + rand_password, +) + +MANAGER = os.environ["CUSTOM_ROLE_MANAGER"] +TEACHER = os.environ["CUSTOM_ROLE_TEACHER"] +STUDENT = os.environ["CUSTOM_ROLE_STUDENT"] + + +class Admin: + def __init__(self): + self.check_connections() + + self.set_custom_roles() + self.overwrite_admins() + + self.default_setup() + self.internal = {} + + ready = False + while not ready: + try: + self.resync_data() + ready = True + except: + print(traceback.format_exc()) + log.error("Could not resync data, waiting for system to be online...") + sleep(2) + + self.sync_groups_from_keycloak() + self.external = {"users": [], "groups": [], "roles": []} + + log.warning(" Updating missing user avatars with defaults") + self.av = Avatars() + # av.minio_delete_all_objects() # This will reset all avatars on usres + self.av.update_missing_avatars(self.internal["users"]) + + log.warning(" SYSTEM READY TO HANDLE CONNECTIONS") + + def check_connections(self): + ready = False + while not ready: + try: + self.keycloak = KeycloakClient(verify=app.config["VERIFY"]) + ready = True + except: + log.error(traceback.format_exc()) + log.error("Could not connect to keycloak, waiting to be online...") + sleep(2) + log.warning("Keycloak connected.") + + ready = False + while not ready: + try: + self.moodle = Moodle(verify=app.config["VERIFY"]) + ready = True + except: + log.error("Could not connect to moodle, waiting to be online...") + sleep(2) + log.warning("Moodle connected.") + + ready = False + while not ready: + try: + with open( + os.path.join( + app.root_path, + "../moodledata/saml2/moodle." + app.config["DOMAIN"] + ".pem", + ), + "r", + ) as pem: + ready = True + except IOError: + log.warning("Could not get moodle SAML2 pem certificate. Retrying...") + sleep(2) + + ready = False + while not ready: + try: + self.nextcloud = Nextcloud(verify=app.config["VERIFY"]) + ready = True + except: + log.error("Could not connect to nextcloud, waiting to be online...") + sleep(2) + log.warning("Nextcloud connected.") + + def set_custom_roles(self): + pass + + ## This function should be moved to postup.py + def overwrite_admins(self): + log.warning("Setting defaults...") + dduser = os.environ["DDADMIN_USER"] + ddpassword = os.environ["DDADMIN_PASSWORD"] + ddmail = os.environ["DDADMIN_EMAIL"] + + ### User admin in group admin + try: + log.warning("KEYCLOAK: Adding group admin and user admin to this group") + admin_guid = self.keycloak.add_group("admin") + except: + pass + admin_guid = self.keycloak.get_group_by_path(path="/admin")["id"] + try: + ## Add default admin user to group admin + admin_uid = self.keycloak.get_user_id("admin") + self.keycloak.group_user_add(admin_uid, admin_guid) + log.warning("KEYCLOAK: OK") + except: + print(traceback.format_exc()) + log.warning("KEYCLOAK: Seems to be there already") + + ### ddadmin user + try: + log.warning( + "KEYCLOAK: Adding user ddadmin and adding to group and role admin" + ) + uid = self.keycloak.add_user( + dduser, + "DD", + "Admin", + ddmail, + ddpassword, + group="admin", + password_temporary=False, + ) + self.keycloak.assign_realm_roles(uid, "admin") + log.warning("KEYCLOAK: OK") + except: + log.warning("KEYCLOAK: Seems to be there already") + + try: + log.warning("MOODLE: Adding default group admin") + self.moodle.add_system_cohort("admin", "system admins") + log.warning("MOODLE: OK") + except: + log.warning("MOODLE: Seems to be there already") + + try: + log.warning("MOODLE: Adding user ddadmin and adding to siteadmins") + self.moodle.create_user(ddmail, dduser, ddpassword, "DD", "Admin") + uid = self.moodle.get_user_by("username", dduser)["users"][0]["id"] + self.moodle.add_user_to_siteadmin(uid) + log.warning("MOODLE: OK") + except: + log.warning("MOODLE: Seems to be there already") + + try: + log.warning("NEXTCLOUD: Adding default group admin") + self.nextcloud.add_group("admin") + log.warning("NEXTCLOUD: OK") + except ProviderItemExists: + log.warning("NEXTCLOUD: Seems to be there already") + + try: + log.warning("NEXTCLOUD: Adding user ddadmin and adding to group admin") + self.nextcloud.add_user( + dduser, ddpassword, group="admin", email=ddmail, displayname="DD Admin" + ) + log.warning("NEXTCLOUD: OK") + except ProviderItemExists: + log.warning("NEXTCLOUD: Seems to be there already") + except: + log.error(traceback.format_exc()) + exit(1) + + def default_setup(self): + ### Add default roles + try: + log.warning("KEYCLOAK: Adding default roles") + self.keycloak.add_role(MANAGER, "Realm managers") + self.keycloak.add_role(TEACHER, "Realm teachers") + self.keycloak.add_role(STUDENT, "Realm students") + log.warning("KEYCLOAK: OK") + except: + log.warning("KEYCLOAK: Seems to be there already") + + #### Add default groups + try: + log.warning("KEYCLOAK: Adding default groups") + self.keycloak.add_group(MANAGER) + self.keycloak.add_group(TEACHER) + self.keycloak.add_group(STUDENT) + log.warning("KEYCLOAK: OK") + except: + log.warning("KEYCLOAK: Seems to be there already") + + try: + log.warning("MOODLE: Adding default group manager") + self.moodle.add_system_cohort(MANAGER, "system managers") + log.warning("MOODLE: OK") + except: + log.warning("MOODLE: Seems to be there already") + + try: + log.warning("MOODLE: Adding default group teacher") + self.moodle.add_system_cohort(TEACHER, "system teachers") + log.warning("MOODLE: OK") + except: + log.warning("MOODLE: Seems to be there already") + + try: + log.warning("MOODLE: Adding default group student") + self.moodle.add_system_cohort(STUDENT, "system students") + log.warning("MOODLE: OK") + except: + log.warning("MOODLE: Seems to be there already") + + try: + log.warning("NEXTCLOUD: Adding default group manager") + self.nextcloud.add_group(MANAGER) + log.warning("NEXTCLOUD: OK") + except ProviderItemExists: + log.warning("NEXTCLOUD: Seems to be there already") + + try: + log.warning("NEXTCLOUD: Adding default group teacher") + self.nextcloud.add_group(TEACHER) + log.warning("NEXTCLOUD: OK") + except ProviderItemExists: + log.warning("NEXTCLOUD: Seems to be there already") + + try: + log.warning("NEXTCLOUD: Adding default group student") + self.nextcloud.add_group(STUDENT) + log.warning("NEXTCLOUD: OK") + except ProviderItemExists: + log.warning("NEXTCLOUD: Seems to be there already") + + # try: + # log.warning( + # "KEYCLOAK: Adding default users system_teacher, system_manager and system_student users" + # ) + # uid = self.keycloak.add_user( + # "system_manager", + # "Manager", + # "System", + # "fakemanager@fake.com", + # "m@n@g3r", + # group=MANAGER, + # temporary=False, + # ) + # self.keycloak.assign_realm_roles(uid, MANAGER) + # uid = self.keycloak.add_user( + # "system_teacher", + # "Teacher", + # "System", + # "faketeacher@fake.com", + # "t3@ch3r", + # group=TEACHER, + # temporary=False, + # ) + # self.keycloak.assign_realm_roles(uid, TEACHER) + # uid = self.keycloak.add_user( + # "system_student", + # "Student", + # "System", + # "fakestudent@fake.com", + # "stud3nt", + # group=STUDENT, + # temporary=False, + # ) + # self.keycloak.assign_realm_roles(uid, STUDENT) + # log.warning("KEYCLOAK: OK") + # except: + # log.warning("KEYCLOAK: Seems to be there already") + + def resync_data(self): + self.internal = { + "users": self._get_mix_users(), + "groups": self._get_mix_groups(), + "roles": self._get_roles(), + } + return True + + def get_moodle_users(self): + return [ + u + for u in self.moodle.get_users_with_groups_and_roles() + if not system_username(u["username"]) + ] + + ## TOO SLOW. Not used. + # def get_moodle_users(self): + # log.warning('Loading moodle users... can take a long time...') + # users = self.moodle.get_users_with_groups_and_roles() + # #self.moodle.get_user_by('email','%%')['users'] + # return [{"id":u['id'], + # "username":u['username'], + # "first": u['firstname'], + # "last": u['lastname'], + # "email": u['email'], + # "groups": u['groups'], + # "roles": u['roles']} + # for u in users] + + def get_keycloak_users(self): + # log.warning('Loading keycloak users... can take a long time...') + + users = self.keycloak.get_users_with_groups_and_roles() + return [ + { + "id": u["id"], + "username": u["username"], + "first": u.get("first_name", None), + "last": u.get("last_name", None), + "enabled": u["enabled"], + "email": u.get("email", ""), + "groups": u["group"], + "roles": filter_roles_list(u["role"]), + } + for u in users + if not system_username(u["username"]) + ] + + def get_nextcloud_users(self): + return [ + { + "id": u["username"], + "username": u["username"], + "first": u["displayname"].split(" ")[0] + if u["displayname"] is not None + else "", + "last": u["displayname"].split(" ")[1] + if u["displayname"] is not None and len(u["displayname"].split(" ")) > 1 + else "", + "email": u.get("email", ""), + "groups": u["groups"], + "roles": False, + "quota": u["quota"], + "quota_used_bytes": str(int(int(u["total_bytes"]) / 1024 / 1024 / 2)) + + " MB" + if u["total_bytes"] != None + else "0 MB", + } + # The theoretical bytes returned do not map to any known unit. The division is just an approach while we investigate. + for u in self.nextcloud.get_users_list() + if u["username"] not in ["guest", "ddadmin", "admin"] + and not u["username"].startswith("system") + ] + + ## TOO SLOW + # def get_nextcloud_users(self): + # log.warning('Loading nextcloud users... can take a long time...') + # users = self.nextcloud.get_users_list() + # users_list=[] + # for user in users: + # u=self.nextcloud.get_user(user) + # users_list.append({"id":u['id'], + # "username":u['id'], + # "first": u['displayname'], + # "last": None, + # "email": u['email'], + # "groups": u['groups'], + # "roles": []}) + # return users_list + + def get_mix_users(self): + sio_event_send("get_users", {"you_win": "you got the users!"}) + return self.internal["users"] + + def _get_mix_users(self): + kgroups = self.keycloak.get_groups() + + kusers = self.get_keycloak_users() + musers = self.get_moodle_users() + nusers = self.get_nextcloud_users() + + kusers_usernames = [u["username"] for u in kusers] + musers_usernames = [u["username"] for u in musers] + nusers_usernames = [u["username"] for u in nusers] + + all_users_usernames = set( + kusers_usernames + musers_usernames + nusers_usernames + ) + + users = [] + for username in all_users_usernames: + theuser = {} + keycloak_exists = [u for u in kusers if u["username"] == username] + + if len(keycloak_exists): + theuser = keycloak_exists[0] + theuser["keycloak"] = True + theuser["keycloak_groups"] = get_gids_from_kgroup_ids( + theuser.pop("groups"), kgroups + ) + # self.keycloak.get_user_groups_paths(keycloak_exists[0]['id']) #keycloak_exists[0]['groups'] + else: + theuser["id"] = False + theuser["keycloak"] = False + theuser["keycloak_groups"] = [] + + moodle_exists = [u for u in musers if u["username"] == username] + if len(moodle_exists): + theuser = {**moodle_exists[0], **theuser} + theuser["moodle"] = True + theuser["moodle_groups"] = moodle_exists[0]["groups"] + theuser["moodle_id"] = moodle_exists[0]["id"] + else: + theuser["moodle"] = False + theuser["moodle_groups"] = [] + + nextcloud_exists = [u for u in nusers if u["username"] == username] + if len(nextcloud_exists): + theuser = {**nextcloud_exists[0], **theuser} + theuser["nextcloud"] = True + theuser["nextcloud_groups"] = nextcloud_exists[0]["groups"] + theuser["nextcloud_id"] = nextcloud_exists[0]["id"] + theuser["quota"] = ( + theuser["quota"] + if theuser.get("quota", False) + and theuser["quota"] != None + and theuser["quota"] != "none" + else False + ) + else: + theuser["nextcloud"] = False + theuser["nextcloud_groups"] = [] + theuser["quota"] = False + theuser["quota_used_bytes"] = False + users.append(theuser) + return users + + def get_roles(self): + return self.internal["roles"] + + def _get_roles(self): + return filter_roles_listofdicts(self.keycloak.get_roles()) + + def get_group_by_name(self, group_name): + group = [g for g in self.internal["groups"] if g["name"] == group_name] + return group[0] if len(group) else False + + def get_keycloak_groups(self): + log.warning("Loading keycloak groups...") + return self.keycloak.get_groups() + + def get_moodle_groups(self): + log.warning("Loading moodle groups...") + return self.moodle.get_cohorts() + + def get_nextcloud_groups(self): + log.warning("Loading nextcloud groups...") + return self.nextcloud.get_groups_list() + + def get_mix_groups(self): + return self.internal["groups"] + + def _get_mix_groups(self): + kgroups = self.get_keycloak_groups() + mgroups = self.get_moodle_groups() + ngroups = self.get_nextcloud_groups() + + kgroups = [] if kgroups is None else kgroups + mgroups = [] if mgroups is None else mgroups + ngroups = [] if ngroups is None else ngroups + + kgroups_names = [kpath2gid(g["path"]) for g in kgroups] + mgroups_names = [g["name"] for g in mgroups] + ngroups_names = ngroups + + all_groups_names = set(kgroups_names + mgroups_names + ngroups_names) + groups = [] + for name in all_groups_names: + thegroup = {} + keycloak_exists = [g for g in kgroups if kpath2gid(g["path"]) == name] + if len(keycloak_exists): + # del keycloak_exists[0]['subGroups'] + thegroup = keycloak_exists[0] + thegroup["keycloak"] = True + thegroup["name"] = kpath2gid(thegroup["path"]) + # thegroup['path']=self.keycloak.get_group_path(keycloak_exists[0]['id']) + + else: + thegroup["id"] = False + thegroup["keycloak"] = False + thegroup["name"] = False + thegroup["path"] = False + moodle_exists = [g for g in mgroups if g["name"] == name] + if len(moodle_exists): + # del moodle_exists[0]['idnumber'] + # del moodle_exists[0]['descriptionformat'] + # del moodle_exists[0]['theme'] + # del moodle_exists[0]['visible'] + # # thegroup['path']=moodle_exists[0]['name'] + # thegroup={**moodle_exists[0], **thegroup} + thegroup["moodle"] = True + thegroup["moodle_id"] = moodle_exists[0]["id"] + thegroup["description"] = moodle_exists[0]["description"] + else: + thegroup["moodle"] = False + + nextcloud_exists = [g for g in ngroups if g == name] + if len(nextcloud_exists): + # nextcloud={"id":nextcloud_exists[0], + # "name":nextcloud_exists[0], + # "path":nextcloud_exists[0]} + # thegroup={**nextcloud, **thegroup} + thegroup["nextcloud"] = True + thegroup["nextcloud_id"] = nextcloud_exists[0] ### is the path + else: + thegroup["nextcloud"] = False + + groups.append(thegroup) + return groups + + def sync_groups_from_keycloak(self): + self.resync_data() + for group in self.internal["groups"]: + if not group["keycloak"]: + if group["moodle"]: + try: + self.moodle.delete_cohorts([group["moodle_id"]]) + except: + print(traceback.format_exc()) + # log.error('MOODLE: User '+user['username']+' it is not in cohort '+group) + if group["nextcloud"]: + self.nextcloud.delete_group(group["nextcloud_id"]) + + self.resync_data() + for group in self.internal["groups"]: + if group["keycloak"]: + if not group["moodle"]: + self.moodle.add_system_cohort(group["name"], description="") + if not group["nextcloud"]: + self.nextcloud.add_group(group["name"]) + self.resync_data() + + def get_external_users(self): + return self.external["users"] + + def get_external_groups(self): + return self.external["groups"] + + def get_external_roles(self): + return self.external["roles"] + + def upload_csv_ug(self, data): + log.warning("Processing uploaded users...") + users = [] + total = len(data["data"]) + item = 1 + ev = Events("Processing uploaded users", total=len(data["data"])) + groups = [] + for u in data["data"]: + log.warning( + "Processing (" + + str(item) + + "/" + + str(total) + + ") uploaded user: " + + u["username"] + ) + user_groups = [g.strip() for g in u["groups"].split(",") if g != ""] + if not len(user_groups): + user_groups = ["/" + u["role"].strip()] + pathslist = [] + for group in user_groups: + pathpart = "" + for part in kpath2gid(group).split("."): + if pathpart == "": + pathpart = part + else: + pathpart = pathpart + "." + part + pathslist.append(pathpart) + pathslist.append(u["role"]) + + groups = groups + user_groups + # pprint(u) + if u["quota"] == "": + u["quota"] = "500 MB" + if u["role"] == "student": + u["quota"] = "500MB" + if u["role"] == "teacher": + u["quota"] = "5 GB" + if u["role"] == "manager": + u["quota"] = "none" + if u["role"] == "admin": + u["quota"] = "none" + if u["quota"].lower() in ["false", "unlimited"]: + u["quota"] = "none" + + users.append( + { + "provider": "external", + "id": u["id"].strip(), + "email": u["email"].strip(), + "first": u["firstname"].strip(), + "last": u["lastname"].strip(), + "username": u["username"].strip(), + "groups": user_groups, + "gids": pathslist, + "quota": u["quota"], + "roles": [u["role"].strip()], + "password_temporary": True + if u["password_temporal"].lower() == "yes" + else False, + "password": self.get_dice_pwd() + if u["password"] == "" + else u["password"], + } + ) + item += 1 + ev.increment({"name": u["username"]}) + self.external["users"] = users + + groups = list(dict.fromkeys(groups)) + sysgroups = [] + for g in groups: + if g != "": + sysgroups.append( + { + "provider": "external", + "id": g, + "name": kpath2gid(g), + "path": g, + "description": "Imported with csv", + } + ) + self.external["groups"] = sysgroups + return True + + def get_dice_pwd(self): + return diceware.get_passphrase(options=options) + + def reset_external(self): + self.external = {"users": [], "groups": [], "roles": []} + return True + + def upload_json_ga(self, data): + groups = [] + log.warning("Processing uploaded groups...") + try: + ev = Events( + "Processing uploaded groups", + "Group:", + total=len(data["data"]["groups"]), + table="groups", + ) + except: + log.error(traceback.format_exc()) + for g in data["data"]["groups"]: + try: + group = { + "provider": "external", + "id": g["id"], + "mailid": g["email"].split("@")[0], + "name": g["name"], + "description": g["description"], + } + ev.increment({"name": g["name"], "data": group}) + groups.append(group) + except: + pass + self.external["groups"] = groups + + log.warning("Processing uploaded users...") + users = [] + total = len(data["data"]["users"]) + item = 1 + ev = Events( + "Processing uploaded users", + "User:", + total=len(data["data"]["users"]), + table="users", + ) + for u in data["data"]["users"]: + log.warning( + "Processing (" + + str(item) + + "/" + + str(total) + + ") uploaded user: " + + u["primaryEmail"].split("@")[0] + ) + new_user = { + "provider": "external", + "id": u["id"], + "email": u["primaryEmail"], + "first": u["name"]["givenName"], + "last": u["name"]["familyName"], + "username": u["primaryEmail"].split("@")[0], + "groups": [u["orgUnitPath"]], ## WARNING: Removing the first + "roles": [], + "password": self.get_dice_pwd(), + } + users.append(new_user) + item += 1 + ev.increment({"name": u["primaryEmail"].split("@")[0], "data": new_user}) + self.external["users"] = users + + ## Add groups to users (now they only have their orgUnitPath) + for g in self.external["groups"]: + for useringroup in data["data"]["d_members"][g["mailid"]]: + for u in self.external["users"]: + if u["id"] == useringroup["id"]: + u["groups"] = u["groups"] + [g["name"]] + return True + + def sync_external(self, ids): + # self.resync_data() + log.warning("Starting sync to keycloak") + self.sync_to_keycloak_external() + ### Now we only sycn external to keycloak and then they can be updated to others with UI buttons + log.warning("Starting sync to moodle") + self.sync_to_moodle_external() + log.warning("Starting sync to nextcloud") + self.sync_to_nextcloud_external() + log.warning("All syncs finished. Resyncing from apps...") + self.resync_data() + + def add_keycloak_groups(self, groups): + total = len(groups) + i = 0 + ev = Events( + "Syncing import groups to keycloak", "Adding group:", total=len(groups) + ) + for g in groups: + i = i + 1 + log.warning( + " KEYCLOAK GROUPS: Adding group (" + + str(i) + + "/" + + str(total) + + "): " + + g + ) + ev.increment({"name": g}) + self.keycloak.add_group_tree(g) + + def sync_to_keycloak_external( + self, + ): ### This one works from the external, moodle and nextcloud from the internal + groups = [] + for u in self.external["users"]: + groups = groups + u["groups"] + groups = list(dict.fromkeys(groups)) + + self.add_keycloak_groups(groups) + + total = len(self.external["users"]) + index = 0 + ev = Events( + "Syncing import users to keycloak", + "Adding user:", + total=len(self.external["users"]), + ) + for u in self.external["users"]: + index = index + 1 + # Add user + log.warning( + " KEYCLOAK USERS: Adding user (" + + str(index) + + "/" + + str(total) + + "): " + + u["username"] + ) + ev.increment({"name": u["username"], "data": u}) + uid = self.keycloak.add_user( + u["username"], + u["first"], + u["last"], + u["email"], + u["password"], + password_temporary=u["password_temporary"], + ) + self.av.add_user_default_avatar(uid, u["roles"][0]) + # Add user to role and group rolename + if len(u["roles"]) != 0: + log.warning( + " KEYCLOAK USERS: Assign user " + + u["username"] + + " with initial pwd " + + u["password"] + + " to role " + + u["roles"][0] + ) + self.keycloak.assign_realm_roles(uid, u["roles"][0]) + gid = self.keycloak.get_group_by_path("/" + u["roles"][0])["id"] + self.keycloak.group_user_add(uid, gid) + # Add user to groups + for group in u["groups"]: + for g in kpath2kpaths(group): + log.warning( + " KEYCLOAK USERS: Assign user " + + u["username"] + + " to group " + + str(g) + ) + kuser = self.keycloak.get_group_by_path(path=g) + gid = kuser["id"] + self.keycloak.group_user_add(uid, gid) + # We add it as it is needed for moodle and nextcloud + u["groups"].append(u["roles"][0]) + self.resync_data() + + def add_moodle_groups(self, groups): + ### Create all groups. Skip / in system groups + total = len(groups) + log.warning(groups) + ev = Events("Syncing groups from external to moodle", total=len(groups)) + i = 1 + for g in groups: + moodle_groups = kpath2gids(g) + for mg in moodle_groups: + try: + log.warning( + " MOODLE GROUPS: Adding group as cohort (" + + str(i) + + "/" + + str(total) + + "): " + + mg + ) + self.moodle.add_system_cohort(mg) + except Exception as e: + log.warning( + " MOODLE GROUPS: Group " + mg + " probably already exists" + ) + i = i + 1 + + def sync_to_moodle_external(self): # works from the internal (keycloak) + ### Process all groups from the users keycloak_groups key + groups = [] + for u in self.external["users"]: + groups = groups + u["groups"] + groups = list(dict.fromkeys(groups)) + + self.add_moodle_groups(groups) + + ### Get all existing moodle cohorts + cohorts = self.moodle.get_cohorts() + + ### Create users in moodle + ev = Events( + "Syncing users from external to moodle", total=len(self.internal["users"]) + ) + for u in self.external["users"]: + log.warning(" MOODLE: Creating moodle user: " + u["username"]) + ev.increment({"name": u["username"]}) + if u["first"] == "": + u["first"] = "-" + if u["last"] == "": + u["last"] = "-" + try: + self.moodle.create_user( + u["email"], + u["username"], + "*12" + secrets.token_urlsafe(16), + u["first"], + u["last"], + )[0] + except UserExists: + log.warning(" MOODLE: The user: " + u["username"] + " already exsits.") + except: + log.error(" -->> Error creating on moodle the user: " + u["username"]) + log.error(traceback.format_exc()) + # user_id=user['id'] + + # self.resync_data() + ### Add user to their cohorts (groups) + ev = Events( + "Syncing users groups from external to moodle cohorts", + total=len(self.internal["users"]), + ) + cohorts = self.moodle.get_cohorts() + for u in self.external["users"]: + try: + uid = self.moodle.get_user_by("username", u["username"])["users"][0][ + "id" + ] + for group in u["gids"]: + cohort = [c for c in cohorts if c["name"] == group][0] + self.moodle.add_user_to_cohort(uid, cohort["id"]) + except: + log.error("Exception on getting user from moodle: " + u["username"]) + log.error(self.moodle.get_user_by("username", u["username"])) + # self.resync_data() + + def delete_all_moodle_cohorts(self): + cohorts = self.moodle.get_cohorts() + ids = [c["id"] for c in cohorts] + self.moodle.delete_cohorts(ids) + + def add_nextcloud_groups(self, groups): + ### Create all groups. Skip / in system groups + total = len(groups) + log.warning(groups) + ev = Events("Syncing groups from external to nextcloud", total=len(groups)) + i = 1 + for g in groups: + nextcloud_groups = kpath2gids(g) + for ng in nextcloud_groups: + try: + log.warning( + " NEXTCLOUD GROUPS: Adding group (" + + str(i) + + "/" + + str(total) + + "): " + + ng + ) + self.nextcloud.add_group(ng) + except Exception as e: + log.warning( + " NEXTCLOUD GROUPS: Group " + ng + " probably already exists" + ) + i = i + 1 + + def sync_to_nextcloud_external(self): + groups = [] + for u in self.external["users"]: + groups = groups + u["gids"] + groups = list(dict.fromkeys(groups)) + + self.add_nextcloud_groups(groups) + + ev = Events( + "Syncing users from external to nextcloud", + total=len(self.internal["users"]), + ) + for u in self.external["users"]: + log.warning( + " NEXTCLOUD USERS: Creating nextcloud user: " + + u["username"] + + " with quota " + + str(u["quota"]) + + " in groups " + + str(u["gids"]) + ) + try: + ev.increment({"name": u["username"]}) + self.nextcloud.add_user_with_groups( + u["username"], + "*12" + secrets.token_urlsafe(16), + u["quota"], + u["gids"], + u["email"], + u["first"] + " " + u["last"], + ) + except ProviderItemExists: + log.warning( + " NEXTCLOUD USERS: User " + + u["username"] + + " already exists. Skipping..." + ) + continue + except: + log.error(traceback.format_exc()) + + def sync_to_moodle(self): # works from the internal (keycloak) + ### Process all groups from the users keycloak_groups key + groups = [] + for u in self.internal["users"]: + groups = groups + u["keycloak_groups"] + groups = list(dict.fromkeys(groups)) + + ev = Events("Syncing groups from keycloak to moodle", total=len(groups)) + pathslist = [] + for group in groups: + pathpart = "" + for part in group.split("."): + if pathpart == "": + pathpart = part + else: + pathpart = pathpart + "." + part + pathslist.append(pathpart) + ev.increment({"name": pathpart}) + try: + log.info("MOODLE: Adding group " + pathpart) + self.moodle.add_system_cohort(pathpart) + except: + # print(traceback.format_exc()) + log.warning( + "MOODLE: Group " + pathpart + " probably already exists." + ) + + ### Get all existing moodle cohorts + cohorts = self.moodle.get_cohorts() + + ### Create users in moodle + ev = Events( + "Syncing users from keycloak to moodle", total=len(self.internal["users"]) + ) + for u in self.internal["users"]: + if not u["moodle"]: + log.warning("Creating moodle user: " + u["username"]) + ev.increment({"name": u["username"]}) + if u["first"] == "": + u["first"] = " " + if u["last"] == "": + u["last"] = " " + try: + self.moodle.create_user( + u["email"], + u["username"], + "*12" + secrets.token_urlsafe(16), + u["first"], + u["last"], + )[0] + except: + log.error( + " -->> Error creating on moodle the user: " + u["username"] + ) + # user_id=user['id'] + + self.resync_data() + + ev = Events( + "Syncing users with moodle cohorts", total=len(self.internal["users"]) + ) + cohorts = self.moodle.get_cohorts() + for u in self.internal["users"]: + groups = u["keycloak_groups"] + [u["roles"][0]] + for path in groups: + try: + cohort = [c for c in cohorts if c["name"] == path][0] + except: + # print(traceback.format_exc()) + log.error( + " MOODLE USER GROUPS: keycloak group " + + path + + " does not exist as moodle cohort. This should not happen. User " + + u["username"] + + " not added." + ) + + try: + self.moodle.add_user_to_cohort(u["moodle_id"], cohort["id"]) + except: + # log.error(traceback.format_exc()) + log.warning( + " MOODLE USER GROUPS: User " + + u["username"] + + " already exists in cohort " + + cohort["name"] + ) + + ev.increment( + { + "name": "User " + u["username"] + " added to moodle cohorts", + "data": [], + } + ) + + self.resync_data() + + def sync_to_nextcloud(self): + groups = [] + for u in self.internal["users"]: + groups = groups + u["keycloak_groups"] + groups = list(dict.fromkeys(groups)) + + total = len(groups) + i = 0 + ev = Events("Syncing groups from keycloak to nextcloud", total=len(groups)) + for g in groups: + parts = g.split("/") + subpath = "" + for i in range(1, len(parts)): + try: + log.warning( + " NEXTCLOUD GROUPS: Adding group (" + + str(i) + + "/" + + str(total) + + "): " + + subpath + ) + ev.increment({"name": subpath}) + subpath = subpath + "/" + parts[i] + self.nextcloud.add_group(subpath) + except: + log.warning( + "NEXTCLOUD GROUPS: " + subpath + " probably already exists" + ) + i = i + 1 + + ev = Events( + "Syncing users from keycloak to nextcloud", + total=len(self.internal["users"]), + ) + for u in self.internal["users"]: + if not u["nextcloud"]: + log.warning( + " NEXTCLOUD USERS: Creating nextcloud user: " + + u["username"] + + " in groups " + + str(u["keycloak_groups"]) + ) + try: + ev.increment({"name": u["username"]}) + self.nextcloud.add_user_with_groups( + u["username"], + "*12" + secrets.token_urlsafe(16), + "500 GB", + u["keycloak_groups"], + u["email"], + u["first"] + " " + u["last"], + ) + except ProviderItemExists: + log.warning( + "User " + u["username"] + " already exists. Skipping..." + ) + continue + except: + log.error(traceback.format_exc()) + + def delete_keycloak_user(self, userid): + user = [u for u in self.internal["users"] if u["id"] == userid] + if len(user) and user[0]["keycloak"]: + user = user[0] + keycloak_id = user["id"] + else: + return False + log.warning("Removing keycloak user: " + user["username"]) + try: + self.keycloak.delete_user(keycloak_id) + except: + log.error(traceback.format_exc()) + log.warning("Could not remove users: " + user["username"]) + + self.av.delete_user_avatar(userid) + + def delete_keycloak_users(self): + total = len(self.internal["users"]) + i = 0 + ev = Events( + "Deleting users from keycloak", + "Deleting user:", + total=len(self.internal["users"]), + ) + for u in self.internal["users"]: + i = i + 1 + if not u["keycloak"]: + continue + # Do not remove admin users!!! What to do with managers??? + if ["admin"] in u["roles"]: + continue + log.info( + " KEYCLOAK USERS: Removing user (" + + str(i) + + "/" + + str(total) + + "): " + + u["username"] + ) + try: + ev.increment({"name": u["username"], "data": u}) + self.keycloak.delete_user(u["id"]) + except: + log.warning( + " KEYCLOAK USERS: Could not remove user: " + + u["username"] + + ". Probably already not exists." + ) + self.av.minio_delete_all_objects() + + def delete_nextcloud_user(self, userid): + user = [u for u in self.internal["users"] if u["id"] == userid] + if len(user) and user[0]["nextcloud"]: + user = user[0] + nextcloud_id = user["nextcloud_id"] + else: + return False + log.warning("Removing nextcloud user: " + user["username"]) + try: + self.nextcloud.delete_user(nextcloud_id) + except: + log.error(traceback.format_exc()) + log.warning("Could not remove users: " + user["username"]) + + def delete_nextcloud_users(self): + ev = Events("Deleting users from nextcloud", total=len(self.internal["users"])) + for u in self.internal["users"]: + + if u["nextcloud"] and not u["keycloak"]: + if u["roles"] and "admin" in u["roles"]: + continue + log.info("Removing nextcloud user: " + u["username"]) + try: + ev.increment({"name": u["username"]}) + self.nextcloud.delete_user(u["nextcloud_id"]) + except: + log.error(traceback.format_exc()) + log.warning("Could not remove user: " + u["username"]) + + def delete_moodle_user(self, userid): + user = [u for u in self.internal["users"] if u["id"] == userid] + if len(user) and user[0]["moodle"]: + user = user[0] + moodle_id = user["moodle_id"] + else: + return False + log.warning("Removing moodle user: " + user["username"]) + try: + self.moodle.delete_users([moodle_id]) + except: + log.error(traceback.format_exc()) + log.warning("Could not remove users: " + user["username"]) + + def delete_moodle_users(self): + userids = [] + usernames = [] + for u in self.internal["users"]: + if u["moodle"] and not u["keycloak"]: + userids.append(u["moodle_id"]) + usernames.append(u["username"]) + if len(userids): + log.warning("Removing moodle users: " + ",".join(usernames)) + try: + self.moodle.delete_users(userids) + app.socketio.emit( + "update", + json.dumps( + { + "status": True, + "item": "user", + "action": "delete", + "itemdata": u, + } + ), + namespace="//sio", + room="admin", + ) + except: + log.error(traceback.format_exc()) + log.warning("Could not remove users: " + ",".join(usernames)) + + def delete_keycloak_groups(self): + for g in self.internal["groups"]: + if not g["keycloak"]: + continue + # Do not remove admin group. It should not exist in keycloak, only in nextcloud + if g["name"] in ["admin", "manager", "teacher", "student"]: + continue + log.info("Removing keycloak group: " + g["name"]) + try: + self.keycloak.delete_group(g["id"]) + except: + log.error(traceback.format_exc()) + log.warning("Could not remove group: " + g["name"]) + + def external_roleassign(self, data): + for newuserid in data["ids"]: + for externaluser in self.external["users"]: + if externaluser["id"] == newuserid: + externaluser["roles"] = [data["action"]] + for role in ["admin", "manager", "teacher", "student"]: + try: + externaluser["gids"].remove(role) + # externaluser['groups'].remove('/'+role) + except: + pass + externaluser["gids"].append(data["action"]) + return True + + def user_update_password(self, userid, password, password_temporary): + return self.keycloak.update_user_pwd(userid, password, password_temporary) + + def update_users_from_keycloak(self): + kgroups = self.keycloak.get_groups() + users = [ + { + "id": u["id"], + "username": u["username"], + "enabled": u["enabled"], + "email": u["email"], + "firstname": u["first"], + "lastname": u["last"], + "groups": get_gids_from_kgroup_ids(u["groups"], kgroups), + "roles": u["roles"], + "quota": "3 GB" + if len(u["roles"]) and u["roles"][0] != "student" + else "500 MB", + } + for u in self.get_keycloak_users() + ] + + for user in users: + ev = Events( + "Updating users from keycloak", "User:", total=len(users), table="users" + ) + self.user_update(user) + ev.increment({"name": user["username"], "data": user["groups"]}) + + def user_update(self, user): + log.warning("Updating user moodle, nextcloud keycloak") + ev = Events("Updating user", "Updating user in keycloak") + + ## Get actual user role + try: + internaluser = [ + u for u in self.internal["users"] if u["username"] == user["username"] + ][0] + except: + raise UserNotFound + + if not len(user["roles"]): + user["roles"] = ["student"] + delete_roles = list( + set(["admin", "manager", "teacher", "student"]) - set(user["roles"]) + ) + + ### keycloak groups + + kadd = list( + set(user["groups"]) - set(internaluser["keycloak_groups"] + delete_roles) + ) + kdelete = list( + set(internaluser["keycloak_groups"]) + - set(user["groups"]) + - set(user["roles"]) + ) + if user["roles"][0] not in kadd: + kadd.append(user["roles"][0]) + + ### Moodle groups + madd = list( + set(user["groups"]) - set(internaluser["moodle_groups"] + delete_roles) + ) + mdelete = list( + set(internaluser["moodle_groups"]) + - set(user["groups"]) + - set(user["roles"]) + ) + if user["roles"][0] not in madd: + madd.append(user["roles"][0]) + + ### nextcloud groups + nadd = list( + set(user["groups"]) - set(internaluser["nextcloud_groups"] + delete_roles) + ) + ndelete = list( + set(internaluser["nextcloud_groups"]) + - set(user["groups"]) + - set(user["roles"]) + ) + if user["roles"][0] not in nadd: + nadd.append(user["roles"][0]) + + #### Delete recursive to parent from this subgroup + #### DISABLED DELETE BUT KEPT ADD, as we should then check if the user is still in another subgroups of this group. How? + # pathslist=[] + # for group in kdelete: + # pathpart='' + # for part in group.split('.'): + # if pathpart=='': + # pathpart=part + # else: + # pathpart=pathpart+'.'+part + # if repeated_subpaths[pathpart] > 1: + # ## We do not delete it as the user is in multiple subpaths of this path. + # continue + # pathslist.append(pathpart) + # kdelete=pathslist + + pathslist = [] + for group in kadd: + pathpart = "" + for part in group.split("."): + if pathpart == "": + pathpart = part + else: + pathpart = pathpart + "." + part + pathslist.append(pathpart) + kadd = pathslist + + # print('KADD WITH SUBPATHS') + # print(kadd) + # print(count_repeated(kadd)) + # print('KDELETE') + # print(kdelete) + # print(count_repeated(kdelete)) + + # pathslist=[] + # for group in mdelete: + # pathpart='' + # for part in group.split('.'): + # if pathpart=='': + # pathpart=part + # else: + # pathpart=pathpart+'.'+part + # pathslist.append(pathpart) + # mdelete=pathslist + + pathslist = [] + for group in madd: + pathpart = "" + for part in group.split("."): + if pathpart == "": + pathpart = part + else: + pathpart = pathpart + "." + part + pathslist.append(pathpart) + madd = pathslist + + # print('MADD WITH SUBPATHS') + # print(madd) + # print(count_repeated(madd)) + # print('MDELETE WITH SUBPATHS') + # print(mdelete) + # print(count_repeated(mdelete)) + + # pathslist=[] + # for group in ndelete: + # pathpart='' + # for part in group.split('.'): + # if pathpart=='': + # pathpart=part + # else: + # pathpart=pathpart+'.'+part + # pathslist.append(pathpart) + # ndelete=pathslist + + pathslist = [] + for group in nadd: + pathpart = "" + for part in group.split("."): + if pathpart == "": + pathpart = part + else: + pathpart = pathpart + "." + part + pathslist.append(pathpart) + nadd = pathslist + + # print('NADD WITH SUBPATHS') + # print(nadd) + # print(count_repeated(nadd)) + # print('NDELETE WITH SUBPATHS') + # print(ndelete) + # print(count_repeated(ndelete)) + + self.update_keycloak_user(internaluser["id"], user, kdelete, kadd) + ev.update_text("Syncing data from applications...") + self.resync_data() + + ev.update_text("Updating user in moodle") + self.update_moodle_user(internaluser["id"], user, mdelete, madd) + + ev.update_text("Updating user in nextcloud") + self.update_nextcloud_user(internaluser["id"], user, ndelete, nadd) + + ev.update_text("User updated") + return True + + def update_keycloak_user(self, user_id, user, kdelete, kadd): + # pprint(self.keycloak.get_user_realm_roles(user_id)) + self.keycloak.remove_user_realm_roles(user_id, "student") + self.keycloak.assign_realm_roles(user_id, user["roles"][0]) + for group in kdelete: + group_id = self.keycloak.get_group_by_path(gid2kpath(group))["id"] + self.keycloak.group_user_remove(user_id, group_id) + for group in kadd: + group_id = self.keycloak.get_group_by_path(gid2kpath(group))["id"] + self.keycloak.group_user_add(user_id, group_id) + self.keycloak.user_update( + user_id, user["enabled"], user["email"], user["firstname"], user["lastname"] + ) + self.resync_data() + return True + + def enable_users(self, data): + # data={'id':'','username':''} + ev = Events("Bulk actions", "Enabling user:", total=len(data)) + for user in data: + ev.increment({"name": user["username"], "data": user["username"]}) + self.keycloak.user_enable(user["id"]) + self.resync_data() + + def disable_users(self, data): + # data={'id':'','username':''} + ev = Events("Bulk actions", "Disabling user:", total=len(data)) + for user in data: + ev.increment({"name": user["username"], "data": user["username"]}) + self.keycloak.user_disable(user["id"]) + self.resync_data() + + def update_moodle_user(self, user_id, user, mdelete, madd): + internaluser = [u for u in self.internal["users"] if u["id"] == user_id][0] + cohorts = self.moodle.get_cohorts() + for group in mdelete: + cohort = [c for c in cohorts if c["name"] == group[0]] + try: + self.moodle.delete_user_in_cohort( + internaluser["moodle_id"], cohort["id"] + ) + except: + log.error( + "MOODLE: User " + user["username"] + " it is not in cohort " + group + ) + + if not internaluser["moodle"]: + self.add_moodle_user( + username=user["username"], + email=user["email"], + first_name=user["firstname"], + last_name=user["lastname"], + ) + self.resync_data() + else: + self.moodle.update_user( + username=user["username"], + email=user["email"], + first_name=user["firstname"], + last_name=user["lastname"], + enabled=user["enabled"], + ) + + for group in madd: + cohort = [c for c in cohorts if c["name"] == group][0] + self.moodle.add_user_to_cohort(internaluser["moodle_id"], cohort["id"]) + + return True + + def add_moodle_user( + self, + username, + email, + first_name, + last_name, + password="*12" + secrets.token_urlsafe(16), + ): + log.warning("Creating moodle user: " + username) + ev = Events("Add user", username) + try: + self.moodle.create_user(email, username, password, first_name, last_name) + ev.update_text({"name": "Added to moodle", "data": []}) + except UserExists: + log.error(" -->> User already exists") + error = Events("User already exists.", str(se), type="error") + except SystemError as se: + log.error("Moodle create user error: " + str(se)) + error = Events("Moodle create user error", str(se), type="error") + except: + log.error(" -->> Error creating on moodle the user: " + username) + print(traceback.format_exc()) + error = Events("Internal error", "Check logs", type="error") + + def update_nextcloud_user(self, user_id, user, ndelete, nadd): + + ## TODO: Disable de user? Is really needed? it is disabled in keycloak, so can't login again + ## ocs/v1.php/cloud/users/{userid}/disable + internaluser = [u for u in self.internal["users"] if u["id"] == user_id][0] + if not internaluser["nextcloud"]: + try: + self.add_nextcloud_user( + user["username"], + user["email"], + user["quota"], + user["firstname"], + user["lastname"], + user["groups"], + ) + except: + log.warning( + "NEXTCLOUD: Ooops! User " + + user["username"] + + " seems to be in NC but our db info says not...." + ) + self.resync_data() + else: + if not user["quota"] or user["quota"] == "false": + self.nextcloud.update_user( + user["username"], + { + "quota": "none", + "email": user["email"], + "displayname": user["firstname"] + " " + user["lastname"], + }, + ) + else: + self.nextcloud.update_user( + user["username"], + { + "quota": user["quota"], + "email": user["email"], + "displayname": user["firstname"] + " " + user["lastname"], + }, + ) + + for group in ndelete: + self.nextcloud.remove_user_from_group(user["username"], group) + + for group in nadd: + self.nextcloud.add_user_to_group(user["username"], group) + + def add_nextcloud_user( + self, + username, + email, + quota, + first_name, + last_name, + groups, + password="*12" + secrets.token_urlsafe(16), + ): + log.warning( + " NEXTCLOUD USERS: Creating nextcloud user: " + + username + + " in groups " + + str(groups) + ) + ev = Events("Add user", username) + try: + # Quota is "1 GB", "500 MB" + self.nextcloud.add_user_with_groups( + username, password, quota, groups, email, first_name + " " + last_name + ) + ev.increment({"name": "Added to nextcloud", "data": []}) + except ProviderItemExists: + log.warning( + " NEXTCLOUD USERS: User " + username + " already exists. Skipping..." + ) + except: + log.error(traceback.format_exc()) + + def delete_users(self, data): + ev = Events("Bulk actions", "Deleting users:", total=len(data)) + for user in data: + ev.increment({"name": user["username"], "data": user["username"]}) + self.delete_user(user["id"]) + self.resync_data() + + def delete_user(self, userid): + log.warning("Deleting user moodle, nextcloud keycloak") + ev = Events("Deleting user", "Deleting from moodle") + self.delete_moodle_user(userid) + ev.update_text("Deleting from nextcloud") + self.delete_nextcloud_user(userid) + ev.update_text("Deleting from keycloak") + self.delete_keycloak_user(userid) + ev.update_text("Syncing data from applications...") + self.resync_data() + ev.update_text("User deleted") + sio_event_send("delete_user", {"userid": userid}) + return True + + def get_user(self, userid): + user = [u for u in self.internal["users"] if u["id"] == userid] + if not len(user): + return False + return user[0] + + def get_user_username(self, username): + user = [u for u in self.internal["users"] if u["username"] == username] + if not len(user): + return False + return user[0] + + def add_user(self, u): + + pathslist = [] + for group in u["groups"]: + pathpart = "" + for part in group.split("."): + if pathpart == "": + pathpart = part + else: + pathpart = pathpart + "." + part + pathslist.append(pathpart) + + for path in pathslist: + path = "/" + path.replace(".", "/") + log.warning( + " KEYCLOAK USERS: Assign user " + u["username"] + " to group " + path + ) + try: + gid = self.keycloak.get_group_by_path(path=path)["id"] + except: + return False + # gid = self.keycloak.add_group_tree(path) + # log.warning("THE PATH "+str(path)+" HAS GID "+str(gid)) + # self.moodle.add_system_cohort(path) + # self.nextcloud.add_group(path) + # self.resync_data() + # gid = self.keycloak.get_group_by_path(path=path)["id"] + + ### KEYCLOAK + ####################### + ev = Events("Add user", u["username"], total=5) + log.warning(" KEYCLOAK USERS: Adding user: " + u["username"]) + uid = self.keycloak.add_user( + u["username"], + u["first"], + u["last"], + u["email"], + u["password"], + enabled=u["enabled"], + password_temporary=u.get("password_temporary", True), + ) + + self.av.add_user_default_avatar(uid, u["role"]) + + # Add user to role and group rolename + log.warning( + " KEYCLOAK USERS: Assign user " + u["username"] + " to role " + u["role"] + ) + self.keycloak.assign_realm_roles(uid, u["role"]) + gid = self.keycloak.get_group_by_path(path="/" + u["role"])["id"] + self.keycloak.group_user_add(uid, gid) + ev.increment({"name": "Added to system", "data": []}) + # Add user to groups + for path in pathslist: + path = "/" + path.replace(".", "/") + gid = self.keycloak.get_group_by_path(path=path)["id"] + self.keycloak.group_user_add(uid, gid) + ev.increment({"name": "Added to system groups", "data": []}) + + pathslist.append(u["role"]) + ### MOODLE + ############################### + # Add user + log.warning("Creating moodle user: " + u["username"]) + try: + moodle_id = self.moodle.create_user( + u["email"], + u["username"], + "*12" + secrets.token_urlsafe(16), + u["first"], + u["last"], + )[0]["id"] + ev.increment({"name": "Added to moodle", "data": []}) + except UserExists: + log.error(" -->> User already exists") + error = Events("User already exists.", str(se), type="error") + except SystemError as se: + log.error("Moodle create user error: " + str(se)) + error = Events("Moodle create user error", str(se), type="error") + except: + log.error(" -->> Error creating on moodle the user: " + u["username"]) + print(traceback.format_exc()) + error = Events("Internal error", "Check logs", type="error") + + # Add user to cohort + ## Get all existing moodle cohorts + cohorts = self.moodle.get_cohorts() + for path in pathslist: + print("MOODLE ADD SUBPATH: " + path) + try: + cohort = [c for c in cohorts if c["name"] == path][0] + except: + # print(traceback.format_exc()) + log.error( + " MOODLE USER GROUPS: keycloak group " + + path + + " does not exist as moodle cohort. This should not happen. User " + + u["username"] + + " not added." + ) + + try: + self.moodle.add_user_to_cohort(moodle_id, cohort["id"]) + except: + log.error( + " MOODLE USER GROUPS: User " + + u["username"] + + " already exists in cohort " + + cohort["name"] + ) + + ev.increment({"name": "Added to moodle cohorts", "data": []}) + + ### NEXTCLOUD + ########################3 + log.warning( + " NEXTCLOUD USERS: Creating nextcloud user: " + + u["username"] + + " in groups " + + str(list) + ) + try: + # Quota is in MB + self.nextcloud.add_user_with_groups( + u["username"], + "*12" + secrets.token_urlsafe(16), + u["quota"], + pathslist, + u["email"], + u["first"] + " " + u["last"], + ) + ev.increment({"name": "Added to nextcloud", "data": []}) + except ProviderItemExists: + log.warning("User " + u["username"] + " already exists. Skipping...") + except: + log.error(traceback.format_exc()) + + self.resync_data() + sio_event_send("new_user", u) + return uid + + def add_group(self, g): + # TODO: Check if exists + + # We add in keycloak with his name, will be shown in app with full path with dots + if g["parent"] != None: + g["parent"] = gid2kpath(g["parent"]) + + new_path = self.keycloak.add_group(g["name"], g["parent"]) + + if g["parent"] != None: + new_path = kpath2gid(new_path["path"]) + else: + new_path = g["name"] + + self.moodle.add_system_cohort(new_path, description=g["description"]) + self.nextcloud.add_group(new_path) + self.resync_data() + return new_path + + def delete_group_by_id(self, group_id): + ev = Events("Deleting group", "Deleting from keycloak") + try: + keycloak_group = self.keycloak.get_group_by_id(group_id) + except Exception as e: + print(e) + ev.update_text("Error deleting group. Not found in keycloak!") + log.error( + " KEYCLOAK GROUPS: Could not delete group " + + str(group_id) + + " as it does not exist!" + ) + raise Error("not_found", "Group " + group_id + " not found.") + + # {'id': '966ad67c-499a-4f56-bd1d-283691cde0e7', 'name': 'asdgfewfwe', 'path': '/asdgfewfwe', 'attributes': {}, 'realmRoles': [], 'clientRoles': {}, 'subGroups': [], 'access': {'view': True, 'manage': True, 'manageMembership': True}} + + subgroups = get_group_with_childs(keycloak_group) + + try: + self.keycloak.delete_group(group_id) + except: + log.error("KEYCLOAK GROUPS: Could no delete group " + group["path"]) + return + + cohorts = self.moodle.get_cohorts() + for sg in subgroups: + sg_gid = kpath2gid(sg) + + cohort = [c["id"] for c in cohorts if c["name"] == sg_gid] + ev.update_text("Deleting from moodle cohort " + sg_gid) + self.moodle.delete_cohorts(cohort) + ev.update_text("Deleting from nextcloud group " + sg_gid) + self.nextcloud.delete_group(sg_gid) + self.resync_data() + + def delete_group_by_path(self, path): + group = self.keycloak.get_group_by_path(path) + + to_be_deleted = [] + # Childs + for internalgroup in self.internal["groups"]: + if internalgroup["name"].startswith(group["name"] + "."): + to_be_deleted.append(internalgroup["name"]) + to_be_deleted.append(kpath2gid(group["path"])) + + try: + self.keycloak.delete_group(group["id"]) + except: + log.error("KEYCLOAK: Could no delete group " + group["path"]) + + cohorts = self.moodle.get_cohorts() + for gid in to_be_deleted: + cohort = [c["id"] for c in cohorts if c["name"] == gid] + self.moodle.delete_cohorts(cohort) + self.nextcloud.delete_group(gid) + self.resync_data() + + def set_nextcloud_user_mail(self, data): + self.nextcloud.set_user_mail(data) diff --git a/dd-sso/admin/src/admin/lib/api_exceptions.py b/dd-sso/admin/src/admin/lib/api_exceptions.py new file mode 100644 index 0000000..dc11014 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/api_exceptions.py @@ -0,0 +1,162 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import inspect +import json +import logging as log +import os +import traceback + +from flask import jsonify, request + +from admin import app + +content_type = {"Content-Type": "application/json"} +ex = { + "bad_request": { + "error": { + "error": "bad_request", + "msg": "Bad request", + }, + "status_code": 400, + }, + "unauthorized": { + "error": { + "error": "unauthorized", + "msg": "Unauthorized", + }, + "status_code": 401, + }, + "forbidden": { + "error": { + "error": "forbidden", + "msg": "Forbidden", + }, + "status_code": 403, + }, + "not_found": { + "error": { + "error": "not_found", + "msg": "Not found", + }, + "status_code": 404, + }, + "conflict": { + "error": { + "error": "conflict", + "msg": "Conflict", + }, + "status_code": 409, + }, + "internal_server": { + "error": { + "error": "internal_server", + "msg": "Internal server error", + }, + "status_code": 500, + }, + "gateway_timeout": { + "error": { + "error": "gateway_timeout", + "msg": "Gateway timeout", + }, + "status_code": 504, + }, + "precondition_required": { + "error": { + "error": "precondition_required", + "msg": "Precondition required", + }, + "status_code": 428, + }, + "insufficient_storage": { + "error": { + "error": "insufficient_storage", + "msg": "Insufficient storage", + }, + "status_code": 507, + }, +} + + +class Error(Exception): + def __init__(self, error="bad_request", description="", debug="", data=None): + self.error = ex[error]["error"].copy() + self.error["function"] = ( + inspect.stack()[1][1].split(os.sep)[-1] + + ":" + + str(inspect.stack()[1][2]) + + ":" + + inspect.stack()[1][3] + ) + self.error["function_call"] = ( + inspect.stack()[2][1].split(os.sep)[-1] + + ":" + + str(inspect.stack()[2][2]) + + ":" + + inspect.stack()[2][3] + ) + self.error["description"] = str(description) + self.error["debug"] = "{}\n\r{}{}".format( + "----------- DEBUG START -------------", + debug, + "----------- DEBUG STOP -------------", + ) + self.error["request"] = ( + "{}\n{}\r\n{}\r\n\r\n{}{}".format( + "----------- REQUEST START -----------", + request.method + " " + request.url, + "\r\n".join("{}: {}".format(k, v) for k, v in request.headers.items()), + request.body if hasattr(request, "body") else "", + "----------- REQUEST STOP -----------", + ) + if request + else "" + ) + self.error["data"] = ( + "{}\n{}\n{}".format( + "----------- DATA START -----------", + json.dumps(data, indent=2), + "----------- DATA STOP -----------", + ) + if data + else "" + ) + self.status_code = ex[error]["status_code"] + self.content_type = content_type + log.debug( + "%s - %s - [%s -> %s]\r\n%s\r\n%s\r\n%s" + % ( + error, + str(description), + self.error["function_call"], + self.error["function"], + self.error["debug"], + self.error["request"], + self.error["data"], + ) + ) + + +@app.errorhandler(Error) +def handle_user_error(ex): + response = jsonify(ex.error) + response.status_code = ex.status_code + response.headers = {"content-type": content_type} + return response diff --git a/dd-sso/admin/src/admin/lib/avatars.py b/dd-sso/admin/src/admin/lib/avatars.py new file mode 100644 index 0000000..6805f09 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/avatars.py @@ -0,0 +1,101 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import logging as log +import os +from pprint import pprint + +from minio import Minio +from minio.commonconfig import REPLACE, CopySource +from minio.deleteobjects import DeleteObject +from requests import get, post + +from admin import app + + +class Avatars: + def __init__(self): + self.mclient = Minio( + "dd-sso-avatars:9000", + access_key="AKIAIOSFODNN7EXAMPLE", + secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", + secure=False, + ) + self.bucket = "master-avatars" + self._minio_set_realm() + # self.update_missing_avatars() + + def add_user_default_avatar(self, userid, role="unknown"): + self.mclient.fput_object( + self.bucket, + userid, + os.path.join(app.root_path, "../custom/avatars/" + role + ".jpg"), + content_type="image/jpeg ", + ) + log.warning( + " AVATARS: Updated avatar for user " + userid + " with role " + role + ) + + def delete_user_avatar(self, userid): + self.minio_delete_object(userid) + + def update_missing_avatars(self, users): + sys_roles = ["admin", "manager", "teacher", "student"] + for u in self.get_users_without_image(users): + try: + img = [r + ".jpg" for r in sys_roles if r in u["roles"]][0] + except: + img = "unknown.jpg" + + self.mclient.fput_object( + self.bucket, + u["id"], + os.path.join(app.root_path, "../custom/avatars/" + img), + content_type="image/jpeg ", + ) + log.warning( + " AVATARS: Updated avatar for user " + + u["username"] + + " with role " + + img.split(".")[0] + ) + + def _minio_set_realm(self): + if not self.mclient.bucket_exists(self.bucket): + self.mclient.make_bucket(self.bucket) + + def minio_get_objects(self): + return [o.object_name for o in self.mclient.list_objects(self.bucket)] + + def minio_delete_all_objects(self): + delete_object_list = map( + lambda x: DeleteObject(x.object_name), + self.mclient.list_objects(self.bucket), + ) + errors = self.mclient.remove_objects(self.bucket, delete_object_list) + for error in errors: + log.error(" AVATARS: Error occured when deleting avatar object: " + error) + + def minio_delete_object(self, oid): + errors = self.mclient.remove_objects(self.bucket, [DeleteObject(oid)]) + for error in errors: + log.error(" AVATARS: Error occured when deleting avatar object: " + error) + + def get_users_without_image(self, users): + return [u for u in users if u["id"] and u["id"] not in self.minio_get_objects()] diff --git a/dd-sso/admin/src/admin/lib/dashboard.py b/dd-sso/admin/src/admin/lib/dashboard.py new file mode 100644 index 0000000..eba50d8 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/dashboard.py @@ -0,0 +1,88 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import logging as log +import os +import shutil +import traceback +from io import BytesIO +from pprint import pprint + +import requests +import yaml +from PIL import Image +from schema import And, Optional, Schema, SchemaError, Use + +from admin import app + + +class Dashboard: + def __init__( + self, + ): + self.custom_menu = os.path.join(app.root_path, "../custom/menu/custom.yaml") + + def _update_custom_menu(self, custom_menu_part): + with open(self.custom_menu) as yml: + menu = yaml.load(yml, Loader=yaml.FullLoader) + menu = {**menu, **custom_menu_part} + with open(self.custom_menu, "w") as yml: + yml.write(yaml.dump(menu, default_flow_style=False)) + return True + + def update_colours(self, colours): + schema_template = Schema( + { + "background": And(Use(str)), + "primary": And(Use(str)), + "secondary": And(Use(str)), + } + ) + + try: + schema_template.validate(colours) + except SchemaError: + return False + + self._update_custom_menu({"colours": colours}) + return self.apply_updates() + + def update_menu(self, menu): + items = [] + for menu_item in menu.keys(): + for mustexist_key in ["href", "icon", "name", "shortname"]: + if mustexist_key not in menu[menu_item].keys(): + return False + items.append(menu[menu_item]) + self._update_custom_menu({"apps_external": items}) + return self.apply_updates() + + def update_logo(self, logo): + img = Image.open(logo.stream) + img.save(os.path.join(app.root_path, "../custom/img/logo.png")) + return self.apply_updates() + + def update_background(self, background): + img = Image.open(background.stream) + img.save(os.path.join(app.root_path, "../custom/img/background.png")) + return self.apply_updates() + + def apply_updates(self): + resp = requests.get("http://dd-sso-api:7039/restart") + return True diff --git a/dd-sso/admin/src/admin/lib/events.py b/dd-sso/admin/src/admin/lib/events.py new file mode 100644 index 0000000..ae1eefa --- /dev/null +++ b/dd-sso/admin/src/admin/lib/events.py @@ -0,0 +1,193 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import base64 +import json +import logging as log +import os +import sys +import traceback +from time import sleep +from uuid import uuid4 + +from flask import Response, jsonify, redirect, render_template, request, url_for +from flask_socketio import ( + SocketIO, + close_room, + disconnect, + emit, + join_room, + leave_room, + rooms, + send, +) + +from admin import app + + +def sio_event_send(event, data): + app.socketio.emit( + event, + json.dumps(data), + namespace="/sio/events", + room="events", + ) + sleep(0.001) + + +class Events: + def __init__(self, title, text="", total=0, table=False, type="info"): + # notice, info, success, and error + self.eid = str(base64.b64encode(os.urandom(32))[:8]) + self.title = title + self.text = text + self.total = total + self.table = table + self.item = 0 + self.type = type + self.create() + + def create(self): + log.info("START " + self.eid + ": " + self.text) + app.socketio.emit( + "notify-create", + json.dumps( + { + "id": self.eid, + "title": self.title, + "text": self.text, + "type": self.type, + } + ), + namespace="/sio", + room="admin", + ) + sleep(0.001) + + def __del__(self): + log.info("END " + self.eid + ": " + self.text) + app.socketio.emit( + "notify-destroy", + json.dumps({"id": self.eid}), + namespace="/sio", + room="admin", + ) + sleep(0.001) + + def update_text(self, text): + self.text = text + app.socketio.emit( + "notify-update", + json.dumps( + { + "id": self.eid, + "text": self.text, + } + ), + namespace="/sio", + room="admin", + ) + sleep(0.001) + + def append_text(self, text): + self.text = self.text + "
" + text + app.socketio.emit( + "notify-update", + json.dumps( + { + "id": self.eid, + "text": self.text, + } + ), + namespace="/sio", + room="admin", + ) + sleep(0.001) + + def increment(self, data={"name": "", "data": []}): + self.item += 1 + log.info("INCREMENT " + self.eid + ": " + self.text) + app.socketio.emit( + "notify-increment", + json.dumps( + { + "id": self.eid, + "title": self.title, + "text": "[" + + str(self.item) + + "/" + + str(self.total) + + "] " + + self.text + + " " + + data["name"], + "item": self.item, + "total": self.total, + "table": self.table, + "type": self.type, + "data": data, + } + ), + namespace="/sio", + room="admin", + ) + sleep(0.0001) + + def decrement(self, data={"name": "", "data": []}): + self.item -= 1 + log.info("DECREMENT " + self.eid + ": " + self.text) + app.socketio.emit( + "notify-decrement", + json.dumps( + { + "id": self.eid, + "title": self.title, + "text": "[" + + str(self.item) + + "/" + + str(self.total) + + "] " + + self.text + + " " + + data["name"], + "item": self.item, + "total": self.total, + "table": self.table, + "type": self.type, + "data": data, + } + ), + namespace="/sio", + room="admin", + ) + sleep(0.001) + + def reload(self): + app.socketio.emit("reload", json.dumps({}), namespace="/sio", room="admin") + sleep(0.0001) + + def table(self, event, table, data={}): + # refresh, add, delete, update + app.socketio.emit( + "table_" + event, + json.dumps({"table": table, "data": data}), + namespace="/sio", + room="admin", + ) + sleep(0.0001) diff --git a/dd-sso/admin/src/admin/lib/exceptions.py b/dd-sso/admin/src/admin/lib/exceptions.py new file mode 100644 index 0000000..7c5d84b --- /dev/null +++ b/dd-sso/admin/src/admin/lib/exceptions.py @@ -0,0 +1,26 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +class UserExists(Exception): + pass + + +class UserNotFound(Exception): + pass diff --git a/dd-sso/admin/src/admin/lib/helpers.py b/dd-sso/admin/src/admin/lib/helpers.py new file mode 100644 index 0000000..80b7ea7 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/helpers.py @@ -0,0 +1,134 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import random +import string +from collections import Counter +from pprint import pprint + + +def get_recursive_groups(l_groups, l): + for d_group in l_groups: + data = {} + for key, value in d_group.items(): + if key == "subGroups": + get_recursive_groups(value, l) + else: + data[key] = value + l.append(data) + return l + + +def get_group_with_childs(keycloak_group): + return [g["path"] for g in get_recursive_groups([keycloak_group], [])] + + +def system_username(username): + return ( + True + if username in ["guest", "ddadmin", "admin"] or username.startswith("system_") + else False + ) + + +def system_group(groupname): + return True if groupname in ["admin", "manager", "teacher", "student"] else False + + +def get_group_from_group_id(group_id, groups): + return next((d for d in groups if d.get("id") == group_id), None) + + +def get_kid_from_kpath(kpath, groups): + ids = [g["id"] for g in groups if g["path"] == kpath] + if not len(ids) or len(ids) > 1: + return False + return ids[0] + + +def get_gid_from_kgroup_id(kgroup_id, groups): + return [ + g["path"].replace("/", ".")[1:] if len(g["path"].split("/")) else g["path"][1:] + for g in groups + if g["id"] == kgroup_id + ][0] + + +def get_gids_from_kgroup_ids(kgroup_ids, groups): + return [get_gid_from_kgroup_id(kgroup_id, groups) for kgroup_id in kgroup_ids] + + +def kpath2gid(path): + # print(path.replace('/','.')[1:]) + if path.startswith("/"): + return path.replace("/", ".")[1:] + return path.replace("/", ".") + + +def kpath2gids(path): + path = kpath2gid(path) + l = [] + for i in range(len(path.split("."))): + l.append(".".join(path.split(".")[: i + 1])) + return l + + +def kpath2kpaths(path): + l = [] + for i in range(len(path.split("/"))): + l.append("/".join(path.split("/")[: i + 1])) + return l[1:] + + +def gid2kpath(gid): + return "/" + gid.replace(".", "/") + + +def count_repeated(itemslist): + print(Counter(itemslist)) + + +def groups_kname2gid(groups): + return [name.replace(".", "/") for name in groups] + + +def groups_path2id(groups): + return [g.replace("/", ".")[1:] for g in groups] + + +def groups_id2path(groups): + return ["/" + g.replace(".", "/") for g in groups] + + +def filter_roles_list(role_list): + client_roles = ["admin", "manager", "teacher", "student"] + return [r for r in role_list if r in client_roles] + + +def filter_roles_listofdicts(role_listofdicts): + client_roles = ["admin", "manager", "teacher", "student"] + return [r for r in role_listofdicts if r["name"] in client_roles] + + +def rand_password(lenght): + characters = string.ascii_letters + string.digits + string.punctuation + passwd = "".join(random.choice(characters) for i in range(lenght)) + while not any(ele.isupper() for ele in passwd): + passwd = "".join(random.choice(characters) for i in range(lenght)) + return passwd diff --git a/dd-sso/admin/src/admin/lib/keycloak_client.py b/dd-sso/admin/src/admin/lib/keycloak_client.py new file mode 100644 index 0000000..5641a6b --- /dev/null +++ b/dd-sso/admin/src/admin/lib/keycloak_client.py @@ -0,0 +1,460 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import yaml +from jinja2 import Environment, FileSystemLoader +from keycloak import KeycloakAdmin + +from .api_exceptions import Error +from .helpers import get_recursive_groups, kpath2kpaths +from .postgres import Postgres + +# from admin import app + + +class KeycloakClient: + """https://www.keycloak.org/docs-api/13.0/rest-api/index.html + https://github.com/marcospereirampj/python-keycloak + https://gist.github.com/kaqfa/99829941121188d7cef8271f93f52f1f + """ + + def __init__( + self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ["KEYCLOAK_USER"], + password=os.environ["KEYCLOAK_PASSWORD"], + realm="master", + verify=True, + ): + self.url = url + self.username = username + self.password = password + self.realm = realm + self.verify = verify + + self.keycloak_pg = Postgres( + "dd-apps-postgresql", + "keycloak", + os.environ["KEYCLOAK_DB_USER"], + os.environ["KEYCLOAK_DB_PASSWORD"], + ) + + def connect(self): + self.keycloak_admin = KeycloakAdmin( + server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify, + ) + + # from keycloak import KeycloakAdmin + # keycloak_admin = KeycloakAdmin(server_url="http://dd-sso-keycloak:8080/auth/",username="admin",password="keycloakkeycloak",realm_name="master",verify=False) + + """ USERS """ + + def get_user_id(self, username): + self.connect() + return self.keycloak_admin.get_user_id(username) + + def get_users(self): + self.connect() + return self.keycloak_admin.get_users({}) + + def get_users_with_groups_and_roles(self): + q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, u.enabled, ua.value as quota + ,json_agg(g."id") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + ,json_agg(r.name) as role + from user_entity as u + left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + left join user_group_membership as ugm on ugm.user_id = u.id + left join keycloak_group as g on g.id = ugm.group_id + left join keycloak_group as g_parent on g.parent_group = g_parent.id + left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + left join user_role_mapping as rm on rm.user_id = u.id + left join keycloak_role as r on r.id = rm.role_id + group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, u.enabled, ua.value + order by u.username""" + + (headers, users) = self.keycloak_pg.select_with_headers(q) + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users_with_lists + ] + + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + + return list_dict_users + + def getparent(self, group_id, data): + # Recursively get full path from any group_id in the tree + path = "" + for item in data: + if group_id == item[0]: + path = self.getparent(item[2], data) + path = f"{path}/{item[1]}" + return path + + def get_group_path(self, group_id): + # Get full path using getparent recursive func + # RETURNS: String with full path + q = """SELECT * FROM keycloak_group""" + groups = self.keycloak_pg.select(q) + return self.getparent(group_id, groups) + + def get_user_groups_paths(self, user_id): + # Get full paths for user grups + # RETURNS list of paths + q = """SELECT group_id FROM user_group_membership WHERE user_id = '%s'""" % ( + user_id + ) + user_group_ids = self.keycloak_pg.select(q) + + paths = [] + for g in user_group_ids: + paths.append(self.get_group_path(g[0])) + return paths + + ## Too slow. Used the direct postgres + # def get_users_with_groups_and_roles(self): + # self.connect() + # users=self.keycloak_admin.get_users({}) + # for user in users: + # user['groups']=[g['path'] for g in self.keycloak_admin.get_user_groups(user_id=user['id'])] + # user['roles']= [r['name'] for r in self.keycloak_admin.get_realm_roles_of_user(user_id=user['id'])] + # return users + + def add_user( + self, + username, + first, + last, + email, + password, + group=False, + password_temporary=True, + enabled=True, + ): + # RETURNS string with keycloak user id (the main id in this app) + self.connect() + username = username.lower() + try: + uid = self.keycloak_admin.create_user( + { + "email": email, + "username": username, + "enabled": enabled, + "firstName": first, + "lastName": last, + "credentials": [ + { + "type": "password", + "value": password, + "temporary": password_temporary, + } + ], + } + ) + except Exception as e: + log.error(traceback.format_exc()) + raise Error( + "conflict", + "user/email already exists: " + str(username) + "/" + str(email), + ) + + if group: + path = "/" + group if group[1:] != "/" else group + try: + gid = self.keycloak_admin.get_group_by_path( + path=path, search_in_subgroups=False + )["id"] + except: + self.keycloak_admin.create_group({"name": group}) + gid = self.keycloak_admin.get_group_by_path(path)["id"] + self.keycloak_admin.group_user_add(uid, gid) + return uid + + def update_user_pwd(self, user_id, password, password_temporary=True): + # Updates + payload = { + "credentials": [ + {"type": "password", "value": password, "temporary": password_temporary} + ] + } + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def user_update(self, user_id, enabled, email, first, last, groups=[], roles=[]): + ## NOTE: Roles didn't seem to be updated/added. Also not confident with groups + # Updates + payload = { + "enabled": enabled, + "email": email, + "firstName": first, + "lastName": last, + "groups": groups, + "realmRoles": roles, + } + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def user_enable(self, user_id): + payload = {"enabled": True} + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def user_disable(self, user_id): + payload = {"enabled": False} + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def group_user_remove(self, user_id, group_id): + self.connect() + return self.keycloak_admin.group_user_remove(user_id, group_id) + + # def add_user_role(self,user_id,role_id): + # self.connect() + # return self.keycloak_admin.assign_role(client_id=client_id, user_id=user_id, role_id=role_id, role_name="test") + + def remove_user_realm_roles(self, user_id, roles): + self.connect() + roles = [ + r + for r in self.get_user_realm_roles(user_id) + if r["name"] in ["admin", "manager", "teacher", "student"] + ] + return self.keycloak_admin.delete_user_realm_role(user_id, roles) + + def delete_user(self, userid): + self.connect() + return self.keycloak_admin.delete_user(user_id=userid) + + def get_user_groups(self, userid): + self.connect() + return self.keycloak_admin.get_user_groups(user_id=userid) + + def get_user_realm_roles(self, userid): + self.connect() + return self.keycloak_admin.get_realm_roles_of_user(user_id=userid) + + def add_user_client_role(self, client_id, user_id, role_id, role_name): + self.connect() + return self.keycloak_admin.assign_client_role( + client_id=client_id, user_id=user_id, role_id=role_id, role_name="test" + ) + + ## GROUPS + def get_all_groups(self): + ## RETURNS ONLY MAIN GROUPS WITH NESTED subGroups list + self.connect() + return self.keycloak_admin.get_groups() + + def get_groups(self, with_subgroups=True): + ## RETURNS ALL GROUPS in root list + self.connect() + groups = self.keycloak_admin.get_groups() + return get_recursive_groups(groups, []) + + def get_group_by_id(self, group_id): + self.connect() + return self.keycloak_admin.get_group(group_id=group_id) + + def get_group_by_path(self, path, recursive=True): + self.connect() + return self.keycloak_admin.get_group_by_path( + path=path, search_in_subgroups=recursive + ) + + def add_group(self, name, parent=None, skip_exists=False): + self.connect() + if parent != None: + parent = self.get_group_by_path(parent)["id"] + return self.keycloak_admin.create_group({"name": name}, parent=parent) + + def delete_group(self, group_id): + self.connect() + return self.keycloak_admin.delete_group(group_id=group_id) + + def group_user_add(self, user_id, group_id): + self.connect() + return self.keycloak_admin.group_user_add(user_id, group_id) + + def add_group_tree(self, path): + paths = kpath2kpaths(path) + parent = "/" + for path in paths: + try: + parent_path = None if parent == "/" else parent + # print("parent: "+str(parent_path)+" path: "+path.split("/")[-1]) + self.add_group(path.split("/")[-1], parent_path, skip_exists=True) + parent = path + except: + # print(traceback.format_exc()) + log.warning("KEYCLOAK: Group :" + path + " already exists.") + parent = path + + def add_user_with_groups_and_role( + self, username, first, last, email, password, role, groups + ): + ## Add user + uid = self.add_user(username, first, last, email, password) + ## Add user to role + log.info("User uid: " + str(uid) + " role: " + str(role)) + try: + therole = role[0] + except: + therole = "" + log.info(self.assign_realm_roles(uid, role)) + ## Create groups in user + for g in groups: + log.warning("Creating keycloak group: " + g) + parts = g.split("/") + parent_path = None + for i in range(1, len(parts)): + # parent_id=None if parent_path==None else self.get_group(parent_path)['id'] + try: + self.add_group(parts[i], parent_path, skip_exists=True) + except: + log.warning( + "Group " + + str(parent_path) + + " already exists. Skipping creation" + ) + pass + if parent_path is None: + thepath = "/" + parts[i] + else: + thepath = parent_path + "/" + parts[i] + if thepath == "/": + log.warning( + "Not adding the user " + + username + + " to any group as does not have any..." + ) + continue + gid = self.get_group_by_path(path=thepath)["id"] + + log.warning( + "Adding " + + username + + " with uuid: " + + uid + + " to group " + + g + + " with uuid: " + + gid + ) + self.keycloak_admin.group_user_add(uid, gid) + + if parent_path == None: + parent_path = "" + parent_path = parent_path + "/" + parts[i] + + # self.group_user_add(uid,gid) + + ## ROLES + def get_roles(self): + self.connect() + return self.keycloak_admin.get_realm_roles() + + def get_role(self, name): + self.connect() + return self.keycloak_admin.get_realm_role(name) + + def add_role(self, name, description=""): + self.connect() + return self.keycloak_admin.create_realm_role( + {"name": name, "description": description} + ) + + def delete_role(self, name): + self.connect() + return self.keycloak_admin.delete_realm_role(name) + + ## CLIENTS + + def get_client_roles(self, client_id): + self.connect() + return self.keycloak_admin.get_client_roles(client_id=client_id) + + def add_client_role(self, client_id, name, description=""): + self.connect() + return self.keycloak_admin.create_client_role( + client_id, {"name": name, "description": description, "clientRole": True} + ) + + ## SYSTEM + def get_server_info(self): + self.connect() + return self.keycloak_admin.get_server_info() + + def get_server_clients(self): + self.connect() + return self.keycloak_admin.get_clients() + + def get_server_rsa_key(self): + self.connect() + rsa_key = [ + k for k in self.keycloak_admin.get_keys()["keys"] if k["type"] == "RSA" + ][0] + return {"name": rsa_key["kid"], "certificate": rsa_key["certificate"]} + + ## REALM + def assign_realm_roles(self, user_id, role): + self.connect() + try: + role = [ + r for r in self.keycloak_admin.get_realm_roles() if r["name"] == role + ] + except: + return False + return self.keycloak_admin.assign_realm_roles(user_id=user_id, roles=role) + # return self.keycloak_admin.assign_realm_roles(user_id=user_id, client_id=None, roles=role) + + ## CLIENTS + def delete_client(self, clientid): + self.connect() + return self.keycloak_admin.delete_client(clientid) + + def add_client(self, client): + self.connect() + return self.keycloak_admin.create_client(client) diff --git a/dd-sso/admin/src/admin/lib/legal.py b/dd-sso/admin/src/admin/lib/legal.py new file mode 100644 index 0000000..70c27c2 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/legal.py @@ -0,0 +1,46 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import logging as log +import os +import traceback + +from admin import app +from pprint import pprint + +from minio import Minio +from minio.commonconfig import REPLACE, CopySource +from minio.deleteobjects import DeleteObject +from requests import get, post + +legal_path= os.path.join(app.root_path, "static/templates/pages/legal/") + +def get_legal(lang): + with open(legal_path+lang, "r") as languagefile: + return languagefile.read() + +def gen_legal_if_not_exists(lang): + if not os.path.isfile(legal_path+lang): + log.debug("Creating new language file") + with open(legal_path+lang, "w") as languagefile: + languagefile.write("Legal
This is the default legal page for language " + lang) + +def new_legal(lang,html): + with open(legal_path+lang, "w") as languagefile: + languagefile.write(html) \ No newline at end of file diff --git a/dd-sso/admin/src/admin/lib/load_config.py b/dd-sso/admin/src/admin/lib/load_config.py new file mode 100644 index 0000000..19ae22d --- /dev/null +++ b/dd-sso/admin/src/admin/lib/load_config.py @@ -0,0 +1,94 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + + +import logging as log +import os +import sys +import traceback + +import yaml +from cerberus import Validator, rules_set_registry, schema_registry + +from admin import app + + +class AdminValidator(Validator): + None + # def _normalize_default_setter_genid(self, document): + # return _parse_string(document["name"]) + + # def _normalize_default_setter_genidlower(self, document): + # return _parse_string(document["name"]).lower() + + # def _normalize_default_setter_gengroupid(self, document): + # return _parse_string( + # document["parent_category"] + "-" + document["uid"] + # ).lower() + + +def load_validators(purge_unknown=True): + validators = {} + schema_path = os.path.join(app.root_path, "schemas") + for schema_filename in os.listdir(schema_path): + try: + with open(os.path.join(schema_path, schema_filename)) as file: + schema_yml = file.read() + schema = yaml.load(schema_yml, Loader=yaml.FullLoader) + validators[schema_filename.split(".")[0]] = AdminValidator( + schema, purge_unknown=purge_unknown + ) + except IsADirectoryError: + None + return validators + + +app.validators = load_validators() + + +class loadConfig: + def __init__(self, app=None): + try: + app.config.setdefault("DOMAIN", os.environ["DOMAIN"]) + app.config.setdefault( + "KEYCLOAK_POSTGRES_USER", os.environ["KEYCLOAK_DB_USER"] + ) + app.config.setdefault( + "KEYCLOAK_POSTGRES_PASSWORD", os.environ["KEYCLOAK_DB_PASSWORD"] + ) + app.config.setdefault( + "MOODLE_POSTGRES_USER", os.environ["MOODLE_POSTGRES_USER"] + ) + app.config.setdefault( + "MOODLE_POSTGRES_PASSWORD", os.environ["MOODLE_POSTGRES_PASSWORD"] + ) + app.config.setdefault( + "NEXTCLOUD_POSTGRES_USER", os.environ["NEXTCLOUD_POSTGRES_USER"] + ) + app.config.setdefault( + "NEXTCLOUD_POSTGRES_PASSWORD", os.environ["NEXTCLOUD_POSTGRES_PASSWORD"] + ) + app.config.setdefault( + "VERIFY", True if os.environ["VERIFY"] == "true" else False + ) + app.config.setdefault("API_SECRET", os.environ.get("API_SECRET")) + except Exception as e: + log.error(traceback.format_exc()) + raise diff --git a/dd-sso/admin/src/admin/lib/moodle.py b/dd-sso/admin/src/admin/lib/moodle.py new file mode 100644 index 0000000..67ba429 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/moodle.py @@ -0,0 +1,285 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import logging as log +import traceback +from pprint import pprint + +from requests import get, post + +from admin import app + +from .exceptions import UserExists, UserNotFound +from .postgres import Postgres + +# Module variables to connect to moodle api + + +class Moodle: + """https://github.com/mrcinv/moodle_api.py + https://docs.moodle.org/dev/Web_service_API_functions + https://docs.moodle.org/311/en/Using_web_services + """ + + def __init__( + self, + key=app.config["MOODLE_WS_TOKEN"], + url="https://moodle." + app.config["DOMAIN"], + endpoint="/webservice/rest/server.php", + verify=app.config["VERIFY"], + ): + self.key = key + self.url = url + self.endpoint = endpoint + self.verify = verify + + self.moodle_pg = Postgres( + "dd-apps-postgresql", + "moodle", + app.config["MOODLE_POSTGRES_USER"], + app.config["MOODLE_POSTGRES_PASSWORD"], + ) + + def rest_api_parameters(self, in_args, prefix="", out_dict=None): + """Transform dictionary/array structure to a flat dictionary, with key names + defining the structure. + Example usage: + >>> rest_api_parameters({'courses':[{'id':1,'name': 'course1'}]}) + {'courses[0][id]':1, + 'courses[0][name]':'course1'} + """ + if out_dict == None: + out_dict = {} + if not type(in_args) in (list, dict): + out_dict[prefix] = in_args + return out_dict + if prefix == "": + prefix = prefix + "{0}" + else: + prefix = prefix + "[{0}]" + if type(in_args) == list: + for idx, item in enumerate(in_args): + self.rest_api_parameters(item, prefix.format(idx), out_dict) + elif type(in_args) == dict: + for key, item in in_args.items(): + self.rest_api_parameters(item, prefix.format(key), out_dict) + return out_dict + + def call(self, fname, **kwargs): + """Calls moodle API function with function name fname and keyword arguments. + Example: + >>> call_mdl_function('core_course_update_courses', + courses = [{'id': 1, 'fullname': 'My favorite course'}]) + """ + parameters = self.rest_api_parameters(kwargs) + parameters.update( + {"wstoken": self.key, "moodlewsrestformat": "json", "wsfunction": fname} + ) + response = post(self.url + self.endpoint, parameters, verify=self.verify) + response = response.json() + if type(response) == dict and response.get("exception"): + raise SystemError(response) + return response + + def create_user(self, email, username, password, first_name="-", last_name="-"): + if len(self.get_user_by("username", username)["users"]): + raise UserExists + try: + data = [ + { + "username": username, + "email": email, + "password": password, + "firstname": first_name, + "lastname": last_name, + } + ] + user = self.call("core_user_create_users", users=data) + return user # [{'id': 8, 'username': 'asdfw'}] + except SystemError as se: + raise SystemError(se.args[0]["message"]) + + def update_user(self, username, email, first_name, last_name, enabled=True): + user = self.get_user_by("username", username)["users"][0] + if not len(user): + raise UserNotFound + try: + data = [ + { + "id": user["id"], + "username": username, + "email": email, + "firstname": first_name, + "lastname": last_name, + "suspended": 0 if enabled else 1, + } + ] + user = self.call("core_user_update_users", users=data) + return user + except SystemError as se: + raise SystemError(se.args[0]["message"]) + + def delete_user(self, user_id): + user = self.call("core_user_delete_users", userids=[user_id]) + return user + + def delete_users(self, userids): + user = self.call("core_user_delete_users", userids=userids) + return user + + def get_user_by(self, key, value): + criteria = [{"key": key, "value": value}] + try: + user = self.call("core_user_get_users", criteria=criteria) + except: + raise SystemError("Error calling Moodle API\n", traceback.format_exc()) + return user + # {'users': [{'id': 8, 'username': 'asdfw', 'firstname': 'afowie', 'lastname': 'aokjdnfwe', 'fullname': 'afowie aokjdnfwe', 'email': 'awfewe@ads.com', 'department': '', 'firstaccess': 0, 'lastaccess': 0, 'auth': 'manual', 'suspended': False, 'confirmed': True, 'lang': 'ca', 'theme': '', 'timezone': '99', 'mailformat': 1, 'profileimageurlsmall': 'https://moodle.mydomain.duckdns.org/theme/image.php/cbe/core/1630941606/u/f2', 'profileimageurl': 'https://DOMAIN/theme/image.php/cbe/core/1630941606/u/f1'}], 'warnings': []} + + def get_users_with_groups_and_roles(self): + q = """select u.id as id, username, firstname as first, lastname as last, email, json_agg(h.name) as groups, json_agg(r.shortname) as roles + from mdl_user as u + LEFT JOIN mdl_cohort_members AS hm on hm.userid = u.id + left join mdl_cohort AS h ON h.id = hm.cohortid + left join mdl_role_assignments AS ra ON ra.id = u.id + left join mdl_role as r on r.id = ra.roleid + where u.deleted = 0 + group by u.id , username, first, last, email""" + (headers, users) = self.moodle_pg.select_with_headers(q) + users_with_lists = [ + list(l[:-2]) + + ([[]] if l[-2] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + return list_dict_users + + ## NOT USED. Too slow + # def get_users_with_groups_and_roles(self): + # users=self.get_user_by('email','%%')['users'] + # for user in users: + # user['groups']=[c['name'] for c in self.get_user_cohorts(user['id'])] + # user['roles']=[] + # return users + + def enroll_user_to_course(self, user_id, course_id, role_id=5): + # 5 is student + data = [{"roleid": role_id, "userid": user_id, "courseid": course_id}] + enrolment = self.call("enrol_manual_enrol_users", enrolments=data) + return enrolment + + def get_quiz_attempt(self, quiz_id, user_id): + attempts = self.call( + "mod_quiz_get_user_attempts", quizid=quiz_id, userid=user_id + ) + return attempts + + def get_cohorts(self): + cohorts = self.call("core_cohort_get_cohorts") + return cohorts + + def add_system_cohort(self, name, description="", visible=True): + visible = 1 if visible else 0 + data = [ + { + "categorytype": {"type": "system", "value": ""}, + "name": name, + "idnumber": name, + "description": description, + "visible": visible, + } + ] + cohort = self.call("core_cohort_create_cohorts", cohorts=data) + return cohort + + # def add_users_to_cohort(self,users,cohort): + # criteria = [{'key': key, 'value': value}] + # user = self.call('core_cohort_add_cohort_members', criteria=criteria) + # return user + + def add_user_to_cohort(self, userid, cohortid): + members = [ + { + "cohorttype": {"type": "id", "value": cohortid}, + "usertype": {"type": "id", "value": userid}, + } + ] + user = self.call("core_cohort_add_cohort_members", members=members) + return user + + def delete_user_in_cohort(self, userid, cohortid): + members = [{"cohortid": cohortid, "userid": userid}] + user = self.call("core_cohort_delete_cohort_members", members=members) + return user + + def get_cohort_members(self, cohort_ids): + members = self.call("core_cohort_get_cohort_members", cohortids=cohort_ids) + # [0]['userids'] + return members + + def delete_cohorts(self, cohortids): + deleted = self.call("core_cohort_delete_cohorts", cohortids=cohortids) + return deleted + + def get_user_cohorts(self, user_id): + user_cohorts = [] + cohorts = self.get_cohorts() + for cohort in cohorts: + if user_id in self.get_cohort_members(cohort["id"]): + user_cohorts.append(cohort) + return user_cohorts + + def add_user_to_siteadmin(self, user_id): + q = """SELECT value FROM mdl_config WHERE name='siteadmins'""" + value = self.moodle_pg.select(q)[0][0] + if str(user_id) not in value: + value = value + "," + str(user_id) + q = """UPDATE mdl_config SET value = '%s' WHERE name='siteadmins'""" % ( + value + ) + self.moodle_pg.update(q) + log.warning( + "MOODLE:ADDING THE USER TO ADMINS: This needs a purge cache in moodle!" + ) + + # def add_role_to_user(self, user_id, role='admin', context='missing'): + # if role=='admin': + # role_id=1 + # else: + # return False + # assignments = [{'roleid': role_id, 'userid': user_id, 'contextid': 0}] + # self.call('core_role_assign_roles', assignments=assignments) + # userid=user_id, role_id=role_id) + # 'contextlevel': 1, + + +# define('CONTEXT_SYSTEM', 10); +# define('CONTEXT_USER', 30); +# define('CONTEXT_COURSECAT', 40); +# define('CONTEXT_COURSE', 50); +# define('CONTEXT_MODULE', 70); +# define('CONTEXT_BLOCK', 80); + +# 'contextlevel': , 'instanceid' +# $assignment = array( 'roleid' => $role_id, 'userid' => $user_id, 'contextid' => $context_id ); +# $assignments = array( $assignment ); +# $params = array( 'assignments' => $assignments ); + +# $response = call_moodle( 'core_role_assign_roles', $params, $token ); diff --git a/dd-sso/admin/src/admin/lib/mysql.py b/dd-sso/admin/src/admin/lib/mysql.py new file mode 100644 index 0000000..9f3f140 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/mysql.py @@ -0,0 +1,50 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import time +import traceback +from datetime import datetime, timedelta + +import mysql.connector +import yaml + +# from admin import app + + +class Mysql: + def __init__(self, host, database, user, password): + self.conn = mysql.connector.connect( + host=host, database=database, user=user, password=password + ) + + def select(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + self.cur.close() + return data + + def update(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + self.conn.commit() + self.cur.close() diff --git a/dd-sso/admin/src/admin/lib/nextcloud.py b/dd-sso/admin/src/admin/lib/nextcloud.py new file mode 100644 index 0000000..9e2a130 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/nextcloud.py @@ -0,0 +1,583 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + + +import json +import logging as log +import os +import pprint +import time +import traceback +import urllib + +import requests +from psycopg2 import sql + +# from ..lib.log import * +from admin import app + +from .nextcloud_exc import * +from .postgres import Postgres + + +class Nextcloud: + def __init__( + self, + url="https://nextcloud." + app.config["DOMAIN"], + username=os.environ["NEXTCLOUD_ADMIN_USER"], + password=os.environ["NEXTCLOUD_ADMIN_PASSWORD"], + verify=True, + ): + + self.verify_cert = verify + self.apiurl = url + "/ocs/v1.php/cloud/" + self.shareurl = url + "/ocs/v2.php/apps/files_sharing/api/v1/" + self.davurl = url + "/remote.php/dav/files/" + self.auth = (username, password) + self.user = username + + self.nextcloud_pg = Postgres( + "dd-apps-postgresql", + "nextcloud", + app.config["NEXTCLOUD_POSTGRES_USER"], + app.config["NEXTCLOUD_POSTGRES_PASSWORD"], + ) + + def _request( + self, method, url, data={}, headers={"OCS-APIRequest": "true"}, auth=False + ): + if auth == False: + auth = self.auth + try: + response = requests.request( + method, + url, + data=data, + auth=auth, + verify=self.verify_cert, + headers=headers, + ) + if "meta" in response.text: + if "997" in response.text: + raise ProviderUnauthorized + # if '998' in response.text: raise ProviderInvalidQuery + return response.text + + ## At least the ProviderSslError is not being catched or not raised correctly + except requests.exceptions.HTTPError as errh: + raise ProviderConnError + except requests.exceptions.Timeout as errt: + raise ProviderConnTimeout + except requests.exceptions.SSLError as err: + raise ProviderSslError + except requests.exceptions.ConnectionError as errc: + raise ProviderConnError + # except requests.exceptions.RequestException as err: + # raise ProviderError + except Exception as e: + if str(e) == "an integer is required (got type bytes)": + raise ProviderConnError + raise ProviderError + + def check_connection(self): + url = self.apiurl + "users/" + self.user + "?format=json" + try: + result = self._request("GET", url) + if json.loads(result)["ocs"]["meta"]["statuscode"] == 100: + return True + raise ProviderError + except requests.exceptions.HTTPError as errh: + raise ProviderConnError + except requests.exceptions.ConnectionError as errc: + raise ProviderConnError + except requests.exceptions.Timeout as errt: + raise ProviderConnTimeout + except requests.exceptions.SSLError as err: + raise ProviderSslError + except requests.exceptions.RequestException as err: + raise ProviderError + except Exception as e: + if str(e) == "an integer is required (got type bytes)": + raise ProviderConnError + raise ProviderError + + def get_user(self, userid): + url = self.apiurl + "users/" + userid + "?format=json" + try: + result = json.loads(self._request("GET", url)) + if result["ocs"]["meta"]["statuscode"] == 100: + return result["ocs"]["data"] + raise ProviderItemNotExists + except: + # log.error(traceback.format_exc()) + raise + # 100 - successful + + # q = """select u.uid as username, adn.value as displayname, ade.value as email, json_agg(gg.displayname) as admin_groups,json_agg(g.displayname) as groups + # from oc_users as u + # left join oc_group_user as gu on gu.uid = u.uid + # left join oc_groups as g on gu.gid = g.gid + # left join oc_group_admin as ga on ga.uid = u.uid + # left join oc_groups as gg on gg.gid = ga.gid + # left join oc_accounts_data as adn on adn.uid = u.uid and adn.name = 'displayname' + # left join oc_accounts_data as ade on ade.uid = u.uid and ade.name = 'email' + # group by u.uid, adn.value, ade.value""" + # cur.execute(q) + # users = cur.fetchall() + # fields = [a.name for a in cur.description] + # cur.close() + # conn.close() + + # users_with_lists = [list(l[:-2])+([[]] if l[-2] == [None] else [list(set(l[-2]))]) + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) for l in users] + # users_with_lists = [list(l[:-2])+([[]] if l[-2] == [None] else [list(set(l[-2]))]) + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) for l in users_with_lists] + # list_dict_users = [dict(zip(fields, r)) for r in users_with_lists] + def get_users_list(self): + # q = """select u.uid as username, adn.value as displayname, ade.value as email, json_agg(gg.displayname) as admin_groups,json_agg(g.displayname) as groups + # from oc_users as u + # left join oc_group_user as gu on gu.uid = u.uid + # left join oc_groups as g on gu.gid = g.gid + # left join oc_group_admin as ga on ga.uid = u.uid + # left join oc_groups as gg on gg.gid = ga.gid + # left join oc_accounts_data as adn on adn.uid = u.uid and adn.name = 'displayname' + # left join oc_accounts_data as ade on ade.uid = u.uid and ade.name = 'email' + # group by u.uid, adn.value, ade.value""" + + # With quotas + q = """select u.uid as username, configvalue as quota, sum(size) as total_bytes, adn.value as displayname, ade.value as email, json_agg(gg.displayname) as admin_groups,json_agg(g.displayname) as groups + from oc_accounts as u + left join oc_group_user as gu on gu.uid = u.uid + left join oc_groups as g on gu.gid = g.gid + left join oc_group_admin as ga on ga.uid = u.uid + left join oc_groups as gg on gg.gid = ga.gid + left join oc_accounts_data as adn on adn.uid = u.uid and adn.name = 'displayname' + left join oc_accounts_data as ade on ade.uid = u.uid and ade.name = 'email' + left join oc_preferences as pref on u.uid=pref.userid and appid='files' and configkey='quota' + left join oc_storages as s on s.id=CONCAT('home::',u.uid) + left join oc_filecache as fc on fc.storage = numeric_id + group by u.uid, adn.value, ade.value, pref.configvalue""" + (headers, users) = self.nextcloud_pg.select_with_headers(q) + users_with_lists = [ + list(l[:-2]) + + ([[]] if l[-2] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + users_with_lists = [ + list(l[:-2]) + + ([[]] if l[-2] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users_with_lists + ] + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + return list_dict_users + + ### Too slow... + # def get_users_list(self): + # url = self.apiurl + "users?format=json" + # try: + # result = json.loads(self._request('GET',url)) + # if result['ocs']['meta']['statuscode'] == 100: return result['ocs']['data']['users'] + # log.error('Get Nextcloud provider users list error: '+str(result)) + # raise ProviderOpError + # except: + # log.error(traceback.format_exc()) + # raise + + def add_user( + self, userid, userpassword, quota=False, group=False, email="", displayname="" + ): + data = { + "userid": userid, + "password": userpassword, + "quota": quota, + "groups[]": group, + "email": email, + "displayname": displayname, + } + if not group: + del data["groups[]"] + if not quota: + del data["quota"] + # if group: + # data={'userid':userid,'password':userpassword,'quota':quota,'groups[]':group,'email':email,'displayname':displayname} + # else: + # data={'userid':userid,'password':userpassword,'quota':quota,'email':email,'displayname':displayname} + url = self.apiurl + "users?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads(self._request("POST", url, data=data, headers=headers)) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 102: + raise ProviderItemExists + if result["ocs"]["meta"]["statuscode"] == 104: + self.add_group(group) + # raise ProviderGroupNotExists + log.error("Get Nextcloud provider user add error: " + str(result)) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + # 100 - successful + # 101 - invalid input data + # 102 - username already exists + # 103 - unknown error occurred whilst adding the user + # 104 - group does not exist + # 105 - insufficient privileges for group + # 106 - no group specified (required for subadmins) + # 107 - all errors that contain a hint - for example “Password is among the 1,000,000 most common ones. Please make it unique.” (this code was added in 12.0.6 & 13.0.1) + + def update_user(self, userid, key_values): + # key_values={'quota':quota,'email':email,'displayname':displayname} + + url = self.apiurl + "users/" + userid + "?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + for k, v in key_values.items(): + data = {"key": k, "value": v} + + try: + result = json.loads( + self._request("PUT", url, data=data, headers=headers) + ) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 102: + raise ProviderItemExists + if result["ocs"]["meta"]["statuscode"] == 104: + raise ProviderGroupNotExists + log.error("Get Nextcloud provider user add error: " + str(result)) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + + def add_user_to_group(self, userid, group_id): + data = {"groupid": group_id} + + url = self.apiurl + "users/" + userid + "/groups?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads(self._request("POST", url, data=data, headers=headers)) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 102: + raise ProviderItemExists + if result["ocs"]["meta"]["statuscode"] == 104: + raise ProviderGroupNotExists + log.error("Get Nextcloud provider user add error: " + str(result)) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + + def remove_user_from_group(self, userid, group_id): + data = {"groupid": group_id} + + url = self.apiurl + "users/" + userid + "/groups?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads( + self._request("DELETE", url, data=data, headers=headers) + ) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 102: + raise ProviderItemExists + if result["ocs"]["meta"]["statuscode"] == 104: + self.add_group(group) + # raise ProviderGroupNotExists + log.error("Get Nextcloud provider user add error: " + str(result)) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + + def add_user_with_groups( + self, userid, userpassword, quota=False, groups=[], email="", displayname="" + ): + data = { + "userid": userid, + "password": userpassword, + "quota": quota, + "groups[]": groups, + "email": email, + "displayname": displayname, + } + # if not group: del data['groups[]'] + if not quota: + del data["quota"] + # if group: + # data={'userid':userid,'password':userpassword,'quota':quota,'groups[]':group,'email':email,'displayname':displayname} + # else: + # data={'userid':userid,'password':userpassword,'quota':quota,'email':email,'displayname':displayname} + url = self.apiurl + "users?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads(self._request("POST", url, data=data, headers=headers)) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 102: + raise ProviderItemExists + if result["ocs"]["meta"]["statuscode"] == 104: + # self.add_group(group) + None + # raise ProviderGroupNotExists + log.error("Get Nextcloud provider user add error: " + str(result)) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + # 100 - successful + # 101 - invalid input data + # 102 - username already exists + # 103 - unknown error occurred whilst adding the user + # 104 - group does not exist + # 105 - insufficient privileges for group + # 106 - no group specified (required for subadmins) + # 107 - all errors that contain a hint - for example “Password is among the 1,000,000 most common ones. Please make it unique.” (this code was added in 12.0.6 & 13.0.1) + + def delete_user(self, userid): + url = self.apiurl + "users/" + userid + "?format=json" + try: + result = json.loads(self._request("DELETE", url)) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 101: + raise ProviderUserNotExists + # log.error(traceback.format_exc()) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + # 100 - successful + # 101 - failure + + def enable_user(self, userid): + None + + def disable_user(self, userid): + None + + def exists_user_folder(self, userid, userpassword, folder="IsardVDI"): + auth = (userid, userpassword) + url = self.davurl + userid + "/" + folder + "?format=json" + headers = { + "Depth": "0", + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = self._request("PROPFIND", url, auth=auth, headers=headers) + if "HTTP/1.1 200 OK" in result: + return True + return False + except: + # log.error(traceback.format_exc()) + raise + + def add_user_folder(self, userid, userpassword, folder="IsardVDI"): + auth = (userid, userpassword) + url = self.davurl + userid + "/" + folder + "?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = self._request("MKCOL", url, auth=auth, headers=headers) + if result == "": + return True + if ( + "The resource you tried to create already exists" + in result + ): + raise ProviderItemExists + log.error(result.split("message>")[1].split("<")[0]) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + + def exists_user_share_folder(self, userid, userpassword, folder="IsardVDI"): + auth = (userid, userpassword) + url = self.shareurl + "shares?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads(self._request("GET", url, auth=auth, headers=headers)) + if result["ocs"]["meta"]["statuscode"] == 200: + share = [s for s in result["ocs"]["data"] if s["path"] == "/" + folder] + if len(share) >= 1: + # Should we delete all but the first (0) one? + return {"token": share[0]["token"], "url": share[0]["url"]} + raise ProviderItemNotExists + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + + def add_user_share_folder(self, userid, userpassword, folder="IsardVDI"): + auth = (userid, userpassword) + data = {"path": "/" + folder, "shareType": 3} + url = self.shareurl + "shares?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads( + self._request("POST", url, data=data, auth=auth, headers=headers) + ) + if ( + result["ocs"]["meta"]["statuscode"] == 100 + or result["ocs"]["meta"]["statuscode"] == 200 + ): + return { + "token": result["ocs"]["data"]["token"], + "url": result["ocs"]["data"]["url"], + } + log.error( + "Add user share folder error: " + result["ocs"]["meta"]["message"] + ) + raise ProviderFolderNotExists + except: + # log.error(traceback.format_exc()) + raise + + def get_group(self, userid): + None + + def get_groups_list(self): + url = self.apiurl + "groups?format=json" + try: + result = json.loads(self._request("GET", url)) + if result["ocs"]["meta"]["statuscode"] == 100: + return [g for g in result["ocs"]["data"]["groups"]] + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + + def add_group(self, groupid): + data = {"groupid": groupid} + url = self.apiurl + "groups?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads( + self._request("POST", url, data=data, auth=self.auth, headers=headers) + ) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + if result["ocs"]["meta"]["statuscode"] == 102: + raise ProviderItemExists + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + # 100 - successful + # 101 - invalid input data + # 102 - group already exists + # 103 - failed to add the group + + def delete_group(self, groupid): + group = urllib.parse.quote(groupid, safe="") + url = self.apiurl + "groups/" + group + "?format=json" + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "OCS-APIRequest": "true", + } + try: + result = json.loads( + self._request("DELETE", url, auth=self.auth, headers=headers) + ) + if result["ocs"]["meta"]["statuscode"] == 100: + return True + # log.error(traceback.format_exc()) + raise ProviderOpError + except: + # log.error(traceback.format_exc()) + raise + # 100 - successful + # 101 - invalid input data + # 102 - group already exists + # 103 - failed to add the group + + def set_user_mail(self, data): + query = """SELECT * FROM "oc_mail_accounts" WHERE "email" = '%s'""" + sql_query = sql.SQL(query.format(data["email"])) + if not len(self.nextcloud_pg.select(sql_query)): + query = """INSERT INTO "oc_mail_accounts" ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") VALUES + ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s');""" + account = [ + data["user_id"], + data["name"], + data["email"], + data["inbound_host"], + data["inbound_port"], + data["inbound_ssl_mode"], + data["inbound_user"], + data["inbound_password"], + data["outbound_host"], + data["outbound_port"], + data["outbound_ssl_mode"], + data["outbound_user"], + data["outbound_password"], + ] + else: + query = """UPDATE "oc_mail_accounts" SET ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") = + ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s') WHERE email = '%s';""" + + account = [ + data["user_id"], + data["name"], + data["email"], + data["inbound_host"], + data["inbound_port"], + data["inbound_ssl_mode"], + data["inbound_user"], + data["inbound_password"], + data["outbound_host"], + data["outbound_port"], + data["outbound_ssl_mode"], + data["outbound_user"], + data["outbound_password"], + data["email"], + ] + sql_query = sql.SQL(query.format(",".join([str(acc) for acc in account]))) + self.nextcloud_pg.update(sql_query) diff --git a/dd-sso/admin/src/admin/lib/nextcloud_exc.py b/dd-sso/admin/src/admin/lib/nextcloud_exc.py new file mode 100644 index 0000000..ec1f290 --- /dev/null +++ b/dd-sso/admin/src/admin/lib/nextcloud_exc.py @@ -0,0 +1,58 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +class ProviderUnauthorized(Exception): + pass + + +class ProviderConnError(Exception): + pass + + +class ProviderSslError(Exception): + pass + + +class ProviderConnTimeout(Exception): + pass + + +class ProviderError(Exception): + pass + + +class ProviderItemExists(Exception): + pass + + +class ProviderItemNotExists(Exception): + pass + + +class ProviderGroupNotExists(Exception): + pass + + +class ProviderFolderNotExists(Exception): + pass + + +class ProviderOpError(Exception): + pass diff --git a/dd-sso/admin/src/admin/lib/postgres.py b/dd-sso/admin/src/admin/lib/postgres.py new file mode 100644 index 0000000..84b82ad --- /dev/null +++ b/dd-sso/admin/src/admin/lib/postgres.py @@ -0,0 +1,71 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml + +# from admin import app + + +class Postgres: + def __init__(self, host, database, user, password): + self.conn = psycopg2.connect( + host=host, database=database, user=user, password=password + ) + + # def __del__(self): + # self.cur.close() + # self.conn.close() + + def select(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + self.cur.close() + return data + + def update(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + self.conn.commit() + self.cur.close() + # return self.cur.fetchall() + + def select_with_headers(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + fields = [a.name for a in self.cur.description] + self.cur.close() + return (fields, data) + + # def update_moodle_saml_plugin(self): + # plugin[('idpmetadata', 'NrtA5ynG0htowP3SXw7dBJRIAMxn-1PwuuXwOwNhlRwMIICmzCCAYMCBgF5jb0RCTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjEwNTIxMDcwMjI4WhcNMzEwNTIxMDcwNDA4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCI8xh/C0+frz3kgWiUbziTDls71R2YiXLSVE+bw7gbEgZUGCLhoEI679azMtIxmnzM/snIX+yTb12+XoYkgbiLTMPQfnH+Kiab6g3HL3KPfhqS+yWkFxOoCp6Ibmp7yPlVWuHH+MBfO8OBr/r8Ao7heFbuzjiLd1KG67rcoaxfDgMuBoEomg1bgEjFgHaQIrSC6OZzH0h987/arqufZXeXlfyiqScMPUi+u5IpDWSwz06UKP0k8mxzNSlpZ93CKOUSsV0SMLxqg7FQ3SGiOk577bGW9o9BDTkkmSo3Up6smc0LzwvvUwuNd0B1irGkWZFQN9OXJnJYf1InEebIMtmPAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADM34+qEGeBQ22luphVTuVJtGxcbxLx7DfsT0QfJD/OuxTTbNAa1VRyarb5juIAkqdj4y2quZna9ZXLecVo4RkwpzPoKoAkYA8b+kHnWqEwJi9iPrDvKb+GR0bBkLPN49YxIZ8IdKX/PRa3yuLHe+loiNsCaS/2ZK2KO46COsqU4QX1iVhF9kWphNLybjNAX45B6cJLsa1g0vXLdm3kv3SB4I2fErFVaOoDtFIjttoYlXdpUiThkPXBfr7N67P3dZHaS4tjJh+IZ8I6TINpcsH8dBkUhzYEIPHCePwSiC1w6WDBLNDuKt1mj1CZrLq+1x+Yhrs+QNRheEKGi89HZ8N0=urn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transienturn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')] + # pg_update = """UPDATE mdl_config_plugins set title = %s where plugin = auth_saml2 and name =""" + # cursor.execute(pg_update, (title, bookid)) + # connection.commit() + # count = cursor.rowcount + # print(count, "Successfully Updated!") diff --git a/dd-sso/admin/src/admin/lib/postup.py b/dd-sso/admin/src/admin/lib/postup.py new file mode 100644 index 0000000..4d5a4df --- /dev/null +++ b/dd-sso/admin/src/admin/lib/postup.py @@ -0,0 +1,228 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import random + +# from .keycloak import Keycloak +# from .moodle import Moodle +import string +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml + +from admin import app + +from .postgres import Postgres + + +class Postup: + def __init__(self): + ready = False + while not ready: + try: + self.pg = Postgres( + "dd-apps-postgresql", + "moodle", + app.config["MOODLE_POSTGRES_USER"], + app.config["MOODLE_POSTGRES_PASSWORD"], + ) + ready = True + except: + log.warning("Could not connect to moodle database. Retrying...") + time.sleep(2) + log.info("Connected to moodle database.") + + ready = False + while not ready: + try: + with open( + os.path.join( + app.root_path, + "../moodledata/saml2/moodle." + app.config["DOMAIN"] + ".crt", + ), + "r", + ) as crt: + app.config.setdefault("SP_CRT", crt.read()) + ready = True + except IOError: + log.warning("Could not get moodle SAML2 crt certificate. Retrying...") + time.sleep(2) + except: + log.error(traceback.format_exc()) + log.info("Got moodle srt certificate.") + + ready = False + while not ready: + try: + with open( + os.path.join( + app.root_path, + "../moodledata/saml2/moodle." + app.config["DOMAIN"] + ".pem", + ), + "r", + ) as pem: + app.config.setdefault("SP_PEM", pem.read()) + ready = True + except IOError: + log.warning("Could not get moodle SAML2 pem certificate. Retrying...") + time.sleep(2) + log.info("Got moodle pem certificate.") + + self.select_and_configure_theme() + self.configure_tipnc() + self.add_moodle_ws_token() + + def select_and_configure_theme(self, theme="cbe"): + try: + self.pg.update( + """UPDATE "mdl_config" SET value = '%s' WHERE "name" = 'theme';""" + % (theme) + ) + except: + log.error(traceback.format_exc()) + exit(1) + None + + try: + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'theme_cbe' AND "name" = 'host';""" + % (os.environ["DOMAIN"]) + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'theme_cbe' AND "name" = 'logourl';""" + % ("https://api." + os.environ["DOMAIN"] + "/img/logo.png") + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '1' WHERE "plugin" = 'theme_cbe' AND "name" = 'header_api';""" + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '1' WHERE "plugin" = 'theme_cbe' AND "name" = 'vclasses_direct';""" + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '1' WHERE "plugin" = 'theme_cbe' AND "name" = 'uniquenamecourse';""" + ) + except: + log.error(traceback.format_exc()) + exit(1) + None + + def configure_tipnc(self): + try: + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'host';""" + % ("https://nextcloud." + os.environ["DOMAIN"] + "/") + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'password';""" + % (os.environ["NEXTCLOUD_ADMIN_PASSWORD"]) + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = 'template.docx' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'template';""" + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '/apps/onlyoffice/' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'location';""" + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'user';""" + % (os.environ["NEXTCLOUD_ADMIN_USER"]) + ) + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = 'tasks' WHERE "plugin" = 'assignsubmission_tipnc' AND "name" = 'folder';""" + ) + except: + log.error(traceback.format_exc()) + exit(1) + None + + def add_moodle_ws_token(self): + try: + token = self.pg.select( + """SELECT * FROM "mdl_external_tokens" WHERE "externalserviceid" = 3""" + )[0][1] + app.config.setdefault("MOODLE_WS_TOKEN", token) + return + except: + # log.error(traceback.format_exc()) + None + + try: + self.pg.update( + """INSERT INTO "mdl_external_services" ("name", "enabled", "requiredcapability", "restrictedusers", "component", "timecreated", "timemodified", "shortname", "downloadfiles", "uploadfiles") VALUES + ('dd admin', 1, '', 1, NULL, 1621719763, 1621719850, 'dd_admin', 0, 0);""" + ) + + self.pg.update( + """INSERT INTO "mdl_external_services_functions" ("externalserviceid", "functionname") VALUES + (3, 'core_course_update_courses'), + (3, 'core_user_get_users'), + (3, 'core_user_get_users_by_field'), + (3, 'core_user_update_picture'), + (3, 'core_user_update_users'), + (3, 'core_user_delete_users'), + (3, 'core_user_create_users'), + (3, 'core_cohort_get_cohort_members'), + (3, 'core_cohort_add_cohort_members'), + (3, 'core_cohort_delete_cohort_members'), + (3, 'core_cohort_create_cohorts'), + (3, 'core_cohort_delete_cohorts'), + (3, 'core_cohort_search_cohorts'), + (3, 'core_cohort_update_cohorts'), + (3, 'core_role_assign_roles'), + (3, 'core_cohort_get_cohorts');""" + ) + + self.pg.update( + """INSERT INTO "mdl_external_services_users" ("externalserviceid", "userid", "iprestriction", "validuntil", "timecreated") VALUES + (3, 2, NULL, NULL, 1621719871);""" + ) + + b32 = "".join( + random.choices( + string.ascii_uppercase + + string.ascii_uppercase + + string.ascii_lowercase, + k=32, + ) + ) + b64 = "".join( + random.choices( + string.ascii_uppercase + + string.ascii_uppercase + + string.ascii_lowercase, + k=64, + ) + ) + self.pg.update( + """INSERT INTO "mdl_external_tokens" ("token", "privatetoken", "tokentype", "userid", "externalserviceid", "sid", "contextid", "creatorid", "iprestriction", "validuntil", "timecreated", "lastaccess") VALUES + ('%s', '%s', 0, 2, 3, NULL, 1, 2, NULL, 0, 1621831206, NULL);""" + % (b32, b64) + ) + + app.config.setdefault("MOODLE_WS_TOKEN", b32) + except: + log.error(traceback.format_exc()) + exit(1) + None diff --git a/dd-sso/admin/src/admin/package.json b/dd-sso/admin/src/admin/package.json new file mode 100644 index 0000000..f87ec9e --- /dev/null +++ b/dd-sso/admin/src/admin/package.json @@ -0,0 +1,6 @@ +{ + "dependencies": { + "gentelella": "^1.4.0", + "socket.io": "^4.1.3" + } +} diff --git a/dd-sso/admin/src/admin/schemas/group.yml b/dd-sso/admin/src/admin/schemas/group.yml new file mode 100644 index 0000000..7cc1d26 --- /dev/null +++ b/dd-sso/admin/src/admin/schemas/group.yml @@ -0,0 +1,30 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +name: + required: true + type: string +description: + required: false + type: string + default: "Api created" +parent: + required: false + type: string + default: "" \ No newline at end of file diff --git a/dd-sso/admin/src/admin/schemas/mail.yml b/dd-sso/admin/src/admin/schemas/mail.yml new file mode 100644 index 0000000..1f889ad --- /dev/null +++ b/dd-sso/admin/src/admin/schemas/mail.yml @@ -0,0 +1,53 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +user_id: + type: string + required: true +name: + type: string + required: false +email: + type: string + required: true + regex: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$ +inbound_host: + type: string + required: true +inbound_port: + type: integer + required: true +inbound_ssl_mode: + type: string + default: ssl +inbound_user: + type: string + required: true +outbound_host: + type: string + required: true +outbound_port: + type: integer + required: true +outbound_ssl_mode: + type: string + default: ssl +outbound_user: + type: string + required: true \ No newline at end of file diff --git a/dd-sso/admin/src/admin/schemas/mails.yml b/dd-sso/admin/src/admin/schemas/mails.yml new file mode 100644 index 0000000..e3ce276 --- /dev/null +++ b/dd-sso/admin/src/admin/schemas/mails.yml @@ -0,0 +1,56 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +mails: + type: list + schema: + user_id: + type: string + required: true + name: + type: string + required: false + email: + type: string + required: true + regex: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$ + inbound_host: + type: string + required: true + inbound_port: + type: integer + required: true + inbound_ssl_mode: + type: string + default: ssl + inbound_user: + type: string + required: true + outbound_host: + type: string + required: true + outbound_port: + type: integer + required: true + outbound_ssl_mode: + type: string + default: ssl + outbound_user: + type: string + required: true \ No newline at end of file diff --git a/dd-sso/admin/src/admin/schemas/user.yml b/dd-sso/admin/src/admin/schemas/user.yml new file mode 100644 index 0000000..6271c5a --- /dev/null +++ b/dd-sso/admin/src/admin/schemas/user.yml @@ -0,0 +1,53 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +username: + required: true + type: string +first: + required: true + type: string +last: + required: true + type: string +email: + required: true + type: string + regex: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$ +password: + required: true + type: string +password_temporary: + required: false + type: boolean + default: true +quota: + required: true + type: string +enabled: + required: true + type: boolean +role: + required: true + type: string + empty: false +groups: + required: true + type: list + diff --git a/dd-sso/admin/src/admin/schemas/user_update.yml b/dd-sso/admin/src/admin/schemas/user_update.yml new file mode 100644 index 0000000..dc75b98 --- /dev/null +++ b/dd-sso/admin/src/admin/schemas/user_update.yml @@ -0,0 +1,50 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +first: + required: false + type: string +last: + required: false + type: string +email: + required: false + type: string + regex: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$ +password: + required: false + type: string +password_temporary: + required: false + type: boolean + default: true +quota: + required: false + type: string +enabled: + required: false + type: boolean +role: + required: false + type: string + empty: false +groups: + required: false + type: list + diff --git a/dd-sso/admin/src/admin/static/dd.css b/dd-sso/admin/src/admin/static/dd.css new file mode 100644 index 0000000..b164954 --- /dev/null +++ b/dd-sso/admin/src/admin/static/dd.css @@ -0,0 +1,160 @@ +/*! +* Copyright © 2021,2022 IsardVDI S.L. +* +* This file is part of DD +* +* DD is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as published by +* the Free Software Foundation, either version 3 of the License, or (at your +* option) any later version. +* +* DD is distributed in the hope that it will be useful, but WITHOUT ANY +* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +* details. +* +* You should have received a copy of the GNU Affero General Public License +* along with DD. If not, see . +* +* SPDX-License-Identifier: AGPL-3.0-or-later +*/ + +body { + color: #3b3e47; + background: #3b3e47 +} + +.dataTables_filter {float: left; position: absolute;} +.dataTables_filter input { max-width:90px;} + +.roundbox{border-radius:4px;border:1px solid #AAAAAA;} + + .blink { + animation: blink 2s steps(5, start) infinite; + -webkit-animation: blink 1s steps(5, start) infinite; + } + @keyframes blink { + to { + visibility: hidden; + } + } + @-webkit-keyframes blink { + to { + visibility: hidden; + } + } + +.pnotify-center { + right: calc(50% - 150px) !important; +} + +.ui-select-match-text{ + width: 100%; + overflow: hidden; + text-overflow: ellipsis; + padding-right: 40px; +} +.ui-select-toggle > .btn.btn-link { + margin-right: 10px; + top: 6px; + position: absolute; + right: 10px; +} + + +.fancytree-plain` span.fancytree-selected span.fancytree-title { + background-color: yellow; + color: black; +} + +.fancytree-plain span.fancytree-active span.fancytree-title { + background-color: blue; + color: white; +} + +.quota-form-input { + width: 100% !important; + overflow: hidden; + text-overflow: ellipsis; +} + +/* + * Workaround to fix select2 placeholder cut off + * https://github.com/select2/select2/issues/291 + * https://github.com/kartik-v/yii2-widgets/issues/324 + */ +.select2-search, .select2-search__field { + width: 100% !important; +} + +table.dataTable td.details-show > button > i:before, +table.dataTable td.details-control > button > i:before { + content: '\f067'; + font-family: FontAwesome; + cursor: pointer; + color: white; +} + +table.dataTable tr.shown td.details-show > button > i:before, +table.dataTable tr.shown td.details-control > button > i:before { + content: '\f068'; + color: white; +} + +.howto-desktops { + background-color:rgb(238, 238, 238); + cursor: pointer; + padding: 5px 17px; +} + +.x_title h4, h3 { + margin: 5px 0 6px; + float: left; + display: block; + text-overflow: ellipsis; + overflow: hidden; + white-space: nowrap; +} + +.x_panel { + border: none +} + +/* Sidebar */ + +.sidebar-footer { + background: #3b3e47; +} + +#menu_toggle { + color: #3b3e47; +} + +.logo_white { + filter: invert(1); +} + +.left_col { + background: #3b3e47; +} + +.nav.side-menu>li.active>a { + background: #3b3e47; +} + +.nav_title { + background: #3b3e47; +} + +.nav_menu { + padding: 10px; + background: white; + height: 75px; + max-height: 75px; +} + +.nav_menu_logo { + margin-top: 5px; + width: 100; + height: 45px; +} \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/dd.js b/dd-sso/admin/src/admin/static/dd.js new file mode 100644 index 0000000..7b313f6 --- /dev/null +++ b/dd-sso/admin/src/admin/static/dd.js @@ -0,0 +1,368 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + + +/** + * Resize function without multiple trigger + * + * Usage: + * $(window).smartresize(function(){ + * // code here + * }); + */ +(function($,sr){ + // debouncing function from John Hann + // http://unscriptable.com/index.php/2009/03/20/debouncing-javascript-methods/ + var debounce = function (func, threshold, execAsap) { + var timeout; + + return function debounced () { + var obj = this, args = arguments; + function delayed () { + if (!execAsap) + func.apply(obj, args); + timeout = null; + } + + if (timeout) + clearTimeout(timeout); + else if (execAsap) + func.apply(obj, args); + + timeout = setTimeout(delayed, threshold || 100); + }; + }; + + // smartresize + jQuery.fn[sr] = function(fn){ return fn ? this.bind('resize', debounce(fn)) : this.trigger(sr); }; + +})(jQuery,'smartresize'); +/** + * To change this license header, choose License Headers in Project Properties. + * To change this template file, choose Tools | Templates + * and open the template in the editor. + */ + +// Validator.js + // initialize the validator function + validator.message.date = 'not a real date'; + + // validate a field on "blur" event, a 'select' on 'change' event & a '.reuired' classed multifield on 'keyup': + $('form') + .on('blur', 'input[required], input.optional, select.required', validator.checkField) + .on('change', 'select.required', validator.checkField) + .on('keypress', 'input[required][pattern]', validator.keypress); + //~ .on('keypress', 'input[required][pattern]', function(){console.log('press')}); + + $('.multi.required').on('keyup blur', 'input', function() { + validator.checkField.apply($(this).siblings().last()[0]); + }); + + $('form').submit(function(e) { + e.preventDefault(); + var submit = true; + + // evaluate the form using generic validaing + if (!validator.checkAll($(this))) { + submit = false; + } + + if (submit) + this.submit(); + + return false; + }); +// /Validator.js + +//PNotify + var stack_center = {"dir1": "down", "dir2": "right", "firstpos1": 25, "firstpos2": ($(window).width() / 2) - (Number(PNotify.prototype.options.width.replace(/\D/g, '')) / 2)}; + $(window).resize(function(){ + stack_center.firstpos2 = ($(window).width() / 2) - (Number(PNotify.prototype.options.width.replace(/\D/g, '')) / 2); + }); + PNotify.prototype.options.styling = "bootstrap3"; +// /PNotify + +// Sidebar +var CURRENT_URL = window.location.href.split('#')[0].split('?')[0], + $BODY = $('body'), + $MENU_TOGGLE = $('#menu_toggle'), + $SIDEBAR_MENU = $('#sidebar-menu'), + $SIDEBAR_FOOTER = $('.sidebar-footer'), + $LEFT_COL = $('.left_col'), + $RIGHT_COL = $('.right_col'), + $NAV_MENU = $('.nav_menu'), + $FOOTER = $('footer'); + + +function init_sidebar() { +// TODO: This is some kind of easy fix, maybe we can improve this +var setContentHeight = function () { + // reset height + $RIGHT_COL.css('min-height', $(window).height()); + + var bodyHeight = $BODY.outerHeight(), + footerHeight = $BODY.hasClass('footer_fixed') ? -10 : $FOOTER.height(), + leftColHeight = $LEFT_COL.eq(1).height() + $SIDEBAR_FOOTER.height(), + contentHeight = bodyHeight < leftColHeight ? leftColHeight : bodyHeight; + + // normalize content + contentHeight -= $NAV_MENU.height() + footerHeight; + + $RIGHT_COL.css('min-height', contentHeight); +}; + + $SIDEBAR_MENU.find('a').on('click', function(ev) { + var $li = $(this).parent(); + + if ($li.is('.active')) { + $li.removeClass('active active-sm'); + $('ul:first', $li).slideUp(function() { + setContentHeight(); + }); + } else { + // prevent closing menu if we are on child menu + if (!$li.parent().is('.child_menu')) { + $SIDEBAR_MENU.find('li').removeClass('active active-sm'); + $SIDEBAR_MENU.find('li ul').slideUp(); + }else + { + if ( $BODY.is( ".nav-sm" ) ) + { + $SIDEBAR_MENU.find( "li" ).removeClass( "active active-sm" ); + $SIDEBAR_MENU.find( "li ul" ).slideUp(); + } + } + $li.addClass('active'); + + $('ul:first', $li).slideDown(function() { + setContentHeight(); + }); + } + }); + +// toggle small or large menu +$MENU_TOGGLE.on('click', function() { + if ($BODY.hasClass('nav-md')) { + $SIDEBAR_MENU.find('li.active ul').hide(); + $SIDEBAR_MENU.find('li.active').addClass('active-sm').removeClass('active'); + } else { + $SIDEBAR_MENU.find('li.active-sm ul').show(); + $SIDEBAR_MENU.find('li.active-sm').addClass('active').removeClass('active-sm'); + } + + $BODY.toggleClass('nav-md nav-sm'); + + setContentHeight(); +}); + + // check active menu + $SIDEBAR_MENU.find('a[href="' + CURRENT_URL + '"]').parent('li').addClass('current-page'); + + $SIDEBAR_MENU.find('a').filter(function () { + return this.href == CURRENT_URL; + }).parent('li').addClass('current-page').parents('ul').slideDown(function() { + setContentHeight(); + }).parent().addClass('active'); + + // recompute content when resizing + $(window).smartresize(function(){ + setContentHeight(); + }); + + setContentHeight(); + + // fixed sidebar + if ($.fn.mCustomScrollbar) { + $('.menu_fixed').mCustomScrollbar({ + autoHideScrollbar: true, + theme: 'minimal', + mouseWheel:{ preventDefault: true } + }); + } +}; +// /Sidebar + +$(document).ready(function() { + init_sidebar(); + $('input').iCheck({ + checkboxClass: 'icheckbox_flat-green', + radioClass: 'iradio_flat-green', + }) +}); + + +// Form serialization + + (function($){ + $.fn.serializeObject = function(){ + var self = this, + json = {}, + push_counters = {}, + patterns = { + "validate": /^[a-z][a-z0-9_-]*(?:\[(?:\d*|[a-z0-9_-]+)\])*$/i, + "key": /[a-z0-9_-]+|(?=\[\])/gi, + "named": /^[a-z0-9_-]+$/i, + //~ "validate": /^[a-zA-Z][a-zA-Z0-9_]*(?:\[(?:\d*|[a-zA-Z0-9_]+)\])*$/, + //~ "key": /[a-zA-Z0-9_]+|(?=\[\])/g, + "push": /^$/, + "fixed": /^\d+$/, + //~ "named": /^[a-zA-Z0-9_]+$/ + }; + + + this.build = function(base, key, value){ + base[key] = value; + return base; + }; + + this.push_counter = function(key){ + if(push_counters[key] === undefined){ + push_counters[key] = 0; + } + return push_counters[key]++; + }; + + $.each($(this).serializeArray(), function(){ + + // skip invalid keys + if(!patterns.validate.test(this.name)){ + return; + } + + var k, + keys = this.name.match(patterns.key), + merge = this.value, + reverse_key = this.name; + + while((k = keys.pop()) !== undefined){ + + // adjust reverse_key + reverse_key = reverse_key.replace(new RegExp("\\[" + k + "\\]$"), ''); + + // push + if(k.match(patterns.push)){ + merge = self.build([], self.push_counter(reverse_key), merge); + } + + // fixed + else if(k.match(patterns.fixed)){ + merge = self.build([], k, merge); + } + + // named + else if(k.match(patterns.named)){ + merge = self.build({}, k, merge); + } + } + + json = $.extend(true, json, merge); + }); + + return json; + }; + })(jQuery); + + +function dtUpdateInsertoLD(table, data, append){ + //Quickly appends new data rows. Does not update rows + if(append == true){ + table.rows.add(data); + + //Locate and update rows by rowId or add if new + }else{ + + found=false; + table.rows().every( function ( rowIdx, tableLoop, rowLoop ) { + if(this.data().id==data.id){ + table.row(rowIdx).data(data).invalidate(); + found=true; + return false; //Break + } + }); + if(!found){ + table.row.add(data); + } + } + + //Redraw table maintaining paging + table.draw(false); +} + +function dtUpdateInsert(table, data, append){ + table=$("#"+table).DataTable() + //Quickly appends new data rows. Does not update rows + new_id=false + if(append == true){ + table.rows.add(data); + new_id=true + //Locate and update rows by rowId or add if new + }else{ + if(typeof(table.row('#'+data.id).id())=='undefined'){ + // Does not exists yes + table.row.add(data); + new_id=true + }else{ + // Exists, do update + table.row('#'+data.id).data(data).invalidate(); + } + } + + //Redraw table maintaining paging + table.draw(false); + return new_id +} + +function dtUpdateOnly(table, data){ + if(typeof(table.row('#'+data.id).id())=='undefined'){ + // Does not exists yes + }else{ + // Exists, do update + table.row('#'+data.id).data(data).invalidate(); + } + //Redraw table maintaining paging + table.draw(false); +} + +// Panel toolbox +$(document).ready(function() { + $('.collapse-link').on('click', function() { + var $BOX_PANEL = $(this).closest('.x_panel'), + $ICON = $(this).find('i'), + $BOX_CONTENT = $BOX_PANEL.find('.x_content'); + + // fix for some div with hardcoded fix class + if ($BOX_PANEL.attr('style')) { + $BOX_CONTENT.slideToggle(200, function(){ + $BOX_PANEL.removeAttr('style'); + }); + } else { + $BOX_CONTENT.slideToggle(200); + $BOX_PANEL.css('height', 'auto'); + } + + $ICON.toggleClass('fa-chevron-up fa-chevron-down'); + }); + + $('.close-link').click(function () { + var $BOX_PANEL = $(this).closest('.x_panel'); + + $BOX_PANEL.remove(); + }); +}); \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/img/background.png b/dd-sso/admin/src/admin/static/img/background.png new file mode 100644 index 0000000..601ef82 Binary files /dev/null and b/dd-sso/admin/src/admin/static/img/background.png differ diff --git a/dd-sso/admin/src/admin/static/img/logo.png b/dd-sso/admin/src/admin/static/img/logo.png new file mode 100644 index 0000000..e0bb28b Binary files /dev/null and b/dd-sso/admin/src/admin/static/img/logo.png differ diff --git a/dd-sso/admin/src/admin/static/img/missing.jpg b/dd-sso/admin/src/admin/static/img/missing.jpg new file mode 100644 index 0000000..3b27878 Binary files /dev/null and b/dd-sso/admin/src/admin/static/img/missing.jpg differ diff --git a/dd-sso/admin/src/admin/static/js/common.js b/dd-sso/admin/src/admin/static/js/common.js new file mode 100644 index 0000000..0c9e215 --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/common.js @@ -0,0 +1,19 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/dd-sso/admin/src/admin/static/js/dashboard.js b/dd-sso/admin/src/admin/static/js/dashboard.js new file mode 100644 index 0000000..2838b22 --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/dashboard.js @@ -0,0 +1,478 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).ready(function() { + + $('.icon-dropdown').select2({ + width: "100%", + templateSelection: formatText, + templateResult: formatText + }); + + function formatText (icon) { + return $(' ' + icon.text + ''); + }; + + // Update background input when colorpicker is used + $('#colorpicker-background').colorpicker().on('changeColor', function (e) { + $('#colorpicker-background-input').val(e.color.toHex()); + }); + + // Update background colorpicker when input is used + $('#colorpicker-background-input').on('keyup', function (e) { + if ($('#colorpicker-background-input').val()[0] == '#' && $('#colorpicker-background-input').val().length == 7) { + $('#colorpicker-background').colorpicker('setValue', $('#colorpicker-background-input').val()); + } + }) + + // Update primary input when colorpicker is used + $('#colorpicker-primary').colorpicker().on('changeColor', function (e) { + $('#colorpicker-primary-input').val(e.color.toHex()); + }); + + // Update primary colorpicker when input is used + $('#colorpicker-primary-input').on('keyup', function (e) { + if ($('#colorpicker-primary-input').val()[0] == '#' && $('#colorpicker-primary-input').val().length == 7) { + $('#colorpicker-primary').colorpicker('setValue', $('#colorpicker-primary-input').val()); + } + }) + + // Update secondary input when colorpicker is used + $('#colorpicker-secondary').colorpicker().on('changeColor', function (e) { + $('#colorpicker-secondary-input').val(e.color.toHex()); + }); + + // Update primary colorpicker when input is used + $('#colorpicker-secondary-input').on('keyup', function (e) { + if ($('#colorpicker-secondary-input').val()[0] == '#' && $('#colorpicker-secondary-input').val().length == 7) { + $('#colorpicker-secondary').colorpicker('setValue', $('#colorpicker-secondary-input').val()); + } + }) + + init_logo_cropper() + init_background_cropper() + + $('#save-colors').click(function () { + // console.log({ + // 'background': $('#colorpicker-background-input').val(), + // 'primary': $('#colorpicker-primary-input').val(), + // 'secondary': $('#colorpicker-secondary-input').val() + // }) + $.ajax({ + type: "PUT", + url:"/api/dashboard/colours", + data: JSON.stringify({ + 'background': $('#colorpicker-background-input').val(), + 'primary': $('#colorpicker-primary-input').val(), + 'secondary': $('#colorpicker-secondary-input').val() + }), + success: function(data) + { + $('#colorpicker-background').attr('data-container', data.colours.background); + $('#colorpicker-background-input').val(data.colours.background); + $('#colorpicker-primary').attr('data-container', data.colours.primary); + $('#colorpicker-primary-input').val(data.colours.primary); + $('#colorpicker-secondary').attr('data-container', data.colours.secondary); + $('#colorpicker-secondary-input').val(data.colours.secondary); + }, + error: function(data) + { + console.log('ERROR!') + console.log(data) + } + }); + }) + + $('#save-menu').click(function () { + ids = $('[id^="apps_external-"]') + var menu_options = {}; + ids.each(function( index ) { + // console.log(ids[index].id) + if(!(ids[index].id.split('-')[1] in menu_options)){ + menu_options[ids[index].id.split('-')[1]]={} + } + menu_options[ids[index].id.split('-')[1]][ids[index].id.split('-')[2]]=$('#'+ids[index].id).val() + }) + $.ajax({ + type: "PUT", + url:"/api/dashboard/menu", + data: JSON.stringify(menu_options), + success: function(data) + { + // $('#colorpicker-background').attr('data-container', data.colours.toHex()); + // $('#colorpicker-background-input').val(data.colours.toHex()); + // $('#colorpicker-primary').attr('data-container', data.colours.toHex()); + // $('#colorpicker-primary-input').val(data.colours.toHex()); + // $('#colorpicker-secondary').attr('data-container', data.colours.toHex()); + // $('#colorpicker-secondary-input').val(data.colours.toHex()); + }, + error: function(data) + { + console.log('ERROR!') + } + }); + }) + +}) + +/* CROPPER */ + + +function init_logo_cropper() { + + + if (typeof ($.fn.cropper) === 'undefined') { return; } + // console.log('init_logo_cropper'); + + var $image = $('#image_logo'); + var $dataX = $('#dataX'); + var $dataY = $('#dataY'); + var $dataHeight = $('#dataHeight'); + var $dataWidth = $('#dataWidth'); + var $dataRotate = $('#dataRotate'); + var $dataScaleX = $('#dataScaleX'); + var $dataScaleY = $('#dataScaleY'); + var cropWidth = 80; + var cropHeight = 45; + var aspectRatio = cropWidth / cropHeight; + var options = { + aspectRatio: aspectRatio, + preview: '.img-preview-logo', + crop: function (e) { + $dataX.val(Math.round(e.x)); + $dataY.val(Math.round(e.y)); + $dataHeight.val(Math.round(e.height)); + $dataWidth.val(Math.round(e.width)); + $dataRotate.val(e.rotate); + $dataScaleX.val(e.scaleX); + $dataScaleY.val(e.scaleY); + } + }; + + + // Tooltip + $('[data-toggle="tooltip"]').tooltip(); + + + // Cropper + $image.on({ + 'build.cropper': function (e) { + // console.log(e.type); + }, + 'built.cropper': function (e) { + // console.log(e.type); + }, + 'cropstart.cropper': function (e) { + // console.log(e.type, e.action); + }, + 'cropmove.cropper': function (e) { + // console.log(e.type, e.action); + }, + 'cropend.cropper': function (e) { + // console.log(e.type, e.action); + }, + 'crop.cropper': function (e) { + // console.log(e.type, e.x, e.y, e.width, e.height, e.rotate, e.scaleX, e.scaleY); + }, + 'zoom.cropper': function (e) { + // console.log(e.type, e.ratio); + } + }).cropper(options); + + $('#save-logo-crop').click(function () { + $image.data('cropper').getCroppedCanvas({ width: cropWidth, height: cropHeight }).toBlob(function (blob) { + var uri = URL.createObjectURL(blob); + var img = new Image(); + + img.src = uri; + $('.nav_menu_logo').attr('src', img.src) + + var formData = new FormData(); + formData.append('croppedImage', blob); + $.ajax('/api/dashboard/logo', { + method: "PUT", + data: formData, + processData: false, + contentType: false, + success: function () { + // Update logo image + $('.nav_menu_logo').attr('src', img.src) + console.log('Upload success'); + }, + error: function () { + console.log('Upload error'); + } + }); + }); + }) + + // Methods + $('.docs-buttons-logo').on('click', '[data-method]', function () { + var $this = $(this); + var data = $this.data(); + var $target; + var result; + + if ($this.prop('disabled') || $this.hasClass('disabled')) { + return; + } + + if ($image.data('cropper') && data.method) { + data = $.extend({}, data); // Clone a new one + + if (typeof data.target !== 'undefined') { + $target = $(data.target); + + if (typeof data.option === 'undefined') { + try { + data.option = JSON.parse($target.val()); + } catch (e) { + console.log(e.message); + } + } + } + + result = $image.cropper(data.method, data.option, data.secondOption); + + switch (data.method) { + case 'scaleX': + case 'scaleY': + $(this).data('option', -data.option); + break; + } + + if ($.isPlainObject(result) && $target) { + try { + $target.val(JSON.stringify(result)); + } catch (e) { + console.log(e.message); + } + } + + } + }); + + // Import image + var $inputImage = $('#inputImageLogo'); + var URL = window.URL || window.webkitURL; + var blobURL; + + if (URL) { + $inputImage.change(function () { + var files = this.files; + var file; + + if (!$image.data('cropper')) { + return; + } + + if (files && files.length) { + file = files[0]; + + if (/^image\/\w+$/.test(file.type)) { + blobURL = URL.createObjectURL(file); + $image.one('built.cropper', function () { + + // Revoke when load complete + URL.revokeObjectURL(blobURL); + }).cropper('reset').cropper('replace', blobURL); + $inputImage.val(''); + } else { + window.alert('Please choose an image file.'); + } + } + }); + } else { + $inputImage.prop('disabled', true).parent().addClass('disabled'); + } + + +}; + +/* CROPPER --- end */ + +function init_background_cropper() { + + + if (typeof ($.fn.cropper) === 'undefined') { return; } + // console.log('init_background_cropper'); + + var $image = $('#image_background'); + var $dataX = $('#dataX'); + var $dataY = $('#dataY'); + var $dataHeight = $('#dataHeight'); + var $dataWidth = $('#dataWidth'); + var $dataRotate = $('#dataRotate'); + var $dataScaleX = $('#dataScaleX'); + var $dataScaleY = $('#dataScaleY'); + var cropWidth = 1920; + var cropHeight = 1080; + var aspectRatio = cropWidth / cropHeight; + var options = { + aspectRatio: aspectRatio, + preview: '.img-preview-background', + crop: function (e) { + $dataX.val(Math.round(e.x)); + $dataY.val(Math.round(e.y)); + $dataHeight.val(Math.round(e.height)); + $dataWidth.val(Math.round(e.width)); + $dataRotate.val(e.rotate); + $dataScaleX.val(e.scaleX); + $dataScaleY.val(e.scaleY); + } + }; + + + // Tooltip + $('[data-toggle="tooltip"]').tooltip(); + + + // Cropper + $image.on({ + 'build.cropper': function (e) { + // console.log(e.type); + }, + 'built.cropper': function (e) { + // console.log(e.type); + }, + 'cropstart.cropper': function (e) { + // console.log(e.type, e.action); + }, + 'cropmove.cropper': function (e) { + // console.log(e.type, e.action); + }, + 'cropend.cropper': function (e) { + // console.log(e.type, e.action); + }, + 'crop.cropper': function (e) { + // console.log(e.type, e.x, e.y, e.width, e.height, e.rotate, e.scaleX, e.scaleY); + }, + 'zoom.cropper': function (e) { + // console.log(e.type, e.ratio); + } + }).cropper(options); + + $('#save-background-crop').click(function () { + $image.data('cropper').getCroppedCanvas({ width: cropWidth, height: cropHeight }).toBlob(function (blob) { + var uri = URL.createObjectURL(blob); + var img = new Image(); + + img.src = uri; + + var formData = new FormData(); + formData.append('croppedImage', blob); + $.ajax('/api/dashboard/background', { + method: "PUT", + data: formData, + processData: false, + contentType: false, + success: function () { + // Update background image + // console.log('Upload success'); + }, + error: function () { + // console.log('Upload error'); + } + }); + }); + }) + + // Methods + $('.docs-buttons-background').on('click', '[data-method]', function () { + var $this = $(this); + var data = $this.data(); + var $target; + var result; + + if ($this.prop('disabled') || $this.hasClass('disabled')) { + return; + } + + if ($image.data('cropper') && data.method) { + data = $.extend({}, data); // Clone a new one + + if (typeof data.target !== 'undefined') { + $target = $(data.target); + + if (typeof data.option === 'undefined') { + try { + data.option = JSON.parse($target.val()); + } catch (e) { + console.log(e.message); + } + } + } + + result = $image.cropper(data.method, data.option, data.secondOption); + + switch (data.method) { + case 'scaleX': + case 'scaleY': + $(this).data('option', -data.option); + break; + } + + if ($.isPlainObject(result) && $target) { + try { + $target.val(JSON.stringify(result)); + } catch (e) { + console.log(e.message); + } + } + + } + }); + + // Import image + var $inputImage = $('#inputImageBackground'); + var URL = window.URL || window.webkitURL; + var blobURL; + + if (URL) { + $inputImage.change(function () { + var files = this.files; + var file; + + if (!$image.data('cropper')) { + return; + } + + if (files && files.length) { + file = files[0]; + + if (/^image\/\w+$/.test(file.type)) { + blobURL = URL.createObjectURL(file); + $image.one('built.cropper', function () { + + // Revoke when load complete + URL.revokeObjectURL(blobURL); + }).cropper('reset').cropper('replace', blobURL); + $inputImage.val(''); + } else { + window.alert('Please choose an image file.'); + } + } + }); + } else { + $inputImage.prop('disabled', true).parent().addClass('disabled'); + } + + +}; \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/js/groups.js b/dd-sso/admin/src/admin/static/js/groups.js new file mode 100644 index 0000000..64a2b7c --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/groups.js @@ -0,0 +1,247 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).on('shown.bs.modal', '#modalAddDesktop', function () { + modal_add_desktops.columns.adjust().draw(); +}); + +$(document).ready(function() { + + update_modal_groups(); + + $('.btn-global-resync').on('click', function () { + $.ajax({ + type: "GET", + url:"api/resync", + success: function(data) + { + table.ajax.reload(); + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + // Open new group modal + $('.btn-new').on('click', function () { + update_modal_groups() + $('#modalAddGroup').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + }); + + // Send new group form + $('#modalAddGroup #send').on('click', function () { + var form = $('#modalAddGroupForm'); + formdata = form.serializeObject() + console.log('NEW GROUP') + console.log(formdata) + + $.ajax({ + type: "POST", + "url": "/api/group", + data: JSON.stringify(formdata), + complete: function(jqXHR, textStatus) { + switch (jqXHR.status) { + case 200: + $("#modalAddGroup").modal('hide'); + table.ajax.reload(); + break; + case 409: + new PNotify({ + title: "Add group error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + case 412: + new PNotify({ + title: "Add group error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + default: + alert("Server error."); + } + } + }); + + }); + + $('.btn-delete_keycloak').on('click', function () { + $.ajax({ + type: "DELETE", + url:"/api/groups/keycloak", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + //DataTable Main renderer + var table = $('#groups').DataTable({ + "ajax": { + "url": "/api/groups", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

You don't have any group created yet.


Create one using the +Add new button on top right of this page.

" + }, + "rowId": "id", + "deferRender": true, + "columns": [ + { + "className": 'actions-control', + "orderable": false, + "data": null, + "width": "80px", + "defaultContent": '' + // \ + // ' + }, + { "data": "name", "width": "10px" }, + { "data": "path", "width": "10px" }, + ], + "order": [[2, 'asc']], + // "columnDefs": [ ] + } ); + + $('#groups').find(' tbody').on( 'click', 'button', function () { + var data = table.row( $(this).parents('tr') ).data(); + // var closest=$(this).closest("div").parent(); + // var pk=closest.attr("data-pk"); + // console.log(pk) + switch($(this).attr('id')){ + case 'btn-edit': + $("#modalEditGroupForm")[0].reset(); + $('#modalEditGroup').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + // $('#modalEditGroup #user-avatar').attr("src","/avatar/"+data.id) + // setUserDefault('#modalEditGroup', data.id); + $('#modalEdit').parsley(); + break; + case 'btn-delete': + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to delete group: "+data['name']+"?", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + console.log(data) + if(data.id == false){ + $.ajax({ + type: "DELETE", + url:"/api/group", + data: JSON.stringify(data), + success: function(data) + { + table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }else{ + $.ajax({ + type: "DELETE", + url:"/api/group/"+data.id, + success: function(data) + { + table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + } + }).on('pnotify.cancel', function() { + }); + break; + } + }); +}) + +function update_modal_groups(){ + $.ajax({ + type: "GET", + "url": "/api/groups", + success: function(data) + { + $(".groups-select").empty().append( + '' + ) + data.forEach(element => { + var groupOrigins = []; + ['keycloak'].forEach(o => { + if (element[o]) { + groupOrigins.push(o) + } + }) + $(".groups-select").append( + '' + ) + }); + $('.groups-select').select2(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); +} \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/js/legal.js b/dd-sso/admin/src/admin/static/js/legal.js new file mode 100644 index 0000000..d84bc12 --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/legal.js @@ -0,0 +1,120 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).ready(function () { + init_wysiwyg(); + + var lang = getCookie('KEYCLOAK_LOCALE') ? getCookie('KEYCLOAK_LOCALE') : 'ca' + $('#legal-lang').val(lang) + getLangLegal(lang) + // $('#privacy-lang').val(lang) + + // $.ajax({ + // type: "GET", + // url: "/api/legal/privacy", + // data: { + // lang: lang + // }, + // success: function (data) { + // $('#editor-privacy').html(data.html) + // } + // }) + + $("#save-legal").click(function () { + console.log($('#editor-legal').cleanHtml()) + console.log($('#legal-lang').val()) + $.ajax({ + type: "POST", + url: "/api/legal/legal", + data: JSON.stringify({ + 'html': $('#editor-legal').cleanHtml(), + 'lang': $('#legal-lang').val() + }), + success: function () { + new PNotify({ + title: "Legal text", + text: "Updated for "+$('#legal-lang').val()+" language", + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'info' + }); + }, + }); + }); + + $('#legal-lang').on('change', function() { + getLangLegal(this.value) + }); + + // $("#save-privacy").click(function () { + // $.ajax({ + // type: "POST", + // url: "/api/legal/privacy", + // data: { + // 'html': $('#editor-privacy').cleanHtml(), + // 'lang': $('#legal-lang').val() + // }, + // success: function () { + // }, + // }); + // }); +}); + +function getLangLegal(lang) { + $.ajax({ + type: "GET", + url: "/api/legal/legal", + data: { + lang: lang + }, + success: function (data) { + $('#editor-legal').html(data.html) + } + }) +} + +function getCookie(cname) { + let name = cname + "="; + let decodedCookie = decodeURIComponent(document.cookie); + let ca = decodedCookie.split(';'); + for(let i = 0; i . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).on('shown.bs.modal', '#modalAddDesktop', function () { + modal_add_desktops.columns.adjust().draw(); +}); + +$(document).ready(function() { + + $('.btn-global-resync').on('click', function () { + $.ajax({ + type: "GET", + url:"/api/resync", + success: function(data) + { + table.ajax.reload(); + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + $('.btn-new').on('click', function () { + $("#modalAdd")[0].reset(); + $('#modalAddDesktop').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + $('#modalAdd').parsley(); + }); + + //DataTable Main renderer + var table = $('#roles').DataTable({ + "ajax": { + "url": "/api/roles", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

You don't have any role created yet.


Create one using the +Add new button on top right of this page.

" + }, + "rowId": "id", + "deferRender": true, + "columns": [ + { "data": "id", "width": "10px" }, + { "data": "name", "width": "10px" }, + ], + "order": [[1, 'asc']], + // "columnDefs": [ { + // "targets": 0, + // "render": function ( data, type, full, meta ) { + // // return '' + // return '' + // }}] + } ); +}); \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/js/status_socket.js b/dd-sso/admin/src/admin/static/js/status_socket.js new file mode 100644 index 0000000..f6cf763 --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/status_socket.js @@ -0,0 +1,120 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +notice={} +$lost=0; + +socket = io.connect(location.protocol+'//' + document.domain +'/sio'); +console.log(location.protocol+'//' + document.domain +'/sio') +socket.on('connect', function() { + if($lost){location.reload();} + console.log('Listening status socket'); +}); + +socket.on('connect_error', function(data) { + $lost=$lost+1; + $('#modal-lostconnection').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); +}); + +socket.on('notify-create', function(data) { + var data = JSON.parse(data); + notice[data.id] = new PNotify({ + title: data.title, + text: data.text, + hide: false, + type: data.type + }); +}); + +socket.on('notify-destroy', function(data) { + var data = JSON.parse(data); + notice[data.id].remove() +}); + +socket.on('notify-increment', function(data) { + var data = JSON.parse(data); + if(!( data.id in notice)){ + notice[data.id] = new PNotify({ + title: data.title, + text: data.text, + hide: false, + type: data.type + }); + } + // console.log(data.text) + notice[data.id].update({ + text: data.text + }) + if(! data.table == false){ + dtUpdateInsert(data.table,data['data']['data']) + } +}); + + + + // new PNotify({ + // title: "Quota for creating desktops full.", + // text: "Can't create another desktop, user quota full.", + // hide: true, + // delay: 3000, + // icon: 'fa fa-alert-sign', + // opacity: 1, + // type: 'error' + // }); + +// socket.on('update', function(data) { +// var data = JSON.parse(data); +// console.log('Status update') +// console.log(data) +// // var data = JSON.parse(data); +// // drawUserQuota(data); +// }); + +socket.on('update', function(data) { + var data = JSON.parse(data); + console.log('Status update') + console.log(data) + // var data = JSON.parse(data); + // drawUserQuota(data); +}); + + // {'event':'traceback', + // 'id':u['id'], + // 'item':'group', + // 'action':'add' + // 'name':g['name'], + // 'progress':str(item)+'/'+str(total), + // 'status':False, + // 'msg':, + // 'payload':{'traceback':traceback.format_exc(), + // 'data':g}) + +socket.on('progress', function(data) { + var data = JSON.parse(data); + console.log(data) + // $('.modal-progress #item').html(data.item) +}); + + + +//// diff --git a/dd-sso/admin/src/admin/static/js/sysadmin/external.js b/dd-sso/admin/src/admin/static/js/sysadmin/external.js new file mode 100644 index 0000000..e373ffc --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/sysadmin/external.js @@ -0,0 +1,398 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).on('shown.bs.modal', '#modalAddDesktop', function () { + modal_add_desktops.columns.adjust().draw(); +}); + +$(document).ready(function() { + $('#action_role option[value=""]').prop("selected",true); + var path = ""; + items = []; + document.getElementById('file-upload').addEventListener('change', readFile, false); + $('.btn-upload').on('click', function () { + $('#modalImport').modal({backdrop: 'static', keyboard: false}).modal('show'); + $('#modalImportForm')[0].reset(); + }); + + $('.btn-sync').on('click', function () { + ids={} + $.each(users_table.rows().data(),function(key, value){ + ids[value['id']]=value['roles'] + }); + // console.log(ids) + $.ajax({ + type: "PUT", + url:"/api/external", + data: JSON.stringify(ids), + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + users_table.ajax.reload(); + groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + $('.btn-clear-upload').on('click', function () { + new PNotify({ + title: 'Cleaning imported data', + text: 'Are you sure you want to clean imported data?', + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + $.ajax({ + type: "DELETE", + url:"/api/external", + success: function(data) + { + console.log('SUCCESS') + users_table.ajax.reload(); + groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }).on('pnotify.cancel', function() { + $('#action_role option[value=""]').prop("selected",true); + }); + + }); + + $('.btn-sample').on('click', function () { + var viewerFile = new Blob(["groups;firstname;lastname;email;username;password;password_temporal;role;quota\n/alumnes/6è;John;Doe;jdoe@digitaldemocratic.net;jdoe;SuperSecret;no;student;1GB\n/alumnes/6è;Magdalena;Martí;mm_profe@email.cat;mm_profe;SuperSecret;no;teacher;3GB\n/managers;Pere;Isard;pisardmgr@email.cat;pisardmgr;SuperSecret;no;manager;Unlimited\n/alumnes/4t,/alumnes/5è;Marc;Gómez;marcgt@email.cat;marcgt;SuperSecret;no;student;1GB"], {type: "text/csv"}); + var a = document.createElement('a'); + a.download = 'dd_sample_upload.csv'; + a.href = window.URL.createObjectURL(viewerFile); + var ev = document.createEvent("MouseEvents"); + ev.initMouseEvent("click", true, false, self, 0, 0, 0, 0, 0, false, false, false, false, 0, null); + a.dispatchEvent(ev); + }); + + $('.btn-download').on('click', function () { + + data=users_table.rows().data() + csv_data='TYPE,EXT_ID,EMAIL,FIRST,LAST,USERNAME,PATHS,GROUPS,QUOTA,ROLE,PASS_TEMP,PASSWORD'+ '\r\n' + csv_data=csv_data+convertToCSV(data) + console.log(csv_data) + exportCSVFile(csv_data, 'users_data') + }) + + $("#modalImport #send").on('click', function(e){ + // console.log(users_table.rows().data()) + var form = $('#modalImportForm'); + form.parsley().validate(); + if (form.parsley().isValid()){ + formdata = form.serializeObject() + if($('#format').val() == 'csv-ug'){ + formdata['data']=parseCSV(filecontents) + }else{ + formdata['data']=JSON.parse(filecontents) + } + $.ajax({ + type: "POST", + url:"/api/external", + data: JSON.stringify(formdata), + success: function(data) + { + console.log('SUCCESS') + $("#modalImport").modal('hide'); + users_table.ajax.reload(); + groups_table.ajax.reload(); + }, + error: function(xhr, status, error) { + var err = eval("(" + xhr.responseText + ")"); + alert(JSON.parse(xhr.responseText).msg) + users_table.ajax.reload(); + groups_table.ajax.reload(); + } + }); + } + }); + + $('#action_role').on('change', function () { + action=$(this).val(); + names='' + ids=[] + + if(users_table.rows('.active').data().length){ + $.each(users_table.rows('.active').data(),function(key, value){ + names+=value['name']+'\n'; + ids.push(value['id']); + }); + var text = "You are about to assign role "+action+" these users:\n\n "+names + }else{ + $.each(users_table.rows({filter: 'applied'}).data(),function(key, value){ + ids.push(value['id']); + }); + var text = "You are about to assign role "+action+" "+users_table.rows({filter: 'applied'}).data().length+" users!\n All the users in list!" + } + new PNotify({ + title: 'Role assignment!', + text: 'You will asign the role '+action, + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + $.ajax({ + type: "PUT", + url:"/api/external/roles", + data: JSON.stringify({'ids':ids,'action':action}), + success: function(data) + { + console.log('SUCCESS') + users_table.ajax.reload(); + groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }).on('pnotify.cancel', function() { + + }); + $('#action_role option[value=""]').prop("selected",true); + } ); + + //DataTable Main renderer + var users_table = $('#users').DataTable({ + "ajax": { + "url": "/api/external/users", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

No users imported yet.


Import with the Upload button on top right of this page.

" + }, + "rowId": "id", + "deferRender": true, + "columns": [ + { + "className": 'details-control', + "orderable": false, + "data": null, + "width": "10px", + "defaultContent": '' + }, + // { "data": "provider", "width": "10px" }, + { "data": "id", "width": "10px" }, + { "data": "username", "width": "10px"}, + { "data": "first", "width": "10px"}, + { "data": "last", "width": "10px"}, + { "data": "email", "width": "10px"}, + { "data": "gids", "width": "10px"}, + { "data": "groups", "width": "10px"}, + { "data": "roles", "width": "10px"}, + { "data": "quota", "width": "10px"}, + { "data": "password", "width": "10px"}, + ], + "order": [[3, 'asc']], + "columnDefs": [ { + "targets": 1, + "render": function ( data, type, full, meta ) { + return '' + return '' + }}, + { + "targets": 6, + "render": function ( data, type, full, meta ) { + return "
  • " + full.gids.join("
  • ") + "
    • " + }}, + { + "targets": 7, + "render": function ( data, type, full, meta ) { + return "
  • " + full.groups.join("
  • ") + "
    • " + }} + ] + } ); + + + var groups_table = $('#groups').DataTable({ + "ajax": { + "url": "/api/external/groups", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

    No groups imported yet.

    " + }, + "rowId": "id", + "deferRender": true, + "columns": [ + { + "className": 'details-control', + "orderable": false, + "data": null, + "width": "10px", + "defaultContent": '' + }, + // { "data": "id", "width": "10px" }, + // { "data": "provider", "width": "10px" }, + { "data": "name", "width": "10px" }, + { "data": "description", "width": "10px"}, + ], + "order": [[2, 'asc']], + "columnDefs": [ ] +} ); +}); + +function readFile (evt) { + if($('#format').val() == 'json-ga'){ + path = ""; + items = []; + var files = evt.target.files; + var file = files[0]; + var reader = new FileReader(); + reader.onload = function(event) { + filecontents=event.target.result; + $.each(JSON.parse(filecontents), walker); + populate_path(items) + } + reader.readAsText(file, 'UTF-8') + } + if($('#format').val() == 'csv-ug'){ + var files = evt.target.files; + var file = files[0]; + var reader = new FileReader(); + reader.onload = function(event) { + filecontents=event.target.result; + // $.each(JSON.parse(filecontents), walker); + // populate_path(items) + } + reader.readAsText(file, 'UTF-8') + } + + } + +function parseCSV(){ + lines=filecontents.split('\n') + header=lines[0].split(';') + users=[] + $.each(lines, function(n, l){ + if(n!=0 && l.length > 10){ + usr=toObject(header,l.split(';')) + usr['id']=usr['username'] + users.push(usr) + } + }) + return users; +} + function toObject(names, values) { + var result = {}; + for (var i = 0; i < names.length; i++) + result[names[i]] = values[i]; + return result; + } + +function walker(key, value) { + var savepath = path; + path = path ? (path + "/" + key) : key; + items.push({path:path}) + + if (typeof value === "object") { + // Recurse into children + if(value.constructor === Array){ + value=value[0] + } + if(typeof value == "object"){ + $.each(value, walker); + } + } + + path = savepath; +} + +function populate_path(){ + $.each(items, function(key, value) { + $(".populate").append(''); + }) +} + +function convertToCSV(objArray) { + var array = typeof objArray != 'object' ? JSON.parse(objArray) : objArray; + var str = ''; + + for (var i = 0; i < array.length; i++) { + var line = ''; + for (var index in array[i]) { + if (line != '') line += ',' + + if (Array.isArray(array[i][index])){ + line += '"'+array[i][index]+'"' + }else{ + line += array[i][index]; + } + } + + str += line + '\r\n'; + } + + return str; +} + +function exportCSVFile(csv, fileTitle) { + var exportedFilenmae = fileTitle + '.csv' || 'export.csv'; + + var blob = new Blob([csv], { type: 'text/csv;charset=utf-8;' }); + if (navigator.msSaveBlob) { // IE 10+ + navigator.msSaveBlob(blob, exportedFilenmae); + } else { + var link = document.createElement("a"); + if (link.download !== undefined) { // feature detection + // Browsers that support HTML5 download attribute + var url = URL.createObjectURL(blob); + link.setAttribute("href", url); + link.setAttribute("download", exportedFilenmae); + link.style.visibility = 'hidden'; + document.body.appendChild(link); + link.click(); + document.body.removeChild(link); + } + } +} \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/js/sysadmin/groups.js b/dd-sso/admin/src/admin/static/js/sysadmin/groups.js new file mode 100644 index 0000000..5524d5f --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/sysadmin/groups.js @@ -0,0 +1,149 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).on('shown.bs.modal', '#modalAddDesktop', function () { + modal_add_desktops.columns.adjust().draw(); +}); + +$(document).ready(function() { + + $('.btn-global-resync').on('click', function () { + $.ajax({ + type: "GET", + url:"api/resync", + success: function(data) + { + table.ajax.reload(); + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + // Open new group modal + $('.btn-new').on('click', function () { + $('#modalAddGroup').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + }); + + // Send new group form + $('#modalAddGroup #send').on('click', function () { + var form = $('#modalAddGroupForm'); + formdata = form.serializeObject() + console.log('NEW GROUP') + console.log(formdata) + // $.ajax({ + // type: "POST", + // "url": "/groups_list", + // success: function(data) + // { + // console.log('SUCCESS') + // // $("#modalAddGroup").modal('hide'); + // }, + // error: function(data) + // { + // alert('Something went wrong on our side...') + // } + // }); + }); + + $('.btn-delete_keycloak').on('click', function () { + $.ajax({ + type: "DELETE", + url:"/api/groups/keycloak", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + //DataTable Main renderer + var table = $('#groups').DataTable({ + "ajax": { + "url": "/api/groups", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

    You don't have any group created yet.


    Create one using the +Add new button on top right of this page.

    " + }, + "rowId": "id", + "deferRender": true, + "columns": [ + { + "className": 'details-control', + "orderable": false, + "data": null, + "width": "10px", + "defaultContent": '' + }, + { "data": "id", "width": "10px" }, + { "data": "keycloak", "width": "10px" }, + { "data": "moodle", "width": "10px" }, + { "data": "nextcloud", "width": "10px" }, + { "data": "name", "width": "10px" }, + { "data": "path", "width": "10px" }, + ], + "order": [[3, 'asc']], + "columnDefs": [ { + "targets": 2, + "render": function ( data, type, full, meta ) { + if(full.keycloak){ + return '' + }else{ + return '' + }; + }}, + { + "targets": 3, + "render": function ( data, type, full, meta ) { + if(full.moodle){ + return '' + }else{ + return '' + }; + }}, + { + "targets": 4, + "render": function ( data, type, full, meta ) { + if(full.nextcloud){ + return '' + }else{ + return '' + }; + }}, + ] +} ); +}) \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/js/sysadmin/users.js b/dd-sso/admin/src/admin/static/js/sysadmin/users.js new file mode 100644 index 0000000..bb04c35 --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/sysadmin/users.js @@ -0,0 +1,545 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + + +$(document).on('shown.bs.modal', '#modalAddDesktop', function () { + modal_add_desktops.columns.adjust().draw(); +}); + +$(document).ready(function() { + + $.ajax({ + type: "GET", + "url": "/api/groups", + success: function(data) + { + data.forEach(element => { + var groupOrigins = []; + ['keycloak', 'moodle', 'nextcloud'].forEach(o => { + if (element[o]) { + groupOrigins.push(o) + } + }) + $(".groups-select").append( + '' + ) + }); + $('.groups-select').select2(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + + $.ajax({ + type: "GET", + "url": "/api/roles", + success: function(data) + { + console.log('ROLES') + console.log(data) + data.forEach(element => { + $(".role-moodle-select, .role-nextcloud-select, .role-keycloak-select").append( + '' + ) + }) + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + + $('.btn-global-resync').on('click', function () { + $.ajax({ + type: "GET", + url:"/api/resync", + success: function(data) + { + console.log('Reloaded') + table.ajax.reload(); + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + // Open new user modal + $('.btn-new-user').on('click', function () { + $('#modalAddUser').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + }); + + // Send new user form + $('#modalAddUser #send').on('click', function () { + var form = $('#modalAddUserForm'); + formdata = form.serializeObject() + console.log('NEW USER') + console.log(formdata) + // $.ajax({ + // type: "POST", + // "url": "/groups_list", + // success: function(data) + // { + // console.log('SUCCESS') + // // $("#modalAddUser").modal('hide'); + // }, + // error: function(data) + // { + // alert('Something went wrong on our side...') + // } + // }); + }); + + $('.btn-delete_keycloak').on('click', function () { + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to DELETE ALL USERS IN KEYCLOAK???", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + console.log('Updating user password...') + $.ajax({ + type: "DELETE", + url:"/api/users/keycloak", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }).on('pnotify.cancel', function() { + }); + + + }); + + $('.btn-delete_nextcloud').on('click', function () { + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to DELETE ALL USERS IN NEXTCLOUD?", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + console.log('Updating user password...') + $.ajax({ + type: "DELETE", + url:"/api/users/nextcloud", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }).on('pnotify.cancel', function() { + }); + }); + + $('.btn-delete_moodle').on('click', function () { + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to DELETE ALL USERS IN MOODLE?", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + console.log('Updating user password...') + $.ajax({ + type: "DELETE", + url:"/api/users/moodle", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }).on('pnotify.cancel', function() { + }); + }); + + $('.btn-sync_to_moodle').on('click', function () { + $.ajax({ + type: "POST", + url:"/api/users/moodle", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + + $('.btn-sync_from_keycloak').on('click', function () { + $.ajax({ + type: "PUT", + url:"/api/users", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + $('.btn-sync_to_nextcloud').on('click', function () { + $.ajax({ + type: "POST", + url:"/api/users/nextcloud", + success: function(data) + { + console.log('SUCCESS') + // $("#modalImport").modal('hide'); + // users_table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + }); + + //DataTable Main renderer + var table = $('#users').DataTable({ + "ajax": { + "url": "/api/users", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

    You don't have any user created yet.


    Create one using the +Add new button on top right of this page.

    " + }, + "rowId": "id", + "deferRender": true, + "columns": [ + { + "className": 'details-control', + "orderable": false, + "data": null, + "width": "10px", + "defaultContent": '' + }, + { "data": "id", "width": "10px" }, + { "data": "username", "width": "10px"}, + { "data": "first", "width": "10px"}, + { "data": "last", "width": "10px"}, + { "data": "email", "width": "10px"}, + { "data": "keycloak", "width": "10px" }, + { "data": "keycloak_groups", "width": "10px" }, + { "data": "roles", "width": "10px" }, + { "data": "moodle", "width": "10px" }, + { "data": "moodle_groups", "width": "10px" }, + { "data": "nextcloud", "width": "10px" }, + { "data": "nextcloud_groups", "width": "10px" }, + ], + "order": [[4, 'asc']], + "columnDefs": [ { + "targets": 1, + "render": function ( data, type, full, meta ) { + return '' + }}, + { + "targets": 6, + "render": function ( data, type, full, meta ) { + if(full.keycloak){ + return '' + }else{ + return '' + }; + }}, + { + "targets": 7, + "render": function ( data, type, full, meta ) { + return "
  • " + full.keycloak_groups.join("
  • ") + "
    • " + }}, + { + "targets": 9, + "render": function ( data, type, full, meta ) { + if(full.moodle){ + return '' + }else{ + return '' + }; + }}, + { + "targets": 10, + "render": function ( data, type, full, meta ) { + return "
  • " + full.moodle_groups.join("
  • ") + "
    • " + }}, + { + "targets": 11, + "render": function ( data, type, full, meta ) { + if(full.nextcloud){ + return '' + }else{ + return '' + }; + }}, + { + "targets": 12, + "render": function ( data, type, full, meta ) { + return "
  • " + full.nextcloud_groups.join("
  • ") + "
    • " + }}, + ] + } ); + + $template = $(".template-detail-users"); + + $('#users').find('tbody').on('click', 'td.details-control', function () { + var tr = $(this).closest('tr'); + var row = table.row( tr ); + + if ( row.child.isShown() ) { + // This row is already open - close it + row.child.hide(); + tr.removeClass('shown'); + } + else { + // Close other rows + if ( table.row( '.shown' ).length ) { + $('.details-control', table.row( '.shown' ).node()).click(); + } + // Open this row + row.child( addUserDetailPannel(row.data()) ).show(); + tr.addClass('shown'); + actionsUserDetail() + } + } ); + + function addUserDetailPannel ( d ) { + $newPanel = $template.clone(); + $newPanel.html(function(i, oldHtml){ + return oldHtml.replace(/d.id/g, d.id).replace(/d.username/g, d.username); + }); + return $newPanel + } + + function actionsUserDetail(){ + + $('.btn-passwd').on('click', function () { + var closest=$(this).closest("div").parent(); + var pk=closest.attr("data-pk"); + $("#modalPasswdUserForm")[0].reset(); + $('#modalPasswdUser').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + $('#modalPasswdUserForm #id').val(pk); + }); + + $("#modalPasswdUser #send").on('click', function(e){ + var form = $('#modalPasswdUserForm'); + form.parsley().validate(); + if (form.parsley().isValid()){ + data=$('#modalPasswdUserForm').serializeObject(); + data['id']=$('#modalPasswdUserForm #id').val(); + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to update password for the user "+ username+"?", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + console.log('Updating user password...') + $.ajax({ + type: "PUT", + url:"/api/user" + id, + success: function(data) + { + $(div_id + ' #id').val(data.id); + $(div_id + ' #username').val(data.username); + $(div_id + ' #email').val(data.email); + $(div_id + ' #firstname').val(data.firstname); + $(div_id + ' #lastname').val(data.lastname); + $(div_id + ' .groups-select').val(data.groups); + $(div_id + ' .role-moodle-select').val(data.roles); + $(div_id + ' .role-nextcloud-select').val(data.roles); + $(div_id + ' .role-keycloak-select').val(data.roles); + $('.groups-select, .role-moodle-select, .role-nextcloud-select, .role-keycloak-select').trigger('change'); + } + }); + }).on('pnotify.cancel', function() { + }); + } + }); + + $('.btn-edit').on('click', function () { + var closest=$(this).closest("div").parent(); + var pk=closest.attr("data-pk"); + $("#modalEditUserForm")[0].reset(); + $('#modalEditUser').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + setUserDefault('#modalEditUser', pk); + $('#modalEdit').parsley(); + }); + + $("#modalEditUser #send").on('click', function(e){ + var form = $('#modalEditUserForm'); + form.parsley().validate(); + if (form.parsley().isValid()){ + data=$('#modalEditUserForm').serializeObject(); + data['id']=$('#modalEditUserForm #id').val(); + console.log('Editing user...') + console.log(data) + } + }); + + $('.btn-delete').on('click', function () { + var closest=$(this).closest("div").parent(); + var pk=closest.attr("data-pk"); + var username=closest.attr("data-username"); + console.log(username) + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to delete the user: "+ username+"?", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + console.log('Deleting user...') + }).on('pnotify.cancel', function() { + }); + }); + } + function setUserDefault(div_id, user_id) { + // $.ajax({ + // type: "GET", + // url:"/api/user/" + id, + // success: function(data) + // { + // $(div_id + ' #id').val(data.id); + // $(div_id + ' #username').val(data.username); + // $(div_id + ' #email').val(data.email); + // $(div_id + ' #firstname').val(data.firstname); + // $(div_id + ' #lastname').val(data.lastname); + // $(div_id + ' .groups-select').val(data.groups); + // $(div_id + ' .role-moodle-select').val(data.roles); + // $(div_id + ' .role-nextcloud-select').val(data.roles); + // $(div_id + ' .role-keycloak-select').val(data.roles); + // $('.groups-select, .role-moodle-select, .role-nextcloud-select, .role-keycloak-select').trigger('change'); + // } + // }); + // MOCK + $(div_id + ' #id').val('b57c8d3f-ee08-4a1d-9873-f40c082b9c69'); + $(div_id + ' #user-avatar').attr('src', '/static/img/usera.jpg'); + $(div_id + ' #username').val('yedcaqwvt'); + $(div_id + ' #email').val('yedcaqwvt@institutmariaespinalt.cat'); + $(div_id + ' #firstname').val('Ymisno'); + $(div_id + ' #lastname').val('Edcaqwvt tavnuoes'); + $(div_id + ' .groups-select').val(['student', 'manager']); + $(div_id + ' .role-moodle-select').val('51cc1a95-94b7-48eb-aebb-1eba6745e09f'); + $(div_id + ' .role-nextcloud-select').val('1e21ec95-b8c7-43b8-baad-1a31ad33f388'); + $(div_id + ' .role-keycloak-select').val('13da53d5-c50b-42d9-8fbf-84f2ed7cbf9e'); + $('.groups-select, .role-moodle-select, .role-nextcloud-select, .role-keycloak-select').trigger('change'); + } +}); \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/js/users.js b/dd-sso/admin/src/admin/static/js/users.js new file mode 100644 index 0000000..4007c10 --- /dev/null +++ b/dd-sso/admin/src/admin/static/js/users.js @@ -0,0 +1,663 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +$(document).on('shown.bs.modal', '#modalAddDesktop', function () { + modal_add_desktops.columns.adjust().draw(); +}); + +$(document).ready(function() { + + $('#bulk_actions option[value=""]').prop("selected",true); + + update_groups(); + + $.ajax({ + type: "GET", + "url": "/api/roles", + success: function(data) + { + data.forEach(element => { + $(".role-moodle-select, .role-nextcloud-select, .role-keycloak-select").append( + '' + ) + }) + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + + $('.btn-global-resync').on('click', function () { + $.ajax({ + type: "GET", + url:"/api/resync", + success: function(data) + { + table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + table.ajax.reload(); + } + }); + }); + + $('#bulk_actions').on('change', function () { + action=$(this).val(); + names='' + ids=[] + + if(table.rows('.active').data().length){ + $.each(table.rows('.active').data(),function(key, value){ + names+=value['username']+'\n'; + ids.push({'id':value['id'],'username':value['username']}); + }); + var text = "You are about to "+action+" these users:\n\n "+names + }else{ + $.each(table.rows({filter: 'applied'}).data(),function(key, value){ + ids.push({'id':value['id'],'username':value['username']}); + }); + var text = "You are about to "+action+" "+table.rows({filter: 'applied'}).data().length+" users!\n To all the users in list!" + } + console.log(ids) + new PNotify({ + title: 'Bulk actions on users', + text: text, + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + $.ajax({ + type: "PUT", + url:"/api/users_bulk/"+$('#bulk_actions').val(), + data: JSON.stringify(ids), + success: function(data) + { + console.log('SUCCESS') + $('#bulk_actions option[value=""]').prop("selected",true); + table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + $('#bulk_actions option[value=""]').prop("selected",true); + table.ajax.reload(); + } + }); + }).on('pnotify.cancel', function() { + $('#bulk_actions option[value=""]').prop("selected",true); + }); + } ); + + // Open new user modal + $('.btn-new-user').on('click', function () { + $("#modalAddUserForm")[0].reset(); + update_groups(); + $.ajax({ + type: "GET", + "url": "/api/user_password", + success: function(data) + { + $('#modalAddUser #password').val(data) + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); + $('#modalAddUser #enabled').prop('checked',true).iCheck('update'); + $('#modalAddUser').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + }); + + //has uppercase + window.Parsley.addValidator('uppercase', { + requirementType: 'number', + validateString: function(value, requirement) { + var uppercases = value.match(/[A-Z]/g) || []; + return uppercases.length >= requirement; + }, + messages: { + en: 'Your password must contain at least (%s) uppercase letter.' + } + }); + + //has lowercase + window.Parsley.addValidator('lowercase', { + requirementType: 'number', + validateString: function(value, requirement) { + var lowecases = value.match(/[a-z]/g) || []; + return lowecases.length >= requirement; + }, + messages: { + en: 'Your password must contain at least (%s) lowercase letter.' + } + }); + // Send new user form + $('#modalAddUser #send').on('click', function () { + var form = $('#modalAddUserForm'); + form.parsley().validate(); + if (form.parsley().isValid()){ + formdata = form.serializeObject() + // console.log('NEW USER') + // console.log(formdata) + + $.ajax({ + type: "POST", + "url": "/api/user", + data: JSON.stringify(formdata), + complete: function(jqXHR, textStatus) { + switch (jqXHR.status) { + case 200: + $("#modalAddUser").modal('hide'); + break; + case 409: + new PNotify({ + title: "Add user error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + case 412: + new PNotify({ + title: "Add user error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + default: + alert("Server error."); + } + } + }); + } + table.ajax.reload(); + }); + + // $("#modalEditUser #send").on('click', function(e){ + // var form = $('#modalEditUserForm'); + // form.parsley().validate(); + // if (form.parsley().isValid()){ + // data=$('#modalEditUserForm').serializeObject(); + // data['id']=$('#modalEditUserForm #id').val(); + // console.log('Editing user...') + // console.log(data) + // } + // }); + + $('#modalEditUser #send').on('click', function () { + var form = $('#modalEditUserForm'); + form.parsley().validate(); + if (form.parsley().isValid()){ + formdata = form.serializeObject() + formdata['id']=$('#modalEditUserForm #id').val(); + formdata['username']=$('#modalEditUserForm #username').val(); + console.log('UPDATE USER') + console.log(formdata) + $.ajax({ + type: "PUT", + "url": "/api/user/"+formdata['id'], + data: JSON.stringify(formdata), + complete: function(jqXHR, textStatus) { + table.ajax.reload(); + switch (jqXHR.status) { + case 200: + $("#modalEditUser").modal('hide'); + break; + case 404: + new PNotify({ + title: "Update user error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + case 409: + new PNotify({ + title: "Add user error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + case 412: + new PNotify({ + title: "Add user error", + text: $.parseJSON(jqXHR.responseText)['msg'], + hide: true, + delay: 3000, + icon: 'fa fa-alert-sign', + opacity: 1, + type: 'error' + }); + break; + default: + alert("Server error."); + } + } + }); + } + }); + //DataTable Main renderer + var table = $('#users').DataTable({ + "ajax": { + "url": "/api/users", + "dataSrc": "" + }, + "language": { + "loadingRecords": 'Loading...', + "emptyTable": "

    You don't have any user created yet.


    Create one using the +Add new button on top right of this page.

    " + }, + "rowId": "id", + "deferRender": true, + "columns": [ + // { + // "className": 'details-control', + // "orderable": false, + // "data": null, + // "width": "10px", + // "defaultContent": '' + // }, + { "data": "enabled", "width": "1px" }, + { "data": "id", "width": "10px" }, + { "data": "roles", "width": "10px" }, + { + "className": 'actions-control', + "orderable": false, + "data": null, + "width": "80px", + "defaultContent": ' \ + \ + ' + }, + { + "className": 'text-center', + "data": null, + "orderable": false, + "defaultContent": '', + "width": "10px" + }, + { "data": "username", "width": "10px"}, + { "data": "first", "width": "10px"}, + { "data": "last", "width": "150px"}, + { "data": "email", "width": "10px"}, + { "data": "keycloak_groups", "width": "50px" }, + { "data": "quota", "width": "10px", "default": "-"}, + ], + "order": [[6, 'asc']], + "columnDefs": [ { + "targets": 1, + "render": function ( data, type, full, meta ) { + // return '' + return '' + }}, + { + "targets": 0, + "render": function ( data, type, full, meta ) { + if(full.enabled){ + return '' + }else{ + return '' + }; + }}, + { + "targets": 2, + "render": function ( data, type, full, meta ) { + if(full.roles.length){ + return full.roles[0][0].toUpperCase() + full.roles[0].slice(1); + }else{ + return '-' + } + }}, + { + "targets": 5, + "render": function ( data, type, full, meta ) { + return ''+full.username+'' + }}, + { + "targets": 9, + "render": function ( data, type, full, meta ) { + grups = '' + full.keycloak_groups.forEach(element => { + grups += '' + element + '' + }) + return grups + }}, + { + "targets": 10, + "render": function ( data, type, full, meta ) { + if(full.quota == false){ + return 'Unlimited' + }else{ + return full.quota + } + }}, + ] + } ); + + table.on( 'click', 'tr', function () { + $(this).toggleClass('active'); + if ($(this).hasClass('active')) { + $(this).find('input').prop('checked', true); + } else { + $(this).find('input').prop('checked', false); + } + } ); + + // $template = $(".template-detail-users"); + + // $('#users').find('tbody').on('click', 'td.details-control', function () { + // var tr = $(this).closest('tr'); + // var row = table.row( tr ); + + // if ( row.child.isShown() ) { + // // This row is already open - close it + // row.child.hide(); + // tr.removeClass('shown'); + // } + // else { + // // Close other rows + // if ( table.row( '.shown' ).length ) { + // $('.details-control', table.row( '.shown' ).node()).click(); + // } + // // Open this row + // row.child( addUserDetailPannel(row.data()) ).show(); + // tr.addClass('shown'); + // actionsUserDetail() + // } + // } ); + + $('#users').find(' tbody').on( 'click', 'button', function () { + var data = table.row( $(this).parents('tr') ).data(); + // var closest=$(this).closest("div").parent(); + // var pk=closest.attr("data-pk"); + // console.log(pk) + switch($(this).attr('id')){ + case 'btn-edit': + $("#modalEditUserForm")[0].reset(); + $('#modalEditUser').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + $('#modalEditUser #user-avatar').attr("src","/avatar/"+data.id) + setUserDefault('#modalEditUser', data.id); + $('#modalEdit').parsley(); + break; + case 'btn-delete': + new PNotify({ + title: 'Confirmation Needed', + text: "Are you sure you want to delete user: "+data['username']+"?", + hide: false, + opacity: 0.9, + confirm: { + confirm: true + }, + buttons: { + closer: false, + sticker: false + }, + history: { + history: false + }, + addclass: 'pnotify-center' + }).get().on('pnotify.confirm', function() { + $.ajax({ + type: "DELETE", + url:"/api/user/"+data.id, + success: function(data) + { + table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + table.ajax.reload(); + } + }); + }).on('pnotify.cancel', function() { + }); + break; + case 'btn-password': + $("#modalPasswdUserForm")[0].reset(); + $('#modalPasswdUser').modal({ + backdrop: 'static', + keyboard: false + }).modal('show'); + $('#modalPasswdUserForm #id').val(data.id); + + $.ajax({ + type: "GET", + url:"/api/user_password", + success: function(data) + { + $('#modalPasswdUserForm #password').val(data); + table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + table.ajax.reload(); + } + }); + break; + } + }); + + $("#modalPasswdUser #send").on('click', function(e){ + var form = $('#modalPasswdUserForm'); + form.parsley().validate(); + if (form.parsley().isValid()){ + formdata=$('#modalPasswdUserForm').serializeObject(); + + id=$('#modalPasswdUserForm #id').val(); + $.ajax({ + type: "PUT", + url:"/api/user_password/" + id, + data: JSON.stringify(formdata), + success: function(data) + { + $("#modalPasswdUser").modal('hide'); + table.ajax.reload(); + // groups_table.ajax.reload(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + table.ajax.reload(); + } + // statusCode: { + // 404: function(data) { + // // {'error': 'description}. Not able to get responseJSON from received object + // alert('User not exists in system!') + // }, + // 200: function() { + // console.log("Success"); + // } + // }, + // error: function(data) + // { + // alert('Something went wrong on our side...') + // } + }); + } + }); + + // function addUserDetailPannel ( d ) { + // $newPanel = $template.clone(); + // $newPanel.html(function(i, oldHtml){ + // return oldHtml.replace(/d.id/g, d.id).replace(/d.username/g, d.username); + // }); + // return $newPanel + // } + + // function actionsUserDetail(){ + + // $('.btn-passwd').on('click', function () { + // var closest=$(this).closest("div").parent(); + // var pk=closest.attr("data-pk"); + // $("#modalPasswdUserForm")[0].reset(); + // $('#modalPasswdUser').modal({ + // backdrop: 'static', + // keyboard: false + // }).modal('show'); + // $('#modalPasswdUserForm #id').val(pk); + // }); + + + + // $('.btn-edit').on('click', function () { + // var closest=$(this).closest("div").parent(); + // var pk=closest.attr("data-pk"); + // $("#modalEditUserForm")[0].reset(); + // $('#modalEditUser').modal({ + // backdrop: 'static', + // keyboard: false + // }).modal('show'); + // setUserDefault('#modalEditUser', pk); + // $('#modalEdit').parsley(); + // }); + + // $('.btn-delete').on('click', function () { + // var closest=$(this).closest("div").parent(); + // var pk=closest.attr("data-pk"); + // var username=closest.attr("data-username"); + // console.log(username) + // new PNotify({ + // title: 'Confirmation Needed', + // text: "Are you sure you want to delete the user: "+ username+"?", + // hide: false, + // opacity: 0.9, + // confirm: { + // confirm: true + // }, + // buttons: { + // closer: false, + // sticker: false + // }, + // history: { + // history: false + // }, + // addclass: 'pnotify-center' + // }).get().on('pnotify.confirm', function() { + // console.log('Deleting user...') + // }).on('pnotify.cancel', function() { + // }); + // }); + // } + + function setUserDefault(div_id, user_id) { + $.ajax({ + type: "GET", + url:"/api/user/" + user_id, + success: function(data) + { + console.log(data) + if (data.enabled) { + $(div_id + ' #enabled').iCheck('check') + } + $(div_id + ' #id').val(data.id); + $(div_id + ' #username').val(data.username); + $(div_id + ' #email').val(data.email); + $(div_id + ' #firstname').val(data.first); + $(div_id + ' #lastname').val(data.last); + if(data.quota == false){ + $(div_id + ' #quota').val('false') + }else{ + $(div_id + ' #quota').val(data.quota); + } + $(div_id + ' .groups-select').val(data.keycloak_groups); + + // $(div_id + ' .role-moodle-select').val(data.keycloak_roles); + // $(div_id + ' .role-nextcloud-select').val(data.roles); + $(div_id + ' .role-keycloak-select').val(data.roles[0]); + $('.groups-select').trigger('change'); + + // $('.groups-select, .role-moodle-select, .role-nextcloud-select, .role-keycloak-select').trigger('change'); + } + }); + // MOCK + // $(div_id + ' #id').val('b57c8d3f-ee08-4a1d-9873-f40c082b9c69'); + // $(div_id + ' #user-avatar').attr('src', 'static/img/usera.jpg'); + // $(div_id + ' #username').val('yedcaqwvt'); + // $(div_id + ' #email').val('yedcaqwvt@institutmariaespinalt.cat'); + // $(div_id + ' #firstname').val('Ymisno'); + // $(div_id + ' #lastname').val('Edcaqwvt tavnuoes'); + // $(div_id + ' .groups-select').val(['student', 'manager']); + // $(div_id + ' .role-moodle-select').val('51cc1a95-94b7-48eb-aebb-1eba6745e09f'); + // $(div_id + ' .role-nextcloud-select').val('1e21ec95-b8c7-43b8-baad-1a31ad33f388'); + // $(div_id + ' .role-keycloak-select').val('13da53d5-c50b-42d9-8fbf-84f2ed7cbf9e'); + // $('.groups-select, .role-moodle-select, .role-nextcloud-select, .role-keycloak-select').trigger('change'); + } +}); + +function update_groups(){ + $(".groups-select").empty() + $.ajax({ + type: "GET", + "url": "/api/groups", + success: function(data) + { + data.forEach(element => { + var groupOrigins = []; + ['keycloak'].forEach(o => { + if (element[o]) { + groupOrigins.push(o) + } + }) + $(".groups-select").append( + '' + ) + }); + $('.groups-select').select2(); + }, + error: function(data) + { + alert('Something went wrong on our side...') + } + }); +} \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/templates/aux/text-editor.html b/dd-sso/admin/src/admin/static/templates/aux/text-editor.html new file mode 100644 index 0000000..6e71bd0 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/aux/text-editor.html @@ -0,0 +1,118 @@ + +
    +
    +
    + +
    + +
    + +
    +   + +
    + +
    + + + + +
    + +
    + + + + +
    + +
    + + + + +
    + +
    + + +
    +
    + +
    + + +
    diff --git a/dd-sso/admin/src/admin/static/templates/base.html b/dd-sso/admin/src/admin/static/templates/base.html new file mode 100644 index 0000000..cecd08c --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/base.html @@ -0,0 +1,152 @@ + + + + + + + + + + + + + + {{ title }} | DD + + + + + + + + + + + + + + + + + + {% block css %}{% endblock %} + + + + + + + +
    +
    +
    +
    + {% include 'sidebar.html' %} +
    +
    + + {% include 'header.html' %} + +
    + + {% block content %} + {% endblock %} + +
    + + {% include 'footer.html' %} + +
    +
    + + {% include 'pages/modals/common_modals.html' %} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {% with messages = get_flashed_messages(with_categories=true) %} + {% if messages %} + {% for category, message in messages %} + + {% endfor %} + {% endif %} + {% endwith %} + {% block pagescript %}{% endblock %} + + diff --git a/dd-sso/admin/src/admin/static/templates/footer.html b/dd-sso/admin/src/admin/static/templates/footer.html new file mode 100644 index 0000000..ab83b85 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/footer.html @@ -0,0 +1,26 @@ + +
    +
    + DD - Administration | source +
    +
    +
    diff --git a/dd-sso/admin/src/admin/static/templates/header.html b/dd-sso/admin/src/admin/static/templates/header.html new file mode 100644 index 0000000..6c8a995 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/header.html @@ -0,0 +1,22 @@ + + diff --git a/dd-sso/admin/src/admin/static/templates/login.html b/dd-sso/admin/src/admin/static/templates/login.html new file mode 100644 index 0000000..7a19230 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/login.html @@ -0,0 +1,108 @@ + + + + + + + + + + + Login | DD + + + + + + + + + + + + + + + +
    + + + +
    + + + + + + + + + + + {% with messages = get_flashed_messages(with_categories=true) %} + {% if messages %} + {% for category, message in messages %} + + {% endfor %} + {% endif %} + {% endwith %} + + + diff --git a/dd-sso/admin/src/admin/static/templates/page_404.html b/dd-sso/admin/src/admin/static/templates/page_404.html new file mode 100755 index 0000000..2ccf94d --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/page_404.html @@ -0,0 +1,89 @@ + + + + + + + + + + + Page not found! | DD + + + + + + + + + + + + + +
    +
    + +
    +
    +
    +

    404

    +

    Sorry but we couldn't find this page

    +

    This page you are looking for does not exist Report this? + Go back to login page +

    + +
    +
    +
    + +
    +
    + + + + + + + + + + + + + + diff --git a/dd-sso/admin/src/admin/static/templates/page_500.html b/dd-sso/admin/src/admin/static/templates/page_500.html new file mode 100755 index 0000000..d585eaa --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/page_500.html @@ -0,0 +1,89 @@ + + + + + + + + + + + Page not allowed! | DD + + + + + + + + + + + + + +
    +
    + +
    +
    +
    +

    500

    +

    Internal Server Error

    +

    We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, try refreshing. Report this? + Go back to login page +

    + +
    +
    +
    + +
    +
    + + + + + + + + + + + + + + diff --git a/dd-sso/admin/src/admin/static/templates/pages/about.html b/dd-sso/admin/src/admin/static/templates/pages/about.html new file mode 100644 index 0000000..c172310 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/about.html @@ -0,0 +1,77 @@ + + +{% extends "base.html" %} + +{% block content %} +
    +
    +
    +
    + +

    DD

    +

    Schools apps integrations

    +
    +
    +
    + + +

    Visit website

    +     +
    +
    + + +

    Open an issue

    +     +
    +
    +
    +
    +
    +
    + +

    + + Contact us at: +
    + info@digitaldemocratic.net +     +

    +
    +
    +

    +

    License

    +
    +
    +
    +
    +
    +
    +
    + +{% endblock %} + +{% block pagescript %} + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/dashboard.html b/dd-sso/admin/src/admin/static/templates/pages/dashboard.html new file mode 100644 index 0000000..cc4c132 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/dashboard.html @@ -0,0 +1,456 @@ + + +{% extends "base.html" %} +{% block css %} + + + + + + + + +{% endblock %} +{% block content %} + +{% set icons = [ 'fa-500px', 'fa-address-book', 'fa-address-book-o', 'fa-address-card', 'fa-address-card-o', 'fa-adjust', 'fa-adn', +'fa-align-center', 'fa-align-justify', 'fa-align-left', 'fa-align-right', 'fa-amazon', 'fa-ambulance', 'fa-american-sign-language-interpreting', +'fa-anchor', 'fa-android', 'fa-angellist', 'fa-angle-double-down', 'fa-angle-double-left', 'fa-angle-double-right', 'fa-angle-double-up', +'fa-angle-down', 'fa-angle-left', 'fa-angle-right', 'fa-angle-up', 'fa-apple', 'fa-archive', 'fa-area-chart', 'fa-arrow-circle-down', +'fa-arrow-circle-left', 'fa-arrow-circle-o-down', 'fa-arrow-circle-o-left', 'fa-arrow-circle-o-right', 'fa-arrow-circle-o-up', 'fa-arrow-circle-right', +'fa-arrow-circle-up', 'fa-arrow-down', 'fa-arrow-left', 'fa-arrow-right', 'fa-arrow-up', 'fa-arrows', 'fa-arrows-alt', 'fa-arrows-h', +'fa-arrows-v', 'fa-asl-interpreting', 'fa-assistive-listening-systems', 'fa-asterisk', 'fa-at', 'fa-audio-description', 'fa-automobile', +'fa-backward', 'fa-balance-scale', 'fa-ban', 'fa-bandcamp', 'fa-bank', 'fa-bar-chart', 'fa-bar-chart-o', 'fa-barcode', 'fa-bars', 'fa-bath', +'fa-bathtub', 'fa-battery', 'fa-battery-0', 'fa-battery-1', 'fa-battery-2', 'fa-battery-3', 'fa-battery-4', 'fa-battery-empty', +'fa-battery-full', 'fa-battery-half', 'fa-battery-quarter', 'fa-battery-three-quarters', 'fa-bed', 'fa-beer', 'fa-behance', 'fa-behance-square', 'fa-bell', 'fa-bell-o', 'fa-bell-slash', 'fa-bell-slash-o', 'fa-bicycle', 'fa-binoculars', 'fa-birthday-cake', 'fa-bitbucket', 'fa-bitbucket-square', 'fa-bitcoin', 'fa-black-tie', 'fa-blind', 'fa-bluetooth', 'fa-bold', 'fa-bolt', 'fa-bomb', 'fa-book', 'fa-bookmark', 'fa-bookmark-o', 'fa-braille', 'fa-briefcase', 'fa-btc', 'fa-bug', 'fa-building', 'fa-building-o', 'fa-bullhorn', 'fa-bullseye', 'fa-bus', 'fa-buysellads', 'fa-cab', 'fa-calculator', 'fa-calendar', 'fa-calendar-check-o', 'fa-calendar-minus-o', 'fa-calendar-o', 'fa-calendar-plus-o', 'fa-calendar-times-o', 'fa-camera', 'fa-camera-retro', +'fa-car', 'fa-caret-down', 'fa-caret-left', 'fa-caret-right', 'fa-caret-square-o-down', 'fa-caret-square-o-left', 'fa-caret-square-o-right', +'fa-caret-square-o-up', 'fa-caret-up', 'fa-cart-arrow-down', 'fa-cart-plus', 'fa-cc', 'fa-cc-amex', 'fa-cc-diners-club', 'fa-cc-discover', +'fa-cc-jcb', 'fa-cc-mastercard', 'fa-cc-paypal', 'fa-cc-stripe', 'fa-cc-visa', 'fa-certificate', 'fa-chain', 'fa-chain-broken', 'fa-check', +'fa-check-circle', 'fa-check-circle-o', 'fa-check-square', 'fa-check-square-o', 'fa-chevron-circle-down', 'fa-chevron-circle-left', +'fa-chevron-circle-right', 'fa-chevron-circle-up', 'fa-chevron-down', 'fa-chevron-left', 'fa-chevron-right', 'fa-chevron-up', 'fa-child', +'fa-chrome', 'fa-circle', 'fa-circle-o', 'fa-circle-o-notch', 'fa-circle-thin', 'fa-clipboard', 'fa-clock-o', 'fa-clone', 'fa-close', +'fa-cloud', 'fa-cloud-download', 'fa-cloud-upload', 'fa-cny', 'fa-code', 'fa-code-fork', 'fa-codepen', 'fa-codiepie', 'fa-coffee', 'fa-cog', +'fa-cogs', 'fa-columns', 'fa-comment', 'fa-comment-o', 'fa-commenting', 'fa-commenting-o', 'fa-comments', 'fa-comments-o', 'fa-compass', +'fa-compress', 'fa-connectdevelop', 'fa-contao', 'fa-copy', 'fa-copyright', 'fa-creative-commons', 'fa-credit-card', 'fa-credit-card-alt', +'fa-crop', 'fa-crosshairs', 'fa-css3', 'fa-cube', 'fa-cubes', 'fa-cut', 'fa-cutlery', 'fa-dashboard', 'fa-dashcube', 'fa-database', 'fa-deaf', 'fa-deafness', 'fa-dedent', 'fa-delicious', 'fa-desktop', 'fa-deviantart', 'fa-diamond', 'fa-digg', 'fa-dollar', 'fa-dot-circle-o', 'fa-download', 'fa-dribbble', 'fa-drivers-license', 'fa-drivers-license-o', 'fa-dropbox', 'fa-drupal', 'fa-edge', 'fa-edit', 'fa-eercast', 'fa-eject', 'fa-ellipsis-h', 'fa-ellipsis-v', 'fa-empire', 'fa-envelope', 'fa-envelope-o', 'fa-envelope-open', +'fa-envelope-open-o', 'fa-envelope-square', 'fa-envira', 'fa-eraser', 'fa-etsy', 'fa-eur', 'fa-euro', 'fa-exchange', 'fa-exclamation', +'fa-exclamation-circle', 'fa-exclamation-triangle', 'fa-expand', 'fa-expeditedssl', 'fa-external-link', 'fa-external-link-square', 'fa-eye', +'fa-eye-slash', 'fa-eyedropper', 'fa-fa', 'fa-facebook', 'fa-facebook-f', 'fa-facebook-official', 'fa-facebook-square', 'fa-fast-backward', +'fa-fast-forward', 'fa-fax', 'fa-feed', 'fa-female', 'fa-fighter-jet', 'fa-file', 'fa-file-archive-o', 'fa-file-audio-o', 'fa-file-code-o', +'fa-file-excel-o', 'fa-file-image-o', 'fa-file-movie-o', 'fa-file-o', 'fa-file-pdf-o', 'fa-file-photo-o', 'fa-file-picture-o', +'fa-file-powerpoint-o', 'fa-file-sound-o', 'fa-file-text', 'fa-file-text-o', 'fa-file-video-o', 'fa-file-word-o', 'fa-file-zip-o', +'fa-files-o', 'fa-film', 'fa-filter', 'fa-fire', 'fa-fire-extinguisher', 'fa-firefox', 'fa-first-order', 'fa-flag', 'fa-flag-checkered', +'fa-flag-o', 'fa-flash', 'fa-flask', 'fa-flickr', 'fa-floppy-o', 'fa-folder', 'fa-folder-o', 'fa-folder-open', 'fa-folder-open-o', 'fa-font', +'fa-font-awesome', 'fa-fonticons', 'fa-fort-awesome', 'fa-forumbee', 'fa-forward', 'fa-foursquare', 'fa-free-code-camp', 'fa-frown-o', +'fa-futbol-o', 'fa-gamepad', 'fa-gavel', 'fa-gbp', 'fa-ge', 'fa-gear', 'fa-gears', 'fa-genderless', 'fa-get-pocket', 'fa-gg', 'fa-gg-circle', +'fa-gift', 'fa-git', 'fa-git-square', 'fa-github', 'fa-github-alt', 'fa-github-square', 'fa-gitlab', 'fa-gittip', 'fa-glass', 'fa-glide', +'fa-glide-g', 'fa-globe', 'fa-google', 'fa-google-plus', 'fa-google-plus-circle', 'fa-google-plus-official', 'fa-google-plus-square', +'fa-google-wallet', 'fa-graduation-cap', 'fa-gratipay', 'fa-grav', 'fa-group', 'fa-h-square', 'fa-hacker-news', 'fa-hand-grab-o', +'fa-hand-lizard-o', 'fa-hand-o-down', 'fa-hand-o-left', 'fa-hand-o-right', 'fa-hand-o-up', 'fa-hand-paper-o', 'fa-hand-peace-o', +'fa-hand-pointer-o', 'fa-hand-rock-o', 'fa-hand-scissors-o', 'fa-hand-spock-o', 'fa-hand-stop-o', 'fa-handshake-o', 'fa-hard-of-hearing', +'fa-hashtag', 'fa-hdd-o', 'fa-header', 'fa-headphones', 'fa-heart', 'fa-heart-o', 'fa-heartbeat', 'fa-history', 'fa-home', 'fa-hospital-o', +'fa-hotel', 'fa-hourglass', 'fa-hourglass-1', 'fa-hourglass-2', 'fa-hourglass-3', 'fa-hourglass-end', 'fa-hourglass-half', 'fa-hourglass-o', +'fa-hourglass-start', 'fa-houzz', 'fa-html5', 'fa-i-cursor', 'fa-id-badge', 'fa-id-card', 'fa-id-card-o', 'fa-ils', 'fa-image', 'fa-imdb', +'fa-inbox', 'fa-indent', 'fa-industry', 'fa-info', 'fa-info-circle', 'fa-inr', 'fa-instagram', 'fa-institution', 'fa-internet-explorer', +'fa-intersex', 'fa-ioxhost', 'fa-italic', 'fa-joomla', 'fa-jpy', 'fa-jsfiddle', 'fa-key', 'fa-keyboard-o', 'fa-krw', 'fa-language', +'fa-laptop', 'fa-lastfm', 'fa-lastfm-square', 'fa-leaf', 'fa-leanpub', 'fa-legal', 'fa-lemon-o', 'fa-level-down', 'fa-level-up', +'fa-life-bouy', 'fa-life-buoy', 'fa-life-ring', 'fa-life-saver', 'fa-lightbulb-o', 'fa-line-chart', 'fa-link', 'fa-linkedin', +'fa-linkedin-square', 'fa-linode', 'fa-linux', 'fa-list', 'fa-list-alt', 'fa-list-ol', 'fa-list-ul', 'fa-location-arrow', 'fa-lock', +'fa-long-arrow-down', 'fa-long-arrow-left', 'fa-long-arrow-right', 'fa-long-arrow-up', 'fa-low-vision', 'fa-magic', 'fa-magnet', +'fa-mail-forward', 'fa-mail-reply', 'fa-mail-reply-all', 'fa-male', 'fa-map', 'fa-map-marker', 'fa-map-o', 'fa-map-pin', 'fa-map-signs', +'fa-mars', 'fa-mars-double', 'fa-mars-stroke', 'fa-mars-stroke-h', 'fa-mars-stroke-v', 'fa-maxcdn', 'fa-meanpath', 'fa-medium', 'fa-medkit', +'fa-meetup', 'fa-meh-o', 'fa-mercury', 'fa-microchip', 'fa-microphone', 'fa-microphone-slash', 'fa-minus', 'fa-minus-circle', 'fa-minus-square', +'fa-minus-square-o', 'fa-mixcloud', 'fa-mobile', 'fa-mobile-phone', 'fa-modx', 'fa-money', 'fa-moon-o', 'fa-mortar-board', 'fa-motorcycle', 'fa-mouse-pointer', 'fa-music', 'fa-navicon', 'fa-neuter', 'fa-newspaper-o', 'fa-object-group', 'fa-object-ungroup', +'fa-odnoklassniki', 'fa-odnoklassniki-square', 'fa-opencart', 'fa-openid', 'fa-opera', 'fa-optin-monster', 'fa-outdent', 'fa-pagelines', +'fa-paint-brush', 'fa-paper-plane', 'fa-paper-plane-o', 'fa-paperclip', 'fa-paragraph', 'fa-paste', 'fa-pause', 'fa-pause-circle', +'fa-pause-circle-o', 'fa-paw', 'fa-paypal', 'fa-pencil', 'fa-pencil-square', 'fa-pencil-square-o', 'fa-percent', 'fa-phone', 'fa-phone-square', +'fa-photo', 'fa-picture-o', 'fa-pie-chart', 'fa-pied-piper', 'fa-pied-piper-alt', 'fa-pied-piper-pp', 'fa-pinterest', 'fa-pinterest-p', +'fa-pinterest-square', 'fa-plane', 'fa-play', 'fa-play-circle', 'fa-play-circle-o', 'fa-plug', 'fa-plus', 'fa-plus-circle', 'fa-plus-square', +'fa-plus-square-o', 'fa-podcast', 'fa-power-off', 'fa-print', 'fa-product-hunt', 'fa-puzzle-piece', 'fa-qq', 'fa-qrcode', 'fa-question', +'fa-question-circle', 'fa-question-circle-o', 'fa-quora', 'fa-quote-left', 'fa-quote-right', 'fa-ra', 'fa-random', 'fa-ravelry', 'fa-rebel', +'fa-recycle', 'fa-reddit', 'fa-reddit-alien', 'fa-reddit-square', 'fa-refresh', 'fa-registered', 'fa-remove', 'fa-renren', 'fa-reorder', +'fa-repeat', 'fa-reply', 'fa-reply-all', 'fa-resistance', 'fa-retweet', 'fa-rmb', 'fa-road', 'fa-rocket', 'fa-rotate-left', 'fa-rotate-right', +'fa-rouble', 'fa-rss', 'fa-rss-square', 'fa-rub', 'fa-ruble', 'fa-rupee', 'fa-s15', 'fa-safari', 'fa-save', 'fa-scissors', 'fa-scribd', +'fa-search', 'fa-search-minus', 'fa-search-plus', 'fa-sellsy', 'fa-send', 'fa-send-o', 'fa-server', 'fa-share', 'fa-share-alt', +'fa-share-alt-square', 'fa-share-square', 'fa-share-square-o', 'fa-shekel', 'fa-sheqel', 'fa-shield', 'fa-ship', 'fa-shirtsinbulk', +'fa-shopping-bag', 'fa-shopping-basket', 'fa-shopping-cart', 'fa-shower', 'fa-sign-in', 'fa-sign-language', 'fa-sign-out', 'fa-signal', +'fa-signing', 'fa-simplybuilt', 'fa-sitemap', 'fa-skyatlas', 'fa-skype', 'fa-slack', 'fa-sliders', 'fa-slideshare', 'fa-smile-o', 'fa-snapchat', +'fa-snapchat-ghost', 'fa-snapchat-square', 'fa-snowflake-o', 'fa-soccer-ball-o', 'fa-sort', 'fa-sort-alpha-asc', 'fa-sort-alpha-desc', +'fa-sort-amount-asc', 'fa-sort-amount-desc', 'fa-sort-asc', 'fa-sort-desc', 'fa-sort-down', 'fa-sort-numeric-asc', 'fa-sort-numeric-desc', +'fa-sort-up', 'fa-soundcloud', 'fa-space-shuttle', 'fa-spinner', 'fa-spoon', 'fa-spotify', 'fa-square', 'fa-square-o', 'fa-stack-exchange', +'fa-stack-overflow', 'fa-star', 'fa-star-half', 'fa-star-half-empty', 'fa-star-half-full', 'fa-star-half-o', 'fa-star-o', 'fa-steam', +'fa-steam-square', 'fa-step-backward', 'fa-step-forward', 'fa-stethoscope', 'fa-sticky-note', 'fa-sticky-note-o', 'fa-stop', 'fa-stop-circle', +'fa-stop-circle-o', 'fa-street-view', 'fa-strikethrough', 'fa-stumbleupon', 'fa-stumbleupon-circle', 'fa-subscript', 'fa-subway', 'fa-suitcase', +'fa-sun-o', 'fa-superpowers', 'fa-superscript', 'fa-support', 'fa-table', 'fa-tablet', 'fa-tachometer', 'fa-tag', 'fa-tags', 'fa-tasks', +'fa-taxi', 'fa-telegram', 'fa-television', 'fa-tencent-weibo', 'fa-terminal', 'fa-text-height', 'fa-text-width', 'fa-th', 'fa-th-large', +'fa-th-list', 'fa-themeisle', 'fa-thermometer', 'fa-thermometer-0', 'fa-thermometer-1', 'fa-thermometer-2', 'fa-thermometer-3', 'fa-thermometer-4', +'fa-thermometer-empty', 'fa-thermometer-full', 'fa-thermometer-half', 'fa-thermometer-quarter', 'fa-thermometer-three-quarters', 'fa-thumb-tack', +'fa-thumbs-down', 'fa-thumbs-o-down', 'fa-thumbs-o-up', 'fa-thumbs-up', 'fa-ticket', 'fa-times', 'fa-times-circle', 'fa-times-circle-o', +'fa-times-rectangle', 'fa-times-rectangle-o', 'fa-tint', 'fa-toggle-down', 'fa-toggle-left', 'fa-toggle-off', 'fa-toggle-on', 'fa-toggle-right', +'fa-toggle-up', 'fa-trademark', 'fa-train', 'fa-transgender', 'fa-transgender-alt', 'fa-trash', 'fa-trash-o', 'fa-tree', 'fa-trello', 'fa-tripadvisor', +'fa-trophy', 'fa-truck', 'fa-try', 'fa-tty', 'fa-tumblr', 'fa-tumblr-square', 'fa-turkish-lira', 'fa-tv', 'fa-twitch', 'fa-twitter', 'fa-twitter-square', +'fa-umbrella', 'fa-underline', 'fa-undo', 'fa-universal-access', 'fa-university', 'fa-unlink', 'fa-unlock', 'fa-unlock-alt', 'fa-unsorted', +'fa-upload', 'fa-usb', 'fa-usd', 'fa-user', 'fa-user-circle', 'fa-user-circle-o', 'fa-user-md', 'fa-user-o', 'fa-user-plus', 'fa-user-secret', +'fa-user-times', 'fa-users', 'fa-vcard', 'fa-vcard-o', 'fa-venus', 'fa-venus-double', 'fa-venus-mars', 'fa-viacoin', 'fa-viadeo', +'fa-viadeo-square', 'fa-video-camera', 'fa-vimeo', 'fa-vimeo-square', 'fa-vine', 'fa-vk', 'fa-volume-control-phone', 'fa-volume-down', +'fa-volume-off', 'fa-volume-up', 'fa-warning', 'fa-wechat', 'fa-weibo', 'fa-weixin', 'fa-whatsapp', 'fa-wheelchair', 'fa-wheelchair-alt', +'fa-wifi', 'fa-wikipedia-w', 'fa-window-close', 'fa-window-close-o', 'fa-window-maximize', 'fa-window-minimize', 'fa-window-restore', +'fa-windows', 'fa-won', 'fa-wordpress', 'fa-wpbeginner', 'fa-wpexplorer', 'fa-wpforms', 'fa-wrench', 'fa-xing', 'fa-xing-square', +'fa-y-combinator', 'fa-y-combinator-square', 'fa-yahoo', 'fa-yc', 'fa-yc-square', 'fa-yelp', 'fa-yen', 'fa-yoast', 'fa-youtube', +'fa-youtube-play', 'fa-youtube-square' ] +%} + + +
    + +
    +
    +
    +

    System colors

    +
    +
    +
    +
    +
    + +

    It will appear in Moodle's (Aules/Aulas) background. We recomend using a grey color.

    +
    + +
    +
    + +

    It will appear in main top bar menú and Moodle's (Aules/Aulas) buttons. We recomend using a corporate color.

    +
    + +
    +
    + +

    It will appear in some secondary buttons in Moodle. We recommend white, unless corporate color is clear.

    +
    + +
    +
    +
    +
      +
      • +
    +
    +
    +
    +
    + + +
    +
    +
    +

    Custom menu

    + +
    +
    +
    + {% for menu_item in data.apps_external %} +
    +
    + +

    + + - {{ menu_item.name }} +

    +
    +
    +
    + +
    + + +
    +
    + + +
    +
    + + +
    +
    + {% endfor %} +
    +
      +
      • +
    +
    +
    +
    +
    + +
    + +
    +
    +
    +
    +

    Logo Image

    +
    +
    +
    +
    + +
    +
    +
    +
    + +
    +
    +
    +
    + +
    + +
    +
    +
    + +
    +
    + +
    +
      +
      • +
    +
    +
    +
    +
    +
    +
    + +
    +
    +
    +
    +

    Background Image

    +
    +
    +
    +
    + +
    +
    +
    +
    + Background login +
    +
    +
    +
    +
    +
    + +
    +
    +
    +
    +
    + + +
    + +
    + + +
    + +
    + + +
    + +
    + + +
    +
    +
    +
    + +
    +
    +
      +
      • +
    +
    +
    +
    +
    +
    + +{% endblock %} + +{% block pagescript %} + + + + + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/groups.html b/dd-sso/admin/src/admin/static/templates/pages/groups.html new file mode 100644 index 0000000..2367db6 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/groups.html @@ -0,0 +1,75 @@ + + +{% extends "base.html" %} +{% block css %} + + + + +{% endblock %} +{% block content %} + +
    +
    +
    +
    +

    Groups

    + +
    +
    +
    +

    + + + + + + + + + + +
    NamePath
    +
    +
    +
    +
    + +{% include 'pages/modals/groups_modals.html' %} + +{% endblock %} + +{% block pagescript %} + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/legal.html b/dd-sso/admin/src/admin/static/templates/pages/legal.html new file mode 100644 index 0000000..4228d2b --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/legal.html @@ -0,0 +1,101 @@ + + +{% extends "base.html" %} {% block css %} + + + + + + + +{% endblock %} {% block content %} + + +
    + +
    +
    +
    +

    LegalCompany/School

    +
    +
    +
    + {% with type = 'legal' %} + {% include 'aux/text-editor.html' %} + {% endwith %} +
    +
      +
    • + +
      • +
    +
    +
    +
    +
    +
    + + + {% endblock %} {% block pagescript %} + + + + + + {% endblock %} + diff --git a/dd-sso/admin/src/admin/static/templates/pages/modals/common_modals.html b/dd-sso/admin/src/admin/static/templates/pages/modals/common_modals.html new file mode 100644 index 0000000..4035f87 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/modals/common_modals.html @@ -0,0 +1,64 @@ + + + + \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/templates/pages/modals/groups_modals.html b/dd-sso/admin/src/admin/static/templates/pages/modals/groups_modals.html new file mode 100644 index 0000000..3843950 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/modals/groups_modals.html @@ -0,0 +1,88 @@ + + diff --git a/dd-sso/admin/src/admin/static/templates/pages/modals/users_modals.html b/dd-sso/admin/src/admin/static/templates/pages/modals/users_modals.html new file mode 100644 index 0000000..e975d60 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/modals/users_modals.html @@ -0,0 +1,362 @@ + + + + + + \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/templates/pages/roles.html b/dd-sso/admin/src/admin/static/templates/pages/roles.html new file mode 100644 index 0000000..850e9e5 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/roles.html @@ -0,0 +1,71 @@ + + +{% extends "base.html" %} +{% block css %} + + + + +{% endblock %} +{% block content %} + +
    +
    +
    +
    +

    Roles

    +
      +
    • + +
      • +
    +
    +
    +
    +

    + + + + + + + + + +
    IdName
    +
    +
    +
    +
    + +{% endblock %} + +{% block pagescript %} + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/sysadmin/external.html b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/external.html new file mode 100644 index 0000000..cdf7c43 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/external.html @@ -0,0 +1,92 @@ + +{% extends "base.html" %} +{% block css %} + + + + +{% endblock %} +{% block content %} + +
    +
    +
    +
    +

    External

    + +
    +
    +
    +

    + + + + + + + + + + + + + + + + + + +
    AvatarUsernameFirstLastemailgroupspathsrolesquotapassword
    +
    +
    +

    + + + + + + + + + + +
    NameDescription
    +
    +
    +
    +
    + +{% include 'pages/sysadmin/modals/external_modals.html' %} +{% endblock %} + +{% block pagescript %} + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/sysadmin/groups.html b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/groups.html new file mode 100644 index 0000000..a242aa5 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/groups.html @@ -0,0 +1,59 @@ + +{% extends "base.html" %} +{% block css %} + + + + +{% endblock %} +{% block content %} + +
    +
    +
    +
    +

    Groups

    + +
    +
    +
    +

    + + + + + + + + + + + + + + +
    IdKeycloakMoodleNextcloudNamePath
    +
    +
    +
    +
    + +{% include 'pages/modals/groups_modals.html' %} + +{% endblock %} + +{% block pagescript %} + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/sysadmin/modals/external_modals.html b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/modals/external_modals.html new file mode 100644 index 0000000..bd8c3d5 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/modals/external_modals.html @@ -0,0 +1,134 @@ + \ No newline at end of file diff --git a/dd-sso/admin/src/admin/static/templates/pages/sysadmin/users.html b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/users.html new file mode 100644 index 0000000..13177c2 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/sysadmin/users.html @@ -0,0 +1,84 @@ + +{% extends "base.html" %} +{% block css %} + + + + +{% endblock %} +{% block content %} + +
    +
    +
    +
    +

    Users

    + +
    +
    +
    + + + + {% if current_user.role =='admin' %} + + + + {% endif %} + + + + + + + + + + + + + + + + + + + + +
    AvatarUsernameFirstLastemailKeycloakK.GroupsK.RolesMoodleM.GroupsNextcloudN.Groups
    +
    +
    + {% include 'pages/modals/users_modals.html' %} + {% include 'pages/users_detail.html' %} +
    +
    + + +{% endblock %} + +{% block pagescript %} + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/users.html b/dd-sso/admin/src/admin/static/templates/pages/users.html new file mode 100644 index 0000000..2361426 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/users.html @@ -0,0 +1,110 @@ + + +{% extends "base.html" %} +{% block css %} + + + + +{% endblock %} +{% block content %} + +
    +
    +
    +
    +

    Users

    +
      +
    • +
      + +
      + +
      +
      +
      • +
    • + Add new +
      • +
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    EnabledAvatarRoleActionsSelectedUsernameFirstLastEmailGroupsQuota
    EnabledAvatarRoleActionsSelectedUsernameFirstLastEmailGroupsQuota
    +
    +
    + {% include 'pages/modals/users_modals.html' %} + {% include 'pages/users_detail.html' %} +
    +
    + + +{% endblock %} + +{% block pagescript %} + + + + + + + + +{% endblock %} diff --git a/dd-sso/admin/src/admin/static/templates/pages/users_detail.html b/dd-sso/admin/src/admin/static/templates/pages/users_detail.html new file mode 100644 index 0000000..6052824 --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/pages/users_detail.html @@ -0,0 +1,35 @@ + +
    +
    +
    +
    +
    +
    + + + +
    +
    +
    +
    +
    +
    diff --git a/dd-sso/admin/src/admin/static/templates/sidebar.html b/dd-sso/admin/src/admin/static/templates/sidebar.html new file mode 100644 index 0000000..97a8a0d --- /dev/null +++ b/dd-sso/admin/src/admin/static/templates/sidebar.html @@ -0,0 +1,53 @@ + +
    +
    + +
    + + diff --git a/dd-sso/admin/src/admin/views/ApiViews.py b/dd-sso/admin/src/admin/views/ApiViews.py new file mode 100644 index 0000000..b452c73 --- /dev/null +++ b/dd-sso/admin/src/admin/views/ApiViews.py @@ -0,0 +1,359 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import json +import logging as log +import os +import socket +import sys +import time +import traceback + +from flask import request + +from admin import app + +from ..lib.api_exceptions import Error +from .decorators import has_token + + +## LISTS +@app.route("/ddapi/users", methods=["GET"]) +@has_token +def ddapi_users(): + if request.method == "GET": + sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"]) + users = [] + for user in sorted_users: + users.append(user_parser(user)) + return json.dumps(users), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/users/filter", methods=["POST"]) +@has_token +def ddapi_users_search(): + if request.method == "POST": + data = request.get_json(force=True) + if not data.get("text"): + raise Error("bad_request", "Incorrect data requested.") + users = app.admin.get_mix_users() + result = [user_parser(user) for user in filter_users(users, data["text"])] + sorted_result = sorted(result, key=lambda k: k["id"]) + return json.dumps(sorted_result), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/groups", methods=["GET"]) +@has_token +def ddapi_groups(): + if request.method == "GET": + sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: k["name"]) + groups = [] + for group in sorted_groups: + groups.append(group_parser(group)) + return json.dumps(groups), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/group/users", methods=["POST"]) +@has_token +def ddapi_group_users(): + if request.method == "POST": + data = request.get_json(force=True) + sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"]) + if data.get("id"): + group_users = [ + user_parser(user) + for user in sorted_users + if data.get("id") in user["keycloak_groups"] + ] + elif data.get("path"): + try: + name = [ + g["name"] + for g in app.admin.get_mix_groups() + if g["path"] == data.get("path") + ][0] + group_users = [ + user_parser(user) + for user in sorted_users + if name in user["keycloak_groups"] + ] + except: + raise Error("not_found", "Group path not found in system") + elif data.get("keycloak_id"): + try: + name = [ + g["name"] + for g in app.admin.get_mix_groups() + if g["id"] == data.get("keycloak_id") + ][0] + group_users = [ + user_parser(user) + for user in sorted_users + if name in user["keycloak_groups"] + ] + except: + raise Error("not_found", "Group keycloak_id not found in system") + else: + raise Error("bad_request", "Incorrect data requested.") + return json.dumps(group_users), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/roles", methods=["GET"]) +@has_token +def ddapi_roles(): + if request.method == "GET": + roles = [] + for role in sorted(app.admin.get_roles(), key=lambda k: k["name"]): + log.error(role) + roles.append( + { + "keycloak_id": role["id"], + "id": role["name"], + "name": role["name"], + "description": role.get("description", ""), + } + ) + return json.dumps(roles), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/role/users", methods=["POST"]) +@has_token +def ddapi_role_users(): + if request.method == "POST": + data = request.get_json(force=True) + sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"]) + if data.get("id", data.get("name")): + role_users = [ + user_parser(user) + for user in sorted_users + if data.get("id", data.get("name")) in user["roles"] + ] + elif data.get("keycloak_id"): + try: + id = [ + r["id"] + for r in app.admin.get_roles() + if r["id"] == data.get("keycloak_id") + ][0] + role_users = [ + user_parser(user) for user in sorted_users if id in user["roles"] + ] + except: + raise Error("not_found", "Role keycloak_id not found in system") + else: + raise Error("bad_request", "Incorrect data requested.") + return json.dumps(role_users), 200, {"Content-Type": "application/json"} + + +## INDIVIDUAL ACTIONS +@app.route("/ddapi/user", methods=["POST"]) +@app.route("/ddapi/user/", methods=["PUT", "GET", "DELETE"]) +@has_token +def ddapi_user(user_ddid=None): + if request.method == "GET": + user = app.admin.get_user_username(user_ddid) + if not user: + raise Error("not_found", "User id not found") + return json.dumps(user_parser(user)), 200, {"Content-Type": "application/json"} + if request.method == "DELETE": + user = app.admin.get_user_username(user_ddid) + if not user: + raise Error("not_found", "User id not found") + app.admin.delete_user(user["id"]) + return json.dumps({}), 200, {"Content-Type": "application/json"} + if request.method == "POST": + data = request.get_json(force=True) + if not app.validators["user"].validate(data): + raise Error( + "bad_request", + "Data validation for user failed: ", + +str(app.validators["user"].errors), + traceback.format_exc(), + ) + + if app.admin.get_user_username(data["username"]): + raise Error("conflict", "User id already exists") + data = app.validators["user"].normalized(data) + keycloak_id = app.admin.add_user(data) + if not keycloak_id: + raise Error( + "precondition_required", + "Not all user groups already in system. Please create user groups before adding user.", + ) + return ( + json.dumps({"keycloak_id": keycloak_id}), + 200, + {"Content-Type": "application/json"}, + ) + + if request.method == "PUT": + user = app.admin.get_user_username(user_ddid) + if not user: + raise Error("not_found", "User id not found") + data = request.get_json(force=True) + if not app.validators["user_update"].validate(data): + raise Error( + "bad_request", + "Data validation for user failed: " + + str(app.validators["user_update"].errors), + traceback.format_exc(), + ) + data = {**user, **data} + data = app.validators["user_update"].normalized(data) + data = {**data, **{"username": user_ddid}} + data["roles"] = [data.pop("role")] + data["firstname"] = data.pop("first") + data["lastname"] = data.pop("last") + app.admin.user_update(data) + if data.get("password"): + app.admin.user_update_password( + user["id"], data["password"], data["password_temporary"] + ) + return json.dumps({}), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/username//", methods=["PUT"]) +@has_token +def ddapi_username(old_user_ddid, new_user_did): + user = app.admin.get_user_username(user_ddid) + if not user: + raise Error("not_found", "User id not found") + # user = app.admin.update_user_username(old_user_ddid,new_user_did) + return json.dumps("Not implemented yet!"), 419, {"Content-Type": "application/json"} + + +@app.route("/ddapi/group", methods=["POST"]) +@app.route("/ddapi/group/", methods=["GET", "POST", "DELETE"]) +# @app.route("/api/group/", methods=["PUT", "GET", "DELETE"]) +@has_token +def ddapi_group(id=None): + if request.method == "GET": + group = app.admin.get_group_by_name(id) + if not group: + Error("not found", "Group id not found") + return ( + json.dumps(group_parser(group)), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "POST": + data = request.get_json(force=True) + if not app.validators["group"].validate(data): + raise Error( + "bad_request", + "Data validation for group failed: " + + str(app.validators["group"].errors), + traceback.format_exc(), + ) + data = app.validators["group"].normalized(data) + data["parent"] = data["parent"] if data["parent"] != "" else None + + if app.admin.get_group_by_name(id): + raise Error("conflict", "Group id already exists") + + path = app.admin.add_group(data) + # log.error(path) + # keycloak_id = app.admin.get_group_by_name(id)["id"] + # log.error() + return ( + json.dumps({"keycloak_id": None}), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "DELETE": + group = app.admin.get_group_by_name(id) + if not group: + raise Error("not_found", "Group id not found") + app.admin.delete_group_by_id(group["id"]) + return json.dumps({}), 200, {"Content-Type": "application/json"} + + +@app.route("/ddapi/user_mail", methods=["POST"]) +@app.route("/ddapi/user_mail/", methods=["GET", "DELETE"]) +@has_token +def ddapi_user_mail(id=None): + if request.method == "GET": + return ( + json.dumps("Not implemented yet"), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "POST": + data = request.get_json(force=True) + + # if not app.validators["mails"].validate(data): + # raise Error( + # "bad_request", + # "Data validation for mail failed: " + # + str(app.validators["mail"].errors), + # traceback.format_exc(), + # ) + for user in data: + if not app.validators["mail"].validate(user): + raise Error( + "bad_request", + "Data validation for mail failed: " + + str(app.validators["mail"].errors), + traceback.format_exc(), + ) + for user in data: + log.info("Added user email") + app.admin.set_nextcloud_user_mail(user) + return ( + json.dumps("Users emails updated"), + 200, + {"Content-Type": "application/json"}, + ) + + +def user_parser(user): + return { + "keycloak_id": user["id"], + "id": user["username"], + "username": user["username"], + "enabled": user["enabled"], + "first": user["first"], + "last": user["last"], + "role": user["roles"][0] if len(user["roles"]) else None, + "email": user["email"], + "groups": user.get("groups", user["keycloak_groups"]), + "quota": user["quota"], + "quota_used_bytes": user["quota_used_bytes"], + } + + +def group_parser(group): + return { + "keycloak_id": group["id"], + "id": group["name"], + "name": group["name"].split(".")[-1], + "path": group["path"], + "description": group.get("description", ""), + } + + +def filter_users(users, text): + return [ + user + for user in users + if text in user["username"] + or text in user["first"] + or text in user["last"] + or text in user["email"] + ] diff --git a/dd-sso/admin/src/admin/views/AppViews.py b/dd-sso/admin/src/admin/views/AppViews.py new file mode 100644 index 0000000..baa9077 --- /dev/null +++ b/dd-sso/admin/src/admin/views/AppViews.py @@ -0,0 +1,581 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import concurrent.futures +import json +import logging as log +import os +import re +import sys + +# import Queue +import threading +import time +import traceback +from uuid import uuid4 + +from flask import Response, jsonify, redirect, render_template, request, url_for +from flask_login import current_user, login_required + +from admin import app + +from ..lib.helpers import system_group +from .decorators import login_or_token + +threads = {"external": None} +# q = Queue.Queue() + +from keycloak.exceptions import KeycloakGetError + +from ..lib.dashboard import Dashboard +from ..lib.exceptions import UserExists, UserNotFound + +dashboard = Dashboard() + +from ..lib.legal import get_legal, gen_legal_if_not_exists, new_legal + +@app.route("/sysadmin/api/resync") +@app.route("/api/resync") +@login_required +def resync(): + return ( + json.dumps(app.admin.resync_data()), + 200, + {"Content-Type": "application/json"}, + ) + + +@app.route("/api/users", methods=["GET", "PUT"]) +@app.route("/api/users/", methods=["POST", "PUT", "GET", "DELETE"]) +@login_or_token +def users(provider=False): + if request.method == "DELETE": + if current_user.role != "admin": + return json.dumps({}), 301, {"Content-Type": "application/json"} + if provider == "keycloak": + return ( + json.dumps(app.admin.delete_keycloak_users()), + 200, + {"Content-Type": "application/json"}, + ) + if provider == "nextcloud": + return ( + json.dumps(app.admin.delete_nextcloud_users()), + 200, + {"Content-Type": "application/json"}, + ) + if provider == "moodle": + return ( + json.dumps(app.admin.delete_moodle_users()), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "POST": + if current_user.role != "admin": + return json.dumps({}), 301, {"Content-Type": "application/json"} + if provider == "moodle": + return ( + json.dumps(app.admin.sync_to_moodle()), + 200, + {"Content-Type": "application/json"}, + ) + if provider == "nextcloud": + return ( + json.dumps(app.admin.sync_to_nextcloud()), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "PUT" and not provider: + if current_user.role != "admin": + return json.dumps({}), 301, {"Content-Type": "application/json"} + + if "external" in threads.keys(): + if threads["external"] is not None and threads["external"].is_alive(): + return ( + json.dumps( + {"msg": "Precondition failed: already working with users"} + ), + 412, + {"Content-Type": "application/json"}, + ) + else: + threads["external"] = None + try: + threads["external"] = threading.Thread( + target=app.admin.update_users_from_keycloak, args=() + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + except: + log.error(traceback.format_exc()) + return ( + json.dumps({"msg": "Add user error."}), + 500, + {"Content-Type": "application/json"}, + ) + + # return json.dumps(app.admin.update_users_from_keycloak()), 200, {'Content-Type': 'application/json'} + + users = app.admin.get_mix_users() + if current_user.role != "admin": + for user in users: + user["keycloak_groups"] = [ + g for g in user["keycloak_groups"] if not system_group(g) + ] + return json.dumps(users), 200, {"Content-Type": "application/json"} + + +@app.route("/api/users_bulk/", methods=["PUT"]) +@login_required +def users_bulk(action): + data = request.get_json(force=True) + if request.method == "PUT": + if action == "enable": + if "external" in threads.keys(): + if threads["external"] is not None and threads["external"].is_alive(): + return ( + json.dumps( + {"msg": "Precondition failed: already operating users"} + ), + 412, + {"Content-Type": "application/json"}, + ) + else: + threads["external"] = None + try: + threads["external"] = threading.Thread( + target=app.admin.enable_users, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + except: + log.error(traceback.format_exc()) + return ( + json.dumps({"msg": "Enable users error."}), + 500, + {"Content-Type": "application/json"}, + ) + if action == "disable": + if "external" in threads.keys(): + if threads["external"] is not None and threads["external"].is_alive(): + return ( + json.dumps( + {"msg": "Precondition failed: already operating users"} + ), + 412, + {"Content-Type": "application/json"}, + ) + else: + threads["external"] = None + try: + threads["external"] = threading.Thread( + target=app.admin.disable_users, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + except: + log.error(traceback.format_exc()) + return ( + json.dumps({"msg": "Disabling users error."}), + 500, + {"Content-Type": "application/json"}, + ) + if action == "delete": + if "external" in threads.keys(): + if threads["external"] is not None and threads["external"].is_alive(): + return ( + json.dumps( + {"msg": "Precondition failed: already operating users"} + ), + 412, + {"Content-Type": "application/json"}, + ) + else: + threads["external"] = None + try: + threads["external"] = threading.Thread( + target=app.admin.delete_users, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + except: + log.error(traceback.format_exc()) + return ( + json.dumps({"msg": "Deleting users error."}), + 500, + {"Content-Type": "application/json"}, + ) + return json.dumps({}), 405, {"Content-Type": "application/json"} + + +# Update pwd +@app.route("/api/user_password", methods=["GET"]) +@app.route("/api/user_password/", methods=["PUT"]) +@login_required +def user_password(userid=False): + if request.method == "GET": + return ( + json.dumps(app.admin.get_dice_pwd()), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "PUT": + data = request.get_json(force=True) + password = data["password"] + temporary = data.get("temporary", True) + try: + res = app.admin.user_update_password(userid, password, temporary) + return json.dumps({}), 200, {"Content-Type": "application/json"} + except KeycloakGetError as e: + log.error(e.error_message.decode("utf-8")) + return ( + json.dumps({"msg": "Update password error."}), + 500, + {"Content-Type": "application/json"}, + ) + + return json.dumps({}), 405, {"Content-Type": "application/json"} + + +# User +@app.route("/api/user", methods=["POST"]) +@app.route("/api/user/", methods=["PUT", "GET", "DELETE"]) +@login_required +def user(userid=None): + if request.method == "DELETE": + app.admin.delete_user(userid) + return json.dumps({}), 200, {"Content-Type": "application/json"} + if request.method == "POST": + data = request.get_json(force=True) + if app.admin.get_user_username(data["username"]): + return ( + json.dumps({"msg": "Add user error: already exists."}), + 409, + {"Content-Type": "application/json"}, + ) + data["enabled"] = data.get("enabled", False) in [True, "on"] + data["quota"] = data["quota"] if data["quota"] != "false" else False + data["groups"] = data["groups"] if data.get("groups", False) else [] + if "external" in threads.keys(): + if threads["external"] is not None and threads["external"].is_alive(): + return ( + json.dumps({"msg": "Precondition failed: already adding users"}), + 412, + {"Content-Type": "application/json"}, + ) + else: + threads["external"] = None + try: + threads["external"] = threading.Thread( + target=app.admin.add_user, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + except: + log.error(traceback.format_exc()) + return ( + json.dumps({"msg": "Add user error."}), + 500, + {"Content-Type": "application/json"}, + ) + + if request.method == "PUT": + data = request.get_json(force=True) + data["enabled"] = True if data.get("enabled", False) else False + data["groups"] = data["groups"] if data.get("groups", False) else [] + data["roles"] = [data.pop("role-keycloak")] + try: + app.admin.user_update(data) + return json.dumps({}), 200, {"Content-Type": "application/json"} + except UserNotFound: + return ( + json.dumps({"msg": "User not found."}), + 404, + {"Content-Type": "application/json"}, + ) + if request.method == "DELETE": + pass + if request.method == "GET": + user = app.admin.get_user(userid) + if not user: + return ( + json.dumps({"msg": "User not found."}), + 404, + {"Content-Type": "application/json"}, + ) + return json.dumps(user), 200, {"Content-Type": "application/json"} + + +@app.route("/api/roles") +@login_required +def roles(): + sorted_roles = sorted(app.admin.get_roles(), key=lambda k: k["name"]) + if current_user.role != "admin": + sorted_roles = [sr for sr in sorted_roles if sr["name"] != "admin"] + return json.dumps(sorted_roles), 200, {"Content-Type": "application/json"} + + +@app.route("/api/group", methods=["POST", "DELETE"]) +@app.route("/api/group/", methods=["PUT", "GET", "DELETE"]) +@login_required +def group(group_id=False): + if request.method == "POST": + data = request.get_json(force=True) + log.error(data) + data["parent"] = data["parent"] if data["parent"] != "" else None + return ( + json.dumps(app.admin.add_group(data)), + 200, + {"Content-Type": "application/json"}, + ) + if request.method == "DELETE": + try: + data = request.get_json(force=True) + except: + data = False + + if data: + res = app.admin.delete_group_by_path(data["path"]) + else: + if not group_id: + return ( + json.dumps({"error": "bad_request","msg":"Bad request"}), + 400, + {"Content-Type": "application/json"}, + ) + res = app.admin.delete_group_by_id(group_id) + return json.dumps(res), 200, {"Content-Type": "application/json"} + + +@app.route("/api/groups") +@app.route("/api/groups/", methods=["POST", "PUT", "GET", "DELETE"]) +@login_required +def groups(provider=False): + if request.method == "GET": + sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: str(k["name"])) + if current_user.role != "admin": + ## internal groups should be avoided as are assigned with the role + sorted_groups = [sg for sg in sorted_groups if not system_group(sg["name"])] + else: + sorted_groups = [sg for sg in sorted_groups] + return json.dumps(sorted_groups), 200, {"Content-Type": "application/json"} + if request.method == "DELETE": + if provider == "keycloak": + return ( + json.dumps(app.admin.delete_keycloak_groups()), + 200, + {"Content-Type": "application/json"}, + ) + + +### SYSADM USERS ONLY + + +@app.route("/api/external", methods=["POST", "PUT", "GET", "DELETE"]) +@login_required +def external(): + if "external" in threads.keys(): + if threads["external"] is not None and threads["external"].is_alive(): + return json.dumps({}), 301, {"Content-Type": "application/json"} + else: + threads["external"] = None + + if request.method == "POST": + data = request.get_json(force=True) + if data["format"] == "json-ga": + threads["external"] = threading.Thread( + target=app.admin.upload_json_ga, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + if data["format"] == "csv-ug": + valid = check_upload_errors(data) + if valid["pass"]: + threads["external"] = threading.Thread( + target=app.admin.upload_csv_ug, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + else: + return json.dumps(valid), 422, {"Content-Type": "application/json"} + if request.method == "PUT": + data = request.get_json(force=True) + threads["external"] = threading.Thread( + target=app.admin.sync_external, args=(data,) + ) + threads["external"].start() + return json.dumps({}), 200, {"Content-Type": "application/json"} + if request.method == "DELETE": + print("RESET") + app.admin.reset_external() + return json.dumps({}), 200, {"Content-Type": "application/json"} + return json.dumps({}), 500, {"Content-Type": "application/json"} + + +@app.route("/api/external/users") +@login_required +def external_users_list(): + while threads["external"] is not None and threads["external"].is_alive(): + time.sleep(0.5) + return ( + json.dumps(app.admin.get_external_users()), + 200, + {"Content-Type": "application/json"}, + ) + + +@app.route("/api/external/groups") +@login_required +def external_groups_list(): + while threads["external"] is not None and threads["external"].is_alive(): + time.sleep(0.5) + return ( + json.dumps(app.admin.get_external_groups()), + 200, + {"Content-Type": "application/json"}, + ) + + +@app.route("/api/external/roles", methods=["PUT"]) +@login_required +def external_roles(): + if request.method == "PUT": + return ( + json.dumps(app.admin.external_roleassign(request.get_json(force=True))), + 200, + {"Content-Type": "application/json"}, + ) + + +def check_upload_errors(data): + email_regex = r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b" + for u in data["data"]: + try: + user_groups = [g.strip() for g in u["groups"].split(",")] + except: + resp = { + "pass": False, + "msg": "User " + u["username"] + " has invalid groups: " + u["groups"], + } + log.error(resp) + return resp + + if not re.fullmatch(email_regex, u["email"]): + resp = { + "pass": False, + "msg": "User " + u["username"] + " has invalid email: " + u["email"], + } + log.error(resp) + return resp + + if u["role"] not in ["admin", "manager", "teacher", "student"]: + if u["role"] == "": + resp = { + "pass": False, + "msg": "User " + u["username"] + " has no role assigned!", + } + log.error(resp) + return resp + resp = { + "pass": False, + "msg": "User " + u["username"] + " has invalid role: " + u["role"], + } + log.error(resp) + return resp + return {"pass": True, "msg": ""} + + +@app.route("/api/dashboard/", methods=["PUT"]) +@login_required +def dashboard_put(item): + if item == "colours": + try: + data = request.get_json(force=True) + dashboard.update_colours(data) + except: + log.error(traceback.format_exc()) + return json.dumps({"colours": data}), 200, {"Content-Type": "application/json"} + if item == "menu": + try: + data = request.get_json(force=True) + dashboard.update_menu(data) + except: + log.error(traceback.format_exc()) + return json.dumps(data), 200, {"Content-Type": "application/json"} + if item == "logo": + dashboard.update_logo(request.files["croppedImage"]) + return json.dumps({}), 200, {"Content-Type": "application/json"} + if item == "background": + dashboard.update_background(request.files["croppedImage"]) + return json.dumps({}), 200, {"Content-Type": "application/json"} + return ( + json.dumps( + { + "error": "update_error", + "msg": "Error updating item " + item + "\n" + traceback.format_exc(), + } + ), + 500, + {"Content-Type": "application/json"}, + ) + + +@app.route("/api/legal/", methods=["GET"]) +# @login_required +def legal_get(item): + if request.method == "GET": + if item == "legal": + lang = request.args.get("lang") + if not lang or lang not in ["ca","es","en","fr"]: + lang="ca" + gen_legal_if_not_exists(lang) + return ( + json.dumps({"html": get_legal(lang)}), + 200, + {"Content-Type": "application/json"}, + ) + # if item == "privacy": + # return json.dumps({ "html": "Privacy policy
    This works!"}), 200, {'Content-Type': 'application/json'} + + +@app.route("/api/legal/", methods=["POST"]) +@login_required +def legal_put(item): + if request.method == "POST": + if item == "legal": + data = None + try: + data = data = request.get_json(force=True) + html = data["html"] + lang = data["lang"] + if not lang or lang not in ["ca","es","en","fr"]: + lang="ca" + new_legal(lang,html) + except: + log.error(traceback.format_exc()) + return json.dumps(data), 200, {"Content-Type": "application/json"} + # if item == "privacy": + # data = None + # try: + # data = request.json + # html = data["html"] + # lang = data["lang"] + # except: + # log.error(traceback.format_exc()) + # return json.dumps(data), 200, {'Content-Type': 'application/json'} diff --git a/dd-sso/admin/src/admin/views/LoginViews.py b/dd-sso/admin/src/admin/views/LoginViews.py new file mode 100644 index 0000000..95f6609 --- /dev/null +++ b/dd-sso/admin/src/admin/views/LoginViews.py @@ -0,0 +1,61 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import os + +from flask import flash, redirect, render_template, request, url_for +from flask_login import current_user, login_required, login_user, logout_user + +from admin import app + +from ..auth.authentication import * + + +@app.route("/", methods=["GET", "POST"]) +@app.route("/login", methods=["GET", "POST"]) +def login(): + if request.method == "POST": + if request.form["user"] == "" or request.form["password"] == "": + flash("Can't leave it blank", "danger") + elif request.form["user"].startswith(" "): + flash("Username not found or incorrect password.", "warning") + else: + ram_user = ram_users.get(request.form["user"]) + if ram_user and request.form["password"] == ram_user["password"]: + user = User( + { + "id": ram_user["id"], + "password": ram_user["password"], + "role": ram_user["role"], + "active": True, + } + ) + login_user(user) + flash("Logged in successfully.", "success") + return redirect(url_for("web_users")) + else: + flash("Username not found or incorrect password.", "warning") + return render_template("login.html") + + +@app.route("/logout", methods=["GET"]) +@login_required +def logout(): + logout_user() + return redirect(url_for("login")) diff --git a/dd-sso/admin/src/admin/views/Socketio.py b/dd-sso/admin/src/admin/views/Socketio.py new file mode 100644 index 0000000..a945d9c --- /dev/null +++ b/dd-sso/admin/src/admin/views/Socketio.py @@ -0,0 +1,39 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +# from flask_socketio import SocketIO, emit, join_room, leave_room, \ +# close_room, rooms, disconnect, send +# from admin import app +# import json + +# # socketio = SocketIO(app) +# # from ...start import socketio + +# @socketio.on('connect', namespace='//sio') +# def socketio_connect(): +# join_room('admin') +# socketio.emit('update', +# json.dumps('Joined'), +# namespace='//sio', +# room='admin') + +# @socketio.on('disconnect', namespace='//sio') +# def socketio_domains_disconnect(): +# None diff --git a/dd-sso/admin/src/admin/views/WebViews.py b/dd-sso/admin/src/admin/views/WebViews.py new file mode 100644 index 0000000..c8a62e7 --- /dev/null +++ b/dd-sso/admin/src/admin/views/WebViews.py @@ -0,0 +1,167 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import concurrent.futures +import json +import logging as log +import os +import sys +import time +import traceback +from pprint import pprint +from uuid import uuid4 + +import requests +from flask import ( + Response, + jsonify, + redirect, + request, + send_file, + url_for, +) +from flask import render_template as render_template_flask +from flask_login import login_required + +from admin import app + +from ..lib.avatars import Avatars +from .decorators import is_admin + +avatars = Avatars() + +from ..lib.legal import gen_legal_if_not_exists + +""" OIDC TESTS """ +# from ..auth.authentication import oidc + +# @app.route('/custom_callback') +# @oidc.custom_callback +# def callback(data): +# return 'Hello. You submitted %s' % data + +# @app.route('/private') +# @oidc.require_login +# def hello_me(): +# info = oidc.user_getinfo(['email', 'openid_id']) +# return ('Hello, %s (%s)! Return' % +# (info.get('email'), info.get('openid_id'))) + + +# @app.route('/api') +# @oidc.accept_token(True, ['openid']) +# def hello_api(): +# return json.dumps({'hello': 'Welcome %s' % g.oidc_token_info['sub']}) + + +# @app.route('/logout') +# def logoutoidc(): +# oidc.logout() +# return 'Hi, you have been logged out! Return' +""" OIDC TESTS """ + +def render_template(*args, **kwargs): + kwargs["DOMAIN"] = os.environ["DOMAIN"] + return render_template_flask(*args, **kwargs) + +@app.route("/users") +@login_required +def web_users(): + return render_template("pages/users.html", title="Users", nav="Users") + + +@app.route("/roles") +@login_required +def web_roles(): + return render_template("pages/roles.html", title="Roles", nav="Roles") + + +@app.route("/groups") +@login_required +def web_groups(provider=False): + return render_template("pages/groups.html", title="Groups", nav="Groups") + + +@app.route("/avatar/", methods=["GET"]) +@login_required +def avatar(userid): + if userid != "false": + return send_file("../avatars/master-avatars/" + userid, mimetype="image/jpeg") + return send_file("static/img/missing.jpg", mimetype="image/jpeg") + + +@app.route("/dashboard") +@login_required +def dashboard(provider=False): + data = json.loads(requests.get("http://dd-sso-api/json").text) + return render_template( + "pages/dashboard.html", title="Customization", nav="Customization", data=data + ) + + +@app.route("/legal") +@login_required +def legal(): + # data = json.loads(requests.get("http://dd-sso-api/json").text) + return render_template("pages/legal.html", title="Legal", nav="Legal", data={}) + +@app.route("/legal_text") +def legal_text(): + lang = request.args.get("lang") + if not lang or lang not in ["ca","es","en","fr"]: + lang="ca" + gen_legal_if_not_exists(lang) + return render_template("pages/legal/"+lang) + +### SYS ADMIN + + +@app.route("/sysadmin/users") +@login_required +@is_admin +def web_sysadmin_users(): + return render_template( + "pages/sysadmin/users.html", title="SysAdmin Users", nav="SysAdminUsers" + ) + + +@app.route("/sysadmin/groups") +@login_required +@is_admin +def web_sysadmin_groups(): + return render_template( + "pages/sysadmin/groups.html", title="SysAdmin Groups", nav="SysAdminGroups" + ) + + +@app.route("/sysadmin/external") +@login_required +## SysAdmin role +def web_sysadmin_external(): + return render_template( + "pages/sysadmin/external.html", title="External", nav="External" + ) + + +@app.route("/sockettest") +def web_sockettest(): + return render_template( + "pages/sockettest.html", title="Sockettest Users", nav="SysAdminUsers" + ) diff --git a/dd-sso/admin/src/admin/views/WpViews.py b/dd-sso/admin/src/admin/views/WpViews.py new file mode 100644 index 0000000..5695bca --- /dev/null +++ b/dd-sso/admin/src/admin/views/WpViews.py @@ -0,0 +1,156 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import socket +import sys +import time +import traceback + +from flask import request + +from admin import app + +from .decorators import is_internal + + +@app.route("/api/internal/users", methods=["GET"]) +@is_internal +def internal_users(): + log.error(socket.gethostbyname("dd-apps-wordpress")) + if request.method == "GET": + sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"]) + # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']] + users = [] + for user in sorted_users: + if not user.get("enabled"): + continue + users.append(user_parser(user)) + return json.dumps(users), 200, {"Content-Type": "application/json"} + + +@app.route("/api/internal/users/filter", methods=["POST"]) +@is_internal +def internal_users_search(): + if request.method == "POST": + data = request.get_json(force=True) + users = app.admin.get_mix_users() + result = [user_parser(user) for user in filter_users(users, data["text"])] + sorted_result = sorted(result, key=lambda k: k["id"]) + return json.dumps(sorted_result), 200, {"Content-Type": "application/json"} + + +@app.route("/api/internal/groups", methods=["GET"]) +@is_internal +def internal_groups(): + if request.method == "GET": + sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: k["name"]) + groups = [] + for group in sorted_groups: + if not group["path"].startswith("/"): + continue + groups.append( + { + "id": group["path"], + "name": group["name"], + "description": group.get("description", ""), + } + ) + return json.dumps(groups), 200, {"Content-Type": "application/json"} + + +@app.route("/api/internal/group/users", methods=["POST"]) +@is_internal +def internal_group_users(): + if request.method == "POST": + data = request.get_json(force=True) + sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"]) + # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']] + users = [] + for user in sorted_users: + if data["path"] not in user["keycloak_groups"] or not user.get("enabled"): + continue + users.append(user) + if data.get("text", False) and data["text"] != "": + result = [user_parser(user) for user in filter_users(users, data["text"])] + else: + result = [user_parser(user) for user in users] + return json.dumps(result), 200, {"Content-Type": "application/json"} + + +@app.route("/api/internal/roles", methods=["GET"]) +@is_internal +def internal_roles(): + if request.method == "GET": + roles = [] + for role in sorted(app.admin.get_roles(), key=lambda k: k["name"]): + if role["name"] == "admin": + continue + roles.append( + { + "id": role["id"], + "name": role["name"], + "description": role.get("description", ""), + } + ) + return json.dumps(roles), 200, {"Content-Type": "application/json"} + + +@app.route("/api/internal/role/users", methods=["POST"]) +@is_internal +def internal_role_users(): + if request.method == "POST": + data = request.get_json(force=True) + sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"]) + # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']] + users = [] + for user in sorted_users: + if data["role"] not in user["roles"] or not user.get("enabled"): + continue + users.append(user) + if data.get("text", False) and data["text"] != "": + result = [user_parser(user) for user in filter_users(users, data["text"])] + else: + result = [user_parser(user) for user in users] + return json.dumps(result), 200, {"Content-Type": "application/json"} + + +def user_parser(user): + return { + "id": user["username"], + "first": user["first"], + "last": user["last"], + "role": user["roles"][0] if len(user["roles"]) else None, + "email": user["email"], + "groups": user["keycloak_groups"], + } + + +def filter_users(users, text): + return [ + user + for user in users + if text in user["username"] + or text in user["first"] + or text in user["last"] + or text in user["email"] + ] diff --git a/dd-sso/admin/src/admin/views/__init__.py b/dd-sso/admin/src/admin/views/__init__.py new file mode 100644 index 0000000..fdc5d62 --- /dev/null +++ b/dd-sso/admin/src/admin/views/__init__.py @@ -0,0 +1,19 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/dd-sso/admin/src/admin/views/decorators.py b/dd-sso/admin/src/admin/views/decorators.py new file mode 100644 index 0000000..033f057 --- /dev/null +++ b/dd-sso/admin/src/admin/views/decorators.py @@ -0,0 +1,105 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import socket +from functools import wraps + +from flask import redirect, request, url_for +from flask_login import current_user, logout_user +from jose import jwt + +from ..auth.tokens import get_header_jwt_payload + + +def is_admin(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + if current_user.role == "admin": + return fn(*args, **kwargs) + return redirect(url_for("login")) + + return decorated_view + + +def is_internal(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + remote_addr = ( + request.headers["X-Forwarded-For"].split(",")[0] + if "X-Forwarded-For" in request.headers + else request.remote_addr.split(",")[0] + ) + ## Now only checks if it is wordpress container, + ## but we should check if it is internal net and not haproxy + if socket.gethostbyname("dd-apps-wordpress") == remote_addr: + return fn(*args, **kwargs) + return ( + json.dumps( + { + "error": "unauthorized", + "msg": "Unauthorized access", + } + ), + 401, + {"Content-Type": "application/json"}, + ) + + return decorated_view + + +def has_token(fn): + @wraps(fn) + def decorated(*args, **kwargs): + payload = get_header_jwt_payload() + return fn(*args, **kwargs) + + return decorated + + +def is_internal_or_has_token(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + remote_addr = ( + request.headers["X-Forwarded-For"].split(",")[0] + if "X-Forwarded-For" in request.headers + else request.remote_addr.split(",")[0] + ) + payload = get_header_jwt_payload() + + if socket.gethostbyname("dd-apps-wordpress") == remote_addr: + return fn(*args, **kwargs) + payload = get_header_jwt_payload() + return fn(*args, **kwargs) + + return decorated_view + + +def login_or_token(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + if current_user.is_authenticated: + return fn(*args, **kwargs) + payload = get_header_jwt_payload() + return fn(*args, **kwargs) + + return decorated_view diff --git a/dd-sso/admin/src/admin/yarn.lock b/dd-sso/admin/src/admin/yarn.lock new file mode 100644 index 0000000..867ce45 --- /dev/null +++ b/dd-sso/admin/src/admin/yarn.lock @@ -0,0 +1,162 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + +"@types/component-emitter@^1.2.10": + version "1.2.11" + resolved "https://registry.yarnpkg.com/@types/component-emitter/-/component-emitter-1.2.11.tgz#50d47d42b347253817a39709fef03ce66a108506" + integrity sha512-SRXjM+tfsSlA9VuG8hGO2nft2p8zjXCK1VcC6N4NXbBbYbSia9kzCChYQajIjzIqOOOuh5Ock6MmV2oux4jDZQ== + +"@types/cookie@^0.4.1": + version "0.4.1" + resolved "https://registry.yarnpkg.com/@types/cookie/-/cookie-0.4.1.tgz#bfd02c1f2224567676c1545199f87c3a861d878d" + integrity sha512-XW/Aa8APYr6jSVVA1y/DEIZX0/GMKLEVekNG727R8cs56ahETkRAy/3DR7+fJyh7oUgGwNQaRfXCun0+KbWY7Q== + +"@types/cors@^2.8.12": + version "2.8.12" + resolved "https://registry.yarnpkg.com/@types/cors/-/cors-2.8.12.tgz#6b2c510a7ad7039e98e7b8d3d6598f4359e5c080" + integrity sha512-vt+kDhq/M2ayberEtJcIN/hxXy1Pk+59g2FV/ZQceeaTyCtCucjL2Q7FXlFjtWn4n15KCr1NE2lNNFhp0lEThw== + +"@types/node@>=10.0.0": + version "17.0.5" + resolved "https://registry.yarnpkg.com/@types/node/-/node-17.0.5.tgz#57ca67ec4e57ad9e4ef5a6bab48a15387a1c83e0" + integrity sha512-w3mrvNXLeDYV1GKTZorGJQivK6XLCoGwpnyJFbJVK/aTBQUxOCaa/GlFAAN3OTDFcb7h5tiFG+YXCO2By+riZw== + +accepts@~1.3.4: + version "1.3.7" + resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.7.tgz#531bc726517a3b2b41f850021c6cc15eaab507cd" + integrity sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA== + dependencies: + mime-types "~2.1.24" + negotiator "0.6.2" + +base64-arraybuffer@~1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/base64-arraybuffer/-/base64-arraybuffer-1.0.1.tgz#87bd13525626db4a9838e00a508c2b73efcf348c" + integrity sha512-vFIUq7FdLtjZMhATwDul5RZWv2jpXQ09Pd6jcVEOvIsqCWTRFD/ONHNfyOS8dA/Ippi5dsIgpyKWKZaAKZltbA== + +base64id@2.0.0, base64id@~2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/base64id/-/base64id-2.0.0.tgz#2770ac6bc47d312af97a8bf9a634342e0cd25cb6" + integrity sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog== + +component-emitter@~1.3.0: + version "1.3.0" + resolved "https://registry.yarnpkg.com/component-emitter/-/component-emitter-1.3.0.tgz#16e4070fba8ae29b679f2215853ee181ab2eabc0" + integrity sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg== + +cookie@~0.4.1: + version "0.4.1" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.4.1.tgz#afd713fe26ebd21ba95ceb61f9a8116e50a537d1" + integrity sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA== + +cors@~2.8.5: + version "2.8.5" + resolved "https://registry.yarnpkg.com/cors/-/cors-2.8.5.tgz#eac11da51592dd86b9f06f6e7ac293b3df875d29" + integrity sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g== + dependencies: + object-assign "^4" + vary "^1" + +debug@~4.3.1, debug@~4.3.2: + version "4.3.3" + resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.3.tgz#04266e0b70a98d4462e6e288e38259213332b664" + integrity sha512-/zxw5+vh1Tfv+4Qn7a5nsbcJKPaSvCDhojn6FEl9vupwK2VCSDtEiEtqr8DFtzYFOdz63LBkxec7DYuc2jon6Q== + dependencies: + ms "2.1.2" + +engine.io-parser@~5.0.0: + version "5.0.2" + resolved "https://registry.yarnpkg.com/engine.io-parser/-/engine.io-parser-5.0.2.tgz#69a2ec3ed431da021f0666712d07f106bcffa6ce" + integrity sha512-wuiO7qO/OEkPJSFueuATIXtrxF7/6GTbAO9QLv7nnbjwZ5tYhLm9zxvLwxstRs0dcT0KUlWTjtIOs1T86jt12g== + dependencies: + base64-arraybuffer "~1.0.1" + +engine.io@~6.1.0: + version "6.1.0" + resolved "https://registry.yarnpkg.com/engine.io/-/engine.io-6.1.0.tgz#459eab0c3724899d7b63a20c3a6835cf92857939" + integrity sha512-ErhZOVu2xweCjEfYcTdkCnEYUiZgkAcBBAhW4jbIvNG8SLU3orAqoJCiytZjYF7eTpVmmCrLDjLIEaPlUAs1uw== + dependencies: + "@types/cookie" "^0.4.1" + "@types/cors" "^2.8.12" + "@types/node" ">=10.0.0" + accepts "~1.3.4" + base64id "2.0.0" + cookie "~0.4.1" + cors "~2.8.5" + debug "~4.3.1" + engine.io-parser "~5.0.0" + ws "~8.2.3" + +font-linux@^0.6.1: + version "0.6.1" + resolved "https://registry.yarnpkg.com/font-linux/-/font-linux-0.6.1.tgz#d586f46336b7da06ea3b7f10f7aee2b6346eed4f" + integrity sha1-1Yb0Yza32gbqO38Q967itjRu7U8= + +gentelella@^1.4.0: + version "1.4.0" + resolved "https://registry.yarnpkg.com/gentelella/-/gentelella-1.4.0.tgz#b3d15fd9c40c6ea47dc7f36290c8f89aee95efc5" + integrity sha512-lp54+y6bwSLHF6KMstW2jD6oqV68vLMnFqMqATRp5a/8Tp52NYly7Q+5FZIMaNKATrb3EKx+BN/bKpaZ4BYLEw== + +mime-db@1.51.0: + version "1.51.0" + resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.51.0.tgz#d9ff62451859b18342d960850dc3cfb77e63fb0c" + integrity sha512-5y8A56jg7XVQx2mbv1lu49NR4dokRnhZYTtL+KGfaa27uq4pSTXkwQkFJl4pkRMyNFz/EtYDSkiiEHx3F7UN6g== + +mime-types@~2.1.24: + version "2.1.34" + resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.34.tgz#5a712f9ec1503511a945803640fafe09d3793c24" + integrity sha512-6cP692WwGIs9XXdOO4++N+7qjqv0rqxxVvJ3VHPh/Sc9mVZcQP+ZGhkKiTvWMQRr2tbHkJP/Yn7Y0npb3ZBs4A== + dependencies: + mime-db "1.51.0" + +ms@2.1.2: + version "2.1.2" + resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009" + integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w== + +negotiator@0.6.2: + version "0.6.2" + resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.2.tgz#feacf7ccf525a77ae9634436a64883ffeca346fb" + integrity sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw== + +object-assign@^4: + version "4.1.1" + resolved "https://registry.yarnpkg.com/object-assign/-/object-assign-4.1.1.tgz#2109adc7965887cfc05cbbd442cac8bfbb360863" + integrity sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM= + +socket.io-adapter@~2.3.3: + version "2.3.3" + resolved "https://registry.yarnpkg.com/socket.io-adapter/-/socket.io-adapter-2.3.3.tgz#4d6111e4d42e9f7646e365b4f578269821f13486" + integrity sha512-Qd/iwn3VskrpNO60BeRyCyr8ZWw9CPZyitW4AQwmRZ8zCiyDiL+znRnWX6tDHXnWn1sJrM1+b6Mn6wEDJJ4aYQ== + +socket.io-parser@~4.0.4: + version "4.0.4" + resolved "https://registry.yarnpkg.com/socket.io-parser/-/socket.io-parser-4.0.4.tgz#9ea21b0d61508d18196ef04a2c6b9ab630f4c2b0" + integrity sha512-t+b0SS+IxG7Rxzda2EVvyBZbvFPBCjJoyHuE0P//7OAsN23GItzDRdWa6ALxZI/8R5ygK7jAR6t028/z+7295g== + dependencies: + "@types/component-emitter" "^1.2.10" + component-emitter "~1.3.0" + debug "~4.3.1" + +socket.io@^4.1.3: + version "4.4.0" + resolved "https://registry.yarnpkg.com/socket.io/-/socket.io-4.4.0.tgz#8140a0db2c22235f88a6dceb867e4d5c9bd70507" + integrity sha512-bnpJxswR9ov0Bw6ilhCvO38/1WPtE3eA2dtxi2Iq4/sFebiDJQzgKNYA7AuVVdGW09nrESXd90NbZqtDd9dzRQ== + dependencies: + accepts "~1.3.4" + base64id "~2.0.0" + debug "~4.3.2" + engine.io "~6.1.0" + socket.io-adapter "~2.3.3" + socket.io-parser "~4.0.4" + +vary@^1: + version "1.1.2" + resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc" + integrity sha1-IpnwLG3tMNSllhsLn3RSShj2NPw= + +ws@~8.2.3: + version "8.2.3" + resolved "https://registry.yarnpkg.com/ws/-/ws-8.2.3.tgz#63a56456db1b04367d0b721a0b80cae6d8becbba" + integrity sha512-wBuoj1BDpC6ZQ1B7DWQBYVLphPWkm8i9Y0/3YdHjHKHiohOJ1ws+3OccDWtH+PoC9DZD5WOTrJvNbWvjS6JWaA== diff --git a/dd-sso/admin/src/client_secrets.json b/dd-sso/admin/src/client_secrets.json new file mode 100644 index 0000000..091d005 --- /dev/null +++ b/dd-sso/admin/src/client_secrets.json @@ -0,0 +1,13 @@ +{ + "web": { + "auth_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/auth", + "client_id": "adminapp", + "client_secret": "8a9e5a2e-3be9-43e3-9c47-1796f0d5ab72", + "redirect_uris": [ + "https://sso.[[DOMAIN]]/oidc_callback" + ], + "userinfo_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/userinfo", + "token_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/token", + "token_introspection_uri": "https://sso.[[DOMAIN]]/auth/realms/master/protocol/openid-connect/token/introspect" + } +} \ No newline at end of file diff --git a/dd-sso/admin/src/generate_certificates.sh b/dd-sso/admin/src/generate_certificates.sh new file mode 100755 index 0000000..63ecdf3 --- /dev/null +++ b/dd-sso/admin/src/generate_certificates.sh @@ -0,0 +1,29 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cd /admin/saml_certs +C=CA +L=Barcelona +O=localdomain +CN_CA=$O +CN_HOST=*.$O +OU=$O +openssl req -nodes -new -x509 -keyout private.key -out public.cert -subj "/C=$C/L=$L/O=$O/CN=$CN_CA" -days 3650 +cd /admin +echo "Now run the python nextcloud and wordpress scripts" diff --git a/dd-sso/admin/src/nextcloud_saml_onlycerts.py b/dd-sso/admin/src/nextcloud_saml_onlycerts.py new file mode 100644 index 0000000..bb1f267 --- /dev/null +++ b/dd-sso/admin/src/nextcloud_saml_onlycerts.py @@ -0,0 +1,164 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import pprint +import random +import string +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml +from admin.lib.keycloak_client import KeycloakClient +from admin.lib.postgres import Postgres + +app = {} +app["config"] = {} + + +class NextcloudSaml: + def __init__(self): + self.url = "http://dd-sso-keycloak:8080/auth/" + self.username = os.environ["KEYCLOAK_USER"] + self.password = os.environ["KEYCLOAK_PASSWORD"] + self.realm = "master" + self.verify = True + + ready = False + while not ready: + try: + self.pg = Postgres( + "dd-apps-postgresql", + "nextcloud", + os.environ["NEXTCLOUD_POSTGRES_USER"], + os.environ["NEXTCLOUD_POSTGRES_PASSWORD"], + ) + ready = True + except: + log.warning("Could not connect to nextcloud database. Retrying...") + time.sleep(2) + log.info("Connected to nextcloud database.") + + ready = False + while not ready: + try: + with open(os.path.join("./saml_certs/public.cert"), "r") as crt: + app["config"]["PUBLIC_CERT"] = crt.read() + ready = True + except IOError: + log.warning( + "Could not get public certificate to be used in nextcloud. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + except: + log.error(traceback.format_exc()) + log.info("Got moodle srt certificate to be used in nextcloud.") + + ready = False + while not ready: + try: + with open(os.path.join("./saml_certs/private.key"), "r") as pem: + app["config"]["PRIVATE_KEY"] = pem.read() + ready = True + except IOError: + log.warning( + "Could not get private key to be used in nextcloud. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + log.info("Got moodle pem certificate to be used in nextcloud.") + + # ## This seems related to the fact that the certificate generated the first time does'nt work. + # ## And when regenerating the certificate de privatekeypass seems not to be used and instead it + # ## will use always this code as filename: 0f635d0e0f3874fff8b581c132e6c7a7 + # ## As this bug I'm not able to solve, the process is: + # ## 1.- Bring up moodle and regenerate certificates on saml2 plugin in plugins-authentication + # ## 2.- Execute this script + # ## 3.- Cleanup all caches in moodle (Development tab) + # # with open(os.path.join("./moodledata/saml2/"+os.environ['NEXTCLOUD_SAML_PRIVATEKEYPASS'].replace("moodle."+os.environ['DOMAIN'],'')+'.idp.xml'),"w") as xml: + # # xml.write(self.parse_idp_metadata()) + # with open(os.path.join("./moodledata/saml2/0f635d0e0f3874fff8b581c132e6c7a7.idp.xml"),"w") as xml: + # xml.write(self.parse_idp_metadata()) + + try: + self.reset_saml_certs() + except: + print("Error resetting saml on nextcloud") + + try: + self.set_nextcloud_saml_plugin_certs() + except: + log.error(traceback.format_exc()) + print("Error adding saml on nextcloud") + + def connect(self): + self.keycloak = KeycloakClient( + url=self.url, + username=self.username, + password=self.password, + realm=self.realm, + verify=self.verify, + ) + + # def activate_saml_plugin(self): + # ## After you need to purge moodle caches: /var/www/html # php admin/cli/purge_caches.php + # return self.pg.update("""UPDATE "mdl_config" SET value = 'email,saml2' WHERE "name" = 'auth'""") + + # def get_privatekey_pass(self): + # return self.pg.select("""SELECT * FROM "mdl_config" WHERE "name" = 'siteidentifier'""")[0][2] + + def parse_idp_cert(self): + self.connect() + rsa = self.keycloak.get_server_rsa_key() + self.keycloak = None + return rsa["certificate"] + + def set_nextcloud_saml_plugin_certs(self): + self.pg.update( + """INSERT INTO "oc_appconfig" ("appid", "configkey", "configvalue") VALUES +('user_saml', 'sp-privateKey', '%s'), +('user_saml', 'idp-x509cert', '%s'), +('user_saml', 'sp-x509cert', '%s');""" + % ( + app["config"]["PRIVATE_KEY"], + self.parse_idp_cert(), + app["config"]["PUBLIC_CERT"], + ) + ) + + def reset_saml_certs(self): + cfg_list = ["sp-privateKey", "idp-x509cert", "sp-x509cert"] + for cfg in cfg_list: + self.pg.update( + """DELETE FROM "oc_appconfig" WHERE appid = 'user_saml' AND configkey = '%s'""" + % (cfg) + ) + + +n = NextcloudSaml() diff --git a/dd-sso/admin/src/postgres.py b/dd-sso/admin/src/postgres.py new file mode 100644 index 0000000..d0cea49 --- /dev/null +++ b/dd-sso/admin/src/postgres.py @@ -0,0 +1,70 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import pprint +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml + + +class Postgres: + def __init__(self, host, database, user, password): + self.conn = psycopg2.connect( + host=host, database=database, user=user, password=password + ) + + # def __del__(self): + # self.cur.close() + # self.conn.close() + + def select(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + self.cur.close() + return data + + def update(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + self.conn.commit() + self.cur.close() + # return self.cur.fetchall() + + def select_with_headers(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + fields = [a.name for a in self.cur.description] + self.cur.close() + return (fields, data) + + # def update_moodle_saml_plugin(self): + # plugin[('idpmetadata', 'NrtA5ynG0htowP3SXw7dBJRIAMxn-1PwuuXwOwNhlRwMIICmzCCAYMCBgF5jb0RCTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjEwNTIxMDcwMjI4WhcNMzEwNTIxMDcwNDA4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCI8xh/C0+frz3kgWiUbziTDls71R2YiXLSVE+bw7gbEgZUGCLhoEI679azMtIxmnzM/snIX+yTb12+XoYkgbiLTMPQfnH+Kiab6g3HL3KPfhqS+yWkFxOoCp6Ibmp7yPlVWuHH+MBfO8OBr/r8Ao7heFbuzjiLd1KG67rcoaxfDgMuBoEomg1bgEjFgHaQIrSC6OZzH0h987/arqufZXeXlfyiqScMPUi+u5IpDWSwz06UKP0k8mxzNSlpZ93CKOUSsV0SMLxqg7FQ3SGiOk577bGW9o9BDTkkmSo3Up6smc0LzwvvUwuNd0B1irGkWZFQN9OXJnJYf1InEebIMtmPAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADM34+qEGeBQ22luphVTuVJtGxcbxLx7DfsT0QfJD/OuxTTbNAa1VRyarb5juIAkqdj4y2quZna9ZXLecVo4RkwpzPoKoAkYA8b+kHnWqEwJi9iPrDvKb+GR0bBkLPN49YxIZ8IdKX/PRa3yuLHe+loiNsCaS/2ZK2KO46COsqU4QX1iVhF9kWphNLybjNAX45B6cJLsa1g0vXLdm3kv3SB4I2fErFVaOoDtFIjttoYlXdpUiThkPXBfr7N67P3dZHaS4tjJh+IZ8I6TINpcsH8dBkUhzYEIPHCePwSiC1w6WDBLNDuKt1mj1CZrLq+1x+Yhrs+QNRheEKGi89HZ8N0=urn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transienturn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')] + # pg_update = """UPDATE mdl_config_plugins set title = %s where plugin = auth_saml2 and name =""" + # cursor.execute(pg_update, (title, bookid)) + # connection.commit() + # count = cursor.rowcount + # print(count, "Successfully Updated!") diff --git a/dd-sso/admin/src/saml_scripts/keycloak_config.py b/dd-sso/admin/src/saml_scripts/keycloak_config.py new file mode 100644 index 0000000..60640fa --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/keycloak_config.py @@ -0,0 +1,121 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import os.path + +from lib.keycloak_client import KeycloakClient + + +class KeycloakConfig: + def __init__(self): + self.keycloak = KeycloakClient() + self.domain = os.getenv('DOMAIN', 'localhost') + + def config_realm_update(self, path_json="/admin/custom/keycloak/realm.json"): + self.keycloak.connect() + k = self.keycloak.keycloak_admin + path = path_json if os.path.isfile(path_json) else '/admin/keycloak-init/realm.json' + with open(path) as json_file: + json_body = json_file.read().replace('DDDOMAIN', self.domain) + d_update = json.loads(json_body) + k.update_realm("master", d_update) + + def config_role_list(self): + self.keycloak.connect() + k = self.keycloak.keycloak_admin + + name_protocol_mapper = "role list" + id_client_scope_role_list = [ + a["id"] for a in k.get_client_scopes() if a["name"] == "role_list" + ][0] + d = k.get_client_scope(id_client_scope_role_list) + d_mapper = [ + a for a in d["protocolMappers"] if a["name"] == name_protocol_mapper + ][0] + id_mapper = d_mapper["id"] + + # Single Role Attribute = On + d_mapper["config"]["single"] = "true" + + k.update_mapper_in_client_scope(id_client_scope_role_list, id_mapper, d_mapper) + + def get_client(self, client_name): + self.keycloak.connect() + k = self.keycloak.keycloak_admin + + clients = k.get_clients() + client = next(filter(lambda c: c["clientId"] == client_name, clients)) + return (k, client) + + def config_client(self, client_name): + (k, client) = self.get_client(client_name) + client_id = client["id"] + + client_overrides = { + "redirectUris": [ + "/realms/master/account/*", + f"https://moodle.{self.domain}/*", + f"https://nextcloud.{self.domain}/*", + f"https://wp.{self.domain}/*", + ], + } + + k.update_client(client_id, client_overrides) + + def set_client_mapper(self, client_name, mapper_name, script): + (k, client) = self.get_client(client_name) + pms = client["protocolMappers"] + if mapper_name in [pm["name"] for pm in pms]: + # It exists, update + mapper_id = next(filter(lambda pm: pm["name"] == mapper_name, pms))["id"] + set_mapper = lambda pl: k.update_client_mapper(client["id"], mapper_id, pl) + else: + # It does not exist, create + set_mapper = lambda pl: k.add_mapper_to_client(client["id"], pl) + + mapper = { + "name": mapper_name, + "protocol": "saml", + "protocolMapper": "saml-javascript-mapper", + "consentRequired": "false", + "config": { + "single": "true", + "Script": script, + "attribute.nameformat": "Basic", + "friendly.name": mapper_name, + "attribute.name": mapper_name, + }, + } + + set_mapper(mapper) + + +if __name__ == "__main__": + keycloak_config = KeycloakConfig() + print("Provisioning realm") + keycloak_config.config_realm_update() + print("Provisioning role list") + keycloak_config.config_role_list() + for client_name in [ "account", "account-console" ]: + print(f"Provisioning client '{client_name}'") + keycloak_config.config_client(client_name) diff --git a/dd-sso/admin/src/saml_scripts/lib/keycloak_client.py b/dd-sso/admin/src/saml_scripts/lib/keycloak_client.py new file mode 100644 index 0000000..3480ea1 --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/lib/keycloak_client.py @@ -0,0 +1,534 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import yaml +from jinja2 import Environment, FileSystemLoader +from keycloak import KeycloakAdmin + +from .postgres import Postgres + +# from admin import app + + +class KeycloakClient: + """https://www.keycloak.org/docs-api/13.0/rest-api/index.html + https://github.com/marcospereirampj/python-keycloak + https://gist.github.com/kaqfa/99829941121188d7cef8271f93f52f1f + """ + + def __init__( + self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ["KEYCLOAK_USER"], + password=os.environ["KEYCLOAK_PASSWORD"], + realm="master", + verify=True, + ): + self.url = url + self.username = username + self.password = password + self.realm = realm + self.verify = verify + + self.keycloak_pg = Postgres( + "dd-apps-postgresql", + "keycloak", + os.environ["KEYCLOAK_DB_USER"], + os.environ["KEYCLOAK_DB_PASSWORD"], + ) + + def connect(self): + self.keycloak_admin = KeycloakAdmin( + server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify, + ) + + # from keycloak import KeycloakAdmin + # keycloak_admin = KeycloakAdmin(server_url="http://dd-sso-keycloak:8080/auth/",username="admin",password="keycloakkeycloak",realm_name="master",verify=False) + + ######## Example create group and subgroup + + # try: + # self.add_group('level1') + # except: + # self.delete_group(self.get_group('/level1')['id']) + # self.add_group('level1') + # self.add_group('level2',parent=self.get_group('/level1')['id']) + # pprint(self.get_groups()) + + ######## Example roles + # try: + # self.add_role('superman') + # except: + # self.delete_role('superman') + # self.add_role('superman') + # pprint(self.get_roles()) + + """ USERS """ + + def get_user_id(self, username): + self.connect() + return self.keycloak_admin.get_user_id(username) + + def get_users(self): + self.connect() + return self.keycloak_admin.get_users({}) + + def get_users_with_groups_and_roles(self): + q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, u.enabled, ua.value as quota + ,json_agg(g."id") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + ,json_agg(r.name) as role + from user_entity as u + left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + left join user_group_membership as ugm on ugm.user_id = u.id + left join keycloak_group as g on g.id = ugm.group_id + left join keycloak_group as g_parent on g.parent_group = g_parent.id + left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + left join user_role_mapping as rm on rm.user_id = u.id + left join keycloak_role as r on r.id = rm.role_id + group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, u.enabled, ua.value + order by u.username""" + + (headers, users) = self.keycloak_pg.select_with_headers(q) + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users_with_lists + ] + + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + + # self.connect() + # groups = self.keycloak_admin.get_groups() + + # for user in list_dict_users: + # new_user_groups = [] + # for group_id in user['group']: + # found = [g for g in groups if g['id'] == group_id][0] + # new_user_groups.append({'id':found['id'], + # 'name':found['name'], + # 'path':found['path']}) + # user['group']=new_user_groups + return list_dict_users + + def getparent(self, group_id, data): + # Recursively get full path from any group_id in the tree + path = "" + for item in data: + if group_id == item[0]: + path = self.getparent(item[2], data) + path = f"{path}/{item[1]}" + return path + + def get_group_path(self, group_id): + # Get full path using getparent recursive func + # RETURNS: String with full path + q = """SELECT * FROM keycloak_group""" + groups = self.keycloak_pg.select(q) + return self.getparent(group_id, groups) + + def get_user_groups_paths(self, user_id): + # Get full paths for user grups + # RETURNS list of paths + q = """SELECT group_id FROM user_group_membership WHERE user_id = '%s'""" % ( + user_id + ) + user_group_ids = self.keycloak_pg.select(q) + + paths = [] + for g in user_group_ids: + paths.append(self.get_group_path(g[0])) + return paths + + ## Too slow. Used the direct postgres + # def get_users_with_groups_and_roles(self): + # self.connect() + # users=self.keycloak_admin.get_users({}) + # for user in users: + # user['groups']=[g['path'] for g in self.keycloak_admin.get_user_groups(user_id=user['id'])] + # user['roles']= [r['name'] for r in self.keycloak_admin.get_realm_roles_of_user(user_id=user['id'])] + # return users + + def add_user( + self, + username, + first, + last, + email, + password, + group=False, + temporary=True, + enabled=True, + ): + # RETURNS string with keycloak user id (the main id in this app) + self.connect() + username = username.lower() + try: + uid = self.keycloak_admin.create_user( + { + "email": email, + "username": username, + "enabled": enabled, + "firstName": first, + "lastName": last, + "credentials": [ + {"type": "password", "value": password, "temporary": temporary} + ], + } + ) + except: + log.error(traceback.format_exc()) + + if group: + path = "/" + group if group[1:] != "/" else group + try: + gid = self.keycloak_admin.get_group_by_path( + path=path, search_in_subgroups=False + )["id"] + except: + self.keycloak_admin.create_group({"name": group}) + gid = self.keycloak_admin.get_group_by_path(path)["id"] + self.keycloak_admin.group_user_add(uid, gid) + return uid + + def update_user_pwd(self, user_id, password, temporary=True): + # Updates + payload = { + "credentials": [ + {"type": "password", "value": password, "temporary": temporary} + ] + } + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def user_update(self, user_id, enabled, email, first, last, groups=[], roles=[]): + ## NOTE: Roles didn't seem to be updated/added. Also not confident with groups + # Updates + payload = { + "enabled": enabled, + "email": email, + "firstName": first, + "lastName": last, + "groups": groups, + "realmRoles": roles, + } + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def user_enable(self, user_id): + payload = {"enabled": True} + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def user_disable(self, user_id): + payload = {"enabled": False} + self.connect() + return self.keycloak_admin.update_user(user_id, payload) + + def group_user_remove(self, user_id, group_id): + self.connect() + return self.keycloak_admin.group_user_remove(user_id, group_id) + + # def add_user_role(self,user_id,role_id): + # self.connect() + # return self.keycloak_admin.assign_role(client_id=client_id, user_id=user_id, role_id=role_id, role_name="test") + + def remove_user_realm_roles(self, user_id, roles): + self.connect() + roles = [ + r + for r in self.get_user_realm_roles(user_id) + if r["name"] in ["admin", "manager", "teacher", "student"] + ] + return self.keycloak_admin.delete_realm_roles_of_user(user_id, roles) + + def delete_user(self, userid): + self.connect() + return self.keycloak_admin.delete_user(user_id=userid) + + def get_user_groups(self, userid): + self.connect() + return self.keycloak_admin.get_user_groups(user_id=userid) + + def get_user_realm_roles(self, userid): + self.connect() + return self.keycloak_admin.get_realm_roles_of_user(user_id=userid) + + def add_user_client_role(self, client_id, user_id, role_id, role_name): + self.connect() + return self.keycloak_admin.assign_client_role( + client_id=client_id, user_id=user_id, role_id=role_id, role_name="test" + ) + + ## GROUPS + def get_all_groups(self): + ## RETURNS ONLY MAIN GROUPS WITH NESTED subGroups list + self.connect() + return self.keycloak_admin.get_groups() + + def get_recursive_groups(self, l_groups, l=[]): + for d_group in l_groups: + d = {} + for key, value in d_group.items(): + if key == "subGroups": + self.get_recursive_groups(value, l) + else: + d[key] = value + l.append(d) + return l + + def get_groups(self, with_subgroups=True): + ## RETURNS ALL GROUPS in root list + self.connect() + groups = self.keycloak_admin.get_groups() + return self.get_recursive_groups(groups) + subgroups = [] + subgroups1 = [] + # This needs to be recursive function + if with_subgroups: + for group in groups: + if len(group["subGroups"]): + for sg in group["subGroups"]: + subgroups.append(sg) + # for sgroup in subgroups: + # if len(sgroup['subGroups']): + # for sg1 in sgroup['subGroups']: + # subgroups1.append(sg1) + + return groups + subgroups + subgroups1 + + def get_group_by_id(self, group_id): + self.connect() + return self.keycloak_admin.get_group(group_id=group_id) + + def get_group_by_path(self, path, recursive=True): + self.connect() + return self.keycloak_admin.get_group_by_path( + path=path, search_in_subgroups=recursive + ) + + def add_group(self, name, parent=None, skip_exists=False): + self.connect() + if parent != None: + parent = self.get_group_by_path(parent)["id"] + return self.keycloak_admin.create_group({"name": name}, parent=parent) + + def delete_group(self, group_id): + self.connect() + return self.keycloak_admin.delete_group(group_id=group_id) + + def group_user_add(self, user_id, group_id): + self.connect() + return self.keycloak_admin.group_user_add(user_id, group_id) + + def add_group_tree(self, path): + parts = path.split("/") + parent_path = "/" + for i in range(1, len(parts)): + if i == 1: + try: + self.add_group(parts[i], None, skip_exists=True) + except: + log.warning("KEYCLOAK: Group :" + parts[i] + " already exists.") + parent_path = parent_path + parts[i] + else: + try: + self.add_group(parts[i], parent_path, skip_exists=True) + except: + log.warning("KEYCLOAK: Group :" + parts[i] + " already exists.") + parent_path = parent_path + parts[i] + + # parts=path.split('/') + # parent_path=None + # for i in range(1,len(parts)): + # # print('Adding group name '+parts[i]+' with parent path '+str(parent_path)) + # try: + # self.add_group(parts[i],parent_path,skip_exists=True) + # except: + # if parent_path==None: + # parent_path='/'+parts[i] + # else: + # parent_path=self.get_group_by_path(parent_path)['path'] + # parent_path=parent_path+'/'+parts[i] + # continue + + # if parent_path==None: + # parent_path='/'+parts[i] + # else: + # parent_path=parent_path+'/'+parts[i] + + # try: + # if i == 1: parent_id=self.add_group(parts[i]) + # except: + # # Main already exists?? What a fail! + # parent_id=self.get_group(parent_id)['id'] + # continue + # self.add_group(parts[i],parent_id) + + def add_user_with_groups_and_role( + self, username, first, last, email, password, role, groups + ): + ## Add user + uid = self.add_user(username, first, last, email, password) + ## Add user to role + log.info("User uid: " + str(uid) + " role: " + str(role)) + try: + therole = role[0] + except: + therole = "" + log.info(self.assign_realm_roles(uid, role)) + ## Create groups in user + for g in groups: + log.warning("Creating keycloak group: " + g) + parts = g.split("/") + parent_path = None + for i in range(1, len(parts)): + # parent_id=None if parent_path==None else self.get_group(parent_path)['id'] + try: + self.add_group(parts[i], parent_path, skip_exists=True) + except: + log.warning( + "Group " + + str(parent_path) + + " already exists. Skipping creation" + ) + pass + if parent_path is None: + thepath = "/" + parts[i] + else: + thepath = parent_path + "/" + parts[i] + if thepath == "/": + log.warning( + "Not adding the user " + + username + + " to any group as does not have any..." + ) + continue + gid = self.get_group_by_path(path=thepath)["id"] + + log.warning( + "Adding " + + username + + " with uuid: " + + uid + + " to group " + + g + + " with uuid: " + + gid + ) + self.keycloak_admin.group_user_add(uid, gid) + + if parent_path == None: + parent_path = "" + parent_path = parent_path + "/" + parts[i] + + # self.group_user_add(uid,gid) + + ## ROLES + def get_roles(self): + self.connect() + return self.keycloak_admin.get_realm_roles() + + def get_role(self, name): + self.connect() + return self.keycloak_admin.get_realm_role(name) + + def add_role(self, name, description=""): + self.connect() + return self.keycloak_admin.create_realm_role( + {"name": name, "description": description} + ) + + def delete_role(self, name): + self.connect() + return self.keycloak_admin.delete_realm_role(name) + + ## CLIENTS + + def get_client_roles(self, client_id): + self.connect() + return self.keycloak_admin.get_client_roles(client_id=client_id) + + def add_client_role(self, client_id, name, description=""): + self.connect() + return self.keycloak_admin.create_client_role( + client_id, {"name": name, "description": description, "clientRole": True} + ) + + ## SYSTEM + def get_server_info(self): + self.connect() + return self.keycloak_admin.get_server_info() + + def get_server_clients(self): + self.connect() + return self.keycloak_admin.get_clients() + + def get_server_rsa_key(self): + self.connect() + rsa_key = [ + k for k in self.keycloak_admin.get_keys()["keys"] if k["type"] == "RSA" + ][0] + return {"name": rsa_key["kid"], "certificate": rsa_key["certificate"]} + + ## REALM + def assign_realm_roles(self, user_id, role): + self.connect() + try: + role = [ + r for r in self.keycloak_admin.get_realm_roles() if r["name"] == role + ] + except: + return False + return self.keycloak_admin.assign_realm_roles(user_id=user_id, roles=role) + # return self.keycloak_admin.assign_realm_roles(user_id=user_id, client_id=None, roles=role) + + ## CLIENTS + def delete_client(self, clientid): + self.connect() + return self.keycloak_admin.delete_client(clientid) + + def add_client(self, client): + self.connect() + return self.keycloak_admin.create_client(client) diff --git a/dd-sso/admin/src/saml_scripts/lib/mysql.py b/dd-sso/admin/src/saml_scripts/lib/mysql.py new file mode 100644 index 0000000..9f3f140 --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/lib/mysql.py @@ -0,0 +1,50 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import time +import traceback +from datetime import datetime, timedelta + +import mysql.connector +import yaml + +# from admin import app + + +class Mysql: + def __init__(self, host, database, user, password): + self.conn = mysql.connector.connect( + host=host, database=database, user=user, password=password + ) + + def select(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + self.cur.close() + return data + + def update(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + self.conn.commit() + self.cur.close() diff --git a/dd-sso/admin/src/saml_scripts/lib/postgres.py b/dd-sso/admin/src/saml_scripts/lib/postgres.py new file mode 100644 index 0000000..84b82ad --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/lib/postgres.py @@ -0,0 +1,71 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml + +# from admin import app + + +class Postgres: + def __init__(self, host, database, user, password): + self.conn = psycopg2.connect( + host=host, database=database, user=user, password=password + ) + + # def __del__(self): + # self.cur.close() + # self.conn.close() + + def select(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + self.cur.close() + return data + + def update(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + self.conn.commit() + self.cur.close() + # return self.cur.fetchall() + + def select_with_headers(self, sql): + self.cur = self.conn.cursor() + self.cur.execute(sql) + data = self.cur.fetchall() + fields = [a.name for a in self.cur.description] + self.cur.close() + return (fields, data) + + # def update_moodle_saml_plugin(self): + # plugin[('idpmetadata', 'NrtA5ynG0htowP3SXw7dBJRIAMxn-1PwuuXwOwNhlRwMIICmzCCAYMCBgF5jb0RCTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjEwNTIxMDcwMjI4WhcNMzEwNTIxMDcwNDA4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCI8xh/C0+frz3kgWiUbziTDls71R2YiXLSVE+bw7gbEgZUGCLhoEI679azMtIxmnzM/snIX+yTb12+XoYkgbiLTMPQfnH+Kiab6g3HL3KPfhqS+yWkFxOoCp6Ibmp7yPlVWuHH+MBfO8OBr/r8Ao7heFbuzjiLd1KG67rcoaxfDgMuBoEomg1bgEjFgHaQIrSC6OZzH0h987/arqufZXeXlfyiqScMPUi+u5IpDWSwz06UKP0k8mxzNSlpZ93CKOUSsV0SMLxqg7FQ3SGiOk577bGW9o9BDTkkmSo3Up6smc0LzwvvUwuNd0B1irGkWZFQN9OXJnJYf1InEebIMtmPAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADM34+qEGeBQ22luphVTuVJtGxcbxLx7DfsT0QfJD/OuxTTbNAa1VRyarb5juIAkqdj4y2quZna9ZXLecVo4RkwpzPoKoAkYA8b+kHnWqEwJi9iPrDvKb+GR0bBkLPN49YxIZ8IdKX/PRa3yuLHe+loiNsCaS/2ZK2KO46COsqU4QX1iVhF9kWphNLybjNAX45B6cJLsa1g0vXLdm3kv3SB4I2fErFVaOoDtFIjttoYlXdpUiThkPXBfr7N67P3dZHaS4tjJh+IZ8I6TINpcsH8dBkUhzYEIPHCePwSiC1w6WDBLNDuKt1mj1CZrLq+1x+Yhrs+QNRheEKGi89HZ8N0=urn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transienturn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')] + # pg_update = """UPDATE mdl_config_plugins set title = %s where plugin = auth_saml2 and name =""" + # cursor.execute(pg_update, (title, bookid)) + # connection.commit() + # count = cursor.rowcount + # print(count, "Successfully Updated!") diff --git a/dd-sso/admin/src/saml_scripts/moodle_saml.py b/dd-sso/admin/src/saml_scripts/moodle_saml.py new file mode 100644 index 0000000..20d39b3 --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/moodle_saml.py @@ -0,0 +1,390 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import pprint +import random +import string +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml +from lib.keycloak_client import KeycloakClient +from lib.postgres import Postgres + +app = {} +app["config"] = {} + + +class MoodleSaml: + def __init__(self): + ready = False + while not ready: + try: + self.pg = Postgres( + "dd-apps-postgresql", + "moodle", + os.environ["MOODLE_POSTGRES_USER"], + os.environ["MOODLE_POSTGRES_PASSWORD"], + ) + ready = True + except: + log.warning("Could not connect to moodle database. Retrying...") + time.sleep(2) + log.info("Connected to moodle database.") + + ready = False + while not ready: + try: + privatekey_pass = self.get_privatekey_pass() + log.info("Read the private key") + if privatekey_pass.endswith(os.environ["DOMAIN"]): + app["config"]["MOODLE_SAML_PRIVATEKEYPASS"] = privatekey_pass + ready = True + else: + log.err(f"Private key does not end with: {os.environ['DOMAIN']}") + except: + # print(traceback.format_exc()) + log.warning("Could not get moodle site identifier. Retrying...") + time.sleep(2) + log.info("Got moodle site identifier.") + + basepath = os.path.dirname(__file__) + + ready = False + while not ready: + try: + with open( + os.path.abspath( + os.path.join( + basepath, + "../moodledata/saml2/moodle." + + os.environ["DOMAIN"] + + ".crt", + ) + ), + "r", + ) as crt: + app["config"]["SP_CRT"] = crt.read() + ready = True + except IOError: + log.warning("Could not get moodle SAML2 crt certificate. Retrying...") + time.sleep(2) + except: + log.error(traceback.format_exc()) + log.info("Got moodle srt certificate.") + + ready = False + while not ready: + try: + with open( + os.path.abspath( + os.path.join( + basepath, + "../moodledata/saml2/moodle." + + os.environ["DOMAIN"] + + ".pem", + ) + ), + "r", + ) as pem: + app["config"]["SP_PEM"] = pem.read() + ready = True + except IOError: + log.warning("Could not get moodle SAML2 pem certificate. Retrying...") + time.sleep(2) + log.info("Got moodle pem certificate.") + + idp_name="0f635d0e0f3874fff8b581c132e6c7a7" + ## Upstream bug: + ## https://github.com/catalyst/moodle-auth_saml2/issues/652 + ## + ## This seems related to the fact that the certificate generated the first time does'nt work. + ## And when regenerating the certificate the privatekeypass seems not to be used and instead it + ## will use always this code as filename: 0f635d0e0f3874fff8b581c132e6c7a7 + ## As this bug I'm not able to solve, the process is: + ## 1.- Bring up moodle and regenerate certificates on saml2 plugin in plugins-authentication + ## 2.- Execute this script + ## 3.- Cleanup all caches in moodle (Development tab) + with open( + os.path.abspath( + os.path.join( + basepath, + f"../moodledata/saml2/{idp_name}.idp.xml", + ) + ), + "w", + ) as xml: + xml.write(self.parse_idp_metadata()) + + log.info("Written SP file on moodledata.") + + try: + self.activate_saml_plugin() + except: + print("Error activating saml on moodle") + + try: + self.set_moodle_saml_plugin() + except: + print("Error setting saml on moodle") + + try: + self.delete_keycloak_moodle_saml_plugin() + except: + print("Error deleting saml on keycloak") + + try: + self.add_keycloak_moodle_saml() + except: + print("Error adding saml on keycloak") + + # SAML clients don't work well with composite roles so disabling and adding on realm + # self.add_client_roles() + + def activate_saml_plugin(self): + ## After you need to purge moodle caches: /var/www/html # php admin/cli/purge_caches.php + return self.pg.update( + """UPDATE "mdl_config" SET value = 'email,saml2' WHERE "name" = 'auth'""" + ) + + def get_privatekey_pass(self): + return self.pg.select( + """SELECT * FROM "mdl_config" WHERE "name" = 'siteidentifier'""" + )[0][2] + + def parse_idp_metadata(self): + keycloak = KeycloakClient() + rsa = keycloak.get_server_rsa_key() + keycloak = None + return ( + '' + + rsa["name"] + + "" + + rsa["certificate"] + + 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transienturn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' + ) + + def set_keycloak_moodle_saml_plugin(self): + keycloak = KeycloakClient() + keycloak.add_moodle_client() + keycloak = None + + def delete_keycloak_moodle_saml_plugin(self): + keycloak = KeycloakClient() + keycloak.delete_client("a92d5417-92b6-4678-9cb9-51bc0edcee8c") + keycloak = None + + def set_moodle_saml_plugin(self): + config = { + "idpmetadata": self.parse_idp_metadata(), + "certs_locked": "1", + "duallogin": "0", + "idpattr": "username", + "autocreate": "1", + "anyauth": "1", + "saml_role_siteadmin_map": "admin", + "saml_role_coursecreator_map": "teacher", + "saml_role_manager_map": "manager", + "field_map_email": "email", + "field_map_firstname": "givenName", + "field_map_lastname": "sn", + } + for name in config.keys(): + self.pg.update( + """UPDATE "mdl_config_plugins" SET value = '%s' WHERE "plugin" = 'auth_saml2' AND "name" = '%s'""" + % (config[name], name) + ) + self.pg.update( + """INSERT INTO "mdl_auth_saml2_idps" ("metadataurl", "entityid", "activeidp", "defaultidp", "adminidp", "defaultname", "displayname", "logo", "alias", "whitelist") VALUES + ('xml', 'https://sso.%s/auth/realms/master', 1, 0, 0, 'Login via SAML2', '', NULL, NULL, NULL);""" + % (os.environ["DOMAIN"]) + ) + + def add_keycloak_moodle_saml(self): + client = { + "id": "a92d5417-92b6-4678-9cb9-51bc0edcee8c", + "name": "moodle", + "description": "moodle", + "clientId": "https://moodle." + + os.environ["DOMAIN"] + + "/auth/saml2/sp/metadata.php", + "surrogateAuthRequired": False, + "enabled": True, + "alwaysDisplayInConsole": False, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://moodle." + + os.environ["DOMAIN"] + + "/auth/saml2/sp/saml2-acs.php/moodle." + + os.environ["DOMAIN"] + + "" + ], + "webOrigins": ["https://moodle." + os.environ["DOMAIN"] + ""], + "notBefore": 0, + "bearerOnly": False, + "consentRequired": False, + "standardFlowEnabled": True, + "implicitFlowEnabled": False, + "directAccessGrantsEnabled": False, + "serviceAccountsEnabled": False, + "publicClient": False, + "frontchannelLogout": True, + "protocol": "saml", + "attributes": { + "saml.force.post.binding": True, + "saml.encrypt": False, + "saml_assertion_consumer_url_post": "https://moodle." + + os.environ["DOMAIN"] + + "/auth/saml2/sp/saml2-acs.php/moodle." + + os.environ["DOMAIN"] + + "", + "saml.server.signature": True, + "saml.server.signature.keyinfo.ext": False, + "saml.signing.certificate": app["config"]["SP_CRT"], + "saml_single_logout_service_url_redirect": "https://moodle." + + os.environ["DOMAIN"] + + "/auth/saml2/sp/saml2-logout.php/moodle." + + os.environ["DOMAIN"] + + "", + "saml.signature.algorithm": "RSA_SHA256", + "saml_force_name_id_format": False, + "saml.client.signature": True, + "saml.encryption.certificate": app["config"]["SP_PEM"], + "saml.authnstatement": True, + "saml_name_id_format": "username", + "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#", + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": True, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "9296daa3-4fc4-4b80-b007-5070f546ae13", + "name": "X500 sn", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", + "user.attribute": "lastName", + "friendly.name": "sn", + "attribute.name": "urn:oid:2.5.4.4", + }, + }, + { + "id": "ccecf6e4-d20a-4211-b67c-40200a6b2c5d", + "name": "username", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "Basic", + "user.attribute": "username", + "friendly.name": "username", + "attribute.name": "username", + }, + }, + { + "id": "53858403-eba2-4f6d-81d0-cced700b5719", + "name": "X500 givenName", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", + "user.attribute": "firstName", + "friendly.name": "givenName", + "attribute.name": "urn:oid:2.5.4.42", + }, + }, + { + "id": "20034db5-1d0e-4e66-b815-fb0440c6d1e2", + "name": "X500 email", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", + "user.attribute": "email", + "friendly.name": "email", + "attribute.name": "urn:oid:1.2.840.113549.1.9.1", + }, + }, + ], + "defaultClientScopes": [ + "web-origins", + "role_list", + "roles", + "profile", + "email", + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt", + ], + "access": {"view": True, "configure": True, "manage": True}, + } + keycloak = KeycloakClient() + keycloak.add_client(client) + keycloak = None + + def add_client_roles(self): + keycloak = KeycloakClient() + keycloak.add_client_role( + "a92d5417-92b6-4678-9cb9-51bc0edcee8c", "admin", "Moodle admins" + ) + keycloak.add_client_role( + "a92d5417-92b6-4678-9cb9-51bc0edcee8c", "manager", "Moodle managers" + ) + keycloak.add_client_role( + "a92d5417-92b6-4678-9cb9-51bc0edcee8c", "teacher", "Moodle teachers" + ) + keycloak.add_client_role( + "a92d5417-92b6-4678-9cb9-51bc0edcee8c", "student", "Moodle students" + ) + keycloak = None + + +m = MoodleSaml() diff --git a/dd-sso/admin/src/saml_scripts/nextcloud_saml.py b/dd-sso/admin/src/saml_scripts/nextcloud_saml.py new file mode 100644 index 0000000..863cde6 --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/nextcloud_saml.py @@ -0,0 +1,382 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import pprint +import random +import string +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml +from lib.keycloak_client import KeycloakClient +from lib.postgres import Postgres + +app = {} +app["config"] = {} + + +class NextcloudSaml: + def __init__(self): + self.url = "http://dd-sso-keycloak:8080/auth/" + self.username = os.environ["KEYCLOAK_USER"] + self.password = os.environ["KEYCLOAK_PASSWORD"] + self.realm = "master" + self.verify = True + + ready = False + while not ready: + try: + self.pg = Postgres( + "dd-apps-postgresql", + "nextcloud", + os.environ["NEXTCLOUD_POSTGRES_USER"], + os.environ["NEXTCLOUD_POSTGRES_PASSWORD"], + ) + ready = True + except: + log.warning("Could not connect to nextcloud database. Retrying...") + time.sleep(2) + log.info("Connected to nextcloud database.") + + basepath = os.path.dirname(__file__) + + ready = False + while not ready: + try: + with open( + os.path.abspath( + os.path.join(basepath, "../saml_certs/public.cert") + ), + "r", + ) as crt: + app["config"]["PUBLIC_CERT"] = crt.read() + ready = True + except IOError: + log.warning( + "Could not get public certificate to be used in nextcloud. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + except: + log.error(traceback.format_exc()) + log.info("Got moodle srt certificate to be used in nextcloud.") + + ready = False + while not ready: + try: + with open( + os.path.abspath( + os.path.join(basepath, "../saml_certs/private.key") + ), + "r", + ) as pem: + app["config"]["PRIVATE_KEY"] = pem.read() + ready = True + except IOError: + log.warning( + "Could not get private key to be used in nextcloud. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + log.info("Got moodle pem certificate to be used in nextcloud.") + + # ## This seems related to the fact that the certificate generated the first time does'nt work. + # ## And when regenerating the certificate de privatekeypass seems not to be used and instead it + # ## will use always this code as filename: 0f635d0e0f3874fff8b581c132e6c7a7 + # ## As this bug I'm not able to solve, the process is: + # ## 1.- Bring up moodle and regenerate certificates on saml2 plugin in plugins-authentication + # ## 2.- Execute this script + # ## 3.- Cleanup all caches in moodle (Development tab) + # # with open(os.path.join("./moodledata/saml2/"+os.environ['NEXTCLOUD_SAML_PRIVATEKEYPASS'].replace("moodle."+os.environ['DOMAIN'],'')+'.idp.xml'),"w") as xml: + # # xml.write(self.parse_idp_metadata()) + # with open(os.path.join("./moodledata/saml2/0f635d0e0f3874fff8b581c132e6c7a7.idp.xml"),"w") as xml: + # xml.write(self.parse_idp_metadata()) + + try: + self.reset_saml() + except: + print("Error resetting saml on nextcloud") + + try: + self.delete_keycloak_nextcloud_saml_plugin() + except: + print("Error resetting saml on keycloak") + + try: + self.set_nextcloud_saml_plugin() + except: + log.error(traceback.format_exc()) + print("Error adding saml on nextcloud") + + try: + self.add_keycloak_nextcloud_saml() + except: + print("Error adding saml on keycloak") + + def connect(self): + self.keycloak = KeycloakClient( + url=self.url, + username=self.username, + password=self.password, + realm=self.realm, + verify=self.verify, + ) + + # def activate_saml_plugin(self): + # ## After you need to purge moodle caches: /var/www/html # php admin/cli/purge_caches.php + # return self.pg.update("""UPDATE "mdl_config" SET value = 'email,saml2' WHERE "name" = 'auth'""") + + # def get_privatekey_pass(self): + # return self.pg.select("""SELECT * FROM "mdl_config" WHERE "name" = 'siteidentifier'""")[0][2] + + def parse_idp_cert(self): + self.connect() + rsa = self.keycloak.get_server_rsa_key() + self.keycloak = None + return rsa["certificate"] + + def set_keycloak_nextcloud_saml_plugin(self): + self.connect() + self.keycloak.add_nextcloud_client() + self.keycloak = None + + def delete_keycloak_nextcloud_saml_plugin(self): + self.connect() + self.keycloak.delete_client("bef873f0-2079-4876-8657-067de27d01b7") + self.keycloak = None + + def set_nextcloud_saml_plugin(self): + self.pg.update( + """INSERT INTO "oc_appconfig" ("appid", "configkey", "configvalue") VALUES +('user_saml', 'general-uid_mapping', 'username'), +('user_saml', 'type', 'saml'), +('user_saml', 'sp-privateKey', '%s'), +('user_saml', 'saml-attribute-mapping-email_mapping', 'email'), +('user_saml', 'saml-attribute-mapping-quota_mapping', 'quota'), +('user_saml', 'saml-attribute-mapping-displayName_mapping', 'displayname'), +('user_saml', 'saml-attribute-mapping-group_mapping', 'member'), +('user_saml', 'idp-entityId', 'https://sso.%s/auth/realms/master'), +('user_saml', 'idp-singleSignOnService.url', 'https://sso.%s/auth/realms/master/protocol/saml'), +('user_saml', 'idp-x509cert', '%s'), +('user_saml', 'security-authnRequestsSigned', '1'), +('user_saml', 'security-logoutRequestSigned', '1'), +('user_saml', 'security-logoutResponseSigned', '1'), +('user_saml', 'security-wantMessagesSigned', '1'), +('user_saml', 'security-wantAssertionsSigned', '1'), +('user_saml', 'general-idp0_display_name', 'SAML Login'), +('user_saml', 'sp-x509cert', '%s'), +('user_saml', 'idp-singleLogoutService.url', 'https://sso.%s/auth/realms/master/protocol/saml');""" + % ( + app["config"]["PRIVATE_KEY"], + os.environ["DOMAIN"], + os.environ["DOMAIN"], + self.parse_idp_cert(), + app["config"]["PUBLIC_CERT"], + os.environ["DOMAIN"], + ) + ) + + def reset_saml(self): + cfg_list = [ + "general-uid_mapping", + "sp-privateKey", + "saml-attribute-mapping-email_mapping", + "saml-attribute-mapping-quota_mapping", + "saml-attribute-mapping-displayName_mapping", + "saml-attribute-mapping-group_mapping", + "idp-entityId", + "idp-singleSignOnService.url", + "idp-x509cert", + "security-authnRequestsSigned", + "security-logoutRequestSigned", + "security-logoutResponseSigned", + "security-wantMessagesSigned", + "security-wantAssertionsSigned", + "general-idp0_display_name", + "type", + "sp-x509cert", + "idp-singleLogoutService.url", + ] + for cfg in cfg_list: + self.pg.update( + """DELETE FROM "oc_appconfig" WHERE appid = 'user_saml' AND configkey = '%s'""" + % (cfg) + ) + + def add_keycloak_nextcloud_saml(self): + client = { + "id": "bef873f0-2079-4876-8657-067de27d01b7", + "name": "nextcloud", + "description": "nextcloud", + "clientId": "https://nextcloud." + + os.environ["DOMAIN"] + + "/apps/user_saml/saml/metadata", + "surrogateAuthRequired": False, + "enabled": True, + "alwaysDisplayInConsole": False, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://nextcloud." + os.environ["DOMAIN"] + "/apps/user_saml/saml/acs" + ], + "webOrigins": ["https://nextcloud." + os.environ["DOMAIN"]], + "notBefore": 0, + "bearerOnly": False, + "consentRequired": False, + "standardFlowEnabled": True, + "implicitFlowEnabled": False, + "directAccessGrantsEnabled": False, + "serviceAccountsEnabled": False, + "publicClient": False, + "frontchannelLogout": True, + "protocol": "saml", + "attributes": { + "saml.assertion.signature": True, + "saml.force.post.binding": True, + "saml_assertion_consumer_url_post": "https://nextcloud." + + os.environ["DOMAIN"] + + "/apps/user_saml/saml/acs", + "saml.server.signature": True, + "saml.server.signature.keyinfo.ext": False, + "saml.signing.certificate": app["config"]["PUBLIC_CERT"], + "saml_single_logout_service_url_redirect": "https://nextcloud." + + os.environ["DOMAIN"] + + "/apps/user_saml/saml/sls", + "saml.signature.algorithm": "RSA_SHA256", + "saml_force_name_id_format": False, + "saml.client.signature": False, + "saml.authnstatement": True, + "saml_name_id_format": "username", + "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#", + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": True, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "e8e4acff-da2b-46aa-8bdb-ba42171671d6", + "name": "username", + "protocol": "saml", + "protocolMapper": "saml-user-attribute-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "Basic", + "user.attribute": "username", + "friendly.name": "username", + "attribute.name": "username", + }, + }, + { + "id": "8ab13cd7-822a-40d5-a1e1-9f556aed2332", + "name": "quota", + "protocol": "saml", + "protocolMapper": "saml-user-attribute-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "Basic", + "user.attribute": "quota", + "friendly.name": "quota", + "attribute.name": "quota", + }, + }, + { + "id": "28206b59-757b-4e3c-81cb-0b6053b1fd3d", + "name": "email", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "Basic", + "user.attribute": "email", + "friendly.name": "email", + "attribute.name": "email", + }, + }, + { + "id": "5176a593-180f-4924-b294-b83a0d8d5972", + "name": "displayname", + "protocol": "saml", + "protocolMapper": "saml-javascript-mapper", + "consentRequired": False, + "config": { + "single": False, + "Script": '/**\n * Available variables: \n * user - the current user\n * realm - the current realm\n * clientSession - the current clientSession\n * userSession - the current userSession\n * keycloakSession - the current keycloakSession\n */\n\n\n//insert your code here...\nvar Output = user.getFirstName()+" "+user.getLastName();\nOutput;\n', + "attribute.nameformat": "Basic", + "friendly.name": "displayname", + "attribute.name": "displayname", + }, + }, + { + "id": "e51e04b9-f71a-42de-819e-dd9285246ada", + "name": "Roles", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": False, + "config": { + "single": True, + "attribute.nameformat": "Basic", + "friendly.name": "Roles", + "attribute.name": "Roles", + }, + }, + { + "id": "9c101249-bb09-4cc8-8f75-5a18fcb307e6", + "name": "group_list", + "protocol": "saml", + "protocolMapper": "saml-group-membership-mapper", + "consentRequired": False, + "config": { + "single": True, + "attribute.nameformat": "Basic", + "full.path": False, + "friendly.name": "member", + "attribute.name": "member", + }, + }, + ], + "defaultClientScopes": [ + "web-origins", + "role_list", + "roles", + "profile", + "email", + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt", + ], + "access": {"view": True, "configure": True, "manage": True}, + } + self.connect() + self.keycloak.add_client(client) + self.keycloak = None + + +n = NextcloudSaml() diff --git a/dd-sso/admin/src/saml_scripts/wordpress_saml.py b/dd-sso/admin/src/saml_scripts/wordpress_saml.py new file mode 100644 index 0000000..8b0a582 --- /dev/null +++ b/dd-sso/admin/src/saml_scripts/wordpress_saml.py @@ -0,0 +1,402 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import pprint +import random +import string +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml +from lib.keycloak_client import KeycloakClient +from lib.mysql import Mysql + +app = {} +app["config"] = {} + +nickname_script=""" +var Output = user.getFirstName()+" "+user.getLastName(); +Output; +""" + + +class WordpressSaml: + def __init__(self): + self.url = "http://dd-sso-keycloak:8080/auth/" + self.username = os.environ["KEYCLOAK_USER"] + self.password = os.environ["KEYCLOAK_PASSWORD"] + self.realm = "master" + self.verify = True + + ready = False + while not ready: + try: + self.db = Mysql( + "dd-apps-mariadb", + "wordpress", + "root", + os.environ["MARIADB_PASSWORD"], + ) + ready = True + except: + log.warning("Could not connect to wordpress database. Retrying...") + time.sleep(2) + log.info("Connected to wordpress database.") + + basepath = os.path.dirname(__file__) + + ready = False + while not ready: + try: + with open( + os.path.abspath( + os.path.join(basepath, "../saml_certs/public.cert") + ), + "r", + ) as crt: + app["config"]["PUBLIC_CERT_RAW"] = crt.read() + app["config"]["PUBLIC_CERT"] = self.cert_prepare( + app["config"]["PUBLIC_CERT_RAW"] + ) + ready = True + except IOError: + log.warning( + "Could not get public certificate to be used in wordpress. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + except: + log.error(traceback.format_exc()) + log.info("Got moodle srt certificate to be used in wordpress.") + + ready = False + while not ready: + try: + with open( + os.path.abspath( + os.path.join(basepath, "../saml_certs/private.key") + ), + "r", + ) as pem: + app["config"]["PRIVATE_KEY"] = self.cert_prepare(pem.read()) + ready = True + except IOError: + log.warning( + "Could not get private key to be used in wordpress. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + log.info("Got moodle pem certificate to be used in wordpress.") + + # ## This seems related to the fact that the certificate generated the first time does'nt work. + # ## And when regenerating the certificate de privatekeypass seems not to be used and instead it + # ## will use always this code as filename: 0f635d0e0f3874fff8b581c132e6c7a7 + # ## As this bug I'm not able to solve, the process is: + # ## 1.- Bring up moodle and regenerate certificates on saml2 plugin in plugins-authentication + # ## 2.- Execute this script + # ## 3.- Cleanup all caches in moodle (Development tab) + # # with open(os.path.join("./moodledata/saml2/"+os.environ['NEXTCLOUD_SAML_PRIVATEKEYPASS'].replace("moodle."+os.environ['DOMAIN'],'')+'.idp.xml'),"w") as xml: + # # xml.write(self.parse_idp_metadata()) + # with open(os.path.join("./moodledata/saml2/0f635d0e0f3874fff8b581c132e6c7a7.idp.xml"),"w") as xml: + # xml.write(self.parse_idp_metadata()) + + try: + self.reset_saml() + except: + print(traceback.format_exc()) + print("Error resetting saml on wordpress") + try: + self.delete_keycloak_wordpress_saml_plugin() + except: + print("Error resetting saml on keycloak") + + try: + self.set_wordpress_saml_plugin() + except: + print(traceback.format_exc()) + print("Error adding saml on wordpress") + + try: + self.add_keycloak_wordpress_saml() + except: + print("Error adding saml on keycloak") + + # SAML clients don't work well with composite roles so disabling and adding on realm + # self.add_client_roles() + + def connect(self): + self.keycloak = KeycloakClient( + url=self.url, + username=self.username, + password=self.password, + realm=self.realm, + verify=self.verify, + ) + + # def activate_saml_plugin(self): + # ## After you need to purge moodle caches: /var/www/html # php admin/cli/purge_caches.php + # return self.db.update("""UPDATE "mdl_config" SET value = 'email,saml2' WHERE "name" = 'auth'""") + + # def get_privatekey_pass(self): + # return self.db.select("""SELECT * FROM "mdl_config" WHERE "name" = 'siteidentifier'""")[0][2] + + def cert_prepare(self, cert): + return "".join(cert.split("-----")[2].splitlines()) + + def parse_idp_cert(self): + self.connect() + rsa = self.keycloak.get_server_rsa_key() + self.keycloak = None + return rsa["certificate"] + + def set_keycloak_wordpress_saml_plugin(self): + self.connect() + self.keycloak.add_wordpress_client() + self.keycloak = None + + def delete_keycloak_wordpress_saml_plugin(self): + self.connect() + self.keycloak.delete_client("630601f8-25d1-4822-8741-c93affd2cd84") + self.keycloak = None + + def set_wordpress_saml_plugin(self): + # ('active_plugins', 'a:2:{i:0;s:33:\"edwiser-bridge/edwiser-bridge.php\";i:1;s:17:\"onelogin_saml.php\";}', 'yes'), + self.db.update( + """INSERT INTO wp_options (option_name, option_value, autoload) VALUES +('onelogin_saml_enabled', 'on', 'yes'), +('onelogin_saml_idp_entityid', 'Saml Login', 'yes'), +('onelogin_saml_idp_sso', 'https://sso.%s/auth/realms/master/protocol/saml', 'yes'), +('onelogin_saml_idp_slo', 'https://sso.%s/auth/realms/master/protocol/saml', 'yes'), +('onelogin_saml_idp_x509cert', '%s', 'yes'), +('onelogin_saml_autocreate', 'on', 'yes'), +('onelogin_saml_updateuser', 'on', 'yes'), +('onelogin_saml_forcelogin', 'on', 'yes'), +('onelogin_saml_slo', 'on', 'yes'), +('onelogin_saml_keep_local_login', '', 'yes'), +('onelogin_saml_alternative_acs', '', 'yes'), +('onelogin_saml_account_matcher', 'username', 'yes'), +('onelogin_saml_trigger_login_hook', '', 'yes'), +('onelogin_saml_multirole', '', 'yes'), +('onelogin_saml_trusted_url_domains', '', 'yes'), +('onelogin_saml_attr_mapping_username', 'username', 'yes'), +('onelogin_saml_attr_mapping_mail', 'email', 'yes'), +('onelogin_saml_attr_mapping_firstname', 'givenName', 'yes'), +('onelogin_saml_attr_mapping_lastname', 'sn', 'yes'), +('onelogin_saml_attr_mapping_nickname', '', 'yes'), +('onelogin_saml_attr_mapping_role', 'Role', 'yes'), +('onelogin_saml_attr_mapping_rememberme', '', 'yes'), +('onelogin_saml_role_mapping_administrator', 'admin', 'yes'), +('onelogin_saml_role_mapping_editor', 'manager', 'yes'), +('onelogin_saml_role_mapping_author', 'coursecreator', 'yes'), +('onelogin_saml_role_mapping_contributor', 'teacher', 'yes'), +('onelogin_saml_role_mapping_subscriber', '', 'yes'), +('onelogin_saml_role_mapping_multivalued_in_one_attribute_value', 'on', 'yes'), +('onelogin_saml_role_mapping_multivalued_pattern', '', 'yes'), +('onelogin_saml_role_order_administrator', '', 'yes'), +('onelogin_saml_role_order_editor', '', 'yes'), +('onelogin_saml_role_order_author', '', 'yes'), +('onelogin_saml_role_order_contributor', '', 'yes'), +('onelogin_saml_role_order_subscriber', '', 'yes'), +('onelogin_saml_customize_action_prevent_local_login', '', 'yes'), +('onelogin_saml_customize_action_prevent_reset_password', '', 'yes'), +('onelogin_saml_customize_action_prevent_change_password', '', 'yes'), +('onelogin_saml_customize_action_prevent_change_mail', '', 'yes'), +('onelogin_saml_customize_stay_in_wordpress_after_slo', 'on', 'yes'), +('onelogin_saml_customize_links_user_registration', '', 'yes'), +('onelogin_saml_customize_links_lost_password', '', 'yes'), +('onelogin_saml_customize_links_saml_login', '', 'yes'), +('onelogin_saml_advanced_settings_debug', '', 'yes'), +('onelogin_saml_advanced_settings_strict_mode', '', 'yes'), +('onelogin_saml_advanced_settings_sp_entity_id', '', 'yes'), +('onelogin_saml_advanced_idp_lowercase_url_encoding', '', 'yes'), +('onelogin_saml_advanced_settings_nameid_encrypted', '', 'yes'), +('onelogin_saml_advanced_settings_authn_request_signed', 'on', 'yes'), +('onelogin_saml_advanced_settings_logout_request_signed', 'on', 'yes'), +('onelogin_saml_advanced_settings_logout_response_signed', 'on', 'yes'), +('onelogin_saml_advanced_settings_want_message_signed', '', 'yes'), +('onelogin_saml_advanced_settings_want_assertion_signed', '', 'yes'), +('onelogin_saml_advanced_settings_want_assertion_encrypted', '', 'yes'), +('onelogin_saml_advanced_settings_retrieve_parameters_from_server', '', 'yes'), +('onelogin_saml_advanced_nameidformat', 'unspecified', 'yes'), +('onelogin_saml_advanced_requestedauthncontext', '', 'yes'), +('onelogin_saml_advanced_settings_sp_x509cert', '%s', 'yes'), +('onelogin_saml_advanced_settings_sp_privatekey', '%s', 'yes'), +('onelogin_saml_advanced_signaturealgorithm', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'yes'), +('onelogin_saml_advanced_digestalgorithm', 'http://www.w3.org/2000/09/xmldsig#sha1', 'yes');""" + % ( + os.environ["DOMAIN"], + os.environ["DOMAIN"], + self.parse_idp_cert(), + app["config"]["PUBLIC_CERT"], + app["config"]["PRIVATE_KEY"], + ) + ) + + def reset_saml(self): + self.db.update( + """DELETE FROM wp_options WHERE option_name LIKE 'onelogin_saml_%'""" + ) + + def add_keycloak_wordpress_saml(self): + client = { + "id": "630601f8-25d1-4822-8741-c93affd2cd84", + "clientId": "php-saml", + "surrogateAuthRequired": False, + "enabled": True, + "alwaysDisplayInConsole": False, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/master/account/*", + f"https://wp.{os.environ['DOMAIN']}/wp-login.php?saml_acs", + f"https://wp.{os.environ['DOMAIN']}/*", + ], + "webOrigins": [f"https://wp.{os.environ['DOMAIN']}"], + "notBefore": 0, + "bearerOnly": False, + "consentRequired": False, + "standardFlowEnabled": True, + "implicitFlowEnabled": False, + "directAccessGrantsEnabled": False, + "serviceAccountsEnabled": False, + "publicClient": False, + "frontchannelLogout": True, + "protocol": "saml", + "attributes": { + "saml.force.post.binding": True, + "saml_assertion_consumer_url_post": "https://wp." + + os.environ["DOMAIN"] + + "/wp-login.php?saml_acs", + "saml.server.signature": True, + "saml.server.signature.keyinfo.ext": False, + "saml.signing.certificate": app["config"]["PUBLIC_CERT_RAW"], + "saml_single_logout_service_url_redirect": "https://wp." + + os.environ["DOMAIN"] + + "/wp-login.php?saml_sls", + "saml.signature.algorithm": "RSA_SHA256", + "saml_force_name_id_format": False, + "saml.client.signature": True, + "saml.authnstatement": True, + "saml_name_id_format": "username", + "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#", + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": True, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "72c6175e-bd07-4c27-abd6-4e4ae38d834b", + "name": "username", + "protocol": "saml", + "protocolMapper": "saml-user-attribute-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "Basic", + "user.attribute": "username", + "friendly.name": "username", + "attribute.name": "username", + }, + }, + { + "id": "abd6562f-4732-4da9-987f-b1a6ad6605fa", + "name": "roles", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": False, + "config": { + "single": True, + "attribute.nameformat": "Basic", + "friendly.name": "Roles", + "attribute.name": "Role", + }, + }, + { + "id": "50aafb71-d91c-4bc7-bb60-e1ae0222aab3", + "name": "email", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": False, + "config": { + "attribute.nameformat": "Basic", + "user.attribute": "email", + "friendly.name": "email", + "attribute.name": "email", + }, + }, + { + "id": "b1befc6b-580f-4065-804c-b45d23a1af5d", + "name": "nickname", + "protocol": "saml", + "protocolMapper": "saml-javascript-mapper", + "consentRequired": False, + "config": { + "single": True, + "Script": nickname_script, + "attribute.nameformat": "Basic", + "friendly.name": "nickname", + "attribute.name": "nickname", + }, + }, + ], + "defaultClientScopes": [ + "web-origins", + "role_list", + "roles", + "profile", + "email", + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt", + ], + "access": {"view": True, "configure": True, "manage": True}, + } + self.connect() + self.keycloak.add_client(client) + self.keycloak = None + + def add_client_roles(self): + self.connect() + self.keycloak.add_client_role( + "630601f8-25d1-4822-8741-c93affd2cd84", "admin", "Wordpress admins" + ) + self.keycloak.add_client_role( + "630601f8-25d1-4822-8741-c93affd2cd84", "manager", "Wordpress managers" + ) + self.keycloak.add_client_role( + "630601f8-25d1-4822-8741-c93affd2cd84", "teacher", "Wordpress teachers" + ) + self.keycloak.add_client_role( + "630601f8-25d1-4822-8741-c93affd2cd84", "student", "Wordpress students" + ) + self.keycloak = None + + +nw = WordpressSaml() diff --git a/dd-sso/admin/src/scripts/README.md b/dd-sso/admin/src/scripts/README.md new file mode 100644 index 0000000..6163ed2 --- /dev/null +++ b/dd-sso/admin/src/scripts/README.md @@ -0,0 +1,7 @@ +# Scripts for cli + +Take care at using this at your own risk! +The reset_pwd.py for example will reset ALL USERS password and dump a file with pwd that should be removed! +The avatars.py will reset all users avatars to defaults. + +If you still want to play with them copy it one folder up to be used. diff --git a/dd-sso/admin/src/scripts/avatars.py b/dd-sso/admin/src/scripts/avatars.py new file mode 100644 index 0000000..f3f329d --- /dev/null +++ b/dd-sso/admin/src/scripts/avatars.py @@ -0,0 +1,162 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import yaml +from keycloak import KeycloakAdmin +from minio import Minio +from minio.commonconfig import REPLACE, CopySource +from minio.deleteobjects import DeleteObject +from postgres import Postgres + + +class DefaultAvatars: + def __init__( + self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ["KEYCLOAK_USER"], + password=os.environ["KEYCLOAK_PASSWORD"], + realm="master", + verify=True, + ): + self.url = url + self.username = username + self.password = password + self.realm = realm + self.verify = verify + + self.keycloak_pg = Postgres( + "dd-apps-postgresql", + "keycloak", + os.environ["KEYCLOAK_DB_USER"], + os.environ["KEYCLOAK_DB_PASSWORD"], + ) + + self.mclient = Minio( + "dd-sso-avatars:9000", + access_key="AKIAIOSFODNN7EXAMPLE", + secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", + secure=False, + ) + self.bucket = "master-avatars" + self._minio_set_realm() + self.update_missing_avatars() + + def connect(self): + self.keycloak_admin = KeycloakAdmin( + server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify, + ) + + def update_missing_avatars(self): + sys_roles = ["admin", "manager", "teacher", "student"] + for u in self.get_users_without_image(): + try: + img = [r + ".jpg" for r in sys_roles if r in u["role"]][0] + except: + img = "unknown.jpg" + + self.mclient.fput_object( + self.bucket, + u["id"], + "custom/avatars/" + img, + content_type="image/jpeg ", + ) + log.warning( + " AVATARS: Updated avatar for user " + + u["username"] + + " with role " + + img.split(".")[0] + ) + + def _minio_set_realm(self): + if not self.mclient.bucket_exists(self.bucket): + self.mclient.make_bucket(self.bucket) + + def minio_get_objects(self): + return [o.object_name for o in self.mclient.list_objects(self.bucket)] + + def minio_delete_all_objects(self): + delete_object_list = map( + lambda x: DeleteObject(x.object_name), + self.mclient.list_objects(self.bucket), + ) + errors = self.mclient.remove_objects(self.bucket, delete_object_list) + for error in errors: + log.error(" AVATARS: Error occured when deleting avatar object", error) + + def get_users(self): + self.connect() + users = self.get_users_with_groups_and_roles() + return users + + def get_users_without_image(self): + return [u for u in self.get_users() if u["id"] not in self.minio_get_objects()] + + def get_users_with_groups_and_roles(self): + q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + ,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + ,json_agg(r.name) as role + from user_entity as u + left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + left join user_group_membership as ugm on ugm.user_id = u.id + left join keycloak_group as g on g.id = ugm.group_id + left join keycloak_group as g_parent on g.parent_group = g_parent.id + left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + left join user_role_mapping as rm on rm.user_id = u.id + left join keycloak_role as r on r.id = rm.role_id + group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + order by u.username""" + + (headers, users) = self.keycloak_pg.select_with_headers(q) + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users_with_lists + ] + + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + return list_dict_users + + +da = DefaultAvatars() diff --git a/dd-sso/admin/src/scripts/parse_fontawesome-icons.py b/dd-sso/admin/src/scripts/parse_fontawesome-icons.py new file mode 100644 index 0000000..3954eeb --- /dev/null +++ b/dd-sso/admin/src/scripts/parse_fontawesome-icons.py @@ -0,0 +1,41 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import os + +new_file = "" +with open("select.html") as f: + for line in f: + icon = line.split("'")[1] + icon_hex = line.split(">")[1].split(";")[0] + new_file += ( + "\n" + ) + +with open("select_output.html", "w") as f: + f.writelines(new_file) diff --git a/dd-sso/admin/src/scripts/reset_pwds.py b/dd-sso/admin/src/scripts/reset_pwds.py new file mode 100644 index 0000000..6065db3 --- /dev/null +++ b/dd-sso/admin/src/scripts/reset_pwds.py @@ -0,0 +1,182 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import diceware +import yaml +from jinja2 import Environment, FileSystemLoader +from keycloak import KeycloakAdmin +from postgres import Postgres + +options = diceware.handle_options(None) +options.wordlist = "cat_ascii" +options.num = 3 + + +class KeycloakClient: + """https://www.keycloak.org/docs-api/13.0/rest-api/index.html + https://github.com/marcospereirampj/python-keycloak + https://gist.github.com/kaqfa/99829941121188d7cef8271f93f52f1f + """ + + def __init__( + self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ["KEYCLOAK_USER"], + password=os.environ["KEYCLOAK_PASSWORD"], + realm="master", + verify=True, + ): + self.url = url + self.username = username + self.password = password + self.realm = realm + self.verify = verify + + self.keycloak_pg = Postgres( + "dd-apps-postgresql", + "keycloak", + os.environ["KEYCLOAK_DB_USER"], + os.environ["KEYCLOAK_DB_PASSWORD"], + ) + + def connect(self): + self.keycloak_admin = KeycloakAdmin( + server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify, + ) + + def update_pwds(self): + self.get_users() + + def get_users(self): + self.connect() + users = self.get_users_with_groups_and_roles() + userupdate = [] + for u in users: + if u["username"] not in ["admin", "ddadmin"] and not u[ + "username" + ].startswith("system_"): + print("Generating password for user " + u["username"]) + userupdate.append( + { + "id": u["id"], + "username": u["username"], + "password": diceware.get_passphrase(options=options), + } + ) + with open("user_temp_passwd.csv", "w") as csv: + for user in userupdate: + csv.write( + "%s,%s,%s\n" % (user["id"], user["username"], user["password"]) + ) + + for u in userupdate: + print("Updating keycloak password for user " + u["username"]) + self.update_user_pwd(u["id"], u["password"]) + + def update_user_pwd(self, user_id, password, temporary=True): + payload = { + "credentials": [ + {"type": "password", "value": password, "temporary": temporary} + ] + } + self.connect() + self.keycloak_admin.update_user(user_id, payload) + + def get_users_with_groups_and_roles(self): + q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + ,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + ,json_agg(r.name) as role + from user_entity as u + left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + left join user_group_membership as ugm on ugm.user_id = u.id + left join keycloak_group as g on g.id = ugm.group_id + left join keycloak_group as g_parent on g.parent_group = g_parent.id + left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + left join user_role_mapping as rm on rm.user_id = u.id + left join keycloak_role as r on r.id = rm.role_id + group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + order by u.username""" + + # q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota, g.id, g.path, g.name, + # --,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + # --,json_agg(r.name) as role + # from user_entity as u + # left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + # left join user_group_membership as ugm on ugm.user_id = u.id + # left join keycloak_group as g on g.id = ugm.group_id + # --left join keycloak_group as g_parent on g.parent_group = g_parent.id + # --left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + # left join user_role_mapping as rm on rm.user_id = u.id + # left join keycloak_role as r on r.id = rm.role_id + # --group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + # order by u.username""" + + # q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + # ,json_agg(g."name") as group_name,json_agg(g."id") as group_id,json_agg(g."path") as group_path + # ,json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + # ,json_agg(r.name) as role + # from user_entity as u + # left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + # left join user_group_membership as ugm on ugm.user_id = u.id + # left join keycloak_group as g on g.id = ugm.group_id + # left join keycloak_group as g_parent on g.parent_group = g_parent.id + # left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + # left join user_role_mapping as rm on rm.user_id = u.id + # left join keycloak_role as r on r.id = rm.role_id + # group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + # order by u.username""" + (headers, users) = self.keycloak_pg.select_with_headers(q) + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users_with_lists + ] + + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + return list_dict_users + + +k = KeycloakClient() +k.update_pwds() diff --git a/dd-sso/admin/src/scripts/temporary_no.py b/dd-sso/admin/src/scripts/temporary_no.py new file mode 100644 index 0000000..5f24815 --- /dev/null +++ b/dd-sso/admin/src/scripts/temporary_no.py @@ -0,0 +1,173 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import yaml +from jinja2 import Environment, FileSystemLoader +from keycloak import KeycloakAdmin +from postgres import Postgres + + +class KeycloakClient: + """https://www.keycloak.org/docs-api/13.0/rest-api/index.html + https://github.com/marcospereirampj/python-keycloak + https://gist.github.com/kaqfa/99829941121188d7cef8271f93f52f1f + """ + + def __init__( + self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ["KEYCLOAK_USER"], + password=os.environ["KEYCLOAK_PASSWORD"], + realm="master", + verify=True, + ): + self.url = url + self.username = username + self.password = password + self.realm = realm + self.verify = verify + + self.keycloak_pg = Postgres( + "dd-apps-postgresql", + "keycloak", + os.environ["KEYCLOAK_DB_USER"], + os.environ["KEYCLOAK_DB_PASSWORD"], + ) + + def connect(self): + self.keycloak_admin = KeycloakAdmin( + server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify, + ) + + def update_pwds(self): + self.get_users() + + def get_users(self): + self.connect() + users = self.get_users_with_groups_and_roles() + userupdate = [] + for u in users: + if u["username"] not in ["admin", "ddadmin"] and not u[ + "username" + ].startswith("system_"): + print("Generating password for user " + u["username"]) + userupdate.append( + { + "id": u["id"], + "username": u["username"], + "password": diceware.get_passphrase(options=options), + } + ) + with open("user_temp_passwd.csv", "w") as csv: + for user in userupdate: + csv.write( + "%s,%s,%s\n" % (user["id"], user["username"], user["password"]) + ) + + for u in userupdate: + print("Updating keycloak password for user " + u["username"]) + self.update_user_pwd(u["id"], u["password"]) + + def update_user_pwd_temporary(self, temporary=False): + payload = {"credentials": [{"temporary": temporary}]} + self.connect() + self.keycloak_admin.update_user(user_id, payload) + + def get_users_with_groups_and_roles(self): + q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + ,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + ,json_agg(r.name) as role + from user_entity as u + left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + left join user_group_membership as ugm on ugm.user_id = u.id + left join keycloak_group as g on g.id = ugm.group_id + left join keycloak_group as g_parent on g.parent_group = g_parent.id + left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + left join user_role_mapping as rm on rm.user_id = u.id + left join keycloak_role as r on r.id = rm.role_id + group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + order by u.username""" + + # q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota, g.id, g.path, g.name, + # --,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + # --,json_agg(r.name) as role + # from user_entity as u + # left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + # left join user_group_membership as ugm on ugm.user_id = u.id + # left join keycloak_group as g on g.id = ugm.group_id + # --left join keycloak_group as g_parent on g.parent_group = g_parent.id + # --left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + # left join user_role_mapping as rm on rm.user_id = u.id + # left join keycloak_role as r on r.id = rm.role_id + # --group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + # order by u.username""" + + # q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + # ,json_agg(g."name") as group_name,json_agg(g."id") as group_id,json_agg(g."path") as group_path + # ,json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + # ,json_agg(r.name) as role + # from user_entity as u + # left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + # left join user_group_membership as ugm on ugm.user_id = u.id + # left join keycloak_group as g on g.id = ugm.group_id + # left join keycloak_group as g_parent on g.parent_group = g_parent.id + # left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + # left join user_role_mapping as rm on rm.user_id = u.id + # left join keycloak_role as r on r.id = rm.role_id + # group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + # order by u.username""" + (headers, users) = self.keycloak_pg.select_with_headers(q) + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users + ] + + users_with_lists = [ + list(l[:-4]) + + ([[]] if l[-4] == [None] else [list(set(l[-4]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) + + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) + + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) + for l in users_with_lists + ] + + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + return list_dict_users + + +k = KeycloakClient() +k.update_user_pwd_temporary() diff --git a/dd-sso/admin/src/scripts/temporary_no.py.mod b/dd-sso/admin/src/scripts/temporary_no.py.mod new file mode 100644 index 0000000..3d3794e --- /dev/null +++ b/dd-sso/admin/src/scripts/temporary_no.py.mod @@ -0,0 +1,137 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import json +import logging as log +import os +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import yaml +from jinja2 import Environment, FileSystemLoader +from keycloak import KeycloakAdmin +from postgres import Postgres + + +class KeycloakClient(): + """https://www.keycloak.org/docs-api/13.0/rest-api/index.html + https://github.com/marcospereirampj/python-keycloak + https://gist.github.com/kaqfa/99829941121188d7cef8271f93f52f1f + """ + def __init__(self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ['KEYCLOAK_USER'], + password=os.environ['KEYCLOAK_PASSWORD'], + realm='master', + verify=True): + self.url=url + self.username=username + self.password=password + self.realm=realm + self.verify=verify + + self.keycloak_pg=Postgres('dd-apps-postgresql','keycloak',os.environ['KEYCLOAK_DB_USER'],os.environ['KEYCLOAK_DB_PASSWORD']) + + def connect(self): + self.keycloak_admin = KeycloakAdmin(server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify) + + + def run(self): + self.get_users() + + def get_users(self): + self.connect() + users=self.get_users_with_groups_and_roles() + for u in users: + if u['username']=='proves-meves': pprint(u) + print('Updating keycloak temporary for user '+u['username']) + self.update_user_pwd_temporary(u['id']) + + def update_user_pwd_temporary(self,user_id,temporary=False): + payload={"credentials":[{"temporary":temporary}], + "requiredActions": []} + self.connect() + self.keycloak_admin.update_user( user_id, payload) + + def get_users_with_groups_and_roles(self): + q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + ,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + ,json_agg(r.name) as role + from user_entity as u + left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + left join user_group_membership as ugm on ugm.user_id = u.id + left join keycloak_group as g on g.id = ugm.group_id + left join keycloak_group as g_parent on g.parent_group = g_parent.id + left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + left join user_role_mapping as rm on rm.user_id = u.id + left join keycloak_role as r on r.id = rm.role_id + group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + order by u.username""" + + # q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota, g.id, g.path, g.name, + # --,json_agg(g."name") as group, json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + # --,json_agg(r.name) as role + # from user_entity as u + # left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + # left join user_group_membership as ugm on ugm.user_id = u.id + # left join keycloak_group as g on g.id = ugm.group_id + # --left join keycloak_group as g_parent on g.parent_group = g_parent.id + # --left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + # left join user_role_mapping as rm on rm.user_id = u.id + # left join keycloak_role as r on r.id = rm.role_id + # --group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + # order by u.username""" + + # q = """select u.id, u.username, u.email, u.first_name, u.last_name, u.realm_id, ua.value as quota + # ,json_agg(g."name") as group_name,json_agg(g."id") as group_id,json_agg(g."path") as group_path + # ,json_agg(g_parent."name") as group_parent1, json_agg(g_parent2."name") as group_parent2 + # ,json_agg(r.name) as role + # from user_entity as u + # left join user_attribute as ua on ua.user_id=u.id and ua.name = 'quota' + # left join user_group_membership as ugm on ugm.user_id = u.id + # left join keycloak_group as g on g.id = ugm.group_id + # left join keycloak_group as g_parent on g.parent_group = g_parent.id + # left join keycloak_group as g_parent2 on g_parent.parent_group = g_parent2.id + # left join user_role_mapping as rm on rm.user_id = u.id + # left join keycloak_role as r on r.id = rm.role_id + # group by u.id,u.username,u.email,u.first_name,u.last_name, u.realm_id, ua.value + # order by u.username""" + (headers,users)=self.keycloak_pg.select_with_headers(q) + + users_with_lists = [list(l[:-4])+([[]] if l[-4] == [None] else [list(set(l[-4]))]) +\ + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) +\ + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) +\ + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) for l in users] + + users_with_lists = [list(l[:-4])+([[]] if l[-4] == [None] else [list(set(l[-4]))]) +\ + ([[]] if l[-3] == [None] else [list(set(l[-3]))]) +\ + ([[]] if l[-3] == [None] else [list(set(l[-2]))]) +\ + ([[]] if l[-1] == [None] else [list(set(l[-1]))]) for l in users_with_lists] + + list_dict_users = [dict(zip(headers, r)) for r in users_with_lists] + return list_dict_users + +k=KeycloakClient() +k.run() diff --git a/dd-sso/admin/src/start.py b/dd-sso/admin/src/start.py new file mode 100644 index 0000000..fd18efd --- /dev/null +++ b/dd-sso/admin/src/start.py @@ -0,0 +1,92 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +from eventlet import monkey_patch + +monkey_patch() + +import json + +from admin.auth.tokens import get_token_payload +from admin.lib.api_exceptions import Error +from flask import request +from flask_login import current_user, login_required +from flask_socketio import ( + SocketIO, + close_room, + disconnect, + emit, + join_room, + leave_room, + rooms, + send, +) + +from admin import app + +app.socketio = SocketIO(app) + + +@app.socketio.on("connect", namespace="/sio") +@login_required +def socketio_connect(): + if current_user.id: + join_room("admin") + app.socketio.emit( + "update", json.dumps("Joined admins room"), namespace="/sio", room="admin" + ) + else: + None + + +@app.socketio.on("disconnect", namespace="/sio") +def socketio_disconnect(): + leave_room("admin") + + +@app.socketio.on("connect", namespace="/sio/events") +def socketio_connect(): + jwt = get_token_payload(request.args.get("jwt")) + + join_room("events") + app.socketio.emit( + "update", + json.dumps("Joined events room"), + namespace="/sio/events", + room="events", + ) + + +@app.socketio.on("disconnect", namespace="/sio/events") +def socketio_events_disconnect(): + leave_room("events") + + +if __name__ == "__main__": + app.socketio.run( + app, + host="0.0.0.0", + port=9000, + debug=False, + ) + # ssl_context="adhoc", + # async_mode="threading", + # ) # , logger=logger, engineio_logger=engineio_logger) + # , cors_allowed_origins="*" diff --git a/dd-sso/admin/src/tests/api.py b/dd-sso/admin/src/tests/api.py new file mode 100644 index 0000000..d02b45c --- /dev/null +++ b/dd-sso/admin/src/tests/api.py @@ -0,0 +1,442 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +import json +import os +import secrets +import time +import traceback +from datetime import datetime, timedelta +from pprint import pprint + +import requests +from jose import jwt + +## SETUP +domain = "admin.[YOURDOMAIN]" +secret = "[your API_SECRET]" +## END SETUP + + +auths = {} +dbconn = None +base = "https://" + domain + "/ddapi" + +raw_jwt_data = { + "exp": datetime.utcnow() + timedelta(minutes=5), + "kid": "test", +} +admin_jwt = jwt.encode(raw_jwt_data, secret, algorithm="HS256") +jwt = {"Authorization": "Bearer " + admin_jwt} + + +####################################################################################################################### +print(" ----- USUARIS AL SISTEMA") +response = requests.get( + base + "/users", + headers=jwt, + verify=True, +) +print("METHOD: GET, URL: " + base + "/users, STATUS_CODE:" + str(response.status_code)) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)[:2]) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- USUARIS AL SISTEMA QUE CONTENEN UN TEXT") +data = {"text": "alu"} +response = requests.post( + base + "/users/filter", + json=data, + headers=jwt, + verify=True, +) +print( + "METHOD: POST, URL: " + + base + + "/users/filter, STATUS_CODE:" + + str(response.status_code) + + ", POST DATA:" +) +pprint(data) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)[:2]) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- GRUPS AL SISTEMA") +response = requests.get( + base + "/groups", + headers=jwt, + verify=True, +) +print("METHOD: GET, URL: " + base + "/groups, STATUS_CODE:" + str(response.status_code)) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)[:2]) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- USUARIS DEL GRUP") +data = {"id": "test00.classeB"} +response = requests.post( + base + "/group/users", + json=data, + headers=jwt, + verify=True, +) +print( + "METHOD: POST, URL: " + + base + + "/group/users, STATUS_CODE:" + + str(response.status_code) + + ", POST DATA:" +) +pprint(data) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)[:2]) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- ROLS AL SISTEMA") +response = requests.get( + base + "/roles", + headers=jwt, + verify=True, +) +print("METHOD: GET, URL: " + base + "/roles, STATUS_CODE:" + str(response.status_code)) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)[:2]) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- USUARIS DEL ROL") +data = {"id": "teacher"} +response = requests.post( + base + "/role/users", + json=data, + headers=jwt, + verify=True, +) +print( + "METHOD: POST, URL: " + + base + + "/role/users, STATUS_CODE:" + + str(response.status_code) + + ", POST DATA:" +) +pprint(data) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)[:2]) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + + +print("\nXXXXXXXXXXXXXXXXX ACTIONS ON USER XXXXXXXXXXXXXXXXXXXXXX\n") +####################################################################################################################### +print(" ----- GET USER") +response = requests.get( + base + "/user/nou.usuari", + headers=jwt, + verify=True, +) +print( + "METHOD: GET, URL: " + + base + + "/user/nou.usuari, STATUS_CODE:" + + str(response.status_code) +) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- DELETE USER") +response = requests.delete( + base + "/user/nou.usuari", + headers=jwt, + verify=True, +) +print( + "METHOD: DELETE, URL: " + + base + + "/user/nou.usuari, STATUS_CODE:" + + str(response.status_code) +) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- POST NEW USER") +user = { + "username": "nou.usuari", + "first": "Nou", + "last": "Usuari", + "email": "nou.usuari@nodns.com", + "password": "1n2n3n4n5n6", + "quota": "default", + "enabled": True, + "role": "student", + "groups": ["test00.classeB"], +} +response = requests.post( + base + "/user", + json=user, + headers=jwt, + verify=True, +) +print( + "METHOD: POST, URL: " + + base + + "/user, STATUS_CODE:" + + str(response.status_code) + + ", POST DATA:" +) +pprint(user) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- UPDATE USER") +update_user = { + "id": "nou.usuari", + "email": "nou.usuari@nodns.com", + "enabled": True, + "first": "Antic", + "groups": ["test00.classeB"], + "last": "Usuari", + "quota": "default", + "quota_used_bytes": "0 MB", + "role": "teacher", +} +response = requests.put( + base + "/user/nou.usuari", + json=update_user, + headers=jwt, + verify=True, +) +print( + "METHOD: PUT, URL: " + + base + + "/user/nou.usuari, STATUS_CODE:" + + str(response.status_code) + + ", PUT DATA:" +) +pprint(update_user) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- GET USER") +response = requests.get( + base + "/user/nou.usuari", + headers=jwt, + verify=True, +) +print( + "METHOD: GET, URL: " + + base + + "/user/nou.usuari, STATUS_CODE:" + + str(response.status_code) +) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- DELETE USER") +response = requests.delete( + base + "/user/nou.usuari", + headers=jwt, + verify=True, +) +print( + "METHOD: DELETE, URL: " + + base + + "/user/nou.usuari, STATUS_CODE:" + + str(response.status_code) +) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + + +print("\nXXXXXXXXXXXXXXXXX ACTIONS ON GROUP XXXXXXXXXXXXXXXXXXXXXX\n") + +####################################################################################################################### +print(" ----- GET GROUP") +response = requests.get( + base + "/group/teacher", + headers=jwt, + verify=True, +) +print( + "METHOD: GET, URL: " + + base + + "/group/teacher, STATUS_CODE:" + + str(response.status_code) +) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + +####################################################################################################################### +print(" ----- POST NEW GROUP") +group = {"name": "test"} +response = requests.post( + base + "/group", + json=group, + headers=jwt, + verify=True, +) +print( + "METHOD: POST, URL: " + + base + + "/group, STATUS_CODE:" + + str(response.status_code) + + ", POST DATA:" +) +pprint(group) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) + + +####################################################################################################################### +print(" ----- DELETE GROUP") +response = requests.delete( + base + "/group/test", + headers=jwt, + verify=True, +) +print( + "METHOD: DELETE, URL: " + + base + + "/group/test, STATUS_CODE:" + + str(response.status_code) +) +if response.status_code == 200: + print("RESPONSE:") + pprint(json.loads(response.text)) +else: + print( + "ERROR: " + + json.loads(response.text)["error"] + + " DESCRIPTION: " + + json.loads(response.text)["description"] + ) diff --git a/dd-sso/admin/src/wordpress_saml_onlycerts.py b/dd-sso/admin/src/wordpress_saml_onlycerts.py new file mode 100644 index 0000000..567f788 --- /dev/null +++ b/dd-sso/admin/src/wordpress_saml_onlycerts.py @@ -0,0 +1,178 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import pprint +import random +import string +import time +import traceback +from datetime import datetime, timedelta + +import psycopg2 +import yaml +from admin.lib.keycloak_client import KeycloakClient +from admin.lib.mysql import Mysql + +app = {} +app["config"] = {} + + +class WordpressSaml: + def __init__(self): + self.url = "http://dd-sso-keycloak:8080/auth/" + self.username = os.environ["KEYCLOAK_USER"] + self.password = os.environ["KEYCLOAK_PASSWORD"] + self.realm = "master" + self.verify = True + + ready = False + while not ready: + try: + self.db = Mysql( + "dd-apps-mariadb", + "wordpress", + "root", + os.environ["MARIADB_PASSWORD"], + ) + ready = True + except: + log.warning("Could not connect to wordpress database. Retrying...") + time.sleep(2) + log.info("Connected to wordpress database.") + + ready = False + while not ready: + try: + with open(os.path.join("./saml_certs/public.cert"), "r") as crt: + app["config"]["PUBLIC_CERT_RAW"] = crt.read() + app["config"]["PUBLIC_CERT"] = self.cert_prepare( + app["config"]["PUBLIC_CERT_RAW"] + ) + ready = True + except IOError: + log.warning( + "Could not get public certificate to be used in wordpress. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + except: + log.error(traceback.format_exc()) + log.info("Got moodle srt certificate to be used in wordpress.") + + ready = False + while not ready: + try: + with open(os.path.join("./saml_certs/private.key"), "r") as pem: + app["config"]["PRIVATE_KEY"] = self.cert_prepare(pem.read()) + ready = True + except IOError: + log.warning( + "Could not get private key to be used in wordpress. Retrying..." + ) + log.warning( + " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" + ) + time.sleep(2) + log.info("Got moodle pem certificate to be used in wordpress.") + + # ## This seems related to the fact that the certificate generated the first time does'nt work. + # ## And when regenerating the certificate de privatekeypass seems not to be used and instead it + # ## will use always this code as filename: 0f635d0e0f3874fff8b581c132e6c7a7 + # ## As this bug I'm not able to solve, the process is: + # ## 1.- Bring up moodle and regenerate certificates on saml2 plugin in plugins-authentication + # ## 2.- Execute this script + # ## 3.- Cleanup all caches in moodle (Development tab) + # # with open(os.path.join("./moodledata/saml2/"+os.environ['NEXTCLOUD_SAML_PRIVATEKEYPASS'].replace("moodle."+os.environ['DOMAIN'],'')+'.idp.xml'),"w") as xml: + # # xml.write(self.parse_idp_metadata()) + # with open(os.path.join("./moodledata/saml2/0f635d0e0f3874fff8b581c132e6c7a7.idp.xml"),"w") as xml: + # xml.write(self.parse_idp_metadata()) + + try: + self.reset_saml_certs() + except: + print(traceback.format_exc()) + print("Error resetting saml certs on wordpress") + + try: + self.set_wordpress_saml_plugin_certs() + except: + print(traceback.format_exc()) + print("Error adding saml on wordpress") + + # SAML clients don't work well with composite roles so disabling and adding on realm + # self.add_client_roles() + + # def activate_saml_plugin(self): + # ## After you need to purge moodle caches: /var/www/html # php admin/cli/purge_caches.php + # return self.db.update("""UPDATE "mdl_config" SET value = 'email,saml2' WHERE "name" = 'auth'""") + + # def get_privatekey_pass(self): + # return self.db.select("""SELECT * FROM "mdl_config" WHERE "name" = 'siteidentifier'""")[0][2] + + def connect(self): + self.keycloak = KeycloakClient( + url=self.url, + username=self.username, + password=self.password, + realm=self.realm, + verify=self.verify, + ) + + def cert_prepare(self, cert): + return "".join(cert.split("-----")[2].splitlines()) + + def parse_idp_cert(self): + self.connect() + rsa = self.keycloak.get_server_rsa_key() + self.keycloak = None + return rsa["certificate"] + + def set_wordpress_saml_plugin_certs(self): + # ('active_plugins', 'a:2:{i:0;s:33:\"edwiser-bridge/edwiser-bridge.php\";i:1;s:17:\"onelogin_saml.php\";}', 'yes'), + self.db.update( + """INSERT INTO wp_options (option_name, option_value, autoload) VALUES +('onelogin_saml_idp_x509cert', '%s', 'yes'), +('onelogin_saml_advanced_settings_sp_x509cert', '%s', 'yes'), +('onelogin_saml_advanced_settings_sp_privatekey', '%s', 'yes');""" + % ( + self.parse_idp_cert(), + app["config"]["PUBLIC_CERT"], + app["config"]["PRIVATE_KEY"], + ) + ) + + def reset_saml_certs(self): + self.db.update( + """DELETE FROM wp_options WHERE option_name = 'onelogin_saml_idp_x509cert'""" + ) + self.db.update( + """DELETE FROM wp_options WHERE option_name = 'onelogin_saml_advanced_settings_sp_x509cert'""" + ) + self.db.update( + """DELETE FROM wp_options WHERE option_name = 'onelogin_saml_advanced_settings_sp_privatekey'""" + ) + + +nw = WordpressSaml() diff --git a/dd-sso/docker-compose-parts/admin.devel.yml b/dd-sso/docker-compose-parts/admin.devel.yml new file mode 100644 index 0000000..a57daec --- /dev/null +++ b/dd-sso/docker-compose-parts/admin.devel.yml @@ -0,0 +1,23 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-admin: + entrypoint: /bin/sleep infinity diff --git a/dd-sso/docker-compose-parts/admin.yml b/dd-sso/docker-compose-parts/admin.yml new file mode 100644 index 0000000..46c7afb --- /dev/null +++ b/dd-sso/docker-compose-parts/admin.yml @@ -0,0 +1,50 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-admin: + container_name: dd-sso-admin + build: + context: ${BUILD_SSO_ROOT_PATH} + dockerfile: admin/docker/Dockerfile + target: production + # args: ## DEVELOPMENT + # SSH_ROOT_PWD: ${IPA_ADMIN_PWD} + # SSH_PORT: 2022 + networks: + - dd_net + # ports: + # - "2022:22" + # - "9000:9000" + restart: unless-stopped + volumes: + - /etc/localtime:/etc/localtime:ro + - ${BUILD_SSO_ROOT_PATH}/admin/src:/admin # Revome in production + - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro + - ${CUSTOM_PATH}/custom:/admin/custom + - ${DATA_FOLDER}/avatars:/admin/avatars:ro + - ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw + - ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw + - ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw + env_file: + - .env + environment: + - VERIFY="false" # In development do not verify certificates + - DOMAIN=${DOMAIN} diff --git a/dd-sso/docker-compose-parts/adminer.yml b/dd-sso/docker-compose-parts/adminer.yml new file mode 100644 index 0000000..5281fa7 --- /dev/null +++ b/dd-sso/docker-compose-parts/adminer.yml @@ -0,0 +1,27 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + isard-sso-adminer: + image: adminer + container_name: isard-sso-adminer + restart: unless-stopped + networks: + isard_net: {} diff --git a/dd-sso/docker-compose-parts/api.devel.yml b/dd-sso/docker-compose-parts/api.devel.yml new file mode 100644 index 0000000..de3fefe --- /dev/null +++ b/dd-sso/docker-compose-parts/api.devel.yml @@ -0,0 +1,26 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-api: + volumes: + - ${BUILD_SSO_ROOT_PATH}/docker/api/src:/api:rw + - ${BUILD_SSO_ROOT_PATH}/docker/api/default.conf:/etc/nginx/conf.d/default.conf:rw + command: sleep infinity \ No newline at end of file diff --git a/dd-sso/docker-compose-parts/api.yml b/dd-sso/docker-compose-parts/api.yml new file mode 100644 index 0000000..aee61d6 --- /dev/null +++ b/dd-sso/docker-compose-parts/api.yml @@ -0,0 +1,44 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-api: + build: + context: ${BUILD_SSO_ROOT_PATH}/docker/api + dockerfile: Dockerfile + target: production + args: + DOMAIN: $DOMAIN + NGINX_ALPINE_IMG: ${NGINX_ALPINE_IMG-nginx:1.21.6-alpine} + container_name: dd-sso-api + volumes: + - /etc/localtime:/etc/localtime:ro + #- ${BUILD_SSO_ROOT_PATH}/docker/api/src:/api:rw ## Develop + - ${CUSTOM_PATH}/custom/menu:/api/menu + - ${CUSTOM_PATH}/custom/img:/api/api/static/img + - ${DATA_FOLDER}/avatars:/api/avatars:ro + restart: unless-stopped + networks: + - dd_net + # ports: + # - published: 7039 + # target: 7039 + env_file: + - .env diff --git a/dd-sso/docker-compose-parts/avatars.yml b/dd-sso/docker-compose-parts/avatars.yml new file mode 100644 index 0000000..009fd45 --- /dev/null +++ b/dd-sso/docker-compose-parts/avatars.yml @@ -0,0 +1,38 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' + +services: + dd-sso-avatars: + image: ${MINIO_IMG-minio/minio:RELEASE.2022-01-25T19-56-04Z} + container_name: dd-sso-avatars + volumes: + - /etc/localtime:/etc/localtime:ro + - ${DATA_FOLDER}/avatars:/data + - ${SRC_FOLDER}/avatars:/root/.minio + environment: + - MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE + - MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + restart: unless-stopped + # depends_on: + # - ${KEYCLOAK_DB_ADDR} + command: "server /data" + networks: + - dd_net diff --git a/dd-sso/docker-compose-parts/haproxy-behind.yml b/dd-sso/docker-compose-parts/haproxy-behind.yml new file mode 100644 index 0000000..42db73d --- /dev/null +++ b/dd-sso/docker-compose-parts/haproxy-behind.yml @@ -0,0 +1,43 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-haproxy: + build: + args: + HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15} + context: ${BUILD_SSO_ROOT_PATH}/docker/haproxy + dockerfile: Dockerfile + target: production + container_name: dd-sso-haproxy + restart: unless-stopped + volumes: + - /etc/localtime:/etc/localtime:ro + - ${SRC_FOLDER}/haproxy/letsencrypt:/etc/letsencrypt:rw + - ${SRC_FOLDER}/haproxy/certs:/certs:rw + networks: + - dd_net + env_file: + - .env + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/dd-sso/docker-compose-parts/haproxy.yml b/dd-sso/docker-compose-parts/haproxy.yml new file mode 100644 index 0000000..accda37 --- /dev/null +++ b/dd-sso/docker-compose-parts/haproxy.yml @@ -0,0 +1,48 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-haproxy: + build: + args: + HAPROXY_IMG: ${HAPROXY_IMG-haproxy:2.4.12-alpine3.15} + context: ${BUILD_SSO_ROOT_PATH}/docker/haproxy + dockerfile: Dockerfile + target: production + container_name: dd-sso-haproxy + restart: unless-stopped + volumes: + - /etc/localtime:/etc/localtime:ro + - ${SRC_FOLDER}/haproxy/letsencrypt:/etc/letsencrypt:rw + - ${SRC_FOLDER}/haproxy/certs:/certs:rw + networks: + - dd_net + ports: + - published: 80 + target: 80 + - published: 443 + target: 443 + env_file: + - .env + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/dd-sso/docker-compose-parts/keycloak.yml b/dd-sso/docker-compose-parts/keycloak.yml new file mode 100644 index 0000000..a8cd961 --- /dev/null +++ b/dd-sso/docker-compose-parts/keycloak.yml @@ -0,0 +1,59 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-keycloak: + image: ${KEYCLOAK_IMG} + build: + context: ${BUILD_SSO_ROOT_PATH}/docker/keycloak + args: + - IMG=${KEYCLOAK_IMG} + container_name: dd-sso-keycloak + volumes: + - /etc/localtime:/etc/localtime:ro + - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/opt/jboss/keycloak/imports + - ${BUILD_SSO_ROOT_PATH}/init/keycloak/scripts/:/opt/jboss/startup-scripts/ + - ${CUSTOM_PATH}/custom/img:/opt/jboss/keycloak/themes/dd/login/resources/custom-img + - ${BUILD_SSO_ROOT_PATH}/docker/keycloak/extensions/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear:/opt/jboss/keycloak/standalone/deployments/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear + environment: + - KEYCLOAK_IMPORT=/opt/jboss/keycloak/imports/realm.json + - DB_VENDOR=POSTGRES + - DB_ADDR=${KEYCLOAK_DB_ADDR} + - DB_DATABASE=${KEYCLOAK_DB_DATABASE} + - DB_USER=${KEYCLOAK_DB_USER} + - DB_SCHEMA=public + - DB_PASSWORD=${KEYCLOAK_DB_PASSWORD} + - KEYCLOAK_USER=${KEYCLOAK_USER} + - KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD} + - PROXY_ADDRESS_FORWARDING=true + - KEYCLOAK_FRONTEND_URL=https://sso.${DOMAIN}/auth/ + - DDADMIN_USER=${DDADMIN_USER} + - DDADMIN_PASSWORD=${DDADMIN_PASSWORD} + - DDDOMAIN=${DOMAIN} + depends_on: + - ${KEYCLOAK_DB_ADDR} + restart: unless-stopped + networks: + - dd_net + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/dd-sso/docker-compose-parts/network.yml b/dd-sso/docker-compose-parts/network.yml new file mode 100644 index 0000000..038d81e --- /dev/null +++ b/dd-sso/docker-compose-parts/network.yml @@ -0,0 +1,23 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +networks: + dd_net: + name: dd_net diff --git a/dd-sso/docker-compose-parts/pgtuner.yml b/dd-sso/docker-compose-parts/pgtuner.yml new file mode 100644 index 0000000..79acd9a --- /dev/null +++ b/dd-sso/docker-compose-parts/pgtuner.yml @@ -0,0 +1,28 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + isard-sso-pgtuner: + image: jfcoz/postgresqltuner + container_name: isard-sso-pgtuner + restart: "no" + command: --host isard-apps-postgresql --user ${NEXTCLOUD_POSTGRES_USER} --password ${NEXTCLOUD_POSTGRES_PASSWORD} --database nextcloud + networks: + isard_net: {} diff --git a/dd-sso/docker-compose-parts/postgresql.yml b/dd-sso/docker-compose-parts/postgresql.yml new file mode 100644 index 0000000..60f9585 --- /dev/null +++ b/dd-sso/docker-compose-parts/postgresql.yml @@ -0,0 +1,38 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +version: '3.7' +services: + dd-sso-postgresql: + image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15} + container_name: dd-sso-postgresql + restart: unless-stopped + env_file: + - .env + volumes: + - /etc/localtime:/etc/localtime:ro + - ${DB_FOLDER}/postgres:/var/lib/postgresql/data + - ${BUILD_SSO_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d + networks: + - dd_net + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "10" diff --git a/dd-sso/docker/api/Dockerfile b/dd-sso/docker/api/Dockerfile new file mode 100644 index 0000000..64c8d40 --- /dev/null +++ b/dd-sso/docker/api/Dockerfile @@ -0,0 +1,44 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +ARG NGINX_ALPINE_IMG +FROM $NGINX_ALPINE_IMG as production +MAINTAINER IsardVDI S.L. + +RUN apk add --no-cache python3 py3-pip +RUN pip3 install --upgrade pip +RUN apk add --no-cache --virtual .build_deps \ + build-base \ + python3-dev \ + libffi-dev +COPY ./requirements.pip3 /requirements.pip3 +RUN pip3 install --no-cache-dir -r requirements.pip3 +RUN apk del .build_deps + +RUN apk add curl py3-yaml + +COPY ./src /api +RUN wget https://raw.githubusercontent.com/twbs/bootstrap/v4.0.0/dist/css/bootstrap.min.css -O /api/api/static/css/bootstrap.min.css +RUN wget -qO - https://github.com/FortAwesome/Font-Awesome/archive/v4.7.0.zip | busybox unzip -d /api/api/static/css/ - +RUN mv /api/api/static/css/Font-Awesome-4.7.0 /api/api/static/css/font-awesome-4.7.0 +#https://fontawesome.com/v4.7/assets/font-awesome-4.7.0.zip + +COPY default.conf /etc/nginx/conf.d/default.conf +ADD entrypoint.sh /docker-entrypoint.d/ +RUN chmod 775 /docker-entrypoint.d/entrypoint.sh diff --git a/dd-sso/docker/api/default.conf b/dd-sso/docker/api/default.conf new file mode 100644 index 0000000..1307407 --- /dev/null +++ b/dd-sso/docker/api/default.conf @@ -0,0 +1,118 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +upstream api { + server 127.0.0.1:7039 fail_timeout=0; +} + +server { + listen 80; + server_name localhost; + + root /api/api/static/; + expires 1m; + log_not_found off; + access_log off; + + add_header Access-Control-Allow-Origin *; + + location /avatar { + proxy_pass http://127.0.0.1:7039/avatar; + expires 1m; + log_not_found off; + access_log off; + } + + location /restart { + proxy_pass http://127.0.0.1:7039/restart; + expires 1m; + log_not_found off; + access_log off; + } + + location /user_menu/json { + alias /api/api/static/templates/user_menu_header.json; + default_type application/json; + index user_menu_header.json; + expires 1m; + log_not_found off; + access_log off; + } + + location /user_menu/html { + alias /api/api/static/templates/user_menu_header.html; + default_type text/html; + index user_menu_header.html; + expires 1m; + log_not_found off; + access_log off; + } + + location /json { + alias /api/api/static/templates/header.json; + default_type application/json; + index header.json; + expires 1m; + log_not_found off; + access_log off; + } + + location /header/html { + alias /api/api/static/templates/header.html; + default_type text/html; + index header.html; + expires 1m; + log_not_found off; + access_log off; + } + + location /header/html/nextcloud { + alias /api/api/static/templates/header_nextcloud.html; + default_type text/html; + index header_nextcloud.html + expires 1m; + log_not_found off; + access_log off; + } + + location /header/html/admin { + alias /api/api/static/templates/header_admin.html; + default_type text/html; + index header_admin.html + expires 1m; + log_not_found off; + access_log off; + } + + location /header/html/sso { + alias /api/api/static/templates/header_sso.html; + default_type text/html; + index header_sso.html + expires 1m; + log_not_found off; + access_log off; + } + + location / { + try_files $uri $uri/ + expires 1m; + log_not_found off; + access_log off; + } +} diff --git a/dd-sso/docker/api/entrypoint.sh b/dd-sso/docker/api/entrypoint.sh new file mode 100644 index 0000000..b534688 --- /dev/null +++ b/dd-sso/docker/api/entrypoint.sh @@ -0,0 +1,24 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cd /api +{ + python3 start.py + nginx -s reload +} & diff --git a/dd-sso/docker/api/requirements.pip3 b/dd-sso/docker/api/requirements.pip3 new file mode 100644 index 0000000..ece5a5a --- /dev/null +++ b/dd-sso/docker/api/requirements.pip3 @@ -0,0 +1,23 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +Flask==2.0.1 +eventlet==0.33.0 +Flask-SocketIO==5.1.0 +python-keycloak==0.26.1 \ No newline at end of file diff --git a/dd-sso/docker/api/src/api/__init__.py b/dd-sso/docker/api/src/api/__init__.py new file mode 100644 index 0000000..83a6d92 --- /dev/null +++ b/dd-sso/docker/api/src/api/__init__.py @@ -0,0 +1,70 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import logging as log +import os + +from flask import Flask, render_template, send_from_directory + +app = Flask(__name__, static_url_path="") +app = Flask(__name__, template_folder="static/templates") +app.url_map.strict_slashes = False + +""" +App secret key for encrypting cookies +You can generate one with: + import os + os.urandom(24) +And paste it here. +""" +app.secret_key = "Change this key!//\xf7\x83\xbe\x17\xfa\xa3zT\n\\]m\xa6\x8bF\xdd\r\xf7\x9e\x1d\x1f\x14'" + +print("Starting dd-sso api...") + +from api.lib.load_config import loadConfig + +try: + loadConfig(app) +except: + print("Could not get environment variables...") + + +""" +Debug should be removed on production! +""" +if app.debug: + log.warning("Debug mode: {}".format(app.debug)) +else: + log.info("Debug mode: {}".format(app.debug)) + +""" +Serve static files +""" + + +@app.route("/templates/") +def send_templates(path): + return send_from_directory(os.path.join(app.root_path, "static/templates"), path) + + +""" +Import all views +""" +from .views import AvatarsViews, InternalViews, MenuViews diff --git a/dd-sso/docker/api/src/api/lib/avatars.py b/dd-sso/docker/api/src/api/lib/avatars.py new file mode 100644 index 0000000..40f3583 --- /dev/null +++ b/dd-sso/docker/api/src/api/lib/avatars.py @@ -0,0 +1,69 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging +import os +import pprint +import time +import traceback +from datetime import datetime, timedelta + +import yaml +from api import app as application +from keycloak import KeycloakAdmin + + +class Avatars: + def __init__( + self, + url="http://dd-sso-keycloak:8080/auth/", + username=os.environ["KEYCLOAK_USER"], + password=os.environ["KEYCLOAK_PASSWORD"], + realm="master", + verify=True, + ): + self.url = url + self.username = username + self.password = password + self.realm = realm + self.verify = verify + + def connect(self): + self.keycloak_admin = KeycloakAdmin( + server_url=self.url, + username=self.username, + password=self.password, + realm_name=self.realm, + verify=self.verify, + ) + + def get_user_avatar(self, username): + self.connect() + return self.keycloak_admin.get_user_id(username) + + +# # Add user +# new_user = keycloak_admin.create_user({"email": "example@example.com", +# "username": "example@example.com", +# "enabled": True, +# "firstName": "Example", +# "lastName": "Example"}) +# print(new_user) diff --git a/dd-sso/docker/api/src/api/lib/load_config.py b/dd-sso/docker/api/src/api/lib/load_config.py new file mode 100644 index 0000000..f2aea9a --- /dev/null +++ b/dd-sso/docker/api/src/api/lib/load_config.py @@ -0,0 +1,37 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + + +import logging as log +import os +import sys +import traceback + +from api import app + + +class loadConfig: + def __init__(self, app=None): + try: + app.config.setdefault("DOMAIN", os.environ["DOMAIN"]) + + except Exception as e: + log.error(traceback.format_exc()) + raise diff --git a/dd-sso/docker/api/src/api/lib/menu.py b/dd-sso/docker/api/src/api/lib/menu.py new file mode 100644 index 0000000..b975832 --- /dev/null +++ b/dd-sso/docker/api/src/api/lib/menu.py @@ -0,0 +1,155 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging +import pprint +import time +import traceback +from datetime import datetime, timedelta + +import yaml +from api import app as application +from jinja2 import Environment, FileSystemLoader + + +def write_css(): + env = Environment(loader=FileSystemLoader("api/static/_templates")) + css_template = env.get_template("dd.css") + with open("menu/custom.yaml", "r") as menu_custom_file: + menu_custom_yaml = menu_custom_file.read() + menu_custom = yaml.full_load(menu_custom_yaml) + css = css_template.render(data=menu_custom) + with open("api/static/css/dd.css", "w") as css_file: + css_file.write(css) + + +class Menu: + def __init__(self): + # self.user_menudict=self.gen_user_menu() + # pprint.pprint(self.user_menudict) + # self.write_user_menu() + + self.menudict = self.gen_header() + pprint.pprint(self.menudict) + self.write_headers() + write_css() + + """ HEADER & APP MENU """ + + def gen_header(self): + with open(r"menu/system.yaml") as yml: + system = yaml.load(yml, Loader=yaml.FullLoader) + + user_menu = [] + for item in system["user_menu"]: + item["href"] = ( + "https://" + + item["subdomain"] + + "." + + application.config["DOMAIN"] + + item["href"] + ) + del item["subdomain"] + user_menu.append(item) + user_menu_dict = { + "user_menu": user_menu, + "user_avatar": "https://sso." + + application.config["DOMAIN"] + + "/auth/realms/master/avatar-provider", + } + + apps_internal = [] + for app in system["apps_internal"]: + app["href"] = ( + "https://" + + app["subdomain"] + + "." + + application.config["DOMAIN"] + + app["href"] + ) + del app["subdomain"] + apps_internal.append(app) + + with open(r"menu/custom.yaml") as yml: + custom = yaml.load(yml, Loader=yaml.FullLoader) + custom["background_login"] = ( + "https://api." + application.config["DOMAIN"] + custom["background_login"] + ) + custom["logo"] = "https://api." + application.config["DOMAIN"] + custom["logo"] + custom["product_logo"] = ( + "https://api." + application.config["DOMAIN"] + custom["product_logo"] + ) + + menudict = {**custom, **{"apps_internal": apps_internal, **user_menu_dict}} + menudict["user"] = {} + menudict["user"]["account"] = ( + "https://sso." + application.config["DOMAIN"] + system["user"]["account"] + ) + menudict["user"]["avatar"] = ( + "https://sso." + application.config["DOMAIN"] + system["user"]["avatar"] + ) + return menudict + + def write_headers(self): + env = Environment(loader=FileSystemLoader("api/static/_templates")) + + template = env.get_template("user_menu.html") + output_from_parsed_template = template.render(data=self.menudict) + print(output_from_parsed_template) + with open("api/static/templates/user_menu_header.html", "w") as fh: + fh.write(output_from_parsed_template) + + # with open("api/static/templates/user_menu_header.json", "w") as fh: + # fh.write(json.dumps(self.menudict)) + + template = env.get_template("apps_menu.html") + output_from_parsed_template = template.render(data=self.menudict) + print(output_from_parsed_template) + with open("api/static/templates/header.html", "w") as fh: + fh.write(output_from_parsed_template) + + ## Nextcloud. Nginx will serve /header/html/nextcloud -> header_nextcloud.html + with open("api/static/templates/header_nextcloud.html", "w") as fh: + fh.write(output_from_parsed_template) + with open("api/static/templates/header_nextcloud.html", "a") as fh: + with open("api/static/_templates/nextcloud.html", "r") as nextcloud: + fh.write(nextcloud.read()) + with open("api/static/templates/header.json", "w") as fh: + fh.write(json.dumps(self.menudict)) + + ## Admin app. Nginx will serve /header/html/admin -> header_admin.html + template = env.get_template("admin.html") + output_from_parsed_template = template.render(data=self.menudict) + print(output_from_parsed_template) + with open("api/static/templates/header_admin.html", "w") as fh: + fh.write(output_from_parsed_template) + + ## SSO app. Nginx will serve /header/html/sso -> header_sso.html + template = env.get_template("sso.html") + output_from_parsed_template = template.render(data=self.menudict) + print(output_from_parsed_template) + with open("api/static/templates/header_sso.html", "w") as fh: + fh.write(output_from_parsed_template) + + def get_header(self): + return self.menudict + # with open('menu.yaml', 'w') as yml: + # print(yaml.dump(header, yml, allow_unicode=True)) diff --git a/dd-sso/docker/api/src/api/static/_templates/admin.html b/dd-sso/docker/api/src/api/static/_templates/admin.html new file mode 100644 index 0000000..465bc4e --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/admin.html @@ -0,0 +1,396 @@ + +{% block css %} + +{% endblock %} + diff --git a/dd-sso/docker/api/src/api/static/_templates/admin_old.html b/dd-sso/docker/api/src/api/static/_templates/admin_old.html new file mode 100644 index 0000000..b78ba1a --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/admin_old.html @@ -0,0 +1,411 @@ + +{% block css %} + +{% endblock %} + + +{% block pagescript %} + +{% endblock %} diff --git a/dd-sso/docker/api/src/api/static/_templates/apps_menu.html b/dd-sso/docker/api/src/api/static/_templates/apps_menu.html new file mode 100644 index 0000000..e472f8e --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/apps_menu.html @@ -0,0 +1,64 @@ + + \ No newline at end of file diff --git a/dd-sso/docker/api/src/api/static/_templates/dd.css b/dd-sso/docker/api/src/api/static/_templates/dd.css new file mode 100644 index 0000000..4474c21 --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/dd.css @@ -0,0 +1,218 @@ +/*! +* Copyright © 2021,2022 IsardVDI S.L. +* +* This file is part of DD +* +* DD is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as published by +* the Free Software Foundation, either version 3 of the License, or (at your +* option) any later version. +* +* DD is distributed in the hope that it will be useful, but WITHOUT ANY +* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +* details. +* +* You should have received a copy of the GNU Affero General Public License +* along with DD. If not, see . +* +* SPDX-License-Identifier: AGPL-3.0-or-later +*/ + +#body-user, #body-settings, #body-public { + font-family: 'Montserrat', sans-serif; + color: #262626; +} + +#body-user #app-dashboard>h2, #body-settings #app-dashboard>h2, #body-public #app-dashboard>h2 { + color: #262626; +} + + +#body-user header#header, #body-settings header#header, #body-public header#header { + background-color: white !important; + box-shadow: 0 2px 4px #00000014; + border-bottom: 1px solid #262626; + background-image: inherit; +} + +#theming-preview-logo, #header #nextcloud { + padding-left: 64px; +} + +#navbar-nextcloud #unified-search { + margin-right: 16px; +} + +#navbar-nextcloud #unified-search svg { + fill: black; + width: 16px; + height: 16px; +} + +#navbar-nextcloud #unified-search a.header-menu__trigger .magnify-icon { + width: 16px; + height: 16px; +} + +#navbar-nextcloud #unified-search.header-menu.unified-search a.header-menu__trigger { + width: auto; +} + +#navbar-nextcloud #unified-search a.header-menu__trigger { + opacity: 1; +} + +#navbar-nextcloud #unified-search #header-menu-unified-search div.header-menu__carret { + right: 205px; +} + +#navbar-nextcloud .notifications .notifications-button { + opacity: 1; +} +#navbar-nextcloud .notifications .notifications-button img.svg { + filter: invert(100%) +} + +#navbar-nextcloud .notifications .notifications-button.menutoggle { + margin-right: 16px; + width: auto; +} + +#navbar-nextcloud #contactsmenu .icon-contacts { + background-image: var(--icon-contacts-000); + opacity: 1; + margin-right: 16px; + width: auto; +} + +#navbar-nextcloud #settings #expand { + width: 39px; + padding-right: 16px; +} + +#navbar-nextcloud #settings #expand .avatardiv { + height: 39px; + width: 39px; +} + +#navbar-nextcloud #settings #expand .avatardiv img { + height: 39px; + width: 39px; +} + + +#body-user div#content div#app-dashboard, #body-settings div#content div#app-dashboard, #body-public div#content div#app-dashboard { + background-image: none !important; + background-color: #F0F0F0!important; +} + +#body-user div#app-navigation, #body-settings div#app-navigation, #body-public div#app-navigation { + color: #262626 !important; +} + +#header .header-menu__wrapper[data-v-a58f012a] { + top: 65px; +} + +#header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton { + cursor: pointer; + height: 16px; + margin-right: 16px; +} +#header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton #menu-apps-icon { + height: 16px; + width: 16px; +} + +#header div#navbar-menu-apps { + display: flex; + align-items: center; +} + +#header #navbar-menu-apps #menu-apps-btn { + cursor: pointer; + position: relative; +} + +#header #navbar-menu-apps .dropdown-menu { + display: none; + position: absolute; + border: 1px solid rgba(0,0,0,.15); + border-radius: 5px; + box-shadow: rgb(0 0 0 / 20%) 0 3px 8px; + margin-top: -2px; + padding: 10px; + max-height: 500px; + overflow-y: scroll; + z-index: 2000; + background-color: white; + top: 33px; + right: -14px; + left: auto; +} + +#header #navbar-menu-apps .dropdown-menu ul { + list-style: none; + display: grid; + flex-wrap: wrap; + padding: 15px 2px 0 0; + margin-bottom: 0; + grid-template-columns: 82px 82px 82px; + grid-gap: 12px 2px; +} + +#header #navbar-menu-apps .dropdown-menu ul#app-admin { + border-bottom: 1px solid #D9D9D9; + padding-bottom: 4px; + margin-bottom: 6px; +} + +#header #navbar-menu-apps .dropdown-menu ul#app-external { + border-top: 1px solid #D9D9D9; + padding-top: 20px; + margin-top: 8px; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link { + display: flex; + flex-direction: column; + align-items: center; + justify-content: start; + text-align: center; + color: #262626; + text-decoration: none; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon { + width: 40px; + height: 40px; + background-color: {{ data.colours.primary }}; + border-radius: .25rem; + margin-right: 0; + display: flex; + align-items: center; + justify-content: center; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .text { + text-align: center; + margin-top: 4px; + height: 26px; + font-size: 13px; + line-height: 15px; + overflow-wrap: anywhere; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon i { + color: #fff; + font-size: 19px; +} + +div#content-vue { + padding-top: 75px; +} + +#content.app-files [data-path="/"][data-file="Talk"] { + display: none !important; +} diff --git a/dd-sso/docker/api/src/api/static/_templates/navbar_nextcloud.html b/dd-sso/docker/api/src/api/static/_templates/navbar_nextcloud.html new file mode 100644 index 0000000..63185af --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/navbar_nextcloud.html @@ -0,0 +1,66 @@ + + diff --git a/dd-sso/docker/api/src/api/static/_templates/nextcloud.html b/dd-sso/docker/api/src/api/static/_templates/nextcloud.html new file mode 100644 index 0000000..6cee1ba --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/nextcloud.html @@ -0,0 +1,20 @@ + \ No newline at end of file diff --git a/dd-sso/docker/api/src/api/static/_templates/sso.html b/dd-sso/docker/api/src/api/static/_templates/sso.html new file mode 100644 index 0000000..d8b11f8 --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/sso.html @@ -0,0 +1,396 @@ + +{% block css %} + +{% endblock %} + diff --git a/dd-sso/docker/api/src/api/static/_templates/sso_old.html b/dd-sso/docker/api/src/api/static/_templates/sso_old.html new file mode 100644 index 0000000..04989b9 --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/sso_old.html @@ -0,0 +1,350 @@ + +{% block css %} + +{% endblock %} + + +{% block pagescript %} + +{% endblock %} diff --git a/dd-sso/docker/api/src/api/static/_templates/user_menu.html b/dd-sso/docker/api/src/api/static/_templates/user_menu.html new file mode 100644 index 0000000..4bf5017 --- /dev/null +++ b/dd-sso/docker/api/src/api/static/_templates/user_menu.html @@ -0,0 +1,41 @@ + + \ No newline at end of file diff --git a/dd-sso/docker/api/src/api/static/css/dd.css b/dd-sso/docker/api/src/api/static/css/dd.css new file mode 100644 index 0000000..f63139a --- /dev/null +++ b/dd-sso/docker/api/src/api/static/css/dd.css @@ -0,0 +1,220 @@ +/*! +* Copyright © 2021,2022 IsardVDI S.L. +* +* This file is part of DD +* +* DD is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as published by +* the Free Software Foundation, either version 3 of the License, or (at your +* option) any later version. +* +* DD is distributed in the hope that it will be useful, but WITHOUT ANY +* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +* details. +* +* You should have received a copy of the GNU Affero General Public License +* along with DD. If not, see . +* +* SPDX-License-Identifier: AGPL-3.0-or-later +*/ + +#body-user, #body-settings, #body-public { + font-family: 'Montserrat', sans-serif; + color: #262626; +} + +#body-user #app-dashboard>h2, #body-settings #app-dashboard>h2, #body-public #app-dashboard>h2 { + color: #262626; +} + + +#body-user header#header, #body-settings header#header, #body-public header#header { + background-color: white !important; + height: 74px ; + box-shadow: 0 2px 4px #00000014; + border-bottom: 1px solid #262626; + background-image: inherit; +} + +#theming-preview-logo, #header #nextcloud { + padding-left: 10px; +} + +#header #unified-search svg { + fill: #262626; + width: 35px; + height: 35px; +} + +#header .notifications .notifications-button img.svg { + background-color: #262626; + padding: 5px; + border-radius: 18px; + height: 23px; + width: 23px; + margin-left: 10px; +} + + +#header #contactsmenu { + display: flex; + align-items: center; +} + +#header #contactsmenu .icon-contacts { + background-color: #262626; + padding: 5px; + border-radius: 18px; + height: 23px; + width: 23px; + opacity: 1; + margin-left: 10px; +} + +#header #settings { + margin-left: 5px; +} + +#header #settings #expand .avatardiv { + height: 35px; + width: 35px; +} + +#header #settings #expand .avatardiv img { + height: 35px; + width: 35px; +} + + +#header #unified-search a.header-menu__trigger { + opacity: 1; +} + +#header #unified-search a.header-menu__trigger .magnify-icon { + width: 35px; + height: 35px; +} + +#body-user div#content, #body-settings div#content, #body-public div#content { + padding-top: 75px; +} + +#body-user div#content div#app-dashboard, #body-settings div#content div#app-dashboard, #body-public div#content div#app-dashboard { + background-image: none !important; + background-color: #F0F0F0!important; +} + +#body-user div#app-navigation, #body-settings div#app-navigation, #body-public div#app-navigation { + top: 75px; + height: calc(100% - 75px); + color: #262626 !important; +} + +#header .header-menu__wrapper[data-v-a58f012a] { + top: 65px; +} + +#header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton { + cursor: pointer; + border: none; + background-color: inherit; + padding: 4px; +} + +#header div#navbar-menu-apps { + display: flex; + align-items: center; +} + +#header #navbar-menu-apps #menu-apps-btn { + margin-right: 20px; + cursor: pointer; + position: relative; +} + +#header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton { + cursor: pointer; + border: none; + background-color: inherit; + padding: 4px; +} + +#header #navbar-menu-apps .dropdown-menu { + display: none; + position: absolute; + border: 1px solid rgba(0,0,0,.15); + border-radius: 5px; + box-shadow: rgb(0 0 0 / 20%) 0 3px 8px; + margin-top: 15px; + padding: 10px; + max-height: 500px; + overflow-y: scroll; + z-index: 2000; + background-color: white; + top: 33px; + right: -14px; + left: auto; +} + +#header #navbar-menu-apps .dropdown-menu ul { + list-style: none; + display: grid; + flex-wrap: wrap; + padding: 15px 2px 0 0; + margin-bottom: 0; + grid-template-columns: 82px 82px 82px; + grid-gap: 12px 2px; +} + +#header #navbar-menu-apps .dropdown-menu ul#app-admin { + border-bottom: 1px solid #D9D9D9; + padding-bottom: 4px; + margin-bottom: 6px; +} + +#header #navbar-menu-apps .dropdown-menu ul#app-external { + border-top: 1px solid #D9D9D9; + padding-top: 20px; + margin-top: 8px; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link { + display: flex; + flex-direction: column; + align-items: center; + justify-content: start; + text-align: center; + color: #262626; + text-decoration: none; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon { + width: 40px; + height: 40px; + background-color: #d5045c; + border-radius: .25rem; + margin-right: 0; + display: flex; + align-items: center; + justify-content: center; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .text { + text-align: center; + margin-top: 4px; + height: 26px; + font-size: 13px; + line-height: 15px; + overflow-wrap: anywhere; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon i { + color: #fff; + font-size: 19px; +} + +div#content-vue { + padding-top: 75px; +} + diff --git a/dd-sso/docker/api/src/api/static/img/background.png b/dd-sso/docker/api/src/api/static/img/background.png new file mode 100644 index 0000000..601ef82 Binary files /dev/null and b/dd-sso/docker/api/src/api/static/img/background.png differ diff --git a/dd-sso/docker/api/src/api/static/img/logo.png b/dd-sso/docker/api/src/api/static/img/logo.png new file mode 100644 index 0000000..e0bb28b Binary files /dev/null and b/dd-sso/docker/api/src/api/static/img/logo.png differ diff --git a/dd-sso/docker/api/src/api/static/js/navbar.js b/dd-sso/docker/api/src/api/static/js/navbar.js new file mode 100644 index 0000000..310d12a --- /dev/null +++ b/dd-sso/docker/api/src/api/static/js/navbar.js @@ -0,0 +1,25 @@ +// +// Copyright © 2021,2022 IsardVDI S.L. +// +// This file is part of DD +// +// DD is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or (at your +// option) any later version. +// +// DD is distributed in the hope that it will be useful, but WITHOUT ANY +// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +// details. +// +// You should have received a copy of the GNU Affero General Public License +// along with DD. If not, see . +// +// SPDX-License-Identifier: AGPL-3.0-or-later + +jQuery(document).ready(function() { + $('#dropdownMenuAppsButton').click(function (e) { + $('#dropdownMenuApps').toggle(); + }); +}); diff --git a/dd-sso/docker/api/src/api/static/templates/.gitkeep b/dd-sso/docker/api/src/api/static/templates/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/dd-sso/docker/api/src/api/views/AvatarsViews.py b/dd-sso/docker/api/src/api/views/AvatarsViews.py new file mode 100644 index 0000000..d894997 --- /dev/null +++ b/dd-sso/docker/api/src/api/views/AvatarsViews.py @@ -0,0 +1,51 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import sys +import time +import traceback +from uuid import uuid4 + +from api import app +from flask import ( + Response, + jsonify, + redirect, + render_template, + request, + send_from_directory, + url_for, +) + +from ..lib.avatars import Avatars + +avatars = Avatars() + + +@app.route("/avatar/", methods=["GET"]) +def avatar(username): + return send_from_directory( + os.path.join(app.root_path, "../avatars/master-avatars/"), + avatars.get_user_avatar(username), + mimetype="image/jpg", + ) diff --git a/dd-sso/docker/api/src/api/views/InternalViews.py b/dd-sso/docker/api/src/api/views/InternalViews.py new file mode 100644 index 0000000..088fba7 --- /dev/null +++ b/dd-sso/docker/api/src/api/views/InternalViews.py @@ -0,0 +1,41 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import os + +from api import app +from flask import Response, jsonify, redirect, render_template, request, url_for + +from .decorators import is_internal + + +@app.route("/restart", methods=["GET"]) +@is_internal +def api_restart(): + os.system("kill 1") + + +# @app.route('/user_menu/', methods=['GET']) +# @app.route('/user_menu//', methods=['GET']) +# def api_v2_user_menu(format,application=False): +# if application == False: +# if format == 'json': +# if application == False: +# return json.dumps(menu.get_user_nenu()), 200, {'Content-Type': 'application/json'} diff --git a/dd-sso/docker/api/src/api/views/MenuViews.py b/dd-sso/docker/api/src/api/views/MenuViews.py new file mode 100644 index 0000000..4c2a2c6 --- /dev/null +++ b/dd-sso/docker/api/src/api/views/MenuViews.py @@ -0,0 +1,63 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import json +import logging as log +import os +import sys +import time +import traceback +from uuid import uuid4 + +from api import app +from flask import Response, jsonify, redirect, render_template, request, url_for + +from ..lib.menu import Menu + +menu = Menu() + + +@app.route("/header/", methods=["GET"]) +@app.route("/header//", methods=["GET"]) +def api_v2_header(format, application=False): + if application == False: + if format == "json": + if application == False: + return ( + json.dumps(menu.get_header()), + 200, + {"Content-Type": "application/json"}, + ) + if format == "html": + if application == False: + return render_template("header.html") + if application == "nextcloud": + return render_template("header_nextcloud.html") + if application == "wordpress": + return render_template("header_wordpress.html") + + +# @app.route('/user_menu/', methods=['GET']) +# @app.route('/user_menu//', methods=['GET']) +# def api_v2_user_menu(format,application=False): +# if application == False: +# if format == 'json': +# if application == False: +# return json.dumps(menu.get_user_nenu()), 200, {'Content-Type': 'application/json'} diff --git a/dd-sso/docker/api/src/api/views/__init__.py b/dd-sso/docker/api/src/api/views/__init__.py new file mode 100644 index 0000000..fdc5d62 --- /dev/null +++ b/dd-sso/docker/api/src/api/views/__init__.py @@ -0,0 +1,19 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/dd-sso/docker/api/src/api/views/decorators.py b/dd-sso/docker/api/src/api/views/decorators.py new file mode 100644 index 0000000..2935bfe --- /dev/null +++ b/dd-sso/docker/api/src/api/views/decorators.py @@ -0,0 +1,39 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +import socket +from functools import wraps + +from flask import redirect, request, url_for + + +def is_internal(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + remote_addr = ( + request.headers["X-Forwarded-For"].split(",")[0] + if "X-Forwarded-For" in request.headers + else request.remote_addr.split(",")[0] + ) + if socket.gethostbyname("dd-sso-admin") == remote_addr: + return fn(*args, **kwargs) + return "" + + return decorated_view diff --git a/dd-sso/docker/api/src/start.py b/dd-sso/docker/api/src/start.py new file mode 100644 index 0000000..8846fec --- /dev/null +++ b/dd-sso/docker/api/src/start.py @@ -0,0 +1,38 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +from eventlet import monkey_patch + +monkey_patch() + +from api import app +from flask_socketio import SocketIO + +socketio = SocketIO(app) + +if __name__ == "__main__": + import logging + + logger = logging.getLogger("socketio") + logger.setLevel("ERROR") + engineio_logger = logging.getLogger("engineio") + engineio_logger.setLevel("ERROR") + + socketio.run(app, host="0.0.0.0", port=7039, debug=False) diff --git a/dd-sso/docker/haproxy/Dockerfile b/dd-sso/docker/haproxy/Dockerfile new file mode 100644 index 0000000..6cb27a4 --- /dev/null +++ b/dd-sso/docker/haproxy/Dockerfile @@ -0,0 +1,36 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +ARG HAPROXY_IMG +FROM $HAPROXY_IMG as production + +USER root +RUN apk add openssl certbot py-pip +RUN pip install certbot-plugin-gandi + +COPY letsencrypt-hook-deploy-concatenante.sh /usr/local/sbin/ +COPY letsencrypt.sh /usr/local/sbin/ +COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew +COPY auto-generate-certs.sh /usr/local/sbin/ + +COPY docker-entrypoint.sh /usr/local/bin/ +RUN ln -s /usr/local/bin/docker-entrypoint.sh / +RUN chmod 775 docker-entrypoint.sh + +ADD haproxy.conf /usr/local/etc/haproxy/haproxy.cfg diff --git a/dd-sso/docker/haproxy/auto-generate-certs.sh b/dd-sso/docker/haproxy/auto-generate-certs.sh new file mode 100755 index 0000000..5d9a10a --- /dev/null +++ b/dd-sso/docker/haproxy/auto-generate-certs.sh @@ -0,0 +1,50 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cd /certs + +# Self signed cert generic data +C=CA +L=Barcelona +O=localdomain +CN_CA=$O +CN_HOST=*.$O +OU=$O + +echo '#### Creating 2048-bit RSA key:' +openssl genrsa -out ca-key.pem 2048 + +echo '#### Using the key to create a self-signed certificate to your CA:' +openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-cert.pem -sha256 \ + -subj "/C=$C/L=$L/O=$O/CN=$CN_CA" + +echo '#### Creating server certificate:' +openssl genrsa -out server-key.pem 2048 + +echo '#### Creating a certificate signing request for the server:' +openssl req -new -key server-key.pem -sha256 -out server-key.csr \ + -subj "/CN=$CN_HOST" + +echo '#### Creating server certificate:' +RND=$(( ( RANDOM % 1000 ) + 1 )) +openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \ + -set_serial $RND -sha256 -out server-cert.pem + +echo '#### Concatenate certs for haprox' +cat server-cert.pem server-key.pem > chain.pem diff --git a/dd-sso/docker/haproxy/docker-entrypoint.sh b/dd-sso/docker/haproxy/docker-entrypoint.sh new file mode 100644 index 0000000..af96f96 --- /dev/null +++ b/dd-sso/docker/haproxy/docker-entrypoint.sh @@ -0,0 +1,46 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +set -e + +# Set debug path password +PASSWD=$(python3 -c 'import os,crypt,getpass; print(crypt.crypt(os.environ["KEYCLOAK_PASSWORD"], crypt.mksalt(crypt.METHOD_SHA512)))') +sed -i "/^ user admin password/c\ user admin password $PASSWD" /usr/local/etc/haproxy/haproxy.cfg + +LETSENCRYPT_DOMAIN="$DOMAIN" letsencrypt.sh + +if [ ! -e "/certs/chain.pem" ]; then + auto-generate-certs.sh +fi + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- haproxy "$@" +fi + +if [ "$1" = 'haproxy' ]; then + shift # "haproxy" + # if the user wants "haproxy", let's add a couple useful flags + # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2") + # -db -- disables background mode + set -- haproxy -W -db "$@" +fi + +exec "$@" diff --git a/dd-sso/docker/haproxy/haproxy-docker-entrypoint.sh b/dd-sso/docker/haproxy/haproxy-docker-entrypoint.sh new file mode 100644 index 0000000..178d2e8 --- /dev/null +++ b/dd-sso/docker/haproxy/haproxy-docker-entrypoint.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +set -e + +prepare.sh + +if [ ! -f /certs/chain.pem ]; then + auto-generate-certs.sh +fi + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- haproxy "$@" +fi + +if [ "$1" = 'haproxy' ]; then + shift # "haproxy" + # if the user wants "haproxy", let's add a couple useful flags + # -W -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2") + # -db -- disables background mode + set -- haproxy -W -db "$@" +fi + +exec "$@" diff --git a/dd-sso/docker/haproxy/haproxy.conf b/dd-sso/docker/haproxy/haproxy.conf new file mode 100644 index 0000000..4f11c19 --- /dev/null +++ b/dd-sso/docker/haproxy/haproxy.conf @@ -0,0 +1,236 @@ +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +resolvers mydns + nameserver dns1 127.0.0.11:53 + +global +# debug + daemon + log 127.0.0.1 local0 + tune.ssl.default-dh-param 2048 + h1-case-adjust content-type Content-Type + h1-case-adjust content-encoding Content-Encoding + h1-case-adjust transfer-encoding Transfer-Encoding + + defaults + mode http + timeout connect 120s + timeout client 120s + timeout client-fin 120s + timeout server 120s + timeout tunnel 7200s + option http-server-close + option httpclose + log global + option httplog + backlog 4096 + maxconn 2000 + option tcpka + option h1-case-adjust-bogus-client + +frontend website + mode http + bind :80 + redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc } + http-request del-header ssl_client_cert unless { ssl_fc_has_crt } + http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt } + bind :443 ssl crt /certs/chain.pem + + acl is_upgrade hdr(Connection) -i upgrade + acl is_websocket hdr(Upgrade) -i websocket + + acl is_nextcloud hdr_beg(host) nextcloud. + acl is_moodle hdr_beg(host) moodle. !path_beg -i /local/tresipuntimportgc/ + acl is_moodle_long hdr_beg(host) moodle. path_beg -i /local/tresipuntimportgc/ + acl is_jitsi hdr_beg(host) jitsi. + acl is_oof hdr_beg(host) oof. + acl is_wp hdr_sub(host) .wp. + acl is_wp hdr_beg(host) wp. + acl is_pad hdr_beg(host) pad. + acl is_sso hdr_beg(host) sso. + acl is_ipa hdr_beg(host) ipa. + acl is_api hdr_beg(host) api. + acl is_admin hdr_beg(host) admin. + + acl is_root path -i / + http-request deny if is_pad is_root + + use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ } + + use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ } + use_backend be_api if is_nextcloud { path_beg /avatar/ } + use_backend be_nextcloud if is_nextcloud + use_backend be_moodle_long if is_moodle_long + use_backend be_moodle if is_moodle + use_backend be_jitsi if is_jitsi + use_backend be_oof if is_oof + use_backend be_wp if is_wp + use_backend be_etherpad if is_pad + use_backend be_admin if is_sso { path_beg /socket.io } + use_backend be_adminer if is_sso { path_beg /dd-sso-adminer } + use_backend be_admin if is_admin + use_backend be_sso if is_sso + use_backend be_ipa if is_ipa + use_backend be_api if is_api + + http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" } +# default_backend be_sso + +backend letsencrypt + server letsencrypt 127.0.0.1:8080 + +backend be_api + mode http + http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ } + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + # Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128 + http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")] + server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_ipa + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server freeipa dd-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_sso + mode http + option httpclose + #option http-server-close + option forwardfor + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure; + server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_admin + mode http + option forwardfor + timeout queue 600s + timeout server 600s + timeout connect 600s + # acl authorized http_auth(AuthUsers) + # http-request auth realm AuthUsers unless authorized + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_adminer + mode http + # acl authorized http_auth(AuthUsers) + # http-request auth realm AuthUsers unless authorized + http-request redirect scheme http drop-query append-slash if { path -m str /dd-sso-adminer } + http-request replace-path /dd-sso-adminer/(.*) /\1 + # http-request del-header Authorization + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server dd-sso-adminer dd-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +## APPS +backend be_moodle + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_moodle_long + mode http + timeout server 900s + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_nextcloud + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_etherpad + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_jitsi + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server jitsi dd-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_oof + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + +backend be_wp + mode http + acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found + acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found + http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host + http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto + + http-request set-header X-SSL %[ssl_fc] + http-request set-header X-Forwarded-Proto https + server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none + + + listen stats + bind 0.0.0.0:8888 + mode http + stats enable + option httplog + stats show-legends + stats uri /haproxy + stats realm Haproxy\ Statistics + stats refresh 5s + #stats auth staging:mypassword + #acl authorized http_auth(AuthUsers) + #stats http-request auth unless authorized + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + +userlist AuthUsers + user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo. diff --git a/dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh b/dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh new file mode 100755 index 0000000..3b3fc34 --- /dev/null +++ b/dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /certs/chain.pem + +kill -SIGUSR2 1 diff --git a/dd-sso/docker/haproxy/letsencrypt-renew-cron.sh b/dd-sso/docker/haproxy/letsencrypt-renew-cron.sh new file mode 100755 index 0000000..486d64a --- /dev/null +++ b/dd-sso/docker/haproxy/letsencrypt-renew-cron.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN diff --git a/dd-sso/docker/haproxy/letsencrypt.sh b/dd-sso/docker/haproxy/letsencrypt.sh new file mode 100755 index 0000000..a571eff --- /dev/null +++ b/dd-sso/docker/haproxy/letsencrypt.sh @@ -0,0 +1,50 @@ +#!/bin/sh +# +# Copyright © 2021,2022 IsardVDI S.L. +# +# This file is part of DD +# +# DD is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# DD is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more +# details. +# +# You should have received a copy of the GNU Affero General Public License +# along with DD. If not, see . +# +# SPDX-License-Identifier: AGPL-3.0-or-later +if [ ! -L /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh ] +then + mkdir -p /etc/letsencrypt/renewal-hooks/deploy/ + ln -s /usr/local/sbin/letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/ +fi + +if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ] +then + LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond + if [ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ] + then + option_root_domain="-d $LETSENCRYPT_DOMAIN" + fi + if [ ! -f /certs/chain.pem ] + then + if certbot certonly --standalone -m "$LETSENCRYPT_EMAIL" -n --agree-tos \ + -d "sso.$LETSENCRYPT_DOMAIN" \ + -d "api.$LETSENCRYPT_DOMAIN" \ + -d "admin.$LETSENCRYPT_DOMAIN" \ + -d "moodle.$LETSENCRYPT_DOMAIN" \ + -d "nextcloud.$LETSENCRYPT_DOMAIN" \ + -d "wp.$LETSENCRYPT_DOMAIN" \ + -d "oof.$LETSENCRYPT_DOMAIN" \ + -d "pad.$LETSENCRYPT_DOMAIN" \ + $option_root_domain + then + RENEWED_LINEAGE="/etc/letsencrypt/live/sso.$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh + fi + fi +fi diff --git a/dd-sso/docker/keycloak/Dockerfile b/dd-sso/docker/keycloak/Dockerfile new file mode 100644 index 0000000..f61d85d --- /dev/null +++ b/dd-sso/docker/keycloak/Dockerfile @@ -0,0 +1,4 @@ +ARG IMG=${KEYCLOAK_IMG} +FROM ${IMG} + +COPY themes/dd /opt/jboss/keycloak/themes/dd diff --git a/dd-sso/docker/keycloak/extensions/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear b/dd-sso/docker/keycloak/extensions/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear new file mode 100644 index 0000000..87ddad8 Binary files /dev/null and b/dd-sso/docker/keycloak/extensions/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear differ diff --git a/dd-sso/docker/keycloak/themes/dd/README.md b/dd-sso/docker/keycloak/themes/dd/README.md new file mode 100644 index 0000000..000646c --- /dev/null +++ b/dd-sso/docker/keycloak/themes/dd/README.md @@ -0,0 +1,8 @@ +# DD theme for keycloak + +When this started, it was heavily inspired by the liiibrelite theme at: +https://forge.liiib.re/indiehost/tech/keycloak-themes/ + +But due to licensing and the fact that it didn't match our needs, we switched +to just heavily customising and overriding keycloak's base theme: +https://github.com/keycloak/keycloak/tree/main/themes/src/main/resources/theme/base diff --git a/dd-sso/docker/keycloak/themes/dd/account/resources/css/account.css b/dd-sso/docker/keycloak/themes/dd/account/resources/css/account.css new file mode 100644 index 0000000..e86b250 --- /dev/null +++ b/dd-sso/docker/keycloak/themes/dd/account/resources/css/account.css @@ -0,0 +1,156 @@ +header#header { + background-color: white !important; + box-shadow: 0 2px 4px #00000014; + border-bottom: 1px solid #262626; + display: inline-flex; + top: 0; + width: 100%; + z-index: 2000; + height: 50px; + position: absolute; + box-sizing: border-box; + justify-content: space-between; + } + + #nextcloud { + padding: 7px 0; + padding-left: 86px; + position: relative; + height: 100%; + box-sizing: border-box; + opacity: 1; + align-items: center; + display: flex; + flex-wrap: wrap; + overflow: hidden; + } + + a * { + cursor: pointer; + } + + a { + border: 0; + color: var(--color-main-text); + text-decoration: none; + cursor: pointer; + } + + #theming-preview-logo, + #header #nextcloud { + padding-left: 64px; + } + + #header #header-left, + #header .header-left { + flex: 1 0; + white-space: nowrap; + min-width: 0; + } + + #header #header-right, + #header .header-right { + justify-content: flex-end; + flex-shrink: 1; + } + + #header .header-right > div, + #header .header-right > form { + height: 100%; + position: relative; + } + + #header #navbar-menu-apps #menu-apps-btn { + cursor: pointer; + position: relative; + } + + #header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton { + cursor: pointer; + height: 16px; + margin-right: 16px; + } + + #header + #navbar-menu-apps + #menu-apps-btn + #dropdownMenuAppsButton + #menu-apps-icon { + height: 16px; + width: 16px; + } + + #header div#navbar-menu-apps { + display: flex; + align-items: center; + } + + #header #navbar-menu-apps .dropdown-menu { + display: none; + position: absolute; + border: 1px solid rgba(0, 0, 0, 0.15); + border-radius: 5px; + box-shadow: rgb(0 0 0 / 20%) 0 3px 8px; + margin-top: -2px; + padding: 10px; + max-height: 500px; + overflow-y: scroll; + z-index: 2000; + background-color: white; + top: 33px; + right: -14px; + left: auto; + } + + #header #navbar-menu-apps .dropdown-menu ul { + list-style: none; + display: grid; + flex-wrap: wrap; + padding: 15px 2px 0 0; + margin-bottom: 0; + grid-template-columns: 82px 82px 82px; + grid-gap: 12px 2px; + } + + #header #navbar-menu-apps .dropdown-menu ul li.app a.app-link { + display: flex; + flex-direction: column; + align-items: center; + justify-content: start; + text-align: center; + color: #262626; + text-decoration: none; + } + + #header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon { + width: 40px; + height: 40px; + background-color: #cc0066; + border-radius: 0.25rem; + margin-right: 0; + display: flex; + align-items: center; + justify-content: center; + } + + #header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon i { + color: #fff; + font-size: 19px; + } + + #header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .text { + text-align: center; + margin-top: 4px; + height: 26px; + font-size: 13px; + line-height: 15px; + overflow-wrap: anywhere; + } + + #header #header-left, + #header .header-left, + #header #header-right, + #header .header-right { + display: inline-flex; + align-items: center; + } diff --git a/dd-sso/docker/keycloak/themes/dd/account/resources/css/style.css b/dd-sso/docker/keycloak/themes/dd/account/resources/css/style.css new file mode 100644 index 0000000..d1a0aa3 --- /dev/null +++ b/dd-sso/docker/keycloak/themes/dd/account/resources/css/style.css @@ -0,0 +1,198 @@ +#body-user, #body-settings, #body-public { + font-family: 'Montserrat', sans-serif; + color: #262626; +} + +#body-user #app-dashboard>h2, #body-settings #app-dashboard>h2, #body-public #app-dashboard>h2 { + color: #262626; +} + + +#body-user header#header, #body-settings header#header, #body-public header#header { + background-color: white !important; + box-shadow: 0 2px 4px #00000014; + border-bottom: 1px solid #262626; + background-image: inherit; +} + +#theming-preview-logo, #header #nextcloud { + padding-left: 64px; +} + +#navbar-nextcloud #unified-search { + margin-right: 16px; +} + +#navbar-nextcloud #unified-search svg { + fill: black; + width: 16px; + height: 16px; +} + +#navbar-nextcloud #unified-search a.header-menu__trigger .magnify-icon { + width: 16px; + height: 16px; +} + +#navbar-nextcloud #unified-search.header-menu.unified-search a.header-menu__trigger { + width: auto; +} + +#navbar-nextcloud #unified-search a.header-menu__trigger { + opacity: 1; +} + +#navbar-nextcloud #unified-search #header-menu-unified-search div.header-menu__carret { + right: 205px; +} + +#navbar-nextcloud .notifications .notifications-button { + opacity: 1; +} +#navbar-nextcloud .notifications .notifications-button img.svg { + filter: invert(100%) +} + +#navbar-nextcloud .notifications .notifications-button.menutoggle { + margin-right: 16px; + width: auto; +} + +#navbar-nextcloud #contactsmenu .icon-contacts { + background-image: var(--icon-contacts-000); + opacity: 1; + margin-right: 16px; + width: auto; +} + +#navbar-nextcloud #settings #expand { + width: 39px; + padding-right: 16px; +} + +#navbar-nextcloud #settings #expand .avatardiv { + height: 39px; + width: 39px; +} + +#navbar-nextcloud #settings #expand .avatardiv img { + height: 39px; + width: 39px; +} + + +#body-user div#content div#app-dashboard, #body-settings div#content div#app-dashboard, #body-public div#content div#app-dashboard { + background-image: none !important; + background-color: #F0F0F0!important; +} + +#body-user div#app-navigation, #body-settings div#app-navigation, #body-public div#app-navigation { + color: #262626 !important; +} + +#header .header-menu__wrapper[data-v-a58f012a] { + top: 65px; +} + +#header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton { + cursor: pointer; + height: 16px; + margin-right: 16px; +} +#header #navbar-menu-apps #menu-apps-btn #dropdownMenuAppsButton #menu-apps-icon { + height: 16px; + width: 16px; +} + +#header div#navbar-menu-apps { + display: flex; + align-items: center; +} + +#header #navbar-menu-apps #menu-apps-btn { + cursor: pointer; + position: relative; +} + +#header #navbar-menu-apps .dropdown-menu { + display: none; + position: absolute; + border: 1px solid rgba(0,0,0,.15); + border-radius: 5px; + box-shadow: rgb(0 0 0 / 20%) 0 3px 8px; + margin-top: -2px; + padding: 10px; + max-height: 500px; + overflow-y: scroll; + z-index: 2000; + background-color: white; + top: 33px; + right: -14px; + left: auto; +} + +#header #navbar-menu-apps .dropdown-menu ul { + list-style: none; + display: grid; + flex-wrap: wrap; + padding: 15px 2px 0 0; + margin-bottom: 0; + grid-template-columns: 82px 82px 82px; + grid-gap: 12px 2px; +} + +#header #navbar-menu-apps .dropdown-menu ul#app-admin { + border-bottom: 1px solid #D9D9D9; + padding-bottom: 4px; + margin-bottom: 6px; +} + +#header #navbar-menu-apps .dropdown-menu ul#app-external { + border-top: 1px solid #D9D9D9; + padding-top: 20px; + margin-top: 8px; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link { + display: flex; + flex-direction: column; + align-items: center; + justify-content: start; + text-align: center; + color: #262626; + text-decoration: none; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon { + width: 40px; + height: 40px; + background-color: #506bb6; + border-radius: .25rem; + margin-right: 0; + display: flex; + align-items: center; + justify-content: center; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .text { + text-align: center; + margin-top: 4px; + height: 26px; + font-size: 13px; + line-height: 15px; + overflow-wrap: anywhere; +} + +#header #navbar-menu-apps .dropdown-menu ul li.app a.app-link .icon i { + color: #fff; + font-size: 19px; +} + +div#content-vue { + padding-top: 75px; +} + +#content.app-files [data-path="/"][data-file="Talk"] { + display: none !important; +} + diff --git a/dd-sso/docker/keycloak/themes/dd/account/resources/js/dd.js b/dd-sso/docker/keycloak/themes/dd/account/resources/js/dd.js new file mode 100644 index 0000000..d811a1e --- /dev/null +++ b/dd-sso/docker/keycloak/themes/dd/account/resources/js/dd.js @@ -0,0 +1,14 @@ +$(document).ready(function() { + $.ajax({ + type: "GET", + url: "https://api."+document.domain.split(/\.(.+)/)[1]+"/header/html/sso", + success: function(data) { + $('#header').html(data) + lang = $('#keycloak_lang').html() + $('#keycloak_lang').html('') + $('#navbar-nextcloud').html(lang + $('#navbar-nextcloud').html()) + } + }) + /* TODO: Remove and fix product_logo + document for existing instances */ + $('#dd-logo img').attr('src', "https://api."+document.domain.split(/\.(.+)/)[1]+"/img/dd.svg"); +}) diff --git a/dd-sso/docker/keycloak/themes/dd/account/resources/js/jquery.min.js b/dd-sso/docker/keycloak/themes/dd/account/resources/js/jquery.min.js new file mode 100644 index 0000000..b8c4187 --- /dev/null +++ b/dd-sso/docker/keycloak/themes/dd/account/resources/js/jquery.min.js @@ -0,0 +1,4 @@ +/*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */ +!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.3",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(a=arguments[h]))for(b in a)c=g[b],d=a[b],g!==d&&(j&&d&&(n.isPlainObject(d)||(e=n.isArray(d)))?(e?(e=!1,f=c&&n.isArray(c)?c:[]):f=c&&n.isPlainObject(c)?c:{},g[b]=n.extend(j,f,d)):void 0!==d&&(g[b]=d));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray,isWindow:function(a){return null!=a&&a===a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isPlainObject:function(a){var b;if("object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype||{},"isPrototypeOf"))return!1;for(b in a);return void 0===b||k.call(a,b)},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(a){var b,c=eval;a=n.trim(a),a&&(1===a.indexOf("use strict")?(b=d.createElement("script"),b.text=a,d.head.appendChild(b).parentNode.removeChild(b)):c(a))},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){return null==b?-1:h.call(b,a,c)},merge:function(a,b){for(var c=+b.length,d=0,e=a.length;c>d;d++)a[e++]=b[d];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof b&&(c=a[b],b=a,a=c),n.isFunction(a)?(d=e.call(arguments,2),f=function(){return a.apply(b||this,d.concat(e.call(arguments)))},f.guid=a.guid=a.guid||n.guid++,f):void 0},now:Date.now,support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++db;b++)d+=a[b].value;return d}function ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return h.call(b,a)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=this.length,d=[],e=this;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;c>b;b++)if(n.contains(e[b],this))return!0}));for(b=0;c>b;b++)n.find(a,e[b],d);return d=this.pushStack(c>1?n.unique(d):d),d.selector=this.selector?this.selector+" "+a:a,d},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a[0]&&">"===a[a.length-1]&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}return f=d.getElementById(e[2]),f&&f.parentNode&&(this.length=1,this[0]=f),this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?void 0!==c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b=n(a,this),c=b.length;return this.filter(function(){for(var a=0;c>a;a++)if(n.contains(this,b[a]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?h.call(n(a),this[0]):h.call(this,a.jquery?a[0]:a):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){while((a=a[b])&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return a.contentDocument||n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||n.uniqueSort(e),D.test(a)&&e.reverse()),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=g=[],c||(f=c=""),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.removeEventListener("DOMContentLoaded",J),a.removeEventListener("load",J),n.ready()}n.ready.promise=function(b){return I||(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll?a.setTimeout(n.ready):(d.addEventListener("DOMContentLoaded",J),a.addEventListener("load",J))),I.promise(b)},n.ready.promise();var K=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===n.type(c)){e=!0;for(h in c)K(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,n.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(n(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},L=function(a){return 1===a.nodeType||9===a.nodeType||!+a.nodeType};function M(){this.expando=n.expando+M.uid++}M.uid=1,M.prototype={register:function(a,b){var c=b||{};return a.nodeType?a[this.expando]=c:Object.defineProperty(a,this.expando,{value:c,writable:!0,configurable:!0}),a[this.expando]},cache:function(a){if(!L(a))return{};var b=a[this.expando];return b||(b={},L(a)&&(a.nodeType?a[this.expando]=b:Object.defineProperty(a,this.expando,{value:b,configurable:!0}))),b},set:function(a,b,c){var d,e=this.cache(a);if("string"==typeof b)e[b]=c;else for(d in b)e[d]=b[d];return e},get:function(a,b){return void 0===b?this.cache(a):a[this.expando]&&a[this.expando][b]},access:function(a,b,c){var d;return void 0===b||b&&"string"==typeof b&&void 0===c?(d=this.get(a,b),void 0!==d?d:this.get(a,n.camelCase(b))):(this.set(a,b,c),void 0!==c?c:b)},remove:function(a,b){var c,d,e,f=a[this.expando];if(void 0!==f){if(void 0===b)this.register(a);else{n.isArray(b)?d=b.concat(b.map(n.camelCase)):(e=n.camelCase(b),b in f?d=[b,e]:(d=e,d=d in f?[d]:d.match(G)||[])),c=d.length;while(c--)delete f[d[c]]}(void 0===b||n.isEmptyObject(f))&&(a.nodeType?a[this.expando]=void 0:delete a[this.expando])}},hasData:function(a){var b=a[this.expando];return void 0!==b&&!n.isEmptyObject(b)}};var N=new M,O=new M,P=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,Q=/[A-Z]/g;function R(a,b,c){var d;if(void 0===c&&1===a.nodeType)if(d="data-"+b.replace(Q,"-$&").toLowerCase(),c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:P.test(c)?n.parseJSON(c):c; +}catch(e){}O.set(a,b,c)}else c=void 0;return c}n.extend({hasData:function(a){return O.hasData(a)||N.hasData(a)},data:function(a,b,c){return O.access(a,b,c)},removeData:function(a,b){O.remove(a,b)},_data:function(a,b,c){return N.access(a,b,c)},_removeData:function(a,b){N.remove(a,b)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=O.get(f),1===f.nodeType&&!N.get(f,"hasDataAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),R(f,d,e[d])));N.set(f,"hasDataAttrs",!0)}return e}return"object"==typeof a?this.each(function(){O.set(this,a)}):K(this,function(b){var c,d;if(f&&void 0===b){if(c=O.get(f,a)||O.get(f,a.replace(Q,"-$&").toLowerCase()),void 0!==c)return c;if(d=n.camelCase(a),c=O.get(f,d),void 0!==c)return c;if(c=R(f,d,void 0),void 0!==c)return c}else d=n.camelCase(a),this.each(function(){var c=O.get(this,d);O.set(this,d,b),a.indexOf("-")>-1&&void 0!==c&&O.set(this,a,b)})},null,b,arguments.length>1,null,!0)},removeData:function(a){return this.each(function(){O.remove(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=N.get(a,b),c&&(!d||n.isArray(c)?d=N.access(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return N.get(a,c)||N.access(a,c,{empty:n.Callbacks("once memory").add(function(){N.remove(a,[b+"queue",c])})})}}),n.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length",""],thead:[1,"","
    "],col:[2,"","
    "],tr:[2,"","
    "],td:[3,"","
    "],_default:[0,"",""]};$.optgroup=$.option,$.tbody=$.tfoot=$.colgroup=$.caption=$.thead,$.th=$.td;function _(a,b){var c="undefined"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||"*"):"undefined"!=typeof a.querySelectorAll?a.querySelectorAll(b||"*"):[];return void 0===b||b&&n.nodeName(a,b)?n.merge([a],c):c}function aa(a,b){for(var c=0,d=a.length;d>c;c++)N.set(a[c],"globalEval",!b||N.get(b[c],"globalEval"))}var ba=/<|&#?\w+;/;function ca(a,b,c,d,e){for(var f,g,h,i,j,k,l=b.createDocumentFragment(),m=[],o=0,p=a.length;p>o;o++)if(f=a[o],f||0===f)if("object"===n.type(f))n.merge(m,f.nodeType?[f]:f);else if(ba.test(f)){g=g||l.appendChild(b.createElement("div")),h=(Y.exec(f)||["",""])[1].toLowerCase(),i=$[h]||$._default,g.innerHTML=i[1]+n.htmlPrefilter(f)+i[2],k=i[0];while(k--)g=g.lastChild;n.merge(m,g.childNodes),g=l.firstChild,g.textContent=""}else m.push(b.createTextNode(f));l.textContent="",o=0;while(f=m[o++])if(d&&n.inArray(f,d)>-1)e&&e.push(f);else if(j=n.contains(f.ownerDocument,f),g=_(l.appendChild(f),"script"),j&&aa(g),c){k=0;while(f=g[k++])Z.test(f.type||"")&&c.push(f)}return l}!function(){var a=d.createDocumentFragment(),b=a.appendChild(d.createElement("div")),c=d.createElement("input");c.setAttribute("type","radio"),c.setAttribute("checked","checked"),c.setAttribute("name","t"),b.appendChild(c),l.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,b.innerHTML="",l.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue}();var da=/^key/,ea=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,fa=/^([^.]*)(?:\.(.+)|)/;function ga(){return!0}function ha(){return!1}function ia(){try{return d.activeElement}catch(a){}}function ja(a,b,c,d,e,f){var g,h;if("object"==typeof b){"string"!=typeof c&&(d=d||c,c=void 0);for(h in b)ja(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&("string"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=ha;else if(!e)return a;return 1===f&&(g=e,e=function(a){return n().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=n.guid++)),a.each(function(){n.event.add(this,b,e,d,c)})}n.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=N.get(a);if(r){c.handler&&(f=c,c=f.handler,e=f.selector),c.guid||(c.guid=n.guid++),(i=r.events)||(i=r.events={}),(g=r.handle)||(g=r.handle=function(b){return"undefined"!=typeof n&&n.event.triggered!==b.type?n.event.dispatch.apply(a,arguments):void 0}),b=(b||"").match(G)||[""],j=b.length;while(j--)h=fa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o&&(l=n.event.special[o]||{},o=(e?l.delegateType:l.bindType)||o,l=n.event.special[o]||{},k=n.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},f),(m=i[o])||(m=i[o]=[],m.delegateCount=0,l.setup&&l.setup.call(a,d,p,g)!==!1||a.addEventListener&&a.addEventListener(o,g)),l.add&&(l.add.call(a,k),k.handler.guid||(k.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,k):m.push(k),n.event.global[o]=!0)}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=N.hasData(a)&&N.get(a);if(r&&(i=r.events)){b=(b||"").match(G)||[""],j=b.length;while(j--)if(h=fa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=n.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,m=i[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),g=f=m.length;while(f--)k=m[f],!e&&q!==k.origType||c&&c.guid!==k.guid||h&&!h.test(k.namespace)||d&&d!==k.selector&&("**"!==d||!k.selector)||(m.splice(f,1),k.selector&&m.delegateCount--,l.remove&&l.remove.call(a,k));g&&!m.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||n.removeEvent(a,o,r.handle),delete i[o])}else for(o in i)n.event.remove(a,o+b[j],c,d,!0);n.isEmptyObject(i)&&N.remove(a,"handle events")}},dispatch:function(a){a=n.event.fix(a);var b,c,d,f,g,h=[],i=e.call(arguments),j=(N.get(this,"events")||{})[a.type]||[],k=n.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=n.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,c=0;while((g=f.handlers[c++])&&!a.isImmediatePropagationStopped())a.rnamespace&&!a.rnamespace.test(g.namespace)||(a.handleObj=g,a.data=g.data,d=((n.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==d&&(a.result=d)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&("click"!==a.type||isNaN(a.button)||a.button<1))for(;i!==this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(d=[],c=0;h>c;c++)f=b[c],e=f.selector+" ",void 0===d[e]&&(d[e]=f.needsContext?n(e,this).index(i)>-1:n.find(e,this,null,[i]).length),d[e]&&d.push(f);d.length&&g.push({elem:i,handlers:d})}return h]*)\/>/gi,la=/\s*$/g;function pa(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function qa(a){return a.type=(null!==a.getAttribute("type"))+"/"+a.type,a}function ra(a){var b=na.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function sa(a,b){var c,d,e,f,g,h,i,j;if(1===b.nodeType){if(N.hasData(a)&&(f=N.access(a),g=N.set(b,f),j=f.events)){delete g.handle,g.events={};for(e in j)for(c=0,d=j[e].length;d>c;c++)n.event.add(b,e,j[e][c])}O.hasData(a)&&(h=O.access(a),i=n.extend({},h),O.set(b,i))}}function ta(a,b){var c=b.nodeName.toLowerCase();"input"===c&&X.test(a.type)?b.checked=a.checked:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}function ua(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&ma.test(q))return a.each(function(e){var f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),ua(f,b,c,d)});if(o&&(e=ca(b,a[0].ownerDocument,!1,a,d),g=e.firstChild,1===e.childNodes.length&&(e=g),g||d)){for(h=n.map(_(e,"script"),qa),i=h.length;o>m;m++)j=e,m!==p&&(j=n.clone(j,!0,!0),i&&n.merge(h,_(j,"script"))),c.call(a[m],j,m);if(i)for(k=h[h.length-1].ownerDocument,n.map(h,ra),m=0;i>m;m++)j=h[m],Z.test(j.type||"")&&!N.access(j,"globalEval")&&n.contains(k,j)&&(j.src?n._evalUrl&&n._evalUrl(j.src):n.globalEval(j.textContent.replace(oa,"")))}return a}function va(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(_(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&aa(_(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(ka,"<$1>")},clone:function(a,b,c){var d,e,f,g,h=a.cloneNode(!0),i=n.contains(a.ownerDocument,a);if(!(l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(g=_(h),f=_(a),d=0,e=f.length;e>d;d++)ta(f[d],g[d]);if(b)if(c)for(f=f||_(a),g=g||_(h),d=0,e=f.length;e>d;d++)sa(f[d],g[d]);else sa(a,h);return g=_(h,"script"),g.length>0&&aa(g,!i&&_(a,"script")),h},cleanData:function(a){for(var b,c,d,e=n.event.special,f=0;void 0!==(c=a[f]);f++)if(L(c)){if(b=c[N.expando]){if(b.events)for(d in b.events)e[d]?n.event.remove(c,d):n.removeEvent(c,d,b.handle);c[N.expando]=void 0}c[O.expando]&&(c[O.expando]=void 0)}}}),n.fn.extend({domManip:ua,detach:function(a){return va(this,a,!0)},remove:function(a){return va(this,a)},text:function(a){return K(this,function(a){return void 0===a?n.text(this):this.empty().each(function(){1!==this.nodeType&&11!==this.nodeType&&9!==this.nodeType||(this.textContent=a)})},null,a,arguments.length)},append:function(){return ua(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=pa(this,a);b.appendChild(a)}})},prepend:function(){return ua(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=pa(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return ua(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return ua(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++)1===a.nodeType&&(n.cleanData(_(a,!1)),a.textContent="");return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return K(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a&&1===b.nodeType)return b.innerHTML;if("string"==typeof a&&!la.test(a)&&!$[(Y.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(_(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return ua(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(_(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=[],e=n(a),f=e.length-1,h=0;f>=h;h++)c=h===f?this:this.clone(!0),n(e[h])[b](c),g.apply(d,c.get());return this.pushStack(d)}});var wa,xa={HTML:"block",BODY:"block"};function ya(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function za(a){var b=d,c=xa[a];return c||(c=ya(a,b),"none"!==c&&c||(wa=(wa||n("