Commit Graph

83 Commits (revert-4e64f57c)

Author SHA1 Message Date
elena 0888c2ba05 changes suggested 2023-02-27 10:53:11 +00:00
elena 92c5828b33 admin avatar added 2023-02-27 10:53:11 +00:00
Jose Antonio Exposito Garcia 358004899b add yoututbe video in wp 2023-02-21 09:24:32 +00:00
elena 895bd122ef new font LeagueSpartan added 2023-02-17 14:16:44 +00:00
elena 647191497d new fonts 2023-02-17 14:41:20 +01:00
elena 7ac06ef82c new megamenu style 2023-02-17 13:22:24 +00:00
elena d449bff1d1 Merge branch 'main' into feature/menuandfonts 2023-02-17 12:26:03 +00:00
Evilham ed44b8d3d2
[sso-api] Fix SocketIO transitive dependency (dnspython)
Flask-SocketIO depends on dnspython but dnspython 2.3 removes
dns.rdtypes.ANY, which is needed by Flask-SocketIO so we keep it below
version 2.3

We had missed Flask-SocketIO being a dependency on API when fixing the
issue for admin.
2023-02-03 11:40:13 +01:00
Evilham a72001dea5
[docker] Cleanup environment files
By having the environment explicit on each service, we both document
the settings and have more control over what each service is allowed
to see.

This avoids weird things like nginx having access to postgresql's
credentials on its environment.

As a bonus: we are able to use one single environment file, which is
basically dd.conf with some values that are dynamically-calculated and
added from dd-ctl.
2023-01-20 11:40:03 +01:00
Evilham 1d077b71f9
[sso-admin] Fix SocketIO transitive dependency (dnspython)
Flask-SocketIO depends on dnspython but dnspython 2.3 removes
dns.rdtypes.ANY, which is needed by Flask-SocketIO so we keep it below
version 2.3
2023-01-20 11:29:51 +01:00
Evilham c9af7242c0
[NC] Work arround issue nextcloud/server#33751
That issue is fixed in NC 25, but it will likely not be backported to
NC 24.

It produces issues when modifying users and not modifying their
display name.

See also:	https://github.com/nextcloud/server/issues/33751
2023-01-13 11:26:12 +01:00
elena c7b032ec2e feature/menuandfonts: new menu styles and fonts 2023-01-02 13:46:01 +00:00
Evilham 0994ea6bed
NotaBLE: add information about the project
NotaBLE és la col·laboració entre Gwido i el Workspace educatiu DD.

És un projecte de Xnet, IsardVDI, Gwido i Taller de Músics, guanyador
de la Ciutat Proactiva 2021, suport a la innovació urbana de la
Fundació BitHabitat.
2022-12-15 12:36:00 +01:00
Evilham bbc8051260
[dd-sso] Fix regression in API
Recent simplifications to the API contained a typo which resulted in
the logo not being visible.

Reported by:	Gwido
2022-12-13 21:51:01 +01:00
Evilham 583664cca8
[dd-sso] Add project texts for API documentation 2022-12-12 12:50:41 +01:00
Evilham d37b4dfa6a
[dd-sso] Add API documentation
The API spec file can be generated with:

python -m admin.views.test.test_ApiViews --generate-spec

From the admin development environment.

A simple testing ground that serves the Swagger UI can also be started with:

python -m admin.views.test.test_ApiViews
2022-12-11 19:13:03 +01:00
Evilham 10e6afe351
[dd-sso] Add tests and refactor API
These tests can be executed with:
python -m unittest discover -s admin.views.test
2022-12-11 14:00:47 +01:00
Evilham 579af2b31c
[dd-sso] Adapt admin so it is easily importable
This paves the path forward for thorough testing.
2022-12-11 10:28:37 +01:00
Evilham cdfa4c5724
[api] Give operators the ability to easily add custom CSS
This enables various use-cases like custom icons and other personalisations.
2022-12-10 11:53:28 +01:00
Evilham f3108ac3dc
[api] Add type hints and cleanup
This makes modifying the existing code easier
2022-12-06 19:26:08 +01:00
Evilham 53674bfb24
[api] Reorganise and be more forgiving on yml
This allows for more flexible settings in
custom/menu/[custom|system].yml

And it makes the default values explicit
2022-12-06 18:15:05 +01:00
elena 2368a072d1 new footer added to admin login page 2022-12-02 13:16:38 +00:00
Evilham 740f799b9c
[WP] Add CSP and Content-Type-Options headers
We do this more reliably on HAProxy, as doing it from WP requires
specialised plugins and in DD we are sure that traffic goes through
the corresponding HAProxy backend.
2022-12-02 11:13:33 +01:00
Evilham 8f5de8af6a
[network] Fix handling of forwarded headers
This fixes several issues where services would see the internal IP of
the proxy and not that of the client.

It works by first unsetting any proxy-related headers that arrive from
the internet, then setting those as seen by HAProxy's entrypoint
frontend.
And finally making sure that neither WAF when enabled nor other
HAProxy backends touch these headers, while they are actually used by
the final services.

Services affected:	Netcloud, Keycloak, Moodle
2022-12-02 06:49:56 +01:00
Manolo Caballero e45eec6822 [dd-waf] block external access to sensible URLs 2022-12-01 10:49:56 +00:00
Evilham 09fec74915
[WAF] Consolidate proxies and documentation
The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF
determine how DD and HAProxy will behave.

- PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted
- DISABLE_WAF: whether or not WAF will be enabled

This simplifies maintenance, as well as the overall architecture and operation.

While at it, we now publish images for DD's HAProxy as well.
2022-11-24 12:54:46 +01:00
Manuel Caballero 392f8e0ee9
Volume to modsecurity 2022-11-24 10:01:37 +01:00
Manuel Caballero 26728a3c72
configure deploy modsecurity 2022-11-24 10:01:37 +01:00
Manuel Caballero 1375f4c102
remove cerbot service 2022-11-24 10:01:35 +01:00
Manuel Caballero b10178f0f7
Initial config modsecurity 2022-11-24 10:01:35 +01:00
Evilham ca8b29dd5e
[dd-sso/api] Cover all cases, add docs for megamenu internal links
These documentation convering these changes should be visible in:
https://dd.digitalitzacio-democratica.xnet-x.net/docs/customising.ca/
2022-11-23 12:54:21 +01:00
elena 97b4916983 new validation to create href 2022-11-15 11:47:04 +00:00
elena 0b03efc73e changes recommended by evilham 2022-11-15 08:58:57 +00:00
elena ec4f4587d4 new megamenu link: DD manual 2022-11-14 15:07:40 +00:00
Evilham b92dc23557
[sso] Allow for Keycloak login footer customisation
This enables more advanced customisation by allowing for
administrators to fully replace the footer of the login theme.

We try to take into account maintainability, at the same time mention
that it is the administrators' responsibility to keep their
customisations compatible with newer versions of DD.
2022-11-13 10:03:49 +01:00
Evilham 071bcd827f
[dd-admin] Fix issue propagating changes to NC
There was erroneous logic that only propagated the first attribute of
many, so some attribute changes were never propagated to NextCloud.
2022-10-30 20:01:44 +01:00
Evilham 895a20abba
[dd-admin] Fix email schemas in certain API endpoints
Dot character was not being properly escaped, we switch to using
bracket expressions to avoid possible future issues.
2022-10-23 19:45:40 +02:00
Evilham 559a90fba9
[mail] Refactor queue for easier maintenance, use name
We thought the name parameter was the account name to be shown in the
plugin, but it is the contents of the "From" email header instead.

While changing that, we also update the code to better match the open
Pull Request upstream that adds the update-account to the mail plugin
for nextcloud.
2022-10-17 19:06:59 +02:00
Evilham 8cbff5b8c6
[saml] Rework SAML handling
This separates stages more efficiently, and we are e.g. able to
support newer versions of Nextcloud's SAML plugin.
2022-09-23 08:39:40 +02:00
Evilham 3ae974432a
[registry] Add dd-sso-admin as an image
This would be the first image that is already distributed directly
from the registry to improve setup and maintenance.
2022-09-22 12:48:13 +02:00
Evilham 34761e028b
[sso-admin] Improve postup's idempotency
The class was only checking whether or not a specific token exists in
moodle, and it should ensure that it has access to the right permissions

Reported by:	@elena61
2022-09-06 19:29:37 +02:00
Evilham 075529f472
[haproxy] Remove leftovers, fix config selection
dd-apps/docker/haproxy seems to be a leftover and is not being used
anywhere.

Also fix the config selection for HAProxy.
2022-08-30 22:17:57 +02:00
Evilham 72f9d927e1
[haproxy] Support other HAProxy configurations
This can be used by setting up HAPROXY_CONF in dd.conf, which will
determine which config file will be used.

We also add haproxy.proxy-protocol.conf which is cleaner than
haproxy.conf and allows the PROXY protocol on certain ports.
With this setup it is possible to e.g. run DD without a public IPv4
address by proxying it from an edge server.
2022-08-30 20:47:42 +02:00
elena 993b5f0e24 fixed mysql-connector-python version. fixed mariadb conection user and pwd 2022-08-30 16:58:30 +02:00
Evilham 2d057ec6bc
[sso-admin] Fix regression on new installations
When introducing typing, we erroneously started passing an empty parent
Id instead of None, and the underlying Keycloak library failed to create
the groups.

Closes #15
2022-08-29 12:22:58 +02:00
Evilham 3f08973d7c
[wordpress] Reduce diff / upstream contribution
Now that https://github.com/keycloak/keycloak/pull/12966 has landed on
keycloak we can use that commit as a base for our file, therefore
reducing the resulting diff.
2022-08-29 12:08:42 +02:00
Evilham 701be40cf5
[sso-admin] load svg from DOMAIN
This was previously using digitaldemocratic.net
2022-08-08 13:10:47 +02:00
Evilham 519146a58f
[sso-admin] Fix bug in user_parser 2022-08-08 12:05:42 +02:00
Evilham 8309771a1c
[sso-avatars] Also use env var for minio container
From minio's documentation:
- MINIO_ACCESS_KEY and MINIO_SECRET_KEY are deprecated in lieu of
  MINIO_ROOT_USER and MINIO_ROOT_PASSWORD respectively
- In order to rotate secrets we only need to change
  MINIO_ROOT_{USER,PASSWORD}

Using this commit and the previous one affecting keycloak we can use
per-instance keys as opposed to the current state.
In order to achieve this, AVATARS_ACCESS_KEY and AVATARS_SECRET_KEY must
be set to the desired values.

The only guidelines as to how to generate ACCESS_KEY and SECRET_KEY are:

> Specify a unique, random, and long string for both the ACCESSKEY and
> SECRETKEY. Your organization may have specific internal or regulatory
> requirements around generating values for use with access or secret keys.

See:
- https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_ACCESS_KEY
- https://docs.min.io/minio/baremetal/security/minio-identity-management/user-management.html
2022-08-08 09:40:51 +02:00
Evilham 1ba5e51c41
bugfix in user_parser 2022-08-06 21:47:57 +02:00