Commit Graph

67 Commits (10e6afe351ac136e428493978e302cf3453b9568)

Author SHA1 Message Date
Evilham 10e6afe351
[dd-sso] Add tests and refactor API
These tests can be executed with:
python -m unittest discover -s admin.views.test
2022-12-11 14:00:47 +01:00
Evilham 579af2b31c
[dd-sso] Adapt admin so it is easily importable
This paves the path forward for thorough testing.
2022-12-11 10:28:37 +01:00
Evilham cdfa4c5724
[api] Give operators the ability to easily add custom CSS
This enables various use-cases like custom icons and other personalisations.
2022-12-10 11:53:28 +01:00
Evilham f3108ac3dc
[api] Add type hints and cleanup
This makes modifying the existing code easier
2022-12-06 19:26:08 +01:00
Evilham 53674bfb24
[api] Reorganise and be more forgiving on yml
This allows for more flexible settings in
custom/menu/[custom|system].yml

And it makes the default values explicit
2022-12-06 18:15:05 +01:00
elena 2368a072d1 new footer added to admin login page 2022-12-02 13:16:38 +00:00
Evilham 740f799b9c
[WP] Add CSP and Content-Type-Options headers
We do this more reliably on HAProxy, as doing it from WP requires
specialised plugins and in DD we are sure that traffic goes through
the corresponding HAProxy backend.
2022-12-02 11:13:33 +01:00
Evilham 8f5de8af6a
[network] Fix handling of forwarded headers
This fixes several issues where services would see the internal IP of
the proxy and not that of the client.

It works by first unsetting any proxy-related headers that arrive from
the internet, then setting those as seen by HAProxy's entrypoint
frontend.
And finally making sure that neither WAF when enabled nor other
HAProxy backends touch these headers, while they are actually used by
the final services.

Services affected:	Netcloud, Keycloak, Moodle
2022-12-02 06:49:56 +01:00
Manolo Caballero e45eec6822 [dd-waf] block external access to sensible URLs 2022-12-01 10:49:56 +00:00
Evilham 09fec74915
[WAF] Consolidate proxies and documentation
The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF
determine how DD and HAProxy will behave.

- PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted
- DISABLE_WAF: whether or not WAF will be enabled

This simplifies maintenance, as well as the overall architecture and operation.

While at it, we now publish images for DD's HAProxy as well.
2022-11-24 12:54:46 +01:00
Manuel Caballero 392f8e0ee9
Volume to modsecurity 2022-11-24 10:01:37 +01:00
Manuel Caballero 26728a3c72
configure deploy modsecurity 2022-11-24 10:01:37 +01:00
Manuel Caballero 1375f4c102
remove cerbot service 2022-11-24 10:01:35 +01:00
Manuel Caballero b10178f0f7
Initial config modsecurity 2022-11-24 10:01:35 +01:00
Evilham ca8b29dd5e
[dd-sso/api] Cover all cases, add docs for megamenu internal links
These documentation convering these changes should be visible in:
https://dd.digitalitzacio-democratica.xnet-x.net/docs/customising.ca/
2022-11-23 12:54:21 +01:00
elena 97b4916983 new validation to create href 2022-11-15 11:47:04 +00:00
elena 0b03efc73e changes recommended by evilham 2022-11-15 08:58:57 +00:00
elena ec4f4587d4 new megamenu link: DD manual 2022-11-14 15:07:40 +00:00
Evilham b92dc23557
[sso] Allow for Keycloak login footer customisation
This enables more advanced customisation by allowing for
administrators to fully replace the footer of the login theme.

We try to take into account maintainability, at the same time mention
that it is the administrators' responsibility to keep their
customisations compatible with newer versions of DD.
2022-11-13 10:03:49 +01:00
Evilham 071bcd827f
[dd-admin] Fix issue propagating changes to NC
There was erroneous logic that only propagated the first attribute of
many, so some attribute changes were never propagated to NextCloud.
2022-10-30 20:01:44 +01:00
Evilham 895a20abba
[dd-admin] Fix email schemas in certain API endpoints
Dot character was not being properly escaped, we switch to using
bracket expressions to avoid possible future issues.
2022-10-23 19:45:40 +02:00
Evilham 559a90fba9
[mail] Refactor queue for easier maintenance, use name
We thought the name parameter was the account name to be shown in the
plugin, but it is the contents of the "From" email header instead.

While changing that, we also update the code to better match the open
Pull Request upstream that adds the update-account to the mail plugin
for nextcloud.
2022-10-17 19:06:59 +02:00
Evilham 8cbff5b8c6
[saml] Rework SAML handling
This separates stages more efficiently, and we are e.g. able to
support newer versions of Nextcloud's SAML plugin.
2022-09-23 08:39:40 +02:00
Evilham 3ae974432a
[registry] Add dd-sso-admin as an image
This would be the first image that is already distributed directly
from the registry to improve setup and maintenance.
2022-09-22 12:48:13 +02:00
Evilham 34761e028b
[sso-admin] Improve postup's idempotency
The class was only checking whether or not a specific token exists in
moodle, and it should ensure that it has access to the right permissions

Reported by:	@elena61
2022-09-06 19:29:37 +02:00
Evilham 075529f472
[haproxy] Remove leftovers, fix config selection
dd-apps/docker/haproxy seems to be a leftover and is not being used
anywhere.

Also fix the config selection for HAProxy.
2022-08-30 22:17:57 +02:00
Evilham 72f9d927e1
[haproxy] Support other HAProxy configurations
This can be used by setting up HAPROXY_CONF in dd.conf, which will
determine which config file will be used.

We also add haproxy.proxy-protocol.conf which is cleaner than
haproxy.conf and allows the PROXY protocol on certain ports.
With this setup it is possible to e.g. run DD without a public IPv4
address by proxying it from an edge server.
2022-08-30 20:47:42 +02:00
elena 993b5f0e24 fixed mysql-connector-python version. fixed mariadb conection user and pwd 2022-08-30 16:58:30 +02:00
Evilham 2d057ec6bc
[sso-admin] Fix regression on new installations
When introducing typing, we erroneously started passing an empty parent
Id instead of None, and the underlying Keycloak library failed to create
the groups.

Closes #15
2022-08-29 12:22:58 +02:00
Evilham 3f08973d7c
[wordpress] Reduce diff / upstream contribution
Now that https://github.com/keycloak/keycloak/pull/12966 has landed on
keycloak we can use that commit as a base for our file, therefore
reducing the resulting diff.
2022-08-29 12:08:42 +02:00
Evilham 701be40cf5
[sso-admin] load svg from DOMAIN
This was previously using digitaldemocratic.net
2022-08-08 13:10:47 +02:00
Evilham 519146a58f
[sso-admin] Fix bug in user_parser 2022-08-08 12:05:42 +02:00
Evilham 8309771a1c
[sso-avatars] Also use env var for minio container
From minio's documentation:
- MINIO_ACCESS_KEY and MINIO_SECRET_KEY are deprecated in lieu of
  MINIO_ROOT_USER and MINIO_ROOT_PASSWORD respectively
- In order to rotate secrets we only need to change
  MINIO_ROOT_{USER,PASSWORD}

Using this commit and the previous one affecting keycloak we can use
per-instance keys as opposed to the current state.
In order to achieve this, AVATARS_ACCESS_KEY and AVATARS_SECRET_KEY must
be set to the desired values.

The only guidelines as to how to generate ACCESS_KEY and SECRET_KEY are:

> Specify a unique, random, and long string for both the ACCESSKEY and
> SECRETKEY. Your organization may have specific internal or regulatory
> requirements around generating values for use with access or secret keys.

See:
- https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_ACCESS_KEY
- https://docs.min.io/minio/baremetal/security/minio-identity-management/user-management.html
2022-08-08 09:40:51 +02:00
Evilham 1ba5e51c41
bugfix in user_parser 2022-08-06 21:47:57 +02:00
Evilham 38d4e517b3
[sso-avatars] Actually use environment variables
This was needed because previously the DEFAULT_SERVER_URL was hardcoded
in the compiled keycloak module and that URL has changed.

For consistency sso-admin uses the same environment variables (except it
needs AVATARS_SERVER_HOST instead of AVATARS_SERVER_URL).
2022-08-06 21:47:35 +02:00
elena beb0350e9a Merge branch 'main' into develop 2022-08-05 15:42:57 +02:00
elena 6ad8df956e Merge branch 'develop' of https://gitlab.com/DD-workspace/DD into develop 2022-08-05 15:42:52 +02:00
elena bf0aeaf991 ADMIN: fix moodle db name 2022-08-05 15:42:27 +02:00
elena 5c3967cbe6
variable format changed 2022-08-05 10:55:13 +02:00
elena 77342f6e8a
FIX: role changed on admin and on moodle 2022-08-05 10:55:11 +02:00
elena d9d9fc8ef0 variable format changed 2022-08-05 09:43:58 +02:00
Evilham 86baf7bd69
[sso-admin] Add compatibility keys in outgoing API 2022-08-04 14:42:17 +02:00
Evilham 822ed98ab4
[dd-sso-admin] bugfix and add tracing for 3p cbs 2022-08-04 14:05:02 +02:00
elena 8152d24b29 Merge branch 'main' into develop 2022-08-04 09:48:39 +02:00
Evilham 0eb8f5f549
[sso-admin] Fix issue when editing users
Co-written with:	@elena61
2022-08-04 09:24:37 +02:00
Evilham e07249a1cb
[dd-sso] Fix leftover old container names 2022-08-03 09:30:15 +02:00
Evilham cf05b9675c
[dd-sso] Fix minio issue and MailViews API
Email service sends a JSON with: {"config": {...}, "users": [...]}
2022-08-03 08:16:19 +02:00
Evilham ac66814947
[sso-admin] Fix permsissions for node_modules, ncq
node_modules needs proper permissions on image build and the Nextcloud
queue on run-time.

We also realised the user must be www-data for compatibility with the NC
image.
2022-08-01 23:04:39 +02:00
Evilham df29999e62
[sso-admin] Generate script for NC mail accounts
This must be executed from cron on dd-apps-nextcloud-app.
2022-08-01 14:32:51 +02:00
Evilham da52d322af
[sso-admin] Add cache decorator for python 3.7 2022-08-01 12:59:10 +02:00