#29-add-admin-role #2

Merged
philipp merged 10 commits from #29-add-admin-role into fork 2022-11-08 16:36:18 +01:00
18 changed files with 223 additions and 81 deletions
Showing only changes of commit 35a4f29f07 - Show all commits

View file

@ -1,32 +0,0 @@
"""Everything to do with Apps"""
from database import db
from .models import App, AppRole
class LITApp(App):
"""
"""
def get_url(self):
return self.url
def to_dict(self):
"""
represent this object as a dict, compatible for JSON output
"""
return {"id": self.id,
"name": self.name,
"slug": self.slug,
"external": self.external,
"status": self.get_status(),
"url": self.get_url()}
def get_status(self):
"""Returns an AppStatus object that describes the current cluster state"""
return {
"installed": "",
"ready": "",
"message": "",
}

View file

@ -5,15 +5,14 @@ from flask_cors import cross_origin
from datetime import timedelta from datetime import timedelta
from areas import api_v1 from areas import api_v1
from areas.apps import App, AppRole
from config import * from config import *
from helpers import HydraOauth, BadRequest from helpers import LITOauth, BadRequest
@api_v1.route("/login", methods=["POST"]) @api_v1.route("/login", methods=["POST"])
@cross_origin() @cross_origin()
def login(): def login():
authorization_url = HydraOauth.authorize() authorization_url = LITOauth.authorize()
return jsonify({"authorizationUrl": authorization_url}) return jsonify({"authorizationUrl": authorization_url})
@ -28,11 +27,10 @@ def hydra_callback():
if code == None: if code == None:
raise BadRequest("Missing code query param") raise BadRequest("Missing code query param")
token = HydraOauth.get_token(state, code) token = LITOauth.get_token(state, code)
user_info = HydraOauth.get_user_info() user_info = LITOauth.get_user_info()
access_token = create_access_token( access_token = create_access_token(
identity=token, expires_delta=timedelta(days=365)) identity=token, expires_delta=timedelta(days=365))
isAdmin = "admin" in user_info["groups"] isAdmin = "admin" in user_info["groups"]
app_roles = [ app_roles = [
{ {
@ -40,18 +38,7 @@ def hydra_callback():
"role_id": 1 if isAdmin else 2 "role_id": 1 if isAdmin else 2
}, },
] ]
print(app_roles)
# apps = App.query.all()
# for app in apps:
# tmp_app_role = AppRole.query.filter_by(
# user_id=user_info["sub"], app_id=app.id
# ).first()
# app_roles.append(
# {
# "name": app.slug,
# "role_id": tmp_app_role.role_id if tmp_app_role else None,
# }
# )
return jsonify( return jsonify(
{ {
"accessToken": access_token, "accessToken": access_token,

View file

@ -0,0 +1,39 @@
from flask import current_app
from helpers.authentik_api import AuthentikApi
from .user_service import UserService
from .models import User
class UserService(UserService):
@staticmethod
def get_users():
user_list = [User.from_authentik(u).to_dict() for u in AuthentikApi.get("/core/users")]
return user_list
@staticmethod
def get_user(id):
pass
@staticmethod
def post_user(data):
pass
@staticmethod
def __start_recovery_flow(email):
pass
@staticmethod
def put_user(id, user_editing_id, data):
pass
@staticmethod
def delete_user(id):
pass
@staticmethod
def post_multiple_users(data):
pass
@staticmethod
def __insertAppRoleToUser(userId, userRes):
pass

View file

@ -0,0 +1,37 @@
class User:
id = None
uuid = None
traits = None
email = None
name = None
preferredUsername = None
state = None
def __init__(self):
pass
@staticmethod
def from_authentik(authentik_user):
u = User()
u.id = authentik_user["pk"]
u.uuid = authentik_user["uid"]
u.name = authentik_user["name"]
u.email = authentik_user["email"]
u.traits = {
"name": authentik_user["name"],
"email": authentik_user["email"],
"app_roles": []
}
u.preferredUsername = authentik_user["username"]
u.state = "active" if authentik_user["is_active"] else ""
return u
def to_dict(self):
return {
"id": self.id,
"traits": self.traits,
"preferredUsername": self.preferredUsername,
"state": self.state,
}

View file

@ -8,7 +8,7 @@ from helpers import KratosApi
from helpers.auth_guard import admin_required from helpers.auth_guard import admin_required
from .validation import schema, schema_multiple from .validation import schema, schema_multiple
from .user_service import UserService from .lit_user_service import UserService
@api_v1.route("/users", methods=["GET"]) @api_v1.route("/users", methods=["GET"])
@ -16,8 +16,7 @@ from .user_service import UserService
@cross_origin() @cross_origin()
@admin_required() @admin_required()
def get_users(): def get_users():
res = UserService.get_users() return jsonify(UserService.get_users())
return jsonify(res)
@api_v1.route("/users/<string:id>", methods=["GET"]) @api_v1.route("/users/<string:id>", methods=["GET"])

View file

@ -2,3 +2,4 @@ from .kratos_api import *
from .error_handler import * from .error_handler import *
from .hydra_oauth import * from .hydra_oauth import *
from .kratos_user import * from .kratos_user import *
from .lit_oauth import *

View file

@ -11,9 +11,10 @@ def admin_required():
@wraps(fn) @wraps(fn)
def decorator(*args, **kwargs): def decorator(*args, **kwargs):
verify_jwt_in_request() verify_jwt_in_request()
claims = get_jwt() # claims = get_jwt()
user_id = claims["user_id"] # user_id = claims["user_id"]
is_admin = RoleService.is_user_admin(user_id) is_admin = True # RoleService.is_user_admin(user_id)
# TODO: actually check if admin
if is_admin: if is_admin:
return fn(*args, **kwargs) return fn(*args, **kwargs)
else: else:

View file

@ -0,0 +1,43 @@
from typing import List
from flask_jwt_extended import get_jwt
import requests
from .error_handler import AuthentikError
AUTHENTIK_BASEURL = "https://dev.local-it.cloud/api/v3"
class AuthentikApi: # TODO: check if can be replaced with apispec generated api?
@staticmethod
def __handleError(res):
if res.status_code >= 400:
message = res.json()["error"]["message"]
raise AuthentikError(message, res.status_code)
@staticmethod
def __token():
jwt = get_jwt()
return jwt["sub"]["refresh_token"]
@staticmethod
def get(url):
try:
res = requests.get(f"{AUTHENTIK_BASEURL}{url}", headers={
"Authorization": f"Bearer {AuthentikApi.__token()}"})
AuthentikApi.__handleError(res)
if (res.json()["pagination"]):
return AuthentikApi.__paginate(res)
return res.json()
except AuthentikError as err:
raise err
except:
raise AuthentikError()
@staticmethod
def __paginate(res: requests.Response): # TODO: test this
results = res.json()["results"]
for page in range(1, res.json()["pagination"]["total_pages"]):
res = requests.get(
f"{res.request.url}", headers=res.request.headers, params={'page': page})
AuthentikApi.__handleError(res)
results.append(res.json()["results"])
return results

View file

@ -5,6 +5,8 @@ from jsonschema import ValidationError
class KratosError(Exception): class KratosError(Exception):
pass pass
class AuthentikError(Exception):
pass
class HydraError(Exception): class HydraError(Exception):
pass pass

View file

@ -9,7 +9,7 @@ class HydraOauth:
@staticmethod @staticmethod
def authorize(): def authorize():
try: try:
hydra = OAuth2Session(HYDRA_CLIENT_ID, redirect_uri=REDIRECT_URL) hydra = OAuth2Session(HYDRA_CLIENT_ID)
authorization_url, state = hydra.authorization_url( authorization_url, state = hydra.authorization_url(
HYDRA_AUTHORIZATION_BASE_URL HYDRA_AUTHORIZATION_BASE_URL
) )

View file

@ -4,7 +4,6 @@ import requests
from config import * from config import *
from .error_handler import KratosError from .error_handler import KratosError
class KratosApi: class KratosApi:
@staticmethod @staticmethod
def __handleError(res): def __handleError(res):

View file

@ -0,0 +1,51 @@
from flask import request, session
from requests_oauthlib import OAuth2Session
from config import *
from helpers import HydraError
class LITOauth:
@staticmethod
def authorize():
try:
scopes = ["openid", "email", "profile", "goauthentik.io/api"]
oauth = OAuth2Session(HYDRA_CLIENT_ID, redirect_uri=REDIRECT_URL, scope=scopes)
authorization_url, state = oauth.authorization_url(
HYDRA_AUTHORIZATION_BASE_URL
)
return authorization_url
except Exception as err:
raise HydraError(str(err), 500)
@staticmethod
def get_token(state, code):
try:
oauth = OAuth2Session(
client_id=HYDRA_CLIENT_ID,
state=state,
)
token = oauth.fetch_token(
token_url=TOKEN_URL,
code=code,
client_secret=HYDRA_CLIENT_SECRET,
include_client_id=True,
)
session["oauth_token"] = token
return token
except Exception as err:
raise HydraError(str(err), 500)
@staticmethod
def get_user_info():
try:
hydra = OAuth2Session(
client_id=HYDRA_CLIENT_ID, token=session["oauth_token"]
)
user_info = hydra.get("{}/userinfo".format(HYDRA_PUBLIC_URL))
return user_info.json()
except Exception as err:
raise HydraError(str(err), 500)

View file

@ -1,5 +1,8 @@
alembic==1.8.1
attrs==21.4.0 attrs==21.4.0
black==22.1.0 black==22.1.0
cachelib==0.9.0
cachetools==5.2.0
certifi==2021.10.8 certifi==2021.10.8
cffi==1.15.0 cffi==1.15.0
charset-normalizer==2.0.12 charset-normalizer==2.0.12
@ -9,32 +12,43 @@ Flask==2.0.3
Flask-Cors==3.0.10 Flask-Cors==3.0.10
flask-expects-json==1.7.0 flask-expects-json==1.7.0
Flask-JWT-Extended==4.3.1 Flask-JWT-Extended==4.3.1
Flask-Migrate==3.1.0
Flask-Session==0.4.0
Flask-SQLAlchemy==2.5.1
google-auth==2.14.0
greenlet==2.0.0.post0
gunicorn==20.1.0 gunicorn==20.1.0
hydra-client==0.4.0
idna==3.3 idna==3.3
install==1.3.5 install==1.3.5
itsdangerous==2.1.1 itsdangerous==2.1.1
jsonschema==4.4.0
Jinja2==3.0.3 Jinja2==3.0.3
jinja2-base64-filters==0.1.4 jinja2-base64-filters==0.1.4
jsonschema==4.4.0
kubernetes==24.2.0 kubernetes==24.2.0
Mako==1.2.3
MarkupSafe==2.1.1 MarkupSafe==2.1.1
mypy-extensions==0.4.3 mypy-extensions==0.4.3
oauthlib==3.2.0 oauthlib==3.2.0
ory-kratos-client==0.9.0a2
pathspec==0.9.0 pathspec==0.9.0
platformdirs==2.5.1 platformdirs==2.5.1
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.21 pycparser==2.21
PyJWT==2.3.0 PyJWT==2.3.0
PyMySQL==1.0.2
pyrsistent==0.18.1 pyrsistent==0.18.1
python-dateutil==2.8.2
PyYAML==6.0
regex==2022.3.15 regex==2022.3.15
requests==2.27.1 requests==2.27.1
requests-oauthlib==1.3.1 requests-oauthlib==1.3.1
rsa==4.9
six==1.16.0 six==1.16.0
SQLAlchemy==1.4.42
tomli==1.2.3 tomli==1.2.3
typing-extensions==4.1.1 typing_extensions==4.1.1
urllib3==1.26.8 urllib3==1.26.8
websocket-client==1.4.2
Werkzeug==2.0.3 Werkzeug==2.0.3
ory-kratos-client==0.9.0a2
pymysql
Flask-SQLAlchemy
hydra-client
Flask-Migrate

View file

@ -261,8 +261,6 @@ function render_messages(data) {
// value: If there is already a value known, show it // value: If there is already a value known, show it
// messages: error messages related to the field // messages: error messages related to the field
function getFormElement(type, name, value, messages) { function getFormElement(type, name, value, messages) {
console.log('Getting form element', type, name, value, messages);
if (value == undefined) { if (value == undefined) {
value = ''; value = '';
} }
@ -350,7 +348,6 @@ function getFormInput(type, name, value, label, placeHolder, help, messages) {
if (typeof help == 'undefined' || help == null) { if (typeof help == 'undefined' || help == null) {
help = ''; help = '';
} }
console.log('Messages: ', messages);
// Id field for help element // Id field for help element
var nameHelp = name + 'Help'; var nameHelp = name + 'Help';
@ -362,7 +359,6 @@ function getFormInput(type, name, value, label, placeHolder, help, messages) {
// messages get appended to help info // messages get appended to help info
if (messages.length) { if (messages.length) {
for (message in messages) { for (message in messages) {
console.log('adding message', messages[message]);
help += messages[message]['text']; help += messages[message]['text'];
} }
} }

View file

@ -9,7 +9,7 @@ import { useApps } from 'src/services/apps';
const navigation = [ const navigation = [
{ name: 'Users', to: '/users', requiresAdmin: true }, { name: 'Users', to: '/users', requiresAdmin: true },
{ name: 'Apps', to: '/apps', requiresAdmin: true }, // { name: 'Apps', to: '/apps', requiresAdmin: true },
]; ];
function classNames(...classes: any[]) { function classNames(...classes: any[]) {
@ -33,8 +33,6 @@ const HeaderLIT: React.FC<HeaderProps> = () => {
const { pathname } = useLocation(); const { pathname } = useLocation();
const { apps } = useApps(); const { apps } = useApps();
const navigationItems = filterNavigationByDashboardRole(isAdmin); const navigationItems = filterNavigationByDashboardRole(isAdmin);
console.log(isAdmin);
console.log(navigationItems);
const signOutUrl = useMemo(() => { const signOutUrl = useMemo(() => {
// @ts-ignore // @ts-ignore
@ -86,9 +84,9 @@ const HeaderLIT: React.FC<HeaderProps> = () => {
key={item.name} key={item.name}
to={item.to} to={item.to}
className={clsx( className={clsx(
'border-primary-50 text-gray-900 inline-flex items-center px-1 pt-1 border-b-2 text-sm font-medium', 'border-primary-50 inline-flex items-center px-1 pt-1 border-b-2 text-sm font-medium litbutton',
{ {
'border-primary-500 text-gray-500 hover:border-gray-300 hover:text-gray-700 inline-flex items-center px-1 pt-1 text-sm font-medium': 'border-primary-500 litbutton-active hover:border-gray-300 inline-flex items-center px-1 pt-1 text-sm font-medium':
pathname.includes(item.to), pathname.includes(item.to),
}, },
)} )}

View file

@ -53,6 +53,11 @@ export const Users: React.FC = () => {
const columns: any = React.useMemo( const columns: any = React.useMemo(
() => [ () => [
{
Header: 'Username',
accessor: 'preferredUsername',
width: 'auto',
},
{ {
Header: 'Name', Header: 'Name',
accessor: 'name', accessor: 'name',
@ -75,11 +80,12 @@ export const Users: React.FC = () => {
if (isAdmin) { if (isAdmin) {
return ( return (
<div className="text-right lg:opacity-0 group-hover:opacity-100 transition-opacity"> <div className="text-right lg:opacity-0 transition-opacity">
<button <button
disabled
onClick={() => configureModalOpen(row.original.id)} onClick={() => configureModalOpen(row.original.id)}
type="button" type="button"
className="inline-flex items-center px-4 py-2 border border-gray-200 shadow-sm text-sm font-medium rounded-md text-gray-700 bg-white hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-500" className="inline-flex items-center px-4 py-2 border border-gray-200 shadow-sm text-sm font-medium rounded-md text-gray bg-gray hover:bg-gray focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-500"
> >
<CogIcon className="-ml-0.5 mr-2 h-4 w-4" aria-hidden="true" /> <CogIcon className="-ml-0.5 mr-2 h-4 w-4" aria-hidden="true" />
Configure Configure
@ -109,17 +115,19 @@ export const Users: React.FC = () => {
{isAdmin && ( {isAdmin && (
<div className="mt-3 sm:mt-0 sm:ml-4"> <div className="mt-3 sm:mt-0 sm:ml-4">
<button <button
disabled
onClick={() => configureModalOpen(null)} onClick={() => configureModalOpen(null)}
type="button" type="button"
className="inline-flex items-center px-4 py-2 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-primary-700 hover:bg-primary-800 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-800 mx-5 " className="inline-flex items-center px-4 py-2 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-gray-200 hover:bg-gray-200 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-800 mx-5 "
> >
<PlusIcon className="-ml-0.5 mr-2 h-4 w-4" aria-hidden="true" /> <PlusIcon className="-ml-0.5 mr-2 h-4 w-4" aria-hidden="true" />
Add new user Add new user
</button> </button>
<button <button
disabled
onClick={() => setMultipleUsersModal(true)} onClick={() => setMultipleUsersModal(true)}
type="button" type="button"
className="inline-flex items-center px-4 py-2 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-primary-700 hover:bg-primary-800 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-800" className="inline-flex items-center px-4 py-2 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-gray-200 hover:bg-gray-200 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-800"
> >
<ViewGridAddIcon className="-ml-0.5 mr-2 h-4 w-4" aria-hidden="true" /> <ViewGridAddIcon className="-ml-0.5 mr-2 h-4 w-4" aria-hidden="true" />
Add new users Add new users

View file

@ -26,7 +26,7 @@ export const signIn = (params: string) =>
); );
export function signOut() { export function signOut() {
return async (dispatch: any) => { return (dispatch: any) => {
dispatch(signOutAction()); dispatch(signOutAction());
}; };
} }

View file

@ -12,7 +12,6 @@ export const getCurrentUser = (state: State) => state.auth.userInfo;
export const getIsAdmin = (state: State) => { export const getIsAdmin = (state: State) => {
// check since old users wont have this // check since old users wont have this
if (state.auth.userInfo) { if (state.auth.userInfo) {
console.log(state.auth.userInfo);
if (!state.auth.userInfo.app_roles) { if (!state.auth.userInfo.app_roles) {
return false; return false;
} }