version 0.7.3, simple auth mode available, docs for auth created

CESNET · Nov 3, 2023 · 4c1ece5 · 4c1ece5
1 parent 6913689
commit 4c1ece5
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,7 @@ Last part of the system is Guarda service. This systemctl service is running in
 * [Local database instalation notes](./docs/DB_LOCAL.md)
 
 ## Change Log
+- 0.7.3 - New possibility of external auth proxy. 
 - 0.7.2 - Dashboard and Main menu are now customizable in config. App is ready to be packaged using setup.py.
 - 0.7.0 - ExaAPI now have two options - HTTP or RabbitMQ. ExaAPI process has been renamed, update of ExaBGP process value is needed for this version.
 - 0.6.2 - External config for ExaAPI 

diff --git a/docs/AUTH.md b/docs/AUTH.md
@@ -0,0 +1,43 @@
+# ExaFS tool
+## Auth mechanism
+
+Since version 0.7.3, the application supports three different forms of user authorization. 
+
+* SSO using Shibboleth
+* Simple Auth proxy 
+* Local single-user mode 
+
+### SSO
+To use SSO, you need to set up Apache + Shiboleth in the usual way. Then set `SSO_AUTH = True` in the application configuration file **config.py**
+
+Shibboleth configuration example:
+
+#### shibboleth config:
+```
+<Location />
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require shib-session
+</Location>
+
+```
+
+
+#### httpd ssl.conf 
+We recomend using app with https only. It's important to configure proxy pass to uwsgi in httpd config.
+```
+# Proxy everything to the WSGI server except /Shibboleth.sso and
+# /shibboleth-sp
+ProxyPass /kon.php !
+ProxyPass /Shibboleth.sso !
+ProxyPass /shibboleth-sp !
+ProxyPass / uwsgi://127.0.0.1:8000/
+```
+
+### Simple Auth
+This mode uses a WWW server (usually Apache) as an auth proxy. It is thus possible to use an external user database. Everything needs to be set in the web server configuration, then in **config.py** enable `HEADER_AUTH = True` and set `AUTH_HEADER_NAME = 'X-Authenticated-User'` 
+
+See [apache.conf.example]('./apache.example.conf') for more information about configuration.
+
+### Local single user mode
+This mode is used as a fallback if neither SSO nor Simple Auth is enabled. Configuration is done using **config.py**. The mode is more for testing purposes, it does not allow to set up multiple users with different permission levels and also does not perform user authentication. 
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
@@ -8,30 +8,12 @@ The default Python for RHEL9 is Python 3.9
 Virtualenv with Python39 is used by uWSGI server to keep the packages for app separated from system.
 
 ## Prerequisites
+First, choose how to [authenticate and authorize users]('./AUTH.md'). The application currently supports three options. 
 
-ExaFS is using Shibboleth auth and therefore we suggest to use Apache web server. 
-Install the Apache httpd as usual and then continue with this guide. 
+Depending on the selected WWW server, set up a proxy. We recommend using Apache + mod_uwsgi. If you use another solution, set up the WWW server as you are used to. 
 
-First configure Shibboleth
-
-### shibboleth config:
-```
-<Location />
-  AuthType shibboleth
-  ShibRequestSetting requireSession 1
-  require shib-session
-</Location>
-
-```
-
-### httpd ssl.conf 
-We are using https only. It's important to configure proxy pass to uwsgi in httpd config.
 ```
-# Proxy everything to the WSGI server except /Shibboleth.sso and
-# /shibboleth-sp
-ProxyPass /kon.php !
-ProxyPass /Shibboleth.sso !
-ProxyPass /shibboleth-sp !
+# Proxy everything to the WSGI server
 ProxyPass / uwsgi://127.0.0.1:8000/
 ```
 

diff --git a/docs/apache.conf.example b/docs/apache.conf.example
@@ -0,0 +1,24 @@
+# mod_dbd configuration
+DBDriver pgsql
+DBDParams "dbname=exafs_users host=localhost user=exafs password=verysecurepassword"
+
+DBDMin  4
+DBDKeep 8
+DBDMax  20
+DBDExptime 300
+
+# ExaFS authentication
+<VirtualHost *:80>
+    ServerName example.com
+    DocumentRoot /var/www/html
+
+    <Location />
+    AuthType Basic
+    AuthName "Database Authentication"
+    AuthBasicProvider dbd
+    AuthDBDUserPWQuery "SELECT pass_hash AS password FROM \"users\" WHERE email = %s"
+    Require valid-user
+    RequestHeader set X-Authenticated-User expr=%{REMOTE_USER}
+    ProxyPass http://127.0.0.1:8080/
+    </Location>
+</VirtualHost>
diff --git a/flowapp/__about__.py b/flowapp/__about__.py
@@ -1 +1 @@
-__version__ = "0.7.2"
+__version__ = "0.7.3"
diff --git a/flowapp/__init__.py b/flowapp/__init__.py
@@ -70,7 +70,6 @@ def login(user_info):
             uuid = False
             return redirect("/")
         else:
-            user = db.session.query(models.User).filter_by(uuid=uuid).first()
             try:
                 _register_user_to_session(uuid)
             except AttributeError:
@@ -194,4 +193,3 @@ def _register_user_to_session(uuid: str):
         session["can_edit"] = True if all(roles) and roles else []
 
     return app
-