Develop (#37)

* Support for authentication using external proxy (#33)

* add options for HTTP header authentication to config

* add template for handling error 401: Unauthorized

* support external authentication

Expects authentication to be done using an external tool (such as
Apache), that fills the users UUID to a HTTP header and acts as a
proxy.

* version 0.7.3, simple auth mode available, docs for auth created

* version 0.7.3, simple auth mode available, docs for auth created

* typo in link

* Bugfix/autoescape (#35)

* rename all j2 files back to html

* add Markup to dashboard to render tables from macros

* bugfix - V4 table cols, DOCS update

---------

Co-authored-by: Jakub Man <[email protected]>

Author: jirivrany

config.example.py

@@ -8,10 +8,12 @@ class Config():
     # Flask testing
     TESTING = False
     # SSO auth enabled
-    SSO_AUTH = False
+
+    SSO_AUTH = True
     # Authentication is done outside the app, use HTTP header to get the user uuid.
     # If SSO_AUTH is set to True, this option is ignored and SSO auth is used.
-    HEADER_AUTH = True
+    HEADER_AUTH = False
+
     # Name of HTTP header containing the UUID of authenticated user.
     # Only used when HEADER_AUTH is set to True
     AUTH_HEADER_NAME = 'X-Authenticated-User'

docs/AUTH.md

@@ -10,16 +10,34 @@ Since version 0.7.3, the application supports three different forms of user auth
 ### SSO
 To use SSO, you need to set up Apache + Shiboleth in the usual way. Then set `SSO_AUTH = True` in the application configuration file **config.py**
 
+In general the whole app should be protected by Shiboleth. However, there certain endpoints should be excluded from Shiboleth for the interaction with BGP. See configuration example bellow. The endpoints which are not protected by Shibboleth are protected by app itself. Either by @localhost_only decorator or by API key. 
+
 Shibboleth configuration example:
 
-#### shibboleth config:
+#### shibboleth config (shib.conf):
+
 ```
 <Location />
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   require shib-session
 </Location>
 
+
+<LocationMatch /api/>
+  Satisfy Any
+  allow from All
+</LocationMatch>
+
+<LocationMatch /rules/announce_all>
+  Satisfy Any
+  allow from All
+</LocationMatch>
+
+<LocationMatch /rules/withdraw_expired>
+  Satisfy Any
+  allow from All
+</LocationMatch> 
 ```
 
 

docs/INSTALL.md

@@ -125,18 +125,18 @@ Supervisord is used to run and manage application.
 
 #### Final steps - as deploy user
 
-Copy config.example.py to config.py and fill out the DB credetials. 
+1. Copy config.example.py to config.py and fill out the DB credetials. 
 
-Create and populate database tables.
+2. Create and populate database tables.
 ```
 cd ~/www
 source venv/bin/activate
 python db-init.py
 ```
 DB-init script inserts default roles, actions, rule states and two organizations (TUL and Cesnet). But no users.
 
-So before start, use your favorite mysql admin tool and insert some users into database. 
-The uuid of user should be set the eppn value provided by Shibboleth. 
+3. Before start, **use your favorite mysql admin tool and insert some users into database**. 
+The **uuid** of user should be set the **eppn** value provided by Shibboleth. 
 
 You can use following MYSQL commands to insert the user, give him role 'admin' and add him to the the organization 'Cesnet'.
 

flowapp/__init__.py

@@ -87,13 +87,14 @@ def logout():
     def ext_login():
         header_name = app.config.get("AUTH_HEADER_NAME", 'X-Authenticated-User')
         if header_name not in request.headers:
-            return render_template("errors/401.j2")
+            return render_template("errors/401.html")
+
         uuid = request.headers.get(header_name)
         if uuid:
             try:
                 _register_user_to_session(uuid)
             except AttributeError:
-                return render_template("errors/401.j2")
+                return render_template("errors/401.html")
         return redirect("/")
 
     @app.route("/")
@@ -136,12 +137,12 @@ def shutdown_session(exception=None):
     # HTTP error handling
     @app.errorhandler(404)
     def not_found(error):
-        return render_template("errors/404.j2"), 404
+        return render_template("errors/404.html"), 404
 
     @app.errorhandler(500)
     def internal_error(exception):
         app.logger.error(exception)
-        return render_template("errors/500.j2"), 500
+        return render_template("errors/500.html"), 500
 
     @app.context_processor
     def utility_processor():

flowapp/instance_config.py

@@ -99,23 +99,23 @@ class InstanceConfig:
     DASHBOARD = {
         "ipv4": {
             "name": "IPv4",
-            "macro_file": "macros.j2",
+            "macro_file": "macros.html",
             "macro_tbody": "build_ip_tbody",
             "macro_thead": "build_rules_thead",
             "table_colspan": 10,
-            "table_columns": RULES_COLUMNS_V6,
+            "table_columns": RULES_COLUMNS_V4,
         },
         "ipv6": {
             "name": "IPv6",
-            "macro_file": "macros.j2",
+            "macro_file": "macros.html",
             "macro_tbody": "build_ip_tbody",
             "macro_thead": "build_rules_thead",
             "table_colspan": 10,
             "table_columns": RULES_COLUMNS_V6,
         },
         "rtbh": {
             "name": "RTBH",
-            "macro_file": "macros.j2",
+            "macro_file": "macros.html",
             "macro_tbody": "build_rtbh_tbody",
             "macro_thead": "build_rules_thead",
             "table_colspan": 5,

flowapp/templates/errors/401.html

@@ -0,0 +1,7 @@
+{% extends 'layouts/default.html' %}
+{% block content %}
+  <h1>Could not log you in.</h1>
+  <p class="form-text">401: Unauthorized</p>
+  <p>Please log out and try logging in again.</p>
+  <p><a href="{{url_for('logout')}}">Log out</a></p>
+{% endblock %}

flowapp/templates/errors/404.j2 renamed to flowapp/templates/errors/404.html

@@ -1,4 +1,4 @@
-{% extends 'layouts/default.j2' %}
+{% extends 'layouts/default.html' %}
 {% block content %}
   <h1>Sorry ...</h1>
   <p>There's nothing here!</p>

flowapp/templates/errors/500.j2 renamed to flowapp/templates/errors/500.html

@@ -1,4 +1,4 @@
-{% extends 'layouts/default.j2' %}
+{% extends 'layouts/default.html' %}
 {% block content %}
   <h1>Error ...</h1>
   <p>Sorry ;-)</p>

flowapp/templates/forms/api_key.j2 renamed to flowapp/templates/forms/api_key.html

@@ -1,5 +1,5 @@
-{% extends 'layouts/default.j2' %}
-{% from 'forms/macros.j2' import render_field %}
+{% extends 'layouts/default.html' %}
+{% from 'forms/macros.html' import render_field %}
 {% block title %}Add New Machine with ApiKey{% endblock %}
 {% block content %}
   <h2>Add new ApiKey for your machine</h2>

flowapp/templates/forms/ipv4_rule.j2 renamed to flowapp/templates/forms/ipv4_rule.html

@@ -1,5 +1,5 @@
-{% extends 'layouts/default.j2' %}
-{% from 'forms/macros.j2' import render_field %}
+{% extends 'layouts/default.html' %}
+{% from 'forms/macros.html' import render_field %}
 {% block title %}Add IPv4 rule{% endblock %}
 {% block content %}
   <h2>{{ title or 'New'}} IPv4 rule</h2>