remove ldap

lenticular_cloud/views/admin.py

@@ -11,7 +11,7 @@ from ory_hydra_client.models import OAuth2Client, GenericError
 from typing import Optional
 import logging
 
-from ..model import db, User, UserSignUp
+from ..model import db, User
 from .oauth2 import redirect_login, oauth2
 from ..form.admin import OAuth2ClientForm
 from ..hydra import hydra_service
@@ -50,28 +50,24 @@ async def users():
 
 @admin_views.route('/registrations', methods=['GET'])
 def registrations() -> ResponseReturnValue:
-    users = UserSignUp.query.all()
+    users = User.query.filter_by(enabled=False).all()
     return render_template('admin/registrations.html.j2', users=users)
 
 
 @admin_views.route('/registration/<registration_id>', methods=['DELETE'])
 def registration_delete(registration_id) -> ResponseReturnValue:
-    user_data = UserSignUp.query.get(registration_id)
-    if user_data is None:
+    user = User.query.get(registration_id)
+    if user is None:
         return jsonify({}), 404
-    db.session.delete(user_data)
+    db.session.delete(user)
     db.session.commit()
     return jsonify({})
 
 
 @admin_views.route('/registration/<registration_id>', methods=['PUT'])
 def registration_accept(registration_id) -> ResponseReturnValue:
-    user_data = UserSignUp.query.get(registration_id)
-    #create user
-    user = User.new(user_data)
-
-    db.session.add(user)
-    db.session.delete(user_data)
+    user = User.query.get(registration_id)
+    user.enabled = True
     db.session.commit()
     return jsonify({})
 

lenticular_cloud/views/api.py

@@ -64,7 +64,7 @@ def email_login() -> ResponseReturnValue:
     logger.error(f'{request}')
     logger.error(f'{request.headers}')
     if not request.is_json:
-        return {}, 400
+        return jsonify({}), 400
     req_payload = request.get_json()
     logger.error(f'{req_payload}')
     password = req_payload["password"]

lenticular_cloud/views/auth.py

@@ -21,7 +21,7 @@ from ory_hydra_client.api.admin import get_consent_request, accept_consent_reque
 from ory_hydra_client.models import AcceptLoginRequest, AcceptConsentRequest, ConsentRequestSession, GenericError, ConsentRequestSessionAccessToken, ConsentRequestSessionIdToken
 from typing import Optional
 
-from ..model import db, User, SecurityUser, UserSignUp
+from ..model import db, User, SecurityUser
 from ..form.auth import ConsentForm, LoginForm, RegistrationForm
 from ..auth_providers import AUTH_PROVIDER_LIST
 from ..hydra import hydra_service
@@ -118,7 +118,7 @@ async def login() -> ResponseReturnValue:
         return redirect(resp.redirect_to)
     form = LoginForm()
     if form.validate_on_submit():
-        user = User.query_().by_username(form.data['name'])
+        user = User.query.filter_by(username=form.data['name']).first()
         if user:
             session['username'] = str(user.username)
         else:
@@ -141,7 +141,7 @@ async def login_auth() -> ResponseReturnValue:
     if 'username' not in session:
         return redirect(url_for('auth.login'))
     auth_forms = {}
-    user = User.query_().by_username(session['username'])
+    user = User.query.filter_by(username=session['username']).first()
     for auth_provider in AUTH_PROVIDER_LIST:
         form = auth_provider.get_form()
         if auth_provider.get_name() not in session['auth_providers'] and\
@@ -216,9 +216,9 @@ def sign_up():
 def sign_up_submit():
     form = RegistrationForm()
     if form.validate_on_submit():
-        user = UserSignUp()
+        user = User()
         user.username = form.data['username']
-        user.password = crypt.crypt(form.data['password'])
+        user.password_hashed = crypt.crypt(form.data['password'])
         user.alternative_email = form.data['alternative_email']
         db.session.add(user)
         db.session.commit()

lenticular_cloud/views/frontend.py

@@ -31,6 +31,8 @@ from ..auth_providers import LdapAuthProvider
 from .auth import webauthn
 from .oauth2 import redirect_login, oauth2
 from ..hydra import hydra_service
+from ..pki import pki
+from ..lenticular_services import lenticular_services
 
 frontend_views = Blueprint('frontend', __name__, url_prefix='')
 logger = logging.getLogger(__name__)
@@ -43,8 +45,10 @@ def before_request() -> Optional[ResponseReturnValue]:
             logger.info('user not logged in redirect')
             return redirect_login()
     except MissingTokenError:
+        logger.info('MissingTokenError redirect user to login')
         return redirect_login()
     except InvalidTokenError:
+        logger.info('InvalidTokenError redirect user to login')
         return redirect_login()
 
     return None
@@ -72,20 +76,20 @@ def index() -> ResponseReturnValue:
 @frontend_views.route('/client_cert')
 def client_cert() -> ResponseReturnValue:
     client_certs = {}
-    for service in current_app.lenticular_services.values():
+    for service in lenticular_services.values():
         client_certs[str(service.name)] = \
-                current_app.pki.get_client_certs(current_user, service)
+                pki.get_client_certs(current_user, service)
 
     return render_template(
             'frontend/client_cert.html.j2',
-            services=current_app.lenticular_services,
+            services=lenticular_services,
             client_certs=client_certs)
 
 
 @frontend_views.route('/client_cert/<service_name>/<serial_number>')
 def get_client_cert(service_name, serial_number) -> ResponseReturnValue:
-    service = current_app.lenticular_services[service_name]
-    cert = current_app.pki.get_client_cert(
+    service = lenticular_services[service_name]
+    cert = pki.get_client_cert(
             current_user, service, serial_number)
     return jsonify({
         'data': {
@@ -96,10 +100,10 @@ def get_client_cert(service_name, serial_number) -> ResponseReturnValue:
 @frontend_views.route(
         '/client_cert/<service_name>/<serial_number>', methods=['DELETE'])
 def revoke_client_cert(service_name, serial_number) -> ResponseReturnValue:
-    service = current_app.lenticular_services[service_name]
-    cert = current_app.pki.get_client_cert(
+    service = lenticular_services[service_name]
+    cert = pki.get_client_cert(
             current_user, service, serial_number)
-    current_app.pki.revoke_certificate(cert)
+    pki.revoke_certificate(cert)
     return jsonify({})
 
 
@@ -107,11 +111,11 @@ def revoke_client_cert(service_name, serial_number) -> ResponseReturnValue:
         '/client_cert/<service_name>/new',
         methods=['GET', 'POST'])
 def client_cert_new(service_name) -> ResponseReturnValue:
-    service = current_app.lenticular_services[service_name]
+    service = lenticular_services[service_name]
     form = ClientCertForm()
     if form.validate_on_submit():
         valid_time = int(form.data['valid_time']) * timedelta(1, 0, 0)
-        cert = current_app.pki.signing_publickey(
+        cert = pki.signing_publickey(
                 current_user,
                 service,
                 form.data['publickey'],
@@ -120,7 +124,7 @@ def client_cert_new(service_name) -> ResponseReturnValue:
                 'status': 'ok',
                 'data': {
                     'cert': cert.pem(),
-                    'ca_cert': current_app.pki.get_ca_cert_pem(service)
+                    'ca_cert': pki.get_ca_cert_pem(service)
                 }})
     elif form.is_submitted():
         return jsonify({
@@ -252,7 +256,7 @@ def webauthn_register_route() -> ResponseReturnValue:
 
             return redirect(url_for('app.webauthn_list_route'))
         except (KeyError, ValueError) as e:
-            current_app.logger.exception(e)
+            logger.exception(e)
             flash('Error during registration.', 'error')
 
     return render_template('frontend/webauthn_register.html', form=form)

lenticular_cloud/views/oauth2.py

@@ -1,13 +1,16 @@
 from authlib.integrations.flask_client import OAuth
 from authlib.integrations.base_client.errors import MismatchingStateError
-from flask import Flask, Blueprint, session, request, redirect, url_for
+from flask import Flask, Blueprint, Response, session, request, redirect, url_for
 from flask_login import login_user, logout_user, current_user
 from flask.typing import ResponseReturnValue
 from flask_login import LoginManager
 from typing import Optional
+import logging
 
 from ..model import User, SecurityUser
 
+logger = logging.getLogger(__name__)
+
 def fetch_token(name: str) -> Optional[dict]:
     token = session.get('token', None)
     if isinstance(token, dict):
@@ -24,7 +27,10 @@ def redirect_login() -> ResponseReturnValue:
     logout_user()
     session['next_url'] = request.path
     redirect_uri = url_for('oauth2.authorized', _external=True)
-    return oauth2.custom.authorize_redirect(redirect_uri)
+    response = oauth2.custom.authorize_redirect(redirect_uri)
+    #if isinstance(response, ResponseReturnValue):
+    #    raise RuntimeError("invalid redirect")
+    return response
 
 
 @oauth2_views.route('/authorized')
@@ -32,29 +38,38 @@ def authorized() -> ResponseReturnValue:
     try:
         token = oauth2.custom.authorize_access_token()
     except MismatchingStateError:
+        logger.warning("MismatchingStateError redirect user")
         return redirect(url_for('oauth2.login'))
     if token is None:
         return 'bad request', 400
     session['token'] = token
     userinfo = oauth2.custom.get('/userinfo').json()
-    db_user = User.query.get(str(userinfo["sub"]))
-    login_user(SecurityUser(db_user.username))
-    
+    logger.info(f"userinfo `{userinfo}`")
+    user = User.query.get(str(userinfo["sub"]))
+    if user is None:
+        return "user not found", 404
+    logger.info(f"login user `{user.username}`")
+    login_user(SecurityUser(user.username))
+    logger.info(f"session user `{session}`")
 
     next_url = request.args.get('next_url')
     if next_url is None:
         next_url = '/'
     return redirect(next_url)
 
+
 @oauth2_views.route('login')
 def login() -> ResponseReturnValue:
     redirect_uri = url_for('.authorized', _external=True)
-    return oauth2.custom.authorize_redirect(redirect_uri)
+    response = oauth2.custom.authorize_redirect(redirect_uri)
+    #if type(response) != Response:
+    #    raise RuntimeError("invalid redirect")
+    return response
 
 
 @login_manager.user_loader
 def user_loader(username) -> Optional[User]:
-    user =  User.query_().by_username(username)
+    user =  User.query.filter_by(username=username).first()
     if isinstance(user, User):
         return user
     else:
@@ -65,12 +80,15 @@ def request_loader(_request):
     pass
 
 @login_manager.unauthorized_handler
-def unauthorized():
-    redirect_login()
+def unauthorized() -> Optional[User]:
+    pass
 
-def init_login_manager(app: Flask):
+def init_login_manager(app: Flask) -> None:
 
     base_url = app.config['HYDRA_PUBLIC_URL']
+    if not isinstance(base_url, str):
+        raise RuntimeError("HYDRA_PUBLIC_URL not set")
+
     oauth2.register(
         name="custom",
         client_id=app.config['OAUTH_ID'],

lenticular_cloud/views/pki.py

@@ -1,5 +1,7 @@
-from flask import current_app, Blueprint
+from flask import Blueprint
 from cryptography.hazmat.primitives import serialization
+from ..lenticular_services import lenticular_services
+from ..pki import pki
 
 
 pki_views = Blueprint('pki', __name__, url_prefix='/')
@@ -7,7 +9,7 @@ pki_views = Blueprint('pki', __name__, url_prefix='/')
 
 @pki_views.route('/<service_name>.crl')
 def crl(service_name: str):
-    service = current_app.lenticular_services[service_name]
-    crl = current_app.pki.get_crl(service)
+    service = lenticular_services[service_name]
+    crl = pki.get_crl(service)
     return crl.public_bytes(encoding=serialization.Encoding.DER)