proxyidp-gui

    Pavel Břoušek authored
    feat: remove refresh tokens for banned users
    
    See merge request perun-proxy-aai/python/perun-proxygui!22
    f299519d

    perun.proxygui

    Pages used by microservices in satosacontrib.perun.

    Installation

    The recommended way to install is via pip:

    pip3 install perun.proxygui

    Alternatively, you can clone the repository and run:

    pip3 install .

    You also need to install the appropriate SQLAlchemy driver. For PostgreSQL, you can include the postgresql extra, which installs psycopg2-binary:

    pip3 install perun.proxygui[postgresql]

    Configuration

    General

    Copy perun.proxygui.yaml from config_templates to /etc/ (it needs to reside at /etc/perun.proxygui.yaml) and adjust to your needs.

    The global_cfg_filepath option needs to point to the location of the global microservice config from the satosacontrib.perun module. You also need to set the attribute map config.

    At the very least, you need to copy the config templates:

    cp config_templates/perun.proxygui.yaml /etc/perun.proxygui.yaml
    cp ../satosacontrib-perun/satosacontrib/perun/config_templates/attribute_typing.yaml /etc/
    cp ../satosacontrib-perun/satosacontrib/perun/config_templates/microservices_global.yaml /etc/

    Then change the following line in /etc/perun.proxygui.yaml:

    global_cfg_filepath: /etc/microservices_global.yaml

    And the following line in /etc/microservices_global.yaml:

    attrs_cfg_path: /etc/attribute_typing.yaml

    Backchannel logout

    Analogous to the general configuration: copy backchannel-logout.yaml from config_templates to /etc/ so that the resulting file path is /etc/backchannel-logout.yaml, and adjust it to your needs.

    This configuration is required for the /backchannel-logout endpoint, which performs OIDC Back-Channel Logout 1.0 using the idpy-oidc library.

    OIDC builds upon OAuth 2.0. The config options issuer, client_id and client_secret are the terms explained in OAuth 2.0 [RFC6749].

    The endpoint accepts an OIDC Logout Token, a JWT carrying the information needed to perform back-channel logout. The key_conf setting must therefore contain the paths to the key pair configured between the OP (our endpoint), which decrypts the JWT, and the RP (the caller), which encrypts it. The private_path and public_path options are the file paths of the private and public key. The key_defs setting specifies the key types and read_only determines whether the keys are read-only; both of these come from the idpy-oidc library.

    Run

    uWSGI

    To run this Flask app with uWSGI, use the callable perun.proxygui.app:get_app, e.g.

    mount = /proxygui=perun.proxygui.app:get_app

    Local development

    python3 perun/proxygui/app.py

    Now the app is available at http://localhost:5000/ (e.g. http://localhost:5000/banned-users/).

    Translations

    Babel

    First, generate the .pot file: pybabel extract -F babel.cfg -o messages.pot .

    Next, generate the .po file for a language: pybabel init -i messages.pot -d perun/proxygui/gui/translations -D messages -l <language_code>

    • replace <language_code> with the desired language code (e.g. fr)

    Then write your translations into the generated .po file, manually or with a tool such as Poedit, and compile it: pybabel compile -d perun/proxygui/gui/translations -D messages

    • if the .pot file already exists and you only want to add a new language, skip the first step

    API

    Consent

    This API handles consents: it checks whether the user has already given consent and, if not, asks them to give a new one. The API is connected to a GUI in which the user can choose which attributes to consent to. It is strongly based on CMservice, with some differences:

    • GUI
    • usage of MongoDB
    • user_id and requester_name are sent from micro_service and are part of the consent stored in the database
    • we can define attributes which are ignored (in the config)

    Back-channel logout

    Performs OIDC Back-Channel Logout 1.0 in the role of RP.

    Endpoint: /backchannel-logout

    Method: POST

    Input arguments: OIDC Logout Token in the request body.

    Result:

    • HTTP Bad Request [400] and an error message in the response body if the logout wasn't performed successfully
    • HTTP No Content [204] indicating a successful logout
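    As an illustration of what the RP must check before acting on a received Logout Token, the following Python is an added example (not code from perun.proxygui or idpy-oidc). It validates the claims that OIDC Back-Channel Logout 1.0 requires: issuer, audience, iat freshness, the backchannel-logout member of the events claim, the presence of sub or sid, the absence of nonce, and a jti. The issuer, client id and shared key are constructed values; the real endpoint verifies the token with the key pair from key_conf, for which the HS256 signature used here is only a standard-library stand-in.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Event name that OIDC Back-Channel Logout 1.0 requires in the "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed values for this example. In the real app, issuer and client_id come
# from /etc/backchannel-logout.yaml and the keys from key_conf.
ISSUER = "https://op.example.org"
CLIENT_ID = "proxygui-rp"
# Assumption: a symmetric HS256 key stands in for the page's asymmetric key pair
# so that the example runs with the standard library only.
SHARED_KEY = b"constructed-demo-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict) -> str:
    """Test helper playing the OP: build an HS256-signed JWT from the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_logout_token(token: str, now: Optional[float] = None,
                          max_age: int = 120) -> Tuple[bool, str]:
    """Return (ok, reason). Every rejection happens before any session lookup."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "undecodable header, payload or signature"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "header or payload is not a JSON object"
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "not addressed to this RP"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        return False, "iat missing or outside the acceptance window"
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        return False, "missing backchannel-logout event"
    if "sub" not in claims and "sid" not in claims:
        return False, "neither sub nor sid present"
    # A Logout Token must not carry a nonce (that would make it look like an ID Token).
    if "nonce" in claims:
        return False, "nonce must not be present in a logout token"
    if not claims.get("jti"):
        return False, "missing jti"
    return True, "ok"
```

    The jti is returned as accepted so that a caller can record it in a short-lived replay cache; a token that fails any check should produce the 400 response described above rather than a partial logout.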

    Ban

    Provides management of Perun user bans. A banned user cannot log in to the system.


    Endpoint: /banned-users

    Method: PUT

    Description: This endpoint adds all user bans provided in the request input data to the database. This effectively bans the Perun users from logging in to the system. If the user is already banned, their ban is replaced with the latest one (the one currently provided in the request).

    Example ban:

    {
        "description": "Misuse of resources.",
        "facilityId": "1",
        "id": 1,
        "userId": "12345",
        "validityTo": "1670799600000"
    }

    Here, id is the ban ID and validityTo is the time when the ban expires represented as a UNIX timestamp.

    Input arguments: List of user bans in JSON format.

    Result:

    • HTTP No Content [204] indicating a successful update of bans


    Endpoint: /banned-users-generic

    Method: PUT

    Description: Generalized endpoint behaving in the same way as the /banned-users endpoint. The only difference is that the input data is passed in binary form, as a .tar file, in the request.

    Input arguments: List of users to ban, as .tar data in the request body.

    Result:

    • HTTP Request Entity Too Large [413] if the uploaded data exceeds the size limit
    • HTTP Unprocessable Entity [422] if the banned-users data could not be parsed correctly or was not provided in the request at all
    • HTTP No Content [204] indicating successful banning
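    The page does not fix the layout of the .tar upload, so the added example below (not the project's own parser) assumes the archive holds a single member named bans.json containing the same JSON list that /banned-users accepts. It maps the failure modes listed above onto the status codes: 413 when the upload, or the member inside it, exceeds a constructed size limit, 422 when the archive or the JSON cannot be parsed or lacks the ban fields, and the parsed list otherwise.

```python
import io
import json
import tarfile

# Constructed limits and names for this example; the real endpoint's values are not on the page.
MAX_UPLOAD_BYTES = 64 * 1024
BAN_FILE_MEMBER = "bans.json"
# Fields taken from the example ban shown for /banned-users.
REQUIRED_FIELDS = ("id", "userId", "validityTo", "facilityId", "description")


def build_ban_tar(bans: list) -> bytes:
    """Test helper playing the caller: pack a ban list into an in-memory .tar."""
    buf = io.BytesIO()
    payload = json.dumps(bans).encode()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(BAN_FILE_MEMBER)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def parse_ban_tar(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES):
    """Return (status, bans): 413 if oversized, 422 if unparsable, 200 with the list on success.

    A 200 here means the handler can go on to store the bans and answer 204.
    """
    if not data:
        return 422, None
    if len(data) > max_bytes:
        return 413, None
    try:
        # mode "r" auto-detects compression, so a small compressed archive could
        # expand far beyond the upload size; the member size check caps that.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
            member = tar.getmember(BAN_FILE_MEMBER)  # KeyError if the member is absent
            if member.size > max_bytes:
                return 413, None
            stream = tar.extractfile(member)  # None for non-regular members
            if stream is None:
                return 422, None
            raw = stream.read(max_bytes + 1)
        bans = json.loads(raw)
    except (tarfile.TarError, KeyError, ValueError):
        return 422, None
    if not isinstance(bans, list) or not all(
        isinstance(ban, dict) and all(field in ban for field in REQUIRED_FIELDS)
        for ban in bans
    ):
        return 422, None
    return 200, bans
```

    Checking the size twice (raw upload, then the declared member size) matters because the second check is what protects against an archive that is small on the wire but large once extracted.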


    Endpoint: /ban/<ban_id>

    Method: GET

    Description: Used to check whether a ban with the given ban_id exists.

    Input arguments: ID of the ban, as a URL path parameter

    Result:

    • HTTP OK [200] indicating a successful operation; the response body contains the ban information as JSON if the ban exists, or an empty JSON object {} if no ban with the given ID exists
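    To make the ban semantics of /banned-users and /ban/<ban_id> concrete, here is an added in-memory model (not the project's database code; the page does not describe its schema). It keys bans by userId so that a later ban for the same user replaces the earlier one, answers the GET lookup with the ban or an empty {}, and treats validityTo as a millisecond UNIX timestamp as in the example ban above. The BanStore class and its method names are assumptions made for this example.

```python
import time
from typing import Dict, Optional


class BanStore:
    """In-memory stand-in for the bans database (assumption for this example)."""

    def __init__(self) -> None:
        # One ban per user: PUT /banned-users replaces an existing ban for that user.
        self._by_user: Dict[str, dict] = {}

    def put_bans(self, bans: list) -> int:
        """PUT /banned-users semantics: store each ban, replacing any earlier ban of the same user."""
        for ban in bans:
            self._by_user[str(ban["userId"])] = dict(ban)
        return len(self._by_user)

    def get_ban(self, ban_id: int) -> dict:
        """GET /ban/<ban_id> semantics: the ban as a dict, or {} when no such ban exists."""
        for ban in self._by_user.values():
            if ban["id"] == ban_id:
                return dict(ban)
        return {}

    def is_banned(self, user_id: str, now_ms: Optional[int] = None) -> bool:
        """True while the user's ban has not yet expired (validityTo is a ms UNIX timestamp)."""
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        ban = self._by_user.get(str(user_id))
        return ban is not None and int(ban["validityTo"]) > now_ms
```

    The login check uses the expiry rather than mere presence of a record, so an expired ban stops blocking the user without anyone having to delete it.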