Merge pull request #45 from rockychen-dpaw/master

Upgrade python & Customize singout page per domain

.github/workflows/image-build-scan.yml

@@ -0,0 +1,72 @@
+name: "Build Docker image and run Trivy vulnerability scan"
+
+on:
+  push:
+    # Publish `master` as `latest` image.
+    branches: [master]
+    # Publish `2.*` tags as releases.
+    tags: ['2.*']
+  pull_request:
+    branches: [master]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=true
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+  scan:
+    name: Trivy scan
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          vuln-type: 'os,library'
+          severity: 'HIGH,CRITICAL'
+          format: template
+          template: '@/contrib/sarif.tpl'
+          output: trivy-results.sarif
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif

Dockerfile

@@ -1,19 +1,20 @@
 # Prepare the base environment.
-FROM python:3.7.8-slim-buster as builder_base_authome
+FROM python:3.10.12-slim-buster as builder_base_authome
 MAINTAINER asi@dbca.wa.gov.au
+LABEL org.opencontainers.image.source https://github.com/dbca-wa/authome
 RUN apt-get update -y \
   && apt-get upgrade -y \
-  && apt-get install --no-install-recommends -y wget python3-dev \
+  && apt-get install -y wget libmagic-dev gcc binutils python3-dev libpq-dev \
   && rm -rf /var/lib/apt/lists/* \
   && pip install --upgrade pip
 
 #install and config poetry
-ENV POETRY_VERSION=1.0.5
-RUN pip install "poetry==$POETRY_VERSION"
 WORKDIR /app
-COPY poetry.lock pyproject.toml ./
+ENV POETRY_VERSION=1.5.1
+RUN pip install "poetry==$POETRY_VERSION"
+COPY poetry.lock pyproject.toml /app/
 RUN poetry config virtualenvs.create false \
-  && poetry install --no-dev --no-interaction --no-ansi
+  && poetry install --only main --no-interaction --no-ansi
 
 # Install Python libs from pyproject.toml.
 FROM builder_base_authome as python_libs_authome
@@ -64,7 +65,6 @@ fi \n\
 
 RUN chmod 555 run_command
 
-
 # Run the application as the www-data user.
 USER www-data
 EXPOSE 8080

authome/admin/admin.py

@@ -8,15 +8,13 @@
 from django.contrib import messages, auth
 from django.core.exceptions import ObjectDoesNotExist
 from django.utils.html import mark_safe
-from django.templatetags.static import static
 from django.db.models import Q
 from django.contrib.admin.views.main import ChangeList
 from django.urls import reverse
 from django.template.response import TemplateResponse
 
 from .. import models
 from .. import forms
-from ..cache import cache
 
 logger = logging.getLogger(__name__)
 
@@ -27,7 +25,7 @@ def change_view(self,request,*args,**kwargs):
         except Exception as ex:
             self.message_user(request, str(ex),level=messages.ERROR)
             return HttpResponseRedirect(request.get_full_path())
-            
+
 class ExtraToolsChangeList(ChangeList):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -51,7 +49,7 @@ def get_queryset(self, request):
             return qs
         else:
             qs = qs.only("id")
-            ids = [o.id for o in qs if models.can_access(request.user.email,settings.AUTH2_DOMAIN,reverse(self.object_change_url_name, args=(o.id,)))] 
+            ids = [o.id for o in qs if models.can_access(request.user.email,settings.AUTH2_DOMAIN,reverse(self.object_change_url_name, args=(o.id,)))]
             return self.model.objects.filter(id__in=ids)
 
     def has_add_permission(self, request, obj=None):
@@ -640,6 +638,15 @@ class SystemUserAccessTokenAdmin(PermissionCheckMixin,AccessTokenAdmin):
     object_change_url_name = 'admin:{}_{}_change'.format(SystemUserToken._meta.app_label,SystemUserToken._meta.model_name)
     object_delete_url_name = 'admin:{}_{}_delete'.format(SystemUserToken._meta.app_label,SystemUserToken._meta.model_name)
 
+    def has_change_permission(self, request, obj=None):
+        return False
+
+    def has_add_permission(self, request, obj=None):
+        return False
+
+    def has_delete_permission(self, request, obj=None):
+        return False
+
 
 for token_lifetime in settings.USER_ACCESS_TOKEN_LIFETIME:
     method_name = 'create_{}days_token'.format(token_lifetime) if token_lifetime > 0 else 'create_permenent_token'
@@ -668,7 +675,7 @@ class CustomizableUserflowAdmin(PermissionCheckMixin,CacheableListTitleMixin,Dat
     list_display = ('domain','fixed','default','mfa_set',"mfa_reset",'password_reset','_modified','_created')
     readonly_fields = ('_modified','_created')
     form = forms.CustomizableUserflowForm
-    fields = ('domain','fixed','default','mfa_set',"mfa_reset",'password_reset','extracss','page_layout',"verifyemail_from","verifyemail_subject","verifyemail_body","sortkey",'_modified','_created')
+    fields = ('domain','fixed','default','mfa_set',"mfa_reset",'password_reset','extracss','page_layout',"verifyemail_from","verifyemail_subject","verifyemail_body","signedout_url","relogin_url","signout_body","sortkey",'_modified','_created')
     ordering = (models.sortkey_c.asc(),)
     search_fields=("domain",)
 

authome/admin/clusteradmin.py

@@ -150,6 +150,24 @@ class CustomizableUserflowAdmin(SyncConfigChangeMixin,admin.CustomizableUserflow
 class UserAdmin(SyncObjectChangeMixin,admin.UserAdmin):
     def _sync_change(self,objids):
         return cache.users_changed(objids,True)
+
+    def save_model(self, request, obj, form, change):
+        """
+        Given a model instance save it to the database.
+        """
+        userid = obj.id
+        result = super().save_model(request,obj,form,change)
+        if userid:
+            #update existing user
+            changed_clusters,not_changed_clusters,failed_clusters = cache.user_changed(userid)
+            if failed_clusters:
+                self.message_user(
+                    request, 
+                    "Failed to send change event of the user({1}<{0}>) to some clusters.{2} ".format(obj.id,obj.email,["{}:{}".format(c,str(e)) for c,e in failed_clusters]),
+                    level=messages.ERROR
+                )
+        return result
+
 
 class UserAccessTokenAdmin(SyncObjectChangeMixin,admin.UserAccessTokenAdmin):
     def _sync_change(self,objids):

authome/cache/cache.py

@@ -304,23 +304,38 @@ def userflows(self):
         self.refresh_userflow_cache()
         return self._userflows
 
+    def _find_userflows(self,domain):
+        userflows = self._userflows_map.get(domain)
+        if not userflows:
+            userflows = []
+            for o in self._userflows:
+                if o.request_domain.match(domain):
+                    userflows.append(o)
+            if not userflows:
+                userflows.append(self._defaultuserflow)
+            self._userflows_map[domain] = userflows
+        logger.debug("Find the userflow({1}) for domain '{0}'".format(domain,userflows))
+        return userflows
+
+    def find_userflows(self,domain=None):
+        """
+        find matched userflows, if can't find, return default userflow
+        if domain is None, return default userflow
+        """
+        self.refresh_userflow_cache()
+        if domain:
+            return self._find_userflows(domain)
+        else:
+            return [self._defaultuserflow]
+
     def get_userflow(self,domain=None):
         """
         Get the userflow configured for that domain, if can't find, return default userflow
         if domain is None, return default userflow
         """
         self.refresh_userflow_cache()
         if domain:
-            userflow = self._userflows_map.get(domain)
-            if not userflow:
-                for o in self._userflows:
-                    if o.request_domain.match(domain):
-                        userflow = o
-                        break
-                userflow = userflow or self._defaultuserflow
-                self._userflows_map[domain] = userflow
-            logger.debug("Find the userflow({1}) for domain '{0}'".format(domain,userflow.domain))
-            return userflow
+            return self._find_userflows(domain)[0]
         else:
             return self._defaultuserflow
 

authome/forms/__init__.py

@@ -3,4 +3,5 @@
 from .forms import *
 
 if settings.AUTH2_CLUSTER_ENABLED:
-    from .clusterforms import UserEditForm
+    #from .clusterforms import UserEditForm
+    pass

authome/forms/forms.py

@@ -95,6 +95,9 @@ class Meta:
             'extracss': djangoforms.Textarea(attrs={'style':'width:80%;height:100px'}),
             'page_layout': djangoforms.Textarea(attrs={'style':'width:80%;height:500px'}),
             'verifyemail_body': djangoforms.Textarea(attrs={'style':'width:80%;height:500px'}),
-            'verifyemail_subject': djangoforms.TextInput(attrs={'style':'width:80%;'})
+            'verifyemail_subject': djangoforms.TextInput(attrs={'style':'width:80%;'}),
+            'signedout_url': djangoforms.TextInput(attrs={'style':'width:80%;'}),
+            'relogin_url': djangoforms.TextInput(attrs={'style':'width:80%;'}),
+            'signout_body': djangoforms.Textarea(attrs={'style':'width:80%;height:500px'})
         }