- May 22, 2024
-
-
Julian authored
Closes #163
-
- May 18, 2024
-
-
Julian authored
Prerequisite for doing the same to OAuth2 state. This is required for implementing missing OIDC features later.
-
- Mar 25, 2024
-
-
Julian authored
-
- Nov 13, 2022
-
-
Julian authored
-
- Oct 22, 2022
-
- Aug 15, 2022
-
-
Julian authored
Move all models, views, cli commands and templates into corresponding top-level folders. Detailed changes: - uffd/<NAME>/models.py -> uffd/models/<NAME>.py - uffd/<NAME>/cli.py -> uffd/commands/<NAME>.py - uffd/<NAME>/views.py -> uffd/views/<NAME>.py - uffd/<NAME>/templates/* -> uffd/templates/ - uffd/ratelimit.py -> uffd/models/ratelimit.py (it contains models) - gendevcert from uffd/__init__.py -> uffd/commands/gendevcert.py - profile from uffd/__init__.py -> uffd/commands/profile.py - cleanup from uffd/tasks.py -> uffd/commands/cleanup.py - roles-update-all from uffd/role/views.py -> uffd/commands/... - Views from uffd/__init__.py -> uffd/views/__init__.py - All models can/should be imported from uffd.models - flask shell auto-imports all models instead of only a few The old structure was meant to keep the code modular and related code/resources close to each other. However, the modules turned out to be heavily interdependent and not very modular. Also importing was fragile due to ordering issues. With the new structure the dependency tree is much simpler: Infrastructure code (top-level *.py files) has no internal dependencies. Models only depend on infrastructure and other models. Views and cli commands depend on infrastructure, models and other views/commands. Going forward there is still some restructuring to do, e.g.: - Move mfa setup views to selfservice views - Move mfa auth views to session views - Move utility code from views to infrastructure (e.g. login_required) - In most cases views should not need to import from other views - Reorganize infrastructure code
-
- Feb 24, 2022
-
-
Julian authored
Also adds a shallow Service model that coexists with the config-defined services to group multiple OAuth2 and API clients together. Clients defined in the config with OAUTH2_CLIENTS and API_CLIENTS_2 are imported by the database migrations. Removes support for complex values for the OAuth2 client group_required option. Only simple group names are supported, not (nested) lists of groups previously interpreted as AND/OR conjunctions. Also removes support for the login_message parameter of OAuth2 clients.
-
- Feb 13, 2022
-
-
Julian authored
Previously User used salted SHA512 with OpenLDAP-style prefix syntax and Signup used crypt. Both models had their own hashing and verification code. Now both use OpenLDAP-style syntax with support for all traditional formats including crypt. Salted SHA512 is used for new User and Signup passwords. Existing Signup objects are migrated to the new format and remain functional. User passwords now support gradual migration to another hash algorithm when it is changed in the future. This code is planned to be used for database-stored API and OAuth2 client secrets.
-
- Oct 02, 2021
-
-
Julian authored
* Removal of ldapalchemy and LDAP mocking support * Removal of dependency on ldap3 (except for the migration) * Remaining "LDAP_<name>" config keys are renamed to "<name>" * Web interface to create, edit and delete groups * Consistent foreign key, cascading and nullable configuration on all models * User/Group.dn is replaced with numeric User/Group.id * User.uid is renamed to User.unix_uid (to differentiate with new User.id) * Group.gid is renamed to Group.unix_gid (to differentiate with new Group.id) * All User/Group/Mail related routes now use the database ids instead of uid/gid/dn * PasswordToken/MailToken now reference users directly instead of storing loginnames The database migration (optionally) uses the v1 config keys to connect to an LDAP server and to import all users, groups and mail forwardings.
-
- Sep 05, 2021
-
-
Julian authored
Fixes #104. Replaced "group" keyword argument for login_required with "permission_check". Most views already define a *_acl_check function that returns whether the current user has the required permissions for use with register_navbar. The same function can now be passed to login_required as the "permission_check" argument. Differenciated login and selfservice access permissions. Previously ACL_SELFSERVICE_GROUP was required to login. Now ACL_ACCESS_GROUP is required to login and ACL_SELFSERVICE_GROUP is required to access selfservice functions (and to use role-granting invite links). A user with just ACL_ACCESS_GROUP can now login, access the services overview page and authenticate with OAuth2 services he has access to, but not change his user attributes, password or roles/permissions.
-
- Aug 30, 2021
-
-
Julian authored
Ldap3 raises LDAPSASLPrepError on bind if the password contains characters forbidden by SASLPrep (string preperation/normalization algorithm for user names and passwords). Examples are carriage return ("\r") or newline ("\n") characters. See #100.
-
- Jul 26, 2021
-
-
Julian authored
For password reset this prevents circumventing the loginname/email-based ratelimit.
-
- Jul 23, 2021
-
-
Julian authored
-
- Jun 13, 2021
-
-
Julian authored
-
- May 01, 2021
-
-
sistason authored
-
- Feb 15, 2021
-
-
Julian authored
-
- Nov 04, 2020
-
-
Julian authored
-
- Nov 03, 2020
-
-
Julian authored
-
- Oct 26, 2020
-
-
Julian authored
Add a few unit tests as well as integration tests that cover almost all views. Also fixed a lot of HTML validator errors.
-