  1. May 22, 2024
  2. May 18, 2024
  3. Mar 25, 2024
  4. Nov 13, 2022
  5. Oct 22, 2022
    • Restructure tests · 0bd26ee8
      Julian authored
      Restructure tests into views/models/commands subdirectories to mirror the new
      source tree structure introduced with ac731bf4 (Restructure source tree).
  6. Aug 15, 2022
    • Restructure source tree · ac731bf4
      Julian authored
      Move all models, views, cli commands and templates into corresponding
      top-level folders. Detailed changes:
      
      - uffd/<NAME>/models.py -> uffd/models/<NAME>.py
      - uffd/<NAME>/cli.py -> uffd/commands/<NAME>.py
      - uffd/<NAME>/views.py -> uffd/views/<NAME>.py
      - uffd/<NAME>/templates/* -> uffd/templates/
      - uffd/ratelimit.py -> uffd/models/ratelimit.py (it contains models)
      - gendevcert from uffd/__init__.py -> uffd/commands/gendevcert.py
      - profile from uffd/__init__.py -> uffd/commands/profile.py
      - cleanup from uffd/tasks.py -> uffd/commands/cleanup.py
      - roles-update-all from uffd/role/views.py -> uffd/commands/...
      - Views from uffd/__init__.py -> uffd/views/__init__.py
      - All models can/should be imported from uffd.models
      - flask shell auto-imports all models instead of only a few
      
      The old structure was meant to keep the code modular and related
      code/resources close to each other. However, the modules turned out to
      be heavily interdependent and not very modular. Also importing was fragile
      due to ordering issues.
      
      With the new structure the dependency tree is much simpler: Infrastructure
      code (top-level *.py files) has no internal dependencies. Models only
      depend on infrastructure and other models. Views and cli commands depend
      on infrastructure, models and other views/commands.
      
      Going forward there is still some restructuring to do, e.g.:
      
      - Move mfa setup views to selfservice views
      - Move mfa auth views to session views
      - Move utility code from views to infrastructure (e.g. login_required)
      - In most cases views should not need to import from other views
      - Reorganize infrastructure code
  7. Feb 24, 2022
    • Migrate OAuth2 and API clients to database · fa67bde0
      Julian authored
      Also adds a shallow Service model that coexists with the config-defined
      services to group multiple OAuth2 and API clients together.
      
      Clients defined in the config with OAUTH2_CLIENTS and API_CLIENTS_2 are
      imported by the database migrations.
      
      Removes support for complex values for the OAuth2 client group_required option.
      Only simple group names are supported, not (nested) lists of groups previously
      interpreted as AND/OR conjunctions. Also removes support for the login_message
      parameter of OAuth2 clients.
  8. Feb 13, 2022
    • Unified password hashing for User and Signup · 117e257c
      Julian authored
      Previously User used salted SHA512 with OpenLDAP-style prefix syntax and
      Signup used crypt. Both models had their own hashing and verification
      code. Now both use OpenLDAP-style syntax with support for all traditional
      formats including crypt. Salted SHA512 is used for new User and Signup
      passwords.
      
      Existing Signup objects are migrated to the new format and remain functional.
      User passwords now support gradual migration to another hash algorithm when
      it is changed in the future.
      
      This code is planned to be used for database-stored API and OAuth2 client
      secrets.
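      The scheme described in this commit message, as an added example that is not uffd's own code: OpenLDAP-style "{SCHEME}base64" strings, salted SHA-512 for new passwords, verification of older schemes, and a login-time rehash so stored values migrate gradually when the default scheme changes. It covers {SSHA512} and an unsalted {SHA512} as the "legacy" scheme; crypt and the other traditional formats the commit mentions are not included here. Function names, the salt length and the default scheme constant are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Scheme used for newly set passwords. The stored form is "{SSHA512}" followed by
# base64(sha512(password + salt) + salt), the digest-then-salt layout OpenLDAP
# uses for its salted hashes. (Constant names are assumptions for this example.)
DEFAULT_SCHEME = "SSHA512"
SHA512_LEN = 64
SALT_LEN = 16


def hash_password(password: str, scheme: str = DEFAULT_SCHEME) -> str:
    """Return an OpenLDAP-style "{SCHEME}base64" string for a new password."""
    pw = password.encode("utf-8")
    if scheme == "SSHA512":
        salt = secrets.token_bytes(SALT_LEN)
        digest = hashlib.sha512(pw + salt).digest()
        return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")
    if scheme == "SHA512":  # unsalted legacy scheme, kept only so old values verify
        digest = hashlib.sha512(pw).digest()
        return "{SHA512}" + base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def _parse(stored: str) -> Tuple[str, bytes]:
    """Split "{SCHEME}payload" into (SCHEME, decoded payload); ValueError if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, payload = stored[1:].partition("}")
    # binascii.Error (bad base64) is a subclass of ValueError.
    return scheme.upper(), base64.b64decode(payload, validate=True)


def verify_password(stored: str, password: str) -> bool:
    """Constant-time comparison of the password against a stored hash of any known scheme."""
    try:
        scheme, raw = _parse(stored)
    except ValueError:
        return False
    pw = password.encode("utf-8")
    if scheme == "SSHA512":
        if len(raw) <= SHA512_LEN:  # no salt present: reject rather than guess
            return False
        digest, salt = raw[:SHA512_LEN], raw[SHA512_LEN:]
        return hmac.compare_digest(hashlib.sha512(pw + salt).digest(), digest)
    if scheme == "SHA512":
        return hmac.compare_digest(hashlib.sha512(pw).digest(), raw)
    return False  # unknown or unparsable scheme: never accept


def needs_rehash(stored: str) -> bool:
    """True when the stored value does not use DEFAULT_SCHEME."""
    try:
        scheme, _ = _parse(stored)
    except ValueError:
        return True
    return scheme != DEFAULT_SCHEME


def check_and_upgrade(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Login-time check. Returns (accepted, replacement hash to persist or None).

    The replacement is produced only after a successful verification, so the
    migration happens one login at a time without ever holding plaintext longer
    than the request.
    """
    if not verify_password(stored, password):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None
```

      On a successful login the caller stores the returned replacement hash, if any; changing DEFAULT_SCHEME later migrates every account at its next login while old values keep verifying.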
  9. Oct 02, 2021
    • Move User, Group and Mail models from LDAP to DB · 4a9c455f
      Julian authored
      * Removal of ldapalchemy and LDAP mocking support
      * Removal of dependency on ldap3 (except for the migration)
      * Remaining "LDAP_<name>" config keys are renamed to "<name>"
      * Web interface to create, edit and delete groups
      * Consistent foreign key, cascading and nullable configuration on all models
      * User/Group.dn is replaced with numeric User/Group.id
      * User.uid is renamed to User.unix_uid (to differentiate with new User.id)
      * Group.gid is renamed to Group.unix_gid (to differentiate with new Group.id)
      * All User/Group/Mail related routes now use the database ids instead of uid/gid/dn
      * PasswordToken/MailToken now reference users directly instead of storing loginnames
      
      The database migration (optionally) uses the v1 config keys to connect to
      an LDAP server and to import all users, groups and mail forwardings.
  10. Sep 05, 2021
    • Refactor permission checking and differentiate login and selfservice access · e6df5bbe
      Julian authored
      Fixes #104.
      
      Replaced "group" keyword argument for login_required with "permission_check".
      Most views already define a *_acl_check function that returns whether the
      current user has the required permissions for use with register_navbar. The
      same function can now be passed to login_required as the "permission_check"
      argument.
      
      Differentiated login and selfservice access permissions. Previously
      ACL_SELFSERVICE_GROUP was required to login. Now ACL_ACCESS_GROUP is required
      to login and ACL_SELFSERVICE_GROUP is required to access selfservice functions
      (and to use role-granting invite links). A user with just ACL_ACCESS_GROUP can
      now login, access the services overview page and authenticate with OAuth2
      services he has access to, but not change his user attributes, password or
      roles/permissions.
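      The two-tier access model and the permission_check argument described in this commit message, as an added, framework-free example that is not uffd's own code: login_required always demands ACL_ACCESS_GROUP, and a view's *_acl_check function is passed in to gate the selfservice and admin views. The User class, the group values, the ACL_ADMIN_GROUP name, the exception types and the dispatch helper are assumptions made for the example.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional, Set

# Config keys as named in the commit message; the group values are constructed here.
ACL_ACCESS_GROUP = "uffd_access"
ACL_SELFSERVICE_GROUP = "uffd_selfservice"
ACL_ADMIN_GROUP = "uffd_admin"  # assumption: a group gating the user management views


@dataclass
class User:
    loginname: str
    groups: Set[str] = field(default_factory=set)

    def is_in_group(self, name: str) -> bool:
        return name in self.groups


class Unauthorized(Exception):
    """No usable session: the caller must log in (a web layer answers 401)."""


class Forbidden(Exception):
    """Logged in, but the view's permission check failed (403)."""


def login_required(permission_check: Optional[Callable[[User], bool]] = None):
    """Require a user holding ACL_ACCESS_GROUP, then run the view's permission_check.

    Replaces a "group" keyword argument with a callable, so the same *_acl_check
    function can drive both navbar visibility and request authorization.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(user: Optional[User], *args, **kwargs):
            if user is None or not user.is_in_group(ACL_ACCESS_GROUP):
                raise Unauthorized("login required")
            if permission_check is not None and not permission_check(user):
                raise Forbidden(f"{user.loginname} lacks permission for {view.__name__}")
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


# *_acl_check functions: one per view group, reusable wherever a yes/no is needed.
def selfservice_acl_check(user: User) -> bool:
    return user.is_in_group(ACL_SELFSERVICE_GROUP)


def user_admin_acl_check(user: User) -> bool:
    return user.is_in_group(ACL_ADMIN_GROUP)


@login_required()  # ACL_ACCESS_GROUP alone is enough for the services overview
def services_overview(user: User) -> str:
    return f"services for {user.loginname}"


@login_required(permission_check=selfservice_acl_check)
def selfservice_change_password(user: User) -> str:
    return f"password form for {user.loginname}"


@login_required(permission_check=user_admin_acl_check)
def user_list(user: User) -> str:
    return "all users"


def dispatch(view: Callable[[Optional[User]], str], user: Optional[User]) -> int:
    """Map the decorator's outcome to the HTTP status a web layer would send."""
    try:
        view(user)
    except Unauthorized:
        return 401
    except Forbidden:
        return 403
    return 200
```

      Note the ordering inside the wrapper: the access-group check runs before the view-specific check, so a user who is in ACL_SELFSERVICE_GROUP but not in ACL_ACCESS_GROUP still cannot reach selfservice views.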
  11. Aug 30, 2021
    • Catch LDAPSASLPrepError on login · 3f6a67ea
      Julian authored
      Ldap3 raises LDAPSASLPrepError on bind if the password contains characters
      forbidden by SASLPrep (string preparation/normalization algorithm for user
      names and passwords). Examples are carriage return ("\r") or newline ("\n")
      characters. See #100.
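      The SASLprep profile (RFC 4013) that ldap3 applies before a bind, as an added example that is neither uffd's nor ldap3's code, built only on Python's standard-library stringprep tables. It shows why "\r" and "\n" are rejected (they fall in RFC 3454 table C.2.1, ASCII control characters) and provides a pre-check that lets a login path treat such a password as a failed login instead of an unhandled exception. Function and exception names are assumptions for the example.

```python
import stringprep
import unicodedata


class SASLPrepError(ValueError):
    """Raised when a string contains code points SASLprep prohibits."""


# RFC 4013 section 2.3: prohibited output, expressed as RFC 3454 tables.
_PROHIBITED = (
    stringprep.in_table_c12,  # non-ASCII space characters
    stringprep.in_table_c21,  # ASCII control characters (this is where "\r" and "\n" fall)
    stringprep.in_table_c22,  # non-ASCII control characters
    stringprep.in_table_c3,   # private use
    stringprep.in_table_c4,   # non-character code points
    stringprep.in_table_c5,   # surrogate code points
    stringprep.in_table_c6,   # inappropriate for plain text
    stringprep.in_table_c7,   # inappropriate for canonical representation
    stringprep.in_table_c8,   # change display properties or are deprecated
    stringprep.in_table_c9,   # tagging characters
)


def saslprep(value: str, stored: bool = False) -> str:
    """Apply the SASLprep profile and return the prepared string.

    stored=True applies the stricter "stored string" rule that rejects code points
    unassigned in Unicode 3.2; a password presented at login is a query, so the
    default leaves them alone.
    """
    # 1. Mapping: non-ASCII spaces become SPACE, "commonly mapped to nothing" vanish.
    mapped = []
    for ch in value:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif stringprep.in_table_b1(ch):
            continue
        else:
            mapped.append(ch)
    # 2. Normalization with NFKC.
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # 3. Prohibited output, checked after normalization.
    for ch in out:
        for table in _PROHIBITED:
            if table(ch):
                raise SASLPrepError(f"prohibited code point U+{ord(ch):04X}")
        if stored and stringprep.in_table_a1(ch):
            raise SASLPrepError(f"unassigned code point U+{ord(ch):04X}")
    # 4. Bidirectional rules (RFC 3454 section 6): no mixing of RandALCat and LCat,
    #    and a RandALCat string must start and end with a RandALCat character.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise SASLPrepError("mixed right-to-left and left-to-right characters")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise SASLPrepError("right-to-left string must start and end with RandALCat")
    return out


def is_saslprep_safe(password: str) -> bool:
    """True when the password would survive SASLprep, i.e. a bind can be attempted."""
    try:
        saslprep(password)
    except SASLPrepError:
        return False
    return True


def login_allowed_to_bind(password: str) -> bool:
    """Login-path pre-check: an unpreparable password is simply a failed login.

    Returning False here gives the same user-visible result as a wrong password,
    without leaking which characters were rejected.
    """
    return is_saslprep_safe(password)
```

      Running the check before the bind keeps the failure inside the normal "invalid credentials" path; catching the library's own error after the bind, as the commit does, has the same effect.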
  12. Jul 26, 2021
  13. Jul 23, 2021
  14. Jun 13, 2021
  15. May 01, 2021
  16. Feb 15, 2021
  17. Nov 04, 2020
  18. Nov 03, 2020
  19. Oct 26, 2020