Skip to content
Snippets Groups Projects
Select Git revision
  • claims-in-idtoke
  • master default protected
  • jwt_encode_inconsistencies
  • recovery-code-pwhash
  • incremental-sync
  • redis-rate-limits
  • typehints
  • v1.2.x
  • v1.x.x
  • v1.1.x
  • feature_invite_validuntil_minmax
  • Dockerfile
  • v1.0.x
  • roles-recursive-cte
  • v2.3.1
  • v2.3.0
  • v2.2.0
  • v2.1.0
  • v2.0.1
  • v2.0.0
  • v1.2.0
  • v1.1.2
  • v1.1.1
  • v1.0.2
  • v1.1.0
  • v1.0.1
  • v1.0.0
  • v0.3.0
  • v0.2.0
  • v0.1.5
  • v0.1.4
  • v0.1.2
32 results
Compare
Forked from uffd / uffd
78 commits behind the upstream repository.
Julian Rother's avatar
Unified password hashing for User and Signup
Julian authored 
Previously User used salted SHA512 with OpenLDAP-style prefix syntax and
Signup used crypt. Both models had their own hashing and verification
code. Now both use OpenLDAP-style syntax with support for all traditional
formats including crypt. Salted SHA512 is used for new User and Signup
passwords.

Existing Signup objects are migrated to the new format and remain functional.
User passwords now support gradual migration to another hash algorithm when
it is changed in the future.

This code is planned to be used for database-stored API and OAuth2 client
secrets.
117e257c
History
Julian Rother's avatar 117e257c
History
Name Last commit Last update
debian
tests
uffd
.gitignore
.gitlab-ci.yml
.pylintrc
LICENSE
MANIFEST.in
README.md
cccv-archive-key.gpg
check_migrations.py
nginx.include.conf
pytest.ini
requirements.txt
setup.py
update_translations.sh
uwsgi.ini
README.md

Uffd

Uffd (UserFerwaltungsFrontend) is a web-based user management and single sign-on software.

Development chat: #uffd-development

Dependencies

Please note that we refer to Debian packages here and not pip packages.

  • python3
  • python3-flask
  • python3-flask-sqlalchemy
  • python3-flask-migrate
  • python3-qrcode
  • python3-fido2 (version 0.5.0 or 0.9.1, optional)
  • python3-oauthlib
  • python3-flask-babel
  • python3-mysqldb or python3-pymysql for MySQL/MariaDB support

Some of the dependencies (especially fido2) changed their API in recent versions, so make sure to install the versions from Debian Buster or Bullseye. For development, you can also use virtualenv with the supplied requirements.txt.

Development

Before running uffd, you need to create the database with flask db upgrade. The database is placed in instance/uffd.sqlit3.

Then use flask run to start the application:

FLASK_APP=uffd flask db upgrade
FLASK_APP=uffd FLASK_ENV=development flask run

During development, you may want to create some example data:

export FLASK_APP=uffd
flask group create 'uffd_access' --description 'Access to Single-Sign-On and Selfservice'
flask group create 'uffd_admin' --description 'Admin access to uffd'
flask role create 'base' --default --add-group 'uffd_access'
flask role create 'admin' --default --add-group 'uffd_admin'
flask user create 'testuser' --password 'userpassword' --mail 'test@example.com' --displayname 'Test User'
flask user create 'testadmin' --password 'adminpassword' --mail 'admin@example.com' --displayname 'Test Admin' --add-role 'admin'

Afterwards you can login as a normal user with "testuser" and "userpassword", or as an admin with "testad min" and "adminpassword".

Deployment

Do not use pip install uffd for production deployments! The dependencies of the pip package roughly represent the versions shipped by Debian stable. We do not keep them updated and we do not test the pip package! The pip package only exists for local testing/development and to help build the Debian package.

We provide packages for Debian stable and oldstable (currently Bullseye and Buster). Since all dependencies are available in the official package mirrors, you will get security updates for everything but uffd itself from Debian.

To install uffd on Debian Bullseye, add our package mirror to /etc/sources.list:

deb https://packages.cccv.de/uffd bullseye main

Then download cccv-archive-key.gpg and add it to the trusted repository keys in /etc/apt/trusted.gpg.d/. Afterwards run apt update && apt install uffd to install the package.

The Debian package uses uwsgi to run uffd and ships an uffd-admin to execute flask commands in the correct context. If you upgrade, make sure to run flask db upgrade after every update! The Debian package takes care of this by itself using uwsgi pre start hooks. For an example uwsgi config, see our uswgi.ini. You might find our nginx include file helpful to setup a web server in front of uwsgi.

Migration from version 1

If a custom config file name was set with CONFIG_FILENAME, this must be replaced with CONFIG_PATH. The new variable must be set to a full path instead of a filename relative to the application's instance directory.

Prior to version 2 uffd stored users, groups and mail aliases in an LDAP server. To migrate from version 1 to a later version, make sure to keep the v1 config file as it is with all LDAP settings. Running the database migrations with flask db upgrade automatically imports all users, groups and mail forwardings from LDAP to the database. Note that all LDAP attributes must be readable, including the password field. Make sure to have a working backup of the database before running the database upgrade! Downgrading is not supported.

After running the migrations you can remove all LDAP_*-prefixed settings from the config file except the following ones that are renamed:

  • LDAP_USER_GID -> USER_GID
  • LDAP_USER_MIN_UID -> USER_MIN_UID
  • LDAP_USER_MAX_UID -> USER_MAX_UID
  • LDAP_USER_SERVICE_MIN_UID -> USER_SERVICE_MIN_UID
  • LDAP_USER_SERVICE_MAX_UID -> USER_SERVICE_MAX_UID
  • LDAP_GROUP_MIN_GID -> GROUP_MIN_GID
  • LDAP_GROUP_MAX_GID -> GROUP_MAX_GID

Upgrading will not perform any write access to the LDAP server.

If the config option ACL_SELFSERVICE_GROUP is set but not ACL_ACCESS_GROUP, make sure to set ACL_ACCESS_GROUP to the same value as ACL_SELFSERVICE_GROUP,

Python Coding Style Conventions

PEP 8 without double new lines, tabs instead of spaces and a max line length of 160 characters. We ship a pylint config to verify changes with.

Configuration

Uffd reads its default config from uffd/default_config.cfg. You can overwrite config variables by creating a config file in the instance folder. The file must be named config.cfg (Python syntax), config.json or config.yml/config.yaml. You can also set a custom file path with the environment variable CONFIG_PATH.

OAuth2 Single-Sign-On Provider

Other services can use uffd as an OAuth2.0-based authentication provider. The required credentials (client_id, client_secret and redirect_uris) for these services are defined in the config. The services need to be setup to use the following URLs with the Authorization Code Flow:

  • /oauth2/authorize: authorization endpoint
  • /oauth2/token: token request endpoint
  • /oauth2/userinfo: endpoint that provides information about the current user

The userinfo endpoint returns json data with the following structure:

{
  "id": 10000,
  "name": "Test User",
  "nickname": "testuser"
  "email": "testuser@example.com",
  "groups": [
    "uffd_access",
    "users"
  ],
}

id is the numeric (Unix) user id, name the display name and nickname the loginname of the user.

Translation

The web frontend is initially written in English and translated in the following Languages:

status

The selection uses the language browser header by default but can be overwritten via a UI element. You can specify the available languages in the config.

Use the update_translations.sh to update the translation files.

License

GNU Affero General Public License v3.0, see LICENSE.

Impressum - Datenschutzerklärung