public inbox for [email protected]
feature #6640 (3 messages, 3 participants)
* feature #6640 @ 2021-10-10 10:42 Florian Sabonchi <[email protected]> 0 siblings, 2 replies; 3+ messages in thread From: Florian Sabonchi @ 2021-10-10 10:42 UTC (permalink / raw) To: pgadmin-hackers Hi I have written a patch for feature #6640 Attachments: [text/x-patch] 0001-first-draft-for-feature-6640.patch (3.7K, 2-0001-first-draft-for-feature-6640.patch) download | inline diff: From fd3978884501845099ca6547cd342ead0f833b14 Mon Sep 17 00:00:00 2001 From: Florian Sabonchi <[email protected]> Date: Sun, 10 Oct 2021 12:38:50 +0200 Subject: [PATCH] first draft for feature #6640 --- docs/en_US/oauth2.rst | 1 + web/config.py | 2 ++ web/pgadmin/authenticate/oauth2.py | 19 +++++++++++++++++-- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst index 4cc2628f5..6cf2f5aba 100644 --- a/docs/en_US/oauth2.rst +++ b/docs/en_US/oauth2.rst @@ -36,6 +36,7 @@ and modify the values for the following parameters: "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to automatically create a pgAdmin user corresponding to a successfully authenticated Oauth2 user. Please note that password is not stored in the pgAdmin database." + "ALLOWED_ORGANIZATIONS", "Github organizations which are allowed. If the user is in an organization that is not in the list, logging in is not possible." Redirect URL ============ diff --git a/web/config.py b/web/config.py index 7a1f4ab1f..ec8ec0959 100644 --- a/web/config.py +++ b/web/config.py @@ -719,6 +719,8 @@ OAUTH2_CONFIG = [ 'OAUTH2_ICON': None, # UI button colour, ex: #0000ff 'OAUTH2_BUTTON_COLOR': None, + # Allowed github organizations + 'ALLOWED_ORGANIZATIONS': [''], } ] diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py index cc1143e06..866e12680 100644 --- a/web/pgadmin/authenticate/oauth2.py +++ b/web/pgadmin/authenticate/oauth2.py 
@@ -8,11 +8,12 @@ ########################################################################## """A blueprint module implementing the Oauth2 authentication.""" +import requests as requests import config from authlib.integrations.flask_client import OAuth -from flask import current_app, url_for, session, request,\ +from flask import current_app, url_for, session, request, \ redirect, Flask, flash from flask_babelex import gettext from flask_security import login_user, current_user @@ -91,7 +92,6 @@ class OAuth2Authentication(BaseAuthentication): def __init__(self): for oauth2_config in config.OAUTH2_CONFIG: - OAuth2Authentication.oauth2_config[ oauth2_config['OAUTH2_NAME']] = oauth2_config @@ -130,6 +130,17 @@ class OAuth2Authentication(BaseAuthentication): user, msg = self.__auto_create_user(profile) if user: + organizations = self.get_organizations(profile['organizations_url']) + + for oauth2_config in config.OAUTH2_CONFIG: + allowed_organizations = oauth2_config['ALLOWED_ORGANIZATIONS'] + if allowed_organizations: + for organization in organizations: + if organization['login'] not in allowed_organizations: + return False, gettext("You are in an organization " + "that is not on the " + "whitelist") + user = db.session.query(User).filter_by( username=profile['email'], auth_source=OAUTH2).first() current_app.login_manager.logout_view = \ @@ -137,6 +148,10 @@ class OAuth2Authentication(BaseAuthentication): return login_user(user), None return False, msg + def get_organizations(self, organizations_url: str): + organizations = requests.get(organizations_url) + return organizations.json() + def get_user_profile(self): session['oauth2_token'] = self.oauth2_clients[ self.oauth2_current_client].authorize_access_token() -- 2.25.1 [application/pgp-keys] OpenPGP_0x9B79A5A968AF5F8F.asc (2.4K, 3-OpenPGP_0x9B79A5A968AF5F8F.asc) download [application/pgp-signature] OpenPGP_signature (665B, 4-OpenPGP_signature) download ^ permalink raw reply [nested|flat] 3+ messages in thread
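Review bot: the new ALLOWED_ORGANIZATIONS row in docs/en_US/oauth2.rst documents the option as GitHub-only ("Github organizations which are allowed"), yet the setting is added to every OAUTH2_CONFIG entry and the check in oauth2.py runs for every provider. Word the row provider-neutrally, cite GitHub as one example, and state what an empty or omitted list means (for instance "leave empty to allow all authenticated users"), because the rst currently says nothing about the default behaviour.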
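Review bot: the default 'ALLOWED_ORGANIZATIONS': [''] in web/config.py is a non-empty list, so the `if allowed_organizations:` guard in oauth2.py sees the feature as enabled on a fresh install and compares every organization login against the empty string; any user who belongs to at least one organization is then refused. Default to an empty list ([]) so the restriction is off until an administrator fills it in, and reword the comment "Allowed github organizations", since the key is not GitHub-specific.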
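Review bot: `import requests as requests` in the first oauth2.py hunk is a redundant alias; `import requests` is enough. The change from `request,\` to `request, \` on the flask import line is unrelated whitespace churn and should be dropped from the patch so the diff contains only the feature.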
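Review bot: the @@ -91,7 +92,6 hunk only deletes a blank line inside __init__ and has nothing to do with feature #6640; drop it to keep the patch focused and easy to rebase.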
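Review bot: the organization check in the @@ -130,6 +130,17 hunk has three logic problems. It loops over all of config.OAUTH2_CONFIG instead of the entry for self.oauth2_current_client, so a list configured for one provider is enforced on users of every provider, and `oauth2_config['ALLOWED_ORGANIZATIONS']` raises KeyError for any entry that lacks the key. Its semantics are inverted for an allowlist: it refuses a user who belongs to any organization not in the list, so a member of an allowed organization who also belongs to an unrelated public one is refused while a user with no organizations at all is admitted; require membership in at least one allowed organization instead. Finally it runs after `self.__auto_create_user(profile)` has succeeded, so a refused user has already been persisted in the pgAdmin database; move the check before auto-creation. Note also that `profile['organizations_url']` exists only in GitHub profiles and will raise KeyError for other providers, and "whitelist" in the user-facing message should read "allowed list" to match the option name.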
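Review bot: get_organizations in the last hunk performs an unauthenticated `requests.get(organizations_url)` with no timeout and no status check. Without the user's access token (session['oauth2_token'] is set a few lines below) the organizations endpoint returns only public memberships, so members of private organizations appear to have none, and a non-200 reply (rate limiting, outage) yields a dict or raises from `.json()`, after which the caller fails with a TypeError on `organization['login']`. Send the token (or reuse the existing authlib client to make the call), pass a timeout, call `raise_for_status()`, and verify the decoded body is a list before iterating it.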
* Re: feature #6640 @ 2021-10-13 11:21 Akshay Joshi <[email protected]>
From: Akshay Joshi @ 2021-10-13 11:21 UTC
To: Florian Sabonchi <[email protected]>; Khushboo Vashi <[email protected]>
Cc: pgadmin-hackers

Khushboo,

Can you please review the patch?

On Wed, Oct 13, 2021 at 4:03 PM Florian Sabonchi <[email protected]> wrote:
> Hi I have written a patch for feature #6640
>
>

--
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Principal Software Architect
EDB Postgres <http://edbpostgres.com>
Mobile: +91 976-788-8246
* Re: feature #6640 @ 2021-10-18 05:07 Khushboo Vashi <[email protected]>
From: Khushboo Vashi @ 2021-10-18 05:07 UTC
To: Florian Sabonchi <[email protected]>
Cc: pgadmin-hackers

Hi Florian,

Review comments:

- Allowed_organisation is introduced for all, so the code comments and documentation should reflect it. Github should be an example of that.

- The below code checks all the Oauth2 configs, so if I have set ALLOWED_ORGANIZATIONS for only github, it will check for all the configured oauth2 servers, which will give the wrong result in case of multiple providers/servers. Use the current Oauth2 client, self.oauth2_current_client]['ALLOWED_ORGANIZATION'] instead.

    for oauth2_config in config.OAUTH2_CONFIG:
        allowed_organizations = oauth2_config['ALLOWED_ORGANIZATIONS']

- 'ALLOWED_ORGANIZATIONS' should be conditional. If it's in the config, then only go further and check the user's validity, otherwise the current users who are using Oauth2 will face the problem.

- The patch doesn't apply on the latest code, please rebase your patch.

Thanks,
Khushboo

On Wed, Oct 13, 2021 at 4:03 PM Florian Sabonchi <[email protected]> wrote:
> Hi I have written a patch for feature #6640
>
>
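The per-provider, conditional allowlist check that the review above asks for, written as an added Python example that is neither pgAdmin's code nor the patch under review. It assumes a constructed OAUTH2_CONFIG with two providers and decoded JSON payloads shaped like GitHub's organizations response, and it departs from the patch by requiring membership in at least one allowed organization instead of refusing any membership outside the list.

```python
import json

# Constructed stand-in for config.OAUTH2_CONFIG with two providers; only the
# GitHub entry restricts organizations, the Google entry has no such key.
OAUTH2_CONFIG = [
    {"OAUTH2_NAME": "github",
     "ALLOWED_ORGANIZATIONS": ["acme-corp", "acme-labs"]},
    {"OAUTH2_NAME": "google"},
]


def config_for_client(oauth2_name, configs=OAUTH2_CONFIG):
    """Return only the entry for the provider that authenticated this
    user (the oauth2_current_client lookup the review asks for)."""
    for entry in configs:
        if entry["OAUTH2_NAME"] == oauth2_name:
            return entry
    raise KeyError(f"no OAuth2 config named {oauth2_name!r}")


def organization_logins(payload):
    """Collect org 'login' names from a decoded organizations response.
    GitHub returns a list on success; error and rate-limit replies are
    dicts, which must not be mistaken for 'member of no organizations'."""
    if not isinstance(payload, list):
        raise ValueError("organizations endpoint did not return a list")
    return {o["login"] for o in payload if isinstance(o, dict) and "login" in o}


def organization_allowed(oauth2_name, org_payload, configs=OAUTH2_CONFIG):
    """Return (allowed, message). Deviation from the patch: the user must
    belong to at least one allowed org, instead of being refused for
    belonging to any org outside the list."""
    allowed = config_for_client(oauth2_name, configs).get("ALLOWED_ORGANIZATIONS")
    if not allowed:  # key absent, None or []: restriction is disabled
        return True, None
    try:
        memberships = organization_logins(org_payload)
    except ValueError as exc:
        return False, f"could not verify organization membership: {exc}"
    if memberships & set(allowed):
        return True, None
    return False, "You are not a member of an allowed organization"


# Constructed payloads shaped like GitHub's user organizations response.
MEMBER = json.loads('[{"login": "acme-corp", "id": 1}, {"login": "other-org", "id": 2}]')
OUTSIDER = json.loads('[{"login": "other-org", "id": 2}]')
RATE_LIMITED = json.loads('{"message": "API rate limit exceeded"}')
```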