public inbox for [email protected]
help / color / mirror / Atom feedfeature #6640
3+ messages / 3 participants
[nested] [flat]
* feature #6640
@ 2021-10-10 10:42 Florian Sabonchi <[email protected]>
2021-10-13 11:21 ` Re: feature #6640 Akshay Joshi <[email protected]>
2021-10-18 05:07 ` Re: feature #6640 Khushboo Vashi <[email protected]>
0 siblings, 2 replies; 3+ messages in thread
From: Florian Sabonchi @ 2021-10-10 10:42 UTC (permalink / raw)
To: pgadmin-hackers
Hi I have written a patch for feature #6640
Attachments:
[text/x-patch] 0001-first-draft-for-feature-6640.patch (3.7K, 2-0001-first-draft-for-feature-6640.patch)
download | inline diff:
From fd3978884501845099ca6547cd342ead0f833b14 Mon Sep 17 00:00:00 2001
From: Florian Sabonchi <[email protected]>
Date: Sun, 10 Oct 2021 12:38:50 +0200
Subject: [PATCH] first draft for feature #6640
---
docs/en_US/oauth2.rst | 1 +
web/config.py | 2 ++
web/pgadmin/authenticate/oauth2.py | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
index 4cc2628f5..6cf2f5aba 100644
--- a/docs/en_US/oauth2.rst
+++ b/docs/en_US/oauth2.rst
@@ -36,6 +36,7 @@ and modify the values for the following parameters:
"OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to automatically
create a pgAdmin user corresponding to a successfully authenticated Oauth2 user.
Please note that password is not stored in the pgAdmin database."
+ "ALLOWED_ORGANIZATIONS", "Github organizations which are allowed. If the user is in an organization that is not in the list, logging in is not possible."
Redirect URL
============
diff --git a/web/config.py b/web/config.py
index 7a1f4ab1f..ec8ec0959 100644
--- a/web/config.py
+++ b/web/config.py
@@ -719,6 +719,8 @@ OAUTH2_CONFIG = [
'OAUTH2_ICON': None,
# UI button colour, ex: #0000ff
'OAUTH2_BUTTON_COLOR': None,
+ # Allowed github organizations
+ 'ALLOWED_ORGANIZATIONS': [''],
}
]
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index cc1143e06..866e12680 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -8,11 +8,12 @@
##########################################################################
"""A blueprint module implementing the Oauth2 authentication."""
+import requests as requests
import config
from authlib.integrations.flask_client import OAuth
-from flask import current_app, url_for, session, request,\
+from flask import current_app, url_for, session, request, \
redirect, Flask, flash
from flask_babelex import gettext
from flask_security import login_user, current_user
@@ -91,7 +92,6 @@ class OAuth2Authentication(BaseAuthentication):
def __init__(self):
for oauth2_config in config.OAUTH2_CONFIG:
-
OAuth2Authentication.oauth2_config[
oauth2_config['OAUTH2_NAME']] = oauth2_config
@@ -130,6 +130,17 @@ class OAuth2Authentication(BaseAuthentication):
user, msg = self.__auto_create_user(profile)
if user:
+ organizations = self.get_organizations(profile['organizations_url'])
+
+ for oauth2_config in config.OAUTH2_CONFIG:
+ allowed_organizations = oauth2_config['ALLOWED_ORGANIZATIONS']
+ if allowed_organizations:
+ for organization in organizations:
+ if organization['login'] not in allowed_organizations:
+ return False, gettext("You are in an organization "
+ "that is not on the "
+ "whitelist")
+
user = db.session.query(User).filter_by(
username=profile['email'], auth_source=OAUTH2).first()
current_app.login_manager.logout_view = \
@@ -137,6 +148,10 @@ class OAuth2Authentication(BaseAuthentication):
return login_user(user), None
return False, msg
+ def get_organizations(self, organizations_url: str):
+ organizations = requests.get(organizations_url)
+ return organizations.json()
+
def get_user_profile(self):
session['oauth2_token'] = self.oauth2_clients[
self.oauth2_current_client].authorize_access_token()
--
2.25.1
[application/pgp-keys] OpenPGP_0x9B79A5A968AF5F8F.asc (2.4K, 3-OpenPGP_0x9B79A5A968AF5F8F.asc)
download
[application/pgp-signature] OpenPGP_signature (665B, 4-OpenPGP_signature)
download
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: feature #6640
2021-10-10 10:42 feature #6640 Florian Sabonchi <[email protected]>
@ 2021-10-13 11:21 ` Akshay Joshi <[email protected]>
1 sibling, 0 replies; 3+ messages in thread
From: Akshay Joshi @ 2021-10-13 11:21 UTC (permalink / raw)
To: Florian Sabonchi <[email protected]>; Khushboo Vashi <[email protected]>; +Cc: pgadmin-hackers
Khushboo,
Can you please review the patch?
On Wed, Oct 13, 2021 at 4:03 PM Florian Sabonchi <[email protected]> wrote:
> Hi I have written a patch for feature #6640
>
>
--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*
*Mobile: +91 976-788-8246*
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: feature #6640
2021-10-10 10:42 feature #6640 Florian Sabonchi <[email protected]>
@ 2021-10-18 05:07 ` Khushboo Vashi <[email protected]>
1 sibling, 0 replies; 3+ messages in thread
From: Khushboo Vashi @ 2021-10-18 05:07 UTC (permalink / raw)
To: Florian Sabonchi <[email protected]>; +Cc: pgadmin-hackers
Hi Florian,
Review comments:
- Allowed_organisation is introduced for all, so the code comments and
documentation should reflect it. Github should be an example of that.
- The below code checks all the Oauth2 configs, so if I have set
ALLOWED_ORGANIZATIONS for only github, it will check for all the configured
oauth2 servers, which will give the wrong result in case of multiple
providers/servers. Use the current Oauth2 client, self
.oauth2_current_client]['ALLOWED_ORGANIZATION'] instead.
for oauth2_config in config.OAUTH2_CONFIG:
allowed_organizations =
oauth2_config['ALLOWED_ORGANIZATIONS']
- 'ALLOWED_ORGANIZATIONS' should be conditional. if it's in the config,
then only go further and check the user's validity, otherwise the current
users who are using Oauth2 will face the problem.
- The patch doesn't apply on the latest code, please rebase your patch.
Thanks,
Khushboo
On Wed, Oct 13, 2021 at 4:03 PM Florian Sabonchi <[email protected]> wrote:
> Hi I have written a patch for feature #6640
>
>
^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2021-10-18 05:07 UTC | newest]
Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2021-10-10 10:42 feature #6640 Florian Sabonchi <[email protected]>
2021-10-13 11:21 ` Akshay Joshi <[email protected]>
2021-10-18 05:07 ` Khushboo Vashi <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox