Skip to content

ZaPF/ZaPF-Auth

BranchesTags

Repository files navigation

ZaPF OAuth Provider

Code Climate Issue Count

Deployment

To deploy the flask app you can use the configuration and systemd service for a gunicorn provided in the repository. The gunicorn creates in the default configuration a socket that can be used by a proxy daemon like nginx to deploy the app to the internet. The proxy daemon also would be responsible for stuff like SSL encryption.

Environment Variables

Variable     Description
AUTH_SETTINGS A path to a config file that overrides the defaults

Commands

Apart from the usual manage.py runserver and manage.py shell, the following commands are supported:

  • manage.py createuser uid FirstName Surname [email] [password] - create a user
  • manage.py delete_user uid - delete a user
  • manage.py passwd uid - change a password for the user
  • manage.py sanity - runs sanity checks, like checking that the base DN's for different things exist, and creates them if necessary
  • manage.py groups - lists groups
  • manage.py members group_name - list members in a group
  • manage.py newgroup group_name - create a group
  • manage.py delgroup group_name - delete a group
  • manage.py join username group_name - add a user to a group
  • manage.py remove username group_name - remove a user from a group
  • manage.py unis - list unis and their tokens
  • manage.py adduni name token - add a uni and a token
  • manage.py deluni name - delete a uni
  • manage.py set_token name token - set the token for a uni
  • manage.py profile [length] [profile_dir] - run the app under a profiler
  • manage.py db - Flask-Migrate DB commands:
    • manage.py db upgrade - Run database migrations
    • manage.py db migrate - Create database migrations

Permissions

Permissions are managed via groups. The members of the following groups have special permissions:

  • members of admin are superusers, and can administrate oauth2 applications
  • members of orga can see and edit uni registration data

OAuth

Scopes

Scope Name Description
uni_list List all of the universities
ownUserData Get user data of currently logged in user
registration Allow a user to create a registration

Endpoints

URL Scopes required Description
/api/me ownUserData Get user data of currently logged in user
/api/unis uni_list Get a list of universities
/api/registration registration GET the registration of currently logged in user or POST a new registration

OpenLDAP notes

Schema

The following schema are required:

ACL's

Please make sure the bind user can bind and has read&write access to the users, groups, and oauth2 subtrees.

Good hashing

Using the contrib/sha2 module for OpenLDAP is highly recommended, otherwise the following hashes do not work:

  • HASHED_SHA256
  • HASHED_SHA385
  • HASHED_SHA512
  • HASHED_SALTED_SHA256
  • HASHED_SALTED_SHA385
  • HASHED_SALTED_SHA512

Testing

A sample OpenLDAP configuration to run a testing server is included. Tests hoever are run by mocking the ldap connection. A script is included to generate the serialized data objects used from a LDIF file.

About

SSO für die ZaPF

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

6 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages