Version 0.7.3. (#34)

* Support for authentication using external proxy (#33)

* add options for HTTP header authentication to config

* add template for handling error 401: Unauthorized

* support external authentication

Expects authentication to be done using an external tool (such as
Apache), that fills the users UUID to a HTTP header and acts as a
proxy.

* version 0.7.3, simple auth mode available, docs for auth created

* version 0.7.3, simple auth mode available, docs for auth created

* typo in link

---------

Co-authored-by: Jakub Man <jakub.man@pm.me>

README.md

@@ -52,6 +52,7 @@ Last part of the system is Guarda service. This systemctl service is running in
 * [Local database instalation notes](./docs/DB_LOCAL.md)
 
 ## Change Log
+- 0.7.3 - New possibility of external auth proxy. 
 - 0.7.2 - Dashboard and Main menu are now customizable in config. App is ready to be packaged using setup.py.
 - 0.7.0 - ExaAPI now have two options - HTTP or RabbitMQ. ExaAPI process has been renamed, update of ExaBGP process value is needed for this version.
 - 0.6.2 - External config for ExaAPI 

config.example.py

@@ -9,6 +9,12 @@ class Config():
     TESTING = False
     # SSO auth enabled
     SSO_AUTH = False
+    # Authentication is done outside the app, use HTTP header to get the user uuid.
+    # If SSO_AUTH is set to True, this option is ignored and SSO auth is used.
+    HEADER_AUTH = True
+    # Name of HTTP header containing the UUID of authenticated user.
+    # Only used when HEADER_AUTH is set to True
+    AUTH_HEADER_NAME = 'X-Authenticated-User'
     # SSO LOGOUT
     LOGOUT_URL = "https://flowspec.example.com/Shibboleth.sso/Logout"
     # SQL Alchemy config

docs/AUTH.md

@@ -0,0 +1,43 @@
+# ExaFS tool
+## Auth mechanism
+
+Since version 0.7.3, the application supports three different forms of user authorization. 
+
+* SSO using Shibboleth
+* Simple Auth proxy 
+* Local single-user mode 
+
+### SSO
+To use SSO, you need to set up Apache + Shiboleth in the usual way. Then set `SSO_AUTH = True` in the application configuration file **config.py**
+
+Shibboleth configuration example:
+
+#### shibboleth config:
+```
+<Location />
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require shib-session
+</Location>
+
+```
+
+
+#### httpd ssl.conf 
+We recomend using app with https only. It's important to configure proxy pass to uwsgi in httpd config.
+```
+# Proxy everything to the WSGI server except /Shibboleth.sso and
+# /shibboleth-sp
+ProxyPass /kon.php !
+ProxyPass /Shibboleth.sso !
+ProxyPass /shibboleth-sp !
+ProxyPass / uwsgi://127.0.0.1:8000/
+```
+
+### Simple Auth
+This mode uses a WWW server (usually Apache) as an auth proxy. It is thus possible to use an external user database. Everything needs to be set in the web server configuration, then in **config.py** enable `HEADER_AUTH = True` and set `AUTH_HEADER_NAME = 'X-Authenticated-User'` 
+
+See [apache.conf.example](./apache.conf.example) for more information about configuration.
+
+### Local single user mode
+This mode is used as a fallback if neither SSO nor Simple Auth is enabled. Configuration is done using **config.py**. The mode is more for testing purposes, it does not allow to set up multiple users with different permission levels and also does not perform user authentication. 

docs/INSTALL.md

@@ -8,30 +8,12 @@ The default Python for RHEL9 is Python 3.9
 Virtualenv with Python39 is used by uWSGI server to keep the packages for app separated from system.
 
 ## Prerequisites
+First, choose how to [authenticate and authorize users](./AUTH.md). The application currently supports three options. 
 
-ExaFS is using Shibboleth auth and therefore we suggest to use Apache web server. 
-Install the Apache httpd as usual and then continue with this guide. 
+Depending on the selected WWW server, set up a proxy. We recommend using Apache + mod_uwsgi. If you use another solution, set up the WWW server as you are used to. 
 
-First configure Shibboleth
-
-### shibboleth config:
-```
-<Location />
-  AuthType shibboleth
-  ShibRequestSetting requireSession 1
-  require shib-session
-</Location>
-
-```
-
-### httpd ssl.conf 
-We are using https only. It's important to configure proxy pass to uwsgi in httpd config.
 ```
-# Proxy everything to the WSGI server except /Shibboleth.sso and
-# /shibboleth-sp
-ProxyPass /kon.php !
-ProxyPass /Shibboleth.sso !
-ProxyPass /shibboleth-sp !
+# Proxy everything to the WSGI server
 ProxyPass / uwsgi://127.0.0.1:8000/
 ```
 

docs/apache.conf.example

@@ -0,0 +1,24 @@
+# mod_dbd configuration
+DBDriver pgsql
+DBDParams "dbname=exafs_users host=localhost user=exafs password=verysecurepassword"
+
+DBDMin  4
+DBDKeep 8
+DBDMax  20
+DBDExptime 300
+
+# ExaFS authentication
+<VirtualHost *:80>
+    ServerName example.com
+    DocumentRoot /var/www/html
+
+    <Location />
+    AuthType Basic
+    AuthName "Database Authentication"
+    AuthBasicProvider dbd
+    AuthDBDUserPWQuery "SELECT pass_hash AS password FROM \"users\" WHERE email = %s"
+    Require valid-user
+    RequestHeader set X-Authenticated-User expr=%{REMOTE_USER}
+    ProxyPass http://127.0.0.1:8080/
+    </Location>
+</VirtualHost>

flowapp/__about__.py

@@ -1 +1 @@
-__version__ = "0.7.2"
+__version__ = "0.7.3"

flowapp/__init__.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 import babel
 
-from flask import Flask, redirect, render_template, session, url_for
+from flask import Flask, redirect, render_template, session, url_for, request
 from flask_sso import SSO
 from flask_sqlalchemy import SQLAlchemy
 from flask_wtf.csrf import CSRFProtect
@@ -70,23 +70,10 @@ def login(user_info):
             uuid = False
             return redirect("/")
         else:
-            user = db.session.query(models.User).filter_by(uuid=uuid).first()
             try:
-                session["user_uuid"] = user.uuid
-                session["user_email"] = user.uuid
-                session["user_name"] = user.name
-                session["user_id"] = user.id
-                session["user_roles"] = [role.name for role in user.role.all()]
-                session["user_orgs"] = ", ".join(
-                    org.name for org in user.organization.all()
-                )
-                session["user_role_ids"] = [role.id for role in user.role.all()]
-                session["user_org_ids"] = [org.id for org in user.organization.all()]
-                roles = [i > 1 for i in session["user_role_ids"]]
-                session["can_edit"] = True if all(roles) and roles else []
+                _register_user_to_session(uuid)
             except AttributeError:
-                return redirect("/")
-
+                pass
             return redirect("/")
 
     @app.route("/logout")
@@ -96,6 +83,19 @@ def logout():
         session.clear()
         return redirect(app.config.get("LOGOUT_URL"))
 
+    @app.route("/ext-login")
+    def ext_login():
+        header_name = app.config.get("AUTH_HEADER_NAME", 'X-Authenticated-User')
+        if header_name not in request.headers:
+            return render_template("errors/401.j2")
+        uuid = request.headers.get(header_name)
+        if uuid:
+            try:
+                _register_user_to_session(uuid)
+            except AttributeError:
+                return render_template("errors/401.j2")
+        return redirect("/")
+
     @app.route("/")
     @auth_required
     def index():
@@ -177,4 +177,19 @@ def format_datetime(value):
 
         return babel.dates.format_datetime(value, format)
 
+    def _register_user_to_session(uuid: str):
+        user = db.session.query(models.User).filter_by(uuid=uuid).first()
+        session["user_uuid"] = user.uuid
+        session["user_email"] = user.uuid
+        session["user_name"] = user.name
+        session["user_id"] = user.id
+        session["user_roles"] = [role.name for role in user.role.all()]
+        session["user_orgs"] = ", ".join(
+            org.name for org in user.organization.all()
+        )
+        session["user_role_ids"] = [role.id for role in user.role.all()]
+        session["user_org_ids"] = [org.id for org in user.organization.all()]
+        roles = [i > 1 for i in session["user_role_ids"]]
+        session["can_edit"] = True if all(roles) and roles else []
+
     return app

flowapp/auth.py

@@ -14,7 +14,10 @@ def auth_required(f):
     @wraps(f)
     def decorated(*args, **kwargs):
         if not check_auth(get_user()):
-            return redirect("/login")
+            if current_app.config.get("SSO_AUTH"):
+                return redirect("/login")
+            elif current_app.config.get("HEADER_AUTH", False):
+                return redirect("/ext-login")
         return f(*args, **kwargs)
 
     return decorated
@@ -99,6 +102,12 @@ def check_auth(uuid):
         if uuid:
             exist = db.session.query(User).filter_by(uuid=uuid).first()
         return exist
+    elif current_app.config.get("HEADER_AUTH", False):
+        # External auth (for example apache)
+        header_name = current_app.config.get("AUTH_HEADER_NAME", 'X-Authenticated-User')
+        if header_name not in request.headers or not session.get("user_uuid"):
+            return False
+        return db.session.query(User).filter_by(uuid=request.headers.get(header_name))
     else:
         # Localhost login / no check
         session["user_email"] = current_app.config["LOCAL_USER_UUID"]

flowapp/templates/errors/401.j2

@@ -0,0 +1,7 @@
+{% extends 'layouts/default.j2' %}
+{% block content %}
+  <h1>Could not log you in.</h1>
+  <p class="form-text">401: Unauthorized</p>
+  <p>Please log out and try logging in again.</p>
+  <p><a href="{{url_for('logout')}}">Log out</a></p>
+{% endblock %}