Merge branch 'main' into issue-91

SURFscz · Aug 7, 2024 · 64bcaef · 64bcaef
2 parents bc7adab + 1e6a43d
commit 64bcaef
Show file tree

Hide file tree

Showing 12 changed files with 92 additions and 79 deletions.
diff --git a/.env.example b/.env.example
diff --git a/README.md b/README.md
@@ -202,8 +202,9 @@ PYTHONUNBUFFERED=1
 For localhost deployment you can make use of **docker**. You can take existing **docker-compose.yml** as your starting point. The docker-compose file makes use of environment variables that you can adjust via a local **.env** file. To create your own **.env** file, copy the provided **.env.example** file:
 
 ```bash
-$ cp .env.example .env
+$ cp env.example .env
 ```
+and edit the values to some sane values.
 
 Now adjust the contents of this **.env** file to match your desired configuration.
 
@@ -215,4 +216,4 @@ $ docker compose build
 $ docker compose up -d
 ```
 
-Now open your browser at: http://localhost:8080
+Now open your browser at: http://localhost:8080
diff --git a/client/src/locale/nl.js b/client/src/locale/nl.js
@@ -1049,7 +1049,7 @@ const nl = {
         cancel: "Annuleren",
         flash: {
             created: "Dienst {{name}} is aangemaakt.",
-            createdServiceRequest: "Bedankt voor de dienstregistratie van {{name}}. We zullen je verzoek bekijken en bij je terug komen binnen één werkdag.<br/><br/>Het SURF Research Access Management support team",
+            createdServiceRequest: "Bedankt voor de dienstregistratie van {{name}}. We bekijken je verzoek en van ons laten horen binnen een werkdag.<br/><br/>Het SURF Research Access Management support team",
             updated: "Dienst {{name}} is bijgewerkt.",
             deleted: "Dienst {{name}} is verwijderd.",
             requestDeleted: "Verzoek om dienst {{name}} te verwijderen is verzonden",
@@ -2454,8 +2454,8 @@ const nl = {
             ldap: "LDAP",
             tokens: "User introspection tokens",
             pamWebLogin: "PAM web login",
-            SCIMServer: "SCIM server",
-            SCIMClient: "SCIM client",
+            SCIMServer: "SCIM push naar dienst",
+            SCIMClient: "SCIM pull door dienst",
             OIDC: "OpenID Connect",
             SAML: "SAML2.0",
             Export: "Export"

diff --git a/client/src/pages/ServiceOverview.jsx b/client/src/pages/ServiceOverview.jsx
@@ -879,7 +879,7 @@ class ServiceOverview extends React.Component {
                           value={service.scim_client_enabled || false}
                           tooltip={I18n.t("scim.scimClientEnabledTooltip")}
                           info={I18n.t("scim.scimClientEnabled")}
-                          readOnly={!isAdmin || showServiceAdminView}
+                          readOnly={false}
                           onChange={e => this.setState({
                               "service": {
                                   ...service, scim_client_enabled: e.target.checked
@@ -924,7 +924,7 @@ class ServiceOverview extends React.Component {
                           value={service.scim_enabled || false}
                           tooltip={I18n.t("scim.scimEnabledTooltip")}
                           info={I18n.t("scim.scimEnabled")}
-                          readOnly={!isAdmin || showServiceAdminView}
+                          readOnly={false}
                           onChange={e => this.setState({"service": {...service, scim_enabled: e.target.checked}})}
                 />
                 {!service.scim_enabled && <p>{I18n.t("scim.scimDisclaimer")}</p>}

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,63 +1,61 @@
-# -*- coding: utf-8 -*-
-#
-
+---
 volumes:
   data:
-    driver: local
+    driver: "local"
 
 services:
   redis:
-    image: amd64/redis
+    image: "docker.io/redis"
     container_name: redis
 
   client:
-    build: client
+    build: "client"
     restart: "always"
     links:
-      - server
+      - "server"
     ports:
-      - 8080:80
+      - "8080:80"
     volumes:
-      - ${PWD}/etc/apache.conf:/etc/apache2/sites-enabled/sbs.conf:ro
+      - "${PWD}/etc/apache.conf:/etc/apache2/sites-enabled/sbs.conf:ro"
 
   server:
-    build: server
+    build: "server"
     restart: "always"
     links:
-      - db
-      - redis
+      - "db"
+      - "redis"
     volumes:
-      - ${PWD}/etc/config.yml:/etc/config.yml
-      - ${PWD}/server:/opt/server
+      - "${PWD}/etc/config.yml:/etc/config.yml"
+      - "${PWD}/server:/opt/server"
     ports:
-      - 8080
+      - "8080"
     environment:
-      CONFIG_TEMPLATE: /etc/config.yml
+      CONFIG_TEMPLATE: "/etc/config.yml"
       TESTING: 1
-      PROFILE: local
+      PROFILE: "local"
       ALLOW_MOCK_USER_API: 1
-      DATABASE_URI: mysql+mysqldb://sbs:sbs@db/sbs?charset=utf8mb4
-      REDIS_URI: redis://redis:6379/
-      BASE_URL: http://localhost:8080
-      SOCKET_URL: 0.0.0.0:8080/
-      SECRET: ${SECRET}
-      CLIENT_ID: ${CLIENT_ID}
-      CLIENT_SECRET: ${CLIENT_SECRET}
-      AUDIENCE: ${AUDIENCE}
-      ADMIN: ${ADMIN}
-      LDAP_URL: ${LDAP_URL}
-      LDAP_BIND: ${LDAP_BIND}
+      DATABASE_URI: "mysql+mysqldb://sbs:sbs@db/sbs?charset=utf8mb4"
+      REDIS_URI: "redis://redis:6379/"
+      BASE_URL: "http://localhost:8080"
+      SOCKET_URL: "0.0.0.0:8080/"
+      SECRET: "${SECRET:-geheim}"
+      CLIENT_ID: "${CLIENT_ID:-foo}"
+      CLIENT_SECRET: "${CLIENT_SECRET:-echtgeheim}"
+      AUDIENCE: "${AUDIENCE:-http://localhost:9001}"
+      ADMIN: "${ADMIN:-urn:john}"
+      LDAP_URL: "${LDAP_URL:-ldap://localhost:1389/dc=example,dc=org}"
+      LDAP_BIND: "${LDAP_BIND:-cn=admin,dc=example,dc=org}"
 
   db:
-    image: amd64/mariadb:11
-    restart: always
+    image: "docker.io/mariadb:11"
+    restart: "always"
     environment:
-      MARIADB_ROOT_PASSWORD: ${DB_ROOT_PASSWORD:-sbs}
-      MARIADB_DATABASE: sbs
-      MARIADB_USER: sbs
-      MARIADB_PASSWORD: sbs
+      MARIADB_ROOT_PASSWORD: "${DB_ROOT_PASSWORD:-sbs}"
+      MARIADB_DATABASE: "sbs"
+      MARIADB_USER: "sbs"
+      MARIADB_PASSWORD: "sbs"
     ports:
-      - 13306:3306
+      - "13306:3306"
     volumes:
-      - data:/var/lib/mysql:Z
-      - ${PWD}/etc/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
+      - "data:/var/lib/mysql:Z"
+      - "${PWD}/etc/init.sql:/docker-entrypoint-initdb.d/init.sql:ro"
diff --git a/env.example b/env.example
@@ -0,0 +1,15 @@
+# these are only needed if you want to connect to a real upstream OP
+# the default install will mock the login, so you won't need these
+CLIENT_ID=oidc_clientid
+CLIENT_SECRET=oidc_client_secret
+AUDIENCE=https://upstream-op.example.com
+
+# generic encryption secret for internal use
+SECRET=geheim
+
+# if you connect an extern OP, put the sub of the admin user for SBS here
+ADMIN=<your SRAM UID >
+
+# optional, if you want to use a real LDAP server
+LDAP_URL=ldap://localhost:1389/dc=example,dc=org
+LDAP_BIND=cn=admin,dc=example,dc=org
diff --git a/env.sample b/env.sample
diff --git a/etc/config.yml b/etc/config.yml
@@ -86,6 +86,12 @@ mail:
   send_exceptions_recipients: ["[email protected]"]
   environment: local
 
+manage:
+  enabled: false
+  base_url: ""
+  user: ""
+  password: ""
+
 aup:
   version: 1
   url_aup_en: https://edu.nl/6wb63

diff --git a/server/Dockerfile b/server/Dockerfile
@@ -1,7 +1,6 @@
 FROM python:3.11
 
-RUN apt-get update
-RUN apt-get install -y libxmlsec1-dev gettext
+RUN apt-get update && apt-get install -y libxmlsec1-dev gettext && rm -rf /var/lib/apt/ /var/cache/apt/
 
 WORKDIR /opt
 

diff --git a/server/api/service.py b/server/api/service.py
@@ -561,8 +561,7 @@ def update_service():
     service = Service.query.filter(Service.id == service_id).one()
 
     if not is_application_admin():
-        forbidden = ["allow_restricted_orgs", "non_member_users_access_allowed", "entity_id", "abbreviation",
-                     "scim_enabled", "scim_client_enabled"]
+        forbidden = ["allow_restricted_orgs", "non_member_users_access_allowed", "entity_id", "abbreviation"]
         for attr in [fb for fb in forbidden if fb in data]:
             data[attr] = getattr(service, attr)
 

diff --git a/server/auth/security.py b/server/auth/security.py
@@ -12,7 +12,7 @@
 def is_admin_user(user):
     admin_users = current_app.app_config.admin_users
     uid = user.uid if isinstance(user, User) else user["uid"]
-    return len(list(filter(lambda u: u.uid == uid, admin_users))) == 1
+    return uid in (u.uid for u in admin_users)
 
 
 def _get_impersonated_session():

diff --git a/server/test/api/test_service.py b/server/test/api/test_service.py
@@ -149,6 +149,29 @@ def test_service_update(self):
         row = next(rows)
         self.assertIsNone(row[0])
 
+    def test_service_update_disallowed(self):
+        disallowed_fields = ["allow_restricted_orgs", "non_member_users_access_allowed", "entity_id", "abbreviation"]
+        immutable_fields = ["sweep_scim_last_run", "ldap_password", "scim_bearer_token", "oidc_client_secret"]
+
+        service = self._find_by_name(service_cloud_name)
+        orig_service = service.copy()
+
+        service["allow_restricted_orgs"] = True
+        service["non_member_users_access_allowed"] = True
+        service["entity_id"] = "https://changed"
+        service["abbreviation"] = "changed"
+        service["sweep_scim_last_run"] = "2063-04-05:12:00:00"
+        service["ldap_password"] = "changed"
+        service["scim_bearer_token"] = "changed"
+        service["oidc_client_secret"] = "changed"
+
+        self.login("urn:james")  # regular service admin
+        self.put("/api/services", body=service, with_basic_auth=False)
+
+        service = self._find_by_name(service_cloud_name)
+        for field in immutable_fields + disallowed_fields:
+            self.assertEqual(orig_service[field], service[field])
+
     def test_service_update_delete_service_tokens(self):
         service = self.find_entity_by_name(Service, service_network_name)
         self.login("urn:john")
@@ -509,7 +532,7 @@ def test_reset_ldap_password(self):
         with db.engine.connect() as conn:
             with conn.begin():
                 rs = conn.execute(text(f"SELECT ldap_password FROM services WHERE id = {service['id']}"))
-        ldap_password = next(rs, (0,))[0]
+        ldap_password = str(next(rs, (0,))[0])
         self.assertTrue(ldap_password.startswith("$2b$12$"))
         service = self._find_by_name()
         self.assertIsNone(service.get("ldap_password"))
@@ -521,7 +544,7 @@ def test_reset_oidc_client_secret(self):
         with db.engine.connect() as conn:
             with conn.begin():
                 rs = conn.execute(text(f"SELECT oidc_client_secret FROM services WHERE id = {service_id}"))
-        oidc_client_secret = next(rs, (0,))[0]
+        oidc_client_secret = str(next(rs, (0,))[0])
         # Ensure we use rounds=5 to prevent performance loss in OIDC-NG
         self.assertTrue(oidc_client_secret.startswith("$2b$05$"))
         # Ensure the oidc_client_secret is not exposed in the API