author | B. Stack <bgstack15@gmail.com> | 2021-06-27 17:26:06 -0400 |
---|---|---|
committer | B. Stack <bgstack15@gmail.com> | 2021-06-27 17:26:06 -0400 |
commit | d52971b79245328b4c0764bf0269d443a485f249 (patch) | |
tree | 0100e1d1a8835144eb29c432ab6e45dedc4ac5c4 | |
parent | now store user groups in session, for display (diff) | |
download | session_app-d52971b79245328b4c0764bf0269d443a485f249.tar.gz session_app-d52971b79245328b4c0764bf0269d443a485f249.tar.bz2 session_app-d52971b79245328b4c0764bf0269d443a485f249.zip |
move config to separate file
also move references to top of file
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | example.cfg | 27 | ||||
-rwxr-xr-x | session_app.py (renamed from session_app.py.publish) | 65 |
3 files changed, 60 insertions, 35 deletions
@@ -1,6 +1,7 @@
 __pycache__
-session_app.py
 *.keytab
 *.log
 .*.swp
 WORKHERE
+dev.cfg
+prod.cfg
diff --git a/example.cfg b/example.cfg
new file mode 100644
index 0000000..c7c7bd2
--- /dev/null
+++ b/example.cfg
@@ -0,0 +1,27 @@
+# SESSION_CONFIG file
+# Run with:
+# SESSION_CONFIG=example.cfg FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0 --port 5000
+HOSTNAME = "d2-03a.ipa.internal.com"
+# These don't seem to work when running "flask run", so they might only be used by uwsgi.
+LISTEN_HOST = "0.0.0.0"
+LISTEN_PORT = "5000"
+
+DEBUG=True
+
+LDAP_URI = "ldaps://ipa.internal.com:636"
+LDAP_USER_BASE = "cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
+LDAP_GROUP_BASE = "cn=groups,cn=accounts,dc=ipa,dc=internal,dc=com"
+LDAP_USER_MATCH_ATTRIB = "uid"
+LDAP_USER_DISPLAY_ATTRIB = "uid"
+LDAP_USER_ATTRIB_MEMBEROF = "memberof"
+LDAP_GROUP_DISPLAY_ATTRIB = "cn"
+LDAP_BIND_DN = "uid=domainjoin,cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
+LDAP_BIND_PASSWORD = "examplepassword"
+LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB = "krbPrincipalName"
+SESSION_DURATION_MINUTES = 2
+
+KRB5_SERVICE = "HTTP"
+# keytab from `/usr/sbin/ipa-getkeytab -p HTTP/d2-03a.ipa.example.com -k session.keytab`
+KRB5_KTNAME = "./session.keytab"
+# Define this variable if you want it to be used.
+KRB5_TRACE = "./kerberos.log"
diff --git a/session_app.py.publish b/session_app.py
index 18bf5f1..847df19 100755
--- a/session_app.py.publish
+++ b/session_app.py
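Review bot: `DEBUG=True` in example.cfg, combined with the `--host 0.0.0.0` in its own "Run with" comment, switches on Flask's debug mode on an externally reachable listener (the loaded session_app.py passes `app.config['DEBUG']` straight into `app.run` in the later hunk), so the example shipped to operators should read `DEBUG = False` with a note that it is a development-only switch. The file also carries `LDAP_BIND_PASSWORD` in clear text and is executed as Python by `from_pyfile`, so a header comment such as `# Executed as Python by the app and contains the LDAP bind password: keep it mode 0600 and out of version control` belongs at the top; .gitignore in this commit only excludes `dev.cfg` and `prod.cfg` while `SESSION_CONFIG` accepts any path, so `*.cfg` plus `!example.cfg` would cover copies saved under other names. The keytab comment names the principal `HTTP/d2-03a.ipa.example.com` while `HOSTNAME` is `d2-03a.ipa.internal.com`; the two should agree, since `init_kerberos` builds the service principal from `HOSTNAME`.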
@@ -10,10 +10,13 @@
 # future: https://code.tutsplus.com/tutorials/flask-authentication-with-ldap--cms-23101
 # better timeout session: https://stackoverflow.com/a/49891626/3569534
 # store "formdata" in session for changing the basic auth to form data for the ldap login https://stackoverflow.com/a/56904875/3569534
+# requires_session similar to requires_auth (kerberos) return to the passed function, from https://github.com/ArtemAngelchev/flask-basicauth-ldap/blob/master/flask_basicauth_ldap.py
 # modify url from urlparse https://stackoverflow.com/a/21629125/3569534
+# _unauthorized_kerberos meta redirect from https://billstclair.com/html-redirect2.html
+# preserve POST with code 307 https://stackoverflow.com/a/15480983/3569534
 # Improve:
-# move all configs to config file
-# move all references to references section
+# remove session info, when logging out?
+# provide web page for adjusting settings like ldap uri
 # Run:
 # FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
 # Dependencies:
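Review bot: The `# Run:` line still documents `FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0` without `SESSION_CONFIG`, although the app now reads that variable and otherwise falls back to `dev.cfg`, which this commit adds to .gitignore and which does not exist in a fresh checkout, so the documented command aborts at startup because the loader uses `silent=False`. Suggest `# SESSION_CONFIG=example.cfg FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0`, matching the comment at the top of example.cfg. A sentence that the relative path is resolved by Flask against the application's root directory rather than the shell's working directory would save the next reader a surprise.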
@@ -22,32 +25,24 @@ from flask import Flask, Response, redirect, url_for, render_template, request, _request_ctx_stack as stack, make_response, session from flask_kerberos import init_kerberos, requires_authentication, _unauthorized, _forbidden, _gssapi_authenticate -import kerberos from functools import wraps -import binascii, datetime -import os -import session_ldap from urllib.parse import urlparse +import kerberos, binascii, datetime, os +import session_ldap -DEBUG=True app = Flask(__name__) -app.config.from_object(__name__) -app.debug=True +if 'SESSION_CONFIG' in os.environ: + conf_file=os.environ['SESSION_CONFIG'] +else: + conf_file="dev.cfg" +app.config.from_pyfile(conf_file, silent=False) +#app.config.from_object(__name__) +if 'DEBUG' in app.config and app.config['DEBUG']: + app.debug=True secret_key_value = os.urandom(24) secret_key_value_hex_encoded = binascii.hexlify(secret_key_value) app.config['SECRET_KEY'] = secret_key_value_hex_encoded -app.config['LDAP_URI'] = "ldaps://ipa.internal.com:636" -app.config['LDAP_USER_BASE'] = "cn=users,cn=accounts,dc=ipa,dc=internal,dc=com" -app.config['LDAP_GROUP_BASE'] = "cn=groups,cn=accounts,dc=ipa,dc=internal,dc=com" -app.config['LDAP_USER_MATCH_ATTRIB'] = "uid" -app.config['LDAP_USER_DISPLAY_ATTRIB'] = "uid" -app.config['LDAP_USER_ATTRIB_MEMBEROF'] = "memberof" -app.config['LDAP_GROUP_NAME_ATTRIB'] = "cn" -app.config['LDAP_BIND_DN'] = "uid=domainjoin,cn=users,cn=accounts,dc=ipa,dc=internal,dc=com" -app.config['LDAP_BIND_PASSWORD'] = "bulkpassword" -app.config['LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB'] = "krbPrincipalName" -app.config['minutes'] = 2 -app.permanent_session_lifetime=datetime.timedelta(minutes=app.config['minutes']) +app.permanent_session_lifetime=datetime.timedelta(minutes=app.config['SESSION_DURATION_MINUTES']) def requires_session(function): ''' 
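Review bot: `app.config.from_pyfile(conf_file, silent=False)` executes whatever file `SESSION_CONFIG` names as Python code and resolves a relative name against the app's root_path, not the working directory; neither is stated anywhere, so a comment above the `if 'SESSION_CONFIG' in os.environ:` line such as `# SESSION_CONFIG is executed as Python by from_pyfile (relative to the app directory) and holds LDAP_BIND_PASSWORD; trust it like code` is warranted. Required keys are also consumed lazily: `SESSION_DURATION_MINUTES` fails here at import, but `LDAP_GROUP_DISPLAY_ATTRIB` (renamed from `LDAP_GROUP_NAME_ATTRIB` in the requires_authn_kerberos and requires_authn_ldap hunks) is only read inside the request handlers, so a cfg that still uses the old key yields a 500 on the first authentication instead of a startup error. A check right after loading, `missing = [k for k in ('HOSTNAME', 'KRB5_SERVICE', 'KRB5_KTNAME', 'LDAP_URI', 'LDAP_USER_BASE', 'LDAP_GROUP_BASE', 'LDAP_GROUP_DISPLAY_ATTRIB', 'SESSION_DURATION_MINUTES') if k not in app.config]` followed by `if missing: raise RuntimeError(f"{conf_file}: missing config keys {missing}")`, makes a bad cfg fail closed at import. `if 'DEBUG' in app.config and app.config['DEBUG']:` can simply be `if app.config.get('DEBUG'):`.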
@@ -67,8 +62,6 @@ def requires_session(function):
 if session['user'] != c_user:
 return Response("Wrong user for this session!.",401)
 # otherwise, everything is good!
- #return Response(f"session user: {s_user}<br/>cookie user: {c_user}", 200)
- # return to the passed function, from https://github.com/ArtemAngelchev/flask-basicauth-ldap/blob/master/flask_basicauth_ldap.py
 return function(*args,**kwargs)
 # catch-all
 return Response("requires session",401)
@@ -120,7 +113,7 @@ def requires_authn_kerberos(function):
 connection=conn,
 user_dn=this_user,
 user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
- group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_name_attrib=app.config['LDAP_GROUP_DISPLAY_ATTRIB'],
 group_base=app.config['LDAP_GROUP_BASE']
 )
 #print(f"DEBUG: groups {groups}")
@@ -188,7 +181,7 @@ def requires_authn_ldap(function):
 connection=ll,
 user_dn=this_user,
 user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
- group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_name_attrib=app.config['LDAP_GROUP_DISPLAY_ATTRIB'],
 group_base=app.config['LDAP_GROUP_BASE']
 )
 print(f"DEBUG: user {shortuser} has groups {groups}")
@@ -201,7 +194,6 @@ def _unauthorized_kerberos():
 '''
 Indicate that authentication is required
 '''
- # from https://billstclair.com/html-redirect2.html
 return Response(f'<meta http-equiv="Refresh" content="4; url={url_for("login_ldap")}">Unauthorized! No kerberos auth provided. Trying <a href="{url_for("login_ldap")}">ldap</a> automatically in a moment.', 401, {'WWW-Authenticate': 'Negotiate'})
 
 def _unauthorized_ldap():
@@ -335,7 +327,6 @@ def handle_login_ldap_from_non_ldap(request):
 if 'logintype' in request.form:
 logintype = request.form['logintype']
 if "ldap" == logintype:
- # preserve POST with code 307 https://stackoverflow.com/a/15480983/3569534
 return redirect(url_for("login_ldap"), code=307)
 else:
 return f"Authentication method {logintype} not supported yet.",400
@@ -343,7 +334,7 @@ def handle_login_ldap_from_non_ldap(request): @app.route("/logout") @app.route("/logout/") def logout(): - resp = Response(f"logged out") + resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("index")}">logged out') # Doing anything with session here leaves a cookie. #session['user']="" resp.set_cookie('user','',expires=0) @@ -373,10 +364,16 @@ def login_basic(): # session.permanent = True # session['end_time'] = datetime.datetime.now()+app.permanent_session_lifetime -# keytab from `/usr/sbin/ipa-getkeytab -p HTTP/d2-03a.ipa.example.com -k session.keytab` -os.environ['KRB5_KTNAME'] = "./session.keytab" -os.environ['KRB5_TRACE'] = "./kerberos.log" -init_kerberos(app, hostname="d2-03a.ipa.internal.com", service="HTTP") +os.environ['KRB5_KTNAME'] = app.config['KRB5_KTNAME'] +if 'KRB5_TRACE' in app.config: + os.environ['KRB5_TRACE'] = app.config['KRB5_TRACE'] + +init_kerberos(app, hostname=app.config['HOSTNAME'], service=app.config['KRB5_SERVICE']) if __name__ == '__main__': - init_kerberos(app, hostname="d2-03a.ipa.internal.com", service="HTTP") - app.run(host='0.0.0.0',debug=True) + #init_kerberos(app, hostname=app.config['HOSTNAME'], service=app.config['KRB5_SERVICE']) + print("should listen to ",app.config['LISTEN_HOST']) + app.run( + host=app.config['LISTEN_HOST'], + port=app.config['LISTEN_PORT'], + debug=app.config['DEBUG'] + ) |
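Review bot: `app.run(... debug=app.config['DEBUG'])` in the `__main__` block raises KeyError when the cfg omits DEBUG, while the loader earlier in this commit treats an absent DEBUG as off (`if 'DEBUG' in app.config and app.config['DEBUG']:`); `debug=app.config.get('DEBUG', False)` makes the two agree. Because that flag also enables the Werkzeug debugger and reloader on `LISTEN_HOST`, which example.cfg sets to `0.0.0.0`, a comment on the `app.run(` line such as `# DEBUG turns on the Werkzeug debugger; only ever set it for a loopback listener` is worth adding. `print("should listen to ",app.config['LISTEN_HOST'])` reads like leftover diagnostics and, if kept, should go through `app.logger.info`. The `os.environ['KRB5_KTNAME']` export and `init_kerberos(...)` now run at import time, outside the `__main__` guard, which is what a uwsgi deployment needs but is a behavioural change that the commented-out `#init_kerberos(...)` line does not explain; a one-line comment stating that import-time initialisation is intentional would help.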