almet/argos
1
0
Fork 0
mirror of https://framagit.org/framasoft/framaspace/argos.git synced 2025-04-28 01:42:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

🛂 — Allow to use a LDAP server for authentication (fix #64)

Browse source
This commit is contained in:
Luc Didry 2024-11-28 15:08:02 +01:00
parent da221b856b
commit 04e33a8d24
No known key found for this signature in database
GPG key ID: EA868E12D0257E3C
13 changed files with 129 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.gitlab-ci.yml
View file

@ -1,3 +1,4 @@
---
image: python:3.11
stages:
@ -18,6 +19,9 @@ default:
install:
stage: install
before_script:
- apt-get update
- apt-get install -y build-essential libldap-dev libsasl2-dev
script:
- make venv
- make develop
@ -64,7 +68,7 @@ release_job:
- if: $CI_COMMIT_TAG
script:
- sed -n '/^## '$CI_COMMIT_TAG'/,/^#/p' CHANGELOG.md | sed -e '/^\(#\|$\|Date\)/d' > release.md
release: # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties
release: # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties
tag_name: '$CI_COMMIT_TAG'
description: './release.md'
assets:

1
CHANGELOG.md
View file

@ -14,6 +14,7 @@
You need to use `M`, `month` or `months`
- ✨ - Allow to choose a frequency smaller than a minute
- ✨🛂 — Allow partial or total anonymous access to web interface (#63)
- ✨🛂 — Allow to use a LDAP server for authentication (#64)
## 0.5.0

2
Makefile
View file

@ -10,7 +10,7 @@ NC=\033[0m # No Color
venv: ## Create the venv
python3 -m venv venv
develop: venv ## Install the dev dependencies
venv/bin/pip install -e ".[dev,docs]"
venv/bin/pip install -e ".[dev,docs,ldap]"
docs: cog ## Build the docs
venv/bin/sphinx-build docs public
if [ ! -e "public/mermaid.min.js" ]; then curl -sL $$(grep mermaid.min.js public/search.html | cut -f 2 -d '"') --output public/mermaid.min.js; fi

17
argos/config-example.yaml
View file

@ -36,6 +36,23 @@ general:
# If not present, all pages needs authentication
# unauthenticated_access: "all"
# LDAP authentication
# Instead of relying on Argos users, use a LDAP server to authenticate users.
# If not present, Argos native user system is used.
# ldap:
# # Server URI
# uri: "ldaps://ldap.example.org"
# # Search base DN
# user_tree: "ou=users,dc=example,dc=org"
# # Search bind DN
# bind_dn: "uid=ldap_user,ou=users,dc=example,dc=org"
# # Search bind password
# bind_pwd: "secr3t"
# # User attribute (uid, mail, sAMAccountName, etc.)
# user_attr: "uid"
# # User filter (to exclude some users, etc.)
# user_filter: "(!(uid=ldap_user))"
# Default delay for checks.
# Can be superseeded in domain configuration.
# For ex., to run checks every 5 minutes:

10
argos/schemas/config.py
View file

@ -183,6 +183,15 @@ class DbSettings(BaseModel):
max_overflow: int = 20
class LdapSettings(BaseModel):
uri: str
user_tree: str
bind_dn: str | None = None
bind_pwd: str | None = None
user_attr: str
user_filter: str | None = None
class General(BaseModel):
"""Frequency for the checks and alerts"""
@ -192,6 +201,7 @@ class General(BaseModel):
session_duration: int = 10080 # 7 days
remember_me_duration: int | None = None
unauthenticated_access: Unauthenticated | None = None
ldap: LdapSettings | None = None
frequency: float
recheck_delay: float | None = None
root_path: str = ""

8
argos/server/alerting.py
View file

@ -25,7 +25,7 @@ def get_icon_from_severity(severity: str) -> str:
return icon
def handle_alert(config: Config, result, task, severity, old_severity, request):
def handle_alert(config: Config, result, task, severity, old_severity, request): # pylint: disable-msg=too-many-positional-arguments
"""Dispatch alert through configured alert channels"""
if "local" in getattr(config.general.alerts, severity):
@ -64,7 +64,7 @@ def handle_alert(config: Config, result, task, severity, old_severity, request):
)
def notify_with_apprise(
def notify_with_apprise( # pylint: disable-msg=too-many-positional-arguments
result, task, severity: str, old_severity: str, group: List[str], request
) -> None:
logger.debug("Will send apprise notification")
@ -90,7 +90,7 @@ See results of task on {request.url_for('get_task_results_view', task_id=task.id
apobj.notify(title=title, body=msg)
def notify_by_mail(
def notify_by_mail( # pylint: disable-msg=too-many-positional-arguments
result, task, severity: str, old_severity: str, config: Mail, request
) -> None:
logger.debug("Will send mail notification")
@ -137,7 +137,7 @@ See results of task on {request.url_for('get_task_results_view', task_id=task.id
smtp.send_message(mail, to_addrs=address)
def notify_with_gotify(
def notify_with_gotify( # pylint: disable-msg=too-many-positional-arguments
result, task, severity: str, old_severity: str, config: List[GotifyUrl], request
) -> None:
logger.debug("Will send gotify notification")

16
argos/server/main.py
View file

@ -36,13 +36,25 @@ def get_application() -> FastAPI:
appli.add_exception_handler(NotAuthenticatedException, auth_exception_handler)
appli.state.manager = create_manager(config.general.cookie_secret)
if config.general.ldap is not None:
import ldap
l = ldap.initialize(config.general.ldap.uri)
l.simple_bind_s(config.general.ldap.bind_dn, config.general.ldap.bind_pwd)
appli.state.ldap = l
@appli.state.manager.user_loader()
async def query_user(user: str) -> None | models.User:
async def query_user(user: str) -> None | str | models.User:
"""
Get a user from the db
Get a user from the db or LDAP
:param user: name of the user
:return: None or the user object
"""
if appli.state.config.general.ldap is not None:
from argos.server.routes.dependencies import find_ldap_user
return await find_ldap_user(appli.state.config, appli.state.ldap, user)
return await queries.get_user(appli.state.db, user)
appli.include_router(routes.api, prefix="/api")

2
argos/server/routes/api.py
View file

@ -30,7 +30,7 @@ async def read_tasks(
@route.post("/results", status_code=201, dependencies=[Depends(verify_token)])
async def create_results(
async def create_results( # pylint: disable-msg=too-many-positional-arguments
request: Request,
results: List[AgentResult],
background_tasks: BackgroundTasks,

25
argos/server/routes/dependencies.py
View file

@ -31,3 +31,28 @@ async def verify_token(
if token.credentials not in request.app.state.config.service.secrets:
raise HTTPException(status_code=401, detail="Unauthorized")
return token
async def find_ldap_user(config, ldap, user: str) -> str | None:
"""Do a LDAP search for user and return its dn"""
import ldap.filter as ldap_filter
from ldapurl import LDAP_SCOPE_SUBTREE
result = ldap.search_s(
config.general.ldap.user_tree,
LDAP_SCOPE_SUBTREE,
filterstr=ldap_filter.filter_format(
f"(&(%s=%s){config.general.ldap.user_filter})",
[
config.general.ldap.user_attr,
user,
],
),
attrlist=[config.general.ldap.user_attr],
)
# If there is a result, there should, logically, be only one entry
if len(result) > 0:
return result[0][0]
return None

30
argos/server/routes/views.py
View file

@ -80,20 +80,34 @@ async def post_login(
)
username = data.username
user = await queries.get_user(db, username)
invalid_credentials = templates.TemplateResponse(
"login.html",
{"request": request, "msg": "Sorry, invalid username or bad password."},
)
if user is None:
return invalid_credentials
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
if not pwd_context.verify(data.password, user.password):
return invalid_credentials
if config.general.ldap is not None:
from ldap import INVALID_CREDENTIALS # pylint: disable-msg=no-name-in-module
from argos.server.routes.dependencies import find_ldap_user
user.last_login_at = datetime.now()
db.commit()
ldap_dn = await find_ldap_user(config, request.app.state.ldap, username)
if ldap_dn is None:
return invalid_credentials
try:
request.app.state.ldap.simple_bind_s(ldap_dn, data.password)
except INVALID_CREDENTIALS:
return invalid_credentials
else:
user = await queries.get_user(db, username)
if user is None:
return invalid_credentials
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
if not pwd_context.verify(data.password, user.password):
return invalid_credentials
user.last_login_at = datetime.now()
db.commit()
manager = request.app.state.manager
session_duration = config.general.session_duration

6
docs/cli.md
View file

@ -280,7 +280,11 @@ You can choose to protect Argos web interface with a user system, in which ca
See [`unauthenticated_access` in the configuration file](configuration.md) to allow partial or total unauthenticated access to Argos.
You can manage users only through CLI.
See [`ldap` in the configuration file](configuration.md) to authenticate users against a LDAP server instead of Argos database.
You can manage Argos users only through CLI.
NB: you cant manage the LDAP users with Argos.
<!--
.. [[[cog

20
docs/installation/getting-started.md
View file

@ -10,6 +10,14 @@ NB: if you want a quick-installation guide, we [got you covered](tl-dr.md).
- Python 3.11+
- PostgreSQL 13+ (for production)
### Optional dependencies
If you want to use LDAP authentication, you will need to install some packages (here for a Debian-based system):
```bash
apt-get install build-essential python3-dev libldap-dev libsasl2-dev
```
## Recommendation
Create a dedicated user for argos:
@ -45,6 +53,18 @@ For production, we recommend the use of [Gunicorn](https://gunicorn.org/), which
pip install "argos-monitoring[gunicorn]"
```
If you want to use LDAP authentication, youll need to install Argos this way:
```bash
pip install "argos-monitoring[ldap]"
```
And for an installation with Gunicorn and LDAP authentication:
```bash
pip install "argos-monitoring[gunicorn,ldap]"
```
## Install from sources
Once you got the source locally, create a virtualenv and install the dependencies:

5
pyproject.toml
View file

@ -53,7 +53,7 @@ dev = [
"ipython>=8.16,<9",
"isort==5.11.5",
"mypy>=1.10.0,<2",
"pylint>=3.0.2",
"pylint>=3.2.5",
"pytest-asyncio>=0.21,<1",
"pytest>=6.2.5",
"respx>=0.20,<1",
@ -72,6 +72,9 @@ docs = [
gunicorn = [
"gunicorn>=21.2,<22",
]
ldap = [
"python-ldap>=3.4.4,<4",
]
[project.urls]
homepage = "https://argos-monitoring.framasoft.org/"