
Commit 67437318 authored by CAMPION Sebastien's avatar CAMPION Sebastien

Basic Auth support

parent ed87a7b9
...@@ -12,7 +12,7 @@ RUN apt-get update && apt-get -t stretch-backports install -y \ ...@@ -12,7 +12,7 @@ RUN apt-get update && apt-get -t stretch-backports install -y \
python3-django python3-django-allauth python3-django python3-django-allauth
RUN apt-get install -y mysql-server default-libmysqlclient-dev \ RUN apt-get install -y mysql-server default-libmysqlclient-dev \
nginx-light zip python3-dev python3-pip python3-mysqldb python-mysqldb \ nginx-light zip python3-dev python3-pip python3-mysqldb python-mysqldb python3-crypto \
supervisor && pip3 install gunicorn supervisor && pip3 install gunicorn
...@@ -30,4 +30,5 @@ RUN rm /etc/nginx/sites-enabled/default && \ ...@@ -30,4 +30,5 @@ RUN rm /etc/nginx/sites-enabled/default && \
WORKDIR /opt/allgo WORKDIR /opt/allgo
LABEL dk.migrate_always=1 LABEL dk.migrate_always=1
ENV PYTHONUNBUFFERED 1
CMD run-allgo CMD run-allgo
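Review bot: `python3-crypto`, added to the second apt-get line, is the Debian packaging of PyCrypto, which has been unmaintained since 2013, and it is what the new `from Crypto.PublicKey import RSA` in tokens.py now depends on; the maintained drop-in is pycryptodome, which ships the same `Crypto.PublicKey.RSA` module with `importKey`/`exportKey`. It is also installed through apt while the other dependencies this commit introduces (`python-jose==2.0.2`, `pyopenssl`) go through requirements.txt, so an install from the requirements file alone cannot import tokens.py. Listing it there as `pycryptodome==<pinned version>` next to python-jose keeps the Python dependencies in one place.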
...@@ -3,6 +3,9 @@ import time ...@@ -3,6 +3,9 @@ import time
import hashlib import hashlib
import base64 import base64
import subprocess import subprocess
import binascii
from Crypto.PublicKey import RSA
from jose import jwt from jose import jwt
SIGNING_KEY_PATH = os.environ.get('SIGNING_KEY_PATH') SIGNING_KEY_PATH = os.environ.get('SIGNING_KEY_PATH')
...@@ -21,13 +24,13 @@ def run_command(command): ...@@ -21,13 +24,13 @@ def run_command(command):
def key_id_encode(the_bytes): def key_id_encode(the_bytes):
source = base64.b32encode(the_bytes).rstrip("=") source = base64.b32encode(the_bytes)
result = [] result = []
for i in xrange(0, len(source), 4): for i in range(0, len(source), 4):
start = i start = i
end = start+4 end = start+4
result.append(source[start:end]) result.append(source[start:end])
return ":".join(result) return ":".join(map(str, result))
def kid_from_crypto_key(private_key_path, key_type='EC'): def kid_from_crypto_key(private_key_path, key_type='EC'):
...@@ -41,20 +44,8 @@ def kid_from_crypto_key(private_key_path, key_type='EC'): ...@@ -41,20 +44,8 @@ def kid_from_crypto_key(private_key_path, key_type='EC'):
ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
""" """
algorithm = hashlib.sha256() algorithm = hashlib.sha256()
if key_type == 'EC': key = RSA.importKey(open(private_key_path).read())
der, msg = run_command(['openssl', 'ec', '-in', private_key_path, der = key.publickey().exportKey("DER")
'-pubout', '-outform', 'DER'])
elif key_type == 'RSA':
der, msg = run_command(['openssl', 'rsa', '-in', private_key_path,
'-pubout', '-outform', 'DER'])
else:
raise Exception("Key type not supported")
if not der:
raise Exception(msg)
algorithm.update(der) algorithm.update(der)
return key_id_encode(algorithm.digest()[:30]) return key_id_encode(algorithm.digest()[:30])
...@@ -112,3 +103,4 @@ class Token(object): ...@@ -112,3 +103,4 @@ class Token(object):
headers=self.header) headers=self.header)
return token return token
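Review bot: `":".join(map(str, result))` in key_id_encode (hunk @@ -21,13 +24,13 @@) joins slices of the bytes value that `base64.b32encode` returns on Python 3, and `str()` of a bytes object is its repr, so the key id comes out as `b'ABCD':b'EFGH':...` instead of the `ABCD:EFGH:...` form the docstring shows; a kid in that form is unlikely to match whatever the registry derives from its root cert bundle. Decode once rather than stringifying each chunk: `source = base64.b32encode(the_bytes).decode('ascii')` and keep `return ":".join(result)` (30 digest bytes encode to 48 characters with no padding, so dropping the old `rstrip("=")` is harmless). In the next hunk, `RSA.importKey(open(private_key_path).read())` never closes the file and silently ignores `key_type`, which the signature and docstring still advertise with the `'EC'` default; reading via `with open(private_key_path, 'rb') as f:` and raising for unsupported types keeps the old contract.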
import base64
from django.contrib.auth.mixins import LoginRequiredMixin from django.contrib.auth.mixins import LoginRequiredMixin
from django.contrib.auth.models import User
from django.shortcuts import render, get_object_or_404 from django.shortcuts import render, get_object_or_404
from django.http import JsonResponse from django.http import JsonResponse, HttpResponse
from django.urls import reverse from django.urls import reverse
from django.views.generic import ( from django.views.generic import (
ListView, ListView,
...@@ -12,7 +15,7 @@ from allgo.django.allgo.main.tokens import Token ...@@ -12,7 +15,7 @@ from allgo.django.allgo.main.tokens import Token
from .models import Webapp, Job, AllgoUser from .models import Webapp, Job, AllgoUser
def get_allowed_actions(actions): def get_allowed_actions(user, actions):
# FIXME restrict to repository and acl define in DB # FIXME restrict to repository and acl define in DB
return actions return actions
...@@ -22,11 +25,21 @@ def index(request): ...@@ -22,11 +25,21 @@ def index(request):
def tokens(request): def tokens(request):
if not request.user.is_authenticated:
return JsonResponse({'WWW-Authenticate': 'Basic realm="Login Required"'}, status=401)
service = request.args.get('service') auth_header = request.META.get('HTTP_AUTHORIZATION', '')
scope = request.args.get('scope') token_type, credentials = auth_header.split(' ')
username, password = base64.b64decode(credentials).decode('utf-8').split(':')
print(username, password)
try:
user = User.objects.get(email=username)
except User.DoesNotExist:
return HttpResponse(status=401)
password_valid = user.check_password(password)
if token_type != 'Basic' or not password_valid:
return HttpResponse(status=401)
service = request.GET['service']
scope = request.GET['scope']
if not scope: if not scope:
typ = '' typ = ''
name = '' name = ''
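Review bot: `print(username, password)` in the new Basic Auth branch of tokens() writes the plaintext password to stdout on every token request, and with the `PYTHONUNBUFFERED` setting this commit adds to the Dockerfile it goes straight to the container log; remove it. The parsing around it turns bad input into 500s: `auth_header.split(' ')` fails to unpack when the header is absent or has a different shape, `base64.b64decode` raises on non-base64 input before `token_type` is ever compared to `'Basic'`, and the `.split(':')` unpack fails for a password containing a colon (RFC 7617 splits on the first colon only). `User.objects.get(email=username)` can raise MultipleObjectsReturned because email is not unique on Django's default User, an unknown email returns before any password hashing runs so the response time reveals which accounts exist, and `is_active` is never consulted. The `request.user.is_authenticated` gate on the first two lines fires before the Authorization header is read, so a client carrying only Basic credentials and no session is, unless some middleware authenticates from that header, always answered with the challenge, and the challenge sits in the JSON body rather than a `WWW-Authenticate` header; `request.GET['service']` and `['scope']` likewise raise on a missing parameter even though the next line tests `if not scope:`. tokens() continues past the hunk; the rewrite below covers only the lines shown.
```python
def tokens(request):
    auth_header = request.META.get('HTTP_AUTHORIZATION', '')
    token_type, _, credentials = auth_header.partition(' ')
    if token_type != 'Basic' or not credentials:
        response = HttpResponse(status=401)
        response['WWW-Authenticate'] = 'Basic realm="Login Required"'
        return response
    try:
        decoded = base64.b64decode(credentials, validate=True).decode('utf-8')
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return HttpResponse(status=401)
    # RFC 7617: the user-id cannot contain ':', the password may
    username, _, password = decoded.partition(':')
    try:
        user = User.objects.get(email=username)
    except (User.DoesNotExist, User.MultipleObjectsReturned):
        # run the hasher anyway so an unknown email costs the same time as a wrong password
        User().set_password(password)
        return HttpResponse(status=401)
    if not user.is_active or not user.check_password(password):
        return HttpResponse(status=401)
    service = request.GET.get('service', '')
    scope = request.GET.get('scope', '')
    # … unchanged: scope parsing and token issuance …
```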
...@@ -2,5 +2,6 @@ Django==1.11 ...@@ -2,5 +2,6 @@ Django==1.11
mysqlclient==1.3.12 mysqlclient==1.3.12
django-environ==0.4.4 django-environ==0.4.4
django-allauth==0.35.0 django-allauth==0.35.0
jwt python-jose==2.0.2
pyopenssl
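Review bot: `pyopenssl` is added without a version while every other entry in the file is pinned (`python-jose==2.0.2` in the same hunk), and none of this commit's Python hunks imports OpenSSL, so it is unclear what it is for; pin it or drop it. The `Crypto` package that tokens.py now imports is not listed here at all but comes from an apt package in the Dockerfile, so a plain `pip install -r requirements.txt` no longer yields an importable tokens module.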
...@@ -2,168 +2,168 @@ ...@@ -2,168 +2,168 @@
version: '2' version: '2'
networks: networks:
dev: dev:
driver: bridge driver: bridge
sandboxes: sandboxes:
driver: bridge driver: bridge
services: services:
dev-registry:
container_name: dev-registry
build: registry
#image: allgo/registry # DJANGO
######################################################################################################################
dev-django:
container_name: dev-django
build: django
user: "$DOCKERUSER" user: "$DOCKERUSER"
ports: ports:
- "127.0.0.1:8000-8002:8000-8002" - "8008:8000"
command: "python3 manage.py runserver 0.0.0.0:8000"
volumes:
- "/data/dev/django:/vol"
- "./django:/opt/allgo"
- "./certs:/certs"
networks: [dev]
tty: true
stdin_open: true
environment:
PYTHONUNBUFFERED: 1
ALLGO_ALLOWED_HOSTS: 0.0.0.0
DJANGO_DEBUG: 1
ALLGO_DEBUG: "True"
ALLGO_EMAIL_BACKEND: "django.core.mail.backends.console.EmailBackend"
ALLGO_SECRET_KEY: "nFgLEiedSJfYKyJA6WjkiGs8c23vokcVoM4DDLi9GsCX36TdsR"
ALLGO_DATABASE_PASSWORD: "allgo"
SIGNING_KEY_PATH: "/certs/server.key"
SIGNING_KEY_TYPE: "RSA"
SIGNING_KEY_ALG: "RS256"
ISSUER: "allgo_oauth"
TOKEN_EXPIRATION: "3600"
TOKEN_TYPE: "JWT"
# REGISTRY
######################################################################################################################
dev-registry:
container_name: dev-registry
image: registry:2
ports:
- "5000:5000"
volumes: volumes:
- "/data/dev/registry:/vol"
- "./certs:/certs" - "./certs:/certs"
environment: environment:
REGISTRY_LOG_LEVEL: "debug"
REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/server.crt" REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/server.crt"
REGISTRY_HTTP_TLS_KEY: "/certs/server.key" REGISTRY_HTTP_TLS_KEY: "/certs/server.key"
REGISTRY_AUTH: "token" REGISTRY_AUTH: "token"
REGISTRY_AUTH_TOKEN_REALM: "http://django:8080/tokens" REGISTRY_AUTH_TOKEN_REALM: "http://django:8000/tokens"
REGISTRY_AUTH_TOKEN_SERVICE: "allgo_registry" REGISTRY_AUTH_TOKEN_SERVICE: "allgo_registry"
REGISTRY_AUTH_TOKEN_ISSUER: "allgo_oauth" REGISTRY_AUTH_TOKEN_ISSUER: "allgo_oauth"
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/certs/server.crt" REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/certs/server.crt"
# CONTROLLER
######################################################################################################################
dev-controller: dev-controller:
container_name: dev-controller container_name: dev-controller
build: controller build: controller
#image: allgo/controller
volumes: volumes:
- "/data/dev/controller:/vol" - "/data/dev/controller:/vol"
- "./controller:/opt/allgo-docker" - "./controller:/opt/allgo-docker"
- "/:/vol/host:ro" - "/:/vol/host:ro"
environment: environment:
ENV: "dev" ENV: "dev"
REGISTRY: "localhost:8002/allgo/dev" REGISTRY: "localhost:8002/allgo/dev"
DEBUG: "1" DEBUG: "1"
networks: [dev]
# override default command (to allow running the controller manually with ./shell)
#command: ["/bin/bash"]
#tty: true
#stdin_open: true
networks: [dev] # MYSQL
######################################################################################################################
dev-mysql: dev-mysql:
container_name: dev-mysql container_name: dev-mysql
build: mysql build: mysql
#image: allgo/mysql
user: "$DOCKERUSER" user: "$DOCKERUSER"
ports:
- "3306:3306"
volumes: volumes:
- "/data/dev/mysql:/vol" - "/data/dev/mysql:/vol"
networks: [dev] networks: [dev]
# SSH
######################################################################################################################
dev-ssh: dev-ssh:
container_name: dev-ssh container_name: dev-ssh
build: ssh build: ssh
#image: allgo/ssh
ports: ports:
- "127.0.0.1:2222:22" - "127.0.0.1:2222:22"
volumes: volumes:
- "/data/dev/ssh:/vol" - "/data/dev/ssh:/vol"
- "./ssh:/opt/allgo-ssh" - "./ssh:/opt/allgo-ssh"
environment: environment:
ENV: "dev" ENV: "dev"
networks: [dev, sandboxes] networks: [dev, sandboxes]
# RAILS
######################################################################################################################
dev-rails: dev-rails:
container_name: dev-rails container_name: dev-rails
build: rails build: rails
#image: allgo/rails
user: "$DOCKERUSER" user: "$DOCKERUSER"
ports: ports:
- "127.0.0.1:3000:8080" - "127.0.0.1:3000:8080"
volumes: volumes:
- "/data/dev/rails:/vol" - "/data/dev/rails:/vol"
- "./rails:/opt/allgo" - "./rails:/opt/allgo"
environment: environment:
RAILS_ENV: development RAILS_ENV: development
networks: [dev]
tty: true
stdin_open: true
dev-django:
container_name: dev-django
build: django
#image: allgo/rails
user: "$DOCKERUSER"
ports:
- "127.0.0.1:4000:8080"
volumes:
- "/data/dev/django:/vol"
- "./django:/opt/allgo"
- "./certs:/certs"
networks: [dev] networks: [dev]
tty: true tty: true
stdin_open: true stdin_open: true
environment: # SMTP
SIGNING_KEY_PATH: "/certs/server.key" ######################################################################################################################
SIGNING_KEY_TYPE: "RSA"
SIGNING_KEY_ALG: "RS256"
ISSUER: "allgo_oauth"
TOKEN_EXPIRATION: "3600"
TOKEN_TYPE: "JWT"
dev-smtpsink: dev-smtpsink:
container_name: dev-smtpsink container_name: dev-smtpsink
build: smtpsink build: smtpsink
#image: allgo/smtpsink
ports: ports:
- "127.0.0.1:143:143" - "127.0.0.1:143:143"
volumes: volumes:
- "/data/dev/smtpsink:/vol" - "/data/dev/smtpsink:/vol"
networks: [dev] networks: [dev]
# NGINX
######################################################################################################################
dev-nginx: dev-nginx:
container_name: dev-nginx container_name: dev-nginx
build: nginx build: nginx
ports: ports:
- "127.0.0.1:80:80" - "127.0.0.1:80:80"
- "127.0.0.1:443:443" - "127.0.0.1:443:443"
volumes: volumes:
- "/data/dev/nginx:/vol" - "/data/dev/nginx:/vol"
networks: [dev] networks: [dev]
# TOOLBOX
######################################################################################################################
dev-toolbox: dev-toolbox:
container_name: dev-toolbox container_name: dev-toolbox
build: toolbox build: toolbox
volumes: volumes:
- "/data/dev/toolbox:/vol" - "/data/dev/toolbox:/vol"
\ No newline at end of file
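Review bot: the new port mappings `"8008:8000"` for dev-django, `"5000:5000"` for dev-registry and `"3306:3306"` for dev-mysql bind on every host interface, while every other service in this file, and the dev-django line this replaces (`127.0.0.1:8000-8002:8000-8002`), binds to 127.0.0.1; combined with `DJANGO_DEBUG: 1`, `ALLGO_ALLOWED_HOSTS: 0.0.0.0` and the literal database password, that makes a debug-mode runserver and MySQL reachable from anything that can reach the host. Prefix them like the rest: `- "127.0.0.1:8008:8000"`, `- "127.0.0.1:5000:5000"`, `- "127.0.0.1:3306:3306"`. `ALLGO_SECRET_KEY` and `ALLGO_DATABASE_PASSWORD` are literals committed in the compose file; even for a dev stack, moving them to an untracked `env_file:` keeps them out of history and out of reuse elsewhere. `REGISTRY_AUTH_TOKEN_REALM` is `http://django:8000/tokens`, so the Basic credentials the tokens view now expects travel in clear text between registry clients and Django, which is acceptable on the internal bridge network only as long as no client outside it is pointed at that realm.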