Commit Graph

52 Commits

Author SHA1 Message Date
kevgliss eea413a90f
Modifying the way we report metrics. Relying on metric tags instead of the the metric name for additional dimensions. (#1036) 2018-01-02 15:26:31 -08:00
kevgliss 9a0ada75fa
Upgrading satellizer library. (#1031) 2018-01-02 09:12:06 -08:00
kevgliss 848ce8c978
Refactoring authentincation to support GET and POST requests. Closes #990. (#1030) 2018-01-01 19:11:29 -08:00
Eric 6edc5180c7 fix roles assigned in the ui for sso (#1017)
This commit fixes the ability to assign roles to people in the ui
when the user is SSO. The idea is if a role is ever assigned via
SSO it becomes a "SSO Role" or a "Third Party" Role. by setting
third_party to true on the role object.

Once a role is marked as third party it can no longer be controlled
through the ui for SSO Users. (for ui users this poses no functional
change). It must be controlled via SSO.
2017-12-11 13:51:45 -08:00
Eric c402f1ff87 add per user api keys to the backend (#995)
Adds in per user api keys to the backend of lemur.
the basics are:
  - API Keys are really just JWTs with custom second length TTLs.
  - API Keys are provided in the exact same ways JWTs are now.
  - API Keys can be revoked/unrevoked at any time by their creator
    as well as have their TTL Change at anytime.
  - Users can create/view/list their own API Keys at will, and
    an admin role has permission to modify all api keys in the
    instance.

Adds in support for lemur api keys to the frontend of lemur.
doing this required a few changes to the backend as well, but it is
now all working (maybe not the best way though, review will determine
that).

  - fixes inconsistency in moduleauthor name I inputted during the
    first commit.
  - Allows the revoke schema to optionally allow a full api_key object.
  - Adds `/users/:user_id/api_keys/:api_key` and `/users/:user_id/api_keys`
    endpoints.
  - normalizes use of `userId` vs `userId`
  - makes `put` call respond with a JWT so the frontend can show
    the token on updating.
  - adds in the API Key views for clicking "API Keys" on the main nav.
  - adds in the API Key views for clicking into a users edit page.
  - adds tests for the API Key backend views I added.
2017-12-04 08:50:31 -08:00
Johannes Langer 041f3a22fa Added ability to set custom roles for users logging in via oauth provider (#985) 2017-11-10 08:38:33 -08:00
Johannes Langer 9319dda0ec Added ability to ignore cert for oauth2 provider (#971)
* Added ability to ignore cert for oauth2 provider

This is useful for development environments where the OAuth provider
doesn't have a valid cert!

* Setting default for OAUTH2_VERIFY_CERT to true
2017-10-20 16:36:14 -07:00
kevgliss e0d9443141 Ensuring existing users are also given the default role. (#960) 2017-10-05 16:47:52 -07:00
Marti Raudsepp 97d83890e0 Various minor cleanups and fixes (#938)
* Documentation fixes

* Various docstring and help string fixes

* Minor code cleanups

* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
Ian Stahnke 79d12578c7 basic ldap support (#842) 2017-09-03 20:41:43 -07:00
Michael LoSapio 3141b47fba Catch OAuth providers that want the params sent as data (#800) 2017-05-25 10:21:29 -07:00
kevgliss 11bd42af82 Correct status code for basic-auth (#813)
* ensuring those using basic auth recieve a correct status code when their password is incorrect

* Fixing oauth status codes
2017-05-23 09:48:31 -07:00
kevgliss 307a73c752 Fixing some confusion between 401 vs 403 error code. 401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. (#804)
Closes #767
2017-05-18 13:20:17 -07:00
Nevins 0326e1031f adding generic OAuth2 provider (#685)
* adding support for Okta Oauth2

* renaming to OAuth2

* adding documentation of options

* fixing flake8 problems
2017-02-03 10:36:49 -08:00
kevgliss 2f5f82d797 Ensures that in-active users are not allowed to login. (#618) 2016-12-19 22:58:57 -08:00
Marti Raudsepp 71ddbb409c Minor documentation fixes/tweaks (#597)
Mostly typos, grammar errors and inconsistent indentation in code
examples.

Some errors detected using Topy (https://github.com/intgr/topy), all
changes verified by hand.
2016-12-14 09:29:04 -08:00
kevgliss 727bc87ede Log fixes (#534)
* tying up some loose ends with event logging

* Ensuring creators can access
2016-11-28 14:13:16 -08:00
kevgliss 8e5323e2d7 migrating flask imports (#525) 2016-11-22 21:11:20 -08:00
kevgliss dd6d332166 Removing python2 compatibility. (#518) 2016-11-21 14:03:04 -08:00
cviecco 490d5b6e6c python2.x .base64url_decode has a single parameter and incoming data is utf-8.. need to convert so string (#463) 2016-10-26 00:50:00 -07:00
kevgliss c05a49f8c9 Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-11 17:24:15 -07:00
kevgliss a60e372c5a Ensuring that password hashes are compared correctly under python3 2016-09-07 13:25:51 -07:00
kevgliss 53d0636574 Python3 (#417)
* Fixing tests.

* Fixing issue where decrypted credentials were not returning valid strings.

* Fixing issues with python3 authentication.
2016-08-29 08:58:53 -07:00
kevgliss e34de921b6 Target Individuals for Certificates (#384)
* Allowing individual users to be targeted for a role.

* Ensuring that even new users get a per user-role
2016-07-01 09:04:39 -07:00
kevgliss 19b928d663 Fixes #367 2016-06-23 13:29:59 -07:00
kevgliss daea8f6ae4 Bug fixes (#355)
* we should not require password to update users

* Fixing an issue were roles would not be added.
2016-06-13 17:22:45 -07:00
Roi Martin 41d1fe9191 Using UTC time in JWT token creation (#354)
As stated in PyJWT's documentation [1] and JWT specification [2][3], UTC
times must be used. This commit fixes JWT decoding in servers not using
UTC time.

[1] https://pypi.python.org/pypi/PyJWT/1.4.0
[2] https://tools.ietf.org/html/rfc7519#section-4.1.6
[3] https://tools.ietf.org/html/rfc7519#section-2
2016-06-13 11:18:07 -07:00
kevgliss bd727b825d Making roles more apparent for certificates and authorities. (#327) 2016-05-20 12:48:12 -07:00
kevgliss 62d03b0d41 Closes #216 2016-04-01 16:54:33 -07:00
Mike Grima ba666ddbfa Removed deprecated auth api endpoint. 2016-02-16 15:04:53 -08:00
kevgliss 685e2c8b6d fixing typo 2016-01-05 09:40:53 -08:00
kevgliss 3f024c1ef4 Adds ability for domains to be marked as sensitive and only be allowed to be issued by an admin closes #5 2015-12-30 15:11:08 -08:00
kevgliss a7decc1948 Fixing some issues with dynamically supporting multiple SSO providers 2015-12-27 17:54:11 -05:00
Robert Picard 60856cb7b9 Add an endpoint to return active authentication providers
This endpoint can be used by Angular to figure out what authentication
options to display to the user. It returns a dictionary of configuration
details that the front-end needs for each provider.
2015-12-22 18:03:56 -05:00
Robert Picard 350d013043 Add Google SSO
This pull request adds Google SSO support. There are two main changes:

1. Add the Google auth view resource
2. Make passwords optional when creating a new user. This allows an admin
to create a user without a password so that they can only login via Google.
2015-12-22 13:44:30 -05:00
Robert Picard 2fc6d4cd21 Fix a handful of typos in documentation
As I was reading through the docs I made note of grammar issues and
typos I saw. Not a huge deal but might as well fix what I noticed.
2015-10-06 15:05:05 -07:00
kevgliss ef72de89b3 Minor fixes 2015-09-18 15:50:59 -07:00
kevgliss 480078da42 Removing str casting for role permission 2015-09-01 14:15:40 -07:00
kevgliss 70ccd137e1 removing netflix specific code from auth flow 2015-08-27 13:09:02 -07:00
kevgliss 45c442000e Fixing some unfortunate casting that prevent creators from viewing/updating their certs 2015-08-22 10:56:15 -07:00
kevgliss d62f57eab3 Fixing an issue with futures, unicode and b64 not being able to handle the unicode values 2015-08-20 15:49:08 -07:00
kevgliss 6b2da2fe6b Fixes #35 2015-08-19 18:05:18 -07:00
kevgliss f09f5eb0f1 Fixing issue with creating roles 2015-08-17 22:51:29 -07:00
kevgliss fc68552d0f Making Lemur py3 compatible 2015-08-03 21:07:28 -07:00
kevgliss a4ed83cb62 Refactoring out challenge 2015-07-23 08:52:30 -07:00
kevgliss c75e20a1ea Pleasing the PEP8 gods 2015-07-21 13:06:13 -07:00
kevgliss f660450043 Aligning config variables 2015-07-07 17:23:46 -07:00
kevgliss 95bab9331d Enabling CSR generation and reducing complexity of encryption/decrypting the 'key' dir. 2015-07-03 10:30:17 -07:00
Kevin Glisson 8a6abc6f82 Adding for handling proxy-based errors 2015-07-02 15:48:55 -07:00
Kevin Glisson 6aa1a12ef6 Removing netflix specific role 2015-07-02 15:48:55 -07:00