Posted to commits@ponymail.apache.org by hu...@apache.org on 2020/12/12 11:04:42 UTC
[incubator-ponymail-foal] 01/04: Work in an admin switch for oauth
logins, to be used later.
This is an automated email from the ASF dual-hosted git repository.
humbedooh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-ponymail-foal.git
commit a4432f3b3a930aa484440e1ae3fe8db9806962d1
Author: Daniel Gruno <hu...@apache.org>
AuthorDate: Tue Dec 1 13:01:03 2020 +0100
Work in an admin switch for oauth logins, to be used later.
---
server/endpoints/oauth.py | 6 ++++--
server/endpoints/preferences.py | 2 ++
server/plugins/configuration.py | 2 ++
server/plugins/session.py | 3 +++
tools/setup.py | 2 ++
5 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/server/endpoints/oauth.py b/server/endpoints/oauth.py
index 929e2c9..8ab02f6 100644
--- a/server/endpoints/oauth.py
+++ b/server/endpoints/oauth.py
@@ -64,6 +64,8 @@ async def process(
"ascii", "ignore"
)
).hexdigest(16)
+ authoritative = rv.get("oauth_domain", "generic") in server.config.oauth.authoritative_domains
+ admin = authoritative and rv.get('email') in server.config.oauth.admins
cookie = await plugins.session.set_session(
server,
cid,
@@ -72,10 +74,10 @@ async def process(
email=rv.get("email"),
# Authoritative if OAuth domain is in the authoritative oauth section in ponymail.yaml
# Required for access to private emails
- authoritative=rv.get("oauth_domain", "generic")
- in server.config.oauth.authoritative_domains,
+ authoritative=authoritative,
oauth_provider=rv.get("oauth_domain", "generic"),
oauth_data=rv,
+ admin=admin
)
# This could be improved upon, instead of a raw response return value
return aiohttp.web.Response(
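Review bot: The admin decision on the new `admin = ...` line compares the provider-supplied email verbatim against `server.config.oauth.admins`, so a case difference between the OAuth profile and ponymail.yaml silently denies admin, and if the configured value is not a list (a null `admins:` entry is read as None by the config loader) the `in` test raises TypeError at login rather than at startup; guaranteeing a list belongs in OAuthConfig, and case handling deserves at least a comment stating that entries must match the provider's spelling. The same expression is repeated in session.py's get_session hunk, so a single helper such as `is_admin(server, authoritative, email)` would keep the two from drifting apart. Two smaller points of style: `rv.get("oauth_domain", "generic")` is now evaluated twice in this hunk and could be bound once as `provider = rv.get("oauth_domain", "generic")`, and the new line uses single quotes where the surrounding code uses double. process() starts and ends outside the hunk.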
diff --git a/server/endpoints/preferences.py b/server/endpoints/preferences.py
index 49dcff6..7a473aa 100644
--- a/server/endpoints/preferences.py
+++ b/server/endpoints/preferences.py
@@ -47,6 +47,8 @@ async def process(
"fullname": session.credentials.name,
}
}
+ if session.credentials.admin is True:
+ prefs['login']['credentials']['admin'] = True
# Logging out??
if indata.get('logout'):
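Review bot: The new `admin` key is written only when the flag is True, so non-admin clients see an absent key rather than False; if the UI branches on it, always emitting the boolean with `prefs['login']['credentials']['admin'] = bool(session.credentials.admin)` is simpler to consume and removes the `is True` test. This value is presentation data only: any endpoint that performs an admin action still has to consult `session.credentials.admin` server-side, never anything the client sends back, and a one-line comment saying so next to the assignment would make that explicit. The dict literal this extends and process() itself both begin outside the hunk.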
diff --git a/server/plugins/configuration.py b/server/plugins/configuration.py
index 54417cb..4132511 100644
--- a/server/plugins/configuration.py
+++ b/server/plugins/configuration.py
@@ -33,12 +33,14 @@ class UIConfig:
class OAuthConfig:
authoritative_domains: list
+ admins: list
google_client_id: str
github_client_id: str
github_client_secret: str
def __init__(self, subyaml: dict):
self.authoritative_domains = subyaml.get("authoritative_domains", [])
+ self.admins = subyaml.get("admins", [])
self.google_client_id = subyaml.get("google_client_id", "")
self.github_client_id = subyaml.get("github_client_id", "")
self.github_client_secret = subyaml.get("github_client_secret", "")
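Review bot: `subyaml.get("admins", [])` on the new `self.admins` line returns None when the key is present with a null value (the setup template uses `~` for the neighbouring keys), and the `in` checks in oauth.py and session.py then raise TypeError at login time; `self.admins = subyaml.get("admins") or []` keeps the attribute a list in every case (the existing `authoritative_domains` line has the same weakness). The new class attribute would also benefit from a comment such as `# emails granted admin rights; only honoured when the login came from an authoritative domain`, since that coupling is enforced in oauth.py rather than here. OAuthConfig may continue past the end of the hunk.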
diff --git a/server/plugins/session.py b/server/plugins/session.py
index e18a449..4ccd526 100644
--- a/server/plugins/session.py
+++ b/server/plugins/session.py
@@ -160,6 +160,8 @@ async def get_session(
)
creds["oauth_provider"] = internal.get("oauth_provider", "generic")
creds["oauth_data"] = internal.get("oauth_data", {})
+ # We update admin boolean whenever we fetch session doc, as they may have changed in yaml but not in ES.
+ creds["admin"] = creds["authoritative"] and creds.get('email') in server.config.oauth.admins
session.credentials = SessionCredentials(creds)
# Save in memory storage
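Review bot: The recomputation of `creds["admin"]` on every fetch is the right place for revocation to take effect, but the result is then stored in memory (the line after the hunk), so whether a yaml change reaches an already-cached session depends on how long that cache keeps the entry — the new comment should say that, e.g. `# Recomputed from ponymail.yaml on each ES fetch; a cached session keeps the old value until it expires.` The comment also reads better as "as it may have changed in yaml but not in ES". `creds["authoritative"]` is subscripted while the email uses `.get`, which is fine only if `authoritative` is always populated above, outside the hunk. get_session starts and ends outside the hunk.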
@@ -231,6 +233,7 @@ async def save_credentials(session: SessionObject):
"internal": {
"oauth_provider": session.credentials.oauth_provider,
"oauth_data": session.credentials.oauth_data,
+ "admin": session.credentials.admin,
},
},
)
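Review bot: The `admin` value persisted here is overwritten from configuration the next time get_session() loads the document (see that hunk), so the stored field never acts as the source of truth for admin rights; a comment beside it, `# informational only: recomputed from ponymail.yaml on every get_session()`, stops a later reader from treating the ES document as authoritative. save_credentials' body begins outside the hunk.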
diff --git a/tools/setup.py b/tools/setup.py
index cbbadc9..69df254 100755
--- a/tools/setup.py
+++ b/tools/setup.py
@@ -463,6 +463,8 @@ oauth:
# authoritative_domains:
# - googleapis.com # OAuth via google is authoritative
# - github.com # GitHub OAuth is authoritative
+# admins:
+# - foo@example.org
google_client_id: ~
github_client_id: ~
github_client_secret: ~