Merge pull request #9 from parallelsystems/add-azure-sso

Add azure sso

Author: christosachilleoudis

Pipfile

@@ -40,6 +40,7 @@ raven = {extras = ["flask"], version = "*"}
 redis = "*"
 watchdog = "*"
 weber_utils = "*"
+msal = "*"
 
 [dev-packages]
 Flask-Loopback = "*"

Pipfile.lock

@@ -1,4 +1,4 @@
-FROM node:8 as frontend-builder
+FROM node:10 as frontend-builder
 # build frontend
 RUN npm install -g ember-cli
 

docker/Dockerfile

@@ -12,7 +12,7 @@
 
 from .config import get_runtime_config_private_dict
 from .models import db, Role, User
-from .utils.oauth2 import get_oauth2_identity
+from .utils.oauth2 import get_oauth2_identity, get_oauth2_identity_azure
 
 _logger = logbook.Logger(__name__)
 
@@ -52,9 +52,15 @@ def login():
         return _login_with_credentials(credentials)
 
     auth_code = credentials.get('authorizationCode')
-    if auth_code:
+    provider = credentials.get("provider")
+    redirect_uri = credentials.get("redirectUri")
+
+    if provider == "google-oauth2":
         return _login_with_google_oauth2(auth_code)
 
+    if provider == "azure-ad2-oauth2":
+        return _login_with_azure_oauth2(auth_code, redirect_uri)
+
     error_abort('No credentials were specified', code=requests.codes.unauthorized)
 
 
@@ -137,6 +143,19 @@ def _login_with_google_oauth2(auth_code):
 
     return _make_success_login_response(user, user_info)
 
+def _login_with_azure_oauth2(auth_code, redirect_uri):
+    """Logs in with azure oath2"""
+    user_info = get_oauth2_identity_azure(auth_code, redirect_uri)
+    if not user_info:
+        error_abort('Could not complete OAuth2 exchange', code=requests.codes.unauthorized)
+
+    _check_alowed_email_domain(user_info)
+
+    user = get_or_create_user(user_info)
+    login_user(user)
+
+    return _make_success_login_response(user, user_info)
+
 
 @auth.route("/logout", methods=['POST'])
 def logout():

flask_app/auth.py

@@ -27,6 +27,10 @@ def get_app_config():
     'google_oauth2_enabled': False,
     'google_oauth2_client_id': None,
     'google_oauth2_client_secret': None,
+    'azure_oauth2_enabled': False,
+    'azure_oauth2_client_id': None,
+    'azure_oauth2_client_secret': None,
+    'azure_oauth2_tenant_id': None,
     'ldap_login_enabled': False,
     'ldap_uri': None,
     'ldap_base_dn': None,

flask_app/blueprints/api/setup.py

@@ -4,6 +4,7 @@
 from httplib2 import Http
 from apiclient.discovery import build
 from oauth2client.client import OAuth2WebServerFlow
+import msal
 
 from .. import config
 
@@ -41,6 +42,42 @@ def get_oauth2_identity(auth_code):
     _logger.debug('Found user info: {}', info)
     return info
 
+def get_oauth2_identity_azure(auth_code, redirect_uri):
+    """Gets identity from azure auth_code""" 
+
+    config_dict = config.get_runtime_config_private_dict()
+    client_id = config_dict['azure_oauth2_client_id']
+    client_secret = config_dict['azure_oauth2_client_secret']
+    authority = f"https://login.microsoftonline.com/{config_dict['azure_oauth2_tenant_id']}"
+
+    if not client_id:
+        _logger.error('No OAuth2 client id configured')
+        return
+
+    if not client_secret:
+        _logger.error('No OAuth2 client secret configured')
+        return
+
+    _logger.info('get_oauth2_identity: Using redirect URI {!r}', redirect_uri)
+
+    client = msal.ConfidentialClientApplication(
+        client_id, authority=authority,
+        client_credential=client_secret, token_cache=None)
+
+    token = client.acquire_token_by_authorization_code(code=auth_code, scopes=["User.read"], redirect_uri=redirect_uri)
+
+    if "error" in token:
+        _logger.error(token["error_description"])
+        assert False
+    
+    user_info = token["id_token_claims"]
+
+    return {
+        "email" : user_info["email"], 
+        "first_name" : user_info["name"].split()[0],
+        "last_name" : user_info["name"].split()[-1],
+    }
+
 
 def _get_user_info(credentials):
     http_client = Http()

flask_app/utils/oauth2.py

@@ -130,7 +130,8 @@ def _ensure_conf():
     if not os.path.isfile(private_filename):
         with open(private_filename, 'w') as f:
             for secret_name in ('SECRET_KEY', 'SECURITY_PASSWORD_SALT'):
-                f.write('{}: {!r}\n'.format(secret_name, _generate_secret_string()))
+                # either pull value from environment or generate random value
+                f.write('{}: {!r}\n'.format(secret_name, os.environ.get(secret_name, _generate_secret_string())))
 
 def _generate_secret_string(length=50):
     return "".join([random.choice(string.ascii_letters) for i in range(length)])

manage.py

@@ -11,4 +11,5 @@ const App = Application.extend({
 
 loadInitializers(App, config.modulePrefix);
 config.torii.providers["google-oauth2"].redirectUri = window.location.origin;
+config.torii.providers["azure-ad2-oauth2"].redirectUri = window.location.origin;
 export default App;

webapp/app/app.js

@@ -29,6 +29,11 @@ export default Route.extend(ApplicationRouteMixin, {
       let cfg = config.torii;
       cfg.providers["google-oauth2"].apiKey =
         model.runtime_config.google_oauth2_client_id;
+      cfg.providers["azure-ad2-oauth2"].apiKey =
+        model.runtime_config.azure_oauth2_client_id;
+      cfg.providers["azure-ad2-oauth2"].tenantId =
+        model.runtime_config.azure_oauth2_tenant_id;
+
       this.load_current_user();
     }
   },

webapp/app/application/route.js

@@ -14,8 +14,8 @@ export default Controller.extend(UnauthenticatedRouteMixin, {
       self.set("login_error", null);
       const credentials = this.getProperties(["username", "password"]);
       self.get("session").authenticate("authenticator:token", credentials).then(
-        function() {},
-        function() {
+        function () { },
+        function () {
           self.set("login_error", "Invalid username and/or password");
         }
       );
@@ -28,24 +28,53 @@ export default Controller.extend(UnauthenticatedRouteMixin, {
       self
         .get("torii")
         .open("google-oauth2")
-        .then(function(auth) {
+        .then(function (auth) {
           return self
+
             .get("session")
             .authenticate("authenticator:token", auth)
             .then(
-              function(data) {
+              function (data) {
                 return data;
               },
-              function(error) {
+              function (error) {
                 self.set("login_error", error.error);
               }
             );
         })
-        .finally(function() {
+        .finally(function () {
+          self.set("loading", false);
+        });
+
+      return;
+    },
+
+    login_azure() {
+      let self = this;
+      self.set("loading", true);
+      self.set("login_error", null);
+      self
+        .get("torii")
+        .open("azure-ad2-oauth2", { "response_type": "id_token+code" })
+        .then(function (auth) {
+          return self
+            .get("session")
+            .authenticate("authenticator:token", auth)
+            .then(
+              function (data) {
+                return data;
+              },
+              function (error) {
+                self.set("login_error", error.error);
+              }
+            );
+        })
+        .finally(function () {
           self.set("loading", false);
         });
 
       return;
     }
+
   }
 });