
Sequence diagrams

Made with https://www.websequencediagrams.com/

Before

title Before

participant "Browser" as N
participant "Site" as S

N->S: requests the home page
S->N: returns the home page HTML
N->S: submits login/password
note right of S: login/password validation
S->N: returns the session cookie and the home page HTML in authenticated mode

After (association case)

title After (association case)

participant "IdP" as I
participant "Browser" as N
participant "Reverse-Proxy" as R
participant "Site" as S

N->R: requests the home page
R->S: relays the request
S->R: returns the home page HTML
R->N: relays the response and adds the integration elements (association button)
N->R: the user clicks the association button
R->N: HTTP redirect for authentication on the IdP
N->I: follows the redirect
note over I: authentication on the IdP\nwith the login and password\nof the citizen account
I->N: redirect with the federation key (SAML 2.0)
N->R: follows the redirect and forwards the token
note over R: stores the token in the pending session
R->N: displays the association page asking for a local login and password
N->R: submits the local login/password
R->S: tests the login/password
note over S: credentials valid
S->R: returns the session cookie
note over R: stores the association between\nthe federation key and\nthe local login and password\nin the database
R->N: returns the session cookie and a redirect to the site's home page
N->R: follows the redirect to the home page with a valid session cookie
R->S: relays the request
S->R: returns the home page HTML in authenticated mode
R->N: relays the response

After (connection case)

title After (connection case)

participant "IdP" as I
participant "Browser" as N
participant "Reverse-Proxy" as R
participant "Site" as S

N->R: requests the home page
R->S: relays the request
S->R: returns the home page HTML
R->N: relays the response and adds the integration elements (connection button)
N->R: the user clicks the connection button
R->N: HTTP redirect for authentication on the IdP
N->I: follows the redirect
note over I: authentication on the IdP\nwith the login and password\nof the citizen account
I->N: redirect with the federation key (SAML 2.0)
N->R: follows the redirect and forwards the federation key
note over R: the local login and password\nare looked up in the database\nusing the federation key
R->S: submits the local login\nand password
note over S: credentials valid
S->R: returns the session cookie
R->N: returns the session cookie and a redirect to the site's home page
N->R: follows the redirect to the home page with a valid session cookie
R->S: relays the request
S->R: returns the home page HTML in authenticated mode
R->N: relays the response
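The two flows above share one piece of proxy state: a pending session that holds the federation key returned by the IdP, and the association store that maps that key to a local login/password pair which the proxy later replays to the site. The following model of that state is an added example, not Mandaye's code; the site, the account "alice" and the federation key "citizen-42" are constructed, and the model assumes the SAML response has already been validated (signature, audience, conditions) by the time the federation key reaches it. It shows the two checks the diagrams imply: a local pair is stored only after the site itself accepted it, and only for a browser session that actually came back from the IdP. Because the stored pair is replayable, the association store is the sensitive asset of this design.

```python
import secrets


class LegacySite:
    """Stand-in for the legacy site: it only knows local login/password
    pairs and hands out a session cookie on a successful login."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)   # constructed sample accounts
        self.sessions = {}                # cookie value -> local login

    def login(self, login, password):
        if self._accounts.get(login) != password:
            return None                   # the 'credentials valid' note never happens
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = login
        return cookie


class AuthProxy:
    """State kept by the reverse proxy in the two diagrams: the pending
    session holding the federation key returned by the IdP, and the
    association store mapping that key to local credentials."""

    def __init__(self, site):
        self.site = site
        self.pending = {}          # proxy session id -> federation key
        self.associations = {}     # federation key -> (login, password)

    def idp_return(self, proxy_session, federation_key):
        """'follows the redirect and forwards the token'. The federation key
        is assumed to come out of an already validated SAML response; this
        model does no SAML. Returns the next step for the browser."""
        self.pending[proxy_session] = federation_key
        if federation_key in self.associations:
            return 'connect', self.connect(proxy_session)
        return 'associate', None   # show the association page

    def associate(self, proxy_session, login, password):
        """Association page submitted: the pair is tested against the site
        first, and stored only if the site accepted it."""
        federation_key = self.pending.get(proxy_session)
        if federation_key is None:
            raise PermissionError('no IdP authentication pending for this session')
        cookie = self.site.login(login, password)
        if cookie is None:
            return None            # site rejected the pair: re-display the form
        self.associations[federation_key] = (login, password)
        del self.pending[proxy_session]
        return cookie

    def connect(self, proxy_session):
        """Connection case: replay the stored local credentials to the site."""
        federation_key = self.pending.pop(proxy_session, None)
        if federation_key is None or federation_key not in self.associations:
            return None
        login, password = self.associations[federation_key]
        return self.site.login(login, password)

    def dissociate(self, federation_key):
        """Forget the association; the next IdP return shows the form again."""
        return self.associations.pop(federation_key, None) is not None
```

A rejected pair leaves the pending session in place, so the user can retry the association form without going back through the IdP; a dissociation simply makes the next IdP return land on the association page again.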


State of the art

Interesting designs

Configurations

Interesting projects

Reverse proxy

Proxy

Network libraries

WSGI frameworks

WSGI middleware


How it works

Current state, using the Montpellier media library as the example:


Get the source code


MandayeJS

MandayeJS is an authentication reverse proxy. Its purpose is to add external
authentication systems (i.e. SSO) to legacy applications.

Installation

$ tar xzvf phantomjs.tar.gz
$ sudo mv phantomjs-2.1.1-linux-x86_64 /opt/phantomjs/
$ sudo apt install python-mandayejs mandayejs

vim /etc/mandayejs/settings.py

PHANTOM_JS_BINARY = '/opt/phantomjs/bin/phantomjs'

How does it work

AppSettings

AppSettings are simple classes defined in mandayejs/applications.py; each one represents the configuration of the legacy application for which MandayeJS acts as the reverse proxy.
These classes have some mandatory attributes:

Example

class Example(AppSettings):
        # url of the login form
        SITE_LOGIN_PATH = '/' 

        # SITE_LOCATORS describe the login form fields;
        # they're used to generate the association form
        SITE_LOCATORS = [ 
            {
                'id': '#username',
                'label': 'Username',
                'name': 'username', # always same as id
                'kind': 'string',
                'required': True,
                'help': '',
            },
            {
                'id': '#birth_date',
                'label': 'Birth date',
                'name': 'birth_date', # always same as id
                'kind': 'date',
                'required': True,
                'help': 'exemple 16/06/2008'
            },
            {
                'id': '#password',
                'label': 'Password',
                'name': 'password', # always same as id
                'kind': 'password',
                'required': True,
                'help': ''
            },
        ]

        # List of javascript scripts running on every page.
        # They're loaded in panel.html
        SITE_APP_SCRIPTS = [
            'myapp/js/example.com.js',
        ]

        # JS Script asserting authentication through phantomjs
        # The authentication assertion function must be into
        # a var such as :
        #
        # $(function(){
        #   window.auth_success = function(){
        #       // your code
        #   }
        # });
        SITE_AUTH_CHECKER = 'myapp/js/auth.checker.js'

        # List of cookies to delete when dissociating an account
        SITE_AUTH_COOKIE_KEYS = [
            'UserSessionId',
        ]

        # URL on which the authentication is forced
        # if user is connected and already associated
        SITE_FORCE_REDIRECT_URL = '/login.php'

        # LOCATOR on which the authentication is forced
        # if user is connected and already associated
        SITE_FORCE_REDIRECT_LOCATOR = '#logon-form'

        # Locator used to catch the local application
        # logout process in order to launch a SLO
        SITE_LOGOUT_LOCATOR = '#account_logout'

        # Application's webservices 
        SITE_WEB_SERVICES = {
            'products': '/products/id',
        }

        # If your class inherits from another and
        # a SITE_LOGIN_PATH need to be set
        SITE_LOGIN_PATH_PREFIX = '/wonderland/'
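SITE_LOCATORS does double duty: it tells the proxy which form fields exist on the legacy login page and it drives the generated association form. The following is an added example, not MandayeJS code, of what a proxy can do with that list: check the configuration (the page's rule that `name` is always the `id` without `#`), derive the form fields so that a `password` locator renders as a password input, and validate a submission so that only declared locator names, in the expected format, are ever forwarded to the legacy site. The locator list is a copy of the Example class above; the set of known kinds and the DD/MM/YYYY date format are assumptions taken from the example's `help` text.

```python
import datetime

# Copy of Example.SITE_LOCATORS from the configuration above
SITE_LOCATORS = [
    {'id': '#username', 'label': 'Username', 'name': 'username',
     'kind': 'string', 'required': True, 'help': ''},
    {'id': '#birth_date', 'label': 'Birth date', 'name': 'birth_date',
     'kind': 'date', 'required': True, 'help': 'exemple 16/06/2008'},
    {'id': '#password', 'label': 'Password', 'name': 'password',
     'kind': 'password', 'required': True, 'help': ''},
]

KNOWN_KINDS = {'string', 'date', 'password'}   # assumption: the kinds used above
DATE_FORMAT = '%d/%m/%Y'                       # assumption, from 'exemple 16/06/2008'


def check_locators(locators):
    """Return configuration errors (empty list when the locators are sane)."""
    errors, seen = [], set()
    for loc in locators:
        ident = loc.get('id', '')
        for key in ('id', 'label', 'name', 'kind', 'required'):
            if key not in loc:
                errors.append('%s: missing key %r' % (ident or '?', key))
        if not ident.startswith('#'):
            errors.append("%r: id must be a CSS id selector starting with '#'" % ident)
        elif loc.get('name') != ident[1:]:
            errors.append("%s: name %r must equal the id without '#'" % (ident, loc.get('name')))
        if ident in seen:
            errors.append('%s: duplicate id' % ident)
        seen.add(ident)
        if loc.get('kind') not in KNOWN_KINDS:
            errors.append('%s: unknown kind %r' % (ident, loc.get('kind')))
    return errors


def build_form(locators):
    """Fields for the association page; the input type follows 'kind' so a
    password locator is never rendered as a plain text input."""
    input_types = {'string': 'text', 'date': 'date', 'password': 'password'}
    return [{'name': loc['name'], 'label': loc['label'],
             'type': input_types[loc['kind']], 'required': loc['required'],
             'help': loc['help']} for loc in locators]


def validate_submission(locators, form_data):
    """Validate the POSTed association form. Returns (clean, errors); only
    declared locator names reach the legacy site, whatever else was posted."""
    clean, errors = {}, {}
    for loc in locators:
        value = form_data.get(loc['name']) or ''
        if loc['kind'] != 'password':
            value = value.strip()      # never alter a password
        if not value:
            if loc['required']:
                errors[loc['name']] = 'required'
            continue
        if loc['kind'] == 'date':
            try:
                datetime.datetime.strptime(value, DATE_FORMAT)
            except ValueError:
                errors[loc['name']] = 'expected DD/MM/YYYY'
                continue
        clean[loc['name']] = value
    return clean, errors
```

Running `check_locators` at start-up catches a renamed field before it silently breaks the association form, and `validate_submission` is the point where stray parameters from the client are dropped instead of being posted to the legacy login form.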

Django Settings

SITE_APP = 'mandayejs.applications.Example'

The API

It's possible to associate/dissociate an account through the MandayeJS API. Three methods are available:

* GET /_mandaye/api/ : # Returns SITE_LOCATORS 
    response :
        status_code : 200
        data :
            {
                "login": "",
                "password": "" 
            }

* POST /_mandaye/api : # Associates a user, creating the user when it doesn't exist yet
    data : {
        "name_id_content": "12345",
        "email": "kevin@fake.com",
        "first_name": "kevin",
        "last_name": "fake",
        "locators": {
            "login": "fake",
            "password": "fake" 
        }
    }

    response :
        status_code :
            - success : 200
            - failure : 401/403

* DELETE /_mandaye/api : # Dissociates a user account
    data : {
        "name_id_content": "12345" 
    }
    response :
        status_code :
            - success : 200
            - failure : 403/404

Users Migration

1. Export the users' authentication data from the database and from LDAP

COPY (SELECT idp.unique_id, sp.post_values FROM idp_user AS idp, sp_user AS sp WHERE sp.idp_user_id = idp.id) TO 'credentials.csv' DELIMITER ';';
$ sudo slapcat -a '(spName=<service_provider_name>)'  -l <dest_filename>

2. Convert each name_id into the user's uuid

Run this in a Django shell where the authentic2 settings are loaded (Python 2, hence the binary file modes for the csv module):

import csv
from authentic2.saml.models import LibertyFederation

# Column layout of credentials.csv as produced by the COPY above:
# the SAML NameID (idp.unique_id) and the serialized form values (sp.post_values)
FIELDNAMES = ['username', 'credentials']


def csv_get_dict_data(filename):
    with open(filename, 'rb') as fd:
        reader = csv.DictReader(fd, delimiter=';', quotechar='|',
                                fieldnames=FIELDNAMES)
        return list(reader)


def csv_write_dict_data(data, filename):
    # Written with the csv module's defaults (comma delimiter, no header row)
    with open(filename, 'wb') as fd:
        writer = csv.DictWriter(fd, FIELDNAMES)
        writer.writerows(data)


def name_id_2_uuid(data):
    # Replace each NameID by the uuid of the authentic2 user it is federated to;
    # rows whose NameID has no federation any more are dropped.
    result = []
    for datum in data:
        try:
            federation = LibertyFederation.objects.get(name_id_content=datum['username'])
        except LibertyFederation.DoesNotExist:
            continue
        result.append({'username': federation.user.uuid,
                       'credentials': datum['credentials']})
    return result


# The input is read completely before the same file is overwritten
data = csv_get_dict_data('credentials.csv')
csv_write_dict_data(name_id_2_uuid(data), 'credentials.csv')

3. Import users

$ mandayejs-manage migrate-user --csv credentials.csv

Static Files


Mandaye - modular reverse proxy to authenticate

Mandaye is a modular rewriting reverse proxy. Its main use is to add external
authentication systems (i.e. SSO) to legacy applications.
It dispatches HTTP requests to your applications and allows you to transform and
filter the request and the response.
Mandaye allows you to couple your authentication provider with web applications
that are not compatible with it.
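The "relays the response and adds the integration elements" step of the sequence diagrams is exactly the response-rewriting that this description refers to. The following WSGI middleware is an added example, not Mandaye's own code: it relays the wrapped application's response and, for uncompressed `text/html` bodies only, injects a login button before `</body>`. The two details a practitioner needs are the ones that bite in practice: the relayed `Content-Length` must be recomputed after the body changes, and a body with a `Content-Encoding` (gzip) must be left alone or it will be corrupted. The snippet, the `/_mandaye/login` path and the sample applications are constructed for the example.

```python
BUTTON_HTML = b'<a id="mandaye-login" href="/_mandaye/login">Log in through the IdP</a>'


class InjectButton:
    """Response-rewriting middleware: relays the wrapped app's response and,
    for uncompressed text/html bodies only, injects a snippet before </body>."""

    def __init__(self, app, snippet=BUTTON_HTML):
        self.app = app
        self.snippet = snippet

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured['status'] = status
            captured['headers'] = list(headers)

        result = self.app(environ, capture)
        try:
            body = b''.join(result)          # buffer the whole body to rewrite it
        finally:
            if hasattr(result, 'close'):
                result.close()
        headers = captured['headers']
        if self._is_plain_html(headers):
            body = self._inject(body)
            # the body changed, so the relayed Content-Length must change too
            headers = [(k, v) for k, v in headers if k.lower() != 'content-length']
            headers.append(('Content-Length', str(len(body))))
        start_response(captured['status'], headers)
        return [body]

    @staticmethod
    def _is_plain_html(headers):
        h = {k.lower(): v for k, v in headers}
        if 'content-encoding' in h:
            return False                     # gzip etc.: rewriting would corrupt it
        return h.get('content-type', '').split(';')[0].strip().lower() == 'text/html'

    def _inject(self, body):
        idx = body.lower().rfind(b'</body>')
        return body if idx == -1 else body[:idx] + self.snippet + body[idx:]


# Constructed stand-ins for the legacy site
def legacy_html_app(environ, start_response):
    body = b'<html><body><h1>Home</h1></body></html>'
    start_response('200 OK', [('Content-Type', 'text/html; charset=utf-8'),
                              ('Content-Length', str(len(body)))])
    return [body]


def legacy_json_app(environ, start_response):
    body = b'{"products": []}'
    start_response('200 OK', [('Content-Type', 'application/json'),
                              ('Content-Length', str(len(body)))])
    return [body]


def call(app, path='/'):
    """Drive a WSGI app with a minimal environ; returns (status, headers, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result['status'], result['headers'] = status, headers

    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': path,
               'SERVER_NAME': 'localhost', 'SERVER_PORT': '80',
               'wsgi.url_scheme': 'http'}
    body = b''.join(app(environ, start_response))
    return result['status'], dict(result['headers']), body
```

Buffering the whole response is what makes the Content-Length fix-up possible; for a streaming deployment the middleware would instead have to drop Content-Length and rely on chunked transfer. The `write()` callable of the WSGI spec is not supported by this example.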

Copying

This software is copyrighted by Entr'ouvert and is licensed under the GNU AGPL
version 3 for distribution.

Features

Installation

Dependencies

You must install the following packages to use Mandaye: gevent, poster, SQLAlchemy, Beaker, Mako, lxml and gunicorn.

You can install all those dependencies quickly using pip

pip install gevent poster SQLAlchemy Beaker Mako lxml gunicorn

or easy_install

easy_install gevent poster SQLAlchemy Beaker Mako lxml gunicorn

or apt-get (Debian based distributions)

apt-get install gunicorn python-poster python-sqlalchemy python-beaker python-mako python-lxml python-setuptools

It's recommended to install the following modules as well: pycrypto and static.

You can install these Python modules with pip

    pip install pycrypto static

Quick installation

Install Python >= 2.5 and setuptools (or distribute), then enter this command in a shell

$ python setup.py install

For development, use this command line instead

$ python setup.py develop

Quick Start

Configure MANDAYE_PATH/mandaye/config.py with your own settings.
At least the database URI and the log file must be configured.

First create your database

$ mandaye_admin.py --createdb

Launch mandaye server

$ mandaye_server.py

mandaye_server.py uses gunicorn and accepts gunicorn's options (see http://gunicorn.org/configure.html)

You can also start from gunicorn.conf.py-sample (shipped with the Mandaye files)

$ mandaye_server.py -c PATH_TO_THE_FILE/gunicorn.conf.py

or

$ mandaye_server.py -c PATH_TO_THE_FILE/gunicorn.conf.py -b 0.0.0.0:4242
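The `-b 0.0.0.0:4242` form above binds Mandaye on every interface. Since the proxy sits behind a front web server in the deployments described on this page, a configuration file that binds it to loopback and only trusts forwarded headers from that front server is the safer starting point. The file below is an added example written from the gunicorn settings reference, not the project's own gunicorn.conf.py-sample; the paths, worker count and the assumption that the front server is on the same host are illustrative.

```python
# gunicorn.conf.py (added example; settings documented at gunicorn.org/configure.html)

# Weak: bind = '0.0.0.0:4242' exposes the proxy on every interface.
# Only the front web server on this host should reach Mandaye.
bind = '127.0.0.1:4242'

# Only accept X-Forwarded-* headers from the front web server;
# any other source could spoof the client scheme and address.
forwarded_allow_ips = '127.0.0.1'

workers = 2                    # assumption: small deployment
worker_class = 'gevent'        # Mandaye depends on gevent

# Assumed paths; the directory must be writable by the gunicorn user
accesslog = '/var/log/mandaye/gunicorn-access.log'
errorlog = '/var/log/mandaye/gunicorn-error.log'
loglevel = 'info'
```

Start it with `mandaye_server.py -c PATH_TO_THE_FILE/gunicorn.conf.py`; command-line options still override values from the file, so a stray `-b 0.0.0.0:4242` on the command line would undo the loopback binding.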

Configuration
TODO
