MandayeJS
MandayeJS is an authentication reverse proxy. Its purpose is to add external
authentication systems (i.e. SSO) in front of legacy applications.
Installation
$ tar xzvf phantomjs.tar.gz
$ sudo mv phantomjs-2.1.1-linux-x86_64 /opt/phantomjs/
$ sudo apt install python-mandayejs mandayejs
Then point MandayeJS at the PhantomJS binary in /etc/mandayejs/settings.py:
$ vim /etc/mandayejs/settings.py
PHANTOM_JS_BINARY = '/opt/phantomjs/bin/phantomjs'
How does it work
AppSettings
AppSettings are simple classes defined in mandayejs/applications.py; each one describes the configuration of the legacy application for which MandayeJS acts as the reverse proxy. These classes have the following mandatory attributes:
- SITE_LOGIN_PATH
- SITE_LOCATORS
- SITE_AUTH_CHECKER
- SITE_AUTH_COOKIE_KEYS
- SITE_LOGOUT_LOCATOR
- SITE_FORCE_REDIRECT_LOCATOR or SITE_FORCE_REDIRECT_URL
Example
# defined in mandayejs/applications.py, alongside AppSettings
class Example(AppSettings):
    # url of the login form
    SITE_LOGIN_PATH = '/'

    # SITE_LOCATORS describe login form fields
    # they're used to generate the association form
    SITE_LOCATORS = [
        {
            'id': '#username',
            'label': 'Username',
            'name': 'username',  # always same as id
            'kind': 'string',
            'required': True,
            'help': '',
        },
        {
            'id': '#birth_date',
            'label': 'Birth date',
            'name': 'birth_date',  # always same as id
            'kind': 'date',
            'required': True,
            'help': 'exemple 16/06/2008'
        },
        {
            'id': '#password',
            'label': 'Password',
            'name': 'password',  # always same as id
            'kind': 'password',
            'required': True,
            'help': ''
        },
    ]

    # List of javascript scripts running on every page.
    # they're loaded in panel.html
    SITE_APP_SCRIPTS = [
        'myapp/js/example.com.js',
    ]

    # JS script asserting authentication through phantomjs
    # The authentication assertion function must be exposed
    # in a variable such as:
    #
    # $(function(){
    #     window.auth_success = function(){
    #         // your code
    #     }
    # });
    SITE_AUTH_CHECKER = 'myapp/js/auth.checker.js'

    # List of cookies to delete when dissociating an account
    SITE_AUTH_COOKIE_KEYS = [
        'UserSessionId',
    ]

    # URL on which the authentication is forced
    # if user is connected and already associated
    SITE_FORCE_REDIRECT_URL = '/login.php'

    # LOCATOR on which the authentication is forced
    # if user is connected and already associated
    SITE_FORCE_REDIRECT_LOCATOR = '#logon-form'

    # Locator used to catch the local application
    # logout process in order to launch a SLO
    SITE_LOGOUT_LOCATOR = '#account_logout'

    # Application's webservices
    SITE_WEB_SERVICES = {
        'products': '/products/id',
    }

    # If your class inherits from another and
    # a SITE_LOGIN_PATH needs to be set
    SITE_LOGIN_PATH_PREFIX = '/wonderland/'
Django Settings
SITE_APP = 'mandayejs.applications.Example'
The API
It's possible to associate/dissociate an account through the MandayeJS API. Three methods are available:
* GET /_mandaye/api/
  Returns SITE_LOCATORS.
  response:
    status_code: 200
    data: {"login": "", "password": ""}
* POST /_mandaye/api
  Associates a user, creating the user when it doesn't exist.
  data:
    {
      "name_id_content": "12345",
      "email": "kevin@fake.com",
      "first_name": "kevin",
      "last_name": "fake",
      "locators": {
        "login": "fake",
        "password": "fake"
      }
    }
  response:
    status_code:
      - success: 200
      - failure: 401/403
* DELETE /_mandaye/api
  Dissociates a user account.
  data:
    {"name_id_content": "12345"}
  response:
    status_code:
      - success: 200
      - failure: 403/404
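As an added example (not MandayeJS' own code), the following in-memory model of the three API methods shows how the association form returned by GET is derived from SITE_LOCATORS, how a POST body is checked against the required locators before a user is created or updated, and how DELETE removes the stored legacy credentials. The page only lists the possible status codes; which failure maps to 403 or 404, and the refusal of a malformed body, are assumptions made for this example, as are the constructed locator list and sample values.

```python
# Added example: in-memory model of the MandayeJS association API.
# Not the project's implementation; status-code mapping is an assumption.

# Constructed locator list in the same shape as AppSettings.SITE_LOCATORS
SITE_LOCATORS = [
    {'id': '#login', 'name': 'login', 'kind': 'string', 'required': True},
    {'id': '#password', 'name': 'password', 'kind': 'password', 'required': True},
]


class AssociationStore:
    def __init__(self, locators):
        self.locators = locators
        self.users = {}         # name_id_content -> user record (created on first POST)
        self.associations = {}  # name_id_content -> legacy login form values

    def get(self):
        # GET /_mandaye/api/: the association form, one empty field per locator name
        return 200, {loc['name']: '' for loc in self.locators}

    def post(self, data):
        # POST /_mandaye/api: associate a user, creating it when it doesn't exist
        if 'name_id_content' not in data or not isinstance(data.get('locators'), dict):
            return 403, None  # assumption: malformed request is refused
        locators = data['locators']
        missing = [loc['name'] for loc in self.locators
                   if loc.get('required') and not locators.get(loc['name'])]
        if missing:
            return 403, {'missing': missing}  # assumption: incomplete form is refused
        name_id = data['name_id_content']
        # create the user on first association, keep it on later re-associations
        self.users.setdefault(
            name_id, {k: data.get(k, '') for k in ('email', 'first_name', 'last_name')})
        # store only the declared locator values, dropping any extra keys sent
        self.associations[name_id] = {loc['name']: locators[loc['name']] for loc in self.locators}
        return 200, None

    def delete(self, data):
        # DELETE /_mandaye/api: dissociate, wiping the stored legacy credentials
        name_id = data.get('name_id_content')
        if name_id is None:
            return 403, None  # assumption: missing identifier is refused
        if name_id not in self.associations:
            return 404, None  # assumption: nothing to dissociate
        del self.associations[name_id]
        return 200, None


if __name__ == '__main__':
    store = AssociationStore(SITE_LOCATORS)
    print(store.get())
    print(store.post({'name_id_content': '12345', 'email': 'kevin@fake.com',
                      'locators': {'login': 'fake', 'password': 'fake'}}))
    print(store.delete({'name_id_content': '12345'}))
```

The point of keeping the stored values restricted to the declared locators is that the association record is a copy of the user's legacy credentials: it should hold nothing beyond what the login form needs, and dissociation must actually delete it rather than just flag it.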
Users Migration
1. Export users' authentication data from the database and LDAP
COPY (SELECT idp.unique_id, sp.post_values FROM idp_user AS idp, sp_user AS sp WHERE sp.idp_user_id = idp.id) TO 'credentials.csv' DELIMITER ';';
$ sudo slapcat -a '(spName=<service_provider_name>)' -l <dest_filename>
2. Convert name_id into uuid
import csv

from authentic2.saml.models import LibertyFederation

FIELDNAMES = ['username', 'credentials']


def csv_get_dict_data(filename):
    # Read the semicolon-delimited export produced by the COPY command above
    with open(filename, 'rb') as fd:
        reader = csv.DictReader(fd, delimiter=';', quotechar='|', fieldnames=FIELDNAMES)
        return list(reader)


def csv_write_dict_data(data, filename):
    # Explicit fieldnames keep the column order stable (dict key order is not guaranteed)
    with open(filename, 'wb') as fd:
        writer = csv.DictWriter(fd, FIELDNAMES)
        writer.writerows(data)


def name_id_2_uuid(data):
    # Replace each SAML name_id with the uuid of the federated authentic2 user;
    # rows without a federation are skipped
    result = []
    for datum in data:
        try:
            federation = LibertyFederation.objects.get(name_id_content=datum['username'])
        except LibertyFederation.DoesNotExist:
            continue
        result.append({'username': federation.user.uuid, 'credentials': datum['credentials']})
    return result


data = csv_get_dict_data('credentials.csv')
csv_write_dict_data(name_id_2_uuid(data), 'credentials.csv')
3. Import users
$ mandayejs-manage migrate-user --csv credentials.csv
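A self-contained version of step 2, added here as an example rather than taken from the project: the LibertyFederation lookup is replaced by a constructed name_id-to-uuid dict, and the CSV content is constructed to match the export format of step 1 (semicolon delimiter, values quoted with '|'). It exercises the two cases the conversion has to handle: a name_id with no federation is dropped from the output, and an empty result yields an empty file instead of failing.

```python
import csv
import io

# Constructed stand-in for the LibertyFederation lookup (name_id_content -> user uuid).
# In the real script this is LibertyFederation.objects.get(name_id_content=...).user.uuid
FEDERATIONS = {
    '12345': '0f6c3d4e-7b1a-4c2e-9d8f-1a2b3c4d5e6f',
    '67890': '9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d',
}

# Constructed credentials.csv content in the shape of the COPY export
# (semicolon-delimited, post_values quoted with '|'; values are made up)
CREDENTIALS_CSV = (
    "12345;|login=alice&password=s3cret|\n"
    "67890;|login=bob&password=hunter2|\n"
    "99999;|login=ghost&password=none|\n"  # no federation: must be skipped
)

FIELDNAMES = ['username', 'credentials']


def read_credentials(text):
    # Same reader settings as the migration script, over in-memory text
    reader = csv.DictReader(io.StringIO(text), delimiter=';', quotechar='|',
                            fieldnames=FIELDNAMES)
    return list(reader)


def name_id_2_uuid(rows, federations):
    # Map each name_id to the federated user's uuid; unknown name_ids are dropped
    result = []
    for row in rows:
        user_uuid = federations.get(row['username'])
        if user_uuid is None:
            continue
        result.append({'username': user_uuid, 'credentials': row['credentials']})
    return result


def write_credentials(rows):
    # Explicit fieldnames fix the column order; an empty row list writes nothing
    out = io.StringIO()
    writer = csv.DictWriter(out, FIELDNAMES, lineterminator='\n')
    writer.writerows(rows)
    return out.getvalue()


def convert(text, federations=FEDERATIONS):
    # Full step 2 pipeline: read export, rewrite name_ids as uuids, serialise
    return write_credentials(name_id_2_uuid(read_credentials(text), federations))


if __name__ == '__main__':
    print(convert(CREDENTIALS_CSV), end='')
```

The rows dropped here are worth logging in a real migration: a name_id without a federation means a legacy credential set that cannot be tied to an identity-provider user, so it should be reviewed rather than silently discarded.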