cmdbox 0.5.0.7__py3-none-any.whl → 0.5.1__py3-none-any.whl

cmdbox/app/edge.py

@@ -149,6 +149,9 @@ class Edge(object):
                     msg = dict(warn=f"Please set the numeric value in the oauth2_port. oauth2_port={opt['oauth2_port']}")
                     return msg
                 opt['oauth2_port'] = int(opt['oauth2_port'])
+            if opt['oauth2'] == 'azure' and ('oauth2_tenant_id' not in opt or opt['oauth2_tenant_id'] is None):
+                msg = dict(warn=f"Please run the `edge config` command. And please set the oauth2_tenant_id.")
+                return msg
             if opt['auth_type'] == 'oauth2' and ('oauth2_client_id' not in opt or opt['oauth2_client_id'] is None):
                 msg = dict(warn=f"Please run the `edge config` command. And please set the oauth2_client_id.")
                 return msg
@@ -181,7 +184,8 @@ class Edge(object):
             if self.svcert_no_verify:
                 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
             status, msg = self.signin(opt['auth_type'], opt['user'], opt['password'], opt['apikey'],
-                                      opt['oauth2'], int(opt['oauth2_port']), opt['oauth2_client_id'], opt['oauth2_client_secret'],
+                                      opt['oauth2'], int(opt['oauth2_port']),
+                                      opt['oauth2_tenant_id'], opt['oauth2_client_id'], opt['oauth2_client_secret'],
                                       int(opt['oauth2_timeout']))
             if status != 0:
                 return msg
@@ -244,7 +248,7 @@ class Edge(object):
             resq:queue.Queue = pipe_cmd['resq']
             del pipe_cmd['resq']
             tool = Tool(self.logger, self.appcls, self.ver)
-            tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+            tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
             feat:feature.Feature = self.options.get_cmd_attr(pipe_cmd['mode'], pipe_cmd['cmd'], 'feature')
             while not thevent.is_set():
                 prevres = None if prevq is None else prevq.get(pipe_cmd['timeout'])
@@ -301,7 +305,7 @@ class Edge(object):
                 def mkcmd(opt):
                     def _ex():
                         tool = Tool(self.logger, self.appcls, self.ver)
-                        tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+                        tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
                         feat:feature.Feature = self.options.get_cmd_attr(opt['mode'], opt['cmd'], 'feature')
                         for status, ret in feat.edgerun(opt, tool, self.logger, self.timeout):
                             pass
@@ -348,7 +352,7 @@ class Edge(object):
         return status, json.loads(res)
 
     def signin(self, auth_type:str, user:str, password:str, apikey:str,
-               oauth2:str, oauth2_port:int, oauth2_client_id:str, oauth2_client_secret:str,
+               oauth2:str, oauth2_port:int, oauth2_tenant_id:str, oauth2_client_id:str, oauth2_client_secret:str,
                oauth2_timeout:int) -> Tuple[int, Dict[str, Any]]:
         """
         サインインを行います
@@ -360,6 +364,7 @@ class Edge(object):
             apikey (str): APIキー
             oauth2 (str): OAuth2
             oauth2_port (int): OAuth2ポート
+            oauth2_tenant_id (str): OAuth2テナントID
             oauth2_client_id (str): OAuth2クライアントID
             oauth2_client_secret (str): OAuth2クライアントシークレット
             oauth2_timeout (int): OAuth2タイムアウト
@@ -369,13 +374,14 @@ class Edge(object):
         """
         self.session = requests.Session()
         self.signed_in = False
+        self.oauth2 = oauth2
         if auth_type == "noauth":
             status, res, _ = self.site_request(self.session.get, "/gui")
             if status != 0: return status, res
             status, self.user_info = self.load_user_info()
             self.user_info['auth_type'] = auth_type
             if status != 0: return status, res
-            self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+            self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
             return 0, dict(success="No auth.")
 
         # ID/PW認証を使用する場合
@@ -392,7 +398,7 @@ class Edge(object):
             self.user_info['auth_type'] = auth_type
             self.user_info['password'] = password
             if status != 0: return status, res
-            self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+            self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
             return 0, dict(success="Signin Success.")
 
         # APIKEY認証を使用する場合
@@ -407,7 +413,7 @@ class Edge(object):
             self.user_info['auth_type'] = auth_type
             self.user_info['apikey'] = apikey
             if status != 0: return status, res
-            self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+            self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
             return 0, dict(success="Signin Success.")
 
         # OAuth2認証を使用する場合
@@ -449,7 +455,7 @@ class Edge(object):
                         self.user_info['access_token'] = access_token
                         if status != 0: return status, res
                         self.signed_in = True
-                        self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+                        self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
                         return dict(success="Signin success. Please close your browser.")
                     except Exception as e:
                         raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
@@ -515,7 +521,7 @@ class Edge(object):
                         self.user_info['access_token'] = access_token
                         if status != 0: return status, res
                         self.signed_in = True
-                        self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info)
+                        self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
                         return dict(success="Signin success. Please close your browser.")
                     except Exception as e:
                         raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
@@ -543,6 +549,79 @@ class Edge(object):
                     time.sleep(1)
                 return 0, dict(success="Signin success.")
 
+
+            # Azure OAuth2を使用する場合
+            elif oauth2 == "azure":
+                if oauth2_tenant_id is None:
+                    return 1, dict(warn="Please specify the --oauth2_tenant_id option.")
+                if oauth2_client_id is None:
+                    return 1, dict(warn="Please specify the --oauth2_client_id option.")
+                if oauth2_client_secret is None:
+                    return 1, dict(warn="Please specify the --oauth2_client_secret option.")
+                if oauth2_timeout is None:
+                    return 1, dict(warn="Please specify the --oauth2_timeout option.")
+
+                redirect_uri = f'http://localhost:{oauth2_port}/oauth2/azure/callback'
+                # OAuth2認証のコールバックを受けるFastAPIサーバーを起動
+                fastapi = FastAPI()
+                @fastapi.get('/oauth2/azure/callback')
+                async def oauth2_azure_callback(req:Request):
+                    if req.query_params['state'] != 'edge':
+                        return dict(warn="Invalid state.")
+                    # アクセストークン取得
+                    headers = {'Content-Type': 'application/x-www-form-urlencoded',
+                               'Accept': 'application/json'}
+                    data = {'tenant': oauth2_tenant_id,
+                            'code': req.query_params['code'],
+                            'scope': " ".join(['openid', 'profile', 'email']),
+                            'client_id': oauth2_client_id,
+                            #'client_secret': oauth2_client_secret,
+                            'redirect_uri': redirect_uri,
+                            'grant_type': 'authorization_code'}
+                    query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
+                    try:
+                        token_resp = self.session.post(url=f'https://login.microsoftonline.com/{oauth2_tenant_id}/oauth2/v2.0/token', headers=headers, data=query,
+                                                       verify=not self.svcert_no_verify)
+                        token_resp.raise_for_status()
+                        token_json = token_resp.json()
+                        access_token = token_json['access_token']
+                        status, res, headers = self.site_request(self.session.get, f"/oauth2/azure/session/{access_token}/gui", ok_status=[200, 307])
+                        if status != 0 or headers.get('signin') is None:
+                            return dict(warn=f"Signin failed.")
+                        status, self.user_info = self.load_user_info()
+                        self.user_info['auth_type'] = auth_type
+                        self.user_info['access_token'] = access_token
+                        if status != 0: return status, res
+                        self.signed_in = True
+                        self.tool.set_session(self.session, self.svcert_no_verify, self.endpoint, self.icon_path, self.user_info, self.oauth2)
+                        return dict(success="Signin success. Please close your browser.")
+                    except Exception as e:
+                        raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
+
+                if not hasattr(self, 'thUvicorn') or not self.thUvicorn.is_alive():
+                    self.thUvicorn = web.ThreadedUvicorn(self.logger, Config(app=fastapi, host='localhost', port=oauth2_port), {})
+                    self.thUvicorn.start()
+                    time.sleep(1)
+
+                # OAuth2認証のリクエストを送信
+                data = {'scope': " ".join(['openid', 'profile', 'email']),
+                        'access_type': 'offline',
+                        'response_type': 'code',
+                        'redirect_uri': redirect_uri,
+                        'client_id': oauth2_client_id,
+                        'response_mode': 'query',
+                        'state': 'edge'}
+                query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
+                webbrowser.open(f'https://login.microsoftonline.com/{oauth2_tenant_id}/oauth2/v2.0/authorize?{query}')
+
+                # 認証完了まで指定秒数待つ
+                tm = time.time()
+                while not self.signed_in:
+                    if time.time() - tm > oauth2_timeout:
+                        return 1, dict(warn="Signin Timeout.")
+                    time.sleep(1)
+                return 0, dict(success="Signin success.")
+
         return 1, dict(warn="unsupported auth_type.")
 
 class Tool(object):
@@ -578,7 +657,7 @@ class Tool(object):
         except Exception as e:
             self.logger.error(f"notify error. {e}", exc_info=True)
 
-    def set_session(self, session:requests.Session, svcert_no_verify:bool, endpoint:str, icon_path:Path, user_info:Dict[str, Any]):
+    def set_session(self, session:requests.Session, svcert_no_verify:bool, endpoint:str, icon_path:Path, user_info:Dict[str, Any], oauth2:str):
         """
         セッションを設定します
 
@@ -588,12 +667,14 @@ class Tool(object):
             endpoint (str): エンドポイント
             icon_path (Path): アイコン画像のパス
             user_info (Dict[str, Any]): ユーザー情報
+            oauth2 (str): OAuth2
         """
         self.session = session
         self.svcert_no_verify = svcert_no_verify
         self.endpoint = endpoint
         self.icon_path = icon_path
         self.user = user_info
+        self.oauth2 = oauth2
 
     def exec_cmd(self, opt:Dict[str, Any], logger:logging.Logger, timeout:int, prevres:Any=None) -> Tuple[int, Dict[str, Any]]:
         """
@@ -694,9 +775,12 @@ class Tool(object):
             webbrowser.open(f"{self.endpoint}/dosignin_token/{token}{path}")
             return 0, dict(success="Open browser.")
         elif self.user['auth_type'] == "oauth2" and self.oauth2 == 'google':
-            webbrowser.open(f"{self.endpoint}/oauth2/google/session/{self.user['access_token']}/{path}")
+            webbrowser.open(f"{self.endpoint}/oauth2/google/session/{self.user['access_token']}{path}")
             return 0, dict(success="Open browser.")
         elif self.user['auth_type'] == "oauth2" and self.oauth2 == 'github':
-            webbrowser.open(f"{self.endpoint}/oauth2/github/session/{self.user['access_token']}/{path}")
+            webbrowser.open(f"{self.endpoint}/oauth2/github/session/{self.user['access_token']}{path}")
+            return 0, dict(success="Open browser.")
+        elif self.user['auth_type'] == "oauth2" and self.oauth2 == 'azure':
+            webbrowser.open(f"{self.endpoint}/oauth2/azure/session/{self.user['access_token']}{path}")
             return 0, dict(success="Open browser.")
         return 1, dict(warn="unsupported auth_type.")

cmdbox/app/features/cli/cmdbox_edge_config.py

@@ -49,7 +49,7 @@ class EdgeConfig(feature.UnsupportEdgeFeature):
                      discription_en="Specifies the authentication method for endpoint connections.",
                      choice_show=dict(idpw=["user","password"],
                                       apikey=["apikey"],
-                                      oauth2=["oauth2","oauth2_port","oauth2_client_id","oauth2_client_secret"]),),
+                                      oauth2=["oauth2","oauth2_port"]),),
                 dict(opt="user", type=Options.T_STR, default="user", required=False, multi=False, hide=False, choice=None,
                      discription_ja="エンドポイントへの接続ユーザーを指定します。",
                      discription_en="Specifies the user connecting to the endpoint."),
@@ -59,12 +59,18 @@ class EdgeConfig(feature.UnsupportEdgeFeature):
                 dict(opt="apikey", type=Options.T_STR, default=None, required=False, multi=False, hide=False, choice=None,
                      discription_ja="エンドポイントへの接続するためのAPIKEYを指定します。",
                      discription_en="Specify the APIKEY to connect to the endpoint."),
-                dict(opt="oauth2", type=Options.T_STR, default=None, required=False, multi=False, hide=False, choice=["", "google", "github"],
+                dict(opt="oauth2", type=Options.T_STR, default=None, required=False, multi=False, hide=False, choice=["", "google", "github", "azure"],
                      discription_ja="OAuth2認証を使用してエンドポイントに接続します。",
-                     discription_en="Connect to the endpoint using OAuth2 authentication."),
+                     discription_en="Connect to the endpoint using OAuth2 authentication.",
+                     choice_show=dict(google=["oauth2_client_id","oauth2_client_secret"],
+                                      github=["oauth2_client_id","oauth2_client_secret"],
+                                      azure=["oauth2_tenant_id","oauth2_client_id","oauth2_client_secret"])),
                 dict(opt="oauth2_port", type=Options.T_INT, default="8091", required=False, multi=False, hide=False, choice=None,
                      discription_ja="OAuth2認証を使用する場合のコールバックポートを指定します。省略した時は `8091` を使用します。",
                      discription_en="Specifies the callback port when OAuth2 authentication is used. If omitted, `8091` is used."),
+                dict(opt="oauth2_tenant_id", type=Options.T_STR, default=None, required=False, multi=False, hide=False, choice=None,
+                     discription_ja="OAuth2認証を使用するときのテナントIDを指定します。",
+                     discription_en="Specifies the tenant ID when OAuth2 authentication is used."),
                 dict(opt="oauth2_client_id", type=Options.T_STR, default=None, required=False, multi=False, hide=False, choice=None,
                      discription_ja="OAuth2認証を使用するときのクライアントIDを指定します。",
                      discription_en="Specifies the client ID when OAuth2 authentication is used."),

cmdbox/app/features/cli/cmdbox_gui_start.py

@@ -86,7 +86,7 @@ class GuiStart(feature.UnsupportEdgeFeature):
                 dict(opt="session_secure", type=Options.T_BOOL, default=False, required=False, multi=False, hide=True, choice=[True, False],
                      discription_ja="サインインしたユーザーのセッションにSecureフラグを設定します。",
                      discription_en="Set the Secure flag for the signed-in user's session."),
-                dict(opt="session_timeout", type=Options.T_INT, default="600", required=False, multi=False, hide=True, choice=None,
+                dict(opt="session_timeout", type=Options.T_INT, default="900", required=False, multi=False, hide=True, choice=None,
                      discription_ja="サインインしたユーザーのセッションタイムアウトの時間を秒で指定します。",
                      discription_en="Specify the session timeout in seconds for signed-in users."),
                 dict(opt="guvicorn_workers", type=Options.T_INT, default=multiprocessing.cpu_count()*2, required=False, multi=False, hide=True, choice=None,

cmdbox/app/features/cli/cmdbox_web_start.py

@@ -86,7 +86,7 @@ class WebStart(feature.UnsupportEdgeFeature):
                 dict(opt="session_secure", type=Options.T_BOOL, default=False, required=False, multi=False, hide=True, choice=[True, False],
                      discription_ja="サインインしたユーザーのセッションにSecureフラグを設定します。",
                      discription_en="Set the Secure flag for the signed-in user's session."),
-                dict(opt="session_timeout", type=Options.T_INT, default="600", required=False, multi=False, hide=True, choice=None,
+                dict(opt="session_timeout", type=Options.T_INT, default="900", required=False, multi=False, hide=True, choice=None,
                      discription_ja="サインインしたユーザーのセッションタイムアウトの時間を秒で指定します。",
                      discription_en="Specify the session timeout in seconds for signed-in users."),
                 dict(opt="guvicorn_workers", type=Options.T_INT, default=multiprocessing.cpu_count()*2, required=False, multi=False, hide=True, choice=None,
@@ -171,6 +171,7 @@ class WebStart(feature.UnsupportEdgeFeature):
             common.print_format(msg, args.format, tm, args.output_json, args.output_json_append, pf=pf)
             return 0, msg, w
         except Exception as e:
+            logger.error(f"Web server start error. {e}", exc_info=True)
             msg = dict(warn=f"Web server start error. {e}")
             common.print_format(msg, args.format, tm, args.output_json, args.output_json_append, pf=pf)
             return 1, msg, w

cmdbox/app/features/web/cmdbox_web_bbforce_cmd.py

@@ -15,7 +15,7 @@ class BbforceCmd(feature.WebFeature):
         """
         @app.get('/bbforce_cmd')
         async def del_cmd(req:Request, res:Response):
-            signin = web.check_signin(req, res)
+            signin = web.signin.check_signin(req, res)
             if signin is not None:
                 raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
             if web.logger.level == logging.DEBUG:

cmdbox/app/features/web/cmdbox_web_copyright.py

@@ -15,7 +15,7 @@ class Copyright(feature.WebFeature):
         """
         @app.get('/copyright', response_class=PlainTextResponse)
         async def copyright(req:Request, res:Response):
-            signin = web.check_signin(req, res)
+            signin = web.signin.check_signin(req, res)
             if signin is not None:
                 raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
             return self.ver.__copyright__

cmdbox/app/features/web/cmdbox_web_del_cmd.py

@@ -14,7 +14,7 @@ class DelCmd(feature.WebFeature):
         """
         @app.post('/gui/del_cmd')
         async def del_cmd(req:Request, res:Response):
-            signin = web.check_signin(req, res)
+            signin = web.signin.check_signin(req, res)
             if signin is not None:
                 raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
             form = await req.form()

cmdbox/app/features/web/cmdbox_web_del_pipe.py

@@ -14,7 +14,7 @@ class DelPipe(feature.WebFeature):
         """
         @app.post('/gui/del_pipe')
         async def del_pipe(req:Request, res:Response):
-            signin = web.check_signin(req, res)
+            signin = web.signin.check_signin(req, res)
             if signin is not None:
                 raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
             form = await req.form()

cmdbox/app/features/web/cmdbox_web_do_signin.py

@@ -1,4 +1,5 @@
-from cmdbox.app import common, signin
+from cmdbox.app import common
+from cmdbox.app.auth.signin import Signin
 from cmdbox.app.commons import convert
 from cmdbox.app.features.web import cmdbox_web_signin
 from cmdbox.app.web import Web
@@ -33,6 +34,7 @@ class DoSignin(cmdbox_web_signin.Signin):
             name = form.get('name')
             passwd = form.get('password')
             # edgeからtokenによる認証の場合
+            signin_data = web.signin.get_data()
             token_ok = False
             if token is not None:
                 if web.logger.level == logging.DEBUG:
@@ -40,7 +42,7 @@ class DoSignin(cmdbox_web_signin.Signin):
                 token = convert.b64str2str(token)
                 token = json.loads(token)
                 name = token['user']
-                user = [u for u in web.signin_file_data['users'] if u['name'] == name]
+                user = [u for u in signin_data['users'] if u['name'] == name]
                 if len(user) <= 0:
                     raise HTTPException(status_code=401, detail='Unauthorized')
                 user = user[0]
@@ -57,7 +59,7 @@ class DoSignin(cmdbox_web_signin.Signin):
             if not token_ok:
                 if name == '' or passwd == '':
                     return RedirectResponse(url=f'/signin/{next}?error=1')
-                user = [u for u in web.signin_file_data['users'] if u['name'] == name and u['hash'] != 'oauth2']
+                user = [u for u in signin_data['users'] if u['name'] == name and u['hash'] != 'oauth2']
                 if len(user) <= 0:
                     return RedirectResponse(url=f'/signin/{next}?error=1')
                 user = user[0]
@@ -67,9 +69,9 @@ class DoSignin(cmdbox_web_signin.Signin):
             # ロックアウトチェック
             pass_miss_count = web.user_data(None, uid, name, 'password', 'pass_miss_count')
             pass_miss_count = 0 if pass_miss_count is None else int(pass_miss_count)
-            if 'password' in web.signin_file_data and web.signin_file_data['password']['lockout']['enabled']:
-                threshold = web.signin_file_data['password']['lockout']['threshold']
-                reset = web.signin_file_data['password']['lockout']['reset']
+            if 'password' in signin_data and signin_data['password']['lockout']['enabled']:
+                threshold = signin_data['password']['lockout']['threshold']
+                reset = signin_data['password']['lockout']['reset']
                 pass_miss_last = web.user_data(None, uid, name, 'password', 'pass_miss_last')
                 if pass_miss_last is None:
                     pass_miss_last = web.user_data(None, uid, name, 'password', 'pass_miss_last', datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%S'))
@@ -95,17 +97,17 @@ class DoSignin(cmdbox_web_signin.Signin):
                     web.user_data(None, uid, name, 'password', 'pass_miss_count', pass_miss_count+1)
                     web.logger.warning(f'Failed to signin. name={name}, pass_miss_count={pass_miss_count+1}')
                     return RedirectResponse(url=f'/signin/{next}?error=1')
-            group_names = list(set(web.correct_group(user['groups'])))
-            gids = [g['gid'] for g in web.signin_file_data['groups'] if g['name'] in group_names]
+            group_names = list(set(web.signin.__class__.correct_group(signin_data, user['groups'], None)))
+            gids = [g['gid'] for g in signin_data['groups'] if g['name'] in group_names]
             email = user.get('email', '')
             # パスワード最終更新日時取得
             last_update = web.user_data(None, uid, name, 'password', 'last_update')
             notify_passchange = True if last_update is None else False
             # パスワード認証の場合はパスワード有効期限チェック
-            if user['hash']!='oauth2' and 'password' in web.signin_file_data and not notify_passchange:
+            if user['hash']!='oauth2' and 'password' in signin_data and not notify_passchange:
                 last_update = datetime.datetime.strptime(last_update, '%Y-%m-%dT%H:%M:%S')
                 # パスワード有効期限
-                expiration = web.signin_file_data['password']['expiration']
+                expiration = signin_data['password']['expiration']
                 if expiration['enabled']:
                     period = expiration['period']
                     notify = expiration['notify']
@@ -122,7 +124,7 @@ class DoSignin(cmdbox_web_signin.Signin):
             next = f"../{next}" if token_ok else next
             return RedirectResponse(url=f'../{next}{"?warn=passchange" if notify_passchange else ""}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス
 
-        def _load_signin(signin_module:str, appcls, ver):
+        def _load_signin(web:Web, signin_module:str, appcls, ver):
             """
             サインインオブジェクトを読込む
             
@@ -138,26 +140,31 @@ class DoSignin(cmdbox_web_signin.Signin):
             try:
                 mod = importlib.import_module(signin_module)
                 members = inspect.getmembers(mod, inspect.isclass)
+                signin_data = web.signin.get_data()
                 for name, cls in members:
-                    if cls is not signin.Signin or not issubclass(cls, signin.Signin):
-                        continue
-                    sobj = cls(appcls, ver)
-                    return sobj
+                    if cls is Signin or issubclass(cls, Signin):
+                        sobj = cls(web.logger, web.signin_file, signin_data, appcls, ver)
+                        return sobj
                 return None
             except Exception as e:
                 web.logger.error(f'Failed to load signin. {e}', exc_info=True)
                 raise e
 
-        self.google_signin = signin.Signin(app, web.ver)
-        self.github_signin = signin.Signin(app, web.ver)
-        if web.signin_file_data is not None:
+        signin_data = web.signin.get_data()
+        self.google_signin = Signin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        self.github_signin = Signin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        self.azure_signin = Signin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        if signin_data is not None:
             # signinオブジェクトの指定があった場合読込む
-            if 'signin_module' in web.signin_file_data['oauth2']['providers']['google']:
-                sobj = _load_signin(web.signin_file_data['oauth2']['providers']['google']['signin_module'], self.appcls, self.ver)
+            if 'signin_module' in signin_data['oauth2']['providers']['google']:
+                sobj = _load_signin(web, signin_data['oauth2']['providers']['google']['signin_module'], self.appcls, self.ver)
                 self.google_signin = sobj if sobj is not None else self.google_signin
-            if 'signin_module' in web.signin_file_data['oauth2']['providers']['google']:
-                sobj = _load_signin(web.signin_file_data['oauth2']['providers']['github']['signin_module'], self.appcls, self.ver)
+            if 'signin_module' in signin_data['oauth2']['providers']['github']:
+                sobj = _load_signin(web, signin_data['oauth2']['providers']['github']['signin_module'], self.appcls, self.ver)
                 self.github_signin = sobj if sobj is not None else self.github_signin
+            if 'signin_module' in signin_data['oauth2']['providers']['azure']:
+                sobj = _load_signin(web, signin_data['oauth2']['providers']['azure']['signin_module'], self.appcls, self.ver)
+                self.azure_signin = sobj if sobj is not None else self.azure_signin
 
         def _set_session(req:Request, user:dict, email:str, hashed_password:str, access_token:str, group_names:list, gids:list):
             """
@@ -191,7 +198,7 @@ class DoSignin(cmdbox_web_signin.Signin):
 
         @app.get('/oauth2/google/callback')
         async def oauth2_google_callback(req:Request, res:Response):
-            conf = web.signin_file_data['oauth2']['providers']['google']
+            conf = web.signin.get_data()['oauth2']['providers']['google']
             headers = {'Content-Type': 'application/x-www-form-urlencoded'}
             next = req.query_params['state']
             data = {'code': req.query_params['code'],
@@ -206,7 +213,7 @@ class DoSignin(cmdbox_web_signin.Signin):
                 token_resp.raise_for_status()
                 token_json = token_resp.json()
                 access_token = token_json['access_token']
-                return await oauth2_google_session(next, access_token, req, res)
+                return await oauth2_google_session(access_token, next, req, res)
             except Exception as e:
                 web.logger.warning(f'Failed to get token. {e}', exc_info=True)
                 raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
@@ -223,12 +230,11 @@ class DoSignin(cmdbox_web_signin.Signin):
                 user_info_json = user_info_resp.json()
                 email = user_info_json['email']
                 # サインイン判定
-                copy_signin_data = copy.deepcopy(web.signin_file_data)
-                jadge, user = self.google_signin.jadge(access_token, email, copy_signin_data)
+                jadge, user = self.google_signin.jadge(access_token, email)
                 if not jadge:
                     return RedirectResponse(url=f'/signin/{next}?error=appdeny')
                 # グループ取得
-                group_names, gids = self.google_signin.get_groups(access_token, user, copy_signin_data)
+                group_names, gids = self.google_signin.get_groups(access_token, user)
                 # セッションに保存
                 _set_session(req, user, email, None, access_token, group_names, gids)
                 return RedirectResponse(url=f'../../{next}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス
@@ -238,7 +244,7 @@ class DoSignin(cmdbox_web_signin.Signin):
 
         @app.get('/oauth2/github/callback')
         async def oauth2_github_callback(req:Request, res:Response):
-            conf = web.signin_file_data['oauth2']['providers']['github']
+            conf = web.signin.get_data()['oauth2']['providers']['github']
             headers = {'Content-Type': 'application/x-www-form-urlencoded',
                        'Accept': 'application/json'}
             next = req.query_params['state']
@@ -253,7 +259,7 @@ class DoSignin(cmdbox_web_signin.Signin):
                 token_resp.raise_for_status()
                 token_json = token_resp.json()
                 access_token = token_json['access_token']
-                return await oauth2_github_session(next, access_token, req, res)
+                return await oauth2_github_session(access_token, next, req, res)
             except Exception as e:
                 web.logger.warning(f'Failed to get token. {e}', exc_info=True)
                 raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
@@ -275,12 +281,62 @@ class DoSignin(cmdbox_web_signin.Signin):
                             email = u['email']
                             break
                 # サインイン判定
-                copy_signin_data = copy.deepcopy(web.signin_file_data)
-                jadge, user = self.github_signin.jadge(access_token, email, copy_signin_data)
+                jadge, user = self.github_signin.jadge(access_token, email)
                 if not jadge:
                     return RedirectResponse(url=f'/signin/{next}?error=appdeny')
                 # グループ取得
-                group_names, gids = self.github_signin.get_groups(access_token, user, copy_signin_data)
+                group_names, gids = self.github_signin.get_groups(access_token, user)
+                # セッションに保存
+                _set_session(req, user, email, None, access_token, group_names, gids)
+                return RedirectResponse(url=f'../../{next}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス
+            except Exception as e:
+                web.logger.warning(f'Failed to get token. {e}', exc_info=True)
+                raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
+
+        @app.get('/oauth2/azure/callback')
+        async def oauth2_azure_callback(req:Request, res:Response):
+            conf = web.signin.get_data()['oauth2']['providers']['azure']
+            headers = {'Content-Type': 'application/x-www-form-urlencoded',
+                       'Accept': 'application/json'}
+            next = req.query_params['state']
+            data = {'tenant': conf['tenant_id'],
+                    'code': req.query_params['code'],
+                    'scope': " ".join(conf['scope']),
+                    'client_id': conf['client_id'],
+                    #'client_secret': conf['client_secret'],
+                    'redirect_uri': conf['redirect_uri'],
+                    'grant_type': 'authorization_code'}
+            query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
+            try:
+                # アクセストークン取得
+                token_resp = requests.post(url=f'https://login.microsoftonline.com/{conf["tenant_id"]}/oauth2/v2.0/token', headers=headers, data=query)
+                token_resp.raise_for_status()
+                token_json = token_resp.json()
+                access_token = token_json['access_token']
+                return await oauth2_azure_session(access_token, next, req, res)
+            except Exception as e:
+                web.logger.warning(f'Failed to get token. {e}', exc_info=True)
+                raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
+
+        @app.get('/oauth2/azure/session/{access_token}/{next}')
+        async def oauth2_azure_session(access_token:str, next:str, req:Request, res:Response):
+            try:
+                # ユーザー情報取得(email)
+                user_info_resp = requests.get(
+                    url='https://graph.microsoft.com/v1.0/me',
+                    #url='https://graph.microsoft.com/v1.0/me/transitiveMemberOf?$Top=999',
+                    headers={'Authorization': f'Bearer {access_token}'}
+                )
+                user_info_resp.raise_for_status()
+                user_info_json = user_info_resp.json()
+                if isinstance(user_info_json, dict):
+                    email = user_info_json.get('mail', 'notfound')
+                # サインイン判定
+                jadge, user = self.azure_signin.jadge(access_token, email)
+                if not jadge:
+                    return RedirectResponse(url=f'/signin/{next}?error=appdeny')
+                # グループ取得
+                group_names, gids = self.azure_signin.get_groups(access_token, user)
                 # セッションに保存
                 _set_session(req, user, email, None, access_token, group_names, gids)
                 return RedirectResponse(url=f'../../{next}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス

cmdbox/app/features/web/cmdbox_web_exec_cmd.py

@@ -26,7 +26,7 @@ class ExecCmd(cmdbox_web_load_cmd.LoadCmd):
         @app.post('/exec_cmd/{title}')
         async def exec_cmd(req:Request, res:Response, title:str=None):
             try:
-                signin = web.check_signin(req, res)
+                signin = web.signin.check_signin(req, res)
                 if signin is not None:
                     raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
                 opt = None
@@ -114,7 +114,7 @@ class ExecCmd(cmdbox_web_load_cmd.LoadCmd):
         appcls = app.CmdBoxApp if appcls is None else appcls
         web.container['cmdbox_app'] = ap = appcls.getInstance(appcls=appcls, ver=self.ver)
         if 'mode' in opt and 'cmd' in opt:
-            if not web.check_cmd(req, res, opt['mode'], opt['cmd']):
+            if not web.signin.check_cmd(req, res, opt['mode'], opt['cmd']):
                 return dict(warn=f'Command "{title}" failed. Execute command denyed. mode={opt["mode"]}, cmd={opt["cmd"]}')
         if 'host' in opt: opt['host'] = web.redis_host
         if 'port' in opt: opt['port'] = web.redis_port

cmdbox/app/features/web/cmdbox_web_exec_pipe.py

@@ -29,7 +29,7 @@ class ExecPipe(cmdbox_web_load_pipe.LoadPipe, cmdbox_web_raw_pipe.RawPipe):
         async def exec_pipe(req:Request, res:Response, title:str=None):
             upfiles = dict()
             try:
-                signin = web.check_signin(req, res)
+                signin = web.signin.check_signin(req, res)
                 if signin is not None:
                     raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
                 opt = None
@@ -71,7 +71,7 @@ class ExecPipe(cmdbox_web_load_pipe.LoadPipe, cmdbox_web_raw_pipe.RawPipe):
                             msg = f'Command "{cmd_title}" failed. This command is not available in web mode.'
                             self.callback_return_pipe_exec_func(web, title, dict(warn=msg))
                             raise HTTPException(401, detail=msg)
-                        if not web.check_cmd(req, res, cmd_opt['mode'], cmd_opt['cmd']):
+                        if not web.signin.check_cmd(req, res, cmd_opt['mode'], cmd_opt['cmd']):
                             msg = f'Command "{cmd_title}" failed. Execute command denyed. mode={cmd_opt["mode"]}, cmd={cmd_opt["cmd"]}'
                             self.callback_return_pipe_exec_func(web, title, dict(warn=msg))
                             raise HTTPException(401, detail=msg)

cmdbox/app/features/web/cmdbox_web_filer download.py

@@ -3,9 +3,8 @@ from cmdbox.app.commons import convert
 from cmdbox.app.features.web import cmdbox_web_exec_cmd
 from cmdbox.app.web import Web
 from fastapi import FastAPI, Request, Response, HTTPException
-from fastapi.responses import HTMLResponse, StreamingResponse
+from fastapi.responses import StreamingResponse
 from pathlib import Path
-from typing import Dict, Any
 import io
 import urllib.parse
 
@@ -21,7 +20,7 @@ class FilerDownload(cmdbox_web_exec_cmd.ExecCmd):
         """
         @app.get('/filer/download/{constr:str}', response_class=StreamingResponse)
         async def filer_download(constr:str, req:Request, res:Response):
-            signin = web.check_signin(req, res)
+            signin = web.signin.check_signin(req, res)
             if signin is not None:
                 raise HTTPException(status_code=401, detail=self.DEFAULT_401_MESSAGE)
             try:

cmdbox/app/features/web/cmdbox_web_filer.py

@@ -23,7 +23,7 @@ class Filer(feature.WebFeature):
         @app.get('/filer', response_class=HTMLResponse)
         @app.post('/filer', response_class=HTMLResponse)
         async def filer(req:Request, res:Response):
-            signin = web.check_signin(req, res)
+            signin = web.signin.check_signin(req, res)
             if signin is not None:
                 return signin
             res.headers['Access-Control-Allow-Origin'] = '*'