cmdbox 0.5.3.1__py3-none-any.whl → 0.5.4__py3-none-any.whl

cmdbox/app/features/web/cmdbox_web_do_signin.py

@@ -1,18 +1,19 @@
+import urllib.parse
 from cmdbox.app import common
-from cmdbox.app.auth.signin import Signin
+from cmdbox.app.auth import signin, signin_saml, azure_signin, azure_signin_saml, github_signin, google_signin
 from cmdbox.app.commons import convert
 from cmdbox.app.features.web import cmdbox_web_signin
 from cmdbox.app.web import Web
 from fastapi import FastAPI, Request, Response, HTTPException
 from fastapi.responses import HTMLResponse, RedirectResponse
+from typing import Any, Dict
 import copy
 import datetime
 import importlib
 import inspect
 import json
 import logging
-import requests
-import urllib.parse
+import urllib
 
 
 class DoSignin(cmdbox_web_signin.Signin):
@@ -60,7 +61,7 @@ class DoSignin(cmdbox_web_signin.Signin):
                 if name == '' or passwd == '':
                     web.options.audit_exec(req, res, web, body=dict(msg='signin failed.'), audit_type='auth')
                     return RedirectResponse(url=f'/signin/{next}?error=1')
-                user = [u for u in signin_data['users'] if u['name'] == name and u['hash'] != 'oauth2']
+                user = [u for u in signin_data['users'] if u['name'] == name and u['hash'] != 'oauth2' and u['hash'] != 'saml']
                 if len(user) <= 0:
                     web.options.audit_exec(req, res, web, body=dict(msg='signin failed.'), audit_type='auth')
                     return RedirectResponse(url=f'/signin/{next}?error=1')
@@ -108,7 +109,7 @@ class DoSignin(cmdbox_web_signin.Signin):
             last_update = web.user_data(None, uid, name, 'password', 'last_update')
             notify_passchange = True if last_update is None else False
             # パスワード認証の場合はパスワード有効期限チェック
-            if user['hash']!='oauth2' and 'password' in signin_data and not notify_passchange:
+            if user['hash']!='oauth2' and user['hash']!='saml' and 'password' in signin_data and not notify_passchange:
                 last_update = datetime.datetime.strptime(last_update, '%Y-%m-%dT%H:%M:%S')
                 # パスワード有効期限
                 expiration = signin_data['password']['expiration']
@@ -152,7 +153,7 @@ class DoSignin(cmdbox_web_signin.Signin):
                 members = inspect.getmembers(mod, inspect.isclass)
                 signin_data = web.signin.get_data()
                 for name, cls in members:
-                    if cls is Signin or issubclass(cls, Signin):
+                    if cls is signin.Signin or issubclass(cls, signin.Signin):
                         sobj = cls(web.logger, web.signin_file, signin_data, appcls, ver)
                         return sobj
                 return None
@@ -161,9 +162,10 @@ class DoSignin(cmdbox_web_signin.Signin):
                 raise e
 
         signin_data = web.signin.get_data()
-        self.google_signin = Signin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
-        self.github_signin = Signin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
-        self.azure_signin = Signin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        self.google_signin = google_signin.GoogleSignin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        self.github_signin = github_signin.GithubSignin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        self.azure_signin = azure_signin.AzureSignin(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
+        self.azure_saml_signin = azure_signin_saml.AzyreSigninSAML(web.logger, web.signin_file, signin_data, self.appcls, self.ver)
         if signin_data is not None:
             # signinオブジェクトの指定があった場合読込む
             if 'signin_module' in signin_data['oauth2']['providers']['google']:
@@ -175,6 +177,9 @@ class DoSignin(cmdbox_web_signin.Signin):
             if 'signin_module' in signin_data['oauth2']['providers']['azure']:
                 sobj = _load_signin(web, signin_data['oauth2']['providers']['azure']['signin_module'], self.appcls, self.ver)
                 self.azure_signin = sobj if sobj is not None else self.azure_signin
+            if 'signin_module' in signin_data['saml']['providers']['azure']:
+                sobj = _load_signin(web, signin_data['saml']['providers']['azure']['signin_module'], self.appcls, self.ver)
+                self.azure_saml_signin = sobj if sobj is not None else self.azure_saml_signin
 
         def _set_session(req:Request, user:dict, email:str, hashed_password:str, access_token:str, group_names:list, gids:list):
             """
@@ -209,20 +214,10 @@ class DoSignin(cmdbox_web_signin.Signin):
         @app.get('/oauth2/google/callback')
         async def oauth2_google_callback(req:Request, res:Response):
             conf = web.signin.get_data()['oauth2']['providers']['google']
-            headers = {'Content-Type': 'application/x-www-form-urlencoded'}
             next = req.query_params['state']
-            data = {'code': req.query_params['code'],
-                    'client_id': conf['client_id'],
-                    'client_secret': conf['client_secret'],
-                    'redirect_uri': conf['redirect_uri'],
-                    'grant_type': 'authorization_code'}
-            query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
             try:
                 # アクセストークン取得
-                token_resp = requests.post(url='https://oauth2.googleapis.com/token', headers=headers, data=query)
-                token_resp.raise_for_status()
-                token_json = token_resp.json()
-                access_token = token_json['access_token']
+                access_token = self.google_signin.request_access_token(conf, req, res)
                 return await oauth2_google_session(access_token, next, req, res)
             except Exception as e:
                 web.logger.warning(f'Failed to get token. {e}', exc_info=True)
@@ -230,45 +225,15 @@ class DoSignin(cmdbox_web_signin.Signin):
 
         @app.get('/oauth2/google/session/{access_token}/{next}')
         async def oauth2_google_session(access_token:str, next:str, req:Request, res:Response):
-            try:
-                # ユーザー情報取得(email)
-                user_info_resp = requests.get(
-                    url='https://www.googleapis.com/oauth2/v1/userinfo',
-                    headers={'Authorization': f'Bearer {access_token}'}
-                )
-                user_info_resp.raise_for_status()
-                user_info_json = user_info_resp.json()
-                email = user_info_json['email']
-                # サインイン判定
-                jadge, user = self.google_signin.jadge(access_token, email)
-                if not jadge:
-                    return RedirectResponse(url=f'/signin/{next}?error=appdeny')
-                # グループ取得
-                group_names, gids = self.google_signin.get_groups(access_token, user)
-                # セッションに保存
-                _set_session(req, user, email, None, access_token, group_names, gids)
-                return RedirectResponse(url=f'../../{next}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス
-            except Exception as e:
-                web.logger.warning(f'Failed to get token. {e}', exc_info=True)
-                raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
+            return await oauth2_login_session(self.google_signin, access_token, next, req, res)
 
         @app.get('/oauth2/github/callback')
         async def oauth2_github_callback(req:Request, res:Response):
             conf = web.signin.get_data()['oauth2']['providers']['github']
-            headers = {'Content-Type': 'application/x-www-form-urlencoded',
-                       'Accept': 'application/json'}
             next = req.query_params['state']
-            data = {'code': req.query_params['code'],
-                    'client_id': conf['client_id'],
-                    'client_secret': conf['client_secret'],
-                    'redirect_uri': conf['redirect_uri']}
-            query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
             try:
                 # アクセストークン取得
-                token_resp = requests.post(url='https://github.com/login/oauth/access_token', headers=headers, data=query)
-                token_resp.raise_for_status()
-                token_json = token_resp.json()
-                access_token = token_json['access_token']
+                access_token = self.github_signin.request_access_token(conf, req, res)
                 return await oauth2_github_session(access_token, next, req, res)
             except Exception as e:
                 web.logger.warning(f'Failed to get token. {e}', exc_info=True)
@@ -276,53 +241,15 @@ class DoSignin(cmdbox_web_signin.Signin):
 
         @app.get('/oauth2/github/session/{access_token}/{next}')
         async def oauth2_github_session(access_token:str, next:str, req:Request, res:Response):
-            try:
-                # ユーザー情報取得(email)
-                user_info_resp = requests.get(
-                    url='https://api.github.com/user/emails',
-                    headers={'Authorization': f'Bearer {access_token}'}
-                )
-                user_info_resp.raise_for_status()
-                user_info_json = user_info_resp.json()
-                if type(user_info_json) == list:
-                    email = 'notfound'
-                    for u in user_info_json:
-                        if u['primary']:
-                            email = u['email']
-                            break
-                # サインイン判定
-                jadge, user = self.github_signin.jadge(access_token, email)
-                if not jadge:
-                    return RedirectResponse(url=f'/signin/{next}?error=appdeny')
-                # グループ取得
-                group_names, gids = self.github_signin.get_groups(access_token, user)
-                # セッションに保存
-                _set_session(req, user, email, None, access_token, group_names, gids)
-                return RedirectResponse(url=f'../../{next}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス
-            except Exception as e:
-                web.logger.warning(f'Failed to get token. {e}', exc_info=True)
-                raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
+            return await oauth2_login_session(self.github_signin, access_token, next, req, res)
 
         @app.get('/oauth2/azure/callback')
         async def oauth2_azure_callback(req:Request, res:Response):
             conf = web.signin.get_data()['oauth2']['providers']['azure']
-            headers = {'Content-Type': 'application/x-www-form-urlencoded',
-                       'Accept': 'application/json'}
             next = req.query_params['state']
-            data = {'tenant': conf['tenant_id'],
-                    'code': req.query_params['code'],
-                    'scope': " ".join(conf['scope']),
-                    'client_id': conf['client_id'],
-                    #'client_secret': conf['client_secret'],
-                    'redirect_uri': conf['redirect_uri'],
-                    'grant_type': 'authorization_code'}
-            query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
             try:
                 # アクセストークン取得
-                token_resp = requests.post(url=f'https://login.microsoftonline.com/{conf["tenant_id"]}/oauth2/v2.0/token', headers=headers, data=query)
-                token_resp.raise_for_status()
-                token_json = token_resp.json()
-                access_token = token_json['access_token']
+                access_token = self.azure_signin.request_access_token(conf, req, res)
                 return await oauth2_azure_session(access_token, next, req, res)
             except Exception as e:
                 web.logger.warning(f'Failed to get token. {e}', exc_info=True)
@@ -330,26 +257,75 @@ class DoSignin(cmdbox_web_signin.Signin):
 
         @app.get('/oauth2/azure/session/{access_token}/{next}')
         async def oauth2_azure_session(access_token:str, next:str, req:Request, res:Response):
+            return await oauth2_login_session(self.azure_signin, access_token, next, req, res)
+
+        async def oauth2_login_session(signin:signin.Signin, access_token:str, next:str, req:Request, res:Response):
             try:
                 # ユーザー情報取得(email)
-                user_info_resp = requests.get(
-                    url='https://graph.microsoft.com/v1.0/me',
-                    #url='https://graph.microsoft.com/v1.0/me/transitiveMemberOf?$Top=999',
-                    headers={'Authorization': f'Bearer {access_token}'}
-                )
-                user_info_resp.raise_for_status()
-                user_info_json = user_info_resp.json()
-                if isinstance(user_info_json, dict):
-                    email = user_info_json.get('mail', 'notfound')
+                email = signin.get_email(access_token)
                 # サインイン判定
-                jadge, user = self.azure_signin.jadge(access_token, email)
+                jadge, user = signin.jadge(email)
                 if not jadge:
                     return RedirectResponse(url=f'/signin/{next}?error=appdeny')
                 # グループ取得
-                group_names, gids = self.azure_signin.get_groups(access_token, user)
+                group_names, gids = signin.get_groups(access_token, user)
                 # セッションに保存
                 _set_session(req, user, email, None, access_token, group_names, gids)
                 return RedirectResponse(url=f'../../{next}', headers=dict(signin="success")) # nginxのリバプロ対応のための相対パス
             except Exception as e:
                 web.logger.warning(f'Failed to get token. {e}', exc_info=True)
                 raise HTTPException(status_code=500, detail=f'Failed to get token. {e}')
+
+        @app.post('/saml/azure/callback')
+        async def saml_azure_callback(req:Request, res:Response):
+            form = await req.form()
+            return await saml_login_callback('azure', self.azure_saml_signin, form, None, req, res)
+
+        @app.get('/saml/azure/session/{saml_token}/{next}')
+        async def saml_azure_session(saml_token:str, next:str, req:Request, res:Response):
+            form = json.loads(convert.b64str2str(saml_token))
+            return await saml_login_callback('azure', self.azure_saml_signin, form, next, req, res)
+
+        async def saml_login_callback(prov, saml_signin:signin_saml.SigninSAML, form:Dict[str, Any], next:str, req:Request, res:Response):
+            """
+            SAML認証のコールバック処理を行います
+            Args:
+                prov (str): SAMLプロバイダ名
+                saml_signin (signin_saml.SigninSAML): SAMLサインインオブジェクト
+                form (Dict[str, Any]): フォームデータ
+                req (Request): Requestオブジェクト
+                res (Response): Responseオブジェクト
+            """
+            relay = form.get('RelayState')
+            query = urllib.parse.urlparse(relay).query if relay is not None else None
+            if next is None:
+                next = urllib.parse.parse_qs(query).get('next', None) if query is not None else None
+                next = next[0] if next is not None and len(next) > 0 else None
+            auth = await saml_signin.make_saml(prov, next, form, req, res)
+            auth.process_response() # Process IdP response
+            errors = auth.get_errors() # This method receives an array with the errors
+            if len(errors) == 0:
+                if not auth.is_authenticated(): # This check if the response was ok and the user data retrieved or not (user authenticated)
+                    return RedirectResponse(url=f'/signin/{next}?error=saml_not_auth')
+                else:
+                    # ユーザー情報取得
+                    email = saml_signin.get_email(auth)
+                    # サインイン判定
+                    jadge, user = saml_signin.jadge(email)
+                    if not jadge:
+                        return RedirectResponse(url=f'/signin/{next}?error=appdeny')
+                    # グループ取得
+                    group_names, gids = saml_signin.get_groups(None, user)
+                    # セッションに保存
+                    _set_session(req, user, email, None, None, group_names, gids)
+                    # SAML場合、ブラウザ制限によりリダイレクトでセッションクッキーが消えるので、HTMLで移動する
+                    html = """
+                    <html><head><meta http-equiv="refresh" content="0;url=../../{next}"></head>
+                    <body style="background-color:#212529;color:#fff;">loading..</body>
+                    <script type="text/javascript">window.location.href="../../{next}";</script></html>
+                    """.format(next=next)
+                    return HTMLResponse(content=html, headers=dict(signin="success"))
+            else:
+                msg = f"Error when processing SAML Response: {', '.join(errors)} {auth.get_last_error_reason()}"
+                web.logger.warning(msg)
+                raise HTTPException(status_code=500, detail=msg)

cmdbox/app/features/web/cmdbox_web_signin.py

@@ -1,9 +1,9 @@
-import urllib.parse
 from cmdbox.app import feature
 from cmdbox.app.web import Web
 from fastapi import FastAPI, Request, Response, HTTPException
 from fastapi.responses import HTMLResponse, RedirectResponse
 import urllib
+import urllib.parse
 
 
 class Signin(feature.WebFeature):
@@ -83,3 +83,25 @@ class Signin(feature.WebFeature):
             return dict(google=signin_data['oauth2']['providers']['google']['enabled'],
                         github=signin_data['oauth2']['providers']['github']['enabled'],
                         azure=signin_data['oauth2']['providers']['azure']['enabled'],)
+
+        @app.get('/saml/{prov}/{next}')
+        async def saml_login(prov:str, next:str, req:Request, res:Response):
+            """
+            SAML認証のログイン処理を行います
+
+            Args:
+                prov (str): SAMLプロバイダ名
+                next (str): リダイレクト先のURL
+                req (Request): Requestオブジェクト
+                res (Response): Responseオブジェクト
+            """
+            form = await req.form()
+            auth = await web.signin_saml.make_saml(prov, next, form, req, res)
+            return RedirectResponse(url=auth.login())
+
+        @app.get('/saml/enabled')
+        async def saml_enabled(req:Request, res:Response):
+            if web.signin_html_data is None:
+                return dict(azure=False)
+            signin_data = web.signin_saml.get_data()
+            return dict(azure=signin_data['saml']['providers']['azure']['enabled'],)

cmdbox/app/web.py

@@ -1,5 +1,5 @@
 from cmdbox.app import common, options
-from cmdbox.app.auth.signin import Signin
+from cmdbox.app.auth import signin, signin_saml
 from cmdbox.app.commons import module
 from fastapi import FastAPI, Request, Response, HTTPException
 from fastapi.responses import RedirectResponse
@@ -116,8 +116,9 @@ class Web:
         self.cb_queue = queue.Queue(1000)
         self.options = options.Options.getInstance()
         self.webcap_client = requests.Session()
-        signin_file_data = Signin.load_signin_file(self.signin_file)
-        self.signin = Signin(self.logger, self.signin_file, signin_file_data, self.appcls, self.ver)
+        signin_file_data = signin.Signin.load_signin_file(self.signin_file)
+        self.signin = signin.Signin(self.logger, self.signin_file, signin_file_data, self.appcls, self.ver)
+        self.signin_saml = signin_saml.SigninSAML(self.logger, self.signin_file, signin_file_data, self.appcls, self.ver)
 
         if self.logger.level == logging.DEBUG:
             self.logger.debug(f"web init parameter: data={self.data} -> {self.data.absolute() if self.data is not None else None}")
@@ -348,12 +349,12 @@ class Web:
         if 'hash' not in user or user['hash'] == '':
             raise ValueError(f"User hash is not found or empty. ({user})")
         hash = user['hash']
-        if hash!='oauth2' and ('password' not in user or user['password'] == ''):
+        if hash!='oauth2' and hash!='saml' and ('password' not in user or user['password'] == ''):
             raise ValueError(f"User password is not found or empty. ({user})")
         if 'email' not in user:
             raise ValueError(f"User email is not found. ({user})")
-        if hash=='oauth2' and (user['email'] is None or user['email']==''):
-            raise ValueError(f"Required when `email` is `oauth2`. ({user})")
+        if (hash=='oauth2' or hash=='saml') and (user['email'] is None or user['email']==''):
+            raise ValueError(f"Required when `email` is `oauth2` or `saml`. ({user})")
         if 'groups' not in user or type(user['groups']) is not list:
             raise ValueError(f"User groups is not found or empty. ({user})")
         for gn in user['groups']:
@@ -363,13 +364,13 @@ class Web:
             raise ValueError(f"User uid is already exists. ({user})")
         if len([u for u in signin_data['users'] if u['name'] == user['name']]) > 0:
             raise ValueError(f"User name is already exists. ({user})")
-        if hash not in ['oauth2', 'plain', 'md5', 'sha1', 'sha256']:
+        if hash not in ['oauth2', 'saml', 'plain', 'md5', 'sha1', 'sha256']:
             raise ValueError(f"User hash is not supported. ({user})")
         jadge, msg = self.signin.check_password_policy(user['name'], '', user['password'])
         if not jadge:
             raise ValueError(msg)
         if hash != 'plain':
-            user['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' else 'sha1')
+            user['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' and hash != 'saml' else 'sha1')
         else:
             user['password'] = user['password']
         signin_data['users'].append(user)
@@ -405,8 +406,8 @@ class Web:
         if 'email' not in user:
             raise ValueError(f"User email is not found. ({user})")
         hash = user['hash']
-        if hash=='oauth2' and (user['email'] is None or user['email']==''):
-            raise ValueError(f"Required when `email` is `oauth2`. ({user})")
+        if (hash=='oauth2' or hash=='saml') and (user['email'] is None or user['email']==''):
+            raise ValueError(f"Required when `email` is `oauth2` or `saml`. ({user})")
         if 'groups' not in user or type(user['groups']) is not list:
             raise ValueError(f"User groups is not found or empty. ({user})")
         for gn in user['groups']:
@@ -416,7 +417,7 @@ class Web:
             raise ValueError(f"User uid is not found. ({user})")
         if len([u for u in signin_data['users'] if u['name'] == user['name']]) <= 0:
             raise ValueError(f"User name is not found. ({user})")
-        if hash not in ['oauth2', 'plain', 'md5', 'sha1', 'sha256']:
+        if hash not in ['oauth2', 'saml', 'plain', 'md5', 'sha1', 'sha256']:
             raise ValueError(f"User hash is not supported. ({user})")
         for u in signin_data['users']:
             if u['uid'] == user['uid']:
@@ -426,7 +427,7 @@ class Web:
                     if not jadge:
                         raise ValueError(msg)
                     if hash != 'plain':
-                        u['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' else 'sha1')
+                        u['password'] = common.hash_password(user['password'], hash if hash != 'oauth2' and hash != 'saml' else 'sha1')
                     else:
                         u['password'] = user['password']
                     # パスワード更新日時の保存

cmdbox/extensions/sample_project/sample/extensions/features.yml

@@ -46,3 +46,26 @@ aliases:                                # Specify the alias for the specified co
                                         #   e.g. /{1}_exec
         move:                           # Specify whether to move the regular expression group of the source to the target.
                                         #   e.g. true
+audit:
+  enabled: true                         # Specify whether to enable the audit function.
+  write:
+    mode: audit                         # Specify the mode of the feature to be writed.
+    cmd: write                          # Specify the command to be writed.
+  search:
+    mode: audit                         # Specify the mode of the feature to be searched.
+    cmd: search                         # Specify the command to be searched.
+  options:                              # Specify the options for the audit function.
+    host: localhost                     # Specify the service host of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+    port: 6379                          # Specify the service port of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+    password: password                  # Specify the access password of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+    svname: cmdbox                      # Specify the audit service name of the inference server.However, if it is specified as a command line argument, it is ignored.
+    retry_count: 3                      # Specifies the number of reconnections to the audit Redis server.If less than 0 is specified, reconnection is forever.
+    retry_interval: 1                   # Specifies the number of seconds before reconnecting to the audit Redis server.
+    timeout: 15                         # Specify the maximum waiting time until the server responds.
+    pg_enabled: False                   # Specify True if using the postgresql database server.
+    pg_host: localhost                  # Specify the postgresql host.
+    pg_port: 5432                       # Specify the postgresql port.
+    pg_user: postgres                   # Specify the postgresql user name.
+    pg_password: password               # Specify the postgresql password.
+    pg_dbname: audit                    # Specify the postgresql database name.
+    retention_period_days: 365          # Specify the number of days to retain audit logs.

cmdbox/extensions/sample_project/sample/extensions/user_list.yml

@@ -2,9 +2,9 @@ users:                         # A list of users, each of which is a map that co
 - uid: 1                       # An ID that identifies a user. No two users can have the same ID.
   name: admin                  # A name that identifies the user. No two users can have the same name.
   password: admin              # The user's password. The value is hashed with the hash function specified in the next hash field.
-  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2.
+  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2, or saml.
   groups: [admin]              # A list of groups to which the user belongs, as specified in the groups field.
-  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 field.
+  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 or saml field.
 - uid: 101
   name: user01
   password: b75705d7e35e7014521a46b532236ec3
@@ -36,7 +36,6 @@ groups:                        # A list of groups, each of which is a map that c
 - gid: 103
   name: editor
   parent: user
-
 cmdrule:                       # A list of command rules, Specify a rule that determines whether or not a command is executable when executed by a user in web mode.
   policy: deny                 # Specify the default policy for the rule. The value can be allow or deny.
   rules:                       # Specify rules to allow or deny execution of the command, depending on the group the user belongs to.
@@ -50,6 +49,10 @@ cmdrule:                       # A list of command rules, Specify a rule that de
     mode: server
     cmds: [list]
     rule: allow
+  - groups: [user, guest]
+    mode: audit
+    cmds: [write]
+    rule: allow
   - groups: [user, guest]
     mode: web
     cmds: [genpass]
@@ -70,6 +73,7 @@ pathrule:                      # List of RESTAPI rules, rules that determine whe
     rule: allow
   - groups: [user]
     paths: [/signin, /assets, /bbforce_cmd, /copyright, /dosignin, /dosignout, /password/change,
+            /gui/user_data/load, /gui/user_data/save, /gui/user_data/delete,
             /exec_cmd, /exec_pipe, /filer, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
     rule: allow
   - groups: [readonly]
@@ -105,7 +109,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify Google's OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/google/callback # Specify Google's OAuth2 redirect URI.
       scope: ['email']              # Specify the scope you want to retrieve with Google's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.google_signin
       note:                         # Specify a description such as Google's OAuth2 reference site.
       - https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja#httprest
     github:                         # OAuth2 settings for GitHub.
@@ -114,7 +119,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the GitHub OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/github/callback # Specify the OAuth2 redirect URI for GitHub.
       scope: ['user:email']         # Specify the scope you want to get from GitHub's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.github_signin
       note:                         # Specify a description, such as a reference site for OAuth2 on GitHub.
       - https://docs.github.com/ja/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#scopes
     azure:                          # OAuth2 settings for Azure AD.
@@ -124,6 +130,34 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the Azure AD OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/azure/callback # Specify the OAuth2 redirect URI for Azure AD.
       scope: ['openid', 'profile', 'email', 'https://graph.microsoft.com/mail.read']
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin
       note:                         # Specify a description, such as a reference site for Azure AD's OAuth2.
       - https://learn.microsoft.com/ja-jp/entra/identity-platform/v2-oauth2-auth-code-flow
+saml:                               # SAML settings.
+  providers:                        # This is a per-provider setting for OAuth2.
+    azure:                          # SAML settings for Azure AD.
+      enabled: false                # Specify whether to enable SAML authentication for Azure AD.
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin_saml # Specify the python3-saml configuration.
+                                    # see) https://github.com/SAML-Toolkits/python3-saml
+      sp:
+        entityId: https://localhost:8443/
+        assertionConsumerService:
+          url: https://localhost:8443/saml/azure/callback
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        attributeConsumingService: {}
+        singleLogoutService:
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        x509cert: ''
+        privateKey: ''
+      idp:
+        entityId: https://sts.windows.net/{tenant-id}/
+        singleSignOnService:
+          url: https://login.microsoftonline.com/{tenant-id}/saml2
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        x509cert: XXXXXXXXXXX
+        singleLogoutService: {}
+        certFingerprint: ''
+        certFingerprintAlgorithm: sha1

cmdbox/extensions/user_list.yml

@@ -2,9 +2,9 @@ users:                         # A list of users, each of which is a map that co
 - uid: 1                       # An ID that identifies a user. No two users can have the same ID.
   name: admin                  # A name that identifies the user. No two users can have the same name.
   password: admin              # The user's password. The value is hashed with the hash function specified in the next hash field.
-  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2.
+  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2, or saml.
   groups: [admin]              # A list of groups to which the user belongs, as specified in the groups field.
-  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 field.
+  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 or saml field.
 - uid: 101
   name: user01
   password: b75705d7e35e7014521a46b532236ec3
@@ -74,7 +74,7 @@ pathrule:                      # List of RESTAPI rules, rules that determine whe
   - groups: [user]
     paths: [/signin, /assets, /bbforce_cmd, /copyright, /dosignin, /dosignout, /password/change,
             /gui/user_data/load, /gui/user_data/save, /gui/user_data/delete,
-            /exec_cmd, /exec_pipe, /filer, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
+            /exec_cmd, /exec_pipe, /filer, /result, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
     rule: allow
   - groups: [readonly]
     paths: [/gui/del_cmd, /gui/del_pipe, /gui/save_cmd, /gui/save_pipe]
@@ -109,7 +109,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify Google's OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/google/callback # Specify Google's OAuth2 redirect URI.
       scope: ['email']              # Specify the scope you want to retrieve with Google's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.google_signin
       note:                         # Specify a description such as Google's OAuth2 reference site.
       - https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja#httprest
     github:                         # OAuth2 settings for GitHub.
@@ -118,7 +119,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the GitHub OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/github/callback # Specify the OAuth2 redirect URI for GitHub.
       scope: ['user:email']         # Specify the scope you want to get from GitHub's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.github_signin
       note:                         # Specify a description, such as a reference site for OAuth2 on GitHub.
       - https://docs.github.com/ja/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#scopes
     azure:                          # OAuth2 settings for Azure AD.
@@ -128,6 +130,34 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the Azure AD OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/azure/callback # Specify the OAuth2 redirect URI for Azure AD.
       scope: ['openid', 'profile', 'email', 'https://graph.microsoft.com/mail.read']
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin
       note:                         # Specify a description, such as a reference site for Azure AD's OAuth2.
       - https://learn.microsoft.com/ja-jp/entra/identity-platform/v2-oauth2-auth-code-flow
+saml:                               # SAML settings.
+  providers:                        # This is a per-provider setting for OAuth2.
+    azure:                          # SAML settings for Azure AD.
+      enabled: false                # Specify whether to enable SAML authentication for Azure AD.
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin_saml # Specify the python3-saml configuration.
+                                    # see) https://github.com/SAML-Toolkits/python3-saml
+      sp:
+        entityId: https://localhost:8443/
+        assertionConsumerService:
+          url: https://localhost:8443/saml/azure/callback
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        attributeConsumingService: {}
+        singleLogoutService:
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        x509cert: ''
+        privateKey: ''
+      idp:
+        entityId: https://sts.windows.net/{tenant-id}/
+        singleSignOnService:
+          url: https://login.microsoftonline.com/{tenant-id}/saml2
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        x509cert: XXXXXXXXXXX
+        singleLogoutService: {}
+        certFingerprint: ''
+        certFingerprintAlgorithm: sha1

cmdbox/licenses/{LICENSE.python-multipart.0.0.17(Apache Software License).txt → LICENSE.async-timeout.5.0.1(Apache Software License).txt }

@@ -1,14 +1,13 @@
-Copyright 2012, Andrew Dunham
+Copyright 2016-2020 aio-libs collaboration.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-   https://www.apache.org/licenses/LICENSE-2.0
+   http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-