cmdbox 0.5.3__tar.gz → 0.5.4__tar.gz

{cmdbox-0.5.3/cmdbox.egg-info → cmdbox-0.5.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cmdbox
-Version: 0.5.3
+Version: 0.5.4
 Summary: cmdbox: It is a command line application with a plugin mechanism.
 Home-page: https://github.com/hamacom2004jp/cmdbox
 Download-URL: https://github.com/hamacom2004jp/cmdbox
@@ -41,6 +41,12 @@ pip install cmdbox
 cmdbox -v
 ```
 
+- When using SAML in web mode, install the modules with dependencies.
+```bash
+pip install xmlsec==1.3.13 python3-saml
+apt-get install -y pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl build-essential libopencv-dev
+```
+
 - Also install the docker version of the redis server.
 
 ```bash
@@ -173,7 +179,7 @@ class ServerTime(feature.Feature):
                 dict(opt="password", type=Options.T_STR, default=self.default_pass, required=True, multi=False, hide=True, choice=None,
                         discription_ja="Redisサーバーのアクセスパスワード(任意)を指定します。省略時は `password` を使用します。",
                         discription_en="Specify the access password of the Redis server (optional). If omitted, `password` is used."),
-                dict(opt="svname", type=Options.T_STR, default="server", required=True, multi=False, hide=True, choice=None,
+                dict(opt="svname", type=Options.T_STR, default=self.default_svname, required=True, multi=False, hide=True, choice=None,
                         discription_ja="サーバーのサービス名を指定します。省略時は `server` を使用します。",
                         discription_en="Specify the service name of the inference server. If omitted, `server` is used."),
                 dict(opt="timedelta", type=Options.T_INT, default=9, required=False, multi=False, hide=False, choice=None,
@@ -276,10 +282,10 @@ aliases:                                # Specify the alias for the specified co
       mode: audit                       # Specify the mode of the feature to be searched.
       cmd: search                       # Specify the command to be searched.
     options:                            # Specify the options for the audit function.
-      host: localhost                   # Specify the service host of the audit Redis server.
-      port: 6379                        # Specify the service port of the audit Redis server.
-      password: password                # Specify the access password of the audit Redis server.
-      svname: server                    # Specify the audit service name of the inference server.
+      host: localhost                   # Specify the service host of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+      port: 6379                        # Specify the service port of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+      password: password                # Specify the access password of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+      svname: server                    # Specify the audit service name of the inference server.However, if it is specified as a command line argument, it is ignored.
       retry_count: 3                    # Specifies the number of reconnections to the audit Redis server.If less than 0 is specified, reconnection is forever.
       retry_interval: 1                 # Specifies the number of seconds before reconnecting to the audit Redis server.
       timeout: 15                       # Specify the maximum waiting time until the server responds.
@@ -303,25 +309,25 @@ aliases:                                # Specify the alias for the specified co
 users:                         # A list of users, each of which is a map that contains the following fields.
 - uid: 1                       # An ID that identifies a user. No two users can have the same ID.
   name: admin                  # A name that identifies the user. No two users can have the same name.
-  password: XXXXXXXXXXX        # The user's password. The value is hashed with the hash function specified in the next hash field.
-  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2.
+  password: XXXXXXXXXXXXXXXX   # The user's password. The value is hashed with the hash function specified in the next hash field.
+  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2, or saml.
   groups: [admin]              # A list of groups to which the user belongs, as specified in the groups field.
-  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 field.
+  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 or saml field.
 - uid: 101
   name: user01
-  password: XXXXXXXXXXX
+  password: XXXXXXXXXXXXXXXX
   hash: md5
   groups: [user]
   email: user01@aaa.bbb.jp
 - uid: 102
   name: user02
-  password: XXXXXXXXXXX
+  password: XXXXXXXXXXXXXXXX
   hash: sha1
   groups: [readonly]
   email: user02@aaa.bbb.jp
 - uid: 103
   name: user03
-  password: XXXXXXXXXXX
+  password: XXXXXXXXXXXXXXXX
   hash: sha256
   groups: [editor]
   email: user03@aaa.bbb.jp
@@ -351,6 +357,10 @@ cmdrule:                       # A list of command rules, Specify a rule that de
     mode: server
     cmds: [list]
     rule: allow
+  - groups: [user, guest]
+    mode: audit
+    cmds: [write]
+    rule: allow
   - groups: [user, guest]
     mode: web
     cmds: [genpass]
@@ -371,7 +381,8 @@ pathrule:                      # List of RESTAPI rules, rules that determine whe
     rule: allow
   - groups: [user]
     paths: [/signin, /assets, /bbforce_cmd, /copyright, /dosignin, /dosignout, /password/change,
-            /exec_cmd, /exec_pipe, /filer, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
+            /gui/user_data/load, /gui/user_data/save, /gui/user_data/delete,
+            /exec_cmd, /exec_pipe, /filer, /result, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
     rule: allow
   - groups: [readonly]
     paths: [/gui/del_cmd, /gui/del_pipe, /gui/save_cmd, /gui/save_pipe]
@@ -406,7 +417,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify Google's OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/google/callback # Specify Google's OAuth2 redirect URI.
       scope: ['email']              # Specify the scope you want to retrieve with Google's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.google_signin
       note:                         # Specify a description such as Google's OAuth2 reference site.
       - https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja#httprest
     github:                         # OAuth2 settings for GitHub.
@@ -415,9 +427,50 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the GitHub OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/github/callback # Specify the OAuth2 redirect URI for GitHub.
       scope: ['user:email']         # Specify the scope you want to get from GitHub's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.github_signin
       note:                         # Specify a description, such as a reference site for OAuth2 on GitHub.
       - https://docs.github.com/ja/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#scopes
+    azure:                          # OAuth2 settings for Azure AD.
+      enabled: false                # Specify whether to enable OAuth2 for Azure AD.
+      tenant_id: XXXXXXXXXXX        # Specify the tenant ID for Azure AD.
+      client_id: XXXXXXXXXXX        # Specify the OAuth2 client ID for Azure AD.
+      client_secret: XXXXXXXXXXX    # Specify the Azure AD OAuth2 client secret.
+      redirect_uri: https://localhost:8443/oauth2/azure/callback # Specify the OAuth2 redirect URI for Azure AD.
+      scope: ['openid', 'profile', 'email', 'https://graph.microsoft.com/mail.read']
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin
+      note:                         # Specify a description, such as a reference site for Azure AD's OAuth2.
+      - https://learn.microsoft.com/ja-jp/entra/identity-platform/v2-oauth2-auth-code-flow
+saml:                               # SAML settings.
+  providers:                        # This is a per-provider setting for OAuth2.
+    azure:                          # SAML settings for Azure AD.
+      enabled: false                # Specify whether to enable SAML authentication for Azure AD.
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin_saml # Specify the python3-saml configuration.
+                                    # see) https://github.com/SAML-Toolkits/python3-saml
+      sp:
+        entityId: https://localhost:8443/
+        assertionConsumerService:
+          url: https://localhost:8443/saml/azure/callback
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        attributeConsumingService: {}
+        singleLogoutService:
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        x509cert: ''
+        privateKey: ''
+      idp:
+        entityId: https://sts.windows.net/{tenant-id}/
+        singleSignOnService:
+          url: https://login.microsoftonline.com/{tenant-id}/saml2
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        x509cert: XXXXXXXXXXX
+        singleLogoutService: {}
+        certFingerprint: ''
+        certFingerprintAlgorithm: sha1
+
+
 ```
 
 - See the documentation for references to each file.

{cmdbox-0.5.3 → cmdbox-0.5.4}/README.md

@@ -17,6 +17,12 @@ pip install cmdbox
 cmdbox -v
 ```
 
+- When using SAML in web mode, install the modules with dependencies.
+```bash
+pip install xmlsec==1.3.13 python3-saml
+apt-get install -y pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl build-essential libopencv-dev
+```
+
 - Also install the docker version of the redis server.
 
 ```bash
@@ -149,7 +155,7 @@ class ServerTime(feature.Feature):
                 dict(opt="password", type=Options.T_STR, default=self.default_pass, required=True, multi=False, hide=True, choice=None,
                         discription_ja="Redisサーバーのアクセスパスワード(任意)を指定します。省略時は `password` を使用します。",
                         discription_en="Specify the access password of the Redis server (optional). If omitted, `password` is used."),
-                dict(opt="svname", type=Options.T_STR, default="server", required=True, multi=False, hide=True, choice=None,
+                dict(opt="svname", type=Options.T_STR, default=self.default_svname, required=True, multi=False, hide=True, choice=None,
                         discription_ja="サーバーのサービス名を指定します。省略時は `server` を使用します。",
                         discription_en="Specify the service name of the inference server. If omitted, `server` is used."),
                 dict(opt="timedelta", type=Options.T_INT, default=9, required=False, multi=False, hide=False, choice=None,
@@ -252,10 +258,10 @@ aliases:                                # Specify the alias for the specified co
       mode: audit                       # Specify the mode of the feature to be searched.
       cmd: search                       # Specify the command to be searched.
     options:                            # Specify the options for the audit function.
-      host: localhost                   # Specify the service host of the audit Redis server.
-      port: 6379                        # Specify the service port of the audit Redis server.
-      password: password                # Specify the access password of the audit Redis server.
-      svname: server                    # Specify the audit service name of the inference server.
+      host: localhost                   # Specify the service host of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+      port: 6379                        # Specify the service port of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+      password: password                # Specify the access password of the audit Redis server.However, if it is specified as a command line argument, it is ignored.
+      svname: server                    # Specify the audit service name of the inference server.However, if it is specified as a command line argument, it is ignored.
       retry_count: 3                    # Specifies the number of reconnections to the audit Redis server.If less than 0 is specified, reconnection is forever.
       retry_interval: 1                 # Specifies the number of seconds before reconnecting to the audit Redis server.
       timeout: 15                       # Specify the maximum waiting time until the server responds.
@@ -279,25 +285,25 @@ aliases:                                # Specify the alias for the specified co
 users:                         # A list of users, each of which is a map that contains the following fields.
 - uid: 1                       # An ID that identifies a user. No two users can have the same ID.
   name: admin                  # A name that identifies the user. No two users can have the same name.
-  password: XXXXXXXXXXX        # The user's password. The value is hashed with the hash function specified in the next hash field.
-  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2.
+  password: XXXXXXXXXXXXXXXX   # The user's password. The value is hashed with the hash function specified in the next hash field.
+  hash: plain                  # The hash function used to hash the password, which can be plain, md5, sha1, or sha256, or oauth2, or saml.
   groups: [admin]              # A list of groups to which the user belongs, as specified in the groups field.
-  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 field.
+  email: admin@aaa.bbb.jp      # The email address of the user, used when authenticating using the provider specified in the oauth2 or saml field.
 - uid: 101
   name: user01
-  password: XXXXXXXXXXX
+  password: XXXXXXXXXXXXXXXX
   hash: md5
   groups: [user]
   email: user01@aaa.bbb.jp
 - uid: 102
   name: user02
-  password: XXXXXXXXXXX
+  password: XXXXXXXXXXXXXXXX
   hash: sha1
   groups: [readonly]
   email: user02@aaa.bbb.jp
 - uid: 103
   name: user03
-  password: XXXXXXXXXXX
+  password: XXXXXXXXXXXXXXXX
   hash: sha256
   groups: [editor]
   email: user03@aaa.bbb.jp
@@ -327,6 +333,10 @@ cmdrule:                       # A list of command rules, Specify a rule that de
     mode: server
     cmds: [list]
     rule: allow
+  - groups: [user, guest]
+    mode: audit
+    cmds: [write]
+    rule: allow
   - groups: [user, guest]
     mode: web
     cmds: [genpass]
@@ -347,7 +357,8 @@ pathrule:                      # List of RESTAPI rules, rules that determine whe
     rule: allow
   - groups: [user]
     paths: [/signin, /assets, /bbforce_cmd, /copyright, /dosignin, /dosignout, /password/change,
-            /exec_cmd, /exec_pipe, /filer, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
+            /gui/user_data/load, /gui/user_data/save, /gui/user_data/delete,
+            /exec_cmd, /exec_pipe, /filer, /result, /gui, /get_server_opt, /usesignout, /versions_cmdbox, /versions_used]
     rule: allow
   - groups: [readonly]
     paths: [/gui/del_cmd, /gui/del_pipe, /gui/save_cmd, /gui/save_pipe]
@@ -382,7 +393,8 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify Google's OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/google/callback # Specify Google's OAuth2 redirect URI.
       scope: ['email']              # Specify the scope you want to retrieve with Google's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.google_signin
       note:                         # Specify a description such as Google's OAuth2 reference site.
       - https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja#httprest
     github:                         # OAuth2 settings for GitHub.
@@ -391,9 +403,50 @@ oauth2:                             # OAuth2 settings.
       client_secret: XXXXXXXXXXX    # Specify the GitHub OAuth2 client secret.
       redirect_uri: https://localhost:8443/oauth2/github/callback # Specify the OAuth2 redirect URI for GitHub.
       scope: ['user:email']         # Specify the scope you want to get from GitHub's OAuth2. Usually, just reading the email is sufficient.
-      signin_module:                # Specify the module name that implements the sign-in. see, cmdbox.app.signin.SignIn
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.github_signin
       note:                         # Specify a description, such as a reference site for OAuth2 on GitHub.
       - https://docs.github.com/ja/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#scopes
+    azure:                          # OAuth2 settings for Azure AD.
+      enabled: false                # Specify whether to enable OAuth2 for Azure AD.
+      tenant_id: XXXXXXXXXXX        # Specify the tenant ID for Azure AD.
+      client_id: XXXXXXXXXXX        # Specify the OAuth2 client ID for Azure AD.
+      client_secret: XXXXXXXXXXX    # Specify the Azure AD OAuth2 client secret.
+      redirect_uri: https://localhost:8443/oauth2/azure/callback # Specify the OAuth2 redirect URI for Azure AD.
+      scope: ['openid', 'profile', 'email', 'https://graph.microsoft.com/mail.read']
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin
+      note:                         # Specify a description, such as a reference site for Azure AD's OAuth2.
+      - https://learn.microsoft.com/ja-jp/entra/identity-platform/v2-oauth2-auth-code-flow
+saml:                               # SAML settings.
+  providers:                        # This is a per-provider setting for OAuth2.
+    azure:                          # SAML settings for Azure AD.
+      enabled: false                # Specify whether to enable SAML authentication for Azure AD.
+      signin_module:                # Specify the module name that implements the sign-in.
+        cmdbox.app.auth.azure_signin_saml # Specify the python3-saml configuration.
+                                    # see) https://github.com/SAML-Toolkits/python3-saml
+      sp:
+        entityId: https://localhost:8443/
+        assertionConsumerService:
+          url: https://localhost:8443/saml/azure/callback
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        attributeConsumingService: {}
+        singleLogoutService:
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+        x509cert: ''
+        privateKey: ''
+      idp:
+        entityId: https://sts.windows.net/{tenant-id}/
+        singleSignOnService:
+          url: https://login.microsoftonline.com/{tenant-id}/saml2
+          binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        x509cert: XXXXXXXXXXX
+        singleLogoutService: {}
+        certFingerprint: ''
+        certFingerprintAlgorithm: sha1
+
+
 ```
 
 - See the documentation for references to each file.

cmdbox-0.5.4/cmdbox/app/auth/azure_signin.py

@@ -0,0 +1,38 @@
+from cmdbox.app.auth.signin import Signin
+from fastapi import Request, Response
+from typing import Any, Dict
+import requests
+import urllib
+
+
+class AzureSignin(Signin):
+    @classmethod
+    def get_email(cls, data:Any) -> str:
+        user_info_resp = requests.get(
+            url='https://graph.microsoft.com/v1.0/me',
+            #url='https://graph.microsoft.com/v1.0/me/transitiveMemberOf?$Top=999',
+            headers={'Authorization': f'Bearer {data}'}
+        )
+        user_info_resp.raise_for_status()
+        user_info_json = user_info_resp.json()
+        if isinstance(user_info_json, dict):
+            email = user_info_json.get('mail', 'notfound')
+            return email
+        return 'notfound'
+    
+    def request_access_token(self, conf:Dict, req:Request, res:Response) -> str:
+        headers = {'Content-Type': 'application/x-www-form-urlencoded',
+                    'Accept': 'application/json'}
+        data = {'tenant': conf['tenant_id'],
+                'code': req.query_params['code'],
+                'scope': " ".join(conf['scope']),
+                'client_id': conf['client_id'],
+                #'client_secret': conf['client_secret'],
+                'redirect_uri': conf['redirect_uri'],
+                'grant_type': 'authorization_code'}
+        query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
+        # アクセストークン取得
+        token_resp = requests.post(url=f'https://login.microsoftonline.com/{conf["tenant_id"]}/oauth2/v2.0/token', headers=headers, data=query)
+        token_resp.raise_for_status()
+        token_json = token_resp.json()
+        return token_json['access_token']

cmdbox-0.5.4/cmdbox/app/auth/azure_signin_saml.py

@@ -0,0 +1,12 @@
+from cmdbox.app.auth.signin_saml import SigninSAML
+from typing import Any
+
+
+class AzyreSigninSAML(SigninSAML):
+    @classmethod
+    def get_email(cls, data:Any) -> str:
+        user_info_json = data.get_attributes()
+        if isinstance(user_info_json, dict):
+            email = user_info_json.get('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', ['notfound'])
+            return email[0] if len(email) > 0 else 'notfound'
+        return 'notfound'

cmdbox-0.5.4/cmdbox/app/auth/github_signin.py

@@ -0,0 +1,38 @@
+from cmdbox.app.auth.signin import Signin
+from fastapi import Request, Response
+from typing import Any, Dict
+import requests
+import urllib.parse
+
+
+class GithubSignin(Signin):
+    @classmethod
+    def get_email(cls, data:Any) -> str:
+        user_info_resp = requests.get(
+            url='https://api.github.com/user/emails',
+            headers={'Authorization': f'Bearer {data}'}
+        )
+        user_info_resp.raise_for_status()
+        user_info_json = user_info_resp.json()
+        if type(user_info_json) == list:
+            email = 'notfound'
+            for u in user_info_json:
+                if u['primary']:
+                    email = u['email']
+                    break
+            return email
+        return 'notfound'
+
+    def request_access_token(self, conf:Dict, req:Request, res:Response) -> str:
+        headers = {'Content-Type': 'application/x-www-form-urlencoded',
+                    'Accept': 'application/json'}
+        data = {'code': req.query_params['code'],
+                'client_id': conf['client_id'],
+                'client_secret': conf['client_secret'],
+                'redirect_uri': conf['redirect_uri']}
+        query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
+        # アクセストークン取得
+        token_resp = requests.post(url='https://github.com/login/oauth/access_token', headers=headers, data=query)
+        token_resp.raise_for_status()
+        token_json = token_resp.json()
+        return token_json['access_token']

cmdbox-0.5.4/cmdbox/app/auth/google_signin.py

@@ -0,0 +1,32 @@
+from cmdbox.app.auth.signin import Signin
+from fastapi import Request, Response
+from typing import Any, Dict
+import requests
+import urllib.parse
+
+
+class GoogleSignin(Signin):
+    @classmethod
+    def get_email(cls, data:Any) -> str:
+        user_info_resp = requests.get(
+            url='https://www.googleapis.com/oauth2/v1/userinfo',
+            headers={'Authorization': f'Bearer {data}'}
+        )
+        user_info_resp.raise_for_status()
+        user_info_json = user_info_resp.json()
+        return user_info_json['email'] if 'email' in user_info_json else 'notfound'
+
+    def request_access_token(self, conf:Dict, req:Request, res:Response) -> str:
+        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+        next = req.query_params['state']
+        data = {'code': req.query_params['code'],
+                'client_id': conf['client_id'],
+                'client_secret': conf['client_secret'],
+                'redirect_uri': conf['redirect_uri'],
+                'grant_type': 'authorization_code'}
+        query = '&'.join([f'{k}={urllib.parse.quote(v)}' for k, v in data.items()])
+        # アクセストークン取得
+        token_resp = requests.post(url='https://oauth2.googleapis.com/token', headers=headers, data=query)
+        token_resp.raise_for_status()
+        token_json = token_resp.json()
+        return token_json['access_token']

{cmdbox-0.5.3 → cmdbox-0.5.4}/cmdbox/app/auth/signin.py

@@ -27,13 +27,12 @@ class Signin(object):
         """
         return self.signin_file_data
 
-    def jadge(self, access_token:str, email:str) -> Tuple[bool, Dict[str, Any]]:
+    def jadge(self, email:str) -> Tuple[bool, Dict[str, Any]]:
         """
         サインインを成功させるかどうかを判定します。
         返すユーザーデータには、uid, name, email, groups, hash が必要です。
 
         Args:
-            access_token (str): アクセストークン
             email (str): メールアドレス
 
         Returns:
@@ -203,8 +202,8 @@ class Signin(object):
                     raise HTTPException(status_code=500, detail=f'signin_file format error. "password" not found or empty. ({signin_file})')
                 if 'hash' not in user or user['hash'] is None:
                     raise HTTPException(status_code=500, detail=f'signin_file format error. "hash" not found or empty. ({signin_file})')
-                if user['hash'] not in ['oauth2', 'plain', 'md5', 'sha1', 'sha256']:
-                    raise HTTPException(status_code=500, detail=f'signin_file format error. Algorithms not supported. ({signin_file}). hash={user["hash"]} "oauth2", "plain", "md5", "sha1", "sha256" only.')
+                if user['hash'] not in ['oauth2', 'saml', 'plain', 'md5', 'sha1', 'sha256']:
+                    raise HTTPException(status_code=500, detail=f'signin_file format error. Algorithms not supported. ({signin_file}). hash={user["hash"]} "oauth2", "saml", "plain", "md5", "sha1", "sha256" only.')
                 if 'groups' not in user or type(user['groups']) is not list:
                     raise HTTPException(status_code=500, detail=f'signin_file format error. "groups" not found or not list type. ({signin_file})')
                 if len([ug for ug in user['groups'] if ug not in groups]) > 0:
@@ -416,6 +415,24 @@ class Signin(object):
                 raise HTTPException(status_code=500, detail=f'signin_file format error. "scope" not list type in "azure". ({signin_file})')
             if 'signin_module' not in yml['oauth2']['providers']['azure']:
                 raise HTTPException(status_code=500, detail=f'signin_file format error. "signin_module" not found in "azure". ({signin_file})')
+            # samlのフォーマットチェック
+            if 'saml' not in yml:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "saml" not found. ({signin_file})')
+            if 'providers' not in yml['saml']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "providers" not found in "saml". ({signin_file})')
+            # azure
+            if 'azure' not in yml['saml']['providers']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "azure" not found in "providers". ({signin_file})')
+            if 'enabled' not in yml['saml']['providers']['azure']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not found in "azure". ({signin_file})')
+            if type(yml['saml']['providers']['azure']['enabled']) is not bool:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "enabled" not bool type in "azure". ({signin_file})')
+            if 'signin_module' not in yml['saml']['providers']['azure']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "signin_module" not found in "azure". ({signin_file})')
+            if 'sp' not in yml['saml']['providers']['azure']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "sp" not found in "azure". ({signin_file})')
+            if 'idp' not in yml['saml']['providers']['azure']:
+                raise HTTPException(status_code=500, detail=f'signin_file format error. "idp" not found in "azure". ({signin_file})')
             # フォーマットチェックOK
             return yml
 
@@ -632,3 +649,29 @@ class Signin(object):
             return False, f"Password policy error. not_contain_username=True"
         self.logger.info(f"Password policy OK.")
         return True, "Password policy OK."
+
+    def request_access_token(self, conf:Dict, req:Request, res:Response) -> str:
+        """
+        アクセストークンを取得します
+
+        Args:
+            conf (Dict): サインインモジュールの設定
+            req (Request): リクエスト
+            res (Response): レスポンス
+
+        Returns:
+            str: アクセストークン
+        """
+        raise NotImplementedError("request_access_token() is not implemented.")
+
+    def get_email(self, data:Any) -> str:
+        """
+        アクセストークンからメールアドレスを取得します
+
+        Args:
+            data (str): アクセストークン又は属性データ
+
+        Returns:
+            str: メールアドレス
+        """
+        return self.__class__.get_email(data)

cmdbox-0.5.4/cmdbox/app/auth/signin_saml.py

@@ -0,0 +1,61 @@
+from cmdbox.app.auth.signin import Signin
+from fastapi import Request, Response
+from typing import Any, Dict, Tuple
+import copy
+import logging
+
+
+class SigninSAML(Signin):
+
+    def jadge(self, email:str) -> Tuple[bool, Dict[str, Any]]:
+        """
+        サインインを成功させるかどうかを判定します。
+        返すユーザーデータには、uid, name, email, groups, hash が必要です。
+
+        Args:
+            email (str): メールアドレス
+
+        Returns:
+            Tuple[bool, Dict[str, Any]]: (成功かどうか, ユーザーデータ)
+        """
+        copy_signin_data = copy.deepcopy(self.signin_file_data)
+        users = [u for u in copy_signin_data['users'] if u['email'] == email and u['hash'] == 'saml']
+        return len(users) > 0, users[0] if len(users) > 0 else None
+
+    async def make_saml(self, prov:str, next:str, form_data:Dict[str, Any], req:Request, res:Response) -> Any:
+        """
+        SAML認証のリダイレクトURLを取得する
+        Args:
+            prov (str): プロバイダ名
+            next (str): リダイレクト先のURL
+            req (Request): リクエスト
+            res (Response): レスポンス
+        Returns:
+            OneLogin_Saml2_Auth: SAML認証オブジェクト
+        """
+        sd = self.get_data()
+        saml_settings = dict(
+            strict=False,
+            debug=self.logger.level==logging.DEBUG,
+            idp=sd['saml']['providers'][prov]['idp'],
+            sp=sd['saml']['providers'][prov]['sp'])
+        # SAML認証のリダイレクトURLを取得
+        request_data = dict(
+            https='on' if req.url.scheme=='https' else 'off',
+            http_host=req.client.host,
+            server_port=req.url.port,
+            script_name=f'{req.url.path}?next={next}',
+            post_data=dict(),
+            get_data=dict(),
+        )
+        if (req.query_params):
+            request_data["get_data"] = req.query_params,
+        if "SAMLResponse" in form_data:
+            SAMLResponse = form_data["SAMLResponse"]
+            request_data["post_data"]["SAMLResponse"] = SAMLResponse
+        if "RelayState" in form_data:
+            RelayState = form_data["RelayState"]
+            request_data["post_data"]["RelayState"] = RelayState
+        from onelogin.saml2.auth import OneLogin_Saml2_Auth
+        auth = OneLogin_Saml2_Auth(request_data=request_data, old_settings=saml_settings)
+        return auth