Website : customer workflow #10

New Issue

realaravinth · 2022-03-15T04:49:24Z

realaravinth commented

2022-03-15 04:49:24 +00:00

(Migrated from git.batsense.net)

Priority levels:

@dachary: priority 1
@realaravinth: priority 2

Resources:

Gitea's OAuth2.0 docs

Priority levels: - @dachary: priority 1 - @realaravinth: priority 2 ## Resources: - [Gitea's OAuth2.0 docs](https://docs.gitea.io/en-us/oauth2-provider/)

realaravinth self-assigned this 2022-04-27 09:50:04 +00:00

realaravinth added spent time 2022-04-28 14:07:15 +00:00

5h 30min

realaravinth commented

2022-04-28 14:07:16 +00:00

Hostea/dashboard(not accounted for in time logged; mostly copied Hostea/payments) is bootstrapped for this purpose.

Tasks accomplished

Evaluated OpenID Connect(OIDC) provider Python libraries with Django compatibility for providing basic, Hostea-wide SSO:
i. django-odic-provider
- Lacks maintenance
- Supports very old Django releases(2.0 while latest Django release and the one used by Hostea/dashboard is 4.x)
ii. Authlib
- Lacks documentation
Test-drove Keycloak:
i. Deployed a local instance via Docker
ii. Configured an application for OIDC login and integrated with keycloak-provided demo app to evaluate user experience
iii. Tried to integrate with Gitea but wasn't successful. Task is unimportant, but will come back to it if Gitea/any Hostea software integration with Hostea/dashboard

I made the decision to roll out a custom OIDC provider implementation so spent time reading the OIDC Core specification. I'm half-way through and worst-case scenario, I should be done with it by Sunday.

[Hostea/dashboard](https://gitea.hostea.org/Hostea/dashboard)(not accounted for in time logged; mostly copied Hostea/payments) is bootstrapped for this purpose. ## Tasks accomplished 1. Evaluated OpenID Connect(OIDC) provider Python libraries with Django compatibility for providing basic, Hostea-wide SSO: i. [django-odic-provider](https://django-oidc-provider.readthedocs.io/en/latest/index.html) - Lacks maintenance - Supports very old Django releases(2.0 while latest Django release and the one used by Hostea/dashboard is 4.x) ii. [Authlib](https://docs.authlib.org/en/latest/index.html) - Lacks documentation 2. Test-drove [Keycloak](https://keycloak.org): i. Deployed a local instance via Docker ii. Configured an application for OIDC login and integrated with [keycloak-provided demo app](https://www.keycloak.org/app/) to evaluate user experience iii. Tried to integrate with Gitea but wasn't successful. Task is unimportant, but will come back to it if Gitea/any Hostea software integration with Hostea/dashboard I made the decision to roll out a custom OIDC provider implementation so spent time reading the [OIDC Core specification](https://openid.net/specs/openid-connect-core-1_0.html). I'm half-way through and worst-case scenario, I should be done with it by Sunday.

👍 1

dachary commented

2022-04-28 14:44:38 +00:00

s/django-odic-provider/django-oidc-provider/

😆 1

realaravinth commented

2022-04-29 13:59:52 +00:00

OIDC Core Specification was heavily referring to validation mechanisms detailed in the OAuth 2.0 specification(RFC 6749) so I read it to familiarize myself with the OAuth 2.0.

Summary

OAuth 2.0 offers four mechanisms to receive authorization:

1. Authorization Code Grant:

i. client server requests the user for consent via the authorization server(OAuth server/Hostea dashboard). ii. If user consents, authorization server will redirect the user with the authorization code encoded in URI parameters
iii. The client server uses this code to get the access token.
The access token is the secret that gives access to the user's resources on the OAuth server.

Conclusions

i. Secure since access token isn't present in URI parameter
ii. Suitable for Hostea since Hostea has server components.

2. Implicit Grant:

Same as Authorization Code Grant but differs by returning access token directly upon receiving user's consent.
Designed to accommodate browser-only clients, where redirection with authorization grant and getting access token using it introduces unnecessary delay

Conclusions

Hostea doesn't have browser-only components
Insecure, in context of Hostea's needs

3. Resource Owner Password Credentials Grant

Instead of redirecting to OAuth server for user's consent, the user's credentials are sent as an implicit display of consent.
Meant to be used by clients running in high-trust environments like native clients on OSes

Conclusions

Insecure for Hostea's setting

4. Client credentials grant

Client has credentials registered with the OAuth server, uses it to receive access token.
Should only be used when the client is also the resource owner. In Hostea's setting, the client would be Hostea/payments, gitea.hostea.org, etc. services so not suitable for Hostea

Decisions

For the MVP, I only plan to support Authorization code grant flow.

Interestingly, the authorization flows have parallels in OpenID connect where there are three authentication flows:

Authorization Code Flow
Implicit Flow
Hybrid Flow

Please see "OpenID Connect Authentication flow" table for comparisons.

Yesterday, I made the decision to only implement support for Authorization Code Flow for the MVP and conveniently, implementing OAuth's Authorization code grant flow will allow us to do just that! :)

[OIDC Core Specification](https://openid.net/specs/openid-connect-core-1_0.html) was heavily referring to validation mechanisms detailed in the OAuth 2.0 specification(RFC 6749) so I read it to familiarize myself with the OAuth 2.0. ## Summary OAuth 2.0 offers four mechanisms to receive authorization: ### 1. [Authorization Code Grant](https://www.ietf.org/rfc/rfc6749.html#section-4.1): i. client server requests the user for consent via the authorization server(OAuth server/Hostea dashboard). ii. If user consents, authorization server will redirect the user with the authorization code encoded in URI parameters iii. The client server uses this code to get the access token. The access token is the secret that gives access to the user's resources on the OAuth server. #### Conclusions i. Secure since access token isn't present in URI parameter ii. Suitable for Hostea since Hostea has server components. ### 2. [Implicit Grant](https://www.ietf.org/rfc/rfc6749.html#section-4.2): - Same as Authorization Code Grant but differs by returning access token directly upon receiving user's consent. - Designed to accommodate browser-only clients, where redirection with authorization grant and getting access token using it introduces unnecessary delay #### Conclusions - Hostea doesn't have browser-only components - Insecure, in context of Hostea's needs ### 3. [Resource Owner Password Credentials Grant](https://www.ietf.org/rfc/rfc6749.html#section-4.3) - Instead of redirecting to OAuth server for user's consent, the user's credentials are sent as an implicit display of consent. - Meant to be used by clients running in high-trust environments like native clients on OSes #### Conclusions - Insecure for Hostea's setting ### 4. [Client credentials grant](https://www.ietf.org/rfc/rfc6749.html#section-4.4) - Client has credentials registered with the OAuth server, uses it to receive access token. - Should only be used when the client is also the resource owner. In Hostea's setting, the client would be Hostea/payments, gitea.hostea.org, etc. services so not suitable for Hostea ## Decisions **For the MVP, I only plan to support Authorization code grant flow.** Interestingly, the authorization flows have parallels in OpenID connect where there are three authentication flows: 1. Authorization Code Flow 2. Implicit Flow 3. Hybrid Flow > Please see ["OpenID Connect Authentication flow" table](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) for comparisons. Yesterday, I made the decision to only implement support for Authorization Code Flow for the MVP and conveniently, implementing OAuth's Authorization code grant flow will allow us to do just that! :)

👍 1

realaravinth added spent time 2022-04-29 14:00:17 +00:00

3h 30min

realaravinth commented

2022-04-30 07:43:49 +00:00

I read two OAuth-related RFCs today. OAuth and to some extent, even OIDC core is incomplete for our use cases, so I plan to work my way through OAuth-related and OIDC-related RFCs listed here over the weekend to gain a reasonably complete picture of how things work.

RFC 6750: OAuth 2.0 Bearer Token Usage

Bearer token is used as an opaque secret to authenticate a
client/relying party to a resource server. Using it requires no
additional proof-of-possession.

Summary

RFC 6750 lists three methods of transmitting bearer tokens in requests
to resource servers

Authorization Request Header Field

Transmit base64 encoded bearer token in Authorization header of the
request.
Support: MUST

Form-Encoded Body Parameter

Transmit in application/x-www-form-urlencoded request body with the access_token parameter. There are some conditions associated with it, which are mentioned in the linked section but not going into detail as they are irrelevant for the MVP.
Support: MAY

URI Query Parameter

Transmit in URI Query parameter with the access_token parameter
Not recommended for security reasons: URI will be logged by proxies, compromising secrecy of the access token
Support: MAY

Threat Mitigation

Use digital signature or Message Authentication Code(MAC) or opaque tokens containing references to authorization information rather than encoding information directly.
Bearer tokens MUST NOT be stored in cookies as they are typically transmitted in the clear
replay attack mitigation: limit lifetime(1 hour or less is recommended by the RFC).

RFC 7636: Proof Key for Code Exchange by OAuth Public Clients

An attacker can intercept authorization code issued to public clients and exchange it to gain access tokens.

PKCE is irrelevant for July MVP since all our OAuth clients will be running on trusted environments but the RFC seemed interesting so 🤷‍♂️

Attack scenario

Public clients like native applications request authorization code via browser and register redirection URI with custom schemes for call back purposes.
The malicious app could, in addition to the legitimate app, register itself as a handler for said scheme and intercept authorization code call backs.
The authorization code returned post user consent may be intercepted by malicious app and exchanged for access token

The RFC lists a long set of pre-conditions that will have to be met for the attack to be successful. Though long and specific, the RFC says this type of attack has been observed in the wild.

Mitigation

This extension uses a one-time cryptographic key sent over TLS with the authorization request for code proof-of-procession verification.

Client generates and stores secret called code_verifier and derives t(code_verifier) = code_challenge from it and sends it with authorization request
Authorization server returns authorization code and stores code_challenge and transformation method(example: SHA256)
Client sends authorization code in access token request and as usual but also includes code_verifier secret generated at step 1.
Authorization server performs transformation on code_verifier with the recorded method in step 2 and compares it with code_challenge. If they match, then proof-of-procession is verified.

Attacker that intercepts callbacks is unaware of code_verifier secret so they won't be able to send access token request

Conclusions

As stated in the entry remark, PKCE is not in the scope of July MVP but implementing support post-MVP is strongly recommended.

I read two OAuth-related RFCs today. OAuth and to some extent, even OIDC core is incomplete for our use cases, so I plan to work my way through OAuth-related and OIDC-related RFCs listed [here](https://www.oauth.com/oauth2-servers/map-oauth-2-0-specs/) over the weekend to gain a reasonably complete picture of how things work. ## RFC 6750: OAuth 2.0 Bearer Token Usage Bearer token is used as an opaque secret to authenticate a client/relying party to a resource server. Using it requires no additional proof-of-possession. ### Summary RFC 6750 lists three methods of transmitting bearer tokens in requests to resource servers 1. [Authorization Request Header Field](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1) - Transmit base64 encoded bearer token in `Authorization` header of the request. - **Support: MUST** 2. Form-Encoded Body Parameter - Transmit in `application/x-www-form-urlencoded` request body with the `access_token` parameter. There are some conditions associated with it, which are mentioned in the [linked section](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1) but not going into detail as they are irrelevant for the MVP. - **Support: MAY** 3. [URI Query Parameter](https://datatracker.ietf.org/doc/html/rfc6750#section-2.3) - Transmit in URI Query parameter with the `access_token` parameter - **Not recommended for security reasons: URI will be logged by proxies, compromising secrecy of the access token** - **Support: MAY** ### Threat Mitigation - Use digital signature or Message Authentication Code(MAC) or opaque tokens containing references to authorization information rather than encoding information directly. - **Bearer tokens MUST NOT be stored in cookies as they are typically transmitted in the clear** - replay attack mitigation: limit lifetime(1 hour or less is recommended by the RFC). ## RFC 7636: Proof Key for Code Exchange by OAuth Public Clients An attacker can intercept authorization code issued to public clients and exchange it to gain access tokens. > PKCE is irrelevant for July MVP since all our OAuth clients will be running on trusted environments but the RFC seemed interesting so 🤷‍♂️ ### Attack scenario - Public clients like native applications request `authorization code` via browser and register redirection URI with custom schemes for call back purposes. - The malicious app could, in addition to the legitimate app, register itself as a handler for said scheme and intercept `authorization code` call backs. - The `authorization code` returned post user consent may be intercepted by malicious app and exchanged for `access token` The RFC lists a long set of pre-conditions that will have to be met for the attack to be successful. Though long and specific, the RFC says this type of attack has been observed in the wild. ### Mitigation This extension uses a one-time cryptographic key sent over TLS with the authorization request for code proof-of-procession verification. 1. Client generates and stores secret called `code_verifier` and derives `t(code_verifier) = code_challenge` from it and sends it with authorization request 2. Authorization server returns `authorization code` and stores `code_challenge` and transformation method(example: `SHA256`) 3. Client sends `authorization code` in `access token request` and as usual but also includes `code_verifier` secret generated at step 1. 4. Authorization server performs transformation on `code_verifier` with the recorded method in step 2 and compares it with `code_challenge`. If they match, then proof-of-procession is verified. Attacker that intercepts callbacks is unaware of `code_verifier` secret so they won't be able to send access `token request` ### Conclusions As stated in the entry remark, PKCE is not in the scope of July MVP but implementing support post-MVP is strongly recommended.

👍 1

realaravinth added spent time 2022-04-30 07:44:06 +00:00

3h

realaravinth commented

2022-05-06 10:53:07 +00:00

I couldn't log my time during the weekend(went on a holiday) but here are the RFCs that I read during that time:

RFC 7009: OAuth 2.0 Token Revocation

Relying parties(all services dependent on the Hostea/dashboard SSO) should revoke unused tokens(refresh, access, etc.) for security reasons. Scenarios that warrant token revocation:

User initiates a password reset
User logs out
User deletes account/uninstalls program(the Hostea equivalent is opting out of a service?)

This RFC describes the request and response and schemas for token revocation but doesn't say anything about the location of the revocation endpoint(recommends documenting it in the service documentation)

Example request

POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token

Optionally recommends a token_type_hint in the revocation request payload for optimizing database lookups. The RFC also warns that the endpoint can be a source of DOS attacks so recommends the usage of this parameter. When token_type_hint is absent in request, the RFC recommends searching for a match against all issued tokens are revoking successful matches. If all token types(in Hostea's context: refresh and access tokens) share the same namespace, then only one match will be yielded when the token_type_hint is not present and so all token types must be searched and matches revoked.
May optionally support CORS for the benefit of user-agent(example: browser) based relying parties.

Security recommendations

Requires(MUST) TLS fore revocation endpoint but if HTTP support is present/client accidentally transmits revocation request(request contains access token), then the authorization server MUST process request and revoke the token.
Where relevant, all related tokens must be revoked too. For instance, an access token revocation might, depending on the authorization server's revocation policy, warrant revoking the corresponding refresh token too.

Conclusions

There are two ways to implement tokens: digital signature or Message Authentication Code(MAC) and opaque tokens. Revoking MAC tokens would require the authorization server to either store a list of blacklisted/revoked tokens and check token-authenticated request against it or rotate the key that signed produced MAC. The blacklist approach does away with the advantage of using MAC --- avoiding database lookups for authentication. And the key rotation is impractical at scale. Therefore, the opaque approach, though costly, is the feasible on.

RFC 7662: Auth 2.0 Token Introspection

Token introspection standards to query token metadata by authenticated parties(token audience, etc.).

Example introspection request:

POST /introspect HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=mF_9.B5f-4.1JqM&token_type_hint=access_token

Example response

HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true,
"client_id": "l238j323ds-23ij4",
"username": "jdoe",
"scope": "read write dolphin",
"sub": "Z5O3upPC88QrAjx00dis",
"aud": "https://protected.example.net/resource",
"iss": "https://server.example.com/",
"exp": 1419356238,
"iat": 1419350238,
"extension_field": "twenty-seven"
}

Client ID and secret are used for authentication

All introspection requests must be authenticated and use HTTP POST request to avoid token leakage in server/proxy logs.
Introspection endpoint location is out of scope, should document it in service documentation.
Response: Only active status of the recommended metadata is mandatory. For full list kindly see here.
Introspection requests may be expensive so the endpoint must be protected and/or rate limited.
May use caching, but cache lifetime must be lower than token's expiry. Cache lifetime determination is left to the implementor.

Other RFCs/documents

I also had a cursory glance of OAuth 2.0 Security Best Current Practice (Security BCP) and Threat Model and Security Considerations (RFC 6819). They document implicit suggestions by RFC6749(OAuth 2.0 core) and other extensions or assumptions that one would make to secure their OAuth implementation, so there's nothing unique to report. I will, however, use those documents as a checklist to audit our implementation every step of the way.

Game plan

I'm currently reading JWT (RFC7519) and Dynamic Client Registration (RFC 7591) and I have the following in my reading list:

Dynamic Client Management (RFC 7592)
Authorization Server Metadata (RFC 8414)
IndieAuth

And if time permits, I will read the OpenID Connect optional specifications listed here. But this will be async and not blocking progress as it is the situation right now.

I couldn't log my time during the weekend(went on a holiday) but here are the RFCs that I read during that time: ## [RFC 7009: OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009) Relying parties(all services dependent on the Hostea/dashboard SSO) should revoke unused tokens(refresh, access, etc.) for security reasons. Scenarios that warrant token revocation: - User initiates a password reset - User logs out - User deletes account/uninstalls program(the Hostea equivalent is opting out of a service?) This RFC describes the request and response and schemas for token revocation but doesn't say anything about the location of the revocation endpoint(recommends documenting it in the service documentation) ### Example request ``` POST /revoke HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token ``` - Optionally recommends a `token_type_hint` in the revocation request payload for optimizing database lookups. The RFC also warns that the endpoint can be a source of DOS attacks so recommends the usage of this parameter. When `token_type_hint` is absent in request, the RFC recommends searching for a match against all issued tokens are revoking successful matches. If all token types(in Hostea's context: refresh and access tokens) share the same namespace, then only one match will be yielded when the `token_type_hint` is not present and so all token types must be searched and matches revoked. - May optionally support CORS for the benefit of user-agent(example: browser) based relying parties. ### Security recommendations - Requires(MUST) TLS fore revocation endpoint but if HTTP support is present/client accidentally transmits revocation request(request contains access token), then the authorization server MUST process request and revoke the token. - Where relevant, all related tokens must be revoked too. For instance, an access token revocation might, depending on the authorization server's revocation policy, warrant revoking the corresponding refresh token too. ## Conclusions There are two ways to implement tokens: digital signature or Message Authentication Code(MAC) and opaque tokens. Revoking MAC tokens would require the authorization server to either store a list of blacklisted/revoked tokens and check token-authenticated request against it or rotate the key that signed produced MAC. The blacklist approach does away with the advantage of using MAC --- avoiding database lookups for authentication. And the key rotation is impractical at scale. Therefore, the opaque approach, though costly, is the feasible on. ## [RFC 7662: Auth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) Token introspection standards to query token metadata by authenticated parties(token audience, etc.). ### Example introspection request: ``` POST /introspect HTTP/1.1 Host: server.example.com Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=mF_9.B5f-4.1JqM&token_type_hint=access_token ``` ### Example response ``` HTTP/1.1 200 OK Content-Type: application/json { "active": true, "client_id": "l238j323ds-23ij4", "username": "jdoe", "scope": "read write dolphin", "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/", "exp": 1419356238, "iat": 1419350238, "extension_field": "twenty-seven" } ``` Client ID and secret are used for authentication - All introspection requests must be authenticated and use HTTP POST request to avoid token leakage in server/proxy logs. - Introspection endpoint location is out of scope, should document it in service documentation. - Response: Only `active` status of the recommended metadata is mandatory. For full list kindly see [here](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). - Introspection requests may be expensive so the endpoint must be protected and/or rate limited. - May use caching, but cache lifetime must be lower than token's expiry. Cache lifetime determination is left to the implementor. ## Other RFCs/documents I also had a cursory glance of [OAuth 2.0 Security Best Current Practice (Security BCP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) and [Threat Model and Security Considerations (RFC 6819)](https://datatracker.ietf.org/doc/html/rfc6819). They document implicit suggestions by RFC6749(OAuth 2.0 core) and other extensions or assumptions that one would make to secure their OAuth implementation, so there's nothing unique to report. I will, however, use those documents as a checklist to audit our implementation every step of the way. ## Game plan I'm currently reading JWT (RFC7519) and Dynamic Client Registration (RFC 7591) and I have the following in my reading list: - Dynamic Client Management (RFC 7592) - Authorization Server Metadata (RFC 8414) - IndieAuth And if time permits, I will read the OpenID Connect optional specifications listed [here](https://openid.net/connect/). But this will be async and not blocking progress as it is the situation right now.

realaravinth added spent time 2022-05-06 10:53:27 +00:00

5h

realaravinth commented

2022-06-06 05:32:37 +00:00

Log

Bootstrapped OIDC Client registration: 9c5f4d, d3eb1, 152603
Docs: README(761e3b) and HACKING instructions(43d60e)

Unfortunately(or maybe fortunately?) all this code is going drown the drain:

I was looking up information on implementing basic and bearer token authentication, since the default Django authentication uses cookie based sessions which is not ergonomic for programmatic access. I landed on the Django REST framework page for authentication, which contained a link to Django OAuth toolkit(BSD 3-Clause). Django OAuth toolkit implements OIDC and looks alive(last commit was from two days ago).

I will investigate and evaluate django-oauth-toolkit feasibility for use in Hostea software.

## Log - Bootstrapped OIDC Client registration: [`9c5f4d`](https://gitea.hostea.org/Hostea/dashboard/commit/2ed3786fad39f46a0cb0a5f67702d608e398c50b), [`d3eb1`](https://gitea.hostea.org/Hostea/dashboard/commit/d3eb1cf688a35e40ea860c6f32960ddcbd98797f), [`152603`](https://gitea.hostea.org/Hostea/dashboard/commit/152603cf9de4cfd643ce3a3ada67cfe81f2dcc86) - Docs: README([`761e3b`](https://gitea.hostea.org/Hostea/dashboard/commit/761e3beed9c3dd455955b9cfa2081a1906c49f66)) and HACKING instructions([`43d60e`](https://gitea.hostea.org/Hostea/dashboard/commit/43d60e076517349a61f4d03e8864e9243386aeb7)) Unfortunately(or maybe fortunately?) all this code is going drown the drain: I was looking up information on implementing basic and bearer token authentication, since the default Django authentication uses cookie based sessions which is not ergonomic for programmatic access. I landed on the [Django REST framework page for authentication](https://www.django-rest-framework.org/api-guide/authentication/#authentication), which contained a link to [Django OAuth toolkit](https://django-oauth-toolkit.readthedocs.io/en/latest/index.html)(BSD 3-Clause). Django OAuth toolkit [implements OIDC](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html) and looks alive(last commit was from two days ago). I will investigate and evaluate `django-oauth-toolkit` feasibility for use in Hostea software.

👍 1

realaravinth added spent time 2022-06-06 05:33:00 +00:00

2h

realaravinth commented

2022-06-07 14:05:46 +00:00

start: 11:00 IST, end: 19:30 IST(should start using in-built timer)

Tasks

OAuth2 setup

Setup dummy OAuth2 application with a bunch of scripts and manual browser link clicking
Configured django-oauth-toolkit within a django project to OAuth2 provider capabilities
(Manually)Verified OAuth2 workflow implemented within django-oauth-toolkit
Configured OAuth2 authenticated access to protected resources in the django project

OIDC provider

Modified django-oauth-toolkit configuration to enable OIDC capabilities
django-oauth-toolkit by default enforces PKCE(RFC 7636, notes) but Gitea in client/Relying Party mode doesn't do PKCE since it is a confidential client and so not required. So disabled PKCE on django-oauth-toolkit globally. Ideally, I wish this were a per-application basis PKCE configuration. The library supports multiple client types, so not enforcing PKCE on confidential clients would be nice.
Configured Gitea to use OIDC via the web interface:
i) OIDC configuration was a little weird:
In Site Administration> Add Authentication Source select "OAuth2" for "Authentication Type" and under "OAuth2 Provider" select "OpenID Connect".
By default, selcting "OAuth2" for "Authentication Type" shows popular third-party SSO providers like GitHub, Google, Discord, etc and OIDC is hidden deep in the menu. Unintuitive. Wasted ~20 minutes.

ii) Gitea's redirection URI(required when configuring app on django-oauth-toolkit) is http://gitea.example.org/user/oauth2//callback where authentication name is a field in "Add Authentication Source" form

iii) django-oauth-toolkit requires scope to be set to openid. If scope unspecified, request will be treated as regular OAuth2 request.
Gitea OIDC integration was partially successful, the following things worked out of the box:
i) OIDC service auto-discovery
ii) Authorization and subsequent authorization code grant generation

But access token generation fails with: json { "error": "invalid_client" }

I tried identifying the cause fist on Gitea's side, which took through multiple interfaces and then to gothic, this SSO library that Gitea uses. Everything checked out fine. And then I tried doing the same on django-oauth-toolkit's side and the same process ensued: multiple interfaces and then to the OAuth dependency it uses.

I faced similar issues with plain OAuth2 trials({"error": "invalid_grant"} due to no support for PKCE on client side) so I believe django-oauth-toolkit is expecting something that Gitea isn't providing.

Tomorrow I will intercept Gitea's request payload and try to compare it with django-oauth-toolkit's expected payload.

If I'm able to figure out how to get the library working with Gitea, we'll have zero-code SSO via Hostea/dashbaord 🙃

> start: 11:00 IST, end: 19:30 IST(should start using in-built timer) ## Tasks ### OAuth2 setup 1. Setup dummy OAuth2 application with a bunch of scripts and manual browser link clicking 2. Configured `django-oauth-toolkit` within a django project to OAuth2 provider capabilities 3. (Manually)Verified OAuth2 workflow implemented within `django-oauth-toolkit` 4. Configured OAuth2 authenticated access to protected resources in the django project ### OIDC provider 1. Modified `django-oauth-toolkit` configuration to enable OIDC capabilities 2. `django-oauth-toolkit` by default enforces PKCE(RFC 7636, [notes](https://gitea.hostea.org/Hostea/july-mvp/issues/10#issuecomment-317)) but Gitea in client/Relying Party mode doesn't do PKCE since it is a confidential client and so not required. So disabled PKCE on `django-oauth-toolkit` globally. Ideally, I wish this were a per-application basis PKCE configuration. The library supports multiple client types, so not enforcing PKCE on confidential clients would be nice. 3. Configured Gitea to use OIDC via the web interface: i) OIDC configuration was a little weird: In Site Administration> Add Authentication Source select "OAuth2" for "Authentication Type" and under "OAuth2 Provider" select "OpenID Connect". By default, selcting "OAuth2" for "Authentication Type" shows popular third-party SSO providers like GitHub, Google, Discord, etc and OIDC is hidden deep in the menu. Unintuitive. Wasted ~20 minutes. ii) Gitea's redirection URI(required when configuring app on `django-oauth-toolkit`) is http://gitea.example.org/user/oauth2/<authentication-name>/callback where authentication name is a field in "Add Authentication Source" form iii) `django-oauth-toolkit` requires scope to be set to `openid`. If scope unspecified, request will be treated as regular OAuth2 request. 4. Gitea OIDC integration was partially successful, the following things worked out of the box: i) OIDC service auto-discovery ii) Authorization and subsequent authorization code grant generation But access token generation fails with: `json { "error": "invalid_client" } ` I tried identifying the cause fist on Gitea's side, which took through multiple interfaces and then to [gothic](https://github.com/markbates/goth/), this SSO library that Gitea uses. Everything checked out fine. And then I tried doing the same on `django-oauth-toolkit`'s side and the same process ensued: multiple interfaces and then to the OAuth dependency it uses. I faced similar issues with plain OAuth2 trials(`{"error": "invalid_grant"}` due to no support for PKCE on client side) so I believe `django-oauth-toolkit` is expecting something that Gitea isn't providing. Tomorrow I will intercept Gitea's request payload and try to compare it with `django-oauth-toolkit`'s expected payload. If I'm able to figure out how to get the library working with Gitea, we'll have zero-code SSO via Hostea/dashbaord 🙃

👍 1

realaravinth added spent time 2022-06-07 14:11:36 +00:00

8h 30min

realaravinth commented

2022-06-08 14:55:26 +00:00

OIDC SSO is ready and working 🎉

Long story

django-oauth-toolkit offers OIDC with with two cryptographic options:

RSA + SHA2 256
symmetric key HMAC + SHA2 256

The difference between the options is available in the docs.

I couldn't get RSA + SHA2 256 working yesterday, so as mentioned I wrote a simple HTTP server to intercept all Gitea communications with the OIDC provider to figure out why OIDC integration with Gitea was failing. Everything from Gitea's side checked out so I switched to the symmetric key HMAC + SHA2 256 to see if it was working. And it did! :)

In Hostea's context, we could get by with symmetric key HMAC + SHA2 256 since all our clients/relying parties will be running in trusted environments.

Currently, to add an application to django-oauth-toolkit, one has to interact with the forms it exposes, which is not ergonomic for automation. I will create APIs to enable programmatic interaction with django-oauth-toolking, which, I think, will be the only customisation that Hostea will be making.

OIDC SSO is ready and working :tada: ![image](/attachments/d230918b-67c1-432d-9df1-51d0d2033e5f) ## Long story `django-oauth-toolkit` offers OIDC with with two cryptographic options: 1) RSA + SHA2 256 2) symmetric key HMAC + SHA2 256 The difference between the options is [available in the docs](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#openid-connect-support). I couldn't get `RSA + SHA2 256` working yesterday, so as mentioned I wrote a simple HTTP server to intercept all Gitea communications with the OIDC provider to figure out why OIDC integration with Gitea was failing. Everything from Gitea's side checked out so I switched to the `symmetric key HMAC + SHA2 256` to see if it was working. And it did! :) In Hostea's context, we could get by with `symmetric key HMAC + SHA2 256` since all our clients/relying parties will be running in trusted environments. Currently, to add an application to `django-oauth-toolkit`, one has to interact with the forms it exposes, which is not ergonomic for automation. I will create APIs to enable programmatic interaction with `django-oauth-toolking`, which, I think, will be the only customisation that Hostea will be making.

image.png

38 KiB

🚀 1

realaravinth added spent time 2022-06-08 14:55:40 +00:00

4h

dachary commented

2022-06-08 15:13:13 +00:00

Good sleuth work 👍

😆 1

realaravinth started working 2022-06-10 09:40:27 +00:00

realaravinth stopped working 2022-06-10 11:55:17 +00:00

2h 14min 50s

realaravinth commented

2022-06-10 12:00:50 +00:00

Tasks accomplished

frontend is bootstrapped #344ffa
login view with pre-login URL redirection
deleted oauth app; will setup django-oauth-toolkit in subsequent commits
investigated django support for i18ln: first class support via Python's gettext but I've decided i18ln to be a non-MVP goal as I'm not familiar with the DSL that gettext uses. Also, will have to setup weblate to see how integration is possible so will get back to it post-MVP.

## Tasks accomplished - frontend is bootstrapped [#344ffa](https://gitea.hostea.org/Hostea/dashboard/commit/344ffaa4b8867fe96badf48c50236a74c2a0c48f) - login view with pre-login URL redirection - deleted oauth app; will setup `django-oauth-toolkit` in subsequent commits - investigated django support for i18ln: [first class support](https://docs.djangoproject.com/en/4.0/topics/i18n/translation/) via Python's gettext but I've decided i18ln to be a non-MVP goal as I'm not familiar with the DSL that gettext uses. Also, will have to setup weblate to see how integration is possible so will get back to it post-MVP. ![image](/attachments/f320fa35-33a0-4615-9c00-b800762f333a)

image.png

88 KiB

🚀 1

realaravinth started working 2022-06-10 12:28:02 +00:00

dachary commented

2022-06-10 12:38:13 +00:00

l10n can be done post MVP, this is sensible. Enough has a weblate playbook and that can be integrated with the CI so the gettext binary files are updated on a regular basis.

👍 1

realaravinth commented

2022-06-10 17:38:58 +00:00

Tasks

Registration templates and views
Docs: instructions to setup local SMTP server
Configure CI to run test SMTP server
Registration with email verification and resend verification email functionality
Registration tests

## Tasks - Registration templates and views - Docs: instructions to setup local SMTP server - Configure CI to run test SMTP server - Registration with email verification and resend verification email functionality - Registration tests

realaravinth stopped working 2022-06-10 17:39:08 +00:00

5h 11min 6s

realaravinth started working 2022-06-11 10:37:00 +00:00

realaravinth stopped working 2022-06-11 13:11:43 +00:00

2h 34min 43s

realaravinth commented

2022-06-11 13:18:58 +00:00

Tasks

Added management command(commands available via python manage.py to clear unverified users that exceed a configurable tolerance period
bother @dachary about the Hostea revenue sharing model 🤪

## Tasks - Added management command(commands available via `python manage.py` to clear unverified users that exceed a configurable tolerance period - bother @dachary about the Hostea revenue sharing model 🤪

😆 1

realaravinth started working 2022-06-17 08:38:37 +00:00

realaravinth stopped working 2022-06-17 12:46:28 +00:00

4h 7min 51s

realaravinth started working 2022-06-17 13:33:02 +00:00

realaravinth stopped working 2022-06-17 15:13:32 +00:00

1h 40min 30s

realaravinth started working 2022-06-17 16:17:56 +00:00

realaravinth commented

2022-06-17 18:30:09 +00:00

Tasks:

Bootstraped Hostea dashboard templates
Support integration with Gitea: simply redirects user to Hostea's support issue tracker, when the user wishes to see all pending issues and new issue page on Gitea. Hostea meta Gitea instace and Hostea support repository is configurable, please see here for instructions.
Configurable Hostea VM specs(via admin panel)
Create Hostea VM(see linked image)
Generate coverage report at the end of every CI run. Report is only available in CI logs, will generate badge and HTML report and check into the repository post-MVP

## Tasks: 1. Bootstraped Hostea dashboard templates 2. Support integration with Gitea: simply redirects user to Hostea's support issue tracker, when the user wishes to see all pending issues and new issue page on Gitea. Hostea meta Gitea instace and Hostea support repository is configurable, please see [here for instructions](https://gitea.hostea.org/Hostea/dashboard/src/branch/master/docs/INSTALL.md#support-platform-integration). 3. Configurable Hostea VM specs(via admin panel) 4. Create Hostea VM(see linked image) 5. Generate coverage report at the end of every CI run. Report is only available in CI logs, will generate badge and HTML report and check into the repository post-MVP ![image](/attachments/4eb0692a-9373-44a0-8ab5-d6bd39d4c065)

image.png

88 KiB

realaravinth stopped working 2022-06-17 18:30:17 +00:00

2h 12min 21s

dachary commented

2022-06-17 20:14:42 +00:00

Create Hostea VM(see linked image)

Good call on using "t-shirt" sizes rather than allowing the user to independently choose the size of each resource 👍 Here are the available sizes for the MVP:

$ enough --domain hostea.org openstack -- flavor show -c name -c  ram -c vcpus -c disk  s1-2
+-------+-------+
| Field | Value |
+-------+-------+
| disk  | 10    |
| name  | s1-2  |
| ram   | 2000  |
| vcpus | 1     |
+-------+-------+
$ enough --domain hostea.org openstack -- flavor show -c name -c  ram -c vcpus -c disk  s1-4
+-------+-------+
| Field | Value |
+-------+-------+
| disk  | 20    |
| name  | s1-4  |
| ram   | 4000  |
| vcpus | 1     |
+-------+-------+
$ enough --domain hostea.org openstack -- flavor show -c name -c  ram -c vcpus -c disk  s1-8
+-------+-------+
| Field | Value |
+-------+-------+
| disk  | 40    |
| name  | s1-8  |
| ram   | 8000  |
| vcpus | 2     |
+-------+-------+

As for the price, although it will need adjusting, I suggest making it roughly double what it actually costs to be realistic:

s1-2 10€
s1-4 20€
s1-8 40€

Update:

s1-2 == openstack_flavor_small
s1-4 == openstack_flavor_medium
s1-8 == openstack_flavor_large

> Create Hostea VM(see linked image) Good call on using "t-shirt" sizes rather than allowing the user to independently choose the size of each resource 👍 Here are the available sizes for the MVP: ``` $ enough --domain hostea.org openstack -- flavor show -c name -c ram -c vcpus -c disk s1-2 +-------+-------+ | Field | Value | +-------+-------+ | disk | 10 | | name | s1-2 | | ram | 2000 | | vcpus | 1 | +-------+-------+ $ enough --domain hostea.org openstack -- flavor show -c name -c ram -c vcpus -c disk s1-4 +-------+-------+ | Field | Value | +-------+-------+ | disk | 20 | | name | s1-4 | | ram | 4000 | | vcpus | 1 | +-------+-------+ $ enough --domain hostea.org openstack -- flavor show -c name -c ram -c vcpus -c disk s1-8 +-------+-------+ | Field | Value | +-------+-------+ | disk | 40 | | name | s1-8 | | ram | 8000 | | vcpus | 2 | +-------+-------+ ``` As for the price, although it will need adjusting, I suggest making it roughly double what it actually costs to be realistic: * s1-2 10€ * s1-4 20€ * s1-8 40€ Update: * s1-2 == openstack_flavor_small * s1-4 == openstack_flavor_medium * s1-8 == openstack_flavor_large

👍 1

realaravinth commented

2022-06-17 21:44:08 +00:00

The VM configurations can be set at runtime. I feel this options will allow each Hostea admin to choose a price and offering that is optimal for their operation.

Tomorrow, I will create a management command(manage.py commands) to create VM configurations.

Do you want me to set VM configurations defaults per the list you've mentioned above?

The VM configurations can be set at runtime. I feel this options will allow each Hostea admin to choose a price and offering that is optimal for their operation. Tomorrow, I will create a management command(`manage.py` commands) to create VM configurations. Do you want me to set VM configurations defaults per the list you've mentioned above? ![image](/attachments/257d991b-4c36-41c1-bb04-963e69648a1f) ![image](/attachments/1998672a-8a72-41b7-a884-ecf50f381d93)

image.png

70 KiB

image.png

51 KiB

dachary commented

2022-06-17 22:38:38 +00:00

Do you want me to set VM configurations defaults per the list you've mentioned above?

It would make sense since it is what the backend implements. It has a lot more but those three are the cheapest.

$ enough --domain hostea.org openstack -- flavor list
+--------------------------------------+-----------------+--------+------+-----------+-------+-----------+
| ID                                   | Name            |    RAM | Disk | Ephemeral | VCPUs | Is Public |
+--------------------------------------+-----------------+--------+------+-----------+-------+-----------+
| 036e9748-b11e-427e-83af-407b2deee51b | win-b2-15       |  15000 |  100 |         0 |     4 | True      |
| 0b790592-f47c-4a52-ba56-3923a3013607 | c2-60-flex      |  60000 |   50 |         0 |    16 | True      |
| 0f7e0bf9-8100-4fd4-b238-29b1915481c4 | win-r2-15       |  15000 |   50 |         0 |     2 | True      |
| 119f1b5b-7744-43a5-bd40-bc54e18f1609 | c2-30           |  30000 |  200 |         0 |     8 | True      |
| 1a5fddab-4ddc-4619-ad29-09932b6bcb9f | r2-60           |  60000 |  100 |         0 |     4 | True      |
| 1faed731-1de8-4f04-97c0-e6e976c8445e | win-b2-7        |   7000 |   50 |         0 |     2 | True      |
| 20ae3286-a9f4-4c65-9502-c8545be102f3 | win-r2-60-flex  |  60000 |   50 |         0 |     4 | True      |
| 24ff2c52-c553-4e5f-95c1-1c1a14ade841 | win-b2-120-flex | 120000 |   50 |         0 |    32 | True      |
| 2dc9d22f-3038-4ebf-a159-8994fca1c438 | win-r2-240      | 240000 |  400 |         0 |    16 | True      |
| 2ed0b117-1b2a-4f86-bb76-05c20ae70298 | c2-7-flex       |   7000 |   50 |         0 |     2 | True      |
| 2ee71e14-d56f-47ff-8634-3ee532f5f191 | win-c2-7-flex   |   7000 |   50 |         0 |     2 | True      |
| 36ca564b-21ad-49ec-a91b-d6f8d3897d13 | r2-120          | 120000 |  200 |         0 |     8 | True      |
| 3b137bad-0d92-470d-9f19-3ee31e4da2db | win-r2-30       |  30000 |   50 |         0 |     2 | True      |
| 3c83dfbd-abdb-43d0-b041-3ac44009c2f7 | s1-4            |   4000 |   20 |         0 |     1 | True      |
| 3d5a3aae-8e32-40fe-ab2c-4ca2eea56901 | win-b2-30       |  30000 |  200 |         0 |     8 | True      |
| 3f49b79b-a36f-46ca-8ec6-7d061c46ed5d | win-b2-60-flex  |  60000 |   50 |         0 |    16 | True      |
| 40276e6d-1d7f-4a8c-a78d-f46ddbb8e90b | c2-15-flex      |  15000 |   50 |         0 |     4 | True      |
| 405a4af2-32a1-457d-affe-36f4cface892 | win-b2-7-flex   |   7000 |   50 |         0 |     2 | True      |
| 4756bafe-fd58-44be-aa3c-33eb7c791a8e | d2-4            |   4000 |   50 |         0 |     2 | True      |
| 47dc8a6a-859d-421a-b471-cce00e471e42 | win-c2-30       |  30000 |  200 |         0 |     8 | True      |
| 4ad11f1c-f78c-4d3e-87c2-cc04224b87f7 | c2-30-flex      |  30000 |   50 |         0 |     8 | True      |
| 4eab6165-1a5b-46d5-b5ba-498a9168a432 | b2-60-flex      |  60000 |   50 |         0 |    16 | True      |
| 519c1424-f034-4a1b-989b-5fca4fc82789 | win-i1-180      | 180000 |   50 |         0 |    32 | True      |
| 52922717-0944-406f-97e6-8e3a1fc5293d | win-b2-120      | 120000 |  400 |         0 |    32 | True      |
| 5c6189d1-b235-4a39-ad26-c6fd4bb6c851 | win-r2-30-flex  |  30000 |   50 |         0 |     2 | True      |
| 5c77cf3e-a030-4415-99e3-0e61c3605a10 | r2-240-flex     | 240000 |   50 |         0 |    16 | True      |
| 601b0915-73e1-4264-93e5-8242d31e3283 | win-r2-240-flex | 240000 |   50 |         0 |    16 | True      |
| 61979bc1-f22a-4f6e-9cca-7300841ea820 | b2-15-flex      |  15000 |   50 |         0 |     4 | True      |
| 6f63e9d4-0989-4483-a69c-ec9184931a61 | win-i1-45       |  45000 |   50 |         0 |     8 | True      |
| 71c811a5-fefb-4cab-8cae-a484bf8c8769 | c2-120          | 120000 |  400 |         0 |    32 | True      |
| 7c98f8c1-76ea-494a-b006-350d699b4507 | r2-240          | 240000 |  400 |         0 |    16 | True      |
| 7e13aa46-de5e-4176-8524-208b694a81a5 | win-i1-90       |  90000 |   50 |         0 |    16 | True      |
| 7ef5fbb6-1b2f-4135-9b97-b62b6bb82d04 | c2-15           |  15000 |  100 |         0 |     4 | True      |
| 815dcab4-cbca-4abb-bbfd-b080b28a4fea | win-c2-60-flex  |  60000 |   50 |         0 |    16 | True      |
| 83cc4f84-36ed-4b9b-bab0-ea729dc3936c | b2-30           |  30000 |  200 |         0 |     8 | True      |
| 8cd9b182-776d-4250-a516-9ec143889ac1 | win-c2-60       |  60000 |  400 |         0 |    16 | True      |
| 8edec7c7-07d5-4e77-ae92-95cd64758bd4 | r2-30-flex      |  30000 |   50 |         0 |     2 | True      |
| 91e5eb72-e4c2-46dc-bdf5-f3dee0b6e312 | win-r2-60       |  60000 |  100 |         0 |     4 | True      |
| 926ec51c-eed7-443e-972a-9b07ba0e03ff | d2-8            |   8000 |   50 |         0 |     4 | True      |
| 966408e5-58ee-4f4c-bda2-c1b4d592018b | b2-30-flex      |  30000 |   50 |         0 |     8 | True      |
| 9774dc04-22e0-4a11-99fd-16f076d53084 | b2-7-flex       |   7000 |   50 |         0 |     2 | True      |
| 97c61e10-bf43-4f95-9e2d-fd757ba75e27 | win-b2-30-flex  |  30000 |   50 |         0 |     8 | True      |
| 9a92fbc6-b781-4afd-92ad-d282400ea6db | r2-120-flex     | 120000 |   50 |         0 |     8 | True      |
| 9b2c1323-7ea0-40be-9e2a-bf5d7d3cc338 | i1-180          | 180000 |   50 |         0 |    32 | True      |
| 9b312f04-e6ff-493f-bbd1-134510f49258 | b2-7            |   7000 |   50 |         0 |     2 | True      |
| 9ea2f388-35ea-4ebf-ac6b-bc40ddcfa952 | win-r2-120      | 120000 |  200 |         0 |     8 | True      |
| a14c66cb-2469-4f7b-baea-945cb3eb488a | win-c2-120      | 120000 |  400 |         0 |    32 | True      |
| adab7207-c4cb-4c44-8845-b69763a10d03 | win-c2-30-flex  |  30000 |   50 |         0 |     8 | True      |
| b58f0da8-d3da-47aa-b75c-7452b487ab13 | i1-90           |  90000 |   50 |         0 |    16 | True      |
| b602260e-782f-470c-8760-77bdfa0644ce | b2-120-flex     | 120000 |   50 |         0 |    32 | True      |
| bd21e95a-b7ab-4fb8-b73d-9da625f6733d | r2-15           |  15000 |   50 |         0 |     2 | True      |
| c8e55a81-8424-4f93-a03d-36bdac69a1e1 | win-c2-7        |   7000 |   50 |         0 |     2 | True      |
| ca4c4774-a9bf-4739-b424-6c6f54ced3bf | s1-8            |   8000 |   40 |         0 |     2 | True      |
| ca7afaa2-2820-4dca-9a12-d8255a0a2e84 | win-b2-15-flex  |  15000 |   50 |         0 |     4 | True      |
| cc02ff1f-d7a1-4562-a584-a4dfa23948a0 | win-c2-15-flex  |  15000 |   50 |         0 |     4 | True      |
| ce07016c-95df-4085-bb5a-565caffc2063 | s1-2            |   2000 |   10 |         0 |     1 | True      |
| d00fdefc-9ada-4fc0-86b4-db505b6c1408 | win-r2-120-flex | 120000 |   50 |         0 |     8 | True      |
| d2ca0c8c-871e-462a-aa05-35b9265275ca | r2-30           |  30000 |   50 |         0 |     2 | True      |
| d5acc03f-46cb-410b-821b-baadc550348e | win-r2-15-flex  |  15000 |   50 |         0 |     2 | True      |
| dc3fe9e7-e374-4ad8-b200-fa3bdf45069f | d2-2            |   2000 |   25 |         0 |     1 | True      |
| dcf3e3c7-abd6-4362-9ee3-2f150fe1d2cc | win-c2-120-flex | 120000 |   50 |         0 |    32 | True      |
| defef2bf-9d1a-4d74-b1ca-2766c498967e | win-c2-15       |  15000 |  100 |         0 |     4 | True      |
| e084e7f8-f005-4e22-ad56-115d1170c99e | win-b2-60       |  60000 |  400 |         0 |    16 | True      |
| e19b1c0e-0665-4512-be90-edb24180e5ec | c2-60           |  60000 |  400 |         0 |    16 | True      |
| e9e90064-01cb-47f3-a9b1-c46380d5bdb7 | b2-120          | 120000 |  400 |         0 |    32 | True      |
| ecbc5dbf-a81e-4498-805a-7b753e0097b7 | c2-120-flex     | 120000 |   50 |         0 |    32 | True      |
| eee980b8-fe6d-49b5-b27c-a928aacf8c74 | r2-15-flex      |  15000 |   50 |         0 |     2 | True      |
| ef3e8b84-a855-4fbe-8824-33c5e4ba570d | i1-45           |  45000 |   50 |         0 |     8 | True      |
| f4aebbe1-3726-4399-bbd5-43604228f1d2 | b2-60           |  60000 |  400 |         0 |    16 | True      |
| f57ad8c7-7d7a-4456-b16a-e9dbe5cf56ef | b2-15           |  15000 |  100 |         0 |     4 | True      |
| f9859b04-e523-4877-9068-20b5f9ad6e64 | r2-60-flex      |  60000 |   50 |         0 |     4 | True      |
| fc8c7a4b-aa5c-4b7c-8a97-287eec05c5ed | c2-7            |   7000 |   50 |         0 |     2 | True      |
+--------------------------------------+-----------------+--------+------+-----------+-------+-----------+

> Do you want me to set VM configurations defaults per the list you've mentioned above? It would make sense since it is what the backend implements. It has a lot more but those three are the cheapest. ``` $ enough --domain hostea.org openstack -- flavor list +--------------------------------------+-----------------+--------+------+-----------+-------+-----------+ | ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public | +--------------------------------------+-----------------+--------+------+-----------+-------+-----------+ | 036e9748-b11e-427e-83af-407b2deee51b | win-b2-15 | 15000 | 100 | 0 | 4 | True | | 0b790592-f47c-4a52-ba56-3923a3013607 | c2-60-flex | 60000 | 50 | 0 | 16 | True | | 0f7e0bf9-8100-4fd4-b238-29b1915481c4 | win-r2-15 | 15000 | 50 | 0 | 2 | True | | 119f1b5b-7744-43a5-bd40-bc54e18f1609 | c2-30 | 30000 | 200 | 0 | 8 | True | | 1a5fddab-4ddc-4619-ad29-09932b6bcb9f | r2-60 | 60000 | 100 | 0 | 4 | True | | 1faed731-1de8-4f04-97c0-e6e976c8445e | win-b2-7 | 7000 | 50 | 0 | 2 | True | | 20ae3286-a9f4-4c65-9502-c8545be102f3 | win-r2-60-flex | 60000 | 50 | 0 | 4 | True | | 24ff2c52-c553-4e5f-95c1-1c1a14ade841 | win-b2-120-flex | 120000 | 50 | 0 | 32 | True | | 2dc9d22f-3038-4ebf-a159-8994fca1c438 | win-r2-240 | 240000 | 400 | 0 | 16 | True | | 2ed0b117-1b2a-4f86-bb76-05c20ae70298 | c2-7-flex | 7000 | 50 | 0 | 2 | True | | 2ee71e14-d56f-47ff-8634-3ee532f5f191 | win-c2-7-flex | 7000 | 50 | 0 | 2 | True | | 36ca564b-21ad-49ec-a91b-d6f8d3897d13 | r2-120 | 120000 | 200 | 0 | 8 | True | | 3b137bad-0d92-470d-9f19-3ee31e4da2db | win-r2-30 | 30000 | 50 | 0 | 2 | True | | 3c83dfbd-abdb-43d0-b041-3ac44009c2f7 | s1-4 | 4000 | 20 | 0 | 1 | True | | 3d5a3aae-8e32-40fe-ab2c-4ca2eea56901 | win-b2-30 | 30000 | 200 | 0 | 8 | True | | 3f49b79b-a36f-46ca-8ec6-7d061c46ed5d | win-b2-60-flex | 60000 | 50 | 0 | 16 | True | | 40276e6d-1d7f-4a8c-a78d-f46ddbb8e90b | c2-15-flex | 15000 | 50 | 0 | 4 | True | | 405a4af2-32a1-457d-affe-36f4cface892 | win-b2-7-flex | 7000 | 50 | 0 | 2 | True | | 4756bafe-fd58-44be-aa3c-33eb7c791a8e | d2-4 | 4000 | 50 | 0 | 2 | True | | 47dc8a6a-859d-421a-b471-cce00e471e42 | win-c2-30 | 30000 | 200 | 0 | 8 | True | | 4ad11f1c-f78c-4d3e-87c2-cc04224b87f7 | c2-30-flex | 30000 | 50 | 0 | 8 | True | | 4eab6165-1a5b-46d5-b5ba-498a9168a432 | b2-60-flex | 60000 | 50 | 0 | 16 | True | | 519c1424-f034-4a1b-989b-5fca4fc82789 | win-i1-180 | 180000 | 50 | 0 | 32 | True | | 52922717-0944-406f-97e6-8e3a1fc5293d | win-b2-120 | 120000 | 400 | 0 | 32 | True | | 5c6189d1-b235-4a39-ad26-c6fd4bb6c851 | win-r2-30-flex | 30000 | 50 | 0 | 2 | True | | 5c77cf3e-a030-4415-99e3-0e61c3605a10 | r2-240-flex | 240000 | 50 | 0 | 16 | True | | 601b0915-73e1-4264-93e5-8242d31e3283 | win-r2-240-flex | 240000 | 50 | 0 | 16 | True | | 61979bc1-f22a-4f6e-9cca-7300841ea820 | b2-15-flex | 15000 | 50 | 0 | 4 | True | | 6f63e9d4-0989-4483-a69c-ec9184931a61 | win-i1-45 | 45000 | 50 | 0 | 8 | True | | 71c811a5-fefb-4cab-8cae-a484bf8c8769 | c2-120 | 120000 | 400 | 0 | 32 | True | | 7c98f8c1-76ea-494a-b006-350d699b4507 | r2-240 | 240000 | 400 | 0 | 16 | True | | 7e13aa46-de5e-4176-8524-208b694a81a5 | win-i1-90 | 90000 | 50 | 0 | 16 | True | | 7ef5fbb6-1b2f-4135-9b97-b62b6bb82d04 | c2-15 | 15000 | 100 | 0 | 4 | True | | 815dcab4-cbca-4abb-bbfd-b080b28a4fea | win-c2-60-flex | 60000 | 50 | 0 | 16 | True | | 83cc4f84-36ed-4b9b-bab0-ea729dc3936c | b2-30 | 30000 | 200 | 0 | 8 | True | | 8cd9b182-776d-4250-a516-9ec143889ac1 | win-c2-60 | 60000 | 400 | 0 | 16 | True | | 8edec7c7-07d5-4e77-ae92-95cd64758bd4 | r2-30-flex | 30000 | 50 | 0 | 2 | True | | 91e5eb72-e4c2-46dc-bdf5-f3dee0b6e312 | win-r2-60 | 60000 | 100 | 0 | 4 | True | | 926ec51c-eed7-443e-972a-9b07ba0e03ff | d2-8 | 8000 | 50 | 0 | 4 | True | | 966408e5-58ee-4f4c-bda2-c1b4d592018b | b2-30-flex | 30000 | 50 | 0 | 8 | True | | 9774dc04-22e0-4a11-99fd-16f076d53084 | b2-7-flex | 7000 | 50 | 0 | 2 | True | | 97c61e10-bf43-4f95-9e2d-fd757ba75e27 | win-b2-30-flex | 30000 | 50 | 0 | 8 | True | | 9a92fbc6-b781-4afd-92ad-d282400ea6db | r2-120-flex | 120000 | 50 | 0 | 8 | True | | 9b2c1323-7ea0-40be-9e2a-bf5d7d3cc338 | i1-180 | 180000 | 50 | 0 | 32 | True | | 9b312f04-e6ff-493f-bbd1-134510f49258 | b2-7 | 7000 | 50 | 0 | 2 | True | | 9ea2f388-35ea-4ebf-ac6b-bc40ddcfa952 | win-r2-120 | 120000 | 200 | 0 | 8 | True | | a14c66cb-2469-4f7b-baea-945cb3eb488a | win-c2-120 | 120000 | 400 | 0 | 32 | True | | adab7207-c4cb-4c44-8845-b69763a10d03 | win-c2-30-flex | 30000 | 50 | 0 | 8 | True | | b58f0da8-d3da-47aa-b75c-7452b487ab13 | i1-90 | 90000 | 50 | 0 | 16 | True | | b602260e-782f-470c-8760-77bdfa0644ce | b2-120-flex | 120000 | 50 | 0 | 32 | True | | bd21e95a-b7ab-4fb8-b73d-9da625f6733d | r2-15 | 15000 | 50 | 0 | 2 | True | | c8e55a81-8424-4f93-a03d-36bdac69a1e1 | win-c2-7 | 7000 | 50 | 0 | 2 | True | | ca4c4774-a9bf-4739-b424-6c6f54ced3bf | s1-8 | 8000 | 40 | 0 | 2 | True | | ca7afaa2-2820-4dca-9a12-d8255a0a2e84 | win-b2-15-flex | 15000 | 50 | 0 | 4 | True | | cc02ff1f-d7a1-4562-a584-a4dfa23948a0 | win-c2-15-flex | 15000 | 50 | 0 | 4 | True | | ce07016c-95df-4085-bb5a-565caffc2063 | s1-2 | 2000 | 10 | 0 | 1 | True | | d00fdefc-9ada-4fc0-86b4-db505b6c1408 | win-r2-120-flex | 120000 | 50 | 0 | 8 | True | | d2ca0c8c-871e-462a-aa05-35b9265275ca | r2-30 | 30000 | 50 | 0 | 2 | True | | d5acc03f-46cb-410b-821b-baadc550348e | win-r2-15-flex | 15000 | 50 | 0 | 2 | True | | dc3fe9e7-e374-4ad8-b200-fa3bdf45069f | d2-2 | 2000 | 25 | 0 | 1 | True | | dcf3e3c7-abd6-4362-9ee3-2f150fe1d2cc | win-c2-120-flex | 120000 | 50 | 0 | 32 | True | | defef2bf-9d1a-4d74-b1ca-2766c498967e | win-c2-15 | 15000 | 100 | 0 | 4 | True | | e084e7f8-f005-4e22-ad56-115d1170c99e | win-b2-60 | 60000 | 400 | 0 | 16 | True | | e19b1c0e-0665-4512-be90-edb24180e5ec | c2-60 | 60000 | 400 | 0 | 16 | True | | e9e90064-01cb-47f3-a9b1-c46380d5bdb7 | b2-120 | 120000 | 400 | 0 | 32 | True | | ecbc5dbf-a81e-4498-805a-7b753e0097b7 | c2-120-flex | 120000 | 50 | 0 | 32 | True | | eee980b8-fe6d-49b5-b27c-a928aacf8c74 | r2-15-flex | 15000 | 50 | 0 | 2 | True | | ef3e8b84-a855-4fbe-8824-33c5e4ba570d | i1-45 | 45000 | 50 | 0 | 8 | True | | f4aebbe1-3726-4399-bbd5-43604228f1d2 | b2-60 | 60000 | 400 | 0 | 16 | True | | f57ad8c7-7d7a-4456-b16a-e9dbe5cf56ef | b2-15 | 15000 | 100 | 0 | 4 | True | | f9859b04-e523-4877-9068-20b5f9ad6e64 | r2-60-flex | 60000 | 50 | 0 | 4 | True | | fc8c7a4b-aa5c-4b7c-8a97-287eec05c5ed | c2-7 | 7000 | 50 | 0 | 2 | True | +--------------------------------------+-----------------+--------+------+-----------+-------+-----------+ ```

👍 1

realaravinth started working 2022-06-18 07:33:05 +00:00

realaravinth stopped working 2022-06-18 09:25:55 +00:00

1h 52min 50s

realaravinth started working 2022-06-18 14:12:56 +00:00

realaravinth commented

2022-06-18 16:46:15 +00:00

Tasks accomplished

confirm_access decorator for protecting privileged views like deleting VMs(only usage, at the moment
list user's VM view
specific VM view
delete VM view
default VM configurations, as requested
improve general test coverage and as a result,
fix logout view: logout route was mapped to login view(!), tests pointed it out

## Tasks accomplished - confirm_access decorator for protecting privileged views like deleting VMs(only usage, at the moment - list user's VM view - specific VM view - delete VM view - default VM configurations, as requested - improve general test coverage and as a result, - fix logout view: logout route was mapped to login view(!), tests pointed it out

👍 1

realaravinth stopped working 2022-06-18 16:46:22 +00:00

2h 33min 26s

realaravinth commented

2022-06-18 17:04:14 +00:00

Default VM configuration creation is causing problems. My local DB instance's migrations were current when I ran the test but spinning up a fresh DB instance and then trying to apply migrations is causing issues(failed CI run.

The error says that the target table is unavailable but everything works when I comment out the stuff that creates default configurations.
My guess is that Python->SQL translation is entering into some circular loop, because of the way I'm creating default configurations.

Will fix it tomorrow.

Default VM configuration creation is causing problems. My local DB instance's migrations were current when I ran the test but spinning up a fresh DB instance and then trying to apply migrations is causing issues([failed CI run](https://woodpecker.hostea.org/Hostea/dashboard/build/19/1). The error says that the target table is unavailable but everything works when I comment out the stuff that creates default configurations. My guess is that Python->SQL translation is entering into some circular loop, because of the way I'm creating default configurations. Will fix it tomorrow.

👀 1

realaravinth started working 2022-06-19 08:06:02 +00:00

realaravinth stopped working 2022-06-19 09:52:52 +00:00

1h 46min 50s

realaravinth started working 2022-06-19 13:53:30 +00:00

realaravinth commented

2022-06-19 17:17:56 +00:00

Tasks accomplished

Fixed default VM configuration saving
Updated styling for view VM template
Created and discarded get_user_id management command, which could have been used with django-oauth-toolkit's createapplication management command. Removed becuase it is now integrated with create_oidc(see below).
Custom management command create_oidc to create OIDC applications, that is opinionated in a manner that is suitable for Hostea(sets default for algorithm, authorisation grant type and client type) and more ergonomic than django-oauth-toolkit's createapplication.

`create_oidc`

Usage:

10:34:45 (venv) atm@lab dashboard ±|master|→ python manage.py create_oidc --help
usage: manage.py create_oidc [-h] [--version] [-v {0,1,2,3}] [--settings SETTINGS]
                             [--pythonpath PYTHONPATH] [--traceback] [--no-color] [--force-color]
                             [--skip-checks]
                             app_name username redirect_uri

Get user ID from username

positional arguments:
  app_name              The application name
  username              The username of user who will own this app
  redirect_uri          The username of user who will own this app

options:
  -h, --help            show this help message and exit
  --version             Show program's version number and exit.
  -v {0,1,2,3}, --verbosity {0,1,2,3}
                        Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very
                        verbose output
  --settings SETTINGS   The Python path to a settings module, e.g. "myproject.settings.main". If this isn't
                        provided, the DJANGO_SETTINGS_MODULE environment variable will be used.
  --pythonpath PYTHONPATH
                        A directory to add to the Python path, e.g. "/home/djangoprojects/myproject".
  --traceback           Raise on CommandError exceptions.
  --no-color            Don't colorize the command output.
  --force-color         Force colorization of the command output.
  --skip-checks         Skip system checks.

Example:

10:37:17 (venv) atm@lab dashboard ±|master|→ python manage.py create_oidc gitea atm http://localhost:8080/user/oauth2/hostea-dash-local/callback
New application gitea created successfully.
client_id: DuHVtUTFoea1gL4mMD3d8w5j1snbLoqDTAEw5oUZ
client_secret: nmCjopnxlsvYqGgBpqgqCqbzOmCvu67WZxO1IijOuYZuj9MOoxGzNoQAO0fEnaWtGVCUsNL9Vij5DyrUyPYD0mTt4K6jAj6gAw5nx3oG8tWkcTKAMNKXB9FmS5IWB8cO

Please note that redirection URI(third positional parameter and only URI passed in the above command) is an actual Gitea redirection URL.

Gitea's redirection URI is in the form:

{{GITEAHOST}}/user/oauth2/{{OIDC App name}}/callback

client_id and client_secret will be auto-generated by create_oidc and should be parsed and supplied to Gitea.

Configuring SSO on Gitea

To configure Gitea with the SSO implemented in Hostea/dashboard:

Generate OIDC client configuration with create_oidc. Parse and save client_id and client_secret, as mentioned above.
Configure Gitea as shown in image:

## Tasks accomplished - Fixed default VM configuration saving - Updated styling for view VM template - Created and discarded `get_user_id` management command, which could have been used with `django-oauth-toolkit`'s `createapplication` management command. Removed becuase it is now integrated with `create_oidc`(see below). - Custom management command `create_oidc` to create OIDC applications, that is opinionated in a manner that is suitable for Hostea(sets default for algorithm, authorisation grant type and client type) and more ergonomic than `django-oauth-toolkit`'s `createapplication`. ## `create_oidc` ### Usage: ```bash 10:34:45 (venv) atm@lab dashboard ±|master|→ python manage.py create_oidc --help usage: manage.py create_oidc [-h] [--version] [-v {0,1,2,3}] [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback] [--no-color] [--force-color] [--skip-checks] app_name username redirect_uri Get user ID from username positional arguments: app_name The application name username The username of user who will own this app redirect_uri The username of user who will own this app options: -h, --help show this help message and exit --version Show program's version number and exit. -v {0,1,2,3}, --verbosity {0,1,2,3} Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output --settings SETTINGS The Python path to a settings module, e.g. "myproject.settings.main". If this isn't provided, the DJANGO_SETTINGS_MODULE environment variable will be used. --pythonpath PYTHONPATH A directory to add to the Python path, e.g. "/home/djangoprojects/myproject". --traceback Raise on CommandError exceptions. --no-color Don't colorize the command output. --force-color Force colorization of the command output. --skip-checks Skip system checks. ``` ### Example: ```bash 10:37:17 (venv) atm@lab dashboard ±|master|→ python manage.py create_oidc gitea atm http://localhost:8080/user/oauth2/hostea-dash-local/callback New application gitea created successfully. client_id: DuHVtUTFoea1gL4mMD3d8w5j1snbLoqDTAEw5oUZ client_secret: nmCjopnxlsvYqGgBpqgqCqbzOmCvu67WZxO1IijOuYZuj9MOoxGzNoQAO0fEnaWtGVCUsNL9Vij5DyrUyPYD0mTt4K6jAj6gAw5nx3oG8tWkcTKAMNKXB9FmS5IWB8cO ``` Please note that redirection URI(third positional parameter and only URI passed in the above command) is an actual Gitea redirection URL. Gitea's redirection URI is in the form: ``` {{GITEAHOST}}/user/oauth2/{{OIDC App name}}/callback ``` `client_id` and `client_secret` will be auto-generated by `create_oidc` and should be parsed and supplied to Gitea. ## Configuring SSO on Gitea To configure Gitea with the SSO implemented in `Hostea/dashboard`: 1. Generate OIDC client configuration with `create_oidc`. Parse and save `client_id` and `client_secret`, as mentioned above. 2. Configure Gitea as shown in image: ![image](/attachments/2646c9b0-e7b3-4768-bcd1-b6dfeb19f46e)

image.png

55 KiB

👍 1

realaravinth stopped working 2022-06-19 17:18:01 +00:00

3h 24min 31s

dachary commented

2022-06-19 18:08:25 +00:00

The goal here is that the dashboard provides a SSO so that the user can:

File an issue on https://gitea.hostea.org without creating a second account
Login as an admin on their https://hostea001.d.hostea.org instance after it is created without creating a third account

Is this correct?

The best way to script this seems to be gitea admin auth add-oauth.

The goal here is that the dashboard provides a SSO so that the user can: * File an issue on https://gitea.hostea.org without creating a second account * Login as an admin on their https://hostea001.d.hostea.org instance after it is created without creating a third account Is this correct? The best way to script this seems to be [gitea admin auth add-oauth](https://docs.gitea.io/en-us/command-line/#admin).

realaravinth commented

2022-06-19 18:42:10 +00:00

File an issue on https://gitea.hostea.org without creating a second account

Yes. But, at the moment the support application in Hostea/Dashboard only redirects to the issue tracker support repository.

Additionally, the SSO can be configured to work with https://forum.hostea.org, too. But that's for another time.

Login as an admin on their https://hostea001.d.hostea.org instance after it is created without creating a third account

This is out of scope of the SSO.

If a user's Hostea instance is configured to work with the SSO, then all Hostea users will be able to log in to the user's private Hostea instance.

Also, Gitea shows SSO options on the login webpage, so users on the private Gitea might necessarily try to create accounts on the Dashboard.

The best way to script this seems to be gitea admin auth add-oauth.

The Gitea screenshot is for illustrative purposes only. You are welcome to use any method that you prefer to configure the Gitea side of things. :)

> File an issue on https://gitea.hostea.org without creating a second account Yes. But, at the moment the support application in Hostea/Dashboard only redirects to the issue tracker [support repository](https://gitea.hostea.org/Hostea/support). Additionally, the SSO can be configured to work with https://forum.hostea.org, too. But that's for another time. > Login as an admin on their https://hostea001.d.hostea.org instance after it is created without creating a third account This is out of scope of the SSO. If a user's Hostea instance is configured to work with the SSO, then all Hostea users will be able to log in to the user's private Hostea instance. Also, Gitea shows SSO options on the login webpage, so users on the private Gitea might necessarily try to create accounts on the Dashboard. > The best way to script this seems to be gitea admin auth add-oauth. The Gitea screenshot is for illustrative purposes only. You are welcome to use any method that you prefer to configure the Gitea side of things. :)

dachary commented

2022-06-19 19:22:00 +00:00

Thanks for clarifying. In that case the easiest way to achive this

File an issue on https://gitea.hostea.org without creating a second account

Yes. But, at the moment the support application in Hostea/Dashboard only redirects to the issue tracker support repository.

So the workflow would be:

User is on the dashboard
Clicks on the support link
Clicks on Sign In (top right)

Clicks on OpenID

Enters a URL here (which one)
Goes back to support link
Files an issue

Or is it something else?

Thanks for clarifying. In that case the easiest way to achive this > > File an issue on https://gitea.hostea.org without creating a second account > > Yes. But, at the moment the support application in Hostea/Dashboard only redirects to the issue tracker [support repository](https://gitea.hostea.org/Hostea/support). > So the workflow would be: * User is on the dashboard * Clicks on the [support link](https://gitea.hostea.org/Hostea/support) * Clicks on Sign In (top right) ![image](/attachments/4eac426f-3530-40e5-8dff-72b18e4f11f5) * Clicks on OpenID ![image](/attachments/0b1250be-36f6-41f7-8b91-baa16f4094c8) * Enters a URL here (which one) * Goes back to [support link](https://gitea.hostea.org/Hostea/support) * Files an issue Or is it something else?

image.png

25 KiB

image.png

20 KiB

realaravinth commented

2022-06-19 19:39:55 +00:00

With the Gitea configuration, we can offer a much more seamless experience.

Please see this screen capture(ephemeral link, valid for 1 week from now).

With the Gitea configuration, we can offer a much more seamless experience. Please [see this screen capture](https://linx.batsense.net/hostea-support-new-ticket-workflow.mkv)(ephemeral link, valid for 1 week from now).

dachary commented

2022-06-19 19:52:19 +00:00

Thanks for clarifying. I now understand how it fits. Nothing related to OpenID really. Perfect.

👍 1

dachary commented

2022-06-19 20:00:42 +00:00

So I'll make a note to modify the playbook so that it:

Calls python manage.py create_oidc gitea atm http://localhost:8080/user/oauth2/hostea-dash-local/callback
Call gitea admin auth add-oauth with the output

I'll leave the writing of the test to check that it works to you, if that's ok?

Login the dashboard
Click on create new ticket
Click on the Hostea OAuth login

Copy/pasting from hoteasetup.py may help since it has web scraping logic for woodpecker already.

So I'll make a note to modify the playbook so that it: * Calls `python manage.py create_oidc gitea atm http://localhost:8080/user/oauth2/hostea-dash-local/callback` * Call [gitea admin auth add-oauth](https://docs.gitea.io/en-us/command-line/#admin) with the output I'll leave the writing of the test to check that it works to you, if that's ok? * Login the dashboard * Click on create new ticket * Click on the Hostea OAuth login Copy/pasting from [hoteasetup.py](https://lab.enough.community/main/infrastructure/-/blob/master/playbooks/hostea/roles/hostea/files/hosteasetup.py) may help since it has web scraping logic for woodpecker already.

dachary commented

2022-06-19 20:05:17 +00:00

Just to make sure there is no misunderstanding, I'll wait on you to give me the greenlight before I do that. Preferably when everything else is ready so I can do it at once.

realaravinth commented

2022-06-19 20:07:29 +00:00

Actually, we can do better and skip the whole Gitea login screen:

Instead of redirecting to https://gitea.hostea.org/Hostea/support/issues/new, I can redirect the user to http://gitea.hostea.org/user/oauth2/hostea-sso?redirect_to=/hostea/support/issues/new(assuming the SSO is named "hostea-sso" on the Hostea Gitea). This way, the user will be automatically authenticated on the Hostea Gitea via the SSO and directly visit new issues webpage!

edit: accidentally closed the issue and also this method doesn't work. Gitea doesn't send redirect_to along with the authorisation request. There is a parallel redirection mechanism via cookies that Gitea uses in such cases. We could run a custom JavaScript script at http://gitea.hostea.org/user/oauth2/hostea-sso?redirect_to=/hostea/support/issues/new to set the cookie but doesn't seem right.

Actually, we can do better and skip the whole Gitea login screen: Instead of redirecting to https://gitea.hostea.org/Hostea/support/issues/new, I can redirect the user to http://gitea.hostea.org/user/oauth2/hostea-sso?redirect_to=/hostea/support/issues/new(assuming the SSO is named "hostea-sso" on the Hostea Gitea). This way, the user will be automatically authenticated on the Hostea Gitea via the SSO and directly visit new issues webpage! edit: accidentally closed the issue and also this method doesn't work. Gitea doesn't send `redirect_to` along with the authorisation request. There is a parallel redirection mechanism via cookies that Gitea uses in such cases. We could run a custom JavaScript script at http://gitea.hostea.org/user/oauth2/hostea-sso?redirect_to=/hostea/support/issues/new to set the cookie but doesn't seem right.

👍 1 ❤️ 1 🎉 1 😆 1 🚀 1

realaravinth closed this issue

2022-06-19 20:07:29 +00:00

realaravinth reopened this issue

2022-06-19 20:07:36 +00:00

realaravinth commented

2022-06-19 20:13:47 +00:00

So I'll make a note to modify the playbook so that it:

Calls python manage.py create_oidc gitea atm http://localhost:8080/user/oauth2/hostea-dash-local/callback

Call gitea admin auth add-oauth with the output

Yes, perfect!

I'll leave the writing of the test to check that it works to you, if that's ok?

Login the dashboard

Click on create new ticket

Click on the Hostea OAuth login

Gladly!

> So I'll make a note to modify the playbook so that it: > > * Calls `python manage.py create_oidc gitea atm http://localhost:8080/user/oauth2/hostea-dash-local/callback` > * Call [gitea admin auth add-oauth](https://docs.gitea.io/en-us/command-line/#admin) with the output > Yes, perfect! > I'll leave the writing of the test to check that it works to you, if that's ok? > > * Login the dashboard > * Click on create new ticket > * Click on the Hostea OAuth login > Gladly!

realaravinth commented

2022-06-21 14:34:14 +00:00

As for the price, although it will need adjusting, I suggest making it roughly double what it actually costs to be realistic:

s1-2 10€

s1-4 20€

s1-8 40€

@dachary: These prices include tax, right? The billing system requires me to specify taxes. Tax rates might be different for each Hostea operator.

For the MVP I'd like to set the price with taxes included and set the tax=0. Tax computation based on configurable rates will be implemented post-MVP.

> As for the price, although it will need adjusting, I suggest making it roughly double what it actually costs to be realistic: > > * s1-2 10€ > * s1-4 20€ > * s1-8 40€ > @dachary: These prices include tax, right? The billing system requires me to specify taxes. Tax rates might be different for each Hostea operator. For the MVP I'd like to set the price with taxes included and set the `tax=0`. Tax computation based on configurable rates will be implemented post-MVP.

👍 1

dachary commented

2022-06-21 14:41:00 +00:00

Yes, lets' make it tax included.

👍 1

realaravinth started working 2022-06-22 06:23:37 +00:00

realaravinth stopped working 2022-06-22 08:28:59 +00:00

2h 5min 22s

realaravinth started working 2022-06-23 09:17:46 +00:00

realaravinth commented

2022-06-23 16:09:17 +00:00

Tasks

Copy/pasting from commit message

SUMMARY
    integration/__main__.py is a CLI-based HTTP client that can interact
    with Hostea Dashboard and Gitea.

    Integration tests are run via integration/tests.sh, which is a
    driver for the HTTP client at integration/__main__.py. The script is
    capable of spinning up a test environment consisting of services
    defined in docker-compose-dev-deps.yml and the Hostea Dashboard and
    tearing it down after a successful run.

    The credentials used to create various accounts and other parameters
    are all defined in integration/tests.sh script it self. So it is
    self contained.

CLIENT FUNCTIONALITY:

    HOSTEA DASHBOARD:
	 - register user with email verification
	 - login
	 - create OIDC app
	 - visit support page

    GITEA:
	 - Install Gitea(DB configuration, etc. The first form that's
	 presented to the visitor after a new instance is deployed)
	 - Register User
	 - Login User
	 - Create repository
	 - Configure OIDC SSO
	 - Login via SSO

The tests are working locally, because I run all service containers in network_mode=host, which is apparently a privileged operation in Woodpecker CI. I could enable higher privileges in the CI dashboard, but I think that would be unsafe: as the containers might bleed into the underlying host's networking.

It is important that the Gitea container is able to talk to the dashboard instance that the integration test script spins up. Without that, I won't be able to test SSO functionality.

Tomorrow, I will try packaging the Dashboard into a Docker container, and run it instead of spinning up an instance using python manage.py.

## Tasks Copy/pasting from [commit message](https://gitea.hostea.org/Hostea/dashboard/commit/1a8bc9c1ab4c64785f42c1faef93ab79c0fa10b8) ``` SUMMARY integration/__main__.py is a CLI-based HTTP client that can interact with Hostea Dashboard and Gitea. Integration tests are run via integration/tests.sh, which is a driver for the HTTP client at integration/__main__.py. The script is capable of spinning up a test environment consisting of services defined in docker-compose-dev-deps.yml and the Hostea Dashboard and tearing it down after a successful run. The credentials used to create various accounts and other parameters are all defined in integration/tests.sh script it self. So it is self contained. CLIENT FUNCTIONALITY: HOSTEA DASHBOARD: - register user with email verification - login - create OIDC app - visit support page GITEA: - Install Gitea(DB configuration, etc. The first form that's presented to the visitor after a new instance is deployed) - Register User - Login User - Create repository - Configure OIDC SSO - Login via SSO ``` The tests are working locally, because I run all service containers in `network_mode=host`, which is apparently a privileged operation in Woodpecker CI. I could enable higher privileges in the CI dashboard, but I think that would be unsafe: as the containers might bleed into the underlying host's networking. It is important that the Gitea container is able to talk to the dashboard instance that the integration test script spins up. Without that, I won't be able to test SSO functionality. Tomorrow, I will try packaging the Dashboard into a Docker container, and run it instead of spinning up an instance using `python manage.py`.

🚀 1

realaravinth stopped working 2022-06-23 16:09:23 +00:00

6h 51min 37s

realaravinth started working 2022-06-23 17:08:18 +00:00

realaravinth stopped working 2022-06-23 19:24:35 +00:00

2h 16min 17s

realaravinth commented

2022-06-23 19:33:44 +00:00

I tried to spin up a Gitea instance outside of docker, in an attempt to simplify the networking issues I faced earler but wasn't successful.

There is a step in the integration test script which checks if all needed services are up and running. For some reason, both Gitea and the Dashboard instances are not running and so the script went into a deadlock.

I ran the build locally, using woodpecker-cli

woodpecker-cli exec

And I faced the same issue.

I then logged into the woodpecker build container with docker exec and found issues with the Gitea instance: Gitea's RUN_USER was set to my local user, where as woodpecker was running as root.

I don't know why the dashboard was failing.

I tried to spin up a Gitea instance outside of docker, in an attempt to simplify the networking issues I faced earler but wasn't successful. There is a step in the integration test script which checks if all needed services are up and running. For some reason, both Gitea and the Dashboard instances are not running and so the script went into a deadlock. I ran the build locally, using woodpecker-cli ```bash woodpecker-cli exec ``` And I faced the same issue. I then logged into the woodpecker build container with `docker exec` and found issues with the Gitea instance: Gitea's `RUN_USER` was set to my local user, where as woodpecker was running as root. I don't know why the dashboard was failing.

dachary commented

2022-06-23 19:49:44 +00:00

It's very tricky. You're essentially retracing the steps that brought me to write hosteasetup.py and it took me a day or two to get it right.

It's very tricky. You're essentially retracing the steps that brought me to write [hosteasetup.py](https://lab.enough.community/main/infrastructure/-/blob/master/playbooks/hostea/roles/hostea/files/hosteasetup.py) and it took me a day or two to get it right.

👀 1 😆 1

realaravinth started working 2022-06-24 11:15:09 +00:00

realaravinth stopped working 2022-06-24 14:56:40 +00:00

3h 41min 31s

realaravinth commented

2022-06-24 15:19:38 +00:00

Tasks

Bootstrap integration app
Create utilities to add/remove VMs to the infrastructure repository
Configuration docs

Please see here for the WIP pull reqeust

## Tasks - Bootstrap integration app - Create utilities to add/remove VMs to the infrastructure repository - Configuration docs Please see [here](https://gitea.hostea.org/Hostea/dashboard/pulls/1#issuecomment-745) for the WIP pull reqeust

realaravinth added spent time 2022-06-25 13:32:12 +00:00

3h 13min

realaravinth commented

2022-06-25 13:36:09 +00:00

Tasks(Hostea/Dashboard)

local_settings.example.py template to override settings.py
fixed integration/templates/integration/* backend-templates
payments check before VM creation
git pull before write and git push post write
and some test suite client up

## Tasks(Hostea/Dashboard) - local_settings.example.py template to override settings.py - fixed integration/templates/integration/* backend-templates - payments check before VM creation - `git pull` before write and `git push` post write - and some test suite client up

realaravinth added spent time 2022-06-25 23:23:17 +00:00

2h

realaravinth added spent time 2022-06-26 23:34:18 +00:00

3h

realaravinth commented

2022-06-26 23:38:46 +00:00

Tasks

tests to verify fleet repository changes are being pushed:
implement add deploy key functionality on integration/ tool
implement init fleet repository functionality on integration/lib.sh
refactor integration/lib.sh to use separate configuration for CI and local environments
dashboard/local_settings.ci.py: defaults for CI environment, read from env vars. Will be copied to local_settings.py by the integration test script, when run from within the CI.

## Tasks - tests to verify fleet repository changes are being pushed: - implement add deploy key functionality on integration/ tool - implement init fleet repository functionality on integration/lib.sh - refactor integration/lib.sh to use separate configuration for CI and local environments - dashboard/local_settings.ci.py: defaults for CI environment, read from env vars. Will be copied to local_settings.py by the integration test script, when run from within the CI.

realaravinth started working 2022-06-27 14:07:26 +00:00

realaravinth stopped working 2022-06-27 15:38:08 +00:00

1h 30min 42s

realaravinth started working 2022-06-27 17:38:58 +00:00

realaravinth commented

2022-06-27 20:03:37 +00:00

Implemented add/delete VM from command line and related tests

👍 1

realaravinth stopped working 2022-06-27 20:03:44 +00:00

2h 24min 47s

dachary commented

2022-06-27 22:05:26 +00:00

wrote the corresponding test and reported an issue on the dashboard, prepared the coworking session

🚀 1

dachary added spent time 2022-06-27 22:05:41 +00:00

4h

realaravinth started working 2022-06-28 18:39:25 +00:00

realaravinth commented

2022-06-28 19:23:08 +00:00

redirect user after successful payments for VM creation
show Gitea admin's login credentials and send creds via email to admin

- redirect user after successful payments for VM creation - show Gitea admin's login credentials and send creds via email to admin

👍 1

realaravinth stopped working 2022-06-28 19:23:14 +00:00

43min 49s

realaravinth added spent time 2022-06-29 17:37:34 +00:00

3h

realaravinth started working 2022-06-29 17:37:40 +00:00

realaravinth stopped working 2022-06-29 19:42:06 +00:00

2h 4min 27s

realaravinth commented

2022-06-29 19:43:12 +00:00

Poll and send email notification to user when their Gitea instance is online and reachable. Please see associated PR

Poll and send email notification to user when their Gitea instance is online and reachable. Please see [associated PR](https://gitea.hostea.org/Hostea/dashboard/pulls/14)

realaravinth started working 2022-06-30 07:32:14 +00:00

realaravinth stopped working 2022-06-30 08:19:06 +00:00

46min 52s

realaravinth added spent time 2022-06-30 17:46:41 +00:00

4h

realaravinth commented

2022-06-30 17:49:35 +00:00

Tasks accomplished:

Each test uses a separate fleet repository
e2e unit testing: all DB instance record creation now creates an instance on fleet repository too.
footer links correction
Gitea/Woodpecker link generation

## Tasks accomplished: - Each test uses a separate fleet repository - e2e unit testing: all DB instance record creation now creates an instance on fleet repository too. - footer links correction - Gitea/Woodpecker link generation

realaravinth added spent time 2022-07-02 03:48:41 +00:00

2h

realaravinth commented

2022-07-02 03:49:34 +00:00

debug tests
(logging yesterday's work)

debug tests (logging yesterday's work)

dachary commented

2022-07-02 10:59:46 +00:00

help with debug

👍 1

dachary added spent time 2022-07-02 11:00:00 +00:00

4h