From a67a7e01b4a0f781885fd6cd3b9633f21cf1f230 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Tue, 23 May 2023 10:08:08 +0300
Subject: [PATCH] Update saml auth patch

---
 SOURCES/faf-saml-auth.patch | 442 +++++++++++++++---------------------
 SPECS/faf.spec              |   2 +-
 2 files changed, 179 insertions(+), 265 deletions(-)

diff --git a/SOURCES/faf-saml-auth.patch b/SOURCES/faf-saml-auth.patch
index fd33988..f7a7e07 100644
--- a/SOURCES/faf-saml-auth.patch
+++ b/SOURCES/faf-saml-auth.patch
@@ -1,264 +1,178 @@
-diff -crB src.orig/webfaf/config.py src/webfaf/config.py
-*** src.orig/webfaf/config.py	2021-02-11 11:31:10.000000000 +0200
---- src/webfaf/config.py	2021-02-11 11:43:27.000000000 +0200
-***************
-*** 10,15 ****
---- 10,16 ----
-  
-  
-  class Config(object):
-+     SAML_CONFIG_DIR = '/etc/faf/saml'
-      DEBUG = False
-      TESTING = False
-      SECRET_KEY = 'NOT_A_RANDOM_STRING'
-diff -crB src.orig/webfaf/login.py src/webfaf/login.py
-*** src.orig/webfaf/login.py	2021-02-11 11:31:10.000000000 +0200
---- src/webfaf/login.py	2021-02-11 11:44:30.000000000 +0200
-***************
-*** 1,56 ****
-  import flask
-  from openid_teams import teams
-  from werkzeug.wrappers import Response
-  
-  from pyfaf.storage.user import User
-  from webfaf.webfaf_main import db, oid, app
-  from webfaf.utils import fed_raw_name
-  
-! login = flask.Blueprint("login", __name__)
-  
-  
-! @login.route("/login/", methods=["GET"])
-! @oid.loginhandler
-! def do_login() -> Response:
-!     if flask.g.user is not None:
-!         return flask.redirect(oid.get_next_url())
-! 
-!     teams_req = teams.TeamsRequest(app.config["OPENID_PRIVILEGED_TEAMS"])
-!     return oid.try_login("https://id.fedoraproject.org/",
-!                          ask_for=["email"], extensions=[teams_req])
-! 
-! 
-! @oid.after_login
-! def create_or_login(resp) -> Response:
-!     flask.session["openid"] = resp.identity_url
-!     username = fed_raw_name(resp.identity_url)
-  
-      privileged = False
-!     # "lp" is the namespace for openid-teams
-!     if "lp" in resp.extensions and any(group in app.config["OPENID_PRIVILEGED_TEAMS"]
-!                                        for group in resp.extensions["lp"].teams):
-          privileged = True
-  
-      user = db.session.query(User).filter(User.username == username).first()
-      if not user:  # create
-!         user = User(username=username, mail=resp.email, privileged=privileged)
-      else:
-!         user.mail = resp.email
-          user.privileged = privileged
-  
-      db.session.add(user)
-      db.session.commit()
-      flask.flash(u"Welcome, {0}".format(user.username))
-      flask.g.user = user
-  
-!     if flask.request.url_root == oid.get_next_url():
-!         return flask.redirect(flask.url_for("summary.index"))
-  
-!     return flask.redirect(oid.get_next_url())
-  
-  
-  @login.route("/logout/")
-  def do_logout() -> Response:
-!     flask.session.pop("openid", None)
-      flask.flash(u"You were signed out")
-!     return flask.redirect(oid.get_next_url())
---- 1,113 ----
-  import flask
-  from openid_teams import teams
-  from werkzeug.wrappers import Response
-+ from urllib.parse import urlparse, urljoin
-  
-  from pyfaf.storage.user import User
-  from webfaf.webfaf_main import db, oid, app
-  from webfaf.utils import fed_raw_name
-+ from onelogin.saml2.auth import OneLogin_Saml2_Auth
-  
-! login = flask.Blueprint('login', __name__)
-  
-  
-! def init_saml_auth(req):
-!     saml_config_dir = app.config['SAML_CONFIG_DIR']
-!     return OneLogin_Saml2_Auth(req, custom_base_path=saml_config_dir)
-! 
-! 
-! def prepare_flask_request(req):
-!     parsed_url = urlparse(req.url)
-!     return {
-!         'https': 'on' if req.scheme == 'https' else 'off',
-!         'http_host': req.host,
-!         'server_port': parsed_url.port,
-!         'script_name': req.script_root + req.path,
-!         'get_data': req.args.copy(),
-!         'post_data': req.form.copy(),
-!         'query_string': req.query_string
-!     }
-! 
-! 
-! @login.route('/login/', methods=('GET',))
-! def do_login():
-!     """SSO authentication entry-point."""
-!     req = prepare_flask_request(flask.request)
-!     comeback_url = urljoin(flask.request.host_url, '/faf/summary')
-!     return_to = flask.request.args.get('return_to')
-!     if return_to:
-!         comeback_url += '?return_to={0}'.format(return_to)
-!     auth = init_saml_auth(req)
-!     return flask.redirect(auth.login(comeback_url))
-! 
-! 
-! @login.route('/acs/', methods=('POST',))
-! def acs():
-!     req = prepare_flask_request(flask.request)
-!     auth = init_saml_auth(req)
-!     auth.process_response()
-!     errors = auth.get_errors()
-!     if errors:
-!         return flask.helpers.make_response('Error: {0}'.format(', '.join(errors)), 500)
-!     elif not auth.is_authenticated():
-!         return flask.helpers.make_response('Error: authentication failed', 401)
-!     user_attrs = auth.get_attributes()
-  
-      privileged = False
-!     is_admin = False
-!     if any(group in user_attrs['groups'] for group in ('alma_retrace_admin', 'admins')):
-          privileged = True
-+         is_admin = True
-  
-+     email = user_attrs['email'][0]
-+     username = email.split('@')[0]
-      user = db.session.query(User).filter(User.username == username).first()
-      if not user:  # create
-!         user = User(username=username, mail=email, privileged=privileged, admin=is_admin)
-      else:
-!         user.mail = email
-          user.privileged = privileged
-+         user.admin = is_admin
-  
-      db.session.add(user)
-      db.session.commit()
-      flask.flash(u"Welcome, {0}".format(user.username))
-      flask.g.user = user
-+     flask.session['username'] = username
-  
-!     return flask.redirect(flask.request.form['RelayState'])
-  
-! 
-! @login.route('/metadata/', methods=('GET',))
-! def metadata():
-!     """
-!     Returns the Build System IDP provider metadata.
-! 
-!     Returns
-!     -------
-!     flask.wrappers.Response
-!         IDP provider metadata response.
-! 
-!     See Also
-!     --------
-!     https://en.wikipedia.org/wiki/SAML_Metadata#Identity_Provider_Metadata
-!     """
-!     req = prepare_flask_request(flask.request)
-!     auth = init_saml_auth(req)
-!     settings = auth.get_settings()
-!     metadata = settings.get_sp_metadata()
-!     errors = settings.validate_metadata(metadata)
-!     if errors:
-!         rsp = flask.make_response(', '.join(errors), 500)
-!     else:
-!         rsp = flask.make_response(metadata, 200)
-!         rsp.headers['Content-Type'] = 'text/xml'
-!     return rsp
-  
-  
-  @login.route("/logout/")
-  def do_logout() -> Response:
-!     flask.session.pop("username", None)
-      flask.flash(u"You were signed out")
-!     return flask.redirect(flask.url_for("summary.index"))
-! 
-diff -crB src.orig/webfaf/templates/base.html src/webfaf/templates/base.html
-*** src.orig/webfaf/templates/base.html	2021-02-11 11:31:12.000000000 +0200
---- src/webfaf/templates/base.html	2021-02-11 13:09:20.000000000 +0200
-***************
-*** 71,77 ****
-              </ul>
-              {% if config['OPENID_ENABLED'] %}
-                <ul class="nav navbar-nav navbar-utility">
--                 <li><a href="https://apps.fedoraproject.org/notifications" class="fa fa-bell notifications" title="Notifications preferences"></a></li>
-                  {% if g.user %}
-                  <li class="dropdown">
-                    <a id="user-dropdown" role="button" data-toggle="dropdown">
---- 71,76 ----
-diff -crB src.orig/webfaf/webfaf_main.py src/webfaf/webfaf_main.py
-*** src.orig/webfaf/webfaf_main.py	2021-02-11 11:31:15.000000000 +0200
---- src/webfaf/webfaf_main.py	2021-02-10 19:55:36.000000000 +0200
-***************
-*** 14,20 ****
-  import munch
-  from ratelimitingfilter import RateLimitingFilter
-  from werkzeug.local import LocalProxy
-! from werkzeug.middleware.proxy_fix import ProxyFix
-  
-  from pyfaf.storage.user import User
-  from pyfaf.storage import OpSysComponent, Report
---- 14,23 ----
-  import munch
-  from ratelimitingfilter import RateLimitingFilter
-  from werkzeug.local import LocalProxy
-! try:
-!     from werkzeug.middleware.proxy_fix import ProxyFix
-! except ModuleNotFoundError:
-!     from werkzeug.contrib.fixers import ProxyFix
-  
-  from pyfaf.storage.user import User
-  from pyfaf.storage import OpSysComponent, Report
-***************
-*** 167,174 ****
-  @app.before_request
-  def before_request() -> None:
-      flask.g.user = None
-!     if "openid" in flask.session:
-!         username = fed_raw_name(flask.session["openid"])
-          flask.g.user = (db.session.query(User)
-                          .filter(User.username == username)
-                          .first())
---- 170,177 ----
-  @app.before_request
-  def before_request() -> None:
-      flask.g.user = None
-!     if "username" in flask.session:
-!         username = flask.session["username"]
-          flask.g.user = (db.session.query(User)
-                          .filter(User.username == username)
-                          .first())
-diff -crB tests.orig/test_webfaf/test_user.py tests/test_webfaf/test_user.py
-*** tests.orig/test_webfaf/test_user.py	2021-02-11 11:31:18.000000000 +0200
---- tests/test_webfaf/test_user.py	2021-02-11 11:55:50.000000000 +0200
-***************
-*** 24,30 ****
-          self.db.session.commit()
-  
-          with self.app.session_transaction() as session:
-!             session['openid'] = 'faker1'
-  
-      def test_delete_user_data(self):
-          """
---- 24,30 ----
-          self.db.session.commit()
-  
-          with self.app.session_transaction() as session:
-!             session['username'] = 'faker1'
-  
-      def test_delete_user_data(self):
-          """
- 
\ No newline at end of file
+diff -aruN faf-2.6.1/src/webfaf/config.py faf-2.6.1.alma/src/webfaf/config.py
+--- faf-2.6.1/src/webfaf/config.py	2023-01-11 17:35:16
++++ faf-2.6.1.alma/src/webfaf/config.py	2023-05-23 09:47:50
+@@ -13,6 +13,7 @@
+ 
+ 
+ class Config:
++    SAML_CONFIG_DIR = '/etc/faf/saml'
+     DEBUG = False
+     TESTING = False
+     SECRET_KEY = "NOT_A_RANDOM_STRING"
+diff -aruN faf-2.6.1/src/webfaf/login.py faf-2.6.1.alma/src/webfaf/login.py
+--- faf-2.6.1/src/webfaf/login.py	2023-01-11 17:35:16
++++ faf-2.6.1.alma/src/webfaf/login.py	2023-05-23 09:50:08
+@@ -1,58 +1,112 @@
+ import flask
+ from openid_teams import teams
+ from werkzeug.wrappers import Response
++from urllib.parse import urlparse, urljoin
+ 
+ from pyfaf.storage.user import User
+ from webfaf.webfaf_main import db, oid, app
+ from webfaf.utils import fed_raw_name
++from onelogin.saml2.auth import OneLogin_Saml2_Auth
+ 
+-login = flask.Blueprint("login", __name__)
++login = flask.Blueprint('login', __name__)
+ 
+ 
+-@login.route("/login/", methods=["GET"])
+-@oid.loginhandler
+-def do_login() -> Response:
+-    if flask.g.user is not None:
+-        return flask.redirect(oid.get_next_url())
++def init_saml_auth(req):
++    saml_config_dir = app.config['SAML_CONFIG_DIR']
++    return OneLogin_Saml2_Auth(req, custom_base_path=saml_config_dir)
+ 
+-    teams_req = teams.TeamsRequest(app.config["OPENID_PRIVILEGED_TEAMS"])
+-    return oid.try_login("https://id.fedoraproject.org/",
+-                         ask_for=["email"], extensions=[teams_req])
+ 
++def prepare_flask_request(req):
++    parsed_url = urlparse(req.url)
++    return {
++        'https': 'on' if req.scheme == 'https' else 'off',
++        'http_host': req.host,
++        'server_port': parsed_url.port,
++        'script_name': req.script_root + req.path,
++        'get_data': req.args.copy(),
++        'post_data': req.form.copy(),
++        'query_string': req.query_string
++    }
+ 
+-@oid.after_login
+-def create_or_login(resp) -> Response:
+-    flask.session["openid"] = resp.identity_url
+-    username = fed_raw_name(resp.identity_url)
+ 
++@login.route('/login/', methods=('GET',))
++def do_login():
++    """SSO authentication entry-point."""
++    req = prepare_flask_request(flask.request)
++    comeback_url = urljoin(flask.request.host_url, '/faf/summary')
++    return_to = flask.request.args.get('return_to')
++    if return_to:
++        comeback_url += '?return_to={0}'.format(return_to)
++    auth = init_saml_auth(req)
++    return flask.redirect(auth.login(comeback_url))
++
++
++@login.route('/acs/', methods=('POST',))
++def acs():
++    req = prepare_flask_request(flask.request)
++    auth = init_saml_auth(req)
++    auth.process_response()
++    errors = auth.get_errors()
++    if errors:
++        return flask.helpers.make_response('Error: {0}'.format(', '.join(errors)), 500)
++    elif not auth.is_authenticated():
++        return flask.helpers.make_response('Error: authentication failed', 401)
++    user_attrs = auth.get_attributes()
++
+     privileged = False
+-    # "lp" is the namespace for openid-teams
+-    if "lp" in resp.extensions and any(group in app.config["OPENID_PRIVILEGED_TEAMS"]
+-                                       for group in resp.extensions["lp"].teams):
++    is_admin = False
++    if any(group in user_attrs['groups'] for group in ('alma_retrace_admin', 'admins')):
+         privileged = True
++        is_admin = True
+ 
++    email = user_attrs['email'][0]
++    username = email.split('@')[0]
+     user = db.session.query(User).filter(User.username == username).first()
+     if not user:  # create
+-        user = User(username=username, mail=resp.email, privileged=privileged)
++        user = User(username=username, mail=email, privileged=privileged, admin=is_admin)
+     else:
+-        user.mail = resp.email
++        user.mail = email
+         user.privileged = privileged
++        user.admin = is_admin
+ 
+     db.session.add(user)
+     db.session.commit()
+     flask.flash(u"Welcome, {0}".format(user.username))
+-    # This is okay: https://flask.palletsprojects.com/en/2.0.x/api/#flask.g
+-    # pylint: disable=assigning-non-slot
+     flask.g.user = user
++    flask.session['username'] = username
+ 
+-    if flask.request.url_root == oid.get_next_url():
+-        return flask.redirect(flask.url_for("summary.index"))
++    return flask.redirect(flask.request.form['RelayState'])
+ 
+-    return flask.redirect(oid.get_next_url())
+ 
++@login.route('/metadata/', methods=('GET',))
++def metadata():
++    """
++    Returns the Build System IDP provider metadata.
+ 
++    Returns
++    -------
++    flask.wrappers.Response
++        IDP provider metadata response.
++
++    See Also
++    --------
++    https://en.wikipedia.org/wiki/SAML_Metadata#Identity_Provider_Metadata
++    """
++    req = prepare_flask_request(flask.request)
++    auth = init_saml_auth(req)
++    settings = auth.get_settings()
++    metadata = settings.get_sp_metadata()
++    errors = settings.validate_metadata(metadata)
++    if errors:
++        rsp = flask.make_response(', '.join(errors), 500)
++    else:
++        rsp = flask.make_response(metadata, 200)
++        rsp.headers['Content-Type'] = 'text/xml'
++    return rsp
++
++
+ @login.route("/logout/")
+ def do_logout() -> Response:
+-    flask.session.pop("openid", None)
++    flask.session.pop("username", None)
+     flask.flash(u"You were signed out")
+-    return flask.redirect(oid.get_next_url())
++    return flask.redirect(flask.url_for("summary.index"))
+diff -aruN faf-2.6.1/src/webfaf/webfaf_main.py faf-2.6.1.alma/src/webfaf/webfaf_main.py
+--- faf-2.6.1/src/webfaf/webfaf_main.py	2023-01-11 17:35:16
++++ faf-2.6.1.alma/src/webfaf/webfaf_main.py	2023-05-23 09:53:06
+@@ -170,8 +170,8 @@
+ @app.before_request
+ def before_request() -> None:
+     flask.g.user = None
+-    if "openid" in flask.session:
+-        username = fed_raw_name(flask.session["openid"])
++    if "username" in flask.session:
++        username = flask.session["username"]
+         flask.g.user = (db.session.query(User)
+                         .filter(User.username == username)
+                         .first())
+diff -aruN faf-2.6.1/tests/test_webfaf/test_user.py faf-2.6.1.alma/tests/test_webfaf/test_user.py
+--- faf-2.6.1/tests/test_webfaf/test_user.py	2023-01-11 17:35:16
++++ faf-2.6.1.alma/tests/test_webfaf/test_user.py	2023-05-23 09:53:28
+@@ -24,7 +24,7 @@
+         self.db.session.commit()
+ 
+         with self.app.session_transaction() as session:
+-            session['openid'] = 'faker1'
++            session['username'] = 'faker1'
+ 
+     def test_delete_user_data(self):
+         """
diff --git a/SPECS/faf.spec b/SPECS/faf.spec
index cf187e4..fe405c8 100644
--- a/SPECS/faf.spec
+++ b/SPECS/faf.spec
@@ -571,7 +571,7 @@ systemd services for the Celery task queue.
 %setup -q
 # AlmaLinux support patches
 %patch0 -p1
-%patch1 -p0
+%patch1 -p1
 
 NOCONFIGURE=1 ./autogen.sh