app/__init__.py

@@ -30,7 +30,7 @@ def create_app(environment='development'):
     config[env].configure(app)
     app.config['APP_TZ'] = os.environ.get('TZ', 'UTC')
     app.config['ADMIN_GROUPS'] = list(
-        map(str.strip, app.config['ADMIN_GROUPS'].split(',')))
+        map(str.strip, app.config.get('ADMIN_GROUPS', "").split(',')))
     app.logger.debug(f"admin groups: {app.config['ADMIN_GROUPS']}")
 
     app.logger.info("middleware init: mobility")
@@ -41,12 +41,12 @@ def create_app(environment='development'):
 
     # Register blueprints.
     from .views import main_blueprint, rest_blueprint
-    app.logger.info(f"registering main blueprint with prefix '{
+    app.logger.info(f"register blueprint: 'main' [prefix '{
-                    main_blueprint.url_prefix}'")
+                    main_blueprint.url_prefix}']")
     app.register_blueprint(main_blueprint)
 
-    app.logger.info(f"registering rest blueprint with prefix '{
+    app.logger.info(f"register blueprint: 'rest' [prefix '{
-                    rest_blueprint.url_prefix}'")
+                    rest_blueprint.url_prefix}']")
     app.register_blueprint(rest_blueprint)
 
     app.logger.info("jinja2 custom filters loaded")

app/lib.py

@@ -2,7 +2,7 @@ import os
 import functools
 
 from flask import request, abort, current_app
-from flask import session as flask_session
+from flask import session as flask_session, jsonify
 from flask_pyoidc import OIDCAuthentication as _OIDCAuth
 from flask_pyoidc.user_session import UserSession
 from flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata
@@ -21,19 +21,6 @@ def remote_ip() -> str:
         return str(request.environ.get('REMOTE_ADDR'))
 
 
-def username() -> str:
-    userinfo = flask_session['userinfo']
-    return userinfo['email'].split('@')[0]
-
-
-def login_name() -> str:
-    userinfo = flask_session['userinfo']
-    if 'preferred_username' in userinfo:
-        return userinfo['preferred_username']
-    else:
-        return username()
-
-
 def webMode() -> bool:
     is_gunicorn = "gunicorn" in os.environ.get('SERVER_SOFTWARE', '')
     is_werkzeug = os.environ.get('WERKZEUG_RUN_MAIN', False) == "true"
@@ -64,6 +51,53 @@ class OIDCAuthentication(_OIDCAuth):
         super().init_app(app)
         app.auth = self
 
+    @property
+    def username(self) -> str:
+        userinfo = flask_session['userinfo']
+        return userinfo['email'].split('@')[0]
+
+    @property
+    def login_name(self) -> str:
+        userinfo = flask_session['userinfo']
+        return userinfo.get('preferred_username', self.username)
+
+    @property
+    def isAdmin(self) -> bool:
+        userinfo = flask_session['userinfo']
+        user_groups = userinfo.get('groups', [])
+        with current_app.app_context():
+            admin_groups = current_app.config.get('ADMIN_GROUPS', [])
+            admin_users = current_app.config.get('ADMIN_USERS', [])
+
+            authorized_groups = set(admin_groups).intersection(user_groups)
+
+            if len(authorized_groups):
+                log.debug(f"'{self.username}' is a member of {
+                          authorized_groups}")
+                return True
+
+            if self.username in admin_users:
+                log.debug(f"'{self.username}' is an admin user")
+                return True
+        return False
+
+    @property
+    def unathorized(self):
+        response = jsonify(
+            {'message': f"not authorized",
+             'comment': 'nice try, info logged',
+             'logged': f"'{self.username}@{remote_ip()}",
+             'result': 'GO AWAY!'})
+        log.warning(
+            f"user '{self.username}' attempted denied operation from {remote_ip()}")
+        return response, 403
+
+    def userOrAdmin(self, username: str):
+        """
+        Check is the current user is an admin OR the username passed as argument
+        """
+        return self.isAdmin or self.username == username
+
     def authorize(self, provider_name: str, authz_fn: Callable, **kwargs):
         if provider_name not in self._provider_configurations:
             raise ValueError(
@@ -165,23 +199,7 @@ class OIDCAuthentication(_OIDCAuth):
         """
 
         def _authz_fn(session) -> bool:
-            user_groups = session.userinfo.get('groups', [])
+            return self.isAdmin
-            username = session.userinfo.get('preferred_username', "")
-            with current_app.app_context():
-                admin_groups = current_app.config.get('ADMIN_GROUPS', [])
-                admin_users = current_app.config.get('ADMIN_USERS', [])
-
-                authorized_groups = set(admin_groups).intersection(user_groups)
-
-                if len(authorized_groups):
-                    log.debug(f"'{username}' is a member of {
-                              authorized_groups}")
-                    return True
-
-                if username in admin_users:
-                    log.debug(f"'{username}' is an admin user")
-                    return True
-            return False
 
         return self.authorize(provider_name,
                               authz_fn=_authz_fn)

app/templates/index.html

@@ -55,6 +55,18 @@
     </div>
 </div>
         {% endfor %}
+<div class="row data">
+    <div class="col col-2">
+        <strong>access level</strong>
+    </div>
+    <div class="col col-6">
+        {% if auth.isAdmin %}
+        <span class="badge badge-pill badge-danger">ADMIN</span>
+        {% else %}
+        <span class="badge badge-pill badge-info">USER</span>
+        {% endif %}
+    </div>
+</div>
 <hr>
 <h4>your devices</h4>
 <div class="row strong">
@@ -67,7 +79,7 @@
 {% for node in userNodeList %}
 <div class="row data">
     <div class="col col-2">
-        {{ node.givenName}}
+        <a href="{{url_for('main.node', nodeId=node.id) }}">{{ node.givenName}}</a>
     </div>
     <div class="col col-2">
         <span data-toggle="tooltip" data-placement="right" title="{{ node.createdAt | fmt_datetime }}">
@@ -84,7 +96,7 @@
     </div>
     <div class="col col-2">
         <span data-toggle="tooltip" data-placement="right" title="delete">
-            <a class="nodeco" href="{{ url_for('rest.deleteOwnNode', nodeId=node.id) }}">
+            <a class="nodeco" href="{{ url_for('rest.deleteNode', nodeId=node.id) }}">
                 <i class="fas fa-trash"></i>
             </a>
         </span>

app/templates/node.html

@@ -74,7 +74,10 @@
 {% for ip in node.ipAddresses %}
 <div class="row data">
     <div class="col col-3">
+        <span class="address copy"
+            value="{{ ip }}">
         {{ ip }}
+        </spanundefined>
     </div>
 </div>
 {% endfor %}
@@ -210,3 +213,13 @@
     </div>
 </div>
 {% endblock %}
+
+{% block scripts %}
+<script>
+    $(function () {
+        $('.address.copy').on('click', function() {
+            copyToClipboard(this)
+        })
+    })
+</script>
+{% endblock %}

app/templates/nodes.html

@@ -52,7 +52,7 @@
             <td class="no-sort">
                 {% if node.expireDate and not node.expired %}
                 <span data-toggle="tooltip" data-placement="right" title="expire/disconnect">
-                    <a class="nodeco" href="{{ url_for('rest.expireNodeList', nodeId=node.id) }}">
+                    <a class="nodeco" href="{{ url_for('rest.expireNode', nodeId=node.id) }}">
                         <i class="fas fa-plug"></i>
                     </a>
                 </span>

app/templates/user.html

@@ -49,7 +49,7 @@
             <td class="no-sort">
                 {% if node.expireDate and not node.expired %}
                 <span data-toggle="tooltip" data-placement="right" title="expire/disconnect">
-                    <a class="nodeco" href="{{ url_for('rest.expireNodeUser', nodeId=node.id) }}">
+                    <a class="nodeco" href="{{ url_for('rest.expireNode', nodeId=node.id) }}">
                         <i class="fas fa-plug"></i>
                     </a>
                 </span>
@@ -57,7 +57,7 @@
                     <i class="fas fa-plug disabled"></i>
                 {% endif %}
                 <span data-toggle="tooltip" data-placement="right" title="delete">
-                    <a class="nodeco" href="{{ url_for('rest.deleteNodeUser', nodeId=node.id) }}">
+                    <a class="nodeco" href="{{ url_for('rest.deleteNode', nodeId=node.id) }}">
                         <i class="fas fa-trash"></i>
                     </a>
                 </span>

app/views/main.py

@@ -26,6 +26,15 @@ def health():
     return jsonify(dict(status="OK", version=current_app.config['APP_VERSION']))
 
 
+@main_blueprint.route('/token', methods=['GET', 'POST'])
+@auth.authorize_admins('default')
+def token():
+    user_session = UserSession(session)
+    return jsonify(access_token=user_session.access_token,
+                   id_token=user_session.id_token,
+                   userinfo=user_session.userinfo)
+
+
 @main_blueprint.route('/', methods=['GET', 'POST'])
 @auth.access_control('default')
 def index():
@@ -34,17 +43,8 @@ def index():
     userNodeList = [n for n in Node().list().nodes if n.user.name == hs_user]
     return render_template('index.html',
                            userNodeList=userNodeList,
-                           session=user_session)
+                           session=user_session,
-
+                           auth=auth)
-
-@main_blueprint.route('/token', methods=['GET', 'POST'])
-@auth.authorize_admins('default')
-def token():
-    user_session = UserSession(session)
-    # return jsonify(user_session.userinfo)
-    return jsonify(access_token=user_session.access_token,
-                   id_token=user_session.id_token,
-                   userinfo=user_session.userinfo)
 
 
 @main_blueprint.route('/logout')
@@ -62,12 +62,14 @@ def nodes():
 
 
 @main_blueprint.route('/node/<int:nodeId>', methods=['GET'])
-@auth.authorize_admins('default')
+@auth.access_control('default')
 def node(nodeId):
     # There is a bug in HS api with retrieving a single node
     # and we added a workaround to hsapi, so node.get() returns a
     # v1Node object instead of v1NodeResponse, so we access directly
     # `node`, instead of `node.node`
+    if not auth.userOrAdmin(auth.username):
+        return auth.unathorized
     node = Node().get(nodeId)
     routes = Node().routes(nodeId)
     isExitNode = any(

app/views/rest.py

@@ -4,7 +4,7 @@ from flask import Blueprint, request
 from flask import redirect, url_for
 from app import auth
 
-from ..lib import login_name, username
+# from ..lib import login_name, username
 
 from flask import jsonify
 
@@ -35,75 +35,35 @@ def routeToggle(routeId: int):
             action = 'enabled'
         log.info(
             f"route '{route.prefix}' via '{route.node.givenName}'"
-            f"{action} by '{username()}'")
+            f"{action} by '{auth.username}'")
-    return redirect(url_for("main.routes"))
+    return redirect(request.referrer)
 
 
 @rest_blueprint.route('/node/<int:nodeId>/expire', methods=['GET'])
-@auth.authorize_admins('default')
+@auth.access_control('default')
 def expireNode(nodeId: int):
-    """
-    This expires a node from the node page.
-    The difference from above is that it returns to the /node/nodeId page
-    """
-    Node().expire(nodeId)
-    log.info(f"node '{nodeId}' expired by '{username()}'")
-    return redirect(url_for("main.node", nodeId=nodeId))
-
-
-@rest_blueprint.route('/node/<int:nodeId>/user-expire', methods=['GET'])
-@auth.authorize_admins('default')
-def expireNodeUser(nodeId: int):
     """
     This expires a node from the node page.
     The difference from above is that it returns to the /node/nodeId page
     """
     node = Node().get(nodeId)
-    userName = node.user.name
+    if not auth.userOrAdmin(node.user.name):
+        return auth.unathorized
     Node().expire(nodeId)
-    log.info(f"node '{nodeId}' expired by '{username()}'")
+    log.info(f"node '{nodeId}' expired by '{auth.username}'")
-    return redirect(url_for("main.user", userName=userName))
+    return redirect(request.referrer)
-
-
-@rest_blueprint.route('/node/<int:nodeId>/list-expire', methods=['GET'])
-@auth.authorize_admins('default')
-def expireNodeList(nodeId: int):
-    """
-    This expires a node from the node list.
-    The difference from above is that it returns to the /nodes page
-    """
-    Node().expire(nodeId)
-    log.info(f"node '{nodeId}' expired by '{username()}'")
-    return redirect(url_for("main.nodes"))
 
 
 @rest_blueprint.route('/node/<int:nodeId>/delete', methods=['GET'])
-@ auth.authorize_admins('default')
+@auth.access_control('default')
 def deleteNode(nodeId: int):
-    Node().delete(nodeId)
-    log.info(f"node '{nodeId}' deleted by '{username()}'")
-    return redirect(url_for("main.nodes"))
-
-
-@rest_blueprint.route('/node/<int:nodeId>/delete-own', methods=['GET'])
-@auth.access_control('default')
-def deleteOwnNode(nodeId: int):
     node = Node().get(nodeId)
-    if node.user.name != username():
+    if not auth.userOrAdmin(node.user.name):
-        response = jsonify({'message': 'not authorized'})
+        return auth.unathorized
-        return response, 401
+    Node().expire(nodeId)
     Node().delete(nodeId)
-    log.info(f"'{username()}' delete their own node '{nodeId}'")
+    log.info(f"node '{nodeId}' deleted by '{auth.username}'")
-    return redirect(url_for("main.index"))
+    return redirect(request.referrer)
-
-
-@rest_blueprint.route('/node/<int:nodeId>/delete-user', methods=['GET'])
-@auth.access_control('default')
-def deleteNodeUser(nodeId: int):
-    node = Node().get(nodeId)
-    Node().delete(nodeId)
-    log.info(f"'{username()}' delete their own node '{nodeId}'")
-    return redirect(url_for("main.user", userName=node.user.name))
 
 
 @rest_blueprint.route('/node/<int:nodeId>/rename/<newName>', methods=['GET'])

config.py

@@ -17,7 +17,7 @@ class BaseConfig(object):
     # All the followinf vars can be overriden
     # in the environment, using `HSMAN_` prefix
     SECRET_KEY = "secreto"
-    ADMIN_GROUPS = ["adminGroup"]
+    ADMIN_GROUPS = "adminGroup"
     OIDC_CLIENT_ID = 'client-id'
     OIDC_CLIENT_SECRET = 'client-secreto'
     OIDC_URL = "https://myidp.example.com/auth"