Dev

.vscode/launch.json

@@ -4,7 +4,6 @@
     // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
     "version": "0.2.0",
     "configurations": [
-
         {
             "name": "abcdesktop.io",
             "type": "debugpy",

Dockerfile.alpine

@@ -14,8 +14,9 @@ RUN apk update --no-cache && \
 	krb5 \
 	krb5-libs \
 	libgsasl \
-	"libssl3>3.5.4" \
-	"libcrypto3>3.5.4"
+	bash
+
+SHELL ["/bin/bash", "-c"]
 
 #   gss-ntlmssp 
 #   krb5-user 
@@ -40,9 +41,9 @@ RUN apk add --no-cache \
 	musl-dev \
 	py3-ldap \
 	py3-ldap-pyc \
-    py3-python-gssapi-pyc \
-    py3-python-gssapi \
-    krb5-dev \
+    	py3-python-gssapi-pyc \
+    	py3-python-gssapi \
+    	krb5-dev \
 	geoip-dev \
 	openldap-dev
 
@@ -67,16 +68,24 @@ COPY . .
 RUN pip install --upgrade pip && \
     pip install --no-cache-dir -r requirements.txt
 
+
+# get ASNNumber database
+# IPASN data files can be created by downloading MRT/RIB BGP archives from Routeviews (or similar sources), 
+# and parsing them using provided scripts that tail the BGP AS-Path.
+RUN pyasn_util_download.py --latestv46 --filename rib.bz2 && \
+    pyasn_util_convert.py --single rib.bz2 ipasn_db.dat && \
+    rm -f rib.bz2 
+
 # remove dev package
 # should better use a builder instance
 # but I can't find how to grab all new libraries
 RUN apk del --no-cache \
 	krb5-dev \
-    gcc \
-    musl-dev \
-    krb5-dev \
-    geoip-dev \
-    openldap-dev
+    	gcc \
+    	musl-dev \
+    	krb5-dev \
+    	geoip-dev \
+    	openldap-dev
 
 # create log directory
 RUN mkdir -p /var/pyos/logs

Dockerfile.ubuntu

@@ -8,25 +8,25 @@ RUN apt-get update && apt-get upgrade -y && apt-get clean  && rm -rf /var/lib/ap
 
 # install python
 RUN apt-get update && apt-get install -y --no-install-recommends \
-	python3 \	
+    python3 \	
     python3-pip \
-	python3-virtualenv \
+    python3-virtualenv \
     && apt-get clean  \
     && rm -rf /var/lib/apt/lists/*
 
 # install python dev
 RUN apt-get update && apt-get install -y --no-install-recommends \
 	wget \
 	gcc \
-    make \
-    python3-dev \
+   	make \
+    	python3-dev \
 	libffi-dev \
 	libkrb5-dev \
-    libsasl2-dev \ 
-    libsasl2-dev \
-    libldap2-dev \
+    	libsasl2-dev \ 
+    	libsasl2-dev \
+    	libldap2-dev \
 	libgeoip-dev \
-    libssl-dev \
+    	libssl-dev \
 	rustc \
     && apt-get clean            \
     && rm -rf /var/lib/apt/lists/*
@@ -81,6 +81,13 @@ RUN virtualenv /var/pyos && \
     source /var/pyos/bin/activate && \
     pip install --no-cache-dir -r requirements.txt
 
+# get ASNNumber database
+# IPASN data files can be created by downloading MRT/RIB BGP archives from Routeviews (or similar sources), 
+# and parsing them using provided scripts that tail the BGP AS-Path.
+RUN source /var/pyos/bin/activate && \
+    python3 bin/pyasn_util_download.py --latestv46 --filename rib.bz2 && \
+    python3 bin/pyasn_util_convert.py --single rib.bz2 ipasn_db.dat && \
+    rm -f rib.bz2
 
 # remove dev lib 
 RUN apt-get remove -y \

controllers/auth_controller.py

@@ -359,9 +359,8 @@ def buildsecret(self):
         password = args.get('password')
         if not isinstance(password, str):
             raise cherrypy.HTTPError(400, 'Bad request invalid password parameter')
-
 
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
 
         # build a login dict arg object with provider set to AD
         args_login = {  
@@ -675,12 +674,12 @@ def login(self):
         # get params from json request
         args = cherrypy.request.json
         # can raise exception
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
 
         # push a start message to database cache info
         services.messageinfo.start( user.userid, "b.Launching desktop")
         # launch the user desktop 
-        return self.root.composer._launchdesktop( auth, user, args)
+        return self.root.composer._launchdesktop( auth, user, roles, args)
 
 
     @cherrypy.expose
@@ -691,9 +690,9 @@ def refreshtoken(self):
         # no params from json request
         # args = cherrypy.request.json
         # can raise exception
-        (auth, user) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         # update token
-        jwt_user_token = services.auth.update_token( auth=auth, user=user, roles=None )
+        jwt_user_token = services.auth.update_token( auth=auth, user=user, roles=roles )
         # add no-cache nosniff HTTP headers
         cherrypy.response.headers[ 'Cache-Control'] = 'no-cache, private'
         # disable content or MIME sniffing which is used to override response Content-Type headers 

controllers/composer_controller.py

@@ -25,6 +25,8 @@
 
 from oc.cherrypy import Results
 from oc.od.base_controller import BaseController
+from oc.auth.authservice  import AuthInfo, AuthUser, AuthRoles # to read AuthInfo, AuthUser, AuthRoles
+
 
 
 logger = logging.getLogger(__name__)
@@ -46,7 +48,7 @@ def __init__(self, config_controller=None):
     @cherrypy.tools.json_out()
     def ocrun(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         args = cherrypy.request.json
         if not isinstance(args, dict):
             raise cherrypy.HTTPError( status=400, message='invalid parameters')
@@ -64,7 +66,7 @@ def ocrun(self):
              raise cherrypy.HTTPError( status=400, message='ocrun error')
         return Results.success(result=result)
 
-    def LocaleSettingsLanguage( self, user ):
+    def LocaleSettingsLanguage( self, user:dict ):
         # add current locale from http Accept-Language to AuthUser 
         locale = oc.i18n.detectLocale(cherrypy.request.headers.get('Accept-Language'), oc.od.settings.supportedLocales)
         user['locale'] = locale
@@ -76,19 +78,19 @@ def launchdesktop(self):
         # increase timeout when creating the first user pod
         cherrypy.response.timeout = 300
         self.logger.debug('launchdesktop:validate_env')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         # add lang to user dict   
         self.logger.debug('launchdesktop:LocaleSettingsLanguage')
         self.LocaleSettingsLanguage( user )
         self.logger.debug('launchdesktop:_launchdesktop')
-        result = self._launchdesktop(auth, user, cherrypy.request.json)
+        result = self._launchdesktop(auth, user, roles, cherrypy.request.json)
         return result
 
     @cherrypy.expose
     @cherrypy.tools.json_in()
     @cherrypy.tools.json_out()
     def list_applications_by_phase(self):
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         args = cherrypy.request.json
         if type(args) is not dict:
             return cherrypy.HTTPError( status=400, message='invalid args parameters')
@@ -103,7 +105,7 @@ def list_applications_by_phase(self):
     @cherrypy.tools.json_in()
     def getlogs(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles ) = self.validate_env()
         logs = oc.od.composer.logdesktop(auth, user)
         return Results.success(result=logs)
 
@@ -112,7 +114,7 @@ def getlogs(self):
     @cherrypy.tools.json_out()
     def stopcontainer(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         args = cherrypy.request.json
         if type(args) is not dict:
             return cherrypy.HTTPError( status=400, message='invalid args parameters')
@@ -134,7 +136,7 @@ def stopcontainer(self):
     @cherrypy.tools.json_out()
     def logcontainer(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         args = cherrypy.request.json
         if not isinstance( args, dict):
             return cherrypy.HTTPError( status=400, message='invalid parameters')
@@ -158,7 +160,7 @@ def logcontainer(self):
     @cherrypy.tools.json_out()
     def envcontainer(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         args = cherrypy.request.json
         if not isinstance( args, dict):
             raise cherrypy.HTTPError( status=400, message='invalid parameters' )
@@ -181,7 +183,7 @@ def envcontainer(self):
     @cherrypy.tools.json_out()
     def removecontainer(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         args = cherrypy.request.json
         if not isinstance( args, dict):
             return cherrypy.HTTPError( status=400, message='invalid parameters' )
@@ -208,7 +210,7 @@ def removecontainer(self):
     @cherrypy.tools.json_out()
     def listcontainer(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         result = oc.od.composer.listContainerApps(auth, user)
         return Results.success(result=result)
 
@@ -217,7 +219,7 @@ def listcontainer(self):
     @cherrypy.tools.json_in()
     def refreshdesktoptoken(self):
         self.logger.debug('')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         desktop = oc.od.composer.finddesktop(authinfo=auth, userinfo=user)
 
         # check desktop object
@@ -256,7 +258,7 @@ def getdesktopdescription(self):
         # check if request is allowed, raise an exception if deny
         self.is_permit_request()
         # check if user is authenticated and identified, raise an exception if not
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         result = oc.od.composer.getdesktopdescription(auth, user)
         if not isinstance( result, dict ):
             raise cherrypy.HTTPError( status=400, message='failed to getdesktopdescription')
@@ -269,7 +271,7 @@ def getdesktopdescription(self):
     def getuserapplist(self):
         self.logger.debug('')
 
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         userappdict = {}
         # list all applications allowed for this user (auth)
         appdict = services.apps.user_appdict( auth, filtered_public_attr_list=True)
@@ -285,8 +287,9 @@ def getuserapplist(self):
         userapplist = list( userappdict.values() )
         # return succes data 
         return Results.success(result=userapplist)    
+
 
-    def _launchdesktop(self, auth, user, args):
+    def _launchdesktop(self, auth:AuthInfo, user:AuthUser, roles:AuthRoles, args:dict):
         self.logger.debug('')
 
         #
@@ -297,12 +300,7 @@ def _launchdesktop(self, auth, user, args):
         # raise it again
         #
         try:
-            # read the user ip source address for accounting and log history data
-            webclient_sourceipaddr = oc.cherrypy.getclientipaddr()
-            args[ 'WEBCLIENT_SOURCEIPADDR' ] = webclient_sourceipaddr
-
-            # open a new desktop
-            desktop = oc.od.composer.opendesktop( auth, user, args ) 
+            desktop = oc.od.composer.opendesktop( auth, user, roles, args ) 
 
             # safe check for desktop type
             if not isinstance(desktop, oc.od.desktop.ODDesktop):  
@@ -408,7 +406,7 @@ def get_target_ip_route(self, target, websocketrouting ):
     @cherrypy.tools.json_out()
     @cherrypy.tools.json_in()
     def listsecrets(self):    
-        (auth, user ) = self.validate_env()
+        (auth, user,roles) = self.validate_env()
         # list secrets
         secrets = oc.od.composer.listAllSecretsByUser(auth, user)
         list_secrets = list( secrets )

controllers/core_controller.py

@@ -96,7 +96,7 @@ def getmessageinfo(self)->bytes:
         # route content type to handler
         routecontenttype = { 'text/plain': self.handler_messageinfo_text, 'application/json': self.handler_messageinfo_json }
         try:
-            (_, user ) = self.validate_env()
+            (_auth, user, _roles) = self.validate_env()
             message = services.messageinfo.popflush(user.userid)
             lambdaroute = self.getlambdaroute( routecontenttype, defaultcontenttype='application/json' )( message )
         except Exception as e:

controllers/manager_controller.py

@@ -333,7 +333,7 @@ def desktop( self, *args ):
     @cherrypy.tools.json_out()
     def images( self )->str:
         self.is_permit_request()
-        if   cherrypy.request.method == 'GET':
+        if cherrypy.request.method == 'GET':
             return self.handle_images_GET()
         elif cherrypy.request.method == 'DELETE':
             return self.handle_images_DELETE()
@@ -356,7 +356,7 @@ def handle_images_GET( self )->str:
     @cherrypy.tools.json_out()
     def image( self, image:str=None, node:str=None ):
         self.is_permit_request()
-        if   cherrypy.request.method == 'GET':
+        if cherrypy.request.method == 'GET':
             return self.handle_image_GET( image=image )
         elif cherrypy.request.method == 'PUT':
             return self.handle_image_PUT( json_images=cherrypy.request.json, node=node )
@@ -645,6 +645,6 @@ def handle_ban_DELETE( self, collection, args ):
     @cherrypy.tools.json_out()
     def dry_run_desktop(self):
         self.logger.debug('validate_env')
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         result = oc.od.composer.sampledesktop(auth, user)
         return result

controllers/store_controller.py

@@ -36,7 +36,7 @@ def __init__(self, config_controller=None):
     @cherrypy.tools.json_in()
     def set(self):
         # Check auth 
-        (auth, user ) = self.validate_env()
+        (auth, user, roles ) = self.validate_env()
         arguments = cherrypy.request.json
         if not isinstance(arguments,dict) :
             return Results.error( message='invalid parameters' )
@@ -58,7 +58,7 @@ def set(self):
     def get(self):
 
         # Check auth 
-        (auth, user ) = self.validate_env()
+        (auth, user, roles ) = self.validate_env()
         arguments = cherrypy.request.json
 
         if not isinstance(arguments,dict) :
@@ -93,7 +93,7 @@ def wrapped_get( self, userid, key ):
     @cherrypy.tools.json_in()
     @cherrypy.tools.allow(methods=['POST'])
     def getcollection(self):
-        (auth, user ) = self.validate_env()
+        (auth, user, roles) = self.validate_env()
         userid = user.userid
         arguments = cherrypy.request.json
         if not isinstance(arguments,dict) :

controllers/user_controller.py

@@ -45,7 +45,7 @@ def getinfo(self):
     @cherrypy.tools.json_in()
     def getlocation(self):
         # self.logger.debug('')
-        (auth, user) = self.validate_env() 
+        (auth, user, roles) = self.validate_env() 
         location = oc.od.user.getlocation( auth )
         return Results.success(result=location)
 
@@ -56,10 +56,12 @@ def whoami(self):
         # self.logger.debug('')  
         auth = None
         user = None
+        roles = None
         # same has super().validate_env 
         # but do not fail or ban ipaddr
         if services.auth.isauthenticated and services.auth.isidentified:
             user = services.auth.user
             auth = services.auth.auth
+            roles = services.auth.roles
         userinfo = oc.od.user.whoami( auth, user )
         return userinfo