merge of Gsoc2023 nilupul manodya (#2069)

* remove inputs from conditions (#1808)

* Setup sp and idp for the sso (#1809)

* configure sp and idp

* update meta.yml remove cherypy

* fixes previous

* update notice

* update readme

* regroup idp_uwsgi

* regroup app.py

* regroup, change wsgi server to flask

* Update conf_sp_idp/README.md

Co-authored-by: Matthias Riße <[email protected]>

* hide secrets by config

* update copy-paste-able command for creating keys and certificates

* Update README.md

* correct copyright lines

* remove make_metadata.py file and update doc with new flow

* remove idp.xml file

* remove condition libxmlsec1

* Update conf_sp_idp/sp/app/conf.py

Co-authored-by: Matthias Riße <[email protected]>

* Update conf_sp_idp/idp/idp.py

Co-authored-by: Matthias Riße <[email protected]>

* remove generate_metadatascript

* remove hardcoded path

* recorrect copyrights

---------

Co-authored-by: Matthias Riße <[email protected]>

* Split conf sp idp (#1811)

* split sp and idp

* generate doc

* remove prints idp.py

* update comeponents.rst

* UI changes in Qt for SSO (#1813)

* ui changes in qt for sso

* fixes qt UI implementation

* get idp_enabled response from server

* update tests for test_hello

* update test utils

* Update mslib/msui/mscolab.py

Co-authored-by: Matthias Riße <[email protected]>

* fix typo

* move downed idp_enabled exception

* increase height ui_mscolab_connect_dialog

* resolve comments

---------

Co-authored-by: Matthias Riße <[email protected]>

* web browser implementation (#1814)

* web browser implementation

* update gitgnore

* resolve comments

* update docstring

* Configure mscolab for sso (#1818)

* db modeling

* add users into id[

* backend yaml implementation

* set server conf

* config server for sso

* qt ui implmentation

* backend html templates implementation

* update testcases

* config qt client app

* update gitignore

* set yaml endpoints

* update docs

* update test utill, and fix error

* fix test utils

* remove disabled pylint

* add libxmlsec1 into dep

* set IDP ENabled false

* Update mslib/mscolab/server.py

Co-authored-by: Matthias Riße <[email protected]>

* recorrect commit

* update db modeling with authentication_backend for multiple idps

* update conf for the multiple idps

* template implementation

* msui update redirect url for multiple idps

* saml update for multiple idps

* update mscolab server for multiple idps

* update doc for multiple idps

* automate CERTs generation and paths

* update doc

* correct typo in doc

* update doc

* fix typos update gitignore

* fix config idp_conf

* update gitignore

* set one time token access

* add params for cert creation

* set idp token for  one time validation

* fix  unnnescessary debug

* remove duplicate imports

* Update mslib/mscolab/mscolab.py

Co-authored-by: Matthias Riße <[email protected]>

* automate saml yaml file and improve error handling

* rename IDP_ENABLED to USE_SAML2

* update error template

* update doc

* add todo idp_wsgi

* update db models

* recorrect doc

* add todo refactors

---------

Co-authored-by: Matthias Riße <[email protected]>

* To do fixes #1818 (#1974)

* remove global var

* remove idp.subjects file dirs

* remove relaystste, rndstr and use secrets

* remove shell=True

* correct typos

* fix group order

* enable flake8 for GSOC2023-NilupulManodya

* fix lint

* fix lint

* fixes comments

* resolve comments

* fix comments

* update doc

* improve code for multiple Idps

* conf routes for multiple conf

* remove uncessary .yaml

* update cmd metadata

* update conf

* update saml handler for multiple idps

* pinning of xmlschema

* pin werkzeug

* disable pytests for todo refactor

* disbale whole file gsoc_testing

* fix conf

* resolve comments

* resolve comments

* manual conflict resolve ui_mscolab_connect_dialog.ui file

* resolve flake8

* set SSL certificate verification enablement (#2062)

* ssl verification enablement for SSO

* add hint

* Remove testing SP (#2066)

* remove testing sp

* remove documentation auth_client_sp

* Create documentation for SSO integration through SAML (#2064)

* create documentation sso integration

* added into makefile components

* change dir images

* resolve comments, add sample files

* resolve comments

* change cookies dir of web browser (#2063)

* change cookies dir of web browser

* Update mslib/msui/msui_web_browser.py

Co-authored-by: Matthias Riße <[email protected]>

---------

Co-authored-by: Matthias Riße <[email protected]>

* improve accessibility saml2 urls (#2068)

* improve accessibility saml2 urls

* resolve comments

---------

Co-authored-by: Nilupul Manodya <[email protected]>
Co-authored-by: Matthias Riße <[email protected]>
Co-authored-by: Matthias Riße <[email protected]>
Co-authored-by: nilupulmanodya <[email protected]>

.gitignore

@@ -24,4 +24,5 @@ build/
 mss.egg-info/
 tutorials/recordings
 tutorials/cursor_image.png
-
+__pycache__/
+instance/

NOTICE

@@ -130,3 +130,14 @@ License: https://github.com/PaulSchweizer/qt-json-view/blob/master/LICENSE (MIT
 
 Package for working with JSON files in PyQt5.
 Obtained from Github (https://github.com/PaulSchweizer/qt-json-view), on 23/7/2021.
+
+Identity Provider
+-----------------
+
+We utilize example files from the pysaml2 library to set up the configuration for our local Identity Provider (IdP).
+Obtained from GitHub (https://github.com/IdentityPython/pysaml2/tree/master/example/idp2) on 13/07/2023
+
+Copyright: 2018 Roland Hedberg
+
+License: https://github.com/IdentityPython/pysaml2/blob/master/LICENSE (Apache License 2.0)
+Further Information: https://pysaml2.readthedocs.io/en/

conftest.py

@@ -182,6 +182,9 @@ def pytest_generate_tests(metafunc):
 </FlightTrack>
 """
 enable_basic_http_authentication = False
+
+# enable login by identity provider
+USE_SAML2 = False
 '''
     ROOT_FS = fs.open_fs(constants.ROOT_DIR)
     if not ROOT_FS.exists('mscolab'):

docs/components.rst

@@ -10,5 +10,6 @@ Components
    mscolab
    gentutorials
    mssautoplot
-
-
+   conf_auth_client_sp_idp
+   conf_sso_test_msscolab
+   sso_via_saml_mscolab

docs/conf_sso_test_msscolab.rst

@@ -0,0 +1,117 @@
+Configuration MSS Colab Server with Testing IdP for SSO
+=======================================================
+Testing IDP (`mslib/msidp`) is specifically designed for testing the Single Sign-On (SSO) process with the mscolab server using PySAML2.
+
+Here is documentation that explains the configuration of the MSS Colab Server with the testing IdP.
+
+Getting started
+---------------
+
+To set up a local identity provider with the mscolab server, you'll first need to generate the required keys and certificates for both the Identity Provider and the mscolab server. Follow these steps to configure the system:
+
+    1. Initial Steps
+    2. Generate Keys and Certificates
+    3. Enable USE_SAML2
+    4. Generate Metadata Files
+    5. Start the Identity Provider
+    6. Start the mscolab Server
+    7. Test the Single Sign-On (SSO) Process
+
+
+1. Initial Steps
+----------------
+Before getting started, you should correctly activate the environments, set the correct Python path as explained in the mss instructions : https://github.com/Open-MSS/MSS/tree/develop#readme
+
+
+
+2. Generate Keys, Certificates, and backend_saml files
+------------------------------------------------------
+
+This involves generating both `.key` files and `.crt` files for both the Identity provider and mscolab server and `backend_saml.yaml` file. 
+
+Before running the command make sure to set `USE_SAML2 = False` in your `mscolab_settings.py` file,  You can accomplish this by following these steps:
+
+- Add to the `PYTHONPATH` where your `mscolab_settings.py`.
+- Add `USE_SAML2 = False` in your `mscolab_settings.py` file.
+
+.. note::
+    If you set `USE_SAML2 = True` without keys and certificates, this will not execute. So, make sure to set `USE_SAML2 = False` before executing the command.
+
+If everything is correctly set, you can generate keys and certificates simply by running
+
+.. code:: text
+
+    $ mscolab sso_conf --init_sso_crts
+
+.. note::
+    This process generating keys and certificates for both Identity provider and mscolab server by default, If you need configure with different keys and certificates for the Identity provider, You should manually update the path of `SERVER_CERT` with the path of the generated .crt file for Identity provider, and `SERVER_KEY` with the path of the generated .key file for the Identity provider in the file `MSS/mslib/idp/idp_conf.py`.
+
+
+3. Enable USE_SAML2
+-------------------
+
+To enable SAML2-based login (identity provider-based login), 
+
+- To start the process update `USE_SAML2 = True` in your `mscolab_settings.py` file.
+
+.. note::
+    After enabling the `USE_SAML2` option, the subsequent step involves adding the `CONFIGURED_IDPS` dictionary for the MSS Colab Server. This dictionary must contain keys for each active Identity Provider, denoted by their `idp_identity_name`, along with their respective `idp_name`. Once this dictionary is configured, it should be utilized to update several aspects of the mscolab server, including the SAML2Client configuration in the .yml file. This ensures seamless integration with the enabled IDPs. By default, configuration has been set up for the localhost IDP, and any additional configurations required should be performed by the developer.
+
+4. Generate metadata files
+--------------------------
+
+This involves generating necessary metadata files for both the identity provider and the service provider. You can generate them by simply running the below command.
+
+.. note::
+    Before executing this, you should set `USE_SAML2=True` as described in the third step(Enable USE_SAML2).
+
+.. code:: text
+
+    $ mscolab sso_conf --init_sso_metadata
+
+
+5. Start Identity provider
+--------------------------
+
+Once you set certificates and metada files you can start mscolab server and local identity provider. To start local identity provider, simply execute:
+
+.. code:: text
+
+    $ msidp
+
+
+6. Start the mscolab Server
+---------------------------
+
+Before Starting the mscolab server, make sure to do necessary database migrations.
+
+When this is the first time you setup a mscolab server, you have to initialize the database by:
+
+.. code:: text
+
+    $ mscolab db --init
+
+.. note::
+   An existing database maybe needs a migration, have a look for this on our documentation.
+
+   https://mss.readthedocs.io/en/stable/mscolab.html#data-base-migration
+
+When migrations finished, you can start mscolab server  using the following command:
+
+.. code:: text
+
+    $ mscolab start
+
+
+7. Testing Single Sign-On (SSO) process
+---------------------------------------
+
+* Once you have successfully launched the server and identity provider, you can begin testing the Single Sign-On (SSO) process.
+* Start MSS PyQt application:
+
+.. code:: text
+
+    $ msui
+
+* Login with identity provider through Qt Client application.
+* To log in to the mscolab server through the identity provider, you can use the credentials specified in the ``PASSWD`` section of the ``MSS/mslib/msidp/idp.py`` file. Look for the relevant section in the file to find the necessary login credentials.

docs/samples/config/mscolab/mscolab_settings.py.sample

@@ -85,8 +85,14 @@ STUB_CODE = """<?xml version="1.0" encoding="utf-8"?>
 </FlightTrack>
 """
 
+# enable login by identity provider
+USE_SAML2 = False
+
 # looks for a given category forn a operation ending with GROUP_POSTFIX
 # e.g. category = Tex will look for TexGroup
 # all users in that Group are set to the operations of that category
 # having the roles in the TexGroup
 GROUP_POSTFIX = "Group"
+
+# dir where mscolab single sign process files are stored
+MSCOLAB_SSO_DIR = os.path.join(DATA_DIR, 'datasso')

docs/samples/config/mscolab/mss_saml2_backend.yaml.samlple

@@ -0,0 +1,116 @@
+name: Saml2
+config:
+  entityid_endpoint: true
+  mirror_force_authn: no
+  memorize_idp: no
+  use_memorized_idp_when_force_authn: no
+  send_requester_id: no
+  enable_metadata_reload: no
+
+  # SP Configuration for localhost_test_idp
+  localhost_test_idp:
+    name: "MSS Colab Server - Testing IDP(localhost)"
+    description: "MSS Collaboration Server with Testing IDP(localhost)"
+    key_file: path/to/key_sp.key # Will be set from the mscolab server
+    cert_file: path/to/crt_sp.crt # Will be set from the mscolab server
+    verify_ssl_cert: true # Specifies if the SSL certificates should be verified.
+    organization: {display_name: Open-MSS, name: Mission Support System, url: 'https://open-mss.github.io/about/'}
+    contact_person:
+    - {contact_type: technical, email_address: [email protected], given_name: Technical}
+    - {contact_type: support, email_address: [email protected], given_name: Support}
+
+    metadata:
+      local: [path/to/idp.xml] # Will be set from the mscolab server
+
+    entityid: http://localhost:5000/proxy_saml2_backend.xml
+    accepted_time_diff: 60
+    service:
+      sp:
+        ui_info:
+          display_name:
+            - lang: en
+              text: "Open MSS"
+          description:
+            - lang: en
+              text: "Mission Support System"
+          information_url:
+            - lang: en
+              text: "https://open-mss.github.io/about/"
+          privacy_statement_url:
+            - lang: en
+              text: "https://open-mss.github.io/about/"
+          keywords:
+            - lang: en
+              text: ["MSS"]
+            - lang: en
+              text: ["OpenMSS"]
+          logo:
+            text: "https://open-mss.github.io/assets/logo.png"
+            width: "100"
+            height: "100"
+        authn_requests_signed: true
+        want_response_signed: true
+        want_assertion_signed: true
+        allow_unknown_attributes: true
+        allow_unsolicited: true
+        endpoints:
+          assertion_consumer_service:
+            - [http://localhost:8083/localhost_test_idp/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+          discovery_response:
+          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+        name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        name_id_format_allow_create: true
+
+
+  # # SP Configuration for IDP 2
+  # sp_config_idp_2:
+  #   name: "MSS Colab Server - Testing IDP(localhost)"
+  #   description: "MSS Collaboration Server with Testing IDP(localhost)"
+  #   key_file: mslib/mscolab/app/key_sp.key
+  #   cert_file: mslib/mscolab/app/crt_sp.crt
+  #   organization: {display_name: Open-MSS, name: Mission Support System, url: 'https://open-mss.github.io/about/'}
+  #   contact_person:
+  #   - {contact_type: technical, email_address: [email protected], given_name: Technical}
+  #   - {contact_type: support, email_address: [email protected], given_name: Support}
+
+  #   metadata:
+  #     local: [mslib/mscolab/app/idp.xml]
+
+  #   entityid: http://localhost:5000/proxy_saml2_backend.xml
+  #   accepted_time_diff: 60
+  #   service:
+  #     sp:
+  #       ui_info:
+  #         display_name:
+  #           - lang: en
+  #             text: "Open MSS"
+  #         description:
+  #           - lang: en
+  #             text: "Mission Support System"
+  #         information_url:
+  #           - lang: en
+  #             text: "https://open-mss.github.io/about/"
+  #         privacy_statement_url:
+  #           - lang: en
+  #             text: "https://open-mss.github.io/about/"
+  #         keywords:
+  #           - lang: en
+  #             text: ["MSS"]
+  #           - lang: en
+  #             text: ["OpenMSS"]
+  #         logo:
+  #           text: "https://open-mss.github.io/assets/logo.png"
+  #           width: "100"
+  #           height: "100"
+  #       authn_requests_signed: true
+  #       want_response_signed: true
+  #       want_assertion_signed: true
+  #       allow_unknown_attributes: true
+  #       allow_unsolicited: true
+  #       endpoints:
+  #         assertion_consumer_service:
+  #           - [http://localhost:8083/idp2/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+  #         discovery_response:
+  #         - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+  #       name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+  #       name_id_format_allow_create: true

docs/samples/config/mscolab/setup_saml2_backend.py.sample

@@ -0,0 +1,68 @@
+import os
+import sys
+import warnings
+import yaml
+from saml2 import SAMLError
+from saml2.client import Saml2Client
+from saml2.config import SPConfig
+from urllib.parse import urlparse
+
+
+class setup_saml2_backend:
+    from mslib.mscolab.conf import mscolab_settings
+
+    CONFIGURED_IDPS = [
+        # configure your idps here
+        {
+            'idp_identity_name': 'localhost_test_idp',  #  make sure to use underscore for the blanks
+            'idp_data': {
+                'idp_name': 'Testing Identity Provider',  # this name is used on the Login page to connect to the Provider.
+            }
+        },
+
+    ]
+
+    if os.path.exists(f"{mscolab_settings.MSCOLAB_SSO_DIR}/mss_saml2_backend.yaml"):
+        with open(f"{mscolab_settings.MSCOLAB_SSO_DIR}/mss_saml2_backend.yaml", encoding="utf-8") as fobj:
+            yaml_data = yaml.safe_load(fobj)
+        # go through configured IDPs and set conf file paths for particular files
+        for configured_idp in CONFIGURED_IDPS:
+            # set CRTs and metadata paths for the localhost_test_idp
+            if 'localhost_test_idp' == configured_idp['idp_identity_name']:
+                yaml_data["config"]["localhost_test_idp"]["key_file"] = \
+                    f'{mscolab_settings.MSCOLAB_SSO_DIR}/key_mscolab.key'  # set path to your mscolab key file
+                yaml_data["config"]["localhost_test_idp"]["cert_file"] = \
+                    f'{mscolab_settings.MSCOLAB_SSO_DIR}/crt_mscolab.crt'  # set path to your mscolab certiticate file
+                yaml_data["config"]["localhost_test_idp"]["metadata"]["local"][0] = \
+                    f'{mscolab_settings.MSCOLAB_SSO_DIR}/idp.xml'  # set path to your idp metadata xml file
+
+                # configuration localhost_test_idp Saml2Client
+                try:
+                    if not os.path.exists(yaml_data["config"]["localhost_test_idp"]["metadata"]["local"][0]):
+                        yaml_data["config"]["localhost_test_idp"]["metadata"]["local"] = []
+                        warnings.warn("idp.xml file does not exists !\
+                                        Ignore this warning when you initializeing metadata.")
+
+                    localhost_test_idp = SPConfig().load(yaml_data["config"]["localhost_test_idp"])
+                    sp_localhost_test_idp = Saml2Client(localhost_test_idp)
+
+                    configured_idp['idp_data']['saml2client'] = sp_localhost_test_idp
+                    for url_pair in (yaml_data["config"]["localhost_test_idp"]
+                                     ["service"]["sp"]["endpoints"]["assertion_consumer_service"]):
+                        saml_url, binding = url_pair
+                        path = urlparse(saml_url).path
+                        configured_idp['idp_data']['assertion_consumer_endpoints'] = \
+                            configured_idp['idp_data'].get('assertion_consumer_endpoints', []) + [path]
+
+                except SAMLError:
+                    warnings.warn("Invalid Saml2Client Config with localhost_test_idp ! Please configure with\
+                                    valid CRTs metadata and try again.")
+                    sys.exit()
+
+                # if multiple IdPs exists, development should need to implement accordingly below
+                """
+                    if 'idp_2'== configured_idp['idp_identity_name']:
+                        # rest of code
+                        # set CRTs and metadata paths for the idp_2
+                        # configuration idp_2 Saml2Client
+                """