From 714eab17a7b49633053e6bf948fe66fe06637922 Mon Sep 17 00:00:00 2001 From: Mikko Keskinen Date: Thu, 14 Sep 2023 14:46:48 +0300 Subject: [PATCH 1/6] HP-2024 Update uwsgi from 2.0.18 to 2.0.22 uwsgi had at least one vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522 --- requirements-prod.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/requirements-prod.txt b/requirements-prod.txt index b81ba79a..68f0700a 100644 --- a/requirements-prod.txt +++ b/requirements-prod.txt @@ -1,7 +1,8 @@ # -# This file is autogenerated by pip-compile -# To update, run: +# This file is autogenerated by pip-compile with Python 3.8 +# by the following command: # # pip-compile requirements-prod.in # -uwsgi==2.0.18 # via -r requirements-prod.in +uwsgi==2.0.22 + # via -r requirements-prod.in From cf2edefab3e78365671f045afaf8e7e27d76a176 Mon Sep 17 00:00:00 2001 From: Mikko Keskinen Date: Thu, 14 Sep 2023 14:49:48 +0300 Subject: [PATCH 2/6] HP-2024 Update certifi from 2022.12.7 to 2023.7.22 The new version removes a possibly compromised root certificate --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 23bf4e08..bb8d26ed 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ asgiref==3.4.1 # via django -certifi==2022.12.7 +certifi==2023.7.22 # via requests cffi==1.14.4 # via cryptography From 57ca9f21b39d64bccfeaaf494debc86aafe094c0 Mon Sep 17 00:00:00 2001 From: Mikko Keskinen Date: Thu, 14 Sep 2023 15:40:58 +0300 Subject: [PATCH 3/6] HP-2024 Update cryptography from 40.0.1 to 41.0.3 Cryptography had 5 vulnerabilities - https://nvd.nist.gov/vuln/detail/CVE-2023-2650 - https://www.cve.org/CVERecord?id=CVE-2023-38325 - https://nvd.nist.gov/vuln/detail/CVE-2023-2975 - https://www.cve.org/CVERecord?id=CVE-2023-3446 - https://www.cve.org/CVERecord?id=CVE-2023-3817 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.txt b/requirements.txt index bb8d26ed..d6526605 100644 --- a/requirements.txt +++ b/requirements.txt @@ -18,7 +18,7 @@ coreapi==2.3.3 # via -r requirements.in coreschema==0.0.4 # via coreapi -cryptography==40.0.1 +cryptography==41.0.3 # via # -r requirements.in # jwcrypto From 033017f0f0a9d89d4b8c629e6427acbb5ba9cbe5 Mon Sep 17 00:00:00 2001 From: Mikko Keskinen Date: Thu, 14 Sep 2023 15:44:05 +0300 Subject: [PATCH 4/6] HP-2024 Update django from 3.2.19 to 3.2.21 Django had 3 vulnerabilities - https://www.cve.org/CVERecord?id=CVE-2023-31047 - https://www.cve.org/CVERecord?id=CVE-2023-36053 - https://security.snyk.io/vuln/SNYK-PYTHON-DJANGO-5880505 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d6526605..cf8c48e0 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,7 +31,7 @@ defusedxml==0.5.0 # social-auth-core deprecated==1.2.13 # via jwcrypto -django==3.2.19 +django==3.2.21 # via # -r requirements.in # django-appconf From 74615e2c3c57b335165d1c85ef21e02bbf3b0e87 Mon Sep 17 00:00:00 2001 From: Mikko Keskinen Date: Wed, 27 Sep 2023 08:57:51 +0300 Subject: [PATCH 5/6] HP-2017 Add new "helsinki_tunnus" social auth backend The backend is a subclass of the existing HelsinkiTunnistus backend. The new backend is needed to add a second client (and login method) in Helsinki Tunnistus Keycloak for logging in with username and password. --- auth_backends/helsinki_tunnus.py | 8 ++++++++ helsinki_theme/static/css/helsinki_theme.scss | 12 ++++++++++++ tunnistamo/settings.py | 13 +++++++++++++ .../0033_alter_loginmethod_provider_id.py | 18 ++++++++++++++++++ 4 files changed, 51 insertions(+) create mode 100644 auth_backends/helsinki_tunnus.py create mode 100644 users/migrations/0033_alter_loginmethod_provider_id.py diff --git a/auth_backends/helsinki_tunnus.py b/auth_backends/helsinki_tunnus.py new file mode 100644 index 00000000..6be7b4c4 --- /dev/null 
+++ b/auth_backends/helsinki_tunnus.py @@ -0,0 +1,8 @@ +from auth_backends.helsinki_tunnistus_suomifi import HelsinkiTunnistus + + +class HelsinkiTunnus(HelsinkiTunnistus): + """A subclass of HelsinkiTunnistus that only changes the name + + New backend is needed to have a second client in Helsinki tunnistus Keycloak""" + name = 'helsinki_tunnus' diff --git a/helsinki_theme/static/css/helsinki_theme.scss b/helsinki_theme/static/css/helsinki_theme.scss index 2b19d9db..58b56d40 100644 --- a/helsinki_theme/static/css/helsinki_theme.scss +++ b/helsinki_theme/static/css/helsinki_theme.scss @@ -102,6 +102,12 @@ $fa-font-path: "../fonts/font-awesome"; background-size: 85%; } +.fa-helsinki_tunnus { + &:before { + content: $fa-var-envelope-o; + } +} + .login-method.login-method-yletunnus a.btn.btn-social { background-color: #00b4c8; border-color: #00b4c8; @@ -147,3 +153,9 @@ $fa-font-path: "../fonts/font-awesome"; background-color: #ffffff; border-color: #dddddd; } + +.login-method.login-method-helsinki_tunnus a.btn.btn-social { + color: #1a1a1a; + background-color: $hel-gold; + border-color: $hel-gold; +} diff --git a/tunnistamo/settings.py b/tunnistamo/settings.py index b0f55457..79a0b0b0 100644 --- a/tunnistamo/settings.py +++ b/tunnistamo/settings.py @@ -71,6 +71,10 @@ # Client secret SOCIAL_AUTH_HELTUNNISTUSSUOMIFI_SECRET=(str, ""), + SOCIAL_AUTH_HELSINKI_TUNNUS_OIDC_ENDPOINT=(str, ""), + SOCIAL_AUTH_HELSINKI_TUNNUS_KEY=(str, ""), + SOCIAL_AUTH_HELSINKI_TUNNUS_SECRET=(str, ""), + SOCIAL_AUTH_ESPOO_ADFS_KEY=(str, ""), SOCIAL_AUTH_ESPOO_ADFS_SECRET=(str, ""), @@ -206,6 +210,7 @@ 'auth_backends.adfs.helsinki_library_asko.HelsinkiLibraryAskoADFS', 'auth_backends.helsinki_username.HelsinkiUsername', 'auth_backends.helsinki_tunnistus_suomifi.HelsinkiTunnistus', + 'auth_backends.helsinki_tunnus.HelsinkiTunnus', 'yletunnus.backends.YleTunnusOAuth2', 'django.contrib.auth.backends.ModelBackend', 'auth_backends.suomifi.SuomiFiSAMLAuth', 
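Review bot: The class docstring in the new `auth_backends/helsinki_tunnus.py` says the subclass "only changes the name", which understates what `name = 'helsinki_tunnus'` does: in python-social-auth the backend name selects the settings namespace (here `SOCIAL_AUTH_HELSINKI_TUNNUS_*`, matching the keys added to `tunnistamo/settings.py` in this patch) and, as the migration in this patch shows, is the `provider_id` value stored for the login method, so it is the one string that ties the three parts of the change together. I would state that in the docstring, e.g. `"""HelsinkiTunnistus under its own name, so it gets a separate SOCIAL_AUTH_HELSINKI_TUNNUS_* settings namespace and a second Keycloak client (username/password login)."""`, and put the closing quotes on their own line per PEP 257. Everything else (the OIDC flow, user-field handling) is inherited unchanged from `HelsinkiTunnistus`, whose definition is outside this patch.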
@@ -552,6 +557,14 @@ SOCIAL_AUTH_HELTUNNISTUSSUOMIFI_REDIRECT_LOGOUT_TO_END_SESSION = True SOCIAL_AUTH_HELTUNNISTUSSUOMIFI_ON_AUTH_ERROR_REDIRECT_TO_CLIENT = True +SOCIAL_AUTH_HELSINKI_TUNNUS_OIDC_ENDPOINT = env("SOCIAL_AUTH_HELSINKI_TUNNUS_OIDC_ENDPOINT") +SOCIAL_AUTH_HELSINKI_TUNNUS_KEY = env("SOCIAL_AUTH_HELSINKI_TUNNUS_KEY") +SOCIAL_AUTH_HELSINKI_TUNNUS_SECRET = env("SOCIAL_AUTH_HELSINKI_TUNNUS_SECRET") +# Helsinki Tunnistus (Keycloak) sets the uuid for easier migration +SOCIAL_AUTH_HELSINKI_TUNNUS_USER_FIELDS = ['username', 'email', 'uuid'] +SOCIAL_AUTH_HELSINKI_TUNNUS_REDIRECT_LOGOUT_TO_END_SESSION = True +SOCIAL_AUTH_HELSINKI_TUNNUS_ON_AUTH_ERROR_REDIRECT_TO_CLIENT = True + SOCIAL_AUTH_YLETUNNUS_APP_ID = env("SOCIAL_AUTH_YLETUNNUS_APP_ID") SOCIAL_AUTH_YLETUNNUS_APP_KEY = env("SOCIAL_AUTH_YLETUNNUS_APP_KEY") SOCIAL_AUTH_YLETUNNUS_SECRET = env("SOCIAL_AUTH_YLETUNNUS_SECRET") diff --git a/users/migrations/0033_alter_loginmethod_provider_id.py b/users/migrations/0033_alter_loginmethod_provider_id.py new file mode 100644 index 00000000..cd4393d2 --- /dev/null +++ b/users/migrations/0033_alter_loginmethod_provider_id.py 
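Review bot: `SOCIAL_AUTH_HELSINKI_TUNNUS_USER_FIELDS = ['username', 'email', 'uuid']` lets an IdP-supplied `uuid` populate the local user, and the one-line comment above it does not say what that assumes. With two backends (`heltunnistussuomifi` and this one) now accepting a uuid from the same Keycloak, a reader needs to know whether the same person is expected to arrive with the same uuid from both clients (so a Suomi.fi login and a username/password login resolve to one local account) and what happens when the claim is missing or matches an existing user; I cannot tell from this hunk, since the social-auth pipeline and the user model are outside it. I would expand the comment along the lines of `# Helsinki Tunnistus (Keycloak) supplies the user's uuid so accounts migrated from the old login keep their id; both Keycloak clients are expected to return the same uuid for the same person` — confirm against the pipeline before settling the wording. The empty-string env defaults declared earlier in this patch (`SOCIAL_AUTH_HELSINKI_TUNNUS_OIDC_ENDPOINT=(str, "")` and the key/secret) mean a deployment missing these variables fails at first login rather than at startup, which mirrors the existing HELTUNNISTUSSUOMIFI pattern but is worth knowing when rolling this out.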
@@ -0,0 +1,18 @@ +# Generated by Django 3.2.19 on 2023-09-26 10:34 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('users', '0032_add_vakehyvaazuread_to_loginmethod_provider_id_choices'), + ] + + operations = [ + migrations.AlterField( + model_name='loginmethod', + name='provider_id', + field=models.CharField(choices=[('eduhelfi', 'eduhelfi'), ('espoo', 'espoo'), ('espooazuread', 'espooazuread'), ('facebook', 'facebook'), ('github', 'github'), ('google', 'google'), ('helsinki_adfs', 'helsinki_adfs'), ('helsinki_library_asko_adfs', 'helsinki_library_asko_adfs'), ('helsinki_tunnus', 'helsinki_tunnus'), ('helsinkiazuread', 'helsinkiazuread'), ('heltunnistussuomifi', 'heltunnistussuomifi'), ('helusername', 'helusername'), ('suomifi', 'suomifi'), ('tunnistamo', 'tunnistamo'), ('vakehyvaazuread', 'vakehyvaazuread'), ('vantaaazuread', 'vantaaazuread'), ('yletunnus', 'yletunnus')], max_length=50, unique=True), + ), + ] From 42662ed519b491d36fabcd9f8077e491aa46dfae Mon Sep 17 00:00:00 2001 From: Aki Koskinen Date: Tue, 10 Oct 2023 17:06:56 +0300 Subject: [PATCH 6/6] Add Github action for building and publishing an image The action triggers on pushes to the `develop` branch. It builds a container image and pushes it to ghcr.io. Based largely on the example from Github's documentation [1]. There used to be actions that, among other things, also built and published a similar kind of image. But those were removed in commit 69b20c86. [1] https://docs.github.com/en/actions/publishing-packages/publishing-docker-images#publishing-images-to-github-packages --- .github/workflows/build-push-image.yml | 50 ++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .github/workflows/build-push-image.yml diff --git a/.github/workflows/build-push-image.yml b/.github/workflows/build-push-image.yml new file mode 100644 index 00000000..3f298c7f --- /dev/null +++ b/.github/workflows/build-push-image.yml 
@@ -0,0 +1,50 @@
+name: Build and publish a container image
+
+on:
+ push:
+ branches:
+ - "develop"
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ # For backwards compatibility, prefix branch tags with `refs-heads-`
+ tags: |
+ type=ref,event=branch,prefix=refs-heads-
+
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ context: .
+ # Build only the `production` target from Dockerfile
+ target: production
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
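Review bot: `uses: actions/checkout@v4` is the only step in the new workflow pinned to a mutable tag; the three `docker/*` steps are pinned to full commit SHAs with a version comment, so the checkout step should follow the same pattern, e.g. `uses: actions/checkout@<full commit sha of the v4 release> # v4.x.y`, otherwise a moved tag can change what runs with `packages: write`. The metadata step tags the image only by branch (`type=ref,event=branch,prefix=refs-heads-`), so each push to `develop` overwrites the same `refs-heads-develop` tag and a running image cannot be traced back to its commit; adding a second line `type=sha` under `tags: |` keeps the compatibility tag and adds an immutable one. The `permissions` block is correctly narrowed to `contents: read` and `packages: write`, and login via `secrets.GITHUB_TOKEN` avoids a long-lived registry credential.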