From 46c51284185902efdc063738f50eb95473913161 Mon Sep 17 00:00:00 2001 From: wh1te909 <7434746+wh1te909@users.noreply.github.com> Date: Mon, 4 Nov 2024 21:58:37 +0000 Subject: [PATCH] move callback url info to the backend --- .../accounts/management/commands/reset_2fa.py | 5 ++-- api/tacticalrmm/accounts/serializers.py | 5 ++-- .../core/management/commands/get_config.py | 12 ++++++-- api/tacticalrmm/ee/sso/views.py | 29 +++++++++++++++++-- api/tacticalrmm/tacticalrmm/helpers.py | 12 -------- api/tacticalrmm/tacticalrmm/settings.py | 13 ++++----- api/tacticalrmm/tacticalrmm/util_settings.py | 23 +++++++++++++++ 7 files changed, 72 insertions(+), 27 deletions(-) create mode 100644 api/tacticalrmm/tacticalrmm/util_settings.py diff --git a/api/tacticalrmm/accounts/management/commands/reset_2fa.py b/api/tacticalrmm/accounts/management/commands/reset_2fa.py index 4a71fb3d..8e659722 100644 --- a/api/tacticalrmm/accounts/management/commands/reset_2fa.py +++ b/api/tacticalrmm/accounts/management/commands/reset_2fa.py @@ -1,10 +1,11 @@ import subprocess import pyotp +from django.conf import settings from django.core.management.base import BaseCommand from accounts.models import User -from tacticalrmm.helpers import get_webdomain +from tacticalrmm.util_settings import get_webdomain class Command(BaseCommand): @@ -26,7 +27,7 @@ class Command(BaseCommand): user.save(update_fields=["totp_key"]) url = pyotp.totp.TOTP(code).provisioning_uri( - username, issuer_name=get_webdomain() + username, issuer_name=get_webdomain(settings.CORS_ORIGIN_WHITELIST[0]) ) subprocess.run(f'qr "{url}"', shell=True) self.stdout.write( diff --git a/api/tacticalrmm/accounts/serializers.py b/api/tacticalrmm/accounts/serializers.py index 78186aef..c6717333 100644 --- a/api/tacticalrmm/accounts/serializers.py +++ b/api/tacticalrmm/accounts/serializers.py @@ -1,11 +1,12 @@ import pyotp +from django.conf import settings from rest_framework.serializers import ( ModelSerializer, ReadOnlyField, SerializerMethodField, ) -from tacticalrmm.helpers import get_webdomain +from tacticalrmm.util_settings import get_webdomain from .models import APIKey, Role, User @@ -63,7 +64,7 @@ class TOTPSetupSerializer(ModelSerializer): def get_qr_url(self, obj): return pyotp.totp.TOTP(obj.totp_key).provisioning_uri( - obj.username, issuer_name=get_webdomain() + obj.username, issuer_name=get_webdomain(settings.CORS_ORIGIN_WHITELIST[0]) ) diff --git a/api/tacticalrmm/core/management/commands/get_config.py b/api/tacticalrmm/core/management/commands/get_config.py index 0a76344f..ba9f26cb 100644 --- a/api/tacticalrmm/core/management/commands/get_config.py +++ b/api/tacticalrmm/core/management/commands/get_config.py @@ -3,7 +3,7 @@ from urllib.parse import urlparse from django.conf import settings from django.core.management.base import BaseCommand -from tacticalrmm.helpers import get_root_domain, get_webdomain +from tacticalrmm.util_settings import get_backend_url, get_root_domain, get_webdomain from tacticalrmm.utils import get_certs @@ -29,8 +29,16 @@ class Command(BaseCommand): self.stdout.write(settings.NATS_SERVER_VER) case "frontend": self.stdout.write(settings.CORS_ORIGIN_WHITELIST[0]) + case "backend_url": + self.stdout.write( + get_backend_url( + settings.ALLOWED_HOSTS[0], + settings.TRMM_PROTO, + settings.TRMM_BACKEND_PORT, + ) + ) case "webdomain": - self.stdout.write(get_webdomain()) + self.stdout.write(get_webdomain(settings.CORS_ORIGIN_WHITELIST[0])) case "djangoadmin": url = f"https://{settings.ALLOWED_HOSTS[0]}/{settings.ADMIN_URL}" self.stdout.write(url) diff --git a/api/tacticalrmm/ee/sso/views.py b/api/tacticalrmm/ee/sso/views.py index 465b80d4..1a8dfe20 100644 --- a/api/tacticalrmm/ee/sso/views.py +++ b/api/tacticalrmm/ee/sso/views.py @@ -7,6 +7,7 @@ For details, see: https://license.tacticalrmm.com/ee import re from allauth.socialaccount.models import SocialAccount, SocialApp +from django.conf import settings from django.contrib.auth import logout from django.core.exceptions import ValidationError from django.shortcuts import get_object_or_404 @@ -16,11 +17,16 @@ from rest_framework import status from rest_framework.authentication import SessionAuthentication from rest_framework.permissions import IsAuthenticated from rest_framework.response import Response -from rest_framework.serializers import ModelSerializer, ReadOnlyField +from rest_framework.serializers import ( + ModelSerializer, + ReadOnlyField, + SerializerMethodField, +) from rest_framework.views import APIView from accounts.permissions import AccountsPerms from logs.models import AuditLog +from tacticalrmm.util_settings import get_backend_url from tacticalrmm.utils import get_core_settings from .permissions import SSOLoginPerms @@ -29,6 +35,15 @@ from .permissions import SSOLoginPerms class SocialAppSerializer(ModelSerializer): server_url = ReadOnlyField(source="settings.server_url") role = ReadOnlyField(source="settings.role") + callback_url = SerializerMethodField() + javascript_origin_url = SerializerMethodField() + + def get_callback_url(self, obj): + backend_url = self.context["backend_url"] + return f"{backend_url}/accounts/oidc/{obj.provider_id}/login/callback/" + + def get_javascript_origin_url(self, obj): + return self.context["frontend_url"] class Meta: model = SocialApp @@ -42,6 +57,8 @@ class SocialAppSerializer(ModelSerializer): "server_url", "settings", "role", + "callback_url", + "javascript_origin_url", ] @@ -49,8 +66,16 @@ class GetAddSSOProvider(APIView): permission_classes = [IsAuthenticated, AccountsPerms] def get(self, request): + ctx = { + "backend_url": get_backend_url( + settings.ALLOWED_HOSTS[0], + settings.TRMM_PROTO, + settings.TRMM_BACKEND_PORT, + ), + "frontend_url": settings.CORS_ORIGIN_WHITELIST[0], + } providers = SocialApp.objects.all() - return Response(SocialAppSerializer(providers, many=True).data) + return Response(SocialAppSerializer(providers, many=True, context=ctx).data) class InputSerializer(ModelSerializer): server_url = ReadOnlyField() diff --git a/api/tacticalrmm/tacticalrmm/helpers.py b/api/tacticalrmm/tacticalrmm/helpers.py index fbd9f796..00ef28f3 100644 --- a/api/tacticalrmm/tacticalrmm/helpers.py +++ b/api/tacticalrmm/tacticalrmm/helpers.py @@ -6,10 +6,8 @@ import secrets import string from pathlib import Path from typing import TYPE_CHECKING, Any, Literal -from urllib.parse import urlparse from zoneinfo import ZoneInfo -import tldextract from cryptography import x509 from django.conf import settings from django.utils import timezone as djangotime @@ -104,16 +102,6 @@ def date_is_in_past(*, datetime_obj: "datetime", agent_tz: str) -> bool: return djangotime.now() > utc_time -def get_webdomain() -> str: - return urlparse(settings.CORS_ORIGIN_WHITELIST[0]).netloc - - -def get_root_domain(subdomain) -> str: - no_fetch_extract = tldextract.TLDExtract(suffix_list_urls=()) - extracted = no_fetch_extract(subdomain) - return f"{extracted.domain}.{extracted.suffix}" - - def rand_range(min: int, max: int) -> float: """ Input is milliseconds. diff --git a/api/tacticalrmm/tacticalrmm/settings.py b/api/tacticalrmm/tacticalrmm/settings.py index 3f9a5e1c..99bfc3de 100644 --- a/api/tacticalrmm/tacticalrmm/settings.py +++ b/api/tacticalrmm/tacticalrmm/settings.py @@ -3,7 +3,8 @@ import sys from contextlib import suppress from datetime import timedelta from pathlib import Path -from tacticalrmm.helpers import get_root_domain, get_webdomain + +from tacticalrmm.util_settings import get_backend_url, get_root_domain, get_webdomain BASE_DIR = Path(__file__).resolve().parent.parent @@ -117,12 +118,12 @@ SWAGGER_ENABLED = False REDIS_HOST = "127.0.0.1" TRMM_LOG_LEVEL = "ERROR" TRMM_LOG_TO = "file" +TRMM_PROTO = "https" +TRMM_BACKEND_PORT = None if not DOCKER_BUILD: ALLOWED_HOSTS = [] CORS_ORIGIN_WHITELIST = [] - TRMM_PROTO = "https" - TRMM_BACKEND_PORT = None with suppress(ImportError): from ee.sso.sso_settings import * # noqa @@ -154,16 +155,14 @@ if "GHACTIONS" in os.environ: if not DOCKER_BUILD: TRMM_ROOT_DOMAIN = get_root_domain(ALLOWED_HOSTS[0]) - frontend_domain = get_webdomain().split(":")[0] + frontend_domain = get_webdomain(CORS_ORIGIN_WHITELIST[0]).split(":")[0] ALLOWED_HOSTS.append(frontend_domain) if DEBUG: ALLOWED_HOSTS.append("*") - backend_url = f"{TRMM_PROTO}://{ALLOWED_HOSTS[0]}" - if TRMM_BACKEND_PORT: - backend_url = f"{backend_url}:{TRMM_BACKEND_PORT}" + backend_url = get_backend_url(ALLOWED_HOSTS[0], TRMM_PROTO, TRMM_BACKEND_PORT) SESSION_COOKIE_DOMAIN = TRMM_ROOT_DOMAIN CSRF_COOKIE_DOMAIN = TRMM_ROOT_DOMAIN diff --git a/api/tacticalrmm/tacticalrmm/util_settings.py b/api/tacticalrmm/tacticalrmm/util_settings.py new file mode 100644 index 00000000..ccd977e6 --- /dev/null +++ b/api/tacticalrmm/tacticalrmm/util_settings.py @@ -0,0 +1,23 @@ +# this file must not import anything from django settings to avoid circular import issues + +from urllib.parse import urlparse + +import tldextract + + +def get_webdomain(url: str) -> str: + return urlparse(url).netloc + + +def get_root_domain(subdomain) -> str: + no_fetch_extract = tldextract.TLDExtract(suffix_list_urls=()) + extracted = no_fetch_extract(subdomain) + return f"{extracted.domain}.{extracted.suffix}" + + +def get_backend_url(subdomain, proto, port) -> str: + url = f"{proto}://{subdomain}" + if port: + url = f"{url}:{port}" + + return url