pneff / devpi-saml

SAML authentication for devpi


devpi-saml: SAML authentication for devpi

This plugin extends devpi with SAML Single Sign-On authentication.

It also protects read-only access, similarly to devpi-lockdown, which does the same for the default password logins.

As SAML authentication cannot be used on the command line, it also adds user interface support for devpi-tokens to create tokens that can be used to log into devpi.

Installation

devpi-saml needs to be installed alongside devpi-server.

You can install it with:

pip install devpi-saml

This package has only been tested with version 6.9 of devpi-server.

Usage

To lock down read access to devpi, you need a proxy in front of devpi which can use the provided views to limit access.

This has been tested with nginx; the auth_request module is required. Generating this configuration is not yet part of the plugin: follow the `devpi manual`_ to create the nginx configuration, then extend it manually with the following.

# this redirects to the SSO view when not logged in
error_page 401 = @error401;
location @error401 {
    return 302 http://$host/sso?redirect=$request_uri;
}

# the location to check whether the provided credentials authenticate the user
location = /+authcheck {
    internal;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}

# lock down everything by default
auth_request /+authcheck;

# pass on the various SSO routes without authentication
location /sso {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}
location /slo {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}
location /acs {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}
location /sls {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}
location /metadata {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}

# pass on /+api without authentication check for URL endpoint discovery
location ~ /\+api$ {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}

# pass on /+static without authentication check for browser access to CSS etc.
location /+static/ {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}
location = /favicon.ico {
    auth_request off;
    proxy_set_header X-Outside-URL https://$host;
    proxy_pass http://localhost:3141;
}

# try serving static files directly
location ~ /\+f/ {
    # workaround to pass non-GET/HEAD requests through to the named location below
    error_page 418 = @proxy_to_app;
    if ($request_method !~ (GET)|(HEAD)) {
        return 418;
    }

    expires max;
    try_files /+files$uri @proxy_to_app;
}

# try serving docs directly
location ~ /\+doc/ {
    # if the --documentation-path option of devpi-web is used,
    # then the root must be set accordingly here
    # root /tmp/home/mydevpiserver;
    try_files $uri @proxy_to_app;
}
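Once the configuration above is in place, it is worth checking from outside that the lockdown actually holds: every path other than the listed SSO, /+api, /+static/ and favicon exemptions should be turned away anonymously, and the exempted routes must not be gated, or the SSO round trip cannot complete. The following script is an added example, not part of devpi-saml or devpi-server. It assumes only what the nginx snippet states (unauthenticated requests to gated paths produce a 401 that nginx maps to a 302 to /sso?redirect=...; the exempted locations have auth_request off). The sample protected paths, the hostname devpi.example.invalid and the fake responses used for testing are constructed.

```python
"""Anonymous smoke check for a devpi instance behind the nginx auth_request rules.

Added example, not part of devpi-saml. Probes a set of paths without credentials
and reports any gated path that is served, any exempted route that is blocked,
and any redirect that drops from https to http. Sample paths are constructed.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Prefixes the nginx snippet exempts from auth_request (plus the /+api suffix match).
OPEN_PREFIXES = ("/sso", "/slo", "/acs", "/sls", "/metadata", "/+static/")
OPEN_EXACT = ("/favicon.ico",)

# Constructed sample paths that must never be served anonymously.
PROTECTED_PATHS = (
    "/",
    "/root/pypi/",
    "/root/pypi/+simple/requests/",
    "/+f/ab/cd/requests-2.0.tar.gz",
    "/+authcheck",  # marked `internal`: nginx must refuse it from outside
)


@dataclass
class Probe:
    path: str
    status: int
    location: Optional[str] = None


Fetcher = Callable[[str], Probe]


def path_of(url: str) -> str:
    """Path component of a URL, '/' for the bare host."""
    return urlsplit(url).path or "/"


def is_open_path(path: str) -> bool:
    """Mirror the exemptions in the nginx snippet."""
    return (
        path in OPEN_EXACT
        or path.endswith("/+api")
        or any(path.startswith(p) for p in OPEN_PREFIXES)
    )


def urllib_fetch(url: str) -> Probe:
    """Anonymous GET that does not follow redirects, so Location can be inspected."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return Probe(path_of(url), resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return Probe(path_of(url), err.code, err.headers.get("Location"))


def findings_for(probe: Probe, https: bool) -> list[str]:
    """Compare one response against the lockdown policy; return the violations."""
    out: list[str] = []
    to_sso = probe.status == 302 and "/sso?redirect=" in (probe.location or "")
    if is_open_path(probe.path):
        # Exempted routes must not themselves be gated, or login can never finish.
        if probe.status == 401 or to_sso:
            out.append(f"{probe.path}: exempted route is blocked by auth_request")
    else:
        if 200 <= probe.status < 300:
            out.append(f"{probe.path}: served without authentication")
        elif probe.status == 401:
            out.append(f"{probe.path}: 401 not mapped to the @error401 redirect")
        elif probe.status == 302 and not to_sso:
            out.append(f"{probe.path}: redirect to unexpected location {probe.location!r}")
    # The snippet's error_page redirects to http://$host; on a TLS deployment that is a downgrade.
    if https and (probe.location or "").startswith("http://"):
        out.append(f"{probe.path}: redirect downgrades to plain http ({probe.location})")
    return out


def check_lockdown(base_url: str, fetch: Fetcher = urllib_fetch) -> list[str]:
    """Probe protected and exempted paths anonymously; an empty list means the lockdown holds."""
    https = base_url.startswith("https://")
    paths = PROTECTED_PATHS + OPEN_PREFIXES + OPEN_EXACT + ("/root/pypi/+api",)
    report: list[str] = []
    for path in paths:
        report.extend(findings_for(fetch(base_url.rstrip("/") + path), https))
    return report


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "https://devpi.example.invalid"
    print("\n".join(check_lockdown(base)) or "lockdown OK")
```

Run it as `python check_lockdown.py https://your-devpi-host` after deploying the configuration; it exits quietly with "lockdown OK" when every gated path redirects to the SSO view and every exempted route is reachable. The fetcher is injectable so the policy logic can be exercised against canned responses without a live server.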
