25c8ef0866
Phase 1 of the LDAPS / SAML 2.0 / OIDC integration. Lays the abstraction so subsequent provider strategies (LDAP, OIDC, SAML) plug in without re-wiring the login endpoint.

Backend changes:

- Alembic migration 008 adds users.auth_provider (enum: local/ldap/saml/oidc), external_id (indexed), external_groups (JSON), totp_secret, totp_enabled, last_provider_sync. password_hash becomes nullable for external users. Audit event enum extended with LOGIN_LDAP_SUCCESS, LOGIN_SSO_SUCCESS, AUTH_PROVIDER_FAILED, JIT_USER_CREATED, EXTERNAL_ROLE_MAPPED, USER_AUTO_LINKED, MFA_ENABLED/DISABLED/VERIFIED/FAILED.
- app/auth/strategies/ — Strategy Pattern: AuthStrategy ABC + ExternalIdentity portable identity + AuthResult. LocalAuthStrategy refactors existing bcrypt login. Constant-time dummy verify on user-not-found to defeat enumeration.
- app/auth/totp.py — RFC 6238 helpers (pyotp). Secret encrypted at rest with Fernet (key from AUTH_PROVIDER_CRYPTO_KEY env var). Never logged.
- app/auth/role_mapper.py — fnmatch-based external-groups -> UserRole mapping; rules in settings.auth_role_mappings JSON, admin-editable (Phase 5 UI to follow).
- app/auth/jit_provisioner.py — JIT user creation with auto-link by email on first SSO login (per requirements). Re-evaluates role on every login.
- app/auth/orchestrator.py — chains credential strategies in configurable AUTH_LOOKUP_ORDER. Generic safe message for every failure (audit logs the real reason).
- /auth/login refactored to use orchestrator. MFA gate: returns mfa_required=true + short-lived mfa_token if user has TOTP enabled; client POSTs /auth/mfa/verify with code to complete login.
- New endpoints: /auth/mfa/setup, /auth/mfa/activate, /auth/mfa/disable, /auth/providers (public — frontend uses to render correct buttons).
- requirements.txt: pyotp, cryptography, ldap3, authlib, itsdangerous, python3-saml, lxml.
- Dockerfile: libxml2-dev, libxmlsec1-dev, libxmlsec1-openssl, pkg-config for python3-saml; libsasl2/libldap/libssl-dev for future python-ldap.

Phase 2 (LDAPS), Phase 3 (OIDC), Phase 4 (SAML), Phase 5 (Admin UI for provider config + role-mapping) will follow as separate commits.
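The commit message describes role_mapper.py as an fnmatch-based mapping from external groups to UserRole, re-evaluated on every login. The block below is an added illustration of that design, not the project's role_mapper.py: the UserRole values, the "most privileged match wins" precedence, the least-privileged default, and the rule JSON shape are all assumptions made here for the example.

```python
import fnmatch
import json
from dataclasses import dataclass
from enum import Enum


class UserRole(str, Enum):          # assumed role set; the project's enum may differ
    VIEWER = "viewer"
    ANALYST = "analyst"
    ADMIN = "admin"


# Assumed precedence, least to most privileged.
ROLE_RANK = {UserRole.VIEWER: 0, UserRole.ANALYST: 1, UserRole.ADMIN: 2}

# Constructed stand-in for settings.auth_role_mappings (admin-editable JSON).
AUTH_ROLE_MAPPINGS_JSON = json.dumps([
    {"pattern": "cn=vulnmanager-admins,*", "role": "admin"},
    {"pattern": "cn=secops-*,ou=groups,*", "role": "analyst"},
])


@dataclass(frozen=True)
class MappingResult:
    role: UserRole
    matched: tuple   # (pattern, group) pairs that fired, for the EXTERNAL_ROLE_MAPPED audit event
    changed: bool    # True when this login must rewrite the stored role


def load_rules(raw_json: str) -> list:
    """Parse the admin-editable rule list; reject unknown role names up front."""
    rules = json.loads(raw_json)
    for rule in rules:
        UserRole(rule["role"])  # ValueError on a typo saved through the admin UI
    return rules


def map_role(external_groups, rules, current_role=None, default=UserRole.VIEWER):
    """Evaluate every rule against every group and keep the most privileged match.

    Matching is case-insensitive because LDAP DNs are. An empty or missing group
    list falls through to the least-privileged default, so a provider that stops
    sending groups demotes the account instead of preserving its old role.
    """
    best, fired = default, []
    for group in external_groups or []:
        for rule in rules:
            if fnmatch.fnmatch(group.lower(), rule["pattern"].lower()):
                fired.append((rule["pattern"], group))
                role = UserRole(rule["role"])
                if ROLE_RANK[role] > ROLE_RANK[best]:
                    best = role
    return MappingResult(best, tuple(fired), changed=(current_role != best))
```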
62 lines
1.6 KiB
Docker
# VulnManager Dockerfile
FROM python:3.11-slim

# Security: Run as non-root user
RUN useradd -m -u 1000 vulnmanager

WORKDIR /app

# Install system dependencies.
# - postgresql-client: alembic / psql tooling
# - dos2unix: entrypoint line-endings
# - libxml2-dev, libxmlsec1-dev, libxmlsec1-openssl, pkg-config:
#     required by python3-saml (XML signature validation)
# - libsasl2-dev, libldap2-dev, libssl-dev:
#     required by python-ldap if used (ldap3 is pure-python so optional,
#     kept here for future flexibility)
RUN apt-get update && apt-get install -y --no-install-recommends \
    postgresql-client \
    dos2unix \
    libxml2-dev \
    libxmlsec1-dev \
    libxmlsec1-openssl \
    pkg-config \
    libsasl2-dev \
    libldap2-dev \
    libssl-dev \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code (and entrypoint)
COPY . .

# Set permissions for entrypoint
RUN dos2unix /app/entrypoint.sh
RUN chmod +x /app/entrypoint.sh
RUN chown -R vulnmanager:vulnmanager /app

# Switch to non-root user
USER vulnmanager

# Env vars defaults
ENV POSTGRES_HOST=postgres
ENV POSTGRES_USER=vulnmanager
ENV POSTGRES_DB=vulnmanager

# Expose port
EXPOSE 8000

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"

# Entrypoint
ENTRYPOINT ["/app/entrypoint.sh"]

# Start application
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]