vulncheck/requirements.txt
vulncheck 25c8ef0866 feat(auth): multi-provider auth foundation (Strategy pattern + TOTP)
Phase 1 of the LDAPS / SAML 2.0 / OIDC integration. Lays the abstraction
so subsequent provider strategies (LDAP, OIDC, SAML) plug in without
re-wiring the login endpoint.

Backend changes:
- Alembic migration 008 adds users.auth_provider (enum: local/ldap/saml/oidc),
  external_id (indexed), external_groups (JSON), totp_secret, totp_enabled,
  last_provider_sync. password_hash becomes nullable for external users.
  Audit event enum extended with LOGIN_LDAP_SUCCESS, LOGIN_SSO_SUCCESS,
  AUTH_PROVIDER_FAILED, JIT_USER_CREATED, EXTERNAL_ROLE_MAPPED,
  USER_AUTO_LINKED, MFA_ENABLED/DISABLED/VERIFIED/FAILED.
- app/auth/strategies/ — Strategy Pattern: AuthStrategy ABC + ExternalIdentity
  portable identity + AuthResult. LocalAuthStrategy refactors existing
  bcrypt login. Constant-time dummy verify on user-not-found to defeat
  enumeration.
- app/auth/totp.py — RFC 6238 helpers (pyotp). Secret encrypted at rest
  with Fernet (key from AUTH_PROVIDER_CRYPTO_KEY env var). Never logged.
- app/auth/role_mapper.py — fnmatch-based external-groups -> UserRole
  mapping; rules in settings.auth_role_mappings JSON, admin-editable
  (Phase 5 UI to follow).
- app/auth/jit_provisioner.py — JIT user creation with auto-link by email
  on first SSO login (per requirements). Re-evaluates role on every login.
- app/auth/orchestrator.py — chains credential strategies in configurable
  AUTH_LOOKUP_ORDER. Generic safe message for every failure (audit logs
  the real reason).
- /auth/login refactored to use orchestrator. MFA gate: returns
  mfa_required=true + short-lived mfa_token if user has TOTP enabled;
  client POSTs /auth/mfa/verify with code to complete login.
- New endpoints: /auth/mfa/setup, /auth/mfa/activate, /auth/mfa/disable,
  /auth/providers (public — frontend uses to render correct buttons).
- requirements.txt: pyotp, cryptography, ldap3, authlib, itsdangerous,
  python3-saml, lxml.
- Dockerfile: libxml2-dev, libxmlsec1-dev, libxmlsec1-openssl, pkg-config
  for python3-saml; libsasl2/libldap/libssl-dev for future python-ldap.

Phase 2 (LDAPS), Phase 3 (OIDC), Phase 4 (SAML), Phase 5 (Admin UI for
provider config + role-mapping) will follow as separate commits.
2026-05-12 19:02:47 +02:00
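The strategy chain, the constant-time dummy verify on an unknown user, the fnmatch role mapping and the per-login role re-evaluation that the commit message describes, shown together as an added example. This is not the commit's code: PBKDF2-HMAC stands in for bcrypt, dicts stand in for the users table and for an LDAP directory, a list stands in for the audit table, and every name (hash_password, Orchestrator, DirectoryStrategy, LOGIN_SUCCESS, the group DNs) is hypothetical.

```python
# Added example (not the project's code): PBKDF2-HMAC stands in for bcrypt, dicts for
# the users table and the directory, a list for the audit table. Names are hypothetical.
import hashlib
import hmac
import os
from abc import ABC, abstractmethod
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

GENERIC_FAILURE = "Invalid username or password"   # the only text a client ever sees
PBKDF2_ROUNDS = 100_000                            # stand-in for bcrypt's work factor
DEFAULT_ROLE = "viewer"
# Glob over a group DN -> role, most privileged first so a member of several groups gets
# the highest match; DNs are lower-cased because LDAP compares them case-insensitively.
ROLE_RULES = [("cn=vulnmanager-admins,*", "admin"), ("cn=vulnmanager-*,*", "analyst")]

def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password: str, stored: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), stored[:16], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored[16:])

DUMMY_HASH = hash_password(os.urandom(16).hex())   # checked against when the user is unknown

def map_role(groups) -> str:
    lowered = [g.lower() for g in groups]
    for pattern, role in ROLE_RULES:
        if any(fnmatchcase(g, pattern) for g in lowered):
            return role
    return DEFAULT_ROLE

@dataclass
class AuthResult:
    ok: bool
    provider: str
    reason: str          # real cause: audit log only, never the client
    groups: tuple = ()   # external groups; empty for local users and failed binds

class AuthStrategy(ABC):
    name = "base"
    @abstractmethod
    def authenticate(self, username: str, password: str) -> Optional[AuthResult]:
        """None = this provider does not know the user; the orchestrator tries the next."""

class LocalAuthStrategy(AuthStrategy):
    name = "local"
    def __init__(self, users: dict):
        self.users = users   # username -> password hash
    def authenticate(self, username, password):
        stored = self.users.get(username)
        if stored is None:
            verify_password(password, DUMMY_HASH)  # same cost, so timing cannot reveal existence
            return None
        ok = verify_password(password, stored)
        return AuthResult(ok, self.name, "password ok" if ok else "bad password")

class DirectoryStrategy(AuthStrategy):
    """In-memory stand-in for an LDAP bind: username -> (password, [group DNs])."""
    name = "ldap"
    def __init__(self, directory: dict):
        self.directory = directory
    def authenticate(self, username, password):
        entry = self.directory.get(username)
        if entry is None:
            return None
        ok = hmac.compare_digest(entry[0].encode(), password.encode())
        return AuthResult(ok, self.name, "bind ok" if ok else "bind failed", tuple(entry[1]) if ok else ())

class Orchestrator:
    def __init__(self, strategies):
        self.strategies = strategies   # iteration order is the AUTH_LOOKUP_ORDER
        self.accounts = {}             # username -> role, filled by JIT provisioning
        self.audit = []                # (event, detail)

    def login(self, username: str, password: str):
        """Returns (ok, message, role); the message is identical for every failure."""
        for strategy in self.strategies:
            result = strategy.authenticate(username, password)
            if result is None:
                continue                # unknown here, try the next provider
            if not result.ok:
                self.audit.append(("AUTH_PROVIDER_FAILED", f"{result.provider}:{username}:{result.reason}"))
                return False, GENERIC_FAILURE, None
            if result.provider != "local":   # JIT: create on first login, re-map role on every login
                role = map_role(result.groups)
                if username not in self.accounts:
                    self.audit.append(("JIT_USER_CREATED", f"{username} via {result.provider}"))
                elif self.accounts[username] != role:
                    self.audit.append(("EXTERNAL_ROLE_MAPPED", f"{username}: {self.accounts[username]} -> {role}"))
                self.accounts[username] = role
            self.audit.append(("LOGIN_SUCCESS", f"{result.provider}:{username}"))
            return True, "ok", self.accounts.get(username, DEFAULT_ROLE)
        self.audit.append(("AUTH_PROVIDER_FAILED", f"{username}: unknown to every provider"))
        return False, GENERIC_FAILURE, None
```

The two things worth checking against a real implementation: the unknown-user path must run the same hash work as the known-user path (here `DUMMY_HASH` is hashed once at import, so the per-request cost is identical), and the role must be recomputed from the current group list on every login so that removal from an admin group demotes the account instead of leaving the role from first provisioning in place.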


# VulnManager Dependencies (Python 3.13 compatible)
# FastAPI & Server
fastapi==0.115.6
uvicorn[standard]==0.32.1
python-multipart==0.0.20
# Database
sqlalchemy==2.0.36
alembic==1.14.0
psycopg2-binary==2.9.10 # Updated for Python 3.13
# Authentication & Security
pyjwt[crypto]==2.10.1
passlib[bcrypt]==1.7.4
bcrypt==3.2.2 # Downgraded for passlib compatibility
# HTTP Clients
httpx==0.28.1 # Updated
tenacity==9.0.0 # Updated
# Rate Limiting
slowapi==0.1.9
# Validation
pydantic==2.10.5 # Updated for Python 3.13
pydantic-settings==2.7.1 # Updated
email-validator==2.2.0 # Updated
# Scheduling
apscheduler==3.10.4
# Environment
python-dotenv==1.0.1
# Logging & Monitoring (optional)
python-json-logger==3.2.1 # Updated
# Testing (Development)
pytest==8.3.4 # Updated
pytest-asyncio==0.24.0 # Updated
# Reporting
reportlab==4.4.9
# ============================================
# Multi-provider authentication (Phase 1: foundation; Phase 2+: LDAP/OIDC/SAML)
# ============================================
# TOTP / MFA
pyotp==2.9.0
# Fernet for encrypting LDAP bind-pw + TOTP secrets at rest
cryptography==43.0.3
# LDAPS (Phase 2)
ldap3==2.9.1
# OAuth2 / OIDC (Phase 3)
authlib==1.3.2
itsdangerous==2.2.0
# SAML 2.0 (Phase 4) — requires system libs xmlsec1, libxml2-dev, libxmlsec1-dev
python3-saml==1.16.0
lxml==5.3.0