#
#
from flask import Flask, g, redirect, url_for, request, render_template, session, logging
from flask_session.__init__ import Session
from flask import request
from os import environ
import functions
import json,os,sys, random, string, re, logging, time, datetime, requests
from flask import Flask
from flask_oidc import OpenIDConnect
from itsdangerous.url_safe import URLSafeTimedSerializer as Serializer
from okta import UsersClient
from oauth2client.client import OAuth2Credentials
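app = Flask(__name__)
app.config['VERSION'] = '2.0f'
app.config['SESSION_TYPE'] = 'filesystem'
# SECURITY: the session-signing key is hard-coded in source, so anyone who can
# read the repository can forge session cookies. It should come from a secret
# store or the environment; the literal is kept here only for compatibility.
app.config['SECRET_KEY'] = 'asjhd4895647664745464138537262ds00cd'
app.config['OIDC_CLIENT_SECRETS'] = 'client_secrets.json'
# False lets the OIDC cookie travel over plain HTTP; only acceptable behind a
# TLS-terminating proxy on a trusted network.
app.config['OIDC_COOKIE_SECURE'] = False
app.config['OIDC_CALLBACK_ROUTE'] = '/oidc/callback'
app.config['OIDC_SCOPES'] = ['openid', 'email', 'profile']
oidc = OpenIDConnect(app)
# NOTE(review): `sess` is never bound to `app` (no init_app / Session(app)),
# so SESSION_TYPE='filesystem' may not actually take effect — confirm.
sess = Session()

# Route Flask's logger through gunicorn's handlers so application log lines
# land in the same sink as the server's when running under gunicorn.
gunicorn_logger = logging.getLogger('gunicorn.error')
app.logger.handlers = gunicorn_logger.handlers
app.logger.setLevel(gunicorn_logger.level)

# Okta API settings come from the environment: TOKEN (the SSWS API token sent
# by call_okta) and URLBASE (the org's base URL). os.environ.get() never
# raises, so the original try/bare-except around these lines was a no-op;
# an unset variable now yields '' (the value the original pre-initialised)
# instead of None, which would make the string concatenation in the helpers
# raise TypeError.
OKTA_TOKEN = os.environ.get('TOKEN', '')
OKTA_URLBASE = os.environ.get("URLBASE", '')
app.config['OKTA_URLBASE'] = OKTA_URLBASE
if not OKTA_TOKEN:
    # Name the variable that is actually read (TOKEN, not OKTA_TOKEN) so an
    # operator following the log sets the right one.
    functions.log_msg('oidc', 'ENV var TOKEN not set!')
if not OKTA_URLBASE:
    functions.log_msg('oidc', 'ENV var URLBASE not set!')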
# main routes
@app.route('/')
def home():
    """Landing page: the panel for a logged-in user, otherwise the home page.

    When no OIDC user is logged in the session's ``user_loggedin`` marker is
    reset to "" so that ``panel()`` records the next login again.
    """
    if oidc.user_loggedin:
        return render_template('panel.html')
    session['user_loggedin'] = ""
    return render_template('home.html')
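@app.route('/panel')
@oidc.require_login
def panel():
    """Main panel for an authenticated user.

    ``@oidc.require_login`` is expected to send unauthenticated users to the
    OIDC login, so the logged-out branch below is a defensive fallback.
    The first visit after login (session marker empty or absent) stores the
    Okta display name in the session and writes an audit log line; later
    visits render the panel directly.
    """
    if not oidc.user_loggedin:
        session['user_loggedin'] = ""
        return render_template('home.html')
    # session.get(): a user who arrives here straight from the OIDC callback,
    # without passing through home(), has no 'user_loggedin' key yet; the
    # original subscript raised KeyError and produced a 500.
    if session.get('user_loggedin', "") == "":
        functions.log_msg(oidc, "User Logged in")
        session['okta_name'] = oidc.user_getfield('name')
        session['user_loggedin'] = "yes"
    return render_template('panel.html')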
@app.route('/users/search/<pattern>')
def show_users(pattern):
    """List Okta users matching *pattern*; "disabled" lists deprovisioned users.

    The pattern is kept in the session so the user detail page can link back
    to the list it came from. An 'err' result from the Okta helpers is shown
    as a permission error on the panel.
    """
    if not oidc.user_loggedin:
        session['user_loggedin'] = ""
        return render_template('home.html')
    disabled_only = pattern == "disabled"
    if disabled_only:
        user_data = get_disabled_users()
    else:
        user_data = get_users(pattern)
    # For the "disabled" pseudo-pattern this stores the literal "disabled".
    session['pattern'] = pattern
    log_line = "Showing disabled users" if disabled_only else "Showing users for: " + pattern
    functions.log_msg(oidc, log_line)
    if user_data == 'err':
        return render_template('panel.html', msg="Permission error. Please contact your Okta admin.")
    return render_template('users.html', user_data=user_data)
@app.route('/logout')
def logout():
    """End the OIDC session, reset the login marker and show the home page."""
    oidc.logout()
    # Same marker home() resets, so a later panel() visit logs the login again.
    session['user_loggedin'] = ""
    return render_template('home.html')
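@app.route('/delfactor/<userid>/<factorid>', methods=['GET'])
def factordelete(userid, factorid):
    """Remove one MFA factor from a user and return to the user's detail page.

    Requires a logged-in OIDC user, like every other user-management route;
    the original performed the deletion without that check. On an Okta error
    the detail page is shown with ``param=error`` instead of ``factordel``.

    NOTE(review): this is a state-changing action on a GET route with no CSRF
    token, so it can be triggered by a cross-site request; a POST with a
    CSRF token would be the safer shape.
    """
    from urllib.parse import quote

    if not oidc.user_loggedin:
        session['user_loggedin'] = ""
        return render_template('home.html')
    if not (userid and factorid):
        return render_template('panel.html')
    # Percent-encode both path segments so a crafted id cannot change the
    # shape of the Okta API URL.
    url = (OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe='')
           + '/factors/' + quote(factorid, safe=''))
    res = call_okta('delete', url)
    outcome = 'error' if res == 'err' else 'factordel'
    return redirect('/users/' + userid + '/view?param=' + outcome)  # go back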
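@app.route('/users/<userid>/<action>', methods=['GET', 'POST'])
def useractions(userid, action):
    """Dispatch a per-user management action and render or redirect.

    Args:
        userid: Okta user id taken from the URL path.
        action: one of 'view', 'edit', 'deactivate', 'activate', 'delete',
            'reset', 'unlock', 'save'. Any other value goes back to the panel
            (the original fell off the end and returned None, a 500).

    The optional ``param`` query argument is passed through to the detail
    page so it can report the outcome of the previous action.

    NOTE(review): every action except 'save' changes user state on a GET
    request and no CSRF token is checked, so these can be triggered by a
    cross-site request against a logged-in admin; POST plus a CSRF token
    would be the safer shape.
    """
    # request.args.get() never raises; the original wrapped it in a bare except.
    param = request.args.get('param', None)
    if not oidc.user_loggedin:
        session['user_loggedin'] = ""
        return render_template('home.html')
    if action == 'view':
        return _view_user(userid, param)
    if action == 'edit':
        user_data = get_user(userid)
        if user_data == 'err':
            return redirect('/panel')  # go back
        return render_template('edituser.html', user_data=user_data)
    if action == 'deactivate':
        # As in the original, only the second call's result decides the
        # outcome; the deactivate result itself is not checked.
        update_user_status(userid, 'deactivate')
        res = update_user_status(userid, 'reset_factors')
        return _back_to_user(userid, 'error' if res == 'err' else 'deactivate')
    if action == 'activate':
        res = update_user_status(userid, 'activate')
        return _back_to_user(userid, 'error' if res == 'err' else 'activate')
    if action == 'delete':
        if delete_user(userid) == 'err':
            return render_template('panel.html', msg="Delete action failed.")
        return render_template('panel.html', msg="User was deleted.")
    if action == 'reset':
        update_user_status(userid, 'reset_password?sendEmail=true')
        return _back_to_user(userid, 'reset')
    if action == 'unlock':
        update_user_status(userid, 'unlock')
        return _back_to_user(userid, 'unlock')
    if action == 'save':
        return _save_user(userid)
    return redirect('/panel')  # unknown action: go back


def _back_to_user(userid, outcome):
    """Redirect to the user's detail page with ``param=<outcome>``."""
    return redirect('/users/' + userid + '/view?param=' + outcome)  # go back


def _view_user(userid, param):
    """Render the detail page for *userid*: profile, MFA factors, admin flag."""
    user_data = get_user(userid)
    if user_data == 'err':
        return redirect('/panel')  # go back
    session['custemail'] = user_data['profile']['email']
    factor_data = get_user_factors(userid)
    role_data = get_user_roles(userid)
    if role_data == 'err':
        return render_template('panel.html', msg="Permission error. Please contact your Okta admin.")
    # Default to "not admin": when check_admin_role raised, the original left
    # admin_bool unbound and the render below failed with UnboundLocalError.
    admin_bool = False
    try:
        admin_bool = functions.check_admin_role(role_data)
    except Exception:
        functions.log_msg(oidc, "check_admin_role error. Make sure API user is Super admin. ")
    return render_template(
        'showuser.html',
        factor_data=factor_data,
        # session.get(): the page can be opened directly, without a prior
        # search having stored 'pattern'.
        pattern=session.get('pattern', ''),
        admin_bool=admin_bool,
        param=param,
        user_data=user_data,
    )


def _save_user(userid):
    """Apply the posted edit form (fname, lname, mobile) to the user.

    A non-POST request or an empty field ends with ``param=error`` instead of
    the original's implicit None (a 500).
    """
    if request.method != 'POST':
        return _back_to_user(userid, 'error')
    fname = request.form['fname']
    lname = request.form['lname']
    mobile = request.form['mobile']
    if not (fname and lname and mobile):
        return _back_to_user(userid, 'error')
    res = update_user(userid, fname, lname, mobile)
    return _back_to_user(userid, 'error' if res == 'err' else 'save')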
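@app.route('/user/search/submit', methods=['POST'])
def searchsubmit_result():
    """Handle the search form and redirect to the matching user list.

    The ``disabled_cb`` checkbox overrides the typed pattern with the
    "disabled" pseudo-pattern understood by ``show_users()``. An empty
    pattern goes back to the panel.
    """
    from urllib.parse import quote

    if request.method != 'POST':
        return redirect('/panel')  # go back
    pattern = request.form['pattern']
    # An absent checkbox field just means "unchecked"; .get() replaces the
    # original bare try/except around request.form['disabled_cb'].
    if request.form.get('disabled_cb', ""):
        pattern = "disabled"
    if pattern:
        # Percent-encode so a pattern containing '/', '?' or '#' stays one
        # path segment of the redirect target; Flask decodes it again when
        # routing to show_users().
        return redirect('/users/search/' + quote(pattern, safe=''))  # show users
    return redirect('/panel')  # go back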
###########################################################################
# Base functions
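def get_users(pattern):
    """Search Okta users matching *pattern* (first 100 hits).

    Args:
        pattern: free-text search string taken from the URL, i.e. untrusted.

    Returns:
        The parsed JSON list from Okta, or 'err' (see ``call_okta``).
    """
    from urllib.parse import quote

    # Percent-encode the pattern: plain concatenation let characters such as
    # '&' or '#' in the search text add or cut query parameters of the
    # Okta request.
    url = OKTA_URLBASE + '/api/v1/users?q=' + quote(pattern, safe='') + '&limit=100'
    return call_okta('get', url)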
def get_disabled_users():
    """Return Okta users whose status is DEPROVISIONED, or 'err' on failure."""
    query = '/api/v1/users?filter=status%20eq%20"DEPROVISIONED"'
    return call_okta('get', OKTA_URLBASE + query)
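def get_user(userid):
    """Fetch one Okta user record by id; returns the parsed JSON or 'err'.

    *userid* comes from the URL path and is percent-encoded so it can only
    ever address a single path segment of the Okta API.
    """
    from urllib.parse import quote

    return call_okta('get', OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe=''))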
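def get_user_roles(userid):
    """Fetch the admin roles assigned to *userid*; parsed JSON or 'err'.

    *userid* comes from the URL path and is percent-encoded so it can only
    ever address a single path segment of the Okta API.
    """
    from urllib.parse import quote

    url = OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe='') + '/roles'
    return call_okta('get', url)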
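def get_user_factors(userid):
    """Fetch the enrolled MFA factors of *userid*; parsed JSON or 'err'.

    *userid* comes from the URL path and is percent-encoded so it can only
    ever address a single path segment of the Okta API.
    """
    from urllib.parse import quote

    url = OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe='') + '/factors'
    return call_okta('get', url)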
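def delete_user(userid):
    """Delete *userid* in Okta and write an audit line; returns 'ok' or 'err'.

    Note that the audit line is written regardless of the result, as in the
    original; callers decide what to show from the return value.
    """
    from urllib.parse import quote

    res = call_okta('delete', OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe=''))
    # 'custemail' is only stored by the 'view' action; fall back to the id so
    # a direct call does not raise KeyError after the deletion already ran.
    functions.log_msg(oidc, "Deleted user: " + session.get('custemail', userid))
    return res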
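def update_user(userid, fname, lname, phone):
    """Update first name, last name and mobile phone of *userid* in Okta.

    Returns the parsed JSON response or 'err'. The audit line is written
    regardless of the result, as in the original.
    """
    from urllib.parse import quote

    url = OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe='')
    data = {
        "profile": {
            "firstName": fname,
            "lastName": lname,
            "mobilePhone": phone,
        }
    }
    res = call_okta('post', url, json.dumps(data))
    # 'custemail' is only stored by the 'view' action; fall back to the id so
    # a direct call does not raise KeyError after the update already ran.
    functions.log_msg(oidc, "Updated information for user: " + session.get('custemail', userid))
    return res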
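def update_user_status(userid, action):
    """POST a lifecycle *action* for *userid* (activate, deactivate, unlock, ...).

    *action* is a fixed string chosen by the caller, not user input, and may
    carry a query string (e.g. 'reset_password?sendEmail=true'), so it is
    appended as-is; only *userid* is percent-encoded.

    Returns the parsed JSON response or 'err'. The audit line is written
    regardless of the result, as in the original.
    """
    from urllib.parse import quote

    url = OKTA_URLBASE + '/api/v1/users/' + quote(userid, safe='') + '/lifecycle/' + action
    res = call_okta('post', url)
    # 'custemail' is only stored by the 'view' action; fall back to the id so
    # a direct call does not raise KeyError after the change already ran.
    functions.log_msg(oidc, "Updated user: " + session.get('custemail', userid) + " to status: " + action)
    return res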
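def call_okta(action, url, data="", timeout=30):
    """Call the Okta management API with the SSWS token from the environment.

    Args:
        action: 'get', 'post' or 'delete'.
        url: absolute Okta API URL (callers build it from OKTA_URLBASE).
        data: request body (already JSON-encoded) for 'post'.
        timeout: seconds before the request is abandoned. ``requests`` has no
            default timeout, so without this a stalled Okta call would hang
            the worker indefinitely.

    Returns:
        'ok' for a successful delete, the parsed JSON body for get/post, or
        'err' when Okta returned an HTTP error, the request failed at the
        transport level, or *action* is not one of the three verbs.
    """
    headers = {
        'Content-type': 'application/json',
        'Accept': 'application/json',
        # `or ''` keeps the header well-formed when the token is unset (None)
        # instead of raising TypeError; Okta then answers 401 -> 'err'.
        'Authorization': 'SSWS ' + (OKTA_TOKEN or ''),
    }
    method = {
        'get': requests.get,
        'post': requests.post,
        'delete': requests.delete,
    }.get(action)
    if method is None:
        # The original left `result` unbound here and raised NameError.
        functions.log_msg(oidc, "Okta error: unsupported action " + repr(action))
        return 'err'
    try:
        result = method(url, data=data, headers=headers, timeout=timeout)
        result.raise_for_status()
    except requests.exceptions.HTTPError:
        # Okta error bodies normally carry 'errorSummary', but a proxy or
        # gateway error may not be JSON at all; the logging itself must not
        # raise (the original did, turning every Okta error into a 500).
        try:
            body = result.json()
        except ValueError:
            body = None
        summary = body.get('errorSummary', result.text) if isinstance(body, dict) else result.text
        functions.log_msg(oidc, "Okta error: " + str(summary))
        return 'err'
    except requests.exceptions.RequestException as exc:
        # Connection refused, DNS failure, timeout, ...: previously propagated
        # out of every route as a 500.
        functions.log_msg(oidc, "Okta request failed: " + str(exc))
        return 'err'
    if action == 'delete':
        return 'ok'
    return json.loads(result.text)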
###########################################################################
# run the APP
if __name__ == '__main__':
    # Development entry point only; under gunicorn this block is not run.
    # host='0.0.0.0' binds every interface, not just the loopback address.
    app.run(host='0.0.0.0', debug=False)