Switch to OIDC authentication

web/__init__.py

@@ -3,7 +3,6 @@ import syslog
 import secrets
 
 import flask
-import flask_ldap3_login
 import flask_login
 
 def create_app(test_config=None):
@@ -14,13 +13,13 @@ def create_app(test_config=None):
     settings = {
         'secret_key': secrets.token_hex(),
         'ldap_host': '',
-        'ldap_port': '636',
         'ldap_user': '',
         'ldap_pass': '',
-        'ldap_admin': '',
         'ldap_base_dn': '',
-        'ldap_user_dn': '',
-        'ldap_login_attr': 'userPrincipalName',
+        'oidc_tenant': '',
+        'oidc_client_id': '',
+        'oidc_client_secret': '',
+        'admin_group': '',
         'admin_mail': '',
         'wg_endpoint': '',
         'wg_port': '51820',
@@ -35,18 +34,15 @@ def create_app(test_config=None):
         db.write('settings', settings)
 
     app.config['SECRET_KEY'] = settings.get('secret_key', '')
-    app.config['LDAP_USE_SSL'] = True
-    app.config['LDAP_HOST'] = settings.get('ldap_host', '')
-    app.config['LDAP_PORT'] = int(settings.get('ldap_port', '636'))
-    app.config['LDAP_BASE_DN'] = settings.get('ldap_base_dn', '')
-    app.config['LDAP_USER_DN'] = settings.get('ldap_user_dn', '')
-    app.config['LDAP_BIND_USER_DN'] = settings.get('ldap_user', '')
-    app.config['LDAP_BIND_USER_PASSWORD'] = settings.get('ldap_pass', '')
-    app.config['LDAP_USER_LOGIN_ATTR'] = settings.get('ldap_login_attr', 'userPrincipalName')
-    app.config['LDAP_USER_SEARCH_SCOPE'] = 'SUBTREE'
 
     from . import auth
-    app.register_blueprint(auth.blueprint)
+    auth.init_app(app)
+
+    from . import errors
+    errors.init_app(app)
+
+    from . import system
+    system.init_app(app)
 
     from . import config
     app.register_blueprint(config.blueprint)
@@ -63,36 +59,6 @@ def create_app(test_config=None):
     from . import vpn
     app.register_blueprint(vpn.blueprint)
 
-    from . import system
-    system.init_app(app)
-
-    login_manager = flask_login.LoginManager(app)
-    ldap_manager = flask_ldap3_login.LDAP3LoginManager(app)
-    users = {}
-
-    @login_manager.user_loader
-    def load_user(id):
-        return users.get(id)
-
-    @ldap_manager.save_user
-    def save_user(dn, username, data, memberships):
-        user = auth.User(dn, username, data)
-        users[dn] = user
-        return user
-
-    @login_manager.unauthorized_handler
-    def unauth_handler():
-        return flask.redirect(flask.url_for('auth.login', next=flask.request.endpoint))
-
-    @app.errorhandler(TimeoutError)
-    def timeout_error(e):
-        return flask.render_template('busy.html')
-
-    @app.errorhandler(Exception)
-    def internal_server_error(e):
-        return flask.Response(f'something went catastrophically wrong: {e}',
-                status=500, mimetype='text/plain')
-
     @app.route('/')
     @flask_login.login_required
     def home():
@@ -101,17 +67,11 @@ def create_app(test_config=None):
     @app.route('/nodes')
     @flask_login.login_required
     def nodes():
-        try:
-            if not flask_login.current_user.is_admin:
-                return flask.Response('forbidden', status=403, mimetype='text/plain')
-            with db.locked('nodes'):
-                version = db.load('settings').get('version')
-                nodes = db.read('nodes')
-            return flask.render_template('nodes.html', version=version, nodes=nodes)
-        except TimeoutError:
-            return flask.render_template('busy.html')
-        except Exception as e:
-            return flask.Response(f'something went catastrophically wrong: {e}',
-                    status=400, mimetype='text/plain')
+        if not flask_login.current_user.is_admin:
+            return flask.Response('forbidden', status=403, mimetype='text/plain')
+        with db.locked('nodes'):
+            version = db.load('settings').get('version')
+            nodes = db.read('nodes')
+        return flask.render_template('nodes.html', version=version, nodes=nodes)
 
     return app