Python CSC Electronic Office
Max Erenberg fce58cebee
Merge branch 'v1' into db-api
2021-08-26 03:21:19 +00:00

pyceo

CEO (CSC Electronic Office) is the tool used by CSC to manage club accounts and memberships. See architecture.md for an overview of its architecture.

Development

First, make sure that you have installed the syscom dev environment. This will set up all of the services needed for ceo to work. You should clone this repo in the phosphoric-acid container under ctdalek's home directory; you will then be able to access it from any container thanks to NFS.

Environment setup

Once you have the dev environment set up, there are a few more steps you'll need to do for ceo.

Kerberos principals

First, you'll need ceod/<hostname> principals for each of phosphoric-acid, coffee and mail. (coffee is taking over the role of caffeine for the DB endpoints). For example, in the phosphoric-acid container:

kadmin -p sysadmin/admin
<password is krb5>
addprinc -randkey ceod/phosphoric-acid.csclub.internal
ktadd ceod/phosphoric-acid.csclub.internal

Do this for coffee and mail as well. You need to actually be in the appropriate container when running these commands, since the credentials are being added to the local keytab. On phosphoric-acid, you will additionally need to create a principal called ceod/admin (remember to addprinc and ktadd).

Database

Create the superuser mysql with password mysql:

mysql -u root

CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;

Modify the superuser postgres for password authentication and restrict new users:

su postgres
psql

ALTER USER postgres WITH PASSWORD 'postgres';
REVOKE ALL ON SCHEMA public FROM public;
GRANT ALL ON SCHEMA public TO postgres;

Create a new pg_hba.conf to force password authentication and reject non-local connections:

cd /etc/postgresql/<version>/<branch>/
mv pg_hba.conf pg_hba.conf.old
# new pg_hba.conf
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                md5
local   sameuser        all                                     md5
host    all             all             0.0.0.0/0               reject
systemctl restart postgresql
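To check what the pg_hba.conf above actually permits before restarting PostgreSQL, here is a small evaluator (added example, not part of the pyceo repo) that applies the same first-match-wins rule PostgreSQL uses; the config text is a constructed copy of the file above, and the parser only handles the record types that file uses.

```python
import ipaddress

# Constructed copy of the pg_hba.conf from the README above (not read from disk).
PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                md5
local   sameuser        all                                     md5
host    all             all             0.0.0.0/0               reject
"""


def parse_pg_hba(text):
    """Parse the subset of pg_hba.conf used here: comments, blank lines,
    'local' records (4 fields) and 'host' records with a CIDR address (5 fields)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) == 4:
            rules.append({"type": "local", "db": f[1], "user": f[2], "addr": None, "method": f[3]})
        elif f[0] == "host" and len(f) == 5:
            rules.append({"type": "host", "db": f[1], "user": f[2],
                          "addr": ipaddress.ip_network(f[3]), "method": f[4]})
        else:
            raise ValueError(f"unsupported pg_hba record: {line!r}")
    return rules


def match_method(rules, conn_type, database, user, address=None):
    """Return the auth method of the first matching record, as PostgreSQL does.
    None means no record matched, which PostgreSQL treats as a refused connection."""
    for r in rules:
        if r["type"] != conn_type:
            continue
        db_ok = (r["db"] == "all" or r["db"] == database
                 or (r["db"] == "sameuser" and database == user))
        user_ok = r["user"] == "all" or r["user"] == user
        # A 0.0.0.0/0 record only covers IPv4; an IPv6 client matches nothing
        # and is therefore refused as well.
        addr_ok = r["addr"] is None or (
            address is not None and ipaddress.ip_address(address) in r["addr"])
        if db_ok and user_ok and addr_ok:
            return r["method"]
    return None


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    print(match_method(rules, "local", "ceo", "ceo"))              # md5 (sameuser)
    print(match_method(rules, "local", "ceo", "someone_else"))     # None (refused)
    print(match_method(rules, "host", "ceo", "ceo", "10.0.0.5"))   # reject
```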

Mailman

You should create the following mailing lists from the mail container:

/opt/mailman3/bin/mailman create syscom@csclub.internal
/opt/mailman3/bin/mailman create syscom-alerts@csclub.internal
/opt/mailman3/bin/mailman create exec@csclub.internal
/opt/mailman3/bin/mailman create ceo@csclub.internal

See https://git.uwaterloo.ca/csc/syscom-dev-environment/-/tree/master/mail for instructions on how to access the Mailman UI from your browser.

If you want to actually see the archived messages, you'll need to tweak the settings for each list from the UI so that non-member messages get accepted (by default they get held).

Dependencies

Next, install and activate a virtualenv:

sudo apt install libkrb5-dev python3-dev
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
pip install -r dev-requirements.txt

Running the application

ceod is a distributed application, with instances on different hosts offering different services. Therefore, you will need to run ceod on multiple hosts. Currently, those are phosphoric-acid, mail and caffeine (in the dev environment, caffeine is replaced by coffee).

To run ceod on a single host (as root, since the app needs to read the keytab):

export FLASK_APP=ceod.api
export FLASK_ENV=development
flask run -h 0.0.0.0 -p 9987

Sometimes changes you make in the source code don't show up while Flask is running. Stop the flask app (Ctrl-C), run clear_cache.sh, then restart the app.

Interacting with the application

The client part of ceo hasn't been written yet, so we'll use curl to interact with ceod for now.

ceod uses SPNEGO for authentication, and TLS for confidentiality and integrity. In development mode, TLS can be disabled.

First, make sure that your version of curl has been compiled with SPNEGO support:

curl -V

You should see 'SPNEGO' in the 'Features' section.

Here's an example of making a request to an endpoint which writes to LDAP:

# Get a Kerberos TGT first
kinit
# Make the request
curl --negotiate -u : --service-name ceod --delegation always \
    -d '{"uid":"test_1","cn":"Test One","program":"Math","terms":["s2021"]}' \
    -X POST http://phosphoric-acid:9987/api/members