From e844d2995ae3e4cb805e759fa6e785c34d49fa3b Mon Sep 17 00:00:00 2001
From: Bishtawi
Date: Sun, 24 Nov 2024 12:31:17 -0800
Subject: [PATCH 1/3] Support reading secrets from files

---
 boot.sh                         | 14 +++++++++++++-
 docs/features/authentication.md | 25 ++++++++++++++++---------
 docs/system/configuration.md    | 24 ++++++++++++++++++++----
 3 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/boot.sh b/boot.sh
index 9f70a535c3..03f6e82dab 100644
--- a/boot.sh
+++ b/boot.sh
@@ -29,6 +29,18 @@ if [ -z "${SECRET_KEY}" ]; then
     display_warning "The environment variable 'SECRET_KEY' (or 'SECRET_KEY_FILE' that points to an existing file) is not set but REQUIRED for running Tandoor!"
 fi
 
+if [ -f "${AUTH_LDAP_BIND_PASSWORD_FILE}" ]; then
+    export AUTH_LDAP_BIND_PASSWORD=$(cat "$AUTH_LDAP_BIND_PASSWORD_FILE")
+fi
+
+if [ -f "${EMAIL_HOST_PASSWORD_FILE}" ]; then
+    export EMAIL_HOST_PASSWORD=$(cat "$EMAIL_HOST_PASSWORD_FILE")
+fi
+
+if [ -f "${SOCIALACCOUNT_PROVIDERS_FILE}" ]; then
+    export SOCIALACCOUNT_PROVIDERS=$(cat "$SOCIALACCOUNT_PROVIDERS_FILE")
+fi
+
 echo "Waiting for database to be ready..."
 
@@ -83,4 +95,4 @@ if [ "$ipv6_disable" -eq 0 ]; then
     exec gunicorn -b "[::]:$TANDOOR_PORT" --workers $GUNICORN_WORKERS --threads $GUNICORN_THREADS --access-logfile - --error-logfile - --log-level $GUNICORN_LOG_LEVEL recipes.wsgi
 else
     exec gunicorn -b ":$TANDOOR_PORT" --workers $GUNICORN_WORKERS --threads $GUNICORN_THREADS --access-logfile - --error-logfile - --log-level $GUNICORN_LOG_LEVEL recipes.wsgi
-fi
\ No newline at end of file
+fi
diff --git a/docs/features/authentication.md b/docs/features/authentication.md
index 34a7970fb3..81152e8648 100644
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
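Review bot: In the three new blocks `export VAR=$(cat "$VAR_FILE")` discards cat's exit status, so a secret file that exists but is unreadable by the container user (the common root-owned 0400 mount) leaves the variable exported as an empty string and the service starts with an empty LDAP or SMTP password and no diagnostic. Assigning first and exporting separately keeps the failure visible, e.g. `if ! AUTH_LDAP_BIND_PASSWORD=$(cat "$AUTH_LDAP_BIND_PASSWORD_FILE"); then display_warning "AUTH_LDAP_BIND_PASSWORD_FILE is set but could not be read"; fi` followed by `export AUTH_LDAP_BIND_PASSWORD`, and likewise for EMAIL_HOST_PASSWORD and SOCIALACCOUNT_PROVIDERS. The `_FILE` variant also silently overrides a directly set value when both are present; a one-line warning in that case would surface misconfiguration early, and the same presumably applies to the existing SECRET_KEY_FILE handling referenced by the warning above the hunk. Separately, the new EMAIL_HOST_PASSWORD_FILE paragraph in docs/system/configuration.md says "the ldap secret" where it means the email password.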
@@ -1,8 +1,8 @@ -Besides the normal django username and password authentication this application supports multiple +Besides the normal django username and password authentication this application supports multiple methods of central account management and authentication. ## Allauth -[Django Allauth](https://django-allauth.readthedocs.io/en/latest/index.html) is an awesome project that +[Django Allauth](https://django-allauth.readthedocs.io/en/latest/index.html) is an awesome project that allows you to use a [huge number](https://docs.allauth.org/en/latest/socialaccount/providers/index.html) of different authentication providers. @@ -11,8 +11,8 @@ They basically explain everything in their documentation, but the following is a !!! warning "Public Providers" If you choose Google, Github or any other publicly available service as your authentication provider anyone with an account on that site can create an account on your installation. - A new account does not have any permission but it is still **not recommended** to give public access to - your installation. + A new account does not have any permission but it is still **not recommended** to give public access to + your installation. Choose a provider from the [list](https://docs.allauth.org/en/latest/socialaccount/providers/index.html) and install it using the environment variable `SOCIAL_PROVIDERS` as shown in the example below. 
@@ -28,15 +28,15 @@ SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect,allauth.socialac ### Configuration, via environment -Depending on your authentication provider you **might need** to configure it. -This needs to be done through the settings system. To make the system flexible (allow multiple providers) and to +Depending on your authentication provider you **might need** to configure it. +This needs to be done through the settings system. To make the system flexible (allow multiple providers) and to not require another file to be mounted into the container the configuration ins done through a single environment variable. The downside of this approach is that the configuration needs to be put into a single line as environment files loaded by docker compose don't support multiple lines for a single variable. The line data needs to either be in json or as Python dictionary syntax. -Take the example configuration from the allauth docs, fill in your settings and then inline the whole object +Take the example configuration from the allauth docs, fill in your settings and then inline the whole object (you can use a service like [www.freeformatter.com](https://www.freeformatter.com/json-formatter.html) for formatting). Assign it to the additional `SOCIALACCOUNT_PROVIDERS` variable. 
@@ -46,6 +46,13 @@ The example below is for a generic OIDC provider with PKCE enabled. Most values SOCIALACCOUNT_PROVIDERS = "{ 'openid_connect': { 'OAUTH_PKCE_ENABLED': True, 'APPS': [ { 'provider_id': 'oidc', 'name': 'My-IDM', 'client_id': 'my_client_id', 'secret': 'my_client_secret', 'settings': { 'server_url': 'https://idm.example.com/oidc/recipes' } } ] } }" ``` +Because this JSON contains sensitive data (client id and secret), you may instead choose to save the JSON in a file +and set the environment variable `SOCIALACCOUNT_PROVIDERS_FILE` to the path of the file containing the JSON. + +``` +SOCIALACCOUNT_PROVIDERS_FILE=/run/secrets/socialaccount_providers.txt +``` + !!! success "Improvements ?" There are most likely ways to achieve the same goal but with a cleaner or simpler system. If you know such a way feel free to let me know. @@ -81,7 +88,7 @@ SOCIALACCOUNT_PROVIDERS='{"openid_connect":{"APPS":[{"provider_id":"keycloak","n You are now able to sign in using Keycloak after a restart of the service. ### Linking accounts -To link an account to an already existing normal user go to the settings page of the user and link it. +To link an account to an already existing normal user go to the settings page of the user and link it. Here you can also unlink your account if you no longer want to use a social login method. ## LDAP @@ -111,7 +118,7 @@ AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem If you just set `REMOTE_USER_AUTH=1` without any additional configuration, _anybody_ can authenticate with _any_ username! !!! Info "Community Contributed Tutorial" - This tutorial was provided by a community member. We are not able to provide any support! Please only use, if you know what you are doing! + This tutorial was provided by a community member. We are not able to provide any support! Please only use, if you know what you are doing! In order use external authentication (i.e. using a proxy auth like Authelia, Authentik, etc.) you will need to: 
diff --git a/docs/system/configuration.md b/docs/system/configuration.md index 8325f3fcc7..e2f52d1468 100644 --- a/docs/system/configuration.md +++ b/docs/system/configuration.md @@ -354,7 +354,7 @@ SOCIAL_PROVIDERS = allauth.socialaccount.providers.github, allauth.socialaccount Allow authentication via the REMOTE-USER header (can be used for e.g. authelia). !!! danger - Leave off if you don't know what you are doing! Enabling this without proper configuration will enable anybody + Leave off if you don't know what you are doing! Enabling this without proper configuration will enable anybody to login with any username! ``` @@ -377,6 +377,14 @@ AUTH_LDAP_TLS_CACERTFILE= AUTH_LDAP_START_TLS= ``` +Instead of passing the LDAP password directly through the environment variable `AUTH_LDAP_BIND_PASSWORD`, +you can set the password in a file and set the environment variable `AUTH_LDAP_BIND_PASSWORD_FILE` +to the path of the file containing the ldap secret. + +``` +AUTH_LDAP_BIND_PASSWORD_FILE=/run/secrets/ldap_password.txt +``` + ### External Services #### Email @@ -396,6 +404,14 @@ EMAIL_USE_SSL=0 DEFAULT_FROM_EMAIL= ``` +Instead of passing the email password directly through the environment variable `EMAIL_HOST_PASSWORD`, +you can set the password in a file and set the environment variable `EMAIL_HOST_PASSWORD_FILE` +to the path of the file containing the ldap secret. + +``` +EMAIL_HOST_PASSWORD_FILE=/run/secrets/email_password.txt +``` + Optional settings (only copy the ones you need) ``` @@ -561,7 +577,7 @@ STICKY_NAV_PREF_DEFAULT=1 > default `100` - options: `0-X` -The default for the number of spaces a user can own. By setting to 0 space creation for users will be disabled. +The default for the number of spaces a user can own. By setting to 0 space creation for users will be disabled. Superusers can always bypass this limit. ``` 
@@ -586,7 +602,7 @@ TZ=Europe/Berlin #### Default Theme > default `0` - options `1-X` (space ID) -Tandoors appearance can be changed on a user and space level but unauthenticated users always see the tandoor default style. +Tandoors appearance can be changed on a user and space level but unauthenticated users always see the tandoor default style. With this setting you can specify the ID of a space of which the appearance settings should be applied if a user is not logged in. ``` @@ -633,7 +649,7 @@ DRF_THROTTLE_RECIPE_URL_IMPORT=60/hour #### Default Space Limits You might want to limit how many resources a user might create. The following settings apply automatically to newly -created spaces. These defaults can be changed in the admin view after a space has been created. +created spaces. These defaults can be changed in the admin view after a space has been created. If unset, all settings default to unlimited/enabled From 683f1ac10a01e077280a2c940dc39c77f895c502 Mon Sep 17 00:00:00 2001 From: Anders Obro Date: Sun, 24 Nov 2024 18:11:52 +0000 Subject: [PATCH 2/3] Translated using Weblate (Danish) Currently translated at 100.0% (570 of 570 strings) Translation: Tandoor/Recipes Frontend Translate-URL: http://translate.tandoor.dev/projects/tandoor/recipes-frontend/da/ --- vue/src/locales/da.json | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/vue/src/locales/da.json b/vue/src/locales/da.json index 623ae2d60c..c2ff16d54f 100644 --- a/vue/src/locales/da.json +++ b/vue/src/locales/da.json 
@@ -539,5 +539,34 @@
   "err_importing_recipe": "Der opstod en fejl under importeringen af opskriften!",
   "Properties_Food_Amount": "Egenskaber Ingrediens Mængde",
   "FDC_Search": "FDC søgning",
-  "Calculator": "Lommeregner"
+  "Calculator": "Lommeregner",
+  "Undo": "Fortryd",
+  "NoMoreUndo": "Ingen ændringer at fortryde.",
+  "Input": "Input",
+  "Delete_All": "Slet alle",
+  "CustomNavLogoHelp": "Upload et billede til brug som navigationsbarrelogo.",
+  "ShowRecentlyCompleted": "Vis nyligt gennemførte emner",
+  "ShoppingBackgroundSyncWarning": "Dårligt netværk, afventer synkronisering ...",
+  "CustomTheme": "Personaliseret tema",
+  "CustomThemeHelp": "Overskriv det valgte temas stil ved at uploade en personlig CSS-fil.",
+  "property_type_fdc_hint": "Kun egenskabstyper med et FDC ID kan automatisk trække data fra FDC databasen",
+  "Property_Editor": "Egenskabsredaktør",
+  "us_cup": "cup (US, volumen)",
+  "Show_Logo_Help": "Vis Tandoor eller område-logo i navigationsbarre.",
+  "Nav_Text_Mode": "Navigation textmodus",
+  "Nav_Text_Mode_Help": "Opfører sig forskelligt for hvert tema.",
+  "Shopping_input_placeholder": "Fx kartoffel/100 kartofler/100g kartofler",
+  "CustomImageHelp": "Upload et billede for at vise dets plade i område-oversigten.",
+  "CustomLogoHelp": "Upload kvadratiske billeder i forskellige størrelser for at ændre logoet i browser-faneblad og installeret web-app.",
+  "CustomLogos": "Personlige logoer",
+  "Updated": "Opdateret",
+  "Unchanged": "Uændret",
+  "Error": "Fejl",
+  "Logo": "Logo",
+  "Show_Logo": "Vis logo",
+  "Space_Cosmetic_Settings": "Visse kosmetiske indstillinger kan ændres af område-administratorer og vil overskrive klient-indstillinger for pågældende område.",
+  "Enable": "Aktiver",
+  "created_by": "Skabt af",
+  "Created": "Skabt",
+  "DefaultPage": "Startside"
 }

From e6087d5129cc9d0c24278948872377e66c2a2c20 Mon Sep 17 00:00:00 2001
From: vabene1111
Date: Tue, 26 Nov 2024 17:18:47 +0100
Subject: [PATCH 3/3] use Sandbox Environment to render templates

---
 cookbook/helper/template_helper.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cookbook/helper/template_helper.py b/cookbook/helper/template_helper.py
index 4db1f5bcb4..339a35d79e 100644
--- a/cookbook/helper/template_helper.py
+++ b/cookbook/helper/template_helper.py
@@ -3,6 +3,8 @@ import bleach
 import markdown as md
 from jinja2 import Template, TemplateSyntaxError, UndefinedError
+from jinja2.exceptions import SecurityError
+from jinja2.sandbox import SandboxedEnvironment
 from markdown.extensions.tables import TableExtension
 
 from cookbook.helper.mdx_attributes import MarkdownFormatExtension
@@ -89,11 +91,13 @@ def scale(number):
         return f""
 
     try:
-        template = Template(instructions)
-        instructions = template.render(ingredients=ingredients, scale=scale)
+        env = SandboxedEnvironment()
+        instructions = env.from_string(instructions).render(ingredients=ingredients, scale=scale)
     except TemplateSyntaxError:
         return _('Could not parse template code.') + ' Error: Template Syntax broken'
     except UndefinedError:
         return _('Could not parse template code.') + ' Error: Undefined Error'
+    except SecurityError:
+        return _('Could not parse template code.') + ' Error: Security Error'
 
     return instructions
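Review bot: `SandboxedEnvironment()` still lets a template call mutating methods on the objects handed to it (list.append and friends on `ingredients`); since these user-authored step templates only read data, the stricter `ImmutableSandboxedEnvironment` from the same module is the narrower default, `env = ImmutableSandboxedEnvironment()`. The sandbox also does not bound execution time or output size, so a step containing a very large `{% for %}` range can still occupy a worker; that residual risk deserves a comment above the `try:` such as `# sandboxed: blocks attribute/import escapes, not CPU-heavy templates — rely on request limits for that`. With the switch to `env.from_string`, `Template` in the `from jinja2 import` line of the first hunk looks unused; drop it if nothing else in the file references it. The enclosing function starts outside the hunk.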