diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..1750cd364
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+.git
+secmonkey.env
+boto.cfg
+.travis.yml
+#docs
+supervisor
+config-default.py
+generate-docs.py
diff --git a/.gitignore b/.gitignore
index 18a7937b3..2de573b06 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,8 @@
 devlog/
 venv/
 .idea/
+boto.cfg
+secmonkey.env
+*.crt
+*.key
+
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..5a4806779
--- /dev/null
+++ b/Dockerfile
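Review bot: `*.crt` and `*.key` are added to .gitignore in the next hunk but not to this .dockerignore, so a local docker/nginx/server.key sitting in the checkout is swept into the build context and copied into both images by their `ADD . /usr/local/src/security_monkey` lines, where it persists in an image layer. Adding `*.key` and `*.crt` here keeps the private key out of the images; the nginx compose service already bind-mounts the cert and key at run time, so nothing in the build needs them. `#docs` is a comment in .dockerignore syntax and excludes nothing, so either drop it or remove the `#` if the docs tree was meant to be left out.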
@@ -0,0 +1,44 @@
+
+# Copyright 2014 Netflix, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:14.04
+MAINTAINER Netflix Open Source Development
+
+ENV SECURITY_MONKEY_VERSION=v0.7.0 \
+ SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-docker.py
+
+RUN apt-get update &&\
+ apt-get -y -q install python-software-properties software-properties-common postgresql-9.3 postgresql-client-9.3 postgresql-contrib-9.3 curl &&\
+ apt-get install -y python-pip python-dev python-psycopg2 libffi-dev libpq-dev libyaml-dev libxml2-dev libxmlsec1-dev git sudo swig &&\
+ rm -rf /var/lib/apt/lists/*
+
+RUN cd /usr/local/src &&\
+# git clone --branch $SECURITY_MONKEY_VERSION https://github.com/Netflix/security_monkey.git
+ /bin/mkdir -p security_monkey
+ADD . /usr/local/src/security_monkey
+
+RUN cd /usr/local/src/security_monkey &&\
+ python setup.py install &&\
+ /bin/mkdir -p /var/log/security_monkey/
+
+RUN chmod +x /usr/local/src/security_monkey/docker/*.sh &&\
+ mkdir -pv /var/log/security_monkey &&\
+ /usr/bin/touch /var/log/security_monkey/securitymonkey.log
+ # ln -s /dev/stdout /var/log/security_monkey/securitymonkey.log
+
+WORKDIR /usr/local/src/security_monkey
+EXPOSE 5000
+
+ENTRYPOINT ["/usr/local/src/security_monkey/docker/api-start.sh"]
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..57d61f52a
--- /dev/null
+++ b/docker-compose.yml
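Review bot: No `USER` instruction follows the setup steps, so api-start.sh, scheduler-start.sh and everything else run from this image execute as root inside the container; adding a dedicated account before the ENTRYPOINT (`RUN useradd -r secmonkey && chown -R secmonkey /var/log/security_monkey` followed by `USER secmonkey`) limits what a compromised API process can do. Note that the init service in docker-compose.yml uses this same image and docker/api-init.sh calls `sudo -u postgres`, so that script (or an explicit `user:` on the init service) would need adjusting once the default user is non-root. `ADD .` should be `COPY .` — ADD's tar-extraction and URL behaviour is not wanted for a local context — and `SECURITY_MONKEY_VERSION` is only referenced by the commented-out `git clone`, so it is dead as written.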
@@ -0,0 +1,86 @@
+---
+
+###
+#
+# Documentation: http://securitymonkey.readthedocs.io/en/latest/index.html
+# http://securitymonkey.readthedocs.io/en/latest/docker.html
+#
+# shortcuts
+# open https://$(docker-machine active | xargs docker-machine ip)
+#
+###
+
+
+version: '2'
+services:
+ postgres:
+ container_name: secmonkey-db
+ image: postgres:9
+ # volumes:
+ # - ./postgres-data/:/var/lib/postgresql/data
+
+ api:
+ container_name: secmonkey-api
+ image: secmonkey:latest
+ volumes_from:
+ - init
+ depends_on:
+ - postgres
+ env_file: secmonkey.env
+ entrypoint: ["/usr/local/src/security_monkey/docker/api-start.sh"]
+
+ scheduler:
+ container_name: secmonkey-scheduler
+ image: secmonkey:latest
+ volumes_from:
+ - init
+ depends_on:
+ - api
+ env_file: secmonkey.env
+ entrypoint: ["/usr/local/src/security_monkey/docker/scheduler-start.sh"]
+
+ nginx:
+ container_name: secmonkey-nginx
+ build:
+ context: ./
+ dockerfile: ./docker/nginx/Dockerfile
+ image: secmonkey-nginx:latest
+ working_dir: /etc/nginx
+ volumes:
+ - ./docker/nginx/server.crt:/etc/nginx/ssl/server.crt
+ - ./docker/nginx/server.key:/etc/nginx/ssl/server.key
+ - ./docker/nginx/securitymonkey.conf:/etc/nginx/conf.d/securitymonkey.conf
+ - ./docker/nginx/start-nginx.sh:/usr/local/src/security_monkey/docker/nginx/start-nginx.sh
+ depends_on:
+ - api
+ ports:
+ - 80:80
+ - 443:443
+ links:
+ - api:smapi
+
+# volumes:
+# - postgres-data: {}
+
+### ### ###
+ ### ### ###
+
+ init:
+ container_name: init
+ build: .
+ image: secmonkey:latest
+ working_dir: /usr/local/src/security_monkey
+ volumes:
+ - ./data/aws_accounts.json:/usr/local/src/security_monkey/data/aws_accounts.json
+ - ./docker:/usr/local/src/security_monkey/docker/
+ - ./env-config/config-docker.py:/usr/local/src/security_monkey/env-config/config-docker.py
+ depends_on:
+ - postgres
+ env_file: secmonkey.env
+ # environment:
+ # - AWS_ACCESS_KEY_ID=
+ # - AWS_SECRET_ACCESS_KEY=
+ # - SECURITY_MONKEY_POSTGRES_HOST=
+ entrypoint: # /usr/local/src/security_monkey/docker/api-init.sh
+ - sleep
+ - 8h
diff --git a/docker/README.rst b/docker/README.rst
new file mode 100644
index 000000000..04d86b4e2
--- /dev/null
+++ b/docker/README.rst
@@ -0,0 +1,9 @@
+************************
+Docker local development
+************************
+
+Project resources
+=================
+
+- `Docker documentation `_
+- `Development documentation `_
diff --git a/docker/api-init.sh b/docker/api-init.sh
new file mode 100755
index 000000000..74bb8182f
--- /dev/null
+++ b/docker/api-init.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+sudo -u ${SECURITY_MONKEY_POSTGRES_USER:-postgres} psql\
+ -h ${SECURITY_MONKEY_POSTGRES_HOST:-postgres} -p ${SECURITY_MONKEY_POSTGRES_PORT:-5432}\
+ --command "ALTER USER ${SECURITY_MONKEY_POSTGRES_USER:-postgres} with PASSWORD '${SECURITY_MONKEY_POSTGRES_PASSWORD:-securitymonkeypassword}';"
+
+sudo -u ${SECURITY_MONKEY_POSTGRES_USER:-postgres} createdb\
+ -h ${SECURITY_MONKEY_POSTGRES_HOST:-postgres} -p ${SECURITY_MONKEY_POSTGRES_PORT:-5432}\
+ -O ${SECURITY_MONKEY_POSTGRES_USER:-postgres} ${SECURITY_MONKEY_POSTGRES_DATABASE:-secmonkey}
+
+mkdir -p /var/log/security_monkey/
+touch "/var/log/security_monkey/security_monkey-deploy.log"
+
+cd /usr/local/src/security_monkey
+python manage.py db upgrade
diff --git a/docker/api-start.sh b/docker/api-start.sh
new file mode 100755
index 000000000..d02689d4a
--- /dev/null
+++ b/docker/api-start.sh
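Review bot: The `postgres` service has no `environment` block, so `POSTGRES_PASSWORD` is never set; official postgres images of this vintage then start with passwordless (trust) access for the superuser — confirm for the `postgres:9` tag — which is presumably also why api-init.sh can run `psql -h postgres` with no credentials, and it means the password that script sets with ALTER USER is not actually enforced on network connections. Setting `POSTGRES_PASSWORD` on this service from the same value the api/scheduler use for `SECURITY_MONKEY_POSTGRES_PASSWORD` makes the database require credentials from the start and removes the need for the ALTER step. Separately, `depends_on` only orders container start, so `api` may reach `manage.py` before postgres accepts connections; a short retry in the start scripts or a healthcheck would cover that. The nginx service publishes `80:80`, and docker/nginx/securitymonkey.conf serves the application on that port without a redirect to 443 — see the note on that file.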
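Review bot: The ALTER USER statement splices `${SECURITY_MONKEY_POSTGRES_PASSWORD}` straight into a single-quoted SQL literal, so a password containing a quote breaks or changes the statement, and the plaintext value also shows up in the container's process list via `--command`; psql's variable interpolation avoids both — `psql -v pw="${SECURITY_MONKEY_POSTGRES_PASSWORD:-securitymonkeypassword}" ... --command "ALTER USER ... with PASSWORD :'pw';"`. The script has no `set -euo pipefail`, so a failed ALTER or createdb is ignored and `python manage.py db upgrade` runs regardless; adding `set -euo pipefail` under the shebang makes init failures visible. The default `securitymonkeypassword` is repeated here and in env-config/config-docker.py and the two can drift; the unquoted `${VAR:-default}` expansions should also be double-quoted.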
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd /usr/local/src/security_monkey
+python manage.py run_api_server -b 0.0.0.0:${SECURITY_MONKEY_API_PORT:-5000}
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
new file mode 100644
index 000000000..d888efc56
--- /dev/null
+++ b/docker/nginx/Dockerfile
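Review bot: `python manage.py run_api_server` is launched as a child of bash rather than with `exec`, so bash remains PID 1 in the container and a `docker stop` SIGTERM is not passed on to the server, which is then killed after the grace period instead of shutting down cleanly; `exec python manage.py run_api_server -b 0.0.0.0:${SECURITY_MONKEY_API_PORT:-5000}` fixes that. The same applies to docker/scheduler-start.sh in this commit. A `set -e` before the `cd` would also stop the server from being started from the wrong directory if the path is missing.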
@@ -0,0 +1,50 @@
+# Copyright 2014 Netflix, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM nginx:1.11.4
+MAINTAINER Netflix Open Source Development
+
+ENV SECURITY_MONKEY_VERSION=v0.7.0
+RUN apt-get update &&\
+ apt-get install -y curl git sudo apt-transport-https &&\
+ curl https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - &&\
+ curl https://storage.googleapis.com/download.dartlang.org/linux/debian/dart_stable.list > /etc/apt/sources.list.d/dart_stable.list && \
+ apt-get update &&\
+ apt-get install -y -q dart &&\
+ rm -rf /var/lib/apt/lists/*
+
+RUN cd /usr/local/src &&\
+# git clone -b $SECURITY_MONKEY_VERSION https://github.com/Netflix/security_monkey.git
+ mkdir -p security_monkey
+ADD . 
/usr/local/src/security_monkey
+
+RUN cd /usr/local/src/security_monkey/dart &&\
+ /usr/lib/dart/bin/pub get &&\
+ /usr/lib/dart/bin/pub build &&\
+ /bin/mkdir -p /usr/local/src/security_monkey/security_monkey/static/ &&\
+ /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/
+
+RUN /bin/rm /etc/nginx/conf.d/default.conf &&\
+ /bin/mkdir -p /var/log/security_monkey/ /etc/nginx/ssl/ &&\
+ ln -s /dev/stdout /var/log/security_monkey/security_monkey.access.log &&\
+ ln -s /dev/stderr /var/log/security_monkey/security_monkey.error.log
+
+WORKDIR /etc/nginx
+EXPOSE 443
+
+ADD docker/nginx/securitymonkey.conf /etc/nginx/conf.d/securitymonkey.conf
+COPY docker/nginx/nginx.conf /etc/nginx/nginx.conf
+# ADD docker/nginx/server.crt docker/nginx/server.key /etc/nginx/ssl/
+
+ENTRYPOINT ["/usr/local/src/security_monkey/docker/nginx/start-nginx.sh"]
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
new file mode 100644
index 000000000..7e0e29ff1
--- /dev/null
+++ b/docker/nginx/nginx.conf
@@ -0,0 +1,33 @@
+
+user nginx;
+worker_processes 1;
+daemon off;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/docker/nginx/securitymonkey.conf b/docker/nginx/securitymonkey.conf
new file mode 100644
index 000000000..75489d142
--- /dev/null
+++ b/docker/nginx/securitymonkey.conf
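Review bot: `ADD . /usr/local/src/security_monkey` copies the entire repository into the nginx image — env-config/config-docker.py with its database defaults, the Python source, and (since this commit's .dockerignore does not exclude `*.key`) any local docker/nginx/server.key — while the only thing nginx serves is the `dart/build/web` output copied into `security_monkey/static/`. `COPY dart /usr/local/src/security_monkey/dart` is enough for the `pub build` step and keeps secrets out of the edge container; the dart SDK itself also stays in the final image, so if the Docker version in use supports multi-stage builds the build step belongs in a builder stage. The `curl ... | apt-key add -` and `curl ... > dart_stable.list` calls run without `-f`/`-sS`, so a failed download feeds an error page to apt-key or the sources list instead of failing the build; `curl -fsSL` fixes that. This hunk's `ADD .` line is split across two page lines, presumably a rendering artifact.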
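Review bot: `server_tokens` is not set in the `http` block, so nginx 1.11.4 advertises its exact version in the `Server` header and on error pages; add `server_tokens off;` next to `sendfile on;`. Neither this file nor securitymonkey.conf sets `ssl_protocols` or `ssl_ciphers`, so the 1.11 defaults apply (TLSv1 through TLSv1.2 with the default cipher list); pinning `ssl_protocols TLSv1.2;` and a modern cipher suite here, where it covers every server block, is the usual place for it.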
@@ -0,0 +1,37 @@
+add_header X-Content-Type-Options "nosniff";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options "SAMEORIGIN";
+add_header Strict-Transport-Security "max-age=631138519";
+add_header Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;";
+
+server {
+ listen 0.0.0.0:80;
+ listen 0.0.0.0:443 ssl;
+ ssl_certificate /etc/nginx/ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+ access_log /var/log/security_monkey/security_monkey.access.log;
+ error_log /var/log/security_monkey/security_monkey.error.log;
+
+ location ~* ^/(reset|confirm|healthcheck|register|login|logout|api) {
+ proxy_read_timeout 120;
+ proxy_pass http://smapi:5000;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location /static {
+ rewrite ^/static/(.*)$ /$1 break;
+ root /usr/local/src/security_monkey/security_monkey/static;
+ index ui.html;
+ }
+
+ location / {
+ root /usr/local/src/security_monkey/security_monkey/static;
+ index ui.html;
+ }
+
+}
diff --git a/docker/nginx/start-nginx.sh b/docker/nginx/start-nginx.sh
new file mode 100755
index 000000000..efeed4d59
--- /dev/null
+++ b/docker/nginx/start-nginx.sh
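Review bot: `listen 0.0.0.0:80;` sits in the same `server` block as the TLS listener, so the whole application — login, the API and the static UI — is also served over plain HTTP on the port docker-compose.yml publishes as `80:80`, with no redirect; the `Strict-Transport-Security` header only takes effect on the HTTPS responses. Move port 80 into its own server block whose only directive is `return 301 https://$host$request_uri;`, leaving this block with the `443 ssl` listener alone. The proxied location forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but not the scheme; `proxy_set_header X-Forwarded-Proto $scheme;` lets the backend distinguish the two (whether security_monkey reads it I cannot tell from this diff). The regex `^/(reset|confirm|healthcheck|register|login|logout|api)` has no end anchor, so `/apis` or `/loginanything` are proxied as well — `^/(reset|confirm|healthcheck|register|login|logout|api)(/|$)` if only those paths are intended.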
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SECURITY_MONKEY_SSL_CERT=${SECURITY_MONKEY_SSL_CERT:-/etc/nginx/ssl/server.crt}
+SECURITY_MONKEY_SSL_KEY=${SECURITY_MONKEY_SSL_KEY:-/etc/nginx/ssl/server.key}
+
+if [ ! -f "$SECURITY_MONKEY_SSL_CERT" ] || [ ! -f "$SECURITY_MONKEY_SSL_KEY" ]; then
+ # Fail if SSL is unavailable
+ echo "$(date) Error: Missing files required for SSL"
+ # exit 1
+ sed -i.bak 's@.*ssl@# &@' /etc/nginx/conf.d/securitymonkey.conf &&\
+ echo "$(date) Warn: Disabled ssl in securitymonkey.conf"
+fi
+
+exec nginx
diff --git a/docker/scheduler-start.sh b/docker/scheduler-start.sh
new file mode 100755
index 000000000..0f70228f1
--- /dev/null
+++ b/docker/scheduler-start.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+mkdir -p /var/log/security_monkey
+touch /var/log/security_monkey/security_monkey-deploy.log
+
+cd /usr/local/src/security_monkey
+python manage.py start_scheduler
diff --git a/docs/docker.rst b/docs/docker.rst
new file mode 100644
index 000000000..6e0844fd2
--- /dev/null
+++ b/docs/docker.rst
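Review bot: The missing-certificate branch prints "Error" but then comments out every `ssl` line and starts nginx anyway, so a mis-mounted server.key silently turns the deployment into plain HTTP on port 80 — the `# Fail if SSL is unavailable` comment and the commented-out `exit 1` show that failing closed was the original intent. Restore `exit 1` and drop the `sed` fallback; if an HTTP-only mode is wanted for development, make it an explicit opt-in variable rather than the side effect of a missing file. As written, `sed -i.bak 's@.*ssl@# &@'` also matches any line containing the substring `ssl`, not just the TLS directives, and because docker-compose.yml bind-mounts securitymonkey.conf from `./docker/nginx`, the in-place edit and the `.bak` copy land in the developer's checkout. With `exit 1` back, the `&&\` continuation and the second echo go away too.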
@@ -0,0 +1,51 @@
+Docker Instructions
+===================
+
+The docker-compose.yml file describes the SecurityMonkey environment. This is intended for local development with the intention of deploying SecurityMonkey containers with a Docker Orchestration tool like Kubernetes.
+
+The Dockerfile builds SecurityMonkey into a container with several different entrypoints. These are for the different responsibilities SecurityMonkey has.
+Also, the docker/nginx/Dockerfile file is used to build an NGINX container that will front the API, serve the static assets, and provide TLS.
+
+Quick Start:
+------------
+ Define your specific settings in **secmonkey.env** file. For example, this file will look like::
+
+ AWS_ACCESS_KEY_ID=
+ AWS_SECRET_ACCESS_KEY=
+ SECURITY_MONKEY_POSTGRES_HOST=postgres
+ SECURITY_MONKEY_FQDN=192.168.99.100
+
+ $ docker-compose build
+ ``this will locally build all the containers necessary``
+
+ $ docker-compose up -d postgres
+ ``this will start the database container``
+
+ $ docker-compose up -d init
+ ``this will start a container in which you canuse to setup the database, create users, and other manual configurations, see the below section for more info``
+
+ $ docker-compose up
+ ``this will bring up the remaining containers (scheduler and nginx)``
+
+Commands:
+---------
+
+ $ docker-compose build ``[api | scheduler | nginx | init]``
+
+ $ docker-compose up -d ``[postgres | api | scheduler | nginx | init]``
+
+More Info:
+----------
+::
+
+ $ docker-compose up -d init
+
+The init container is where the SecurityMonkey code is available for you to run manual configurations such as::
+
+ $ python manage.py create_user admin@example.com Admin
+
+and/or::
+
+ $ python manage.py add_account --number $account --name $name -r SecurityMonkey
+
+The init container provides a sandbox and is useful for local development. It is not required otherwise.
diff --git a/docs/quickstart.rst b/docs/quickstart.rst
index 9bf174f3a..6a02937fe 100644
--- a/docs/quickstart.rst +++ b/docs/quickstart.rst @@ -8,6 +8,8 @@ Docker Images Before we start, consider following the `docker instructions `_ . Docker helps simplify the process to get up and running. The docker images are not currently ready for production use, but are good enough to get up and running with an instance of security_monkey. +Local `docker instructions <./docker.html>`_ + Not into the docker thing? Keep reading. Setup IAM Roles diff --git a/env-config/config-docker.py b/env-config/config-docker.py new file mode 100644 index 000000000..20127e133 --- /dev/null +++ b/env-config/config-docker.py 
@@ -0,0 +1,253 @@ +# Copyright 2014 Netflix, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# Insert any config items here. +# This will be fed into Flask/SQLAlchemy inside security_monkey/__init__.py + +import os + + +def env_to_bool(input): + """ + Must change String from environment variable into Boolean + defaults to True + """ + if isinstance(input, str): + if input == 'False': + return False + else: + return True + else: + return input + + +LOG_CFG = { + 'version': 1, + 'disable_existing_loggers': False, + 'formatters': { + 'standard': { + 'format': '%(asctime)s %(levelname)s: %(message)s ' + '[in %(pathname)s:%(lineno)d]' + } + }, + 'handlers': { + 'file': { + 'class': 'logging.handlers.RotatingFileHandler', + 'level': 'DEBUG', + 'formatter': 'standard', + 'filename': '/var/log/security_monkey/securitymonkey.log', + 'maxBytes': 10485760, + 'backupCount': 100, + 'encoding': 'utf8' + }, + 'console': { + 'class': 'logging.StreamHandler', + 'level': 'DEBUG', + 'formatter': 'standard', + 'stream': 'ext://sys.stdout' + } + }, + 'loggers': { + 'security_monkey': { + 'handlers': ['console'], + 'level': os.getenv('SM_CONSOLE_LOG_LEVEL', 'DEBUG') + }, + 'apscheduler': { + 'handlers': ['console'], + 'level': os.getenv('SM_APPSCHEDULER_LOG_LEVEL', 'INFO') + } + } +} + +SQLALCHEMY_DATABASE_URI = 'postgresql://%s:%s@%s:%d/%s' % ( + os.getenv('SECURITY_MONKEY_POSTGRES_USER', 'postgres'), + os.getenv('SECURITY_MONKEY_POSTGRES_PASSWORD', 'securitymonkeypassword'), + 
os.getenv('SECURITY_MONKEY_POSTGRES_HOST', 'localhost'), + os.getenv('SECURITY_MONKEY_POSTGRES_PORT', 5432), + os.getenv('SECURITY_MONKEY_POSTGRES_DATABASE', 'secmonkey') +) + +# print postgres +# print SQLALCHEMY_DATABASE_URI + +SQLALCHEMY_POOL_SIZE = 50 +SQLALCHEMY_MAX_OVERFLOW = 15 +ENVIRONMENT = 'ec2' +USE_ROUTE53 = False +FQDN = os.getenv('SECURITY_MONKEY_FQDN', 'ec2-XX-XXX-XXX-XXX.compute-1.amazonaws.com') +API_PORT = '5000' +WEB_PORT = '443' +WEB_PATH = '/static/ui.html' +FRONTED_BY_NGINX = True +NGINX_PORT = '443' +BASE_URL = 'https://{}/'.format(FQDN) + +SECRET_KEY = '' + +MAIL_DEFAULT_SENDER = os.getenv('SECURITY_MONKEY_EMAIL_DEFAULT_SENDER', 'securitymonkey@example.com') +SECURITY_REGISTERABLE = True +SECURITY_CONFIRMABLE = False +SECURITY_RECOVERABLE = False +SECURITY_PASSWORD_HASH = 'bcrypt' +SECURITY_PASSWORD_SALT = '' +SECURITY_TRACKABLE = True + +SECURITY_POST_LOGIN_VIEW = BASE_URL +SECURITY_POST_REGISTER_VIEW = BASE_URL +SECURITY_POST_CONFIRM_VIEW = BASE_URL +SECURITY_POST_RESET_VIEW = BASE_URL +SECURITY_POST_CHANGE_VIEW = BASE_URL + +# This address gets all change notifications (i.e. 'securityteam@example.com') +SECURITY_TEAM_EMAIL = os.getenv('SECURITY_MONKEY_SECURITY_TEAM_EMAIL', []) + +# These are only required if using SMTP instead of SES +EMAILS_USE_SMTP = env_to_bool(os.getenv('SECURITY_MONKEY_SMTP', True)) # Otherwise, Use SES +SES_REGION = os.getenv('SECURITY_MONKEY_SES_REGION', 'us-east-1') +MAIL_SERVER = os.getenv('SECURITY_MONKEY_EMAIL_SERVER', 'smtp.example.com') +MAIL_PORT = 465 +MAIL_USE_SSL = True +MAIL_USERNAME = os.getenv('SECURITY_MONKEY_EMAIL_USERNAME', 'username') +MAIL_PASSWORD = os.getenv('SECURITY_MONKEY_EMAIL_PASSWORD', 'password') + +WTF_CSRF_ENABLED = env_to_bool(os.getenv('SM_WTF_CSRF_ENABLED', True)) +# Checks Referer Header. Set to False for API access. 
+WTF_CSRF_SSL_STRICT = env_to_bool(os.getenv('SM_WTF_CSRF_SSL_STRICT', True)) +WTF_CSRF_METHODS = ['DELETE', 'POST', 'PUT', 'PATCH'] + +# "NONE", "SUMMARY", or "FULL" +SECURITYGROUP_INSTANCE_DETAIL = 'FULL' + +# Threads used by the scheduler. +# You will likely need at least one core thread for every account being monitored. +CORE_THREADS = 25 +MAX_THREADS = 30 + +# SSO SETTINGS: +ACTIVE_PROVIDERS = [] # "ping", "google" or "onelogin" + +PING_NAME = '' # Use to override the Ping name in the UI. +PING_REDIRECT_URI = "{BASE}api/1/auth/ping".format(BASE=BASE_URL) +PING_CLIENT_ID = '' # Provided by your administrator +PING_AUTH_ENDPOINT = '' # Often something ending in authorization.oauth2 +PING_ACCESS_TOKEN_URL = '' # Often something ending in token.oauth2 +PING_USER_API_URL = '' # Often something ending in idp/userinfo.openid +PING_JWKS_URL = '' # Often something ending in JWKS +PING_SECRET = '' # Provided by your administrator + +GOOGLE_CLIENT_ID = '' +GOOGLE_AUTH_ENDPOINT = '' +GOOGLE_SECRET = '' + +ONELOGIN_APP_ID = '' # OneLogin App ID provider by your administrator +ONELOGIN_EMAIL_FIELD = 'User.email' # SAML attribute used to provide email address +ONELOGIN_DEFAULT_ROLE = 'View' # Default RBAC when user doesn't already exist +ONELOGIN_HTTPS = True # If using HTTPS strict mode will check the requests are HTTPS +ONELOGIN_SETTINGS = { + # If strict is True, then the Python Toolkit will reject unsigned + # or unencrypted messages if it expects them to be signed or encrypted. + # Also it will reject the messages if the SAML standard is not strictly + # followed. Destination, NameId, Conditions ... are validated too. + "strict": True, + + # Enable debug mode (outputs errors). + "debug": True, + + # Service Provider Data that we are deploying. + "sp": { + # Identifier of the SP entity (must be a URI) + "entityId": "{BASE}metadata/".format(BASE=BASE_URL), + # Specifies info about where and how the message MUST be + # returned to the requester, in this case our SP. 
+ "assertionConsumerService": { + # URL Location where the from the IdP will be returned + "url": "{BASE}api/1/auth/onelogin?acs".format(BASE=BASE_URL), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports this endpoint for the + # HTTP-POST binding only. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + }, + # If you need to specify requested attributes, set a + # attributeConsumingService. nameFormat, attributeValue and + # friendlyName can be omitted + #"attributeConsumingService": { + # "ServiceName": "SP test", + # "serviceDescription": "Test Service", + # "requestedAttributes": [ + # { + # "name": "", + # "isRequired": False, + # "nameFormat": "", + # "friendlyName": "", + # "attributeValue": "" + # } + # ] + #}, + # Specifies info about where and how the message MUST be + # returned to the requester, in this case our SP. + "singleLogoutService": { + # URL Location where the from the IdP will be returned + "url": "{BASE}api/1/auth/onelogin?sls".format(BASE=BASE_URL), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports the HTTP-Redirect binding + # only for this endpoint. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + # Specifies the constraints on the name identifier to be used to + # represent the requested subject. + # Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported. + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + # Usually x509cert and privateKey of the SP are provided by files placed at + # the certs folder. But we can also provide them with the following parameters + "x509cert": "", + "privateKey": "" + }, + + # Identity Provider Data that we want connected with our SP. + "idp": { + # Identifier of the IdP entity (must be a URI) + "entityId": "https://app.onelogin.com/saml/metadata/{APP_ID}".format(APP_ID=ONELOGIN_APP_ID), + # SSO endpoint info of the IdP. 
(Authentication Request protocol) + "singleSignOnService": { + # URL Target of the IdP where the Authentication Request Message + # will be sent. + "url": "https://app.onelogin.com/trust/saml2/http-post/sso/{APP_ID}".format(APP_ID=ONELOGIN_APP_ID), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports the HTTP-Redirect binding + # only for this endpoint. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + # SLO endpoint info of the IdP. + "singleLogoutService": { + # URL Location of the IdP where SLO Request will be sent. + "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/{APP_ID}".format(APP_ID=ONELOGIN_APP_ID), + # SAML protocol binding to be used when returning the + # message. OneLogin Toolkit supports the HTTP-Redirect binding + # only for this endpoint. + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + # Public x509 certificate of the IdP + "x509cert": "" + } +} + +from datetime import timedelta +PERMANENT_SESSION_LIFETIME=timedelta(minutes=60) +SESSION_REFRESH_EACH_REQUEST=True +SESSION_COOKIE_SECURE=True +SESSION_COOKIE_HTTPONLY=True +PREFERRED_URL_SCHEME='https' + +REMEMBER_COOKIE_DURATION=timedelta(minutes=60) # Can make longer if you want remember_me to be useful. +REMEMBER_COOKIE_SECURE=True +REMEMBER_COOKIE_HTTPONLY=True
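Review bot: `SECRET_KEY = ''` and `SECURITY_PASSWORD_SALT = ''` ship as empty strings in the settings file the Dockerfile selects through `SECURITY_MONKEY_SETTINGS`, so every container built from this image signs sessions with an empty key and feeds an empty salt into password hashing unless someone edits the file — Flask either refuses to create sessions on an empty SECRET_KEY or, where it is accepted, issues cookies anyone can forge. Read both from the environment with no fallback, `SECRET_KEY = os.environ['SECURITY_MONKEY_SECRET_KEY']` and `SECURITY_PASSWORD_SALT = os.environ['SECURITY_MONKEY_PASSWORD_SALT']`, so a missing value fails at startup rather than going unnoticed. `SQLALCHEMY_DATABASE_URI` formats the port with `%d`, but `os.getenv('SECURITY_MONKEY_POSTGRES_PORT', 5432)` returns a `str` whenever the variable is set, which raises TypeError at import — use `int(os.getenv('SECURITY_MONKEY_POSTGRES_PORT', 5432))`. `SECURITY_REGISTERABLE = True` with `SECURITY_CONFIRMABLE = False` lets anyone who can reach the nginx-proxied `/register` route create an account; presumably intended for local development, but it deserves a comment and an env override like the other flags. `env_to_bool` only recognises the exact string `'False'`, so `SECURITY_MONKEY_SMTP=false`, `no` or `0` all stay True; `return input.strip().lower() not in ('false', '0', 'no')` for the str branch is more predictable.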