From c49192a6d77619a3674b5133b2406677f7eda520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20Enrique=20G=C3=B3mez=20G=C3=B3mez?=
Date: Thu, 28 Jul 2022 22:49:18 +0000
Subject: [PATCH] Minor adjustments for prototype
---
 README.md | 40 ++++++++++++++++++++++++++++++++++++++++
 main.py | 11 ++++++-----
 requirements.txt | 7 +++++++
 3 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index abdd26b..8af33ae 100644
--- a/README.md
+++ b/README.md
@@ -31,3 +31,43 @@ Add this code to the nginx configuration file for the virtual host:
 }
 ```
+## Decided, pending to be done
+
+* Create a separate group in LDAP for non-Workspace users
+* Change **Google Cloud Directory Sync** configuration to skip users in this
+ group
+* List all non-Workspace users with access to Odoo and create them in LDAP
+
+## To be decided
+
+* The Flask app will be installed in a central container? or a separate
+ instance on every Raspberry Pi display?
+* If every display has an instance, how to prevent direct connections
+ to it, that bypass Authelia?
+* Different QR codes pointing to different URLs (perhaps with the same
+ UUID?) for entrance/exit, very clearly labeled.
+* How to allow the display to show the main screen without having to
+ login to Authelia? (remember that the Authelia registration cookie
+ expires every month), and still requiring login for everyone else?
+* How to prevent users from accessing the main page and displaying the QR code?
+ Perhaps using a separate attendance-checking domain?
+
+### Odoo login: OIDC or LDAP?
+
+* Install [OIDC module][1] in Odoo to allow access and login via Authelia
+* Configure Authelia to require password from users in this LDAP group
+ when accessing Odoo.
+* Change nginx configuration in Odoo server to force users to go through
+ Authelia (internal connections will be allowed using the _bypass_ option
+ in Authelia; non-Workspace users who have logged into Authelia will be able
+ to login to Odoo using one click).
+
+* Another option is to install the LDAP authentication module in Odoo,
+ and allow users to enter their username and password, instead of their
+ personal Google account (not sure if it's possible), or a manually
+ assigned password. The user would login twice in this scenario:
+ once to Authelia for their attendance registration, and again in
+ Odoo (using the same user and password).
+
+[1]: https://pypi.org/project/odoo14-addon-auth-oidc/
+
diff --git a/main.py b/main.py
index 31a771e..bcde793 100755
--- a/main.py
+++ b/main.py
@@ -34,9 +34,11 @@ def show_qr_and_list():
 data = conn.execute('SELECT * FROM hits ORDER BY id DESC LIMIT 10').fetchall()
 conn.close()
- # TODO: next_ uuid should be in global state, to verify it when it's received
+ # TODO: store next_uuid in a queue, and remove it once it's used. Accept only ids
+ # from the queue
+ next_uuid = uuid.uuid1()
 return render_template("template.html",
- next_uuid=str(uuid.uuid1()),
+ next_uuid=str(next_uuid),
 hits=data)
 @app.route('/')
@@ -49,11 +51,10 @@ def catch_uuids(id):
 conn = get_db_connection()
 existing = conn.execute(
 'SELECT * FROM hits WHERE uuid = ?', (str(id),)).fetchone()
- existing = False # Temporary, for easier development
- if id.fields[5] != uuid.getnode():
- error = 'DIFFERENT_NODE'
 if not ua:
 error = 'NO_USERNAME'
+ elif id.fields[5] != uuid.getnode():
+ error = 'DIFFERENT_NODE'
 elif existing:
 error = 'ALREADY_USED'
 else:
diff --git a/requirements.txt b/requirements.txt
index a27bddb..acb6733 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,10 +1,17 @@
+bidict==0.22.0
 click==8.1.3
 Flask==2.1.3
 Flask-QRcode==3.1.0
+Flask-SocketIO==5.2.0
 Flask-UUID==0.2
+h11==0.13.0
 itsdangerous==2.1.2
 Jinja2==3.1.2
 MarkupSafe==2.1.1
 Pillow==9.2.0
+python-engineio==4.3.3
+python-socketio==5.7.1
 qrcode==7.3.1
+simple-websocket==0.7.0
 Werkzeug==2.2.1
+wsproto==1.1.0
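Review bot: `next_uuid = uuid.uuid1()` derives the token from the wall clock, the host's MAC (`uuid.getnode()`) and a clock sequence, so it is an identifier, not an unguessable secret; every QR already shown and, presumably, the `hits` rows rendered by the template (the table has a `uuid` column per the query in catch_uuids) expose those inputs. That also means the `DIFFERENT_NODE` comparison added in the next hunk of catch_uuids checks a public value rather than proving the id was issued by this app. Until the queue the TODO describes exists, the id would be safer as `uuid.uuid4()` (or `secrets.token_urlsafe()`) validated against the server-side set of issued ids, at which point the node check has to be dropped or replaced. I would record the limitation next to the TODO: `# NOTE: uuid1 is time/MAC based and predictable; without the issued-id store, receiving one proves nothing`. show_qr_and_list starts before this hunk.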
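Review bot: The reordered chain in catch_uuids accepts an id of any age, because nothing compares the uuid1's embedded timestamp with now; an id issued earlier stays valid until it is used once, and the node check does not bound that window. `id.time` already carries the 100-ns Gregorian-epoch timestamp, so a check such as `elif (time.time_ns() // 100 + 0x01B21DD213814000) - id.time > MAX_AGE_100NS: error = 'EXPIRED'` placed before `elif existing:` would close it (assuming `time` is imported; `MAX_AGE_100NS` is a placeholder constant to define). Separately, the SELECT that sets `existing` and the insert that presumably follows are not atomic, so `ALREADY_USED` is only reliable if `hits.uuid` carries a UNIQUE constraint and the insert's integrity error is handled; the insert is outside this hunk. catch_uuids starts before and continues after this hunk.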