Commit ecff9e9f authored by David Seaward

update license (switch to AGPL-3.0+)

* include links to code
* clean up README, COPYING and associated files
parent 65a4fa72
This diff is collapsed.
Purist account manager
======================
Purist services middleware
==========================
A Django site for account registration and management for Purist
services. In particular, user registration creates an LDAP user,
which is used for authentication by other services.
[project] | [code] | [tracker] | *snippets*
Expects to be hosted at <https://example.com>
A middleware application for managing Purist accounts and services,
including resource management and user-facing registration. Account
registration creates an LDAP user, which is used for authentication by
other services.
Follows an opinionated installation process (specifically expecting
one-instance-per-server), but also includes a number of configuration
options.
[project]: https://plan.puri.st/module/middleware
[code]: https://code.puri.sm/purist/middleware
[tracker]: https://code.puri.sm/purist/middleware/issues
[snippets]: https://code.puri.sm/purist/snippets/src/master/middleware
Prerequisites
-------------
* Debian 8
* Python 3.4 or 3.5
* Debian 9
* Python 3.5
* Django 1.11 (included in Python packages below)
* Nginx
* RabbitMQ server
* Accessible at `amqp://guest:guest@localhost:5672//`
* Must be accessible at `amqp://guest:guest@localhost:5672//`
* This can be achieved with just `apt install rabbitmq-server`
* Additional dependency packages:
* `libsasl2-dev`
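Review bot: the RabbitMQ prerequisite now reads "Must be accessible at `amqp://guest:guest@localhost:5672//`", which writes the broker's default `guest` account into the documented install. That is only acceptable because RabbitMQ limits `guest` to loopback connections by default, so I would add a line saying the broker must stay bound to localhost, or make the broker URL configurable so a dedicated user can be used. Separately, `[snippets]:` is defined in the link list but the link bar renders `*snippets*` as emphasis, so that definition is never used.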
......@@ -32,131 +42,29 @@ Prerequisites
* LDAP database
* WooCommerce instance (REST API)
* SSH access to an OpenVPN server with `create_new_ovpn_config`
* The Nginx user (`www-data`) needs SSH access to the server
* Typically, the Nginx user (`www-data`) will need SSH access
* Test with `sudo -u www-data ssh -p PORT REMOTE_USER@HOSTNAME`
* The user needing access can be changed in `purist_account_monitor.conf`
Other versions and alternatives may work but are untested.
Setup
-----
* Install Debian packages (`apt install libsasl2-dev libldap2-dev...`)
* Create installation folders:
* `/opt/purist/account/` (code)
* `/opt/purist/account_virtualenv/` (Python environment)
* `/etc/opt/purist/account/` (configuration)
* `/var/opt/purist/account/static/` (data and static web files)
* `/var/log/purist/account/` (logs)
* Populate brand data (if it doesn't already exist):
* Create `/var/opt/purist/brand/` (shared data and static web files)
* Populate `brand` folder
* `chown --recursive www-data:www-data /var/opt/purist`
* Copy project code:
* Copy code into `/opt/purist/account/`
* `chown --recursive www-data:www-data /opt/purist`
* Set up virtualenv:
* Create virtualenv (`virtualenv /opt/purist/account_virtualenv --python=python3`)
* `cd /opt/purist/account`
* Activate virtualenv (`source ../account_virtualenv/bin/activate`)
* Install Python packages (`pip install --requirement requires/requirements.txt`)
* Confirm packages by comparing `pip freeze` output with `requires/requirements.txt`
* Deactivate virtualenv (`deactivate`)
* Complete Django settings:
* `cp ./conf/etc/config.ini /etc/opt/purist/account/`
* `cp ./conf/etc/secret.ini /etc/opt/purist/account/`
* Fill in settings
* Run initial setup:
* Activate virtualenv (`source ../account_virtualenv/bin/activate`)
* `./manage.py collectstatic`
* `./manage.py migrate`
* `./manage.py createsuperuser`
* When prompted, enter the credentials of your LDAP superuser /
account manager
* Deactivate virtualenv (`deactivate`)
* Hook up Nginx:
* `cp ./config/nginx/purist_account /etc/nginx/available_sites/`
* Update `server_name` value
* `cd /etc/nginx/sites-enabled`
* `ln --symbolic ../sites-available/purist_account`
* Hook up uWSGI:
* `sudo apt install uwsgi uwsgi-emperor uwsgi-plugin-python3`
* `cp ./conf/uwsgi_emperor_vassals/purist_account.ini /etc/uwsgi-emperor/vassals/`
* Hook up Supervisor (supervisord):
* `sudo apt install supervisor`
* `cp ./conf/supervisord/purist_account_monitor.conf /etc/supervisor/conf.d/`
* Restart services:
* `sudo service rabbitmq-server restart`
* `sudo service uwsgi-emperor restart`
* `sudo service nginx restart`
* `sudo service supervisor restart`
* Check logs:
* `/var/log/uwsgi/emperor.log`
* `/var/log/uwsgi/app/purist_account.log`
* `/var/log/nginx/error.log`
* `/var/log/nginx/access.log`
* `/var/log/supervisor/supervisord.log`
* `/var/log/purist/account/beat.log`
For more options and details see
<https://docs.djangoproject.com/en/1.11/#the-development-process>
Update
------
* Stop site
* Update packages with `apt update && apt upgrade`
* Update code in `/opt/purist/account/`
* Update settings in `/etc/opt/purist/account/`
* Update virtualenv:
* Activate virtualenv (`./bin/activate.py`)
* Update Python packages (`pip install --requirement requires/requirements.txt`)
* Do not use `pip install --update` as this will not respect requirements
* Update site:
* Run `./manage.py collectstatic`
* Run `./manage.py migrate` (see **Migrations** below)
* Start site
Migrations
----------
This is a workaround for [django-ldapdb issue #155](https://github.com/django-ldapdb/django-ldapdb/issues/115).
If you need to make a new migration:
* Open `ldapregister.0003_ldapgroup_ldapperson`
* Switch `LdapGroup.cn` and `LdapPerson.uid` from non-primary to primary
* Run `makemigrations`
* Switch `LdapGroup.cn` and `LdapPerson.uid` back to non-primary
* If you have just added a new LDAP table, switch `NewTable.key` to
non-primary too
* Run `migrate`
You only need to do this when creating new migrations (`makemigrations`)
not when running existing migrations (`migrate`).
Usage
-----
* Start Django site as system service, or with `./manage.py runserver`
* Install by following the instructions [SETUP.md](SETUP.md) to install.
* Start Django site as a system service, or with `./manage.py runserver`
* Visit <https://example.com/account> and follow login and/or
registration links
registration links.
Sharing
-------
Purist account manager, for registration and account management <br />
Purist services middleware <br />
Copyright 2017 Purism SPC and contributors <br />
SPDX-License-Identifier: GPL-3.0+
Shared under GPLv3-or-later, see [COPYING.md](COPYING.md) for details.
Contributions under the same terms are welcome.
SPDX-License-Identifier: AGPL-3.0+
Also includes code portions from:
Shared under AGPLv3-or-later, see [COPYING.AGPL.md](COPYING.AGPL.md)
for details. Contributions under the same terms are welcome.
* https://github.com/RatanShreshtha/django-registration-templates
(Copyright 2015 Anders Hofstee and contributors, Expat/MIT)
* https://github.com/asyd/pyldap_orm/blob/master/pyldap_orm/controls.py
(Copyright 2016 Bruno Bonfils, Apache 2.0)
* https://github.com/celery/celery/blob/master/extra/supervisord/celerybeat.conf
(Copyright 2009-2012, 2015-2016 Ask Solem and contributors, 2012-2014 GoPivotal, Inc, BSD 3-Clause)
Contributions and license notices from other sources are listed in
[COPYING.md](COPYING.md)
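Review bot: in the OpenVPN prerequisite the wording changes from "needs SSH access to the server" to "Typically ... will need SSH access", but nothing says how narrow that access should be. Since the web server user (`www-data`) holds a key to the VPN host, the README should state that the remote account is limited to running `create_new_ovpn_config` (for example through a forced command on that key) and is not a general login. Also, the new Usage line "Install by following the instructions [SETUP.md](SETUP.md) to install." repeats itself; "Install by following [SETUP.md](SETUP.md)." is enough.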
Setup
-----
* Install Debian packages (`apt install libsasl2-dev libldap2-dev...`)
* Create installation folders:
* `/opt/purist/account/` (code)
* `/opt/purist/account_virtualenv/` (Python environment)
* `/etc/opt/purist/account/` (configuration)
* `/var/opt/purist/account/static/` (data and static web files)
* `/var/log/purist/account/` (logs)
* Populate brand data (if it doesn't already exist):
* Create `/var/opt/purist/brand/` (shared data and static web files)
* Populate `brand` folder
* `chown --recursive www-data:www-data /var/opt/purist`
* Copy project code:
* Copy code into `/opt/purist/account/`
* `chown --recursive www-data:www-data /opt/purist`
* Set up virtualenv:
* Create virtualenv (`virtualenv /opt/purist/account_virtualenv --python=python3`)
* `cd /opt/purist/account`
* Activate virtualenv (`source ../account_virtualenv/bin/activate`)
* Install Python packages (`pip install --requirement requires/requirements.txt`)
* Confirm packages by comparing `pip freeze` output with `requires/requirements.txt`
* Deactivate virtualenv (`deactivate`)
* Complete Django settings:
* `cp ./conf/etc/config.ini /etc/opt/purist/account/`
* `cp ./conf/etc/secret.ini /etc/opt/purist/account/`
* Fill in settings
* Run initial setup:
* Activate virtualenv (`source ../account_virtualenv/bin/activate`)
* `./manage.py collectstatic`
* `./manage.py migrate`
* `./manage.py createsuperuser`
* When prompted, enter the credentials of your LDAP superuser /
account manager
* Deactivate virtualenv (`deactivate`)
* Hook up Nginx:
* `cp ./config/nginx/purist_account /etc/nginx/available_sites/`
* Update `server_name` value
* `cd /etc/nginx/sites-enabled`
* `ln --symbolic ../sites-available/purist_account`
* Hook up uWSGI:
* `sudo apt install uwsgi uwsgi-emperor uwsgi-plugin-python3`
* `cp ./conf/uwsgi_emperor_vassals/purist_account.ini /etc/uwsgi-emperor/vassals/`
* Hook up Supervisor (supervisord):
* `sudo apt install supervisor`
* `cp ./conf/supervisord/purist_account_monitor.conf /etc/supervisor/conf.d/`
* Restart services:
* `sudo service rabbitmq-server restart`
* `sudo service uwsgi-emperor restart`
* `sudo service nginx restart`
* `sudo service supervisor restart`
* Check logs:
* `/var/log/uwsgi/emperor.log`
* `/var/log/uwsgi/app/purist_account.log`
* `/var/log/nginx/error.log`
* `/var/log/nginx/access.log`
* `/var/log/supervisor/supervisord.log`
* `/var/log/purist/account/beat.log`
For more options and details see
<https://docs.djangoproject.com/en/1.11/#the-development-process>
Update
------
* Stop site
* Update packages with `apt update && apt upgrade`
* Update code in `/opt/purist/account/`
* Update settings in `/etc/opt/purist/account/`
* Update virtualenv:
* Activate virtualenv (`./bin/activate.py`)
* Update Python packages (`pip install --requirement requires/requirements.txt`)
* Do not use `pip install --update` as this will not respect requirements
* Update site:
* Run `./manage.py collectstatic`
* Run `./manage.py migrate` (see **Migrations** below)
* Start site
Migrations
----------
This is a workaround for [django-ldapdb issue #155](https://github.com/django-ldapdb/django-ldapdb/issues/115).
If you need to make a new migration:
* Open `ldapregister.0003_ldapgroup_ldapperson`
* Switch `LdapGroup.cn` and `LdapPerson.uid` from non-primary to primary
* Run `makemigrations`
* Switch `LdapGroup.cn` and `LdapPerson.uid` back to non-primary
* If you have just added a new LDAP table, switch `NewTable.key` to
non-primary too
* Run `migrate`
You only need to do this when creating new migrations (`makemigrations`)
not when running existing migrations (`migrate`).
Usage
-----
See [README.md](README.md)
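Review bot: the Nginx step copies the site file to `/etc/nginx/available_sites/` and then links `../sites-available/purist_account`, so the symlink points at a file that was never put there; the copy also reads from `./config/nginx/` while every other step uses `./conf/`. The same text appears in the README lines this commit replaces, so a few more slips are worth fixing while it moves: the Update section activates the virtualenv with `./bin/activate.py` where Setup uses `source ../account_virtualenv/bin/activate`, it warns against `pip install --update` (the pip option is `--upgrade`), and the Migrations link text says issue #155 while the URL points at `/issues/115`. I would also add a step after the `cp` of `secret.ini` that sets its owner and mode, since nothing in the list restricts who can read it.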
Roadmap
=======
## Basic tests
* ~~Login: user exists (logged in)~~
* ~~Login: user does not exist (should fail)~~
* ~~Register: user exists (should fail)~~
* ~~Register: user does not exist (logged in)~~
* ~~Logout: (logged out)~~
## Login
* Django + LDAP users exist
* LDAP user exists
* Django user exists (should fail)
* Neither user exists (should fail)
## Registration
* Django + LDAP users exist (should skip)
* LDAP user exists
* Django user exists
* Neither user exists
## Change password
* Django + LDAP users exist
* LDAP user exists
* Django user exists (should fail)
* Neither user exists (should fail)
## Future
* Disable registration actions we don't require
* Rate-limit registrations (+ other abusive behaviour?)
* Enabling/disabling services (implement as pre-existing LDAP groups?)
; stored as /etc/supervisor/conf.d/purist_account_monitor.conf
; Copyright 2017 Purism SPC and contributors
; SPDX-License-Identifier: GPL-3.0+
; SPDX-License-Identifier: AGPL-3.0+
; Adapted from extra/supervisord/celerybeat.conf in Celery
; Copyright 2012-2014 GoPivotal, Inc.
......
......@@ -48,5 +48,10 @@ SPDX-License-Identifier: CC-BY-SA-4.0
<a href="https://plan.puri.st/project/overview/design/logo">Openclipart</a> [CC0].
</p>
<p style="font-size: small">
Purist services middleware. Copyright 2016 Purism SPC and contributors. Shared under AGPL-3.0+
<a href="{% url 'download-zip' %}">Download source</a>
</p>
</body>
</html>
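Review bot: the added footer says "Copyright 2016" while the README and the file headers in this commit say "Copyright 2017"; pick one. The notice also runs straight into the "Download source" link with no separator after "AGPL-3.0+", and `{% url 'download-zip' %}` relies on the included `django_agpl.urls` providing that name, so a render test for this template would catch a `NoReverseMatch` before it reaches every page.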
# Copyright 2017 Purism SPC and contributors
# SPDX-License-Identifier: GPL-3.0+
# SPDX-License-Identifier: AGPL-3.0+
# Original file from Celery 4.0.2 documentation
# Copyright 2009-2016 Ask Solem
......
......@@ -31,7 +31,15 @@ ALLOWED_HOSTS = config("ALLOWED_HOSTS", cast=Csv())
# REGISTRATION APPLICATION
#
INSTALLED_APPS += ["crispy_forms", "django_celery_beat", "ldapregister", "limitmonitor", ]
INSTALLED_APPS += ["crispy_forms", "django_agpl", "django_celery_beat", "ldapregister", "limitmonitor", ]
#
# AGPL APPLICATION
#
AGPL_ROOT = os.path.abspath(os.path.dirname(__file__) + "/..")
AGPL_FILENAME_PREFIX = 'purist_middleware'
# no exclusions are required, configuration and secrets are not stored in the site folder
#
# REGISTRATION APPLICATION
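Review bot: `AGPL_ROOT` is set to the parent of the settings directory and the comment asserts "no exclusions are required", which makes the public source download depend on nobody ever leaving a secret under that folder. The setup steps copy `./conf/etc/secret.ini` out of the code tree, so a filled-in copy left in place, a local database file or a `.git` directory under that root would presumably be packaged too; I would configure explicit exclusions instead of relying on the deployment layout. Minor: `os.path.dirname(__file__) + "/.."` reads better as `os.path.join(os.path.dirname(__file__), os.pardir)`.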
......
......@@ -41,4 +41,5 @@ urlpatterns = [
url(r'^accounts/profile/purist.ovpn', limitmonitor.views.ovpn_userfile, name='ovpn_userfile'),
url(r'^accounts/register/$', RegistrationView.as_view(form_class=RegistrationForm), name='registration_register'),
url(r'^accounts/', include('registration.backends.simple.urls')),
url(r'^download/', include('django_agpl.urls')),
]
......@@ -2,9 +2,10 @@ Django==1.11.4
Jinja2==2.9.6
WooCommerce==1.2.1
celery==4.0.2
django-celery-beat==1.0.1
dj-database-url==0.4.2
django-auth-ldap==1.2.13
django-agpl==4.0.0
django-celery-beat==1.0.1
django-crispy-forms==1.6.1
django-ldapdb==0.9.0
django-registration==2.2
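Review bot: `django-agpl==4.0.0` is pinned by version only, like the rest of the file. Since this package is given a public route that reads the site folder, I would pin it (and ideally every line here) with `--hash` entries and install with `pip install --require-hashes`.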
......