diff --git a/modules/weko-accounts/weko_accounts/templates/weko_accounts/login_user.html b/modules/weko-accounts/weko_accounts/templates/weko_accounts/login_user.html
index 5ae2666a90..d486b46664 100644
--- a/modules/weko-accounts/weko_accounts/templates/weko_accounts/login_user.html
+++ b/modules/weko-accounts/weko_accounts/templates/weko_accounts/login_user.html
@@ -1,363 +1,54 @@
-{#
-# This file is part of WEKO3.
-# Copyright (C) 2017 National Institute of Informatics.
-#
-# WEKO3 is free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of the
-# License, or (at your option) any later version.
-#
-# WEKO3 is distributed in the hope that it will be
-# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with WEKO3; if not, write to the
-# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
-# MA 02111-1307, USA.
-#}
+{%- extends config.ACCOUNTS_COVER_TEMPLATE %}
-{%- if config.WEKO_ACCOUNTS_SHIB_LOGIN_ENABLED and config.WEKO_ACCOUNTS_SHIB_INST_LOGIN_DIRECTLY_ENABLED and config.WEKO_ACCOUNTS_SHIB_IDP_LOGIN_ENABLED %}
-{%- set url_args = request.args.get('next', '/') | urlencode -%}
-
-{%- else %}
- {%- extends config.ACCOUNTS_COVER_TEMPLATE %}
+{% from "invenio_accounts/_macros.html" import render_field, form_errors %}
- {% from "invenio_accounts/_macros.html" import render_field, form_errors %}
+{%- block css %}
+{{ super() }}
+{% assets "weko_accounts_css" %}
+
+
+
+ {%- block form_header %}
+ {%- set site_info = site_info|get_site_info %}
+ {% if site_info.get("enable_notify") %}
+
{{_(config.WEKO_ACCOUNTS_LOGIN_LABEL)}}
+
+ {{site_info.get("login_instructions")}}
+
+ {% else %}
+
{{_('Log in to account') }}
+ {% endif %}
+ {%- endblock form_header %}
- {%- block css %}
- {{ super() }}
- {% assets "weko_accounts_css" %}
-
{% endassets %}
- {%- endblock css %}
- {% block panel %}
-
-
-
-
- {%- block form_header %}
- {%- set site_info = site_info|get_site_info %}
- {% if site_info.get("enable_notify") %}
-
{{_(config.WEKO_ACCOUNTS_LOGIN_LABEL)}}
-
- {{site_info.get("login_instructions")}}
-
- {% else %}
-
{{_('Log in to account') }}
- {% endif %}
- {%- endblock form_header %}
-
- {%- if config['WEKO_ACCOUNTS_SHIB_LOGIN_ENABLED'] %}
-
-
{{_('Institutional Login for institutions in Japan.')}}
-
-
-
-
-
-
-
-
-
-
- Login: Javascript is not available for your web browser. Therefore, please proceed manually .
-
-
-
-
-
- OR
-
- {%- endif %}
-
- {%- block form_outer %}
- {%- with form = login_user_form %}
-
- {%- endwith %}
- {%- endblock form_outer %}
-
+ {%- block form_outer %}
+ {%- with form = login_user_form %}
+
+ {%- endwith %}
+ {%- endblock form_outer %}
+
{%- block registerable %}
{%- if security.registerable %}
- {%- endif %}
- {%- endblock %}
+
{% trans sitename=config.ACCOUNTS_SITENAME %}New to {{sitename}}?{% endtrans %} {{_('Sign Up')}}
- {%- block recoverable %}
- {%- if security.recoverable %}
-
{{_('Forgot password?')}}
{%- endif %}
{%- endblock %}
- {% endblock panel %}
+ {%- block recoverable %}
+ {%- if security.recoverable %}
+
{{_('Forgot password?')}}
{%- endif %}
+ {%- endblock %}
+
+{% endblock panel %}
\ No newline at end of file
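Review bot: The new template's block structure does not look balanced: `{%- block form_header %}` and everything below it now sit inside `{%- block css %}` / `{% assets "weko_accounts_css" %}`, the `{%- endblock css %}` that used to close it is removed with no visible replacement, and the closing `{% endblock panel %}` has no `{% block panel %}` opening it on the new side (the old opener is removed). Unless those tags live on lines this rendering stripped, Jinja will refuse to compile the template and the login page fails outright rather than degrading. I would close the stylesheet block right after the `<link>` (`{% endassets %}` / `{%- endblock css %}`) and open `{% block panel %}` immediately before `{%- block form_header %}`. Separately, `{{site_info.get("login_instructions")}}` renders admin-supplied text on the pre-authentication page; that is fine only if autoescaping is on for `.html` templates here (presumably it is through the framework defaults — confirm, and keep `| safe` away from it).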
diff --git a/modules/weko-accounts/weko_accounts/utils.py b/modules/weko-accounts/weko_accounts/utils.py
index bc688620de..eed4ea6017 100644
--- a/modules/weko-accounts/weko_accounts/utils.py
+++ b/modules/weko-accounts/weko_accounts/utils.py
@@ -29,12 +29,17 @@
from flask_login.config import EXEMPT_METHODS
import hashlib
-from .config import WEKO_API_LIMIT_RATE_DEFAULT
+from .config import (
+ WEKO_API_LIMIT_RATE_DEFAULT,
+ WEKO_ACCOUNTS_WAYF_URL,
+ WEKO_ACCOUNTS_WAYF_ADDITIONAL_IDPS,
+ WEKO_ACCOUNTS_DEFAULT_IDP,
+)
limiter = Limiter(
app=None,
key_func=lambda: f"{request.endpoint}_{get_remote_addr()}",
- default_limits=WEKO_API_LIMIT_RATE_DEFAULT
+ default_limits=WEKO_API_LIMIT_RATE_DEFAULT,
)
"""Limiter for API rate per user.
@@ -65,28 +70,31 @@ def get_remote_addr():
# __file__, 'get_remote_addr()', 'request.headers', request.headers))
address = None
- if "WEKO_ACCOUNTS_REAL_IP" not in current_app.config or current_app.config["WEKO_ACCOUNTS_REAL_IP"] == None:
- address = request.headers.get('X-Real-IP', None)
+ if (
+ "WEKO_ACCOUNTS_REAL_IP" not in current_app.config
+ or current_app.config["WEKO_ACCOUNTS_REAL_IP"] == None
+ ):
+ address = request.headers.get("X-Real-IP", None)
if address is None:
- address = request.headers.get('X-Forwarded-For', None)
+ address = request.headers.get("X-Forwarded-For", None)
if address is not None:
- address = address.encode('utf-8').split(b',')[0].strip().decode()
+ address = address.encode("utf-8").split(b",")[0].strip().decode()
elif current_app.config["WEKO_ACCOUNTS_REAL_IP"] == "remote_addr":
- address =request.remote_addr
+ address = request.remote_addr
elif current_app.config["WEKO_ACCOUNTS_REAL_IP"] == "x_real_ip":
- address = request.headers.get('X-Real-IP', None)
+ address = request.headers.get("X-Real-IP", None)
elif current_app.config["WEKO_ACCOUNTS_REAL_IP"] == "x_forwarded_for":
- address = request.headers.get('X-Forwarded-For', None)
+ address = request.headers.get("X-Forwarded-For", None)
if address is not None:
- _tmp = address.encode('utf-8').split(b',')
+ _tmp = address.encode("utf-8").split(b",")
address = _tmp[0].strip().decode()
elif current_app.config["WEKO_ACCOUNTS_REAL_IP"] == "x_forwarded_for_rev":
- address = request.headers.get('X-Forwarded-For', None)
+ address = request.headers.get("X-Forwarded-For", None)
if address is not None:
- _tmp = address.encode('utf-8').split(b',')
- address = _tmp[len(_tmp)-1].strip().decode()
+ _tmp = address.encode("utf-8").split(b",")
+ address = _tmp[len(_tmp) - 1].strip().decode()
- if address == None or len(address)==0:
+ if address == None or len(address) == 0:
address = request.remote_addr
current_app.logger.debug("IP Address:{}".format(address))
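Review bot: In the default branch (`WEKO_ACCOUNTS_REAL_IP` absent or None) the address comes from `X-Real-IP`, or failing that the first element of `X-Forwarded-For`, both of which are client-supplied unless a trusted proxy overwrites them, and this value is the rate-limiter key (`key_func` at the top of the module). A client that sends a fresh `X-Forwarded-For` on every request therefore gets a fresh limit bucket, so the limiter can be bypassed; the reformat preserves that behaviour. I would make the default trust no header (`address = request.remote_addr`) and require the deployment to opt in to one of the explicit modes, noting in a comment that the leftmost XFF element is only meaningful behind a proxy that rewrites the header while `x_forwarded_for_rev` (the element appended by the nearest hop) is the one to use behind a single trusted proxy. On the new lines also prefer identity checks: `or current_app.config["WEKO_ACCOUNTS_REAL_IP"] is None` and `if address is None or len(address) == 0:`. get_remote_addr begins before and continues after this hunk.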
@@ -98,9 +106,8 @@ def generate_random_str(length=128):
"""Generate secret key."""
rng = random.SystemRandom()
- return ''.join(
- rng.choice(string.ascii_letters + string.digits)
- for _ in range(0, length)
+ return "".join(
+ rng.choice(string.ascii_letters + string.digits) for _ in range(0, length)
)
@@ -111,29 +118,36 @@ def parse_attributes():
# Get attribute mapping from admin settings
from weko_admin.models import AdminSettings
- admin_settings = AdminSettings.get('attribute_mapping', dict_to_object=False)
- for header, attr in current_app.config[
- 'WEKO_ACCOUNTS_SSO_ATTRIBUTE_MAP'].items():
+ admin_settings = AdminSettings.get("attribute_mapping", dict_to_object=False)
+
+ for header, attr in current_app.config["WEKO_ACCOUNTS_SSO_ATTRIBUTE_MAP"].items():
required, name = attr
if admin_settings:
target = admin_settings.get(name, header)
else:
target = header
- value = request.form.get(target, '') if request.method == 'POST' \
- else request.args.get(target, '')
+ value = (
+ request.form.get(target, "")
+ if request.method == "POST"
+ else request.args.get(target, "")
+ )
attrs[name] = value
if required and not value:
error = True
- if not error and not attrs.get('shib_user_name') and attrs.get('shib_eppn'):
- if len(attrs['shib_eppn']) > current_app.config[
- 'WEKO_ACCOUNTS_SHIB_USER_NAME_NO_HASH_LENGTH']:
- eppn = hashlib.sha256(attrs['shib_eppn'].encode('utf-8')).hexdigest()
+ if not error and not attrs.get("shib_user_name") and attrs.get("shib_eppn"):
+ if (
+ len(attrs["shib_eppn"])
+ > current_app.config["WEKO_ACCOUNTS_SHIB_USER_NAME_NO_HASH_LENGTH"]
+ ):
+ eppn = hashlib.sha256(attrs["shib_eppn"].encode("utf-8")).hexdigest()
else:
- eppn = attrs['shib_eppn']
- attrs['shib_user_name'] = current_app.config['WEKO_ACCOUNTS_GAKUNIN_USER_NAME_PREFIX'] + eppn
+ eppn = attrs["shib_eppn"]
+ attrs["shib_user_name"] = (
+ current_app.config["WEKO_ACCOUNTS_GAKUNIN_USER_NAME_PREFIX"] + eppn
+ )
return attrs, error
@@ -172,6 +186,7 @@ def post():
:param func: The view function to decorate.
:type func: function
"""
+
@wraps(func)
def decorated_view(*args, **kwargs):
if request.method in EXEMPT_METHODS:
@@ -179,11 +194,12 @@ def decorated_view(*args, **kwargs):
elif current_app.login_manager._login_disabled:
return func(*args, **kwargs)
elif not current_user.is_authenticated:
- guest_token = session.get('guest_token')
+ guest_token = session.get("guest_token")
if guest_token:
return func(*args, **kwargs)
return current_app.login_manager.unauthorized()
return func(*args, **kwargs)
+
return decorated_view
@@ -193,6 +209,7 @@ def roles_required(roles, allow_anonymous=False):
Args:
roles (list): List roles.
"""
+
def decorator(func):
@wraps(func)
def decorated_view(*args, **kwargs):
@@ -201,7 +218,7 @@ def decorated_view(*args, **kwargs):
elif current_app.login_manager._login_disabled:
return func(*args, **kwargs)
elif not current_user.is_authenticated:
- guest_token = session.get('guest_token')
+ guest_token = session.get("guest_token")
if guest_token:
return func(*args, **kwargs)
abort(401)
@@ -216,30 +233,48 @@ def decorated_view(*args, **kwargs):
if not can:
abort(403)
return func(*args, **kwargs)
+
return decorated_view
+
return decorator
+
def get_sp_info():
"""Get Service Provider (SP) information for Shibboleth login.
-
+
Returns:
dict: A dictionary containing SP entityID, handlerURL, and return URL.
"""
- _shib_login_url = current_app.config['WEKO_ACCOUNTS_SHIB_IDP_LOGIN_URL']
+ _shib_login_url = current_app.config["WEKO_ACCOUNTS_SHIB_IDP_LOGIN_URL"]
- session['next'] = request.args.get('next', '/')
+ session["next"] = request.args.get("next", "/")
return_url = _shib_login_url.format(request.url_root)
- sp_entityID = 'https://' + current_app.config['WEB_HOST_NAME'] + '/shibboleth-sp'
- if 'SP_ENTITYID' in current_app.config:
- sp_entityID = current_app.config['SP_ENTITYID']
-
- sp_handlerURL = 'https://' + current_app.config['WEB_HOST_NAME'] + '/Shibboleth.sso'
- if 'SP_HANDLERURL' in current_app.config:
- sp_handlerURL = current_app.config['SP_HANDLERURL']
+ sp_entityID = "https://" + current_app.config["WEB_HOST_NAME"] + "/shibboleth-sp"
+ if "SP_ENTITYID" in current_app.config:
+ sp_entityID = current_app.config["SP_ENTITYID"]
+
+ sp_handlerURL = "https://" + current_app.config["WEB_HOST_NAME"] + "/Shibboleth.sso"
+ if "SP_HANDLERURL" in current_app.config:
+ sp_handlerURL = current_app.config["SP_HANDLERURL"]
+
+ wayf_url = WEKO_ACCOUNTS_WAYF_URL
+ if "WEKO_ACCOUNTS_WAYF_URL" in current_app.config:
+ wayf_url = current_app.config["WEKO_ACCOUNTS_WAYF_URL"]
+
+ wayf_additional_idps = WEKO_ACCOUNTS_WAYF_ADDITIONAL_IDPS
+ if "WEKO_ACCOUNTS_WAYF_ADDITIONAL_IDPS" in current_app.config:
+ wayf_additional_idps = current_app.config["WEKO_ACCOUNTS_WAYF_ADDITIONAL_IDPS"]
+
+ default_idp = WEKO_ACCOUNTS_DEFAULT_IDP
+ if "WEKO_ACCOUNTS_DEFAULT_IDP" in current_app.config:
+ default_idp = current_app.config["WEKO_ACCOUNTS_DEFAULT_IDP"]
return {
- 'sp_entityID': sp_entityID,
- 'sp_handlerURL': sp_handlerURL,
- 'return_url': return_url,
+ "sp_entityID": sp_entityID,
+ "sp_handlerURL": sp_handlerURL,
+ "return_url": return_url,
+ "wayf_url": wayf_url,
+ "wayf_additional_idps": wayf_additional_idps,
+ "default_idp": default_idp,
}
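Review bot: `session["next"] = request.args.get("next", "/")` stores the caller-supplied `next` value untouched; its consumer is outside this hunk, but if it is the post-login redirect target after the IdP round-trip (as the name suggests), `?next=https://attacker.example` becomes an open redirect off the login flow. Accept only same-origin relative paths before storing it, e.g. `nxt = request.args.get("next", "/")` / `session["next"] = nxt if nxt.startswith("/") and not nxt.startswith("//") else "/"`. The three new `X = DEFAULT` / `if "X" in current_app.config: X = current_app.config["X"]` stanzas are each equivalent to `current_app.config.get("X", DEFAULT)`, which would also remove the need to import the defaults from `.config`. `return_url` is derived from `request.url_root`, so the SP return target follows whatever Host header arrives unless nginx pins `server_name` (worth a one-line comment here so the dependency is visible).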
diff --git a/nginx/info.py b/nginx/info.py
new file mode 100644
index 0000000000..00e50fb649
--- /dev/null
+++ b/nginx/info.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+import os
+import sys
+import platform
+import html
+
+# HTTPヘッダーの出力
+print("Content-Type: text/html; charset=utf-8")
+print()
+
+def generate_table(title, data_dict):
+ """辞書データをHTMLのテーブルに変換する"""
+ rows = []
+ # キーでソートして見やすくする
+ for key in sorted(data_dict.keys()):
+ value = data_dict[key]
+ rows.append(f"""
+
+ {html.escape(str(key))}
+ {html.escape(str(value))}
+
+ """)
+
+ return f"""
+
{title}
+
+ """
+
+# HTMLの組み立て
+style = """
+
+"""
+
+print(f"""
+
+
+
+
pythoninfo()
+ {style}
+
+
+
Python Information
+""")
+
+# 1. Pythonの基本情報
+core_info = {
+ "Python Version": sys.version,
+ "Python Executable": sys.executable,
+ "Platform": platform.platform(),
+ "Implementation": platform.python_implementation(),
+ "Filesystem Encoding": sys.getfilesystemencoding(),
+}
+print(generate_table("Python Core", core_info))
+
+# 2. CGI環境変数 (PHPの $_SERVER に相当)
+print(generate_table("Environment Variables (CGI)", os.environ))
+
+print("""
+
+
+""")
\ No newline at end of file
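Review bot: `print(generate_table("Environment Variables (CGI)", os.environ))` dumps the entire CGI environment into the page; under the new `location ~ /secure/` in nginx/weko.conf that environment carries the Shibboleth session (`Shib-Session-ID`, `Shib-Session-Index`), the user's `Remote-User`, `eppn`, `mail`, `isMemberOf` and `DisplayName` values as set by the `fastcgi_param` lines, plus `DOCUMENT_ROOT`/`SCRIPT_FILENAME` paths and any `HTTP_COOKIE`. This is a phpinfo()-style diagnostic and should not be deployed beyond debugging; if it has to stay, redact at least the session identifiers and cookies before rendering, e.g. `SENSITIVE = {"Shib-Session-ID", "Shib-Session-Index", "HTTP_COOKIE"}` / `env = {k: ("<redacted>" if k in SENSITIVE else v) for k, v in os.environ.items()}` / `print(generate_table("Environment Variables (CGI)", env))`. The comments are in Japanese while the Python elsewhere in this diff is documented in English; `# Emit the CGI response header`, `# Render a dict as an HTML table, sorted by key for readability` and `# CGI environment (equivalent of PHP's $_SERVER)` would match. Moving the top-level statements into `def main()` behind `if __name__ == "__main__":` would also keep the import of this module side-effect free.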
diff --git a/nginx/weko.conf b/nginx/weko.conf
index 4847a3ed68..907134dcf2 100644
--- a/nginx/weko.conf
+++ b/nginx/weko.conf
@@ -102,42 +102,86 @@ server {
alias /usr/share/shibboleth/;
}
- #A secured location.(Extension: .php)
- location ~ /secure/(.*\.php)$ {
- shib_request /shibauthorizer;
- shib_request_use_headers on;
- include shib_fastcgi_params;
- include shib_clear_headers;
-
- more_clear_input_headers 'EPPN' 'DisplayName' 'Email' 'Persistent-Id';
-
- fastcgi_pass unix:/tmp/php7.4-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include fastcgi_params;
- root /usr/share/nginx/html;
+ # #A secured location.(Extension: .php)
+ # location ~ /secure/(.*\.php)$ {
+ # shib_request /shibauthorizer;
+ # shib_request_use_headers on;
+ # include shib_fastcgi_params;
+ # include shib_clear_headers;
+
+ # more_clear_input_headers 'EPPN' 'DisplayName' 'Email' 'Persistent-Id';
+
+ # fastcgi_pass unix:/tmp/php7.4-fpm.sock;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # include fastcgi_params;
+ # root /usr/share/nginx/html;
+
+ # fastcgi_param NO_CHECK_WEKOSOCIETYAFFILIATION TRUE;
+ # }
- fastcgi_param NO_CHECK_WEKOSOCIETYAFFILIATION TRUE;
- }
+ # #A secured location.(Extension: .py)
+ # location ~ /secure/(.*\.py)$ {
+ # shib_request /shibauthorizer;
+ # shib_request_use_headers on;
+ # include shib_fastcgi_params;
+ # include shib_clear_headers;
- #A secured location.(Extension: .py)
- location ~ /secure/(.*\.py)$ {
- shib_request /shibauthorizer;
- shib_request_use_headers on;
- include shib_fastcgi_params;
- include shib_clear_headers;
+ # more_clear_input_headers 'EPPN' 'DisplayName' 'Email' 'Persistent-Id';
- more_clear_input_headers 'EPPN' 'DisplayName' 'Email' 'Persistent-Id';
+ # fastcgi_pass unix:/usr/lib/systemd/system/fcgiwrap.socket;
+ # # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # include fastcgi_params;
+ # root /usr/share/nginx/html;
- fastcgi_pass unix:/usr/lib/systemd/system/fcgiwrap.socket;
- # fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include fastcgi_params;
- root /usr/share/nginx/html;
+ # fastcgi_param NO_CHECK_WEKOSOCIETYAFFILIATION TRUE;
+ # }
- fastcgi_param NO_CHECK_WEKOSOCIETYAFFILIATION TRUE;
- }
+ location ~ /secure/ {
+ #include shib_clear_headers;
+ more_clear_input_headers 'Shib-Session-ID' 'Shib-Session-Index' 'Remote-User' 'eppn' 'mail' 'isMemberOf' 'DisplayName';
+ shib_request /shibauthorizer;
+ shib_request_use_headers on;
+ include fastcgi_params;
+ #include shib_fastcgi_params;
+
+ shib_request_set $shib_shib_session_id $upstream_http_variable_shib_session_id;
+ fastcgi_param Shib-Session-ID $shib_shib_session_id;
+
+ shib_request_set $shib_shib_session_index $upstream_http_variable_shib_session_index;
+ fastcgi_param Shib-Session-Index $shib_shib_session_index;
+
+ shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
+ fastcgi_param Remote-User $shib_remote_user;
+
+ #shib_request_set $shib_eppn $upstream_http_variable_eppn;
+ #fastcgi_param eppn $shib_eppn;
+
+ shib_request_set $shib_mail $upstream_http_variable_mail;
+ fastcgi_param mail $shib_mail;
+
+ shib_request_set $shib_isMemberOf $upstream_http_variable_isMemberOf;
+ fastcgi_param isMemberOf $shib_isMemberOf;
+
+ shib_request_set $shib_displayname $upstream_http_variable_displayname;
+ fastcgi_param DisplayName $shib_displayname;
+
+ #shib_request_set $shib_persistent_id $upstream_http_variable_persistent_id;
+ #fastcgi_param eppn $shib_persistent_id;
+
+ shib_request_set $shib_eppn $upstream_http_variable_eppn;
+ fastcgi_param eppn $shib_eppn;
+
+ fastcgi_split_path_info ^(.+\.py)(.*)$;
+
+ fastcgi_pass unix:/usr/lib/systemd/system/fcgiwrap.socket;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ root /usr/share/nginx/html;
+ fastcgi_param NO_CHECK_WEKOSOCIETYAFFILIATION FALSE;
+ }
+
#location /simplesaml {
# proxy_pass https://idp:443;
# proxy_set_header Host $host;
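Review bot: The replacement `location ~ /secure/` is an unanchored regex with no extension restriction, whereas the removed blocks matched `/secure/(.*\.php)$` and `/secure/(.*\.py)$`; any URI containing `/secure/` now reaches fcgiwrap with `SCRIPT_FILENAME $document_root$fastcgi_script_name`, and `fastcgi_split_path_info ^(.+\.py)(.*)$` only rewrites `$fastcgi_script_name` when a `.py` component is present, so for other paths fcgiwrap is handed whatever file sits under `/usr/share/nginx/html` to execute. Anchor and restrict it, `location ~ ^/secure/.+\.py(/|$) {`, and add `try_files $fastcgi_script_name =404;` (capturing `$fastcgi_path_info` into a `set` variable first if the scripts rely on PATH_INFO) so a missing script returns 404 instead of reaching the wrapper. `include shib_clear_headers;` is commented out in favour of a hand-written `more_clear_input_headers` list, and that list already drifted from the old one: `Persistent-Id` and `Email`, which the removed blocks cleared, are no longer cleared, so restore the include and keep the extra names alongside it. `NO_CHECK_WEKOSOCIETYAFFILIATION` flips from TRUE to FALSE without explanation; if that enables an affiliation check downstream it changes who can reach these scripts and deserves a comment. The two fully commented-out PHP/Python blocks are dead configuration and should be deleted rather than preserved as comments.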