From f22f2e813b1b0fe5d98dd77cd22aa668220c0100 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Thu, 14 Nov 2024 15:32:12 -0600 Subject: [PATCH 01/25] refactor(auth): move auth_method to production which is the only file we use it in also appeases flake8
---
 config/settings/production.py | 103 ++++++++++++++++++++--------------
 1 file changed, 62 insertions(+), 41 deletions(-)
diff --git a/config/settings/production.py b/config/settings/production.py
index 6d4484cc..e06d8fa2 100644
--- a/config/settings/production.py
+++ b/config/settings/production.py
@@ -1,3 +1,4 @@
+import logging
 import os
 from .base import * # noqa
@@ -141,44 +142,64 @@ # Your stuff... # ------------------------------------------------------------------------------ -# Extend middleware to add OIDC middleware -MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 - -# Extend middleware to add OIDC auth backend -AUTHENTICATION_BACKENDS += ["scram.route_manager.authentication_backends.ESnetAuthBackend"] # noqa F405 - -# https://docs.djangoproject.com/en/dev/ref/settings/#login-url -LOGIN_URL = "oidc_authentication_init" - -# https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url -LOGIN_REDIRECT_URL = "/" - -# https://docs.djangoproject.com/en/dev/ref/settings/#logout-url -LOGOUT_URL = "oidc_logout" - -# Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s -# https://github.com/mozilla/mozilla-django-oidc/issues/118 -# Using `/` because named urls don't work for this package -# https://github.com/mozilla/mozilla-django-oidc/issues/434 -LOGOUT_REDIRECT_URL = "/" - -OIDC_OP_JWKS_ENDPOINT = os.environ.get( - "OIDC_OP_JWKS_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/certs", -) -OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( - "OIDC_OP_AUTHORIZATION_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/auth", -) -OIDC_OP_TOKEN_ENDPOINT = os.environ.get( - "OIDC_OP_TOKEN_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/token", -) -OIDC_OP_USER_ENDPOINT = os.environ.get( - "OIDC_OP_USER_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", -) -OIDC_RP_SIGN_ALGO = "RS256" - -OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID") -OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET") +# Are you using local passwords or oidc? 
+AUTH_METHOD = os.environ.get("SCRAM_AUTH_METHOD", "local").lower() + +logging.info(f"Using AUTH METHOD = {AUTH_METHOD}") +if AUTH_METHOD == "oidc": + # Extend middleware to add OIDC middleware + MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 + + # Extend middleware to add OIDC auth backend + AUTHENTICATION_BACKENDS += ["scram.route_manager.authentication_backends.ESnetAuthBackend"] # noqa F405 + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-url + LOGIN_URL = "oidc_authentication_init" + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url + LOGIN_REDIRECT_URL = "/" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url + LOGOUT_URL = "oidc_logout" + + # Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s + # https://github.com/mozilla/mozilla-django-oidc/issues/118 + # Using `/` because named urls don't work for this package + # https://github.com/mozilla/mozilla-django-oidc/issues/434 + LOGOUT_REDIRECT_URL = "/" + + OIDC_OP_JWKS_ENDPOINT = os.environ.get( + "OIDC_OP_JWKS_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/certs", + ) + OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( + "OIDC_OP_AUTHORIZATION_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/auth", + ) + OIDC_OP_TOKEN_ENDPOINT = os.environ.get( + "OIDC_OP_TOKEN_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/token", + ) + OIDC_OP_USER_ENDPOINT = os.environ.get( + "OIDC_OP_USER_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", + ) + OIDC_RP_SIGN_ALGO = "RS256" + + OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID") + OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET") + +elif AUTH_METHOD == "local": + # https://docs.djangoproject.com/en/dev/ref/settings/#login-url + LOGIN_URL = "/login" + + # 
https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url + LOGIN_REDIRECT_URL = "route_manager:home" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url + LOGOUT_URL = "/logout" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url + LOGOUT_REDIRECT_URL = "/" +else: + raise Exception(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") From d34334efa99284b786338ff21da0c19cab3d9dcd Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Thu, 14 Nov 2024 15:35:16 -0600 Subject: [PATCH 02/25] style(isort): run isort on base.py --- config/settings/base.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/config/settings/base.py b/config/settings/base.py index b9e1ca01..91e609e0 100644 --- a/config/settings/base.py +++ b/config/settings/base.py @@ -1,7 +1,6 @@ """ Base settings to build other settings files upon. """ -import os from pathlib import Path import environ @@ -97,12 +96,6 @@ ] # https://docs.djangoproject.com/en/dev/ref/settings/#auth-user-model AUTH_USER_MODEL = "users.User" -# https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url -LOGIN_REDIRECT_URL = "route_manager:home" -# https://docs.djangoproject.com/en/dev/ref/settings/#login-url -LOGIN_URL = "admin:login" -# https://docs.djangoproject.com/en/dev/ref/settings/#logout-url -LOGOUT_URL = "admin:logout" # PASSWORDS # ------------------------------------------------------------------------------ @@ -293,9 +286,6 @@ SIMPLE_HISTORY_HISTORY_CHANGE_REASON_USE_TEXT_FIELD = True SIMPLE_HISTORY_ENABLED = True -# Are you using local passwords or oidc? -AUTH_METHOD = os.environ.get("SCRAM_AUTH_METHOD", "local") - # Users in these groups have full privileges, including Django is_superuser SCRAM_ADMIN_GROUPS = ["svc_scram_admin"] From d98363acced7118af2aee89a93d2e88dd2c2b131 Mon Sep 17 00:00:00 2001 
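Review bot: `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET` in the new oidc branch fall back to `None` when the variables are unset, so a production deployment with a missing secret starts cleanly and only fails later at the token exchange; the `env` helper that production.py imports from `.base` (visible as context in the patch 11 hunk) raises `ImproperlyConfigured` at import time for a missing value, e.g. `OIDC_RP_CLIENT_SECRET = env("OIDC_RP_CLIENT_SECRET")`. The four `OIDC_OP_*` endpoints have the same shape with `example.com` defaults, which lets a production settings file silently point JWKS retrieval and token exchange at a placeholder host instead of failing at startup. The `else:` branch raises a bare `Exception`; `django.core.exceptions.ImproperlyConfigured` is the conventional type for settings errors and would be imported at the top of the file. `logging.info(...)` also runs at import time on the root logger, before Django applies `LOGGING`, so the message is likely dropped in production.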
From: Sam Oehlert Date: Thu, 14 Nov 2024 15:35:55 -0600 Subject: [PATCH 03/25] refactor(settings): put auth settings for a make toggle-local situation in our local settings instead of inheriting them --- config/settings/local.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/config/settings/local.py b/config/settings/local.py index 14ec647b..9a6fd4de 100644 --- a/config/settings/local.py +++ b/config/settings/local.py @@ -67,3 +67,12 @@ # Behave Django testing framework INSTALLED_APPS += ["behave_django"] # noqa F405 + +# AUTHENTICATION +# ------------------------------------------------------------------------------ +# https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url +LOGIN_REDIRECT_URL = "route_manager:home" +# https://docs.djangoproject.com/en/dev/ref/settings/#login-url +LOGIN_URL = "admin:login" +# https://docs.djangoproject.com/en/dev/ref/settings/#logout-url +LOGOUT_URL = "admin:logout" From ecd90d177088055e87d987adbd0c3554880012c7 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Thu, 14 Nov 2024 16:11:16 -0600 Subject: [PATCH 04/25] style(precommit): ran hooks --- scram/local_auth/__init__.py | 0 scram/local_auth/urls.py | 9 +++++++++ scram/local_auth/views.py | 9 +++++++++ 3 files changed, 18 insertions(+) create mode 100644 scram/local_auth/__init__.py create mode 100644 scram/local_auth/urls.py create mode 100644 scram/local_auth/views.py diff --git a/scram/local_auth/__init__.py b/scram/local_auth/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/scram/local_auth/urls.py b/scram/local_auth/urls.py new file mode 100644 index 00000000..0c8f7345 --- /dev/null +++ b/scram/local_auth/urls.py @@ -0,0 +1,9 @@ +from django.urls import path + +from scram.local_auth.views import login, logout + +app_name = "users" +urlpatterns = [ + path("login/", view=login, name="update"), + path("logout/", view=logout, name="detail"), +] 
diff --git a/scram/local_auth/views.py b/scram/local_auth/views.py new file mode 100644 index 00000000..d4d0cb8c --- /dev/null +++ b/scram/local_auth/views.py @@ -0,0 +1,9 @@ +from django.shortcuts import render + + +def login(request): + return render(request, "account/login.html") + + +def logout(request): + return render(request, "account/logout.html") From 08625aa6770a27f5c0acb2d9c12605a31b21741f Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Thu, 14 Nov 2024 16:12:16 -0600 Subject: [PATCH 05/25] feat(local_auth): set up the urls and point to them for the make toggle-prod with local auth use case --- config/settings/production.py | 6 +++--- config/urls.py | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/settings/production.py b/config/settings/production.py index e06d8fa2..258f4877 100644 --- a/config/settings/production.py +++ b/config/settings/production.py @@ -191,15 +191,15 @@ elif AUTH_METHOD == "local": # https://docs.djangoproject.com/en/dev/ref/settings/#login-url - LOGIN_URL = "/login" + LOGIN_URL = "local_auth:login" # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url LOGIN_REDIRECT_URL = "route_manager:home" # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url - LOGOUT_URL = "/logout" + LOGOUT_URL = "local_auth:logout" # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url - LOGOUT_REDIRECT_URL = "/" + LOGOUT_REDIRECT_URL = "route_manager:home" else: raise Exception(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") diff --git a/config/urls.py b/config/urls.py index a52cd002..ec9e5b7b 100644 --- a/config/urls.py +++ b/config/urls.py @@ -28,7 +28,8 @@ import mozilla_django_oidc # noqa: F401 urlpatterns += [path("oidc/", include("mozilla_django_oidc.urls"))] - +elif settings.AUTH_METHOD == "local": + urlpatterns += [path("auth/", include("scram.local_auth.urls", namespace="local_auth"))] # API URLS api_version_urls = ( [ 
From 2fc25a53509a33870095bbfb8364f491d30d569a Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Thu, 14 Nov 2024 16:14:24 -0600 Subject: [PATCH 06/25] refactor(formatting): fix formatting --- scram/templates/account/login.html | 25 +------------------------ scram/templates/account/logout.html | 3 +-- 2 files changed, 2 insertions(+), 26 deletions(-) diff --git a/scram/templates/account/login.html b/scram/templates/account/login.html index 2cadea6a..ea2c5642 100644 --- a/scram/templates/account/login.html +++ b/scram/templates/account/login.html @@ -1,7 +1,6 @@ {% extends "account/base.html" %} {% load i18n %} -{% load account socialaccount %} {% load crispy_forms_tags %} {% block head_title %}{% trans "Sign In" %}{% endblock %} @@ -10,39 +9,17 @@

{% trans "Sign In" %}

-{% get_providers as socialaccount_providers %} -{% if socialaccount_providers %} -

{% blocktrans with site.name as site_name %}Please sign in with one -of your existing third party accounts. Or, sign up -for a {{ site_name }} account and sign in below:{% endblocktrans %}

- -
- -
    - {% include "socialaccount/snippets/provider_list.html" with process="login" %} -
- - - -
- -{% include "socialaccount/snippets/login_extra.html" %} - -{% else %}

{% blocktrans %}If you have not created an account yet, then please sign up first.{% endblocktrans %}

-{% endif %} - {% endblock %} - diff --git a/scram/templates/account/logout.html b/scram/templates/account/logout.html index 8e2e6754..6a6d9263 100644 --- a/scram/templates/account/logout.html +++ b/scram/templates/account/logout.html @@ -9,7 +9,7 @@

{% trans "Sign Out" %}

{% trans 'Are you sure you want to sign out?' %}

-
+ {% csrf_token %} {% if redirect_field_value %} @@ -19,4 +19,3 @@

{% trans "Sign Out" %}

{% endblock %} - From 3cb82d68df3eca6d18aa35578742c051fb10d9a2 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 11:10:04 -0600 Subject: [PATCH 07/25] style(hooks): ran precommit --- config/settings/production.py | 4 ++-- scram/local_auth/urls.py | 8 ++++---- scram/local_auth/views.py | 9 --------- scram/templates/account/login.html | 6 +++--- scram/templates/account/logout.html | 4 ++-- 5 files changed, 11 insertions(+), 20 deletions(-) delete mode 100644 scram/local_auth/views.py diff --git a/config/settings/production.py b/config/settings/production.py index 258f4877..ed5d707c 100644 --- a/config/settings/production.py +++ b/config/settings/production.py @@ -157,7 +157,7 @@ LOGIN_URL = "oidc_authentication_init" # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "/" + LOGIN_REDIRECT_URL = "route_manager:home" # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url LOGOUT_URL = "oidc_logout" @@ -166,7 +166,7 @@ # https://github.com/mozilla/mozilla-django-oidc/issues/118 # Using `/` because named urls don't work for this package # https://github.com/mozilla/mozilla-django-oidc/issues/434 - LOGOUT_REDIRECT_URL = "/" + LOGOUT_REDIRECT_URL = "route_manager:home" OIDC_OP_JWKS_ENDPOINT = os.environ.get( "OIDC_OP_JWKS_ENDPOINT", diff --git a/scram/local_auth/urls.py b/scram/local_auth/urls.py index 0c8f7345..a6fe2555 100644 --- a/scram/local_auth/urls.py +++ b/scram/local_auth/urls.py @@ -1,9 +1,9 @@ +from django.contrib.auth import views as auth_views from django.urls import path -from scram.local_auth.views import login, logout +app_name = "local_auth" -app_name = "users" urlpatterns = [ - path("login/", view=login, name="update"), - path("logout/", view=logout, name="detail"), + path("login/", auth_views.login, {"template_name": "account/login.html"}, name="login"), + path("logout/", auth_views.logout, {"template_name": "logged_out.html"}, name="logout"), ] 
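Review bot: `LOGOUT_REDIRECT_URL = "route_manager:home"` in the `@@ -166,7 +166,7 @@` hunk of production.py sits directly under the comment saying that `/` is used because named urls don't work for this package (mozilla-django-oidc issue 434), so after this change either the value or the comment is wrong. If the installed version still cannot resolve a named URL here, this reintroduces the `/oidc/logout/None` 404 that the preceding comment describes; if it can, those two comment lines should be removed. Either keep `LOGOUT_REDIRECT_URL = "/"` in the oidc branch, or verify the redirect against the installed package version and update the comment to match. `LOGIN_REDIRECT_URL` in the `@@ -157,7 +157,7 @@` hunk of the same file changes the same way and should be checked together with it.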
diff --git a/scram/local_auth/views.py b/scram/local_auth/views.py deleted file mode 100644 index d4d0cb8c..00000000 --- a/scram/local_auth/views.py +++ /dev/null @@ -1,9 +0,0 @@ -from django.shortcuts import render - - -def login(request): - return render(request, "account/login.html") - - -def logout(request): - return render(request, "account/logout.html") diff --git a/scram/templates/account/login.html b/scram/templates/account/login.html index ea2c5642..46db8b4c 100644 --- a/scram/templates/account/login.html +++ b/scram/templates/account/login.html @@ -1,11 +1,11 @@ -{% extends "account/base.html" %} +{% extends "base.html" %} {% load i18n %} {% load crispy_forms_tags %} {% block head_title %}{% trans "Sign In" %}{% endblock %} -{% block inner %} +{% block content %}

{% trans "Sign In" %}

@@ -13,7 +13,7 @@

{% trans "Sign In" %}

{% blocktrans %}If you have not created an account yet, then please sign up first.{% endblocktrans %}

- + {% csrf_token %} {{ form|crispy }} {% if redirect_field_value %} diff --git a/scram/templates/account/logout.html b/scram/templates/account/logout.html index 6a6d9263..2fcbdf09 100644 --- a/scram/templates/account/logout.html +++ b/scram/templates/account/logout.html @@ -1,10 +1,10 @@ -{% extends "account/base.html" %} +{% extends "base.html" %} {% load i18n %} {% block head_title %}{% trans "Sign Out" %}{% endblock %} -{% block inner %} +{% block content %}

{% trans "Sign Out" %}

{% trans 'Are you sure you want to sign out?' %}

From 4cc628ed2947dce568652f22fc7742986bed1cc8 Mon Sep 17 00:00:00 2001 
From: Sam Oehlert Date: Fri, 15 Nov 2024 12:38:25 -0600 Subject: [PATCH 08/25] feat(auth): set up the most basic working version of local auth use the django provided views and keep the template very basic for now. also remove unnecessary templates from the cookiecutter --- .env | 2 - scram/local_auth/urls.py | 10 ++- scram/templates/account/account_inactive.html | 12 --- scram/templates/account/base.html | 10 --- scram/templates/account/email.html | 80 ------------------- scram/templates/account/email_confirm.html | 32 -------- scram/templates/account/login.html | 25 ------ scram/templates/account/logout.html | 21 ----- scram/templates/account/password_change.html | 17 ---- scram/templates/account/password_reset.html | 25 ------ .../account/password_reset_done.html | 16 ---- .../account/password_reset_from_key.html | 24 ------ .../account/password_reset_from_key_done.html | 10 --- scram/templates/account/password_set.html | 17 ---- scram/templates/account/signup.html | 23 ------ scram/templates/account/signup_closed.html | 12 --- .../templates/account/verification_sent.html | 13 --- .../account/verified_email_required.html | 24 ------ scram/templates/local_auth/login.html | 12 +++ 19 files changed, 19 insertions(+), 366 deletions(-) delete mode 100644 .env delete mode 100644 scram/templates/account/account_inactive.html delete mode 100644 scram/templates/account/base.html delete mode 100644 scram/templates/account/email.html delete mode 100644 scram/templates/account/email_confirm.html delete mode 100644 scram/templates/account/login.html delete mode 100644 scram/templates/account/logout.html delete mode 100644 scram/templates/account/password_change.html delete mode 100644 scram/templates/account/password_reset.html delete mode 100644 scram/templates/account/password_reset_done.html delete mode 100644 scram/templates/account/password_reset_from_key.html delete mode 100644 scram/templates/account/password_reset_from_key_done.html delete mode 100644 
scram/templates/account/password_set.html delete mode 100644 scram/templates/account/signup.html delete mode 100644 scram/templates/account/signup_closed.html delete mode 100644 scram/templates/account/verification_sent.html delete mode 100644 scram/templates/account/verified_email_required.html create mode 100644 scram/templates/local_auth/login.html diff --git a/.env b/.env deleted file mode 100644 index 3a5ce563..00000000 --- a/.env +++ /dev/null @@ -1,2 +0,0 @@ -CI_PROJECT_DIR=. -HOSTNAME=$(hostname) diff --git a/scram/local_auth/urls.py b/scram/local_auth/urls.py index a6fe2555..0d930946 100644 --- a/scram/local_auth/urls.py +++ b/scram/local_auth/urls.py @@ -1,9 +1,13 @@ -from django.contrib.auth import views as auth_views +from django.contrib.auth.views import LoginView, LogoutView from django.urls import path app_name = "local_auth" urlpatterns = [ - path("login/", auth_views.login, {"template_name": "account/login.html"}, name="login"), - path("logout/", auth_views.logout, {"template_name": "logged_out.html"}, name="logout"), + path( + "login/", + LoginView.as_view(template_name="local_auth/login.html", success_url="route_manager:home"), + name="login", + ), + path("logout/", LogoutView.as_view(), name="logout"), ] diff --git a/scram/templates/account/account_inactive.html b/scram/templates/account/account_inactive.html deleted file mode 100644 index 17c21577..00000000 --- a/scram/templates/account/account_inactive.html +++ /dev/null @@ -1,12 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} - -{% block head_title %}{% trans "Account Inactive" %}{% endblock %} - -{% block inner %} -
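Review bot: `success_url="route_manager:home"` on `LoginView.as_view(...)` in scram/local_auth/urls.py has no effect: `LoginView` overrides `get_success_url()` to use the `next` parameter and then `settings.LOGIN_REDIRECT_URL`, so the attribute inherited from `FormView` is accepted by `as_view()` but never read. Since the production settings already set `LOGIN_REDIRECT_URL = "route_manager:home"` for the local branch, the kwarg can be dropped: `LoginView.as_view(template_name="local_auth/login.html")`; on Django 4.1+ `next_page=` is the attribute that would override it per view. Worth confirming as well that whatever link points at `local_auth:logout` submits a POST form, since `LogoutView` deprecated GET in Django 4.1 and rejects it in 5.0; the Django version in use is not visible here.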

{% trans "Account Inactive" %}

- -

{% trans "This account is inactive." %}

-{% endblock %} - diff --git a/scram/templates/account/base.html b/scram/templates/account/base.html deleted file mode 100644 index 97f4ddb8..00000000 --- a/scram/templates/account/base.html +++ /dev/null @@ -1,10 +0,0 @@ -{% extends "../base.html" %} -{% block title %}{% block head_title %}{% endblock head_title %}{% endblock title %} - -{% block content %} -
-
- {% block inner %}{% endblock %} -
-
-{% endblock %} diff --git a/scram/templates/account/email.html b/scram/templates/account/email.html deleted file mode 100644 index 8eef4159..00000000 --- a/scram/templates/account/email.html +++ /dev/null @@ -1,80 +0,0 @@ - -{% extends "account/base.html" %} - -{% load i18n %} -{% load crispy_forms_tags %} - -{% block head_title %}{% trans "Account" %}{% endblock %} - -{% block inner %} -

{% trans "E-mail Addresses" %}

- -{% if user.emailaddress_set.all %} -

{% trans 'The following e-mail addresses are associated with your account:' %}

- - -{% csrf_token %} -
- - {% for emailaddress in user.emailaddress_set.all %} -
- -
- {% endfor %} - -
- - - -
- -
- - -{% else %} -

{% trans 'Warning:'%} {% trans "You currently do not have any e-mail address set up. You should really add an e-mail address so you can receive notifications, reset your password, etc." %}

- -{% endif %} - - -

{% trans "Add E-mail Address" %}

- -
- {% csrf_token %} - {{ form|crispy }} - -
- -{% endblock %} - - -{% block inline_javascript %} -{{ block.super }} - -{% endblock %} - diff --git a/scram/templates/account/email_confirm.html b/scram/templates/account/email_confirm.html deleted file mode 100644 index 46c78126..00000000 --- a/scram/templates/account/email_confirm.html +++ /dev/null @@ -1,32 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load account %} - -{% block head_title %}{% trans "Confirm E-mail Address" %}{% endblock %} - - -{% block inner %} -

{% trans "Confirm E-mail Address" %}

- -{% if confirmation %} - -{% user_display confirmation.email_address.user as user_display %} - -

{% blocktrans with confirmation.email_address.email as email %}Please confirm that {{ email }} is an e-mail address for user {{ user_display }}.{% endblocktrans %}

- -
-{% csrf_token %} - -
- -{% else %} - -{% url 'account_email' as email_url %} - -

{% blocktrans %}This e-mail confirmation link expired or is invalid. Please issue a new e-mail confirmation request.{% endblocktrans %}

- -{% endif %} - -{% endblock %} - diff --git a/scram/templates/account/login.html b/scram/templates/account/login.html deleted file mode 100644 index 46db8b4c..00000000 --- a/scram/templates/account/login.html +++ /dev/null @@ -1,25 +0,0 @@ -{% extends "base.html" %} - -{% load i18n %} -{% load crispy_forms_tags %} - -{% block head_title %}{% trans "Sign In" %}{% endblock %} - -{% block content %} - -

{% trans "Sign In" %}

- - -

{% blocktrans %}If you have not created an account yet, then please -sign up first.{% endblocktrans %}

- - - -{% endblock %} diff --git a/scram/templates/account/logout.html b/scram/templates/account/logout.html deleted file mode 100644 index 2fcbdf09..00000000 --- a/scram/templates/account/logout.html +++ /dev/null @@ -1,21 +0,0 @@ -{% extends "base.html" %} - -{% load i18n %} - -{% block head_title %}{% trans "Sign Out" %}{% endblock %} - -{% block content %} -

{% trans "Sign Out" %}

- -

{% trans 'Are you sure you want to sign out?' %}

- -
- {% csrf_token %} - {% if redirect_field_value %} - - {% endif %} - -
- - -{% endblock %} diff --git a/scram/templates/account/password_change.html b/scram/templates/account/password_change.html deleted file mode 100644 index b72ca068..00000000 --- a/scram/templates/account/password_change.html +++ /dev/null @@ -1,17 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load crispy_forms_tags %} - -{% block head_title %}{% trans "Change Password" %}{% endblock %} - -{% block inner %} -

{% trans "Change Password" %}

- -
- {% csrf_token %} - {{ form|crispy }} - -
-{% endblock %} - diff --git a/scram/templates/account/password_reset.html b/scram/templates/account/password_reset.html deleted file mode 100644 index c98f28c1..00000000 --- a/scram/templates/account/password_reset.html +++ /dev/null @@ -1,25 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load account %} -{% load crispy_forms_tags %} - -{% block head_title %}{% trans "Password Reset" %}{% endblock %} - -{% block inner %} - -

{% trans "Password Reset" %}

- {% if user.is_authenticated %} - {% include "/snippets/already_logged_in.html" %} - {% endif %} - -

{% trans "Forgotten your password? Enter your e-mail address below, and we'll send you an e-mail allowing you to reset it." %}

- -
- {% csrf_token %} - {{ form|crispy }} - -
- -

{% blocktrans %}Please contact us if you have any trouble resetting your password.{% endblocktrans %}

-{% endblock %} diff --git a/scram/templates/account/password_reset_done.html b/scram/templates/account/password_reset_done.html deleted file mode 100644 index 835156ca..00000000 --- a/scram/templates/account/password_reset_done.html +++ /dev/null @@ -1,16 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load account %} - -{% block head_title %}{% trans "Password Reset" %}{% endblock %} - -{% block inner %} -

{% trans "Password Reset" %}

- - {% if user.is_authenticated %} - {% include "/snippets/already_logged_in.html" %} - {% endif %} - -

{% blocktrans %}We have sent you an e-mail. Please contact us if you do not receive it within a few minutes.{% endblocktrans %}

-{% endblock %} diff --git a/scram/templates/account/password_reset_from_key.html b/scram/templates/account/password_reset_from_key.html deleted file mode 100644 index 2e2cd194..00000000 --- a/scram/templates/account/password_reset_from_key.html +++ /dev/null @@ -1,24 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load crispy_forms_tags %} -{% block head_title %}{% trans "Change Password" %}{% endblock %} - -{% block inner %} -

{% if token_fail %}{% trans "Bad Token" %}{% else %}{% trans "Change Password" %}{% endif %}

- - {% if token_fail %} - {% url 'account_reset_password' as passwd_reset_url %} -

{% blocktrans %}The password reset link was invalid, possibly because it has already been used. Please request a new password reset.{% endblocktrans %}

- {% else %} - {% if form %} -
- {% csrf_token %} - {{ form|crispy }} - -
- {% else %} -

{% trans 'Your password is now changed.' %}

- {% endif %} - {% endif %} -{% endblock %} diff --git a/scram/templates/account/password_reset_from_key_done.html b/scram/templates/account/password_reset_from_key_done.html deleted file mode 100644 index 89be086f..00000000 --- a/scram/templates/account/password_reset_from_key_done.html +++ /dev/null @@ -1,10 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% block head_title %}{% trans "Change Password" %}{% endblock %} - -{% block inner %} -

{% trans "Change Password" %}

-

{% trans 'Your password is now changed.' %}

-{% endblock %} - diff --git a/scram/templates/account/password_set.html b/scram/templates/account/password_set.html deleted file mode 100644 index 22322235..00000000 --- a/scram/templates/account/password_set.html +++ /dev/null @@ -1,17 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load crispy_forms_tags %} - -{% block head_title %}{% trans "Set Password" %}{% endblock %} - -{% block inner %} -

{% trans "Set Password" %}

- -
- {% csrf_token %} - {{ form|crispy }} - -
-{% endblock %} - diff --git a/scram/templates/account/signup.html b/scram/templates/account/signup.html deleted file mode 100644 index 6a2954eb..00000000 --- a/scram/templates/account/signup.html +++ /dev/null @@ -1,23 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} -{% load crispy_forms_tags %} - -{% block head_title %}{% trans "Signup" %}{% endblock %} - -{% block inner %} -

{% trans "Sign Up" %}

- -

{% blocktrans %}Already have an account? Then please sign in.{% endblocktrans %}

- - - -{% endblock %} - diff --git a/scram/templates/account/signup_closed.html b/scram/templates/account/signup_closed.html deleted file mode 100644 index 2322f176..00000000 --- a/scram/templates/account/signup_closed.html +++ /dev/null @@ -1,12 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} - -{% block head_title %}{% trans "Sign Up Closed" %}{% endblock %} - -{% block inner %} -

{% trans "Sign Up Closed" %}

- -

{% trans "We are sorry, but the sign up is currently closed." %}

-{% endblock %} - diff --git a/scram/templates/account/verification_sent.html b/scram/templates/account/verification_sent.html deleted file mode 100644 index ad093fd4..00000000 --- a/scram/templates/account/verification_sent.html +++ /dev/null @@ -1,13 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} - -{% block head_title %}{% trans "Verify Your E-mail Address" %}{% endblock %} - -{% block inner %} -

{% trans "Verify Your E-mail Address" %}

- -

{% blocktrans %}We have sent an e-mail to you for verification. Follow the link provided to finalize the signup process. Please contact us if you do not receive it within a few minutes.{% endblocktrans %}

- -{% endblock %} - diff --git a/scram/templates/account/verified_email_required.html b/scram/templates/account/verified_email_required.html deleted file mode 100644 index 09d4fde7..00000000 --- a/scram/templates/account/verified_email_required.html +++ /dev/null @@ -1,24 +0,0 @@ -{% extends "account/base.html" %} - -{% load i18n %} - -{% block head_title %}{% trans "Verify Your E-mail Address" %}{% endblock %} - -{% block inner %} -

{% trans "Verify Your E-mail Address" %}

- -{% url 'account_email' as email_url %} - -

{% blocktrans %}This part of the site requires us to verify that -you are who you claim to be. For this purpose, we require that you -verify ownership of your e-mail address. {% endblocktrans %}

- -

{% blocktrans %}We have sent an e-mail to you for -verification. Please click on the link inside this e-mail. Please -contact us if you do not receive it within a few minutes.{% endblocktrans %}

- -

{% blocktrans %}Note: you can still change your e-mail address.{% endblocktrans %}

- - -{% endblock %} - diff --git a/scram/templates/local_auth/login.html b/scram/templates/local_auth/login.html new file mode 100644 index 00000000..e2355d27 --- /dev/null +++ b/scram/templates/local_auth/login.html @@ -0,0 +1,12 @@ +{% extends 'base.html' %} + +{% block title %}Login{% endblock %} + +{% block content %} +

Login

+
+ {% csrf_token %} + {{ form.as_p }} + +
+{% endblock %} From 95b921d43266deed804cd07a7f26911959a53c21 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 12:45:47 -0600 Subject: [PATCH 09/25] fix(gh-actions): pull in docs temp fix --- .github/workflows/docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1f7e14f0..d3fbb051 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -3,7 +3,7 @@ name: Build sphinx docs on: push: branches: - - '**' + - 'main' # Allows you to run this workflow manually from the Actions tab workflow_dispatch: From 2074d72a300ba1095b5e182ded708ca49b74e7aa Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 12:53:28 -0600 Subject: [PATCH 10/25] fix(env-file): replace the .env file that i deleted thinking we didnt need but we sure do --- .env | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .env diff --git a/.env b/.env new file mode 100644 index 00000000..3a5ce563 --- /dev/null +++ b/.env @@ -0,0 +1,2 @@ +CI_PROJECT_DIR=. +HOSTNAME=$(hostname) From b6bfd9bc21e91eedfe359f927f55acb1790e36b0 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 13:04:43 -0600 Subject: [PATCH 11/25] style(hookes): ran precommit --- config/settings/base.py | 4 ++++ config/settings/production.py | 5 +---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/settings/base.py b/config/settings/base.py index 91e609e0..26ed8ec8 100644 --- a/config/settings/base.py +++ b/config/settings/base.py @@ -1,6 +1,8 @@ """ Base settings to build other settings files upon. """ + +import os from pathlib import Path import environ @@ -274,6 +276,8 @@ CORS_URLS_REGEX = r"^/api/.*$" # Your stuff... # ------------------------------------------------------------------------------ +# Are you using local passwords or oidc? +AUTH_METHOD = os.environ.get("SCRAM_AUTH_METHOD", "local").lower() # Should we create an admin user for you AUTOCREATE_ADMIN = True 
diff --git a/config/settings/production.py b/config/settings/production.py index ed5d707c..0d1ef70f 100644 --- a/config/settings/production.py +++ b/config/settings/production.py @@ -2,7 +2,7 @@ import os from .base import * # noqa -from .base import AUTHENTICATION_BACKENDS, MIDDLEWARE, env +from .base import AUTH_METHOD, AUTHENTICATION_BACKENDS, MIDDLEWARE, env # GENERAL # ------------------------------------------------------------------------------ @@ -142,9 +142,6 @@ # Your stuff... # ------------------------------------------------------------------------------ -# Are you using local passwords or oidc? -AUTH_METHOD = os.environ.get("SCRAM_AUTH_METHOD", "local").lower() - logging.info(f"Using AUTH METHOD = {AUTH_METHOD}") if AUTH_METHOD == "oidc": # Extend middleware to add OIDC middleware From 602767ecb574f4b5ea10c5fd18c2d3f3d9c9803d Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 13:19:40 -0600 Subject: [PATCH 12/25] refactor(hooks): ran precommit --- config/settings/test.py | 78 +++++++++++++++++++++++++++++------------ 1 file changed, 56 insertions(+), 22 deletions(-) diff --git a/config/settings/test.py b/config/settings/test.py index 1eb5ed4a..9c89f01c 100644 --- a/config/settings/test.py +++ b/config/settings/test.py @@ -5,7 +5,7 @@ import os from .base import * # noqa -from .base import env +from .base import AUTH_METHOD, env # GENERAL # ------------------------------------------------------------------------------ 
@@ -41,26 +41,60 @@ # Your stuff... # ------------------------------------------------------------------------------ -# Extend middleware to add OIDC middleware -MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 +if AUTH_METHOD == "oidc": + # Extend middleware to add OIDC middleware + MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 -OIDC_OP_JWKS_ENDPOINT = os.environ.get( - "OIDC_OP_JWKS_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/certs", -) -OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( - "OIDC_OP_AUTHORIZATION_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/auth", -) -OIDC_OP_TOKEN_ENDPOINT = os.environ.get( - "OIDC_OP_TOKEN_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/token", -) -OIDC_OP_USER_ENDPOINT = os.environ.get( - "OIDC_OP_USER_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", -) -OIDC_RP_SIGN_ALGO = "RS256" + # Extend middleware to add OIDC auth backend + AUTHENTICATION_BACKENDS += ["scram.route_manager.authentication_backends.ESnetAuthBackend"] # noqa F405 + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-url + LOGIN_URL = "oidc_authentication_init" + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url + LOGIN_REDIRECT_URL = "route_manager:home" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url + LOGOUT_URL = "oidc_logout" + + # Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s + # https://github.com/mozilla/mozilla-django-oidc/issues/118 + # Using `/` because named urls don't work for this package + # https://github.com/mozilla/mozilla-django-oidc/issues/434 + LOGOUT_REDIRECT_URL = "route_manager:home" + + OIDC_OP_JWKS_ENDPOINT = os.environ.get( + "OIDC_OP_JWKS_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/certs", + ) + 
OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( + "OIDC_OP_AUTHORIZATION_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/auth", + ) + OIDC_OP_TOKEN_ENDPOINT = os.environ.get( + "OIDC_OP_TOKEN_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/token", + ) + OIDC_OP_USER_ENDPOINT = os.environ.get( + "OIDC_OP_USER_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", + ) + OIDC_RP_SIGN_ALGO = "RS256" + + OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID") + OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET") + +elif AUTH_METHOD == "local": + # https://docs.djangoproject.com/en/dev/ref/settings/#login-url + LOGIN_URL = "local_auth:login" + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url + LOGIN_REDIRECT_URL = "route_manager:home" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url + LOGOUT_URL = "local_auth:logout" -OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID", "client_id") -OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET", "client_secret") + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url + LOGOUT_REDIRECT_URL = "route_manager:home" +else: + raise Exception(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") From 4fbfcb98dd4bd9136e0a7ada352dd2c0aa8acaa3 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 14:19:03 -0600 Subject: [PATCH 13/25] refactor(hooks): ran precommit --- config/settings/test.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/settings/test.py b/config/settings/test.py index 9c89f01c..8d3a6cd5 100644 --- a/config/settings/test.py +++ b/config/settings/test.py 
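Review bot: The comment kept above `LOGOUT_REDIRECT_URL = "route_manager:home"` still says "Using `/` because named urls don't work for this package" and cites mozilla-django-oidc issue 434, but the value has been changed to a named URL; either the comment is stale or the OIDC logout redirect will break, and the two cannot both be right. Please confirm against the package version in use and make the comment match the value, e.g. `# Named URL is fine here with the pinned mozilla-django-oidc version; see issue 434 for the older limitation`. The same comment/value pair is repeated in the base.py hunk of PATCH 18 and moved to module level in PATCH 25.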
@@ -41,6 +41,14 @@ # Your stuff... # ------------------------------------------------------------------------------ +OIDC_OP_JWKS_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/certs" +OIDC_OP_AUTHORIZATION_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/auth" +OIDC_OP_TOKEN_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/token" +OIDC_OP_USER_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/userinfo" +OIDC_RP_SIGN_ALGO = "RS256" +OIDC_RP_CLIENT_ID = "" +OIDC_RP_CLIENT_SECRET = "" + if AUTH_METHOD == "oidc": # Extend middleware to add OIDC middleware MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 From f0334b72d699504478388ce4b14f02830241a8b7 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 14:19:39 -0600 Subject: [PATCH 14/25] test(naming): update the name of the test case to better match reality --- scram/route_manager/tests/test_authorization.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scram/route_manager/tests/test_authorization.py b/scram/route_manager/tests/test_authorization.py index 6f4269d1..cb4a52f4 100644 --- a/scram/route_manager/tests/test_authorization.py +++ b/scram/route_manager/tests/test_authorization.py @@ -125,7 +125,7 @@ def test_unauthorized_after_group_removal(self): self.assertEqual(response.status_code, 302) -class OidcTest(TestCase): +class ESnetAuthBackendTest(TestCase): def setUp(self): self.client = Client() self.claims = { From 29d29ab8a329dff8f3e86552691da74b39ced7b6 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Fri, 15 Nov 2024 14:28:26 -0600 Subject: [PATCH 15/25] refactor(linting): should not be raising a raw exception --- config/settings/production.py | 2 +- config/settings/test.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/settings/production.py b/config/settings/production.py index 0d1ef70f..5e45125c 100644 
--- a/config/settings/production.py +++ b/config/settings/production.py @@ -199,4 +199,4 @@ # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url LOGOUT_REDIRECT_URL = "route_manager:home" else: - raise Exception(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") + raise ValueError(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") diff --git a/config/settings/test.py b/config/settings/test.py index 8d3a6cd5..01f0cc8d 100644 --- a/config/settings/test.py +++ b/config/settings/test.py @@ -105,4 +105,4 @@ # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url LOGOUT_REDIRECT_URL = "route_manager:home" else: - raise Exception(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") + raise ValueError(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") From a969cc8b296d204910c8a0559c060ac7874e1b77 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Sun, 17 Nov 2024 15:36:32 -0600 Subject: [PATCH 16/25] docs(envvars): Document all our envvars This is the ones we use in our ansible role; we should still do a better job documenting the required ones with their defaults --- docs/environment_variables.md | 76 +++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 docs/environment_variables.md diff --git a/docs/environment_variables.md b/docs/environment_variables.md new file mode 100644 index 00000000..c44629a7 --- /dev/null +++ b/docs/environment_variables.md 
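Review bot: `raise ValueError(...)` satisfies the linter, but in a Django settings module the conventional exception for a bad setting is `django.core.exceptions.ImproperlyConfigured`, which lets startup code and tests distinguish a configuration error from an arbitrary ValueError; `raise ImproperlyConfigured(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'")` with the matching import. Both hunks in this commit (production.py and test.py) carry the same line, and the enclosing `if`/`elif` chain starts outside each hunk.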
@@ -0,0 +1,76 @@ +## Environment Variables to Set for Deployment +[comment]: # Which branch of SCRAM to use (you probably want to set it to a release tag) +scram_code_branch: +#### Systems +[comment]: # Email of the main admin +scram_manager_email: +[comment]: # Set to true for production mode; set to false to set up the compose.override.local.yml stack +scram_prod: true +[comment]: # Set to true if you want ansible to install a scram user +scram_install_user: true +[comment]: # What group to put `scram` user in +scram_group: 'scram' +[comment]: # What username to use for `scram` user +scram_user: '' +[comment]: # WHat uid to use for `scram` user +scram_uid: '' +[comment]: # What directory to use for base of the repo +scram_home: '/usr/local/scram' +[comment]: # IP or DNS record for your postgres host +scram_postgres_host: +[comment]: # What postgres user to use +scram_postgres_user: '' + +#### Authentication +[comment]: # This chooses if you want to use oidc or local accounts. This can be local or oidc only. Default: `local` +scram_auth_method: "local" +[comment]: # This client id (username) for your oidc connection. Only need to set this if you are trying to do oidc. 
+scram_oidc_client_id: + +#### Networking +[comment]: # What is the peering interface docker uses for gobgp to talk to the router +scram_peering_iface: 'ens192' +[comment]: # The v6 network of your peering connection +scram_v4_subnet: '10.0.0.0/24' +[comment]: # The v4 IP of the peering connection for the router side +scram_v4_gateway: '10.0.0.1' +[comment]: # The v4 IP of the peering connection for gobgp side +scram_v4_address: '10.0.0.2' +[comment]: # The v6 network of your peering connection +scram_v6_subnet: '2001:db8::/64' +[comment]: # The v6 IP of the peering connection for the router side +scram_v6_gateway: '2001:db8::2' +[comment]: # The v6 IP of the peering connection for the gobgp side +scram_v6_address: '2001:db8::3' +[comment]: # The AS you want to use for gobgp +scram_as: +[comment]: # A string representing your gobgp instance. Often seen as the local IP of the gobgp instance +scram_router_id: +[comment]: # +scram_peer_as: +[comment]: # The AS you want to use for gobgp side (can this be the same as `scram_as`?) +scram_local_as: +[comment]: # The fqdn of the server hosting this - to be used for nginx +scram_nginx_host: +[comment]: # List of allowed hosts per the django setting "ALLOWED_HOSTS". 
This should be a list of strings in shell +[comment]: # `django` is required for the websockets to work +[comment]: # Our Ansible assumes `django` + `scram_nginx_host` +scram_django_allowed_hosts: "django" +[comment]: # The fqdn of the server hosting this - to be used for nginx +scram_server_alias: +[comment]: # Do you want to set an md5 for authentication of bgp +scram_bgp_md5_enabled: false +[comment]: # The neighbor config of your gobgp config +scram_neighbors: +[comment]: # The v6 address of your neighbor + - neighbor_address: 2001:db8::2 +[comment]: # This is a v6 address so don't use v4 + ipv4: false +[comment]: # This is a v6 address so use v6 + ipv6: true +[comment]: # The v4 address of your neighbor + - neighbor_address: 10.0.0.200 +[comment]: # This is a v4 address so use v4 + ipv4: true +[comment]: # This is a v4 address so don't use v6 + ipv6: false From 7ca1132942b43a418a59058ca62829a191c6c889 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Sun, 17 Nov 2024 15:39:45 -0600 Subject: [PATCH 17/25] docs(installation): add beginnings of environment variable instructions --- README.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.rst b/README.rst index 9be49463..6e488bff 100644 --- a/README.rst +++ b/README.rst 
@@ -48,6 +48,9 @@ To get a basic implementation up and running locally: - Create ``$scram_home/.envs/.production/.postgres`` a template exists in the docs/templates directory - Make sure to set the right credentials - By default this template assumes you have a service defined in docker compose file called postgres. If you use another postgres server, make sure to update that setting as well +- Create a ``.env`` file with the necessary environment variables: + - [comment]: # This chooses if you want to use oidc or local accounts. This can be local or oidc only. Default: `local` + - scram_auth_method: "local" - ``make build`` - ``make toggle-prod`` - This will turn off debug mode in django and start using nginx to reverse proxy for the app From 53153c1e8f8c597a2523ff9a48b8e5f7af7794ae Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Sun, 17 Nov 2024 22:47:10 -0600 Subject: [PATCH 18/25] refactor(authentication-settings): move settings back into base and just override in local.py it was redundant between production and test. this does mean that you have to set the auth_method envvar even if you are using the local stack, but that's fine. --- config/settings/base.py | 61 +++++++++++++++++++++++++++++++ config/settings/local.py | 8 ++-- config/settings/production.py | 63 +------------------------------- config/settings/test.py | 69 +---------------------------------- 4 files changed, 68 insertions(+), 133 deletions(-) diff --git a/config/settings/base.py b/config/settings/base.py index 26ed8ec8..20e9e558 100644 --- a/config/settings/base.py +++ b/config/settings/base.py @@ -2,6 +2,7 @@ Base settings to build other settings files upon. """ +import logging import os from pathlib import Path 
@@ -279,6 +280,66 @@ # Are you using local passwords or oidc? AUTH_METHOD = os.environ.get("SCRAM_AUTH_METHOD", "local").lower() +logging.info(f"Using AUTH METHOD = {AUTH_METHOD}") +if AUTH_METHOD == "oidc": + # Extend middleware to add OIDC middleware + MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 + + # Extend middleware to add OIDC auth backend + AUTHENTICATION_BACKENDS += ["scram.route_manager.authentication_backends.ESnetAuthBackend"] # noqa F405 + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-url + LOGIN_URL = "oidc_authentication_init" + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url + LOGIN_REDIRECT_URL = "route_manager:home" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url + LOGOUT_URL = "oidc_logout" + + # Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s + # https://github.com/mozilla/mozilla-django-oidc/issues/118 + # Using `/` because named urls don't work for this package + # https://github.com/mozilla/mozilla-django-oidc/issues/434 + LOGOUT_REDIRECT_URL = "route_manager:home" + + OIDC_OP_JWKS_ENDPOINT = os.environ.get( + "OIDC_OP_JWKS_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/certs", + ) + OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( + "OIDC_OP_AUTHORIZATION_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/auth", + ) + OIDC_OP_TOKEN_ENDPOINT = os.environ.get( + "OIDC_OP_TOKEN_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/token", + ) + OIDC_OP_USER_ENDPOINT = os.environ.get( + "OIDC_OP_USER_ENDPOINT", + "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", + ) + OIDC_RP_SIGN_ALGO = "RS256" + + OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID") + OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET") + +elif AUTH_METHOD == "local": + # 
https://docs.djangoproject.com/en/dev/ref/settings/#login-url + LOGIN_URL = "local_auth:login" + + # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url + LOGIN_REDIRECT_URL = "route_manager:home" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url + LOGOUT_URL = "local_auth:logout" + + # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url + LOGOUT_REDIRECT_URL = "route_manager:home" +else: + raise ValueError(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") + + # Should we create an admin user for you AUTOCREATE_ADMIN = True diff --git a/config/settings/local.py b/config/settings/local.py index 9a6fd4de..74d6d0e0 100644 --- a/config/settings/local.py +++ b/config/settings/local.py @@ -1,5 +1,5 @@ from .base import * # noqa -from .base import env +from .base import AUTH_METHOD, env # GENERAL # ------------------------------------------------------------------------------ @@ -70,8 +70,10 @@ # AUTHENTICATION # ------------------------------------------------------------------------------ -# https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url -LOGIN_REDIRECT_URL = "route_manager:home" +# We shouldn't be using OIDC in local dev mode as of now, but might be worth pursuing later +if AUTH_METHOD == "oidc": + raise NotImplementedError("oidc is not yet implemented") + # https://docs.djangoproject.com/en/dev/ref/settings/#login-url LOGIN_URL = "admin:login" # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url diff --git a/config/settings/production.py b/config/settings/production.py index 5e45125c..8f62b5d4 100644 --- a/config/settings/production.py +++ b/config/settings/production.py @@ -1,8 +1,5 @@ -import logging -import os - from .base import * # noqa -from .base import AUTH_METHOD, AUTHENTICATION_BACKENDS, MIDDLEWARE, env +from .base import env # GENERAL # ------------------------------------------------------------------------------ 
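Review bot: Under `AUTH_METHOD == "oidc"`, `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET` fall back to `None` and every OP endpoint falls back to an `example.com` URL, so a deployment whose environment is incomplete starts up apparently healthy and points at a placeholder provider instead of failing; a fail-closed check at the end of the branch, `if not (OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET): raise ValueError("OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET must be set when SCRAM_AUTH_METHOD=oidc")`, closes that gap (the test settings appear to override these values after import, so they should be unaffected). `logging.info(f"Using AUTH METHOD = {AUTH_METHOD}")` runs on the root logger at settings-import time, before Django applies `LOGGING`, so at the default WARNING level it is dropped, and per the logging docs a module-level `logging.info()` call with no root handlers implicitly runs `basicConfig()` as a side effect. `logging.getLogger(__name__).info("Using AUTH METHOD = %s", AUTH_METHOD)` avoids the side effect and the eager f-string formatting. PATCH 25's hunk later moves the endpoint defaults to module level, where the same missing-credential check still applies.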
@@ -142,61 +139,3 @@ # Your stuff... # ------------------------------------------------------------------------------ -logging.info(f"Using AUTH METHOD = {AUTH_METHOD}") -if AUTH_METHOD == "oidc": - # Extend middleware to add OIDC middleware - MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 - - # Extend middleware to add OIDC auth backend - AUTHENTICATION_BACKENDS += ["scram.route_manager.authentication_backends.ESnetAuthBackend"] # noqa F405 - - # https://docs.djangoproject.com/en/dev/ref/settings/#login-url - LOGIN_URL = "oidc_authentication_init" - - # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "route_manager:home" - - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url - LOGOUT_URL = "oidc_logout" - - # Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s - # https://github.com/mozilla/mozilla-django-oidc/issues/118 - # Using `/` because named urls don't work for this package - # https://github.com/mozilla/mozilla-django-oidc/issues/434 - LOGOUT_REDIRECT_URL = "route_manager:home" - - OIDC_OP_JWKS_ENDPOINT = os.environ.get( - "OIDC_OP_JWKS_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/certs", - ) - OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( - "OIDC_OP_AUTHORIZATION_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/auth", - ) - OIDC_OP_TOKEN_ENDPOINT = os.environ.get( - "OIDC_OP_TOKEN_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/token", - ) - OIDC_OP_USER_ENDPOINT = os.environ.get( - "OIDC_OP_USER_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", - ) - OIDC_RP_SIGN_ALGO = "RS256" - - OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID") - OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET") - -elif AUTH_METHOD == "local": - # https://docs.djangoproject.com/en/dev/ref/settings/#login-url 
- LOGIN_URL = "local_auth:login" - - # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "route_manager:home" - - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url - LOGOUT_URL = "local_auth:logout" - - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url - LOGOUT_REDIRECT_URL = "route_manager:home" -else: - raise ValueError(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") diff --git a/config/settings/test.py b/config/settings/test.py index 01f0cc8d..0163e07c 100644 --- a/config/settings/test.py +++ b/config/settings/test.py @@ -2,10 +2,8 @@ With these settings, tests run faster. """ -import os - from .base import * # noqa -from .base import AUTH_METHOD, env +from .base import env # GENERAL # ------------------------------------------------------------------------------ 
@@ -41,68 +39,3 @@ # Your stuff... # ------------------------------------------------------------------------------ -OIDC_OP_JWKS_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/certs" -OIDC_OP_AUTHORIZATION_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/auth" -OIDC_OP_TOKEN_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/token" -OIDC_OP_USER_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/userinfo" -OIDC_RP_SIGN_ALGO = "RS256" -OIDC_RP_CLIENT_ID = "" -OIDC_RP_CLIENT_SECRET = "" - -if AUTH_METHOD == "oidc": - # Extend middleware to add OIDC middleware - MIDDLEWARE += ["mozilla_django_oidc.middleware.SessionRefresh"] # noqa F405 - - # Extend middleware to add OIDC auth backend - AUTHENTICATION_BACKENDS += ["scram.route_manager.authentication_backends.ESnetAuthBackend"] # noqa F405 - - # https://docs.djangoproject.com/en/dev/ref/settings/#login-url - LOGIN_URL = "oidc_authentication_init" - - # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "route_manager:home" - - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url - LOGOUT_URL = "oidc_logout" - - # Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s - # https://github.com/mozilla/mozilla-django-oidc/issues/118 - # Using `/` because named urls don't work for this package - # https://github.com/mozilla/mozilla-django-oidc/issues/434 - LOGOUT_REDIRECT_URL = "route_manager:home" - - OIDC_OP_JWKS_ENDPOINT = os.environ.get( - "OIDC_OP_JWKS_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/certs", - ) - OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get( - "OIDC_OP_AUTHORIZATION_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/auth", - ) - OIDC_OP_TOKEN_ENDPOINT = os.environ.get( - "OIDC_OP_TOKEN_ENDPOINT", - 
"https://example.com/auth/realms/example/protocol/openid-connect/token", - ) - OIDC_OP_USER_ENDPOINT = os.environ.get( - "OIDC_OP_USER_ENDPOINT", - "https://example.com/auth/realms/example/protocol/openid-connect/userinfo", - ) - OIDC_RP_SIGN_ALGO = "RS256" - - OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID") - OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET") - -elif AUTH_METHOD == "local": - # https://docs.djangoproject.com/en/dev/ref/settings/#login-url - LOGIN_URL = "local_auth:login" - - # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "route_manager:home" - - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url - LOGOUT_URL = "local_auth:logout" - - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url - LOGOUT_REDIRECT_URL = "route_manager:home" -else: - raise ValueError(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'") From 46d11fdb2d7be7984baf31cd9e0d1089a145f115 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Sun, 17 Nov 2024 23:06:40 -0600 Subject: [PATCH 19/25] fix(test.py): OidcTest requires that we have these set even to dummy values We need this as soon as we load ESnetAuthBackend --- config/settings/test.py | 7 +++++++ scram/route_manager/tests/test_autocreate_admin.py | 0 2 files changed, 7 insertions(+) create mode 100644 scram/route_manager/tests/test_autocreate_admin.py diff --git a/config/settings/test.py b/config/settings/test.py index 0163e07c..44352142 100644 --- a/config/settings/test.py +++ b/config/settings/test.py 
@@ -39,3 +39,10 @@ # Your stuff... # ------------------------------------------------------------------------------ +OIDC_OP_JWKS_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/certs" +OIDC_OP_AUTHORIZATION_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/auth" +OIDC_OP_TOKEN_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/token" +OIDC_OP_USER_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/userinfo" +OIDC_RP_SIGN_ALGO = "RS256" +OIDC_RP_CLIENT_ID = "" +OIDC_RP_CLIENT_SECRET = "" diff --git a/scram/route_manager/tests/test_autocreate_admin.py b/scram/route_manager/tests/test_autocreate_admin.py new file mode 100644 index 00000000..e69de29b From d387849ab4d1efa63a0d30ec21ab83aa6642ddce Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Sun, 17 Nov 2024 23:54:51 -0600 Subject: [PATCH 20/25] fix(OidcTest): OIDC vars required by our OidcTest case --- config/settings/test.py | 1 + 1 file changed, 1 insertion(+) diff --git a/config/settings/test.py b/config/settings/test.py index 44352142..a4951b2c 100644 --- a/config/settings/test.py +++ b/config/settings/test.py @@ -39,6 +39,7 @@ # Your stuff... # ------------------------------------------------------------------------------ +# These variables are required by the ESnetAuthBackend called in our OidcTest case OIDC_OP_JWKS_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/certs" OIDC_OP_AUTHORIZATION_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/auth" OIDC_OP_TOKEN_ENDPOINT = "https://example.com/auth/realms/example/protocol/openid-connect/token" From 712815ca4b164e6017f37efbd47801ec5a802d15 Mon Sep 17 00:00:00 2001 
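Review bot: These dummy OIDC values are assigned unconditionally, but whether `ESnetAuthBackend` is in `AUTHENTICATION_BACKENDS` and the OIDC middleware in `MIDDLEWARE` during a test run is still decided by `SCRAM_AUTH_METHOD` in the environment when base.py is imported, so the suite exercises different settings in a developer shell than in CI depending on that variable. Consider pinning the mode the suite assumes and stating it next to this block, e.g. `# Test settings assume SCRAM_AUTH_METHOD is unset (local); the OIDC backend is exercised directly by its tests`.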
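Review bot: The added comment refers to "our OidcTest case", but PATCH 14 renamed that class to `ESnetAuthBackendTest`, so the comment is stale on the commit that introduces it; `# These variables are required by the ESnetAuthBackend exercised in ESnetAuthBackendTest` keeps the pointer accurate.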
From: Sam Oehlert Date: Sun, 17 Nov 2024 23:55:57 -0600 Subject: [PATCH 21/25] build(sugar): this package needed to be updated to avoid a bug we started seeing while running tests See https://github.com/Teemu/pytest-sugar/issues/241 for more info --- requirements/local.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/local.txt b/requirements/local.txt index a0fbe77b..eef7c4bf 100644 --- a/requirements/local.txt +++ b/requirements/local.txt @@ -8,7 +8,7 @@ watchgod==0.8.2 # https://github.com/samuelcolvin/watchgod # Testing # ------------------------------------------------------------------------------ django-stubs==1.11.0 # https://github.com/typeddjango/django-stubs -pytest-sugar==0.9.4 # https://github.com/Frozenball/pytest-sugar +pytest-sugar==0.9.6 # https://github.com/Frozenball/pytest-sugar behave-django==1.4.0 # https://github.com/behave/behave-django # Documentation From 8bd0c441dc7587997d486351d7c56779d18ffa70 Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Mon, 18 Nov 2024 00:01:26 -0600 Subject: [PATCH 22/25] test(autocreate_admin): make sure to test our autocreation of the admin user on first startup --- .../tests/test_autocreate_admin.py | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/scram/route_manager/tests/test_autocreate_admin.py b/scram/route_manager/tests/test_autocreate_admin.py index e69de29b..b5e7751b 100644 --- a/scram/route_manager/tests/test_autocreate_admin.py +++ b/scram/route_manager/tests/test_autocreate_admin.py 
@@ -0,0 +1,51 @@ +"""This file contains tests for the auto-creation of an admin user.""" + +import pytest +from django.contrib.auth.models import User +from django.contrib.messages import get_messages +from django.test import Client +from django.urls import reverse + +from scram.users.models import User + + +@pytest.mark.django_db +def test_autocreate_admin(settings): + """Test that an admin user is auto-created when AUTOCREATE_ADMIN is True.""" + + settings.AUTOCREATE_ADMIN = True + client = Client() + response = client.get(reverse("route_manager:home")) + assert response.status_code == 200 + assert User.objects.count() == 1 + user = User.objects.get(username="admin") + assert user.is_superuser + assert user.email == "admin@example.com" + messages = list(get_messages(response.wsgi_request)) + assert len(messages) == 2 + assert messages[0].level == 25 # SUCCESS + assert messages[1].level == 20 # INFO + + +@pytest.mark.django_db +def test_autocreate_admin_disabled(settings): + """Test that an admin user is not auto-created when AUTOCREATE_ADMIN is False.""" + + settings.AUTOCREATE_ADMIN = False + client = Client() + response = client.get(reverse("route_manager:home")) + assert response.status_code == 200 + assert User.objects.count() == 0 + + +@pytest.mark.django_db +def test_autocreate_admin_existing_user(settings): + """Test that an admin user is not auto-created when an existing user is present.""" + + settings.AUTOCREATE_ADMIN = True + User.objects.create_user("testuser", "test@example.com", "password") + client = Client() + response = client.get(reverse("route_manager:home")) + assert response.status_code == 200 + assert User.objects.count() == 1 + assert not User.objects.filter(username="admin").exists() From d28086114ee49499e47360f17f917b44e9f3f81f Mon Sep 17 00:00:00 2001 
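Review bot: `from django.contrib.auth.models import User` is immediately shadowed by `from scram.users.models import User`, so the first import is dead and flake8 will flag it (F811); keep only the project model, which is the one the assertions need. The message levels `25` and `20` are `django.contrib.messages.constants.SUCCESS` and `.INFO`, which read better than numeric literals with trailing comments. From a security angle these tests pin that an unauthenticated `GET` of the home page creates a superuser, yet nothing here constrains the credential that account gets; an assertion such as `assert user.has_usable_password()` together with a check that it is not a fixed literal would cover the property of autocreation that matters most.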
From: Sam Oehlert Date: Mon, 18 Nov 2024 10:18:49 -0600 Subject: [PATCH 23/25] style(flake8): update docstrings and spacing for flake8 --- scram/local_auth/__init__.py | 1 + scram/local_auth/urls.py | 2 ++ scram/route_manager/tests/test_authorization.py | 3 ++- scram/route_manager/tests/test_autocreate_admin.py | 3 --- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/scram/local_auth/__init__.py b/scram/local_auth/__init__.py index e69de29b..113a7bfa 100644 --- a/scram/local_auth/__init__.py +++ b/scram/local_auth/__init__.py @@ -0,0 +1 @@ +"""Local_auth is the app that holds urls we want to use with local Django auth.""" diff --git a/scram/local_auth/urls.py b/scram/local_auth/urls.py index 0d930946..56c7b727 100644 --- a/scram/local_auth/urls.py +++ b/scram/local_auth/urls.py @@ -1,3 +1,5 @@ +"""Register URLs for local auth known to Django, and the View that will handle each.""" + from django.contrib.auth.views import LoginView, LogoutView from django.urls import path diff --git a/scram/route_manager/tests/test_authorization.py b/scram/route_manager/tests/test_authorization.py index e1b7f83f..17de2b6d 100644 --- a/scram/route_manager/tests/test_authorization.py +++ b/scram/route_manager/tests/test_authorization.py @@ -132,8 +132,9 @@ def test_unauthorized_after_group_removal(self): self.assertEqual(response.status_code, 302) - class ESnetAuthBackendTest(TestCase): + """Define tests using OIDC authentication with our ESnetAuthBackend.""" + def setUp(self): """Create a sample OIDC user.""" self.client = Client() diff --git a/scram/route_manager/tests/test_autocreate_admin.py b/scram/route_manager/tests/test_autocreate_admin.py index b5e7751b..b9d2e432 100644 --- a/scram/route_manager/tests/test_autocreate_admin.py +++ b/scram/route_manager/tests/test_autocreate_admin.py 
@@ -12,7 +12,6 @@ @pytest.mark.django_db def test_autocreate_admin(settings): """Test that an admin user is auto-created when AUTOCREATE_ADMIN is True.""" - settings.AUTOCREATE_ADMIN = True client = Client() response = client.get(reverse("route_manager:home")) @@ -30,7 +29,6 @@ def test_autocreate_admin(settings): @pytest.mark.django_db def test_autocreate_admin_disabled(settings): """Test that an admin user is not auto-created when AUTOCREATE_ADMIN is False.""" - settings.AUTOCREATE_ADMIN = False client = Client() response = client.get(reverse("route_manager:home")) @@ -41,7 +39,6 @@ def test_autocreate_admin_disabled(settings): @pytest.mark.django_db def test_autocreate_admin_existing_user(settings): """Test that an admin user is not auto-created when an existing user is present.""" - settings.AUTOCREATE_ADMIN = True User.objects.create_user("testuser", "test@example.com", "password") client = Client() From 2a4f8e5abfa38431d4993817787e1a7344b526ed Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Tue, 19 Nov 2024 12:01:54 -0600 Subject: [PATCH 24/25] refactor(login_redirect_url): no need to set this twice since both paths use the same value --- config/settings/base.py | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/config/settings/base.py b/config/settings/base.py index 20e9e558..ce4407c0 100644 --- a/config/settings/base.py +++ b/config/settings/base.py @@ -280,6 +280,9 @@ # Are you using local passwords or oidc? AUTH_METHOD = os.environ.get("SCRAM_AUTH_METHOD", "local").lower() +# https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url +LOGIN_REDIRECT_URL = "route_manager:home" + logging.info(f"Using AUTH METHOD = {AUTH_METHOD}") if AUTH_METHOD == "oidc": # Extend middleware to add OIDC middleware 
@@ -291,9 +294,6 @@ # https://docs.djangoproject.com/en/dev/ref/settings/#login-url LOGIN_URL = "oidc_authentication_init" - # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "route_manager:home" - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url LOGOUT_URL = "oidc_logout" @@ -328,9 +328,6 @@ # https://docs.djangoproject.com/en/dev/ref/settings/#login-url LOGIN_URL = "local_auth:login" - # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url - LOGIN_REDIRECT_URL = "route_manager:home" - # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url LOGOUT_URL = "local_auth:logout" @@ -366,8 +363,6 @@ # This is the set of all the groups SCRAM_GROUPS = SCRAM_ADMIN_GROUPS + SCRAM_READWRITE_GROUPS + SCRAM_READONLY_GROUPS + SCRAM_DENIED_GROUPS -# This is the full set of groups - # How many entries to show PER Actiontype on the home page RECENT_LIMIT = 10 # What is the largest cidr range we'll accept entries for From 7fdb6abdb2a25551bc163083e95b470d9e0f632e Mon Sep 17 00:00:00 2001 From: Sam Oehlert Date: Tue, 19 Nov 2024 22:23:24 -0600 Subject: [PATCH 25/25] refactor(OIDC-settings): move OIDC settings outside of the if statement this way we have defaults set and it doesn't harm anything to have them set but unused if we dont need them --- config/settings/base.py | 51 +++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 27 deletions(-) diff --git a/config/settings/base.py b/config/settings/base.py index ce4407c0..766d785e 100644 --- a/config/settings/base.py +++ b/config/settings/base.py 
@@ -283,6 +283,30 @@
 # https://docs.djangoproject.com/en/dev/ref/settings/#login-redirect-url
 LOGIN_REDIRECT_URL = "route_manager:home"
+# Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s
+# https://github.com/mozilla/mozilla-django-oidc/issues/118
+# Using `/` because named urls don't work for this package
+# https://github.com/mozilla/mozilla-django-oidc/issues/434
+LOGOUT_REDIRECT_URL = "route_manager:home"
+
+OIDC_OP_JWKS_ENDPOINT = os.environ.get(
+ "OIDC_OP_JWKS_ENDPOINT",
+ "https://example.com/auth/realms/example/protocol/openid-connect/certs",
+)
+OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get(
+ "OIDC_OP_AUTHORIZATION_ENDPOINT",
+ "https://example.com/auth/realms/example/protocol/openid-connect/auth",
+)
+OIDC_OP_TOKEN_ENDPOINT = os.environ.get(
+ "OIDC_OP_TOKEN_ENDPOINT",
+ "https://example.com/auth/realms/example/protocol/openid-connect/token",
+)
+OIDC_OP_USER_ENDPOINT = os.environ.get(
+ "OIDC_OP_USER_ENDPOINT",
+ "https://example.com/auth/realms/example/protocol/openid-connect/userinfo",
+)
+OIDC_RP_SIGN_ALGO = "RS256"
+
 logging.info(f"Using AUTH METHOD = {AUTH_METHOD}")
 if AUTH_METHOD == "oidc":
 # Extend middleware to add OIDC middleware
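Review bot: The comment moved along with LOGOUT_REDIRECT_URL still explains that "/" is used because named URLs don't work for this package (citing mozilla-django-oidc issue 434), yet the value it now sits above is the named URL "route_manager:home", so either the comment is stale or, if that issue still applies to the installed version, the post-logout redirect will not resolve; please confirm against the package version in use and either drop the two "Using `/`" comment lines or restore a path value. Separately, the four OIDC_OP_* endpoints now default to example.com placeholders at module level while OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET (context in the next hunk) default to None, so an oidc deployment with a missing environment variable starts cleanly and only fails at the first login, against a placeholder issuer. A fail-fast check inside the oidc branch, e.g. `if "OIDC_OP_JWKS_ENDPOINT" not in os.environ: raise ValueError("OIDC_OP_JWKS_ENDPOINT must be set when SCRAM_AUTH_METHOD=oidc")`, would surface the misconfiguration at startup rather than in a user-facing error. The `if AUTH_METHOD == "oidc":` block continues beyond this hunk.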
@@ -297,30 +321,6 @@
 # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url
 LOGOUT_URL = "oidc_logout"
- # Need to point somewhere otherwise /oidc/logout/ redirects to /oidc/logout/None which 404s
- # https://github.com/mozilla/mozilla-django-oidc/issues/118
- # Using `/` because named urls don't work for this package
- # https://github.com/mozilla/mozilla-django-oidc/issues/434
- LOGOUT_REDIRECT_URL = "route_manager:home"
-
- OIDC_OP_JWKS_ENDPOINT = os.environ.get(
- "OIDC_OP_JWKS_ENDPOINT",
- "https://example.com/auth/realms/example/protocol/openid-connect/certs",
- )
- OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get(
- "OIDC_OP_AUTHORIZATION_ENDPOINT",
- "https://example.com/auth/realms/example/protocol/openid-connect/auth",
- )
- OIDC_OP_TOKEN_ENDPOINT = os.environ.get(
- "OIDC_OP_TOKEN_ENDPOINT",
- "https://example.com/auth/realms/example/protocol/openid-connect/token",
- )
- OIDC_OP_USER_ENDPOINT = os.environ.get(
- "OIDC_OP_USER_ENDPOINT",
- "https://example.com/auth/realms/example/protocol/openid-connect/userinfo",
- )
- OIDC_RP_SIGN_ALGO = "RS256"
-
 OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID")
 OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET")
@@ -330,9 +330,6 @@
 # https://docs.djangoproject.com/en/dev/ref/settings/#logout-url
 LOGOUT_URL = "local_auth:logout"
-
- # https://docs.djangoproject.com/en/dev/ref/settings/#logout-redirect-url
- LOGOUT_REDIRECT_URL = "route_manager:home"
 else:
 raise ValueError(f"Invalid authentication method: {AUTH_METHOD}. Please choose 'local' or 'oidc'")
