From a63529a9cf9887017a342d7a344a9b174814d8ad Mon Sep 17 00:00:00 2001 From: Oliver Date: Mon, 18 Dec 2023 17:35:36 +1100 Subject: [PATCH] Update django-allauth version (#6099) * Patch for django-allauth 0.55.0 - Some breaking changes here - Add logger error if auth provider cannot be imported - Fix for API endpoints * Only provide URLs for configured plugins * Update for django-allauth 0.56.0 - Remove support for keycloak - Remove example from configuration template * Update django-allauth in requirements.txt * Update requirements.in * Refactor SSO functions into common file * Update config template file * Update docs * Fix template files * Log SSO exceptions to the database - WIll help greatly with debugging installs * Add note about error handling in docs --- InvenTree/InvenTree/forms.py | 12 ++- InvenTree/InvenTree/settings.py | 8 ++ InvenTree/InvenTree/social_auth_urls.py | 46 +++++------ InvenTree/InvenTree/sso.py | 81 +++++++++++++++++++ InvenTree/config_template.yaml | 8 +- InvenTree/part/templatetags/sso.py | 36 ++------- .../socialaccount/authentication_error.html | 2 +- InvenTree/templates/socialaccount/login.html | 2 +- InvenTree/templates/socialaccount/signup.html | 2 +- docs/docs/settings/SSO.md | 7 ++ requirements.in | 2 +- requirements.txt | 4 +- 12 files changed, 142 insertions(+), 68 deletions(-) create mode 100644 InvenTree/InvenTree/sso.py diff --git a/InvenTree/InvenTree/forms.py b/InvenTree/InvenTree/forms.py index b3ca485fd9..3532218d02 100644 --- a/InvenTree/InvenTree/forms.py +++ b/InvenTree/InvenTree/forms.py 
@@ -13,7 +13,7 @@ from django.utils.translation import gettext_lazy as _ from allauth.account.adapter import DefaultAccountAdapter from allauth.account.forms import LoginForm, SignupForm, set_form_field_order -from allauth.exceptions import ImmediateHttpResponse +from allauth.core.exceptions import ImmediateHttpResponse from allauth.socialaccount.adapter import DefaultSocialAccountAdapter from allauth_2fa.adapter import OTPAdapter from allauth_2fa.utils import user_has_valid_totp_device @@ -24,6 +24,7 @@ from crispy_forms.layout import Field, Layout from dj_rest_auth.registration.serializers import RegisterSerializer from rest_framework import serializers +import InvenTree.sso from common.models import InvenTreeSetting from InvenTree.exceptions import log_error @@ -228,7 +229,7 @@ class CustomSignupForm(SignupForm): def registration_enabled(): """Determine whether user registration is enabled.""" - if InvenTreeSetting.get_setting('LOGIN_ENABLE_REG') or InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG'): + if InvenTreeSetting.get_setting('LOGIN_ENABLE_REG') or InvenTree.sso.registration_enabled(): if settings.EMAIL_HOST: return True else: @@ -358,6 +359,13 @@ class CustomSocialAccountAdapter(CustomUrlMixin, RegistratonMixin, DefaultSocial # Otherwise defer to the original allauth adapter. return super().login(request, user) + def authentication_error(self, request, provider_id, error=None, exception=None, extra_context=None): + """Callback method for authentication errors.""" + + # Log the error to the database + log_error(request.path if request else 'sso') + logger.error("SSO error for provider '%s' - check admin error log", provider_id) + # override dj-rest-auth class CustomRegisterSerializer(RegisterSerializer): diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py index 6888c30f1d..213f62734d 100644 --- a/InvenTree/InvenTree/settings.py +++ b/InvenTree/InvenTree/settings.py 
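Review bot: In the `@@ -228,7` hunk the two halves of the `or` are no longer evaluated the same way: `InvenTree.sso.registration_enabled()` passes the SSO flag through `str2bool`, while `InvenTreeSetting.get_setting('LOGIN_ENABLE_REG')` on the same line is still used raw. If `get_setting` can hand back the stored string form, a value such as `'False'` is truthy on the left operand and registration would be reported as enabled; the old templatetag code wrapped these lookups in `str2bool`, which suggests this is a real possibility. Suggested line: `if str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_REG')) or InvenTree.sso.registration_enabled():` (importing `str2bool` from `InvenTree.helpers` if forms.py does not already have it). The rest of `registration_enabled` and the enclosing `CustomSignupForm` lie outside the hunk.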
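Review bot: The new `authentication_error` override in the `@@ -358,6` hunk discards the `error` and `exception` arguments it receives, so the database record carries only `request.path` and the log line only the provider id; for the stated goal of debugging installs that is the least useful part of the failure. `log_error`'s signature is not visible here; if it captures the active exception via `sys.exc_info()` it will only work while still inside allauth's except block, so it is safer to record what was passed in, e.g. `logger.error("SSO error for provider '%s': %s - check admin error log", provider_id, error)` and, where `log_error` accepts it, the `exception` object. The override also does not call `super().authentication_error(...)`; that is fine if the base adapter's hook is a no-op, but worth a one-line comment stating so. The docstring should list the parameters, in particular that `request` may be None (the code already guards for it). The enclosing `CustomSocialAccountAdapter` continues outside the hunk.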
@@ -288,6 +288,7 @@ MIDDLEWARE = CONFIG.get('middleware', [ 'InvenTree.middleware.InvenTreeRemoteUserMiddleware', # Remote / proxy auth 'django_otp.middleware.OTPMiddleware', # MFA support 'InvenTree.middleware.CustomAllauthTwoFactorMiddleware', # Flow control for allauth + 'allauth.account.middleware.AccountMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'InvenTree.middleware.AuthRequiredMiddleware', @@ -956,6 +957,13 @@ SITE_ID = 1 SOCIAL_BACKENDS = get_setting('INVENTREE_SOCIAL_BACKENDS', 'social_backends', [], typecast=list) for app in SOCIAL_BACKENDS: + + # Ensure that the app starts with 'allauth.socialaccount.providers' + social_prefix = 'allauth.socialaccount.providers.' + + if not app.startswith(social_prefix): # pragma: no cover + app = social_prefix + app + INSTALLED_APPS.append(app) # pragma: no cover SOCIALACCOUNT_PROVIDERS = get_setting('INVENTREE_SOCIAL_PROVIDERS', 'social_providers', None, typecast=dict) diff --git a/InvenTree/InvenTree/social_auth_urls.py b/InvenTree/InvenTree/social_auth_urls.py index c2755acb9d..5eca51210e 100644 --- a/InvenTree/InvenTree/social_auth_urls.py +++ b/InvenTree/InvenTree/social_auth_urls.py @@ -2,13 +2,10 @@ import logging from importlib import import_module -from django.urls import include, path, reverse +from django.urls import NoReverseMatch, include, path, reverse from allauth.account.models import EmailAddress from allauth.socialaccount import providers -from allauth.socialaccount.models import SocialApp -from allauth.socialaccount.providers.keycloak.views import \ - KeycloakOAuth2Adapter from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter, OAuth2LoginView) from drf_spectacular.utils import OpenApiResponse, extend_schema 
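Review bot: In the `@@ -956,6` hunk the prefix normalisation rebinds the loop variable `app` but never writes the full dotted path back into `SOCIAL_BACKENDS`, so `INSTALLED_APPS` and `SOCIAL_BACKENDS` can now disagree about the same provider (one holding `github`, the other `allauth.socialaccount.providers.github`). If anything later in settings.py or elsewhere reads `SOCIAL_BACKENDS` (not visible in this hunk), normalising first keeps the two consistent: `SOCIAL_BACKENDS = [app if app.startswith(social_prefix) else social_prefix + app for app in SOCIAL_BACKENDS]` followed by `INSTALLED_APPS.extend(SOCIAL_BACKENDS)`. Note also that `social_prefix` is reassigned on every iteration; hoisting it above the loop reads more clearly.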
@@ -16,6 +13,7 @@ from rest_framework.exceptions import NotFound from rest_framework.permissions import AllowAny, IsAuthenticated from rest_framework.response import Response +import InvenTree.sso from common.models import InvenTreeSetting from InvenTree.mixins import CreateAPI, ListAPI, ListCreateAPI from InvenTree.serializers import InvenTreeModelSerializer @@ -51,14 +49,6 @@ def handle_oauth2(adapter: OAuth2Adapter): ] -def handle_keycloak(): - """Define urls for keycloak.""" - return [ - path('login/', GenericOAuth2ApiLoginView.adapter_view(KeycloakOAuth2Adapter), name='keycloak_api_login'), - path('connect/', GenericOAuth2ApiConnectView.adapter_view(KeycloakOAuth2Adapter), name='keycloak_api_connet'), - ] - - legacy = { 'twitter': 'twitter_oauth2', 'bitbucket': 'bitbucket_oauth2', @@ -72,10 +62,13 @@ legacy = { social_auth_urlpatterns = [] provider_urlpatterns = [] -for provider in providers.registry.get_list(): + +for name, provider in providers.registry.provider_map.items(): + try: prov_mod = import_module(provider.get_package() + ".views") except ImportError: + logger.exception("Could not import authentication provider %s", name) continue # Try to extract the adapter class @@ -89,8 +82,6 @@ for provider in providers.registry.get_list(): if provider.id in legacy: logger.warning('`%s` is not supported on platform UI. Use `%s` instead.', provider.id, legacy[provider.id]) continue - elif provider.id == 'keycloak': - urls = handle_keycloak() else: logger.error('Found handler that is not yet ready for platform UI: `%s`. Open an feature request on GitHub if you need it implemented.', provider.id) continue 
@@ -107,26 +98,31 @@ class SocialProviderListView(ListAPI): def get(self, request, *args, **kwargs): """Get the list of providers.""" provider_list = [] - for provider in providers.registry.get_list(): + for provider in providers.registry.provider_map.values(): provider_data = { 'id': provider.id, 'name': provider.name, - 'login': request.build_absolute_uri(reverse(f'{provider.id}_api_login')), - 'connect': request.build_absolute_uri(reverse(f'{provider.id}_api_connect')), 'configured': False } + try: - provider_app = provider.get_app(request) - provider_data['display_name'] = provider_app.name - provider_data['configured'] = True - except SocialApp.DoesNotExist: - provider_data['display_name'] = provider.name + provider_data['login'] = request.build_absolute_uri(reverse(f'{provider.id}_api_login')) + except NoReverseMatch: + provider_data['login'] = None + + try: + provider_data['connect'] = request.build_absolute_uri(reverse(f'{provider.id}_api_connect')) + except NoReverseMatch: + provider_data['connect'] = None + + provider_data['configured'] = InvenTree.sso.check_provider(provider) + provider_data['display_name'] = InvenTree.sso.provider_display_name(provider) provider_list.append(provider_data) data = { - 'sso_enabled': InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO'), - 'sso_registration': InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG'), + 'sso_enabled': InvenTree.sso.login_enabled(), + 'sso_registration': InvenTree.sso.registration_enabled(), 'mfa_required': InvenTreeSetting.get_setting('LOGIN_ENFORCE_MFA'), 'providers': provider_list } diff --git a/InvenTree/InvenTree/sso.py b/InvenTree/InvenTree/sso.py new file mode 100644 index 0000000000..3fc126e3e4 --- /dev/null +++ b/InvenTree/InvenTree/sso.py 
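Review bot: `'configured': False` in the `provider_data` literal is now dead, because the value is unconditionally overwritten by `InvenTree.sso.check_provider(provider)` a few lines later; drop it from the literal so the source of truth is obvious. The same loop then calls `check_provider` and `provider_display_name`, each of which (per the new sso.py) resolves the `SocialApp` from the database independently, so every provider costs several queries per request to this unauthenticated-looking listing endpoint; resolving the app once per iteration and deriving both values from it would avoid that. Recent django-allauth registries expose provider classes rather than instances through `provider_map`; the loop only touches `id`/`name`, which should be class-level attributes, but a short comment stating that assumption would help the next reader. The method's `return` lies outside the hunk.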
@@ -0,0 +1,81 @@ +"""Helper functions for Single Sign On functionality""" + + +import logging + +from common.models import InvenTreeSetting +from InvenTree.helpers import str2bool + +logger = logging.getLogger('inventree') + + +def get_provider_app(provider): + """Return the SocialApp object for the given provider""" + + from allauth.socialaccount.models import SocialApp + + try: + apps = SocialApp.objects.filter(provider__iexact=provider.id) + except SocialApp.DoesNotExist: + logger.warning("SSO SocialApp not found for provider '%s'", provider.id) + return None + + if apps.count() > 1: + logger.warning("Multiple SocialApps found for provider '%s'", provider.id) + + if apps.count() == 0: + logger.warning("SSO SocialApp not found for provider '%s'", provider.id) + + return apps.first() + + +def check_provider(provider, raise_error=False): + """Check if the given provider is correctly configured. + + To be correctly configured, the following must be true: + + - Provider must either have a registered SocialApp + - Must have at least one site enabled + """ + + import allauth.app_settings + + # First, check that the provider is enabled + app = get_provider_app(provider) + + if not app: + return False + + if allauth.app_settings.SITES_ENABLED: + # At least one matching site must be specified + if not app.sites.exists(): + logger.error("SocialApp %s has no sites configured", app) + return False + + # At this point, we assume that the provider is correctly configured + return True + + +def provider_display_name(provider): + """Return the 'display name' for the given provider""" + + if app := get_provider_app(provider): + return app.name + + # Fallback value if app not found + return provider.name + + +def login_enabled() -> bool: + """Return True if SSO login is enabled""" + return str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO')) + + +def registration_enabled() -> bool: + """Return True if SSO registration is enabled""" + return 
str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG')) + + +def auto_registration_enabled() -> bool: + """Return True if SSO auto-registration is enabled""" + return str2bool(InvenTreeSetting.get_setting('LOGIN_SIGNUP_SSO_AUTO')) diff --git a/InvenTree/config_template.yaml b/InvenTree/config_template.yaml index 2d7ecf54b6..182e31fe1b 100644 --- a/InvenTree/config_template.yaml +++ b/InvenTree/config_template.yaml @@ -233,13 +233,13 @@ remote_login_header: HTTP_REMOTE_USER # social_backends: # - 'allauth.socialaccount.providers.google' # - 'allauth.socialaccount.providers.github' -# - 'allauth.socialaccount.providers.keycloak' # Add specific settings for social account providers (if required) +# Refer to the djngo-allauth documentation for more details: +# https://docs.allauth.org/en/latest/socialaccount/provider_configuration.html # social_providers: -# keycloak: -# KEYCLOAK_URL: 'https://keycloak.custom/auth' -# KEYCLOAK_REALM: 'master' +# github: +# VERIFIED_EMAIL: true # Add LDAP support # ldap: diff --git a/InvenTree/part/templatetags/sso.py b/InvenTree/part/templatetags/sso.py index ecd6d19ef6..f77c0518f2 100644 --- a/InvenTree/part/templatetags/sso.py +++ b/InvenTree/part/templatetags/sso.py 
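Review bot: In `get_provider_app` the `except SocialApp.DoesNotExist` branch can never fire, since `.filter()` does not raise for an empty result, and the function then issues up to three separate queries (`count()`, `count()`, `first()`) for a lookup that is repeated for every provider on every page render that calls `sso_check_provider`. Evaluating the queryset once removes both problems, and ordering explicitly makes the "multiple apps" fallback deterministic. `check_provider` also accepts a `raise_error` parameter that nothing in the body reads; either implement it (raise on the two failure branches) or remove it so callers do not rely on it. If the installed django-allauth release also accepts apps configured in settings rather than as `SocialApp` rows, those providers would be reported as unconfigured by `check_provider` — worth confirming against the 0.59 documentation and noting in the docstring.
```python
def get_provider_app(provider):
    """Return the SocialApp registered for *provider*, or None if there is none.

    Logs a warning when zero or more than one matching app is found.
    """

    from allauth.socialaccount.models import SocialApp

    # filter() never raises DoesNotExist: evaluate once and inspect the result
    apps = list(SocialApp.objects.filter(provider__iexact=provider.id).order_by('pk'))

    if not apps:
        logger.warning("SSO SocialApp not found for provider '%s'", provider.id)
        return None

    if len(apps) > 1:
        logger.warning("Multiple SocialApps found for provider '%s'", provider.id)

    return apps[0]
```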
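Review bot: The added comment in config_template.yaml misspells the package name: `# Refer to the djngo-allauth documentation for more details:` should read `# Refer to the django-allauth documentation for more details:`. Since this template is what operators copy from, the example block would also benefit from one line saying that provider keys under `social_providers` must match the provider id used in `social_backends`.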
@@ -1,58 +1,32 @@ """This module provides template tags pertaining to SSO functionality""" -import logging - from django import template -from common.models import InvenTreeSetting -from InvenTree.helpers import str2bool +import InvenTree.sso register = template.Library() -logger = logging.getLogger('inventree') @register.simple_tag() def sso_login_enabled(): """Return True if single-sign-on is enabled""" - return str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO')) + return InvenTree.sso.login_enabled() @register.simple_tag() def sso_reg_enabled(): """Return True if single-sign-on is enabled for self-registration""" - return str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG')) + return InvenTree.sso.registration_enabled() @register.simple_tag() def sso_auto_enabled(): """Return True if single-sign-on is enabled for auto-registration""" - return str2bool(InvenTreeSetting.get_setting('LOGIN_SIGNUP_SSO_AUTO')) + return InvenTree.sso.auto_registration_enabled() @register.simple_tag() def sso_check_provider(provider): """Return True if the given provider is correctly configured""" - import allauth.app_settings - from allauth.socialaccount.models import SocialApp - # First, check that the provider is enabled - apps = SocialApp.objects.filter(provider__iexact=provider.id) - - if not apps.exists(): - logging.error( - "SSO SocialApp %s does not exist (known providers: %s)", - provider.id, [obj.provider for obj in SocialApp.objects.all()] - ) - return False - - # Next, check that the provider is correctly configured - app = apps.first() - - if allauth.app_settings.SITES_ENABLED: - # At least one matching site must be specified - if not app.sites.exists(): - logger.error("SocialApp %s has no sites configured", app) - return False - - # At this point, we assume that the provider is correctly configured - return True + return InvenTree.sso.check_provider(provider) 
diff --git a/InvenTree/templates/socialaccount/authentication_error.html b/InvenTree/templates/socialaccount/authentication_error.html index 047ccdb760..9cc638f1d4 100644 --- a/InvenTree/templates/socialaccount/authentication_error.html +++ b/InvenTree/templates/socialaccount/authentication_error.html @@ -1,4 +1,4 @@ -{% extends "socialaccount/base.html" %} +{% extends "account/base.html" %} {% load i18n %} diff --git a/InvenTree/templates/socialaccount/login.html b/InvenTree/templates/socialaccount/login.html index cffccca193..9cfb3163cd 100644 --- a/InvenTree/templates/socialaccount/login.html +++ b/InvenTree/templates/socialaccount/login.html @@ -1,4 +1,4 @@ -{% extends "socialaccount/base.html" %} +{% extends "account/base.html" %} {% load i18n %} {% load sso %} diff --git a/InvenTree/templates/socialaccount/signup.html b/InvenTree/templates/socialaccount/signup.html index 7c217ff86b..78bf0377e5 100644 --- a/InvenTree/templates/socialaccount/signup.html +++ b/InvenTree/templates/socialaccount/signup.html @@ -1,4 +1,4 @@ -{% extends "socialaccount/base.html" %} +{% extends "account/base.html" %} {% load i18n crispy_forms_tags inventree_extras %} diff --git a/docs/docs/settings/SSO.md b/docs/docs/settings/SSO.md index 3ca9a7d863..a6c503af1d 100644 --- a/docs/docs/settings/SSO.md +++ b/docs/docs/settings/SSO.md 
@@ -9,6 +9,9 @@ InvenTree provides the possibility to use 3rd party services to authenticate use !!! tip "Provider Documentation" There are a lot of technical considerations when configuring a particular SSO provider. A good starting point is the [django-allauth documentation](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/index.html) +!!! warning "Advanced Users" + The SSO functionality provided by django-allauth is powerful, but can prove challenging to configure. Please ensure that you understand the implications of enabling SSO for your InvenTree instance. Specific technical details of each available SSO provider are beyond the scope of this documentation - please refer to the [django-allauth documentation](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/index.html) for more information. + ## SSO Configuration The basic requirements for configuring SSO are outlined below: @@ -131,3 +134,7 @@ Make sure all users with admin privileges have sufficient passwords - they can r !!! warning "It's a secret!" Never share the secret key associated with your InvenTree install! + +## Error Handling + +If you encounter an error during the SSO process, the error should be logged in the InvenTree database. You can view the [error log](./logs.md) in the [admin interface](./admin.md) to see the details of the error. diff --git a/requirements.in b/requirements.in index 9a7c7e339d..77bfe14863 100644 --- a/requirements.in +++ b/requirements.in 
@@ -2,7 +2,7 @@ Django>=3.2.14,<4 # Django package coreapi # API documentation for djangorestframework cryptography>=40.0.0,!=40.0.2 # Core cryptographic functionality -django-allauth<0.55.0 # SSO for external providers via OpenID # FIXED 2023-09-06 due to https://github.com/iMerica/dj-rest-auth/issues/534 +django-allauth # SSO for external providers via OpenID django-allauth-2fa # MFA / 2FA django-cleanup # Automated deletion of old / unused uploaded files django-cors-headers # CORS headers extension for DRF diff --git a/requirements.txt b/requirements.txt index 6410fa1c3e..1921cc1d57 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,7 +45,7 @@ defusedxml==0.7.1 # python3-openid diff-match-patch==20230430 # via django-import-export -dj-rest-auth==5.0.1 +dj-rest-auth==5.0.2 # via -r requirements.in django==3.2.23 # via @@ -81,7 +81,7 @@ django==3.2.23 # djangorestframework # djangorestframework-simplejwt # drf-spectacular -django-allauth==0.54.0 +django-allauth==0.59.0 # via # -r requirements.in # django-allauth-2fa
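Review bot: The requirements.in hunk replaces the `<0.55.0` cap with a completely unconstrained `django-allauth`, yet the code in this same commit depends on post-0.55 layout (`allauth.core.exceptions`, `allauth.account.middleware.AccountMiddleware`, `registry.provider_map`). Only requirements.txt pins 0.59.0; anyone re-resolving from the .in file, or installing from it directly, could land on an incompatible release. A lower bound records the real constraint: `django-allauth>=0.59.0 # SSO for external providers via OpenID`.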