Merge branch 'devel' into add_service_id

Author: AlanCoding

.github/workflows/ci.yml

@@ -48,7 +48,7 @@ jobs:
           python-version: ${{ matrix.tests.python-version }}
 
       - name: Install tox
-        run: pip${{ matrix.tests.python-version }} install tox
+        run: pip${{ matrix.tests.python-version }} install tox tox-docker
 
       - name: Run tox
         run: |

.github/workflows/release.yml

@@ -3,17 +3,15 @@ name: Release django-ansible-base
 
 env:
   LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
+  PROJECT_NAME: django-ansible-base
 
 on:
   workflow_dispatch:
 
 jobs:
-  stage:
+  build:
     runs-on: ubuntu-latest
-    timeout-minutes: 90
-    permissions:
-      packages: write
-      contents: write
+    timeout-minutes: 2
     steps:
       - name: Checkout dab
         uses: actions/checkout@v4
@@ -24,12 +22,80 @@ jobs:
         run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
 
       - name: Install python ${{ env.py_version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.py_version }}
 
-      - name: Install python deeps
+      - name: Install python deps
         run: pip install -r requirements/requirements_dev.txt
 
-      - name: Create release
-        run: ansible-playbook tools/ansible/release.yml -i localhost -e github_token=${{ secrets.GITHUB_TOKEN }}
+      - name: Build the dists
+        run: >-
+          ansible-playbook
+          tools/ansible/release.yml
+          -i localhost
+          -e github_token=${{ secrets.GITHUB_TOKEN }}
+          -t build
+
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: |
+            dist/*.tar.gz
+            dist/*.whl
+          retention-days: 90
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs:
+      - build
+
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 1
+
+    environment:
+      name: pypi
+      url: https://pypi.org/project/${{ env.PROJECT_NAME }}
+
+    permissions:
+      contents: read  # This job doesn't need to `git push` anything
+      id-token: write  # PyPI Trusted Publishing (OIDC)
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish dists to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  post-release-repo-update:
+    name: Make a GitHub Release
+    needs:
+      - publish-pypi
+
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 2
+
+    permissions:
+      packages: write
+      contents: write
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Create a GitHub Release uploading the dists
+        run: >-
+          ansible-playbook
+          tools/ansible/release.yml
+          -i localhost
+          -e github_token=${{ secrets.GITHUB_TOKEN }}
+          -t github

ansible_base/authentication/authenticator_plugins/_radiusauth.py

@@ -39,6 +39,9 @@
 #Handle custom user models
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
+
+logger = logging.getLogger('ansible_base.authentication.authenticator_plugins._radiusauth')
+
 User = get_user_model()
 
 DICTIONARY = u"""
@@ -149,23 +152,23 @@ def _perform_radius_auth(self, client, packet):
         try:
             reply = client.SendPacket(packet)
         except Timeout as e:
-            logging.error("RADIUS timeout occurred contacting %s:%s" % (
+            logger.error("RADIUS timeout occurred contacting %s:%s" % (
                 client.server, client.authport))
             return None
         except Exception as e:
-            logging.error("RADIUS error: %s" % e)
+            logger.error("RADIUS error: %s" % e)
             return None
 
         if reply.code == AccessReject:
-            logging.warning("RADIUS access rejected for user '%s'" % (
+            logger.warning("RADIUS access rejected for user '%s'" % (
                 packet['User-Name']))
             return None
         elif reply.code != AccessAccept:
-            logging.error("RADIUS access error for user '%s' (code %s)" % (
+            logger.error("RADIUS access error for user '%s' (code %s)" % (
                 packet['User-Name'], reply.code))
             return None
 
-        logging.info("RADIUS access granted for user '%s'" % (
+        logger.info("RADIUS access granted for user '%s'" % (
             packet['User-Name']))
 
         if "Class" not in reply.keys():
@@ -190,7 +193,7 @@ def _perform_radius_auth(self, client, packet):
                 elif role == "superuser":
                     is_superuser = True
                 else:
-                    logging.warning("RADIUS Attribute Class contains unknown role '%s'. Only roles 'staff' and 'superuser' are allowed" % cl)
+                    logger.warning("RADIUS Attribute Class contains unknown role '%s'. Only roles 'staff' and 'superuser' are allowed" % cl)
         return groups, is_staff, is_superuser
 
     def _radius_auth(self, server, username, password):
@@ -232,7 +235,7 @@ def get_user_groups(self, group_names):
         groups = Group.objects.filter(name__in=group_names)
         if len(groups) != len(group_names):
             local_group_names = [g.name for g in groups]
-            logging.warning("RADIUS reply contains %d user groups (%s), but only %d (%s) found" % (
+            logger.warning("RADIUS reply contains %d user groups (%s), but only %d (%s) found" % (
                 len(group_names), ", ".join(group_names), len(groups), ", ".join(local_group_names)))
         return groups
 

ansible_base/authentication/authenticator_plugins/base.py

@@ -1,5 +1,6 @@
 import logging
 
+from django.db import IntegrityError, transaction
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 from rest_framework.fields import empty
@@ -134,3 +135,61 @@ def add_related_fields(self, request, authenticator):
 
     def validate(self, serializer, data):
         return data
+
+    def move_authenticator_user_to(self, new_user, old_authenticator_user):
+        """
+        new_user: django User instance. User that we're moving this account to.
+        old_authenticator_user: AuthenticatorUser instance from this authenticator that is being removed.
+        """
+        exclude_fields = (
+            "social_auth",
+            "authenticator_users",
+            "groups",
+            "has_roles",
+            # We're ignoring role assignments for two reasons: 1. this isn't safe to copy right now, as it
+            # could break the caching layer, 2. roles are intented to come from the authenticator via an
+            # authenticator map, so when a user is move to a new authenticator, they're old roles should
+            # be removed.
+            "role_assignments",
+            "logentry",
+        )
+
+        old_user = old_authenticator_user.user
+
+        # Delete the old authenticator user
+        old_authenticator_user.delete()
+
+        if new_user.pk == old_user.pk:
+            return
+
+        # Copy all of the relationships from the old user to the new one
+        for field in new_user._meta.get_fields():
+            if field.many_to_many is True or field.one_to_many is True:
+                name = field.name
+                if name in exclude_fields:
+                    continue
+                if not hasattr(old_user, name) or not hasattr(new_user, name):
+                    continue
+                for x in getattr(old_user, name).all():
+                    # The only case where this might fail is if the relationship has a uniqueness
+                    # contraint on the user. In this case, all we can do is skip.
+                    try:
+                        # This atomic block is here to prevent a failure that is best described by
+                        # this stack overflow: https://stackoverflow.com/questions/21458387
+                        with transaction.atomic():
+                            getattr(new_user, name).add(x)
+                    except IntegrityError as e:
+                        logger.warning(f"Could not add {name} to {new_user.username}. Error: {e}")
+                        continue
+
+        return old_user
+
+    def get_alternative_uid(self, **kwargs):
+        """
+        This method can be used to provide an alternative UID for the user in case we need to match
+        UIDs across different authenticators (as is the case for auto_migrate_users_to). It receives
+        the kwargs from the social auth pipeline (https://python-social-auth.readthedocs.io/en/latest/pipeline.html).
+
+        For a good example of this method in action, check out the keycloak authenticator.
+        """
+        return None

ansible_base/authentication/authenticator_plugins/google_oauth2.py

@@ -7,7 +7,7 @@
 from ansible_base.authentication.social_auth import SocialAuthMixin, SocialAuthValidateCallbackMixin
 from ansible_base.lib.serializers.fields import BooleanField, CharField, ChoiceField, ListField, URLField
 
-logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.oidc')
+logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.google_oauth2')
 
 
 class GoogleOAuth2Configuration(BaseAuthenticatorConfiguration):

ansible_base/authentication/authenticator_plugins/keycloak.py

@@ -58,3 +58,6 @@ def extra_data(self, user, backend, response, *args, **kwargs):
 
     def get_user_groups(self, extra_groups=[]):
         return extra_groups
+
+    def get_alternative_uid(self, **kwargs):
+        return kwargs.get("response", {}).get("sub", None)

ansible_base/authentication/authenticator_plugins/ldap.py

@@ -374,7 +374,8 @@ def authenticate(self, request, username=None, password=None, **kwargs) -> (obje
         # Ensure USER_SEARCH and GROUP_SEARCH are converted into a search object
         for field, search_must_have_user in [('GROUP_SEARCH', False), ('USER_SEARCH', True)]:
             data = getattr(self.settings, field, None)
-            if data is None:
+            # Ignore None or empty (e.g., [])
+            if not data:
                 setattr(self.settings, field, None)
             elif not isinstance(data, config.LDAPSearch):
                 try:

ansible_base/authentication/authenticator_plugins/oidc.py

@@ -201,6 +201,14 @@ class OpenIdConnectConfiguration(BaseAuthenticatorConfiguration):
         ui_field_label=_("Username Key"),
     )
 
+    GROUPS_CLAIM = CharField(
+        help_text=_("The JSON key used to extract the user's groups from the ID token or userinfo endpoint."),
+        required=False,
+        allow_null=True,
+        default="Group",
+        ui_field_label=_("Groups Claim"),
+    )
+
 
 class AuthenticatorPlugin(SocialAuthMixin, OpenIdConnectAuth, AbstractAuthenticatorPlugin):
     configuration_class = OpenIdConnectConfiguration
@@ -209,6 +217,10 @@ class AuthenticatorPlugin(SocialAuthMixin, OpenIdConnectAuth, AbstractAuthentica
     category = "sso"
     configuration_encrypted_fields = ['SECRET']
 
+    @property
+    def groups_claim(self):
+        return self.setting('GROUPS_CLAIM')
+
     def extra_data(self, user, backend, response, *args, **kwargs):
         for perm in ["is_superuser", get_setting('ANSIBLE_BASE_SOCIAL_AUDITOR_FLAG')]:
             if perm in response:
@@ -270,3 +282,12 @@ def user_data(self, access_token, *args, **kwargs):
                 logger.error(_(f"Unable to decode user info response JWT: {e}"))
                 return None
         return user_data.json()
+
+    def get_alternative_uid(self, **kwargs):
+        preferred_username = kwargs.get("response", {}).get("preferred_username", None)
+        uid = kwargs.get("uid", None)
+
+        if preferred_username != uid:
+            return preferred_username
+
+        return None

ansible_base/authentication/authenticator_plugins/saml.py

@@ -301,6 +301,13 @@ def extra_data(self, user, backend, response, *args, **kwargs):
     def get_user_groups(self, extra_groups=[]):
         return extra_groups
 
+    def get_alternative_uid(self, **kwargs):
+        if uid := kwargs.get("uid", None):
+            if ":" in uid:
+                return uid.split(":", maxsplit=1)[1]
+
+        return None
+
 
 class SAMLMetadataView(View):
     def get(self, request, pk=None, format=None):

ansible_base/authentication/migrations/0014_authenticator_auto_migrate_users_to.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.2.11 on 2024-09-10 14:32
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dab_authentication', '0013_alter_authenticator_order'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='authenticator',
+            name='auto_migrate_users_to',
+            field=models.ForeignKey(help_text='Automatically move users from this authenticator to the target authenticator when a matching user logs in via the target authenticator. For this to work, the field used for the user ID on both authenticators needs to have the same value. This should only be used when migrating users between two authentication mechanisms that share the same user database (such as when both IDPs share the same LDAP user directory).', null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='auto_migrate_users_from', to='dab_authentication.authenticator'),
+        ),
+    ]