External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-01 00:38:45 -03:30
Code Issues Packages Projects Releases Wiki Activity

Add logging and improve validation for certain auth backends

Browse Source 
* Abstract authention to provide a hook for emitting an error message
* Perform some license validation that wasn't present before for
  enterprise licenses
This commit is contained in:
Matthew Jones
2015-11-02 11:59:17 -05:00
parent 045014f3bc
commit dd29bc40d9
3 changed files with 70 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
awx/main/backend.py
View File

@@ -1,17 +1,29 @@
# Copyright (c) 2015 Ansible, Inc. # Copyright (c) 2015 Ansible, Inc.
# All Rights Reserved. # All Rights Reserved.
# Python
import logging
# Django # Django
from django.dispatch import receiver from django.dispatch import receiver
from django.conf import settings as django_settings
# django-auth-ldap # django-auth-ldap
from django_auth_ldap.backend import LDAPSettings as BaseLDAPSettings from django_auth_ldap.backend import LDAPSettings as BaseLDAPSettings
from django_auth_ldap.backend import LDAPBackend as BaseLDAPBackend from django_auth_ldap.backend import LDAPBackend as BaseLDAPBackend
from django_auth_ldap.backend import populate_user from django_auth_ldap.backend import populate_user
# radiusauth
from radiusauth.backends import RADIUSBackend as BaseRADIUSBackend
# social
from social.backends.saml import SAMLAuth as BaseSAMLAuth
# Ansible Tower # Ansible Tower
from awx.api.license import feature_enabled from awx.api.license import feature_enabled
logger = logging.getLogger('awx.main.backend')
class LDAPSettings(BaseLDAPSettings): class LDAPSettings(BaseLDAPSettings):
defaults = dict(BaseLDAPSettings.defaults.items() + { defaults = dict(BaseLDAPSettings.defaults.items() + {
@@ -19,6 +31,7 @@ class LDAPSettings(BaseLDAPSettings):
'TEAM_MAP': {}, 'TEAM_MAP': {},
}.items()) }.items())
class LDAPBackend(BaseLDAPBackend): class LDAPBackend(BaseLDAPBackend):
''' '''
Custom LDAP backend for AWX. Custom LDAP backend for AWX.
@@ -37,7 +50,10 @@ class LDAPBackend(BaseLDAPBackend):
settings = property(_get_settings, _set_settings) settings = property(_get_settings, _set_settings)
def authenticate(self, username, password): def authenticate(self, username, password):
if not self.settings.SERVER_URI or not feature_enabled('ldap'): if not self.settings.SERVER_URI:
return None
if self.settings.SERVER_URI and not feature_enabled('ldap'):
logger.error("LDAP authenticate failed for missing license feature")
return None return None
return super(LDAPBackend, self).authenticate(username, password) return super(LDAPBackend, self).authenticate(username, password)
@@ -60,6 +76,55 @@ class LDAPBackend(BaseLDAPBackend):
def get_group_permissions(self, user, obj=None): def get_group_permissions(self, user, obj=None):
return set() return set()
class RADIUSBackend(BaseRADIUSBackend):
'''
Custom Radius backend to verify license status
'''
def authenticate(self, username, password):
if not django_settings.RADIUS_SERVER:
return None
if not feature_enabled('enterprise_auth'):
logger.error("RADIUS authenticate failed for missing license feature")
return None
return super(RADIUSBackend, self).authenticate(username, password)
def get_user(self, user_id):
if not django_settings.RADIUS_SERVER:
return None
if not feature_enabled('enterprise_auth'):
logger.error("RADIUS get_user failed for missing license feature")
return None
return super(RADIUSBackend, self).get_user(user_id)
class SAMLAuth(BaseSAMLAuth):
'''
Custom SAMLAuth backend to verify license status
'''
def authenticate(self, username, password):
if not all([django_settings.SOCIAL_AUTH_SAML_SP_ENTITY_ID, django_settings.SOCIAL_AUTH_SAML_SP_PUBLIC_CERT,
django_settings.SOCIAL_AUTH_SAML_SP_PRIVATE_KEY, django_settings.SOCIAL_AUTH_SAML_ORG_INFO,
django_settings.SOCIAL_AUTH_SAML_TECHNICAL_CONTACT, django_settings.SOCIAL_AUTH_SAML_SUPPORT_CONTACT,
django_settings.SOCIAL_AUTH_SAML_ENABLED_IDPS]):
return None
if not feature_enabled('enterprise_auth'):
logger.error("SAML authenticate failed for missing license feature")
return None
return super(SAMLAuth, self).authenticate(username, password)
def get_user(self, user_id):
if not all([django_settings.SOCIAL_AUTH_SAML_SP_ENTITY_ID, django_settings.SOCIAL_AUTH_SAML_SP_PUBLIC_CERT,
django_settings.SOCIAL_AUTH_SAML_SP_PRIVATE_KEY, django_settings.SOCIAL_AUTH_SAML_ORG_INFO,
django_settings.SOCIAL_AUTH_SAML_TECHNICAL_CONTACT, django_settings.SOCIAL_AUTH_SAML_SUPPORT_CONTACT,
django_settings.SOCIAL_AUTH_SAML_ENABLED_IDPS]):
return None
if not feature_enabled('enterprise_auth'):
logger.error("SAML get_user failed for missing license feature")
return None
return super(SAMLAuth, self).get_user(user_id)
def _update_m2m_from_groups(user, ldap_user, rel, opts, remove=False): def _update_m2m_from_groups(user, ldap_user, rel, opts, remove=False):
''' '''
Hepler function to update m2m relationship based on LDAP group membership. Hepler function to update m2m relationship based on LDAP group membership.

4
awx/settings/defaults.py
View File

@@ -218,12 +218,12 @@ REST_FRAMEWORK = {
AUTHENTICATION_BACKENDS = ( AUTHENTICATION_BACKENDS = (
'awx.main.backend.LDAPBackend', 'awx.main.backend.LDAPBackend',
'radiusauth.backends.RADIUSBackend', 'awx.main.backend.RADIUSBackend',
'social.backends.google.GoogleOAuth2', 'social.backends.google.GoogleOAuth2',
'social.backends.github.GithubOAuth2', 'social.backends.github.GithubOAuth2',
'social.backends.github.GithubOrganizationOAuth2', 'social.backends.github.GithubOrganizationOAuth2',
'social.backends.github.GithubTeamOAuth2', 'social.backends.github.GithubTeamOAuth2',
'social.backends.saml.SAMLAuth', 'awx.main.backend.SAMLAuth',
'django.contrib.auth.backends.ModelBackend', 'django.contrib.auth.backends.ModelBackend',
) )

4
awx/settings/postprocess.py
View File

@@ -10,7 +10,7 @@ if not AUTH_LDAP_SERVER_URI:
AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.LDAPBackend'] AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.LDAPBackend']
if not RADIUS_SERVER: if not RADIUS_SERVER:
AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'radiusauth.backends.RADIUSBackend'] AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.RADIUSBackend']
if not all([SOCIAL_AUTH_GOOGLE_OAUTH2_KEY, SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET]): if not all([SOCIAL_AUTH_GOOGLE_OAUTH2_KEY, SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET]):
AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'social.backends.google.GoogleOAuth2'] AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'social.backends.google.GoogleOAuth2']
@@ -28,7 +28,7 @@ if not all([SOCIAL_AUTH_SAML_SP_ENTITY_ID, SOCIAL_AUTH_SAML_SP_PUBLIC_CERT,
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY, SOCIAL_AUTH_SAML_ORG_INFO, SOCIAL_AUTH_SAML_SP_PRIVATE_KEY, SOCIAL_AUTH_SAML_ORG_INFO,
SOCIAL_AUTH_SAML_TECHNICAL_CONTACT, SOCIAL_AUTH_SAML_SUPPORT_CONTACT, SOCIAL_AUTH_SAML_TECHNICAL_CONTACT, SOCIAL_AUTH_SAML_SUPPORT_CONTACT,
SOCIAL_AUTH_SAML_ENABLED_IDPS]): SOCIAL_AUTH_SAML_ENABLED_IDPS]):
AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'social.backends.saml.SAMLAuth'] AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.SAMLAuth']
if not AUTH_BASIC_ENABLED: if not AUTH_BASIC_ENABLED:
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = [x for x in REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] if x != 'rest_framework.authentication.BasicAuthentication'] REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = [x for x in REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] if x != 'rest_framework.authentication.BasicAuthentication']