mirror of
https://github.com/ansible/awx.git
synced 2026-04-27 04:35:22 -02:30
Remove LDAP authentication (#15546)
Remove LDAP authentication from AWX
This commit is contained in:
Djebran Lezzoum
committed by
jessicamack
jessicamack
parent
6dea7bfe17
commit
f22b192fb4
@@ -1,13 +1,11 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
from __future__ import unicode_literals
|
||||
|
||||
# AWX
|
||||
from awx.conf.migrations._ldap_group_type import fill_ldap_group_type_params
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [('conf', '0005_v330_rename_two_session_settings')]
|
||||
|
||||
operations = [migrations.RunPython(fill_ldap_group_type_params)]
|
||||
# this migration is doing nothing, and is here to preserve migrations files integrity
|
||||
operations = []
|
||||
|
||||
115
awx/conf/migrations/0011_remove_ldap_auth_conf.py
Normal file
115
awx/conf/migrations/0011_remove_ldap_auth_conf.py
Normal file
@@ -0,0 +1,115 @@
|
||||
from django.db import migrations
|
||||
|
||||
LDAP_AUTH_CONF_KEYS = [
|
||||
'AUTH_LDAP_SERVER_URI',
|
||||
'AUTH_LDAP_BIND_DN',
|
||||
'AUTH_LDAP_BIND_PASSWORD',
|
||||
'AUTH_LDAP_START_TLS',
|
||||
'AUTH_LDAP_CONNECTION_OPTIONS',
|
||||
'AUTH_LDAP_USER_SEARCH',
|
||||
'AUTH_LDAP_USER_DN_TEMPLATE',
|
||||
'AUTH_LDAP_USER_ATTR_MAP',
|
||||
'AUTH_LDAP_GROUP_SEARCH',
|
||||
'AUTH_LDAP_GROUP_TYPE',
|
||||
'AUTH_LDAP_GROUP_TYPE_PARAMS',
|
||||
'AUTH_LDAP_REQUIRE_GROUP',
|
||||
'AUTH_LDAP_DENY_GROUP',
|
||||
'AUTH_LDAP_USER_FLAGS_BY_GROUP',
|
||||
'AUTH_LDAP_ORGANIZATION_MAP',
|
||||
'AUTH_LDAP_TEAM_MAP',
|
||||
'AUTH_LDAP_1_SERVER_URI',
|
||||
'AUTH_LDAP_1_BIND_DN',
|
||||
'AUTH_LDAP_1_BIND_PASSWORD',
|
||||
'AUTH_LDAP_1_START_TLS',
|
||||
'AUTH_LDAP_1_CONNECTION_OPTIONS',
|
||||
'AUTH_LDAP_1_USER_SEARCH',
|
||||
'AUTH_LDAP_1_USER_DN_TEMPLATE',
|
||||
'AUTH_LDAP_1_USER_ATTR_MAP',
|
||||
'AUTH_LDAP_1_GROUP_SEARCH',
|
||||
'AUTH_LDAP_1_GROUP_TYPE',
|
||||
'AUTH_LDAP_1_GROUP_TYPE_PARAMS',
|
||||
'AUTH_LDAP_1_REQUIRE_GROUP',
|
||||
'AUTH_LDAP_1_DENY_GROUP',
|
||||
'AUTH_LDAP_1_USER_FLAGS_BY_GROUP',
|
||||
'AUTH_LDAP_1_ORGANIZATION_MAP',
|
||||
'AUTH_LDAP_1_TEAM_MAP',
|
||||
'AUTH_LDAP_2_SERVER_URI',
|
||||
'AUTH_LDAP_2_BIND_DN',
|
||||
'AUTH_LDAP_2_BIND_PASSWORD',
|
||||
'AUTH_LDAP_2_START_TLS',
|
||||
'AUTH_LDAP_2_CONNECTION_OPTIONS',
|
||||
'AUTH_LDAP_2_USER_SEARCH',
|
||||
'AUTH_LDAP_2_USER_DN_TEMPLATE',
|
||||
'AUTH_LDAP_2_USER_ATTR_MAP',
|
||||
'AUTH_LDAP_2_GROUP_SEARCH',
|
||||
'AUTH_LDAP_2_GROUP_TYPE',
|
||||
'AUTH_LDAP_2_GROUP_TYPE_PARAMS',
|
||||
'AUTH_LDAP_2_REQUIRE_GROUP',
|
||||
'AUTH_LDAP_2_DENY_GROUP',
|
||||
'AUTH_LDAP_2_USER_FLAGS_BY_GROUP',
|
||||
'AUTH_LDAP_2_ORGANIZATION_MAP',
|
||||
'AUTH_LDAP_2_TEAM_MAP',
|
||||
'AUTH_LDAP_3_SERVER_URI',
|
||||
'AUTH_LDAP_3_BIND_DN',
|
||||
'AUTH_LDAP_3_BIND_PASSWORD',
|
||||
'AUTH_LDAP_3_START_TLS',
|
||||
'AUTH_LDAP_3_CONNECTION_OPTIONS',
|
||||
'AUTH_LDAP_3_USER_SEARCH',
|
||||
'AUTH_LDAP_3_USER_DN_TEMPLATE',
|
||||
'AUTH_LDAP_3_USER_ATTR_MAP',
|
||||
'AUTH_LDAP_3_GROUP_SEARCH',
|
||||
'AUTH_LDAP_3_GROUP_TYPE',
|
||||
'AUTH_LDAP_3_GROUP_TYPE_PARAMS',
|
||||
'AUTH_LDAP_3_REQUIRE_GROUP',
|
||||
'AUTH_LDAP_3_DENY_GROUP',
|
||||
'AUTH_LDAP_3_USER_FLAGS_BY_GROUP',
|
||||
'AUTH_LDAP_3_ORGANIZATION_MAP',
|
||||
'AUTH_LDAP_3_TEAM_MAP',
|
||||
'AUTH_LDAP_4_SERVER_URI',
|
||||
'AUTH_LDAP_4_BIND_DN',
|
||||
'AUTH_LDAP_4_BIND_PASSWORD',
|
||||
'AUTH_LDAP_4_START_TLS',
|
||||
'AUTH_LDAP_4_CONNECTION_OPTIONS',
|
||||
'AUTH_LDAP_4_USER_SEARCH',
|
||||
'AUTH_LDAP_4_USER_DN_TEMPLATE',
|
||||
'AUTH_LDAP_4_USER_ATTR_MAP',
|
||||
'AUTH_LDAP_4_GROUP_SEARCH',
|
||||
'AUTH_LDAP_4_GROUP_TYPE',
|
||||
'AUTH_LDAP_4_GROUP_TYPE_PARAMS',
|
||||
'AUTH_LDAP_4_REQUIRE_GROUP',
|
||||
'AUTH_LDAP_4_DENY_GROUP',
|
||||
'AUTH_LDAP_4_USER_FLAGS_BY_GROUP',
|
||||
'AUTH_LDAP_4_ORGANIZATION_MAP',
|
||||
'AUTH_LDAP_4_TEAM_MAP',
|
||||
'AUTH_LDAP_5_SERVER_URI',
|
||||
'AUTH_LDAP_5_BIND_DN',
|
||||
'AUTH_LDAP_5_BIND_PASSWORD',
|
||||
'AUTH_LDAP_5_START_TLS',
|
||||
'AUTH_LDAP_5_CONNECTION_OPTIONS',
|
||||
'AUTH_LDAP_5_USER_SEARCH',
|
||||
'AUTH_LDAP_5_USER_DN_TEMPLATE',
|
||||
'AUTH_LDAP_5_USER_ATTR_MAP',
|
||||
'AUTH_LDAP_5_GROUP_SEARCH',
|
||||
'AUTH_LDAP_5_GROUP_TYPE',
|
||||
'AUTH_LDAP_5_GROUP_TYPE_PARAMS',
|
||||
'AUTH_LDAP_5_REQUIRE_GROUP',
|
||||
'AUTH_LDAP_5_DENY_GROUP',
|
||||
'AUTH_LDAP_5_USER_FLAGS_BY_GROUP',
|
||||
'AUTH_LDAP_5_ORGANIZATION_MAP',
|
||||
'AUTH_LDAP_5_TEAM_MAP',
|
||||
]
|
||||
|
||||
|
||||
def remove_ldap_auth_conf(apps, scheme_editor):
|
||||
setting = apps.get_model('conf', 'Setting')
|
||||
setting.objects.filter(key__in=LDAP_AUTH_CONF_KEYS).delete()
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
('conf', '0010_change_to_JSONField'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.RunPython(remove_ldap_auth_conf),
|
||||
]
|
||||
@@ -1,31 +0,0 @@
|
||||
import inspect
|
||||
|
||||
from django.conf import settings
|
||||
|
||||
import logging
|
||||
|
||||
|
||||
logger = logging.getLogger('awx.conf.migrations')
|
||||
|
||||
|
||||
def fill_ldap_group_type_params(apps, schema_editor):
|
||||
group_type = getattr(settings, 'AUTH_LDAP_GROUP_TYPE', None)
|
||||
Setting = apps.get_model('conf', 'Setting')
|
||||
|
||||
group_type_params = {'name_attr': 'cn', 'member_attr': 'member'}
|
||||
qs = Setting.objects.filter(key='AUTH_LDAP_GROUP_TYPE_PARAMS')
|
||||
entry = None
|
||||
if qs.exists():
|
||||
entry = qs[0]
|
||||
group_type_params = entry.value
|
||||
else:
|
||||
return # for new installs we prefer to use the default value
|
||||
|
||||
init_attrs = set(inspect.getfullargspec(group_type.__init__).args[1:])
|
||||
for k in list(group_type_params.keys()):
|
||||
if k not in init_attrs:
|
||||
del group_type_params[k]
|
||||
|
||||
entry.value = group_type_params
|
||||
logger.warning(f'Migration updating AUTH_LDAP_GROUP_TYPE_PARAMS with value {entry.value}')
|
||||
entry.save()
|
||||
@@ -73,6 +73,6 @@ def disable_local_auth(**kwargs):
|
||||
|
||||
logger.warning("Triggering token invalidation for local users.")
|
||||
|
||||
qs = User.objects.filter(profile__ldap_dn='', enterprise_auth__isnull=True, social_auth__isnull=True)
|
||||
qs = User.objects.filter(enterprise_auth__isnull=True, social_auth__isnull=True)
|
||||
revoke_tokens(RefreshToken.objects.filter(revoked=None, user__in=qs))
|
||||
revoke_tokens(OAuth2AccessToken.objects.filter(user__in=qs))
|
||||
|
||||
@@ -1,25 +0,0 @@
|
||||
import pytest
|
||||
|
||||
from awx.conf.migrations._ldap_group_type import fill_ldap_group_type_params
|
||||
from awx.conf.models import Setting
|
||||
|
||||
from django.apps import apps
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_fill_group_type_params_no_op():
|
||||
fill_ldap_group_type_params(apps, 'dont-use-me')
|
||||
assert Setting.objects.count() == 0
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_keep_old_setting_with_default_value():
|
||||
Setting.objects.create(key='AUTH_LDAP_GROUP_TYPE', value={'name_attr': 'cn', 'member_attr': 'member'})
|
||||
fill_ldap_group_type_params(apps, 'dont-use-me')
|
||||
assert Setting.objects.count() == 1
|
||||
s = Setting.objects.first()
|
||||
assert s.value == {'name_attr': 'cn', 'member_attr': 'member'}
|
||||
|
||||
|
||||
# NOTE: would be good to test the removal of attributes by migration
|
||||
# but this requires fighting with the validator and is not done here
|
||||
Reference in New Issue
Block a user