Automatically link the superuser account to federated service for auth
When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
This commit is contained in:
Joseph Schorr
parent
33b54218cc
commit
38a6b3621c
5 changed files with 37 additions and 5 deletions
|
|
@ -295,6 +295,15 @@ def list_entity_robot_permission_teams(entity_name, include_permissions=False):
|
|||
return TupleSelector(query, fields)
|
||||
|
||||
|
||||
def confirm_attached_federated_login(user, service_name):
|
||||
""" Verifies that the given user has a federated service identity for the specified service.
|
||||
If none found, a row is added for that service and user.
|
||||
"""
|
||||
with db_transaction():
|
||||
if not lookup_federated_login(user, service_name):
|
||||
attach_federated_login(user, service_name, user.username)
|
||||
|
||||
|
||||
def create_federated_user(username, email, service_name, service_id,
|
||||
set_password_notification, metadata={}):
|
||||
if not is_create_user_allowed():
|
||||
|
|
|
|||
|
|
@ -15,6 +15,19 @@ from util.aes import AESCipher
|
|||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
def get_federated_service_name(authentication_type):
|
||||
if authentication_type == 'LDAP':
|
||||
return 'ldap'
|
||||
|
||||
if authentication_type == 'JWT':
|
||||
return 'jwtauthn'
|
||||
|
||||
if authentication_type == 'Keystone':
|
||||
return 'keystone'
|
||||
|
||||
raise Exception('Unknown auth type: %s' % authentication_type)
|
||||
|
||||
|
||||
class UserAuthentication(object):
|
||||
def __init__(self, app=None, override_config_dir=None):
|
||||
self.app_secret_key = None
|
||||
|
|
@ -45,8 +58,8 @@ class UserAuthentication(object):
|
|||
verify_url = app.config.get('JWT_VERIFY_ENDPOINT')
|
||||
issuer = app.config.get('JWT_AUTH_ISSUER')
|
||||
max_fresh_s = app.config.get('JWT_AUTH_MAX_FRESH_S', 300)
|
||||
users = ExternalJWTAuthN(verify_url, issuer, override_config_dir, max_fresh_s,
|
||||
app.config['HTTPCLIENT'])
|
||||
users = ExternalJWTAuthN(verify_url, issuer, override_config_dir,
|
||||
app.config['HTTPCLIENT'], max_fresh_s)
|
||||
elif authentication_type == 'Keystone':
|
||||
auth_url = app.config.get('KEYSTONE_AUTH_URL')
|
||||
keystone_admin_username = app.config.get('KEYSTONE_ADMIN_USERNAME')
|
||||
|
|
|
|||
|
|
@ -13,10 +13,12 @@ from app import app, CONFIG_PROVIDER, superusers
|
|||
from data import model
|
||||
from data.database import configure
|
||||
from auth.permissions import SuperUserPermission
|
||||
from auth.auth_context import get_authenticated_user
|
||||
from data.database import User
|
||||
from util.config.configutil import add_enterprise_config_defaults
|
||||
from util.config.validator import validate_service_for_config, CONFIG_FILENAMES
|
||||
from data.runmigration import run_alembic_migration
|
||||
from data.users import get_federated_service_name
|
||||
|
||||
import features
|
||||
|
||||
|
|
@ -208,6 +210,13 @@ class SuperUserConfig(ApiResource):
|
|||
# Write the configuration changes to the YAML file.
|
||||
CONFIG_PROVIDER.save_yaml(config_object)
|
||||
|
||||
# If the authentication system is not the database, link the superuser account to the
|
||||
# the authentication system chosen.
|
||||
if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database':
|
||||
service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
|
||||
current_user = get_authenticated_user()
|
||||
model.user.confirm_attached_federated_login(current_user, service_name)
|
||||
|
||||
return {
|
||||
'exists': True,
|
||||
'config': config_object
|
||||
|
|
|
|||
|
|
@ -207,7 +207,7 @@ angular.module("core-config-setup", ['angularFileUpload'])
|
|||
'</form>',
|
||||
"title": 'Enter Password',
|
||||
"buttons": {
|
||||
"verify": {
|
||||
"success": {
|
||||
"label": "Validate Config",
|
||||
"className": "btn-success",
|
||||
"callback": function() {
|
||||
|
|
|
|||
|
|
@ -344,7 +344,8 @@ def _validate_jwt(config, password):
|
|||
# Try to instatiate the JWT authentication mechanism. This will raise an exception if
|
||||
# the key cannot be found.
|
||||
users = ExternalJWTAuthN(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY,
|
||||
app.config['HTTPCLIENT'])
|
||||
app.config['HTTPCLIENT'],
|
||||
app.config.get('JWT_AUTH_MAX_FRESH_S', 300))
|
||||
|
||||
# Verify that the superuser exists. If not, raise an exception.
|
||||
username = get_authenticated_user().username
|
||||
|
|
@ -403,4 +404,4 @@ _VALIDATORS = {
|
|||
'ldap': _validate_ldap,
|
||||
'jwt': _validate_jwt,
|
||||
'keystone': _validate_keystone,
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue