flake8
failed.
JSHint
failed.
flake8
-
reviewboard/accounts/sso/backends/saml/sso_backend.py (Diff revision 1) Show all issues
Add SAML 2.0 SSO.
Review Request #12254 — Created April 24, 2022 and updated
| Information | |
|---|---|
| david | |
| Review Board | |
| release-5.0.x | |
| Reviewers | |
| reviewboard | |
This change adds SAML 2.0 support for single-sign-on authentication. It
includes a few major pieces:
- Infrastructure for SSO backends including registry, configuration
machinery, and URL registration. - Updates to settings forms to allow me to toggle some subforms based on
a checkbox enabler rather than via drop-downs. - SAML 2.0 backend which includes configuration, login/logout, and user
provisioning.
The vast majority of the settings available are specific to SAML,
including the various URLs and method settings. Because of some user
feedback we've already recieved, I've added a toggle to control the
behavior of user provisioning. In most cases, the person using this has
absolute trust in the integrity and correctness of their IdP, but in
some cases that may not be true. If the "username" parameter can not
necessarily be trusted, there's an option to force existing users to log
in with their Review Board password at least once.
Testing was done with a test application on onelogin.com with the
relevant configuration to authenticate to my server on localhost.
- Logged in with existing user that had a username match.
- Logged in with user that had an email match and saw correct detection
of the existing user. - Logged in with a user that had no existing match and saw provision
screen. Proceeded and was logged in with a new user with correct
name/email/etc. - Tested behavior of "require login" toggle.
- Logged out from onelogin portal and saw GET request to the SLS
endpoint which flushed the session and then redirected back to the
onelogin login page. - Tested authentication configuration page, enabling/disabling settings,
and making changes to settings. Tested behavior when the
python3-samlpackage wasn't installed. - Tested text of button on login page, and that it redirected to the SSO
login flow. - Ran unit tests.
| Summary | |
|---|---|
| Description | From | Last Updated |
|---|---|---|
|
Looks good. Since this is WIP, I won't give it a Ship It!, but we're ready to move onto the ... |
 chipx86
|
|
|
Do we need to do this, or can we rely on lazy population in the registry? |
chipx86
|
|
|
Blank line between these. |
chipx86
|
|
|
extra_data is worth having, but I think we may want to include something specific for credential data that we'd never ... |
chipx86
|
|
|
Missing docstring. |
chipx86
|
|
|
Rather than this format, cna we do: for _module, _backend_cls_name in (('saml.sso_backend', 'SAMLSSOBackend'),): ... Or define the list separately. |
chipx86
|
|
|
Missing docs in this file. |
chipx86
|
|
|
This should be after __init__. |
chipx86
|
|
|
F821 undefined name 'ModuleNotFoundError' |
 reviewbot
|
|
|
conf before contrib. |
chipx86
|
|
|
404 before Response. |
chipx86
|
|
|
These are in reverse order. |
chipx86
|
|
|
These are in reverse order. |
chipx86
|
|
|
Same with these. |
chipx86
|
|
|
Missing docs. |
chipx86
|
|
|
We should have some else case, even if that's just raising an exception. |
chipx86
|
|
|
No need to .save() after .create(). |
chipx86
|
|
|
Shouldn't have a trailing comma for a function call. |
chipx86
|
|
|
Missing a Version Added. |
chipx86
|
|
|
Missing a Version Added. We should put them in the functions as well. Same comments for other new modules. |
chipx86
|
|
|
These should be swapped. |
chipx86
|
|
|
Let's wrap any calls in an exception, in case any extension-provided backends (or ours) ever misbehave. |
chipx86
|
|
|
Should we conditionally save ones with _enabled? |
chipx86
|
|
|
Typo: flieds. |
chipx86
|
|
|
Col: 40 Missing semicolon. |
reviewbot
|
|
|
Missing ; |
chipx86
|
|
|
Col: 64 Missing semicolon. |
reviewbot
|
|
|
Missing ; |
chipx86
|
|
|
Thes should be indented 1 space. No need for />. Same elsewhere. These apply to the other templates as well. |
chipx86
|
|
|
F821 undefined name 'ModuleNotFoundError' |
reviewbot
|
|
|
F401 'django.contrib.auth.login' imported but unused |
reviewbot
|
|
|
F401 'reviewboard.accounts.backends.standard.StandardAuthBackend' imported but unused |
reviewbot
|
|
|
F401 'django.utils.translation.gettext_lazy as _' imported but unused |
reviewbot
|
-
I think this all looks really good. There are a lot of moving pieces, so I'm not sure how much I've internalized (it would be nice to ultimately break this out into a change for the subform code, and then maybe SSO vs. SAML implementation), but nothing stands out as wrong.
I have a handful of comments in here. Most are things like doc fixes or style/ordering fixes, which I stopped providing because I know it's WIP. Only a few are on design.
-
reviewboard/accounts/__init__.py (Diff revision 1) Do we need to do this, or can we rely on lazy population in the registry?
-
-
reviewboard/accounts/models.py (Diff revision 1) extra_datais worth having, but I think we may want to include something specific for credential data that we'd never want to expose via the API.HostingServiceAccounthas adata = JSONField()where those go. Maybe aservice_data =would be appropriate. -
-
reviewboard/accounts/sso/backends/registry.py (Diff revision 1) Rather than this format, cna we do:
for _module, _backend_cls_name in (('saml.sso_backend', 'SAMLSSOBackend'),): ...
Or define the list separately.
-
-
reviewboard/accounts/sso/backends/saml/sso_backend.py (Diff revision 1) This should be after
__init__. -
-
-
-
-
-
-
reviewboard/accounts/sso/backends/saml/views.py (Diff revision 1) We should have some
elsecase, even if that's just raising an exception. -
reviewboard/accounts/sso/backends/saml/views.py (Diff revision 1) No need to
.save()after.create(). -
reviewboard/accounts/sso/backends/saml/views.py (Diff revision 1) Shouldn't have a trailing comma for a function call.
-
-
reviewboard/accounts/sso/users.py (Diff revision 1) Missing a
Version Added. We should put them in the functions as well.Same comments for other new modules.
-
-
reviewboard/admin/forms/auth_settings.py (Diff revision 1) Let's wrap any calls in an exception, in case any extension-provided backends (or ours) ever misbehave.
-
reviewboard/admin/forms/auth_settings.py (Diff revision 1) Should we conditionally save ones with
_enabled? -
-
-
-
reviewboard/templates/accounts/sso/link-user-connect-existing.html (Diff revision 1) Thes should be indented 1 space.
No need for
/>. Same elsewhere.These apply to the other templates as well.
Description: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Testing Done: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Commits: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Diff: |
Revision 2 (+3742 -42) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Checks run (1 failed, 1 succeeded)
flake8
failed.
JSHint
passed.
flake8
-
reviewboard/accounts/sso/backends/saml/sso_backend.py (Diff revision 2) F821 undefined name 'ModuleNotFoundError'
Change Summary:
Switch to
ImportErrorfor import test, since that's a parent class ofModuleNotFoundError, and works with python 2.7 and the version of flake8 we're running.
Commits: |
|
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
Diff: |
Revision 3 (+3742 -42) |
|||||||||
Checks run (2 succeeded)
flake8
passed.
JSHint
passed.
Change Summary:
- Docstrings
- Use common
login_usermethod.
Description: |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Commits: |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Diff: |
Revision 4 (+3890 -42) |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Checks run (1 failed, 1 succeeded)
flake8
failed.
JSHint
passed.
flake8
-
reviewboard/accounts/sso/backends/saml/views.py (Diff revision 4) F401 'django.contrib.auth.login' imported but unused
-
reviewboard/accounts/sso/backends/saml/views.py (Diff revision 4) F401 'reviewboard.accounts.backends.standard.StandardAuthBackend' imported but unused
Commits: |
|
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
Diff: |
Revision 5 (+3886 -42) |
|||||||||
Checks run (2 succeeded)
flake8
passed.
JSHint
passed.
Change Summary:
- Added login button.
- Added docs to admin manual.
- Validation for settings form fields.
- Removed configurable NameID format, since we require NameID to be the username (and anything else doesn't make sense for us).
- Added a bunch of unit tests.
Description: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Commits: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Diff: |
Revision 6 (+4432 -46) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Checks run (2 succeeded)
flake8
passed.
JSHint
passed.
Change Summary:
Fix up description/testing done.
Description: |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Testing Done: |
|
Change Summary:
Remove debug print statements.
Commits: |
|
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
Diff: |
Revision 7 (+4420 -46) |
|||||||||
Checks run (2 succeeded)
flake8
passed.
JSHint
passed.
Change Summary:
Out of WIP.
Summary: |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Description: |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Commits: |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Diff: |
Revision 8 (+4838 -46) |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Checks run (1 failed, 1 succeeded)
flake8
failed.
JSHint
passed.
flake8
-
reviewboard/accounts/sso/backends/saml/views.py (Diff revision 8) F401 'django.utils.translation.gettext_lazy as _' imported but unused
Commits: |
|
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
Diff: |
Revision 9 (+4836 -46) |
|||||||||
Checks run (2 succeeded)
flake8
passed.
JSHint
passed.