Merge branch 'master' of https://github.com/inventree/InvenTree into …

…matmair/issue5578
inventree · SchrodingersGat · Apr 3, 2024 · Sep 21, 2023 · Sep 21, 2023 · Sep 21, 2023
commit e8131ad791ce57e2369595ce319be5609d40ed25
diff --git a/contrib/packager.io/functions.sh b/contrib/packager.io/functions.sh
@@ -236,7 +236,7 @@ function update_or_install() {
   # Run update as app user
   echo "# Updating InvenTree"
   sudo -u ${APP_USER} --preserve-env=$SETUP_ENVS bash -c "cd ${APP_HOME} && pip install wheel"
-  sudo -u ${APP_USER} --preserve-env=$SETUP_ENVS bash -c "cd ${APP_HOME} && invoke update --no-frontend | sed -e 's/^/# inv update| /;'"
+  sudo -u ${APP_USER} --preserve-env=$SETUP_ENVS bash -c "cd ${APP_HOME} && invoke update | sed -e 's/^/# inv update| /;'"
 
   # Make sure permissions are correct again
   echo "# Set permissions for data dir and media: ${DATA_DIR}"

diff --git a/docs/docs/settings/SSO.md b/docs/docs/settings/SSO.md
@@ -9,6 +9,9 @@ InvenTree provides the possibility to use 3rd party services to authenticate use
 !!! tip "Provider Documentation"
     There are a lot of technical considerations when configuring a particular SSO provider. A good starting point is the [django-allauth documentation](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/index.html)
 
+!!! warning "Advanced Users"
+    The SSO functionality provided by django-allauth is powerful, but can prove challenging to configure. Please ensure that you understand the implications of enabling SSO for your InvenTree instance. Specific technical details of each available SSO provider are beyond the scope of this documentation - please refer to the [django-allauth documentation](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/index.html) for more information.
+
 ## SSO Configuration
 
 The basic requirements for configuring SSO are outlined below:
@@ -131,3 +134,7 @@ Make sure all users with admin privileges have sufficient passwords - they can r
 
 !!! warning "It's a secret!"
     Never share the secret key associated with your InvenTree install!
+
+## Error Handling
+
+If you encounter an error during the SSO process, the error should be logged in the InvenTree database. You can view the [error log](./logs.md) in the [admin interface](./admin.md) to see the details of the error.
@@ -47,7 +47,7 @@ defusedxml==0.7.1
     #   python3-openid
 diff-match-patch==20230430
     # via django-import-export
-dj-rest-auth==5.0.1
+dj-rest-auth==5.0.2
     # via -r requirements.in
 django==3.2.23
     # via
@@ -83,7 +83,7 @@ django==3.2.23
     #   djangorestframework
     #   djangorestframework-simplejwt
     #   drf-spectacular
-django-allauth==0.54.0
+django-allauth==0.59.0
     # via
     #   -r requirements.in
     #   django-allauth-2fa

@@ -13,7 +13,7 @@
 
 from allauth.account.adapter import DefaultAccountAdapter
 from allauth.account.forms import LoginForm, SignupForm, set_form_field_order
-from allauth.exceptions import ImmediateHttpResponse
+from allauth.core.exceptions import ImmediateHttpResponse
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from allauth_2fa.adapter import OTPAdapter
 from allauth_2fa.utils import user_has_valid_totp_device
@@ -24,6 +24,7 @@
 from dj_rest_auth.registration.serializers import RegisterSerializer
 from rest_framework import serializers
 
+import InvenTree.sso
 from common.models import InvenTreeSetting
 from InvenTree.exceptions import log_error
 
@@ -228,7 +229,7 @@ def clean(self):
 
 def registration_enabled():
     """Determine whether user registration is enabled."""
-    if InvenTreeSetting.get_setting('LOGIN_ENABLE_REG') or InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG'):
+    if InvenTreeSetting.get_setting('LOGIN_ENABLE_REG') or InvenTree.sso.registration_enabled():
         if settings.EMAIL_HOST:
             return True
         else:
@@ -358,6 +359,13 @@ def login(self, request, user):
         # Otherwise defer to the original allauth adapter.
         return super().login(request, user)
 
+    def authentication_error(self, request, provider_id, error=None, exception=None, extra_context=None):
+        """Callback method for authentication errors."""
+
+        # Log the error to the database
+        log_error(request.path if request else 'sso')
+        logger.error("SSO error for provider '%s' - check admin error log", provider_id)
+
 
 # override dj-rest-auth
 class CustomRegisterSerializer(RegisterSerializer):

@@ -288,6 +288,7 @@
     'InvenTree.middleware.InvenTreeRemoteUserMiddleware',       # Remote / proxy auth
     'django_otp.middleware.OTPMiddleware',                      # MFA support
     'InvenTree.middleware.CustomAllauthTwoFactorMiddleware',    # Flow control for allauth
+    'allauth.account.middleware.AccountMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'InvenTree.middleware.AuthRequiredMiddleware',
@@ -956,6 +957,13 @@
 SOCIAL_BACKENDS = get_setting('INVENTREE_SOCIAL_BACKENDS', 'social_backends', [], typecast=list)
 
 for app in SOCIAL_BACKENDS:
+
+    # Ensure that the app starts with 'allauth.socialaccount.providers'
+    social_prefix = 'allauth.socialaccount.providers.'
+
+    if not app.startswith(social_prefix):  # pragma: no cover
+        app = social_prefix + app
+
     INSTALLED_APPS.append(app)  # pragma: no cover
 
 SOCIALACCOUNT_PROVIDERS = get_setting('INVENTREE_SOCIAL_PROVIDERS', 'social_providers', None, typecast=dict)

@@ -2,20 +2,18 @@
 import logging
 from importlib import import_module
 
-from django.urls import include, path, reverse
+from django.urls import NoReverseMatch, include, path, reverse
 
 from allauth.account.models import EmailAddress
 from allauth.socialaccount import providers
-from allauth.socialaccount.models import SocialApp
-from allauth.socialaccount.providers.keycloak.views import \
-    KeycloakOAuth2Adapter
 from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
                                                           OAuth2LoginView)
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.exceptions import NotFound
 from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.response import Response
 
+import InvenTree.sso
 from common.models import InvenTreeSetting
 from InvenTree.mixins import CreateAPI, ListAPI, ListCreateAPI
 from InvenTree.serializers import InvenTreeModelSerializer
@@ -51,14 +49,6 @@ def handle_oauth2(adapter: OAuth2Adapter):
     ]
 
 
-def handle_keycloak():
-    """Define urls for keycloak."""
-    return [
-        path('login/', GenericOAuth2ApiLoginView.adapter_view(KeycloakOAuth2Adapter), name='keycloak_api_login'),
-        path('connect/', GenericOAuth2ApiConnectView.adapter_view(KeycloakOAuth2Adapter), name='keycloak_api_connet'),
-    ]
-
-
 legacy = {
     'twitter': 'twitter_oauth2',
     'bitbucket': 'bitbucket_oauth2',
@@ -72,10 +62,13 @@ def handle_keycloak():
 social_auth_urlpatterns = []
 
 provider_urlpatterns = []
-for provider in providers.registry.get_list():
+
+for name, provider in providers.registry.provider_map.items():
+
     try:
         prov_mod = import_module(provider.get_package() + ".views")
     except ImportError:
+        logger.exception("Could not import authentication provider %s", name)
         continue
 
     # Try to extract the adapter class
@@ -89,8 +82,6 @@ def handle_keycloak():
         if provider.id in legacy:
             logger.warning('`%s` is not supported on platform UI. Use `%s` instead.', provider.id, legacy[provider.id])
             continue
-        elif provider.id == 'keycloak':
-            urls = handle_keycloak()
         else:
             logger.error('Found handler that is not yet ready for platform UI: `%s`. Open an feature request on GitHub if you need it implemented.', provider.id)
             continue
@@ -107,26 +98,31 @@ class SocialProviderListView(ListAPI):
     def get(self, request, *args, **kwargs):
         """Get the list of providers."""
         provider_list = []
-        for provider in providers.registry.get_list():
+        for provider in providers.registry.provider_map.values():
             provider_data = {
                 'id': provider.id,
                 'name': provider.name,
-                'login': request.build_absolute_uri(reverse(f'{provider.id}_api_login')),
-                'connect': request.build_absolute_uri(reverse(f'{provider.id}_api_connect')),
                 'configured': False
             }
+
             try:
-                provider_app = provider.get_app(request)
-                provider_data['display_name'] = provider_app.name
-                provider_data['configured'] = True
-            except SocialApp.DoesNotExist:
-                provider_data['display_name'] = provider.name
+                provider_data['login'] = request.build_absolute_uri(reverse(f'{provider.id}_api_login'))
+            except NoReverseMatch:
+                provider_data['login'] = None
+
+            try:
+                provider_data['connect'] = request.build_absolute_uri(reverse(f'{provider.id}_api_connect'))
+            except NoReverseMatch:
+                provider_data['connect'] = None
+
+            provider_data['configured'] = InvenTree.sso.check_provider(provider)
+            provider_data['display_name'] = InvenTree.sso.provider_display_name(provider)
 
             provider_list.append(provider_data)
 
         data = {
-            'sso_enabled': InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO'),
-            'sso_registration': InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG'),
+            'sso_enabled': InvenTree.sso.login_enabled(),
+            'sso_registration': InvenTree.sso.registration_enabled(),
             'mfa_required': InvenTreeSetting.get_setting('LOGIN_ENFORCE_MFA'),
             'providers': provider_list
         }

@@ -0,0 +1,81 @@
+"""Helper functions for Single Sign On functionality"""
+
+
+import logging
+
+from common.models import InvenTreeSetting
+from InvenTree.helpers import str2bool
+
+logger = logging.getLogger('inventree')
+
+
+def get_provider_app(provider):
+    """Return the SocialApp object for the given provider"""
+
+    from allauth.socialaccount.models import SocialApp
+
+    try:
+        apps = SocialApp.objects.filter(provider__iexact=provider.id)
+    except SocialApp.DoesNotExist:
+        logger.warning("SSO SocialApp not found for provider '%s'", provider.id)
+        return None
+
+    if apps.count() > 1:
+        logger.warning("Multiple SocialApps found for provider '%s'", provider.id)
+
+    if apps.count() == 0:
+        logger.warning("SSO SocialApp not found for provider '%s'", provider.id)
+
+    return apps.first()
+
+
+def check_provider(provider, raise_error=False):
+    """Check if the given provider is correctly configured.
+
+    To be correctly configured, the following must be true:
+
+    - Provider must either have a registered SocialApp
+    - Must have at least one site enabled
+    """
+
+    import allauth.app_settings
+
+    # First, check that the provider is enabled
+    app = get_provider_app(provider)
+
+    if not app:
+        return False
+
+    if allauth.app_settings.SITES_ENABLED:
+        # At least one matching site must be specified
+        if not app.sites.exists():
+            logger.error("SocialApp %s has no sites configured", app)
+            return False
+
+    # At this point, we assume that the provider is correctly configured
+    return True
+
+
+def provider_display_name(provider):
+    """Return the 'display name' for the given provider"""
+
+    if app := get_provider_app(provider):
+        return app.name
+
+    # Fallback value if app not found
+    return provider.name
+
+
+def login_enabled() -> bool:
+    """Return True if SSO login is enabled"""
+    return str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO'))
+
+
+def registration_enabled() -> bool:
+    """Return True if SSO registration is enabled"""
+    return str2bool(InvenTreeSetting.get_setting('LOGIN_ENABLE_SSO_REG'))
+
+
+def auto_registration_enabled() -> bool:
+    """Return True if SSO auto-registration is enabled"""
+    return str2bool(InvenTreeSetting.get_setting('LOGIN_SIGNUP_SSO_AUTO'))
@@ -233,13 +233,13 @@ remote_login_header: HTTP_REMOTE_USER
 # social_backends:
 #  - 'allauth.socialaccount.providers.google'
 #  - 'allauth.socialaccount.providers.github'
-#  - 'allauth.socialaccount.providers.keycloak'
 
 # Add specific settings for social account providers (if required)
+# Refer to the djngo-allauth documentation for more details:
+# https://docs.allauth.org/en/latest/socialaccount/provider_configuration.html
 # social_providers:
-#   keycloak:
-#     KEYCLOAK_URL: 'https://keycloak.custom/auth'
-#     KEYCLOAK_REALM: 'master'
+#   github:
+#     VERIFIED_EMAIL: true
 
 # Add LDAP support
 # ldap: