50 Commits

Author SHA1 Message Date
Tobias Urdin
6a3fa87cde Pass client IP to keystoneauth1 session
This passes the client IP to the keystoneauth1 Session's
original_ip parameter.

This sets the Forwarded HTTP header so that when the request
lands in Keystone it can actually be determined who
made the request and not only that it was proxied by Horizon.

  Forwarded: for=100.64.10.1;by=openstack_auth keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.6.8

In the above example header the 100.64.10.1 is the client IP
that is sent from a load balancer in the X-Forwarded-For header
while the actual REMOTE_ADDR in the HTTP request is the load balancer's
IP address.

Change-Id: I52da9dcd7fb6b1ac46852718f285795628121e26
2022-05-24 10:38:02 +00:00
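The commit above delegates the Forwarded header to keystoneauth1; what it does not show is how Horizon should decide which X-Forwarded-For entry is the client in the first place, since anything a client puts in that header is attacker-controlled. The following is an added example written for this page, not Horizon or keystoneauth1 code: it walks the X-Forwarded-For chain from the right, skipping only hops that fall inside an assumed trusted-proxy list (TRUSTED_PROXIES is a hypothetical setting, not one the commit introduces), and then formats the for=/by= pair in the shape shown in the commit message. The addresses, proxy network and by token are constructed.

```python
"""Pick the real client IP behind a load balancer and build an RFC 7239
Forwarded header in the form shown in the commit message.

Added example; not Horizon or keystoneauth1 code. TRUSTED_PROXIES, the
sample addresses and the 'by' token are all constructed for illustration.
"""
import ipaddress
from typing import Iterable, Optional

# Assumed deployment setting: networks whose X-Forwarded-For entries we trust.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _parse_ip(value: str):
    """Parse one X-Forwarded-For entry, tolerating '[v6]:port' and 'v4:port'."""
    value = value.strip()
    if value.startswith("[") and "]" in value:      # "[2001:db8::1]:443"
        value = value[1:value.index("]")]
    elif value.count(":") == 1:                     # "203.0.113.9:51234"
        value = value.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address of the nearest hop that is not a trusted proxy.

    The chain is walked from the right because only entries appended by our
    own proxies are trustworthy; everything further left was supplied by the
    client and can be spoofed. If the TCP peer itself is not a trusted proxy,
    X-Forwarded-For is ignored entirely and REMOTE_ADDR is the client.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)

    peer = _parse_ip(remote_addr)
    if peer is None or not is_trusted(peer):
        return remote_addr

    last = peer
    for hop in reversed((x_forwarded_for or "").split(",")):
        if not hop.strip():
            continue
        ip = _parse_ip(hop)
        if ip is None:            # malformed entry: stop, report last good hop
            break
        last = ip
        if not is_trusted(ip):    # first untrusted hop from the right = client
            return str(ip)
    # Every hop was a trusted proxy (e.g. an admin on the proxy network):
    # the leftmost one is the originator.
    return str(last)


def forwarded_header(client: str, by: str) -> str:
    """Format the 'for=...;by=...' pair; IPv6 nodes must be bracketed and quoted."""
    ip = ipaddress.ip_address(client)
    node = f'"[{ip}]"' if ip.version == 6 else str(ip)
    return f"for={node};by={by}"
```

The value returned by client_ip() is what would be handed to the keystoneauth1 Session's original_ip parameter; without the trusted-proxy check, a client sending its own X-Forwarded-For could make Keystone log any address it likes.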
manchandavishal
33efe3179d Address RemovedInDjango40Warning
This patch is a follow-up patch of 00def145de which renamed
is_safe_url() -> url_has_allowed_host_and_scheme() because
is_safe_url() is deprecated in Django 3.0.
For more info, please refer [1].

[1] https://docs.djangoproject.com/en/4.0/releases/3.0/#deprecated-features-3-0

Change-Id: I419f328916650093396fc153932a5053c3fa6b0e
2022-03-31 11:07:32 +05:30
Zuul
1bb9092abf Merge "Address RemovedInDjango40Warning (7)" 2022-03-12 22:02:49 +00:00
Zuul
ec634c937d Merge "Address RemovedInDjango40Warning (6)" 2022-03-12 22:02:46 +00:00
Zuul
dd9e4c82b5 Merge "Address RemovedInDjango40Warning (2)" 2022-03-03 10:14:04 +00:00
Radomir Dopieralski
88dd887ad3 Fix getting defaults from cookie for region field in password form
Since the normal form doesn't have a request attribute, we have to
pass the initial value for the region from the view.

Change-Id: Icea647ad13718b74528922f362ad665be1392e9b
Closes-bug: #1957926
2022-02-04 18:08:42 +01:00
Akihiro Motoki
7052b7f065 Address RemovedInDjango40Warning (7)
HttpRequest.is_ajax() was marked as deprecated since Django 3.1 and will be
removed in Django 4.0 [1].

While the current implementation of is_ajax() relies on a jQuery-specific way
of signifying AJAX as noted in the Django relnotes, horizon works with this.
Thus this commit copies the existing logic of HttpRequest.is_ajax() to the
horizon repo (as horizon.utils.http.is_ajax()) and consumes it.

https://docs.djangoproject.com/en/4.0/releases/3.1/#features-deprecated-in-3-1
Change-Id: I3def53033524985818a891a1b9d4659fad4ba2ba
2022-02-04 16:27:32 +09:00
Akihiro Motoki
00def145de Address RemovedInDjango40Warning (6)
Django 3.0 renamed is_safe_url() to url_has_allowed_host_and_scheme()
and deprecated is_safe_url().

https://docs.djangoproject.com/en/4.0/releases/3.0/#deprecated-features-3-0
Change-Id: Ic970a93a2083525139d8741a4150e643264be43b
2022-02-04 16:27:32 +09:00
Akihiro Motoki
cd7c1b5110 Address RemovedInDjango40Warning (2)
django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(),
ungettext(), and ungettext_lazy() are deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext(),
gettext_lazy(), gettext_noop(), ngettext(), and ngettext_lazy().

https://docs.djangoproject.com/en/4.0/releases/3.0/#id3

Change-Id: I77878f84e9d10cf6a136dada81eabf4e18676250
2022-02-04 16:22:07 +09:00
Zuul
855bd80ec8 Merge "Add system scope support to context switcher" 2022-01-15 12:06:04 +00:00
Zuul
8fe5bbc8da Merge "Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER" 2022-01-12 12:15:26 +00:00
Georgina Shippey
33292ca0a4 Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER
By using OPENSTACK_KEYSTONE_URL instead of the HTTP_REFERRER
the authentication request between Horizon and Keystone continues
to work in situations where the HTTP_REFERRER is an external keystone
endpoint that Horizon does not have access to.

Change-Id: I9c5c8d59c5f5a8570dbb563ae224d45406a73ba5
Closes-bug: #1874705
2022-01-12 08:29:29 +00:00
Radomir Dopieralski
34a0159d1a Add system scope support to context switcher
Change-Id: Idd2ec7ae6e978a358b4b3639e86cadae06c90976
2021-11-26 14:09:46 +01:00
Zuul
6c2a98c9fe Merge "Escape unicode characters when setting logout_reason cookie" 2021-09-17 19:49:31 +00:00
Akihiro Motoki
6dfcb90131 Support Django 3.0 and 3.1 (1)
* Django 3.0 dropped django.utils.decorators.available_attrs()
  in favor of functools.WRAPPER_ASSIGNMENTS.
* Django 3.0 dropped django.utils.functional.curry()
  in favor of functools.partial() or functools.partialmethod().

https://docs.djangoproject.com/en/3.1/releases/3.0/#removed-private-python-2-compatibility-apis

Change-Id: I4ab0e720a8ffe13a08f5e607a59e39f252338b90
2021-09-14 12:54:01 +00:00
Radomir Dopieralski
e68e239373 Escape unicode characters when setting logout_reason cookie
Change-Id: Ic61a3958461a4a939acc40d1039881e2d4c3a1cd
Closes-bug: #1894801
2021-09-08 16:26:30 +02:00
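The commit above carries only its title, so the following is an added example for this page, not Horizon or Django code, showing why a free-form message such as a logout reason has to be escaped before it is written into a cookie: a raw value containing a semicolon or CR/LF can add cookie attributes or a second header line, and non-ASCII text is not a valid RFC 6265 cookie-octet at all. Percent-encoding is the technique shown here; whether the commit uses exactly this encoding is an assumption. The cookie name, messages and rendered Set-Cookie lines are constructed.

```python
"""Encode a free-form message (here: a logout reason) so it is safe to carry
in a cookie value, and show the header-injection risk of writing it raw.

Added example for this page, not Horizon or Django code. Cookie names,
messages and the rendered Set-Cookie lines are constructed.
"""
from urllib.parse import quote, unquote

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, '"', ',', ';', '\'.
_COOKIE_OCTETS = frozenset(chr(c) for c in range(0x21, 0x7F)) - set('",;\\')


def is_valid_cookie_value(raw: str) -> bool:
    """True if every character is a legal cookie-octet."""
    return all(ch in _COOKIE_OCTETS for ch in raw)


def encode_cookie_value(message: str) -> str:
    """Percent-encode everything except [A-Za-z0-9_.-~]; the result is pure
    cookie-octets, so CR/LF, ';', '"' and non-ASCII never reach the header."""
    return quote(message, safe="")


def decode_cookie_value(raw: str) -> str:
    """Inverse of encode_cookie_value(), used when reading the cookie back."""
    return unquote(raw)


def set_cookie_header_unsafe(name: str, message: str) -> str:
    """The 'before' shape: the message goes into the header untouched."""
    return f"Set-Cookie: {name}={message}; Path=/; HttpOnly; SameSite=Lax"


def set_cookie_header(name: str, message: str) -> str:
    """The hardened shape: only the encoded form is ever serialised."""
    encoded = encode_cookie_value(message)
    if not is_valid_cookie_value(encoded):   # cannot happen, but fail closed
        raise ValueError("cookie value contains illegal octets")
    return f"Set-Cookie: {name}={encoded}; Path=/; HttpOnly; SameSite=Lax"


def header_lines(header: str) -> int:
    """Count how many HTTP header lines a rendered header would produce."""
    return len([ln for ln in header.split("\r\n") if ln])
```

With a message containing "\r\nSet-Cookie: ..." the unsafe form renders two header lines, the hardened form exactly one; the login view then decodes the value with decode_cookie_value() before displaying it.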
Zuul
c8d92aebb1 Merge "pylint: Address no-else-return warning" 2020-10-26 11:15:25 +00:00
Ivan Kolodyazhny
8a963626e1 Added validation for csrf_failure GET argument
During csrf_failure argument validation horizon drops unknown messages
so nobody can inject any message into the login view.

Change-Id: I78a7592562a6249629f4d236ca59eb83d9094123
Closes-Bug: #1898465
2020-10-12 14:37:07 +03:00
Akihiro Motoki
692778f8cf pylint: Address no-else-return warning
This pylint check 'no-else-return' might be debatable,
but as far as I checked it works in most cases.

Change-Id: Ie8574d4a529454c6e050fa62a7a17ea097d00240
2020-09-27 12:44:16 +09:00
Radomir Dopieralski
6ffeb3caba Fix template lookup errors on the login page
This patch makes sure that all the variables and attributes that the
login page templates use are always defined, to avoid annoying lookup
errors in the logs.

There is still an error about request.COOKIES.logout_reason because
I'm not entirely sure how to best handle that one.

Change-Id: I692ea70bc09b819b39587f5bd6cb4e729731754f
2020-05-18 16:05:11 +02:00
Ivan Kolodyazhny
ee6fa9a245 Remove Keystone v2 related code
Keystone v2 support was removed in Train, so it's safe to do such cleanup.

* Functions which just return horizon settings are dropped and
  the settings are referred directly now.
* The service catalog in the sample test data is updated to match
  the format of the keystone API v3.
* Related to the above change of the sample service catalog,
  openstack_dashboard.test.unit.api.test_keystone.ServiceAPITests is
  updated to specify the region name explicitly because 'RegionTwo'
  endpoint is no longer the second entry of the endpoint list in the
  keystone API v3.

Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Ib60f360c96341fa5c618595f4a9bfdfe7ec5ae83
2020-04-23 11:43:12 +09:00
Ivan Kolodyazhny
086c6607ef Add auth_type to template context for openrc file rendering
We need to pass the auth_type value to the template because different
templates could be rendered for credentials and websso auth_type.

Closes-Bug: #1871806
Change-Id: If218813e0b4a8cc51c4e590081c5f3c50b35b8a7
2020-04-09 09:19:47 +00:00
Ivan Kolodyazhny
5dd2bf5fb6 Remove six usage from openstack_auth package
We don't support Python 2 anymore so we don't need this
compatibility library.

Change-Id: I0ecd706af1b4432fe439472189444141853c9d0b
2020-01-09 16:54:54 +02:00
Zuul
fd08f3672f Merge "Don't display expiration warning for expiration date in the past" 2019-09-25 22:42:04 +00:00
Radomir Dopieralski
3ba5da30d3 Don't display expiration warning for expiration date in the past
If the expiration date of a password is in the past, don't display the
expiration warning, as it's not helpful and confuses the user.

This can happen after a user whose password was set to be changed on the
first login changes it, but probably also in other situations, depending
on how many more bugs in Keystone there are around expiring passwords.

Change-Id: Ib79f6ef354c456bbdc2d7c1d4371ae15e825b557
2019-09-17 20:55:34 +02:00
Radomir Dopieralski
9d98a0c24d Automatically redirect to the password change when it's expired
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.

I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).

Partially implements blueprint: allow-users-change-expired-password

Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
2019-09-16 12:45:23 +02:00
Radomir Dopieralski
ceb221f6ac Add a view for changing user password while not logged in
Keystone's API for changing the user password doesn't require
authentication, so we can have a page that doesn't require it too.
In order to change the password, the user has to provide their old
password. This is needed for when the password is expired or when
it has to be changed on first use.

The next step will be adding a redirect to this page when a password
is expired or required to be changed.

Part of blueprint: allow-users-change-expired-password
Change-Id: I3b207ef6c5a3095022a2acb64d3988e127f0f49a
2019-09-13 00:03:08 +09:00
Akihiro Motoki
e56e076ea8 Define default settings explicitly (openstack_auth)
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.

Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.

Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
2019-09-12 15:05:56 +09:00
Zuul
3abaeda160 Merge "trivial: Remove vendored 'is_safe_url' function" 2019-09-11 06:14:00 +00:00
Zuul
10bb108cb8 Merge "trivial: Add TODOs for remaining function-based views" 2019-09-11 04:40:38 +00:00
Stephen Finucane
1de8e806e0 trivial: Remove vendored 'is_safe_url' function
This has been present since at least Django 1.6 [1], though the comment
on the removed function suggests it might have been earlier (pre-Git
days, perhaps?).

[1] https://github.com/django/django/commit/a2f2a399566

Change-Id: Ib6978ffa8d3962383fbc0a1c3cfd9da9e162f7dd
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2019-09-11 03:33:41 +00:00
Stephen Finucane
ea24949ede trivial: Add TODOs for remaining function-based views
These are going the way of the dinosaur and will eventually need to be
replaced, some of them in coming patches.

Change-Id: I3a1d514c8770478349b4f91b128c8230b108d979
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2019-09-11 07:29:49 +09:00
Stephen Finucane
97993e0c6f django22: Call 'is_safe_url' with 'allowed_hosts'
Per the Django 2.1 release notes [1]:

  'allowed_hosts' is now a required argument of private API
  'django.utils.http.is_safe_url()'.

This was actually changed in [2], [3].

[1] https://docs.djangoproject.com/en/2.2/releases/2.1/#miscellaneous
[2] https://github.com/django/django/commit/96107e2844d
[3] https://github.com/django/django/commit/1e81a4b897b

Change-Id: Ibfd61c7197602aad9a833280f74f50e7819a39dd
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2019-08-27 11:19:25 +01:00
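Several entries in this log touch the same check: the django22 commit above that made allowed_hosts a required argument of is_safe_url(), the removal of the vendored copy (1de8e806e0), and the later rename to url_has_allowed_host_and_scheme() (00def145de and its follow-up 33efe3179d). What that function protects is the post-login "next" redirect, and the point of the allowed_hosts argument is that a relative-looking URL is not enough: scheme-relative, backslash and control-character spellings all resolve to an attacker's host in a browser. The following is an added example for this page, a stand-alone reimplementation modelled on Django's semantics rather than Django's or Horizon's code; the host names are constructed.

```python
"""Validate a post-login 'next' URL against an allow-list of hosts.

Added example modelled on Django's url_has_allowed_host_and_scheme(); it is
a stand-alone reimplementation, not Django's or Horizon's code. Host names
used with it are constructed.
"""
import unicodedata
from urllib.parse import urlsplit


def url_is_local_redirect(url, allowed_hosts, require_https=False):
    """True only if url is relative or its host is in allowed_hosts, and
    its scheme (if any) is http/https (https only when require_https)."""
    if url is not None:
        url = url.strip()
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Chrome and others treat '\' as '/', so "\\evil.example" must be rejected
    # exactly like "//evil.example": both spellings have to pass.
    return (_check(url, allowed_hosts, require_https)
            and _check(url.replace("\\", "/"), allowed_hosts, require_https))


def _check(url, allowed_hosts, require_https):
    # urlsplit() sees "///evil.example" as a path, browsers see a host.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. invalid IPv6 literal
        return False
    # A scheme with no host ("javascript:alert(1)", "data:...") is never local.
    if not parts.netloc and parts.scheme:
        return False
    # A leading control character can hide a scheme or host from the parser.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:
        scheme = "http"           # scheme-relative "//host/" inherits http(s)
    valid_schemes = {"https"} if require_https else {"http", "https"}
    return ((not parts.netloc or parts.netloc in allowed_hosts)
            and (not scheme or scheme in valid_schemes))


def safe_next_url(url, allowed_hosts, fallback="/"):
    """Return url if it passes, otherwise the fallback landing page."""
    return url if url_is_local_redirect(url, allowed_hosts) else fallback
```

In a Django view the allowed_hosts argument would be the set containing request.get_host(), which is why the argument cannot default to anything sensible inside the library and was made mandatory.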
Stephen Finucane
fff89e69df django22: Add 'request' as first argument to 'authenticate'
As noted in the Django 2.1 release notes [1]:

  The authenticate() method of authentication backends requires request
  as the first positional argument.

This can be seen here [2]. Simple enough, though it took me ages to
figure this out because Django gave me *zero* warning that a backend
because of this change. Heck, raising the TypeError would have helped :(

[1] https://docs.djangoproject.com/en/2.2/releases/2.1/#features-removed-in-2-1
[2] https://github.com/django/django/commit/5e31be1b96f

Change-Id: I0dd37d33c8e42a70c00a9f1460c1cec86c5b6006
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2019-08-27 11:19:25 +01:00
Stephen Finucane
7938f36016 django22: The 'login' functional-based view is gone (pt. 2)
This is the larger change. We could attempt to rewrite this whole thing
to a class-based view but that's more work than it's worth right now.
Instead, we simply do what the now-removed 'login' function-based view
was doing, as seen at [1].

A lot of never-used customizability is removed because it's not needed
and made things more complicated than it needed to be.

[1] https://github.com/django/django/blob/1.11/django/contrib/auth/views.py#L133-L139

Change-Id: Ib934d8a2c32cb32761558a68f061f415bb8737c4
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2019-08-27 11:19:25 +01:00
zhufl
080373033e Add missing ws separator between words
This is to add missing ws separator between words.

Change-Id: Icfe0c1f6893b5c54dfa0ef7fe15499b3b50079ed
2019-04-15 15:07:11 +08:00
Sergey Vilgelm
2842d7df37 Fix untrusted dashboard host
The `openstack_auth login` view uses `request.build_absolute_uri` function
to build an origin uri when websso is enabled and
the WEBSSO_DEFAULT_REDIRECT_PROTOCOL is set.
This function doesn't insert the `WEBROOT` variable into the URI, which causes an
error:
    http://domain.name/auth/websso/ is not a trusted dashboard host
Using the `build_absolute_uri` from `utils` module fixes this problem. It
generates the right uri:
    http://domain.name/dashboard/auth/websso/

Change-Id: I94100f66a9f07eb8da75d344cbd120838fe25d1e
2019-01-22 23:17:33 -06:00
Akihiro Motoki
6ce323307d pylint: fixes several errors
openstack_dashboard/hooks.py:16:0: E0611: No name 'command' in module 'distutils' (no-name-in-module)

openstack_dashboard/dashboards/project/networks/ports/sg_base.py:52:12: E1111: Assigning result of a function call, where the function has no return (assignment-from-no-return)
BaseSecurityGroupsAction._get_initial_security_groups() is now marked
as abstract method because this method must be implemented in subclasses.
BaseSecurityGroupsAction.handle() is now dropped because there is
no difference from the parent class (horizon.workflows.Action).

openstack_auth/views.py:211:4: E1206: Not enough arguments for logging format string (logging-too-few-args)
openstack_auth/views.py:269:8: E1206: Not enough arguments for logging format string (logging-too-few-args)
openstack_auth/plugin/base.py:237:20: E1206: Not enough arguments for logging format string (logging-too-few-args)

horizon/base.py:166:24: E1133: Non-iterable value self.policy_rules is used in an iterating context (not-an-iterable)
horizon/tabs/base.py:489:40: E1133: Non-iterable value self.table_classes is used in an iterating context (not-an-iterable)

Change-Id: I0b045d04af251854b5017c9f698e3b40503a0724
2019-01-16 00:00:07 +09:00
Akihiro Motoki
6e1348d05f pylint: fix several warnings
openstack_dashboard/theme_settings.py:63:8: W1201: Specify string format arguments as logging function parameters (logging-not-lazy)
openstack_dashboard/settings.py:412:24: W0122: Use of exec (exec-used)
openstack_dashboard/dashboards/identity/domains/workflows.py:476:44: W0640: Cell variable group_id defined in loop (cell-var-from-loop)
openstack_dashboard/dashboards/identity/projects/workflows.py:906:49: W0640: Cell variable group_id defined in loop (cell-var-from-loop)
openstack_dashboard/dashboards/admin/networks/views.py:42:0: W0404: Reimport 'views' (imported line 28) (reimported)
openstack_dashboard/api/swift.py:204:0: W0102: Dangerous default value {} as argument (dangerous-default-value)
openstack_dashboard/api/swift.py:214:0: W0102: Dangerous default value {} as argument (dangerous-default-value)
openstack_dashboard/api/cinder.py:248:30: W0631: Using possibly undefined loop variable 'cinder_url' (undefined-loop-variable)
openstack_auth/backend.py:123:28: W0631: Using possibly undefined loop variable 'plugin' (undefined-loop-variable)
openstack_auth/backend.py:129:39: W0631: Using possibly undefined loop variable 'plugin' (undefined-loop-variable)
openstack_auth/backend.py:131:39: W0631: Using possibly undefined loop variable 'plugin' (undefined-loop-variable)
openstack_auth/views.py:39:0: W0611: Unused Login imported from openstack_auth.forms (unused-import)
horizon/exceptions.py:348:8: W0125: Using a conditional statement with a constant value (using-constant-test)
horizon/tables/base.py:353:12: W0715: Exception arguments suggest string formatting might be intended (raising-format-tuple)

Change-Id: Icf4f22abda77c9dbf98c780de876b7836c31d669
2019-01-15 00:22:27 +09:00
sapd
f8eb17c59b Get scope token of current project when switch Keystone Provider
Closes-Bug: #1806621

Change-Id: Ice5b56777967566770454bfbd6800bf3b8c57a37
2018-12-10 00:15:36 +07:00
Zuul
b30331224f Merge "Bump hacking to 1.1.0" 2018-11-14 09:19:47 +00:00
Akihiro Motoki
cebe212d00 Bump hacking to 1.1.0
Fix the following new errors:
* E305 expected 2 blank lines after class or function definition, found 1
* E126 continuation line over-indented for hanging indent

max_line_length is set to 80 as the default value in pycodestyle is 79
but horizon uses 80 as max_line_length.

Ignore W504 and F405 by configurations.
Reasons of disabling them are explained as comments in tox.ini.

Change-Id: Iee8bcd60c30883fc8c74f08cf20af853cbb5e271
2018-11-10 16:44:25 +09:00
Radomir Dopieralski
1953c689e8 Properly calculate auth_url for WEBSSO from POST data
The redirect for WEBSSO takes its data directly from the request's
POST data, and the format of that data has changed, so now we need
to convert it for it to work correctly.

Change-Id: I5b18e555a9bc6b24be1e59465f07e73e99739e22
closes-bug: #1794710
2018-10-31 14:49:06 +01:00
Guang Yee
a53f012fa1 support WEBSSO_KEYSTONE_URL
Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
deployments where network segmentation is used per security requirements.
In this case, the controllers are not reachable from the public network.
Therefore, the user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
if it is set to the internal endpoint.

If WEBSSO_KEYSTONE_URL is set, it will be used instead of
OPENSTACK_KEYSTONE_URL.

Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
Closes-bug: #1544703
2018-10-08 10:44:25 -07:00
Jose Castro Leon
7fc8018956 Allow to specify redirections on single IdP scenarios
In scenarios where the cloud operators have only a single Identity Provider,
we can have a default redirection to remove unnecessary user clicks and
improve user experience.

Closes-bug: #1784368

Change-Id: I251703dcaeac43174fbcba7e0658c6f92098b2e0
2018-08-13 12:11:45 +02:00
vmarkov
61a79a9b7a Show WEBSSO disclaimer only when it is needed
Horizon can support several auth mechanisms, i.e. Keystone creds and
OpenID. The user is allowed to choose the proper way of auth and a disclaimer is
shown. But it is possible to allow choosing from only one variant, and in
this case the disclaimer is also shown, which is confusing. The proposed patch fixes
the disclaimer display and makes it reasonable.

Closes-bug: #1774623
Change-Id: Ib039c6fdf1e4cd21b5ebe426fe2a15355a37353c
2018-06-04 15:49:54 +03:00
Akihiro Motoki
71993e3c98 Drop deprecated settings
- HORIZON_IMAGES_ALLOW_UPLOAD (deprecated in Newton)
- CUSTOM_THEME_PATH (deprecated in Mitaka)
- DEFAULT_THEME_PATH (deprecated in Mitaka)
- OPENSTACK_TOKEN_HASH_ENABLED (deprecated in Mitaka)
- TOKEN_DELETION_DISABLED
  (not documented but it was marked as deprecated in Ocata
   in django-openstack-auth commit 5810f9c6)

The logic related to the dropped deprecated settings
has been dropped too.

- custom_path and default_path of get_available_themes() were
  dropped as they are no longer needed in favor of
  the removal of CUSTOM_THEME_PATH and DEFAULT_THEME_PATH.
- Unused remove_project_cache(), is_token_deletion_disabled()
  and delete_token() have been dropped.

Change-Id: Ic9406623cc092884c4136f78fb967b129bfda487
2018-03-23 18:37:02 +09:00
Akihiro Motoki
1a252cb5e8 django2: is_authenticated/is_anonymous is now property only
https://docs.djangoproject.com/en/2.0/releases/1.10/#user-is-auth-anon-deprecation

blueprint django2-support
Change-Id: I57a39417f0595eae8d1c06d7e61d0a67078bb231
2018-02-17 01:36:54 +09:00
Ola Khalifa
c9a143fab4 Horizon UI message when browser cookies disabled
Used Django's CSRF_FAILURE_VIEW setting to create
a view indicating the reason the request was rejected.
This information is passed on to the login page so it
can render the error.

Change-Id: I61c7195c9bafb269816fde12b058e19ebc69953c
Closes-Bug: #1412483
2018-01-29 07:58:41 +00:00
Rob Cresswell
e3e5812b19 Add Django OpenStack Auth to Horizon
Moves Django OpenStack Auth content to Horizon, since they are so
tightly coupled. This cleans up the development workflow and should
make keystone / auth related contributions easier.

Implements: blueprint merge-openstack-auth
Change-Id: Ia1cdc47bad1ca6e633073a9f9445b0c7f70d05bc
2017-09-27 12:06:57 +01:00