Currently, the value stored in the services_region cookie is ignored
when logging into horizon. This causes confusion for users that have
previously selected one region, to find themselves in a different
region after their token expires and are forced to log in again.
This change sets the services_region session value to the value present
in the cookie, with a fallback to the login region.
Closes-bug: #2040455
Change-Id: I051648844bf8dffce792ff553e9949285b1be6d4
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
These imports were kept to keep compatibility between separate
django-openstack-auth and horizon, but is no longer necessary since
horizon adopted to the new path and also django-openstack-auth was
merged into horizon very long ago.
Change-Id: I12dc4d585352477fded1aa96e8f712242849f843
This patch adds support for MFA TOTP on openstack dashboard.
A new configuration variable OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
was added false by default.
If enabled, users needing TOTP are prompted with a new form.
keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
Demonstration video : https://youtu.be/prDJJdFoMpM
Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff
Blueprint: #totp-support
Closes-Bug: #2030477
This passes the client IP to the keystoneauth1 Session's
original_ip parameter.
This sets the Forwarder HTTP header so that when the request
lands in Keystone the request can actually be interpreted who
made the request and not only that it was proxied by Horizon.
Forwarded: for=100.64.10.1;by=openstack_auth keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.6.8
In the above example header the 100.64.10.1 is the client IP
that is sent from a load balancer in the X-Forwarded-For header
while the actual REMOTE_ADDR in the HTTP request is the load balancers
IP address.
Change-Id: I52da9dcd7fb6b1ac46852718f285795628121e26
This patch is a follow-up patch of 00def145de which renamed
is_safe_url() -> url_has_allowed_host_and_scheme() because
is_safe_url() is deprecated in Django 3.0.
For more info, please refer [1].
[1] https://docs.djangoproject.com/en/4.0/releases/3.0/#deprecated-features-3-0
Change-Id: I419f328916650093396fc153932a5053c3fa6b0e
Since the normal form doesn't have a request attribute, we have to
pass the initial value for the region from the view.
Change-Id: Icea647ad13718b74528922f362ad665be1392e9b
Closes-bug: #1957926
HttpRequest.is_ajax() was marked as deprecated since Django 3.1 and will be
removed in Django 4.0 [1].
While the current implementation of is_ajax() relies on a jQuery-specific way
of signifying AJAX as noted in the Django relnotes, horizon works with this.
Thus this commit copies the existing logic of HttpRequest.is_ajax() to the
horizon repo (as horizon.utils.http.is_ajax()) and consumes it.
https: //docs.djangoproject.com/en/4.0/releases/3.1/#features-deprecated-in-3-1
Change-Id: I3def53033524985818a891a1b9d4659fad4ba2ba
django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(),
ungettext(), and ungettext_lazy() are deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext(),
gettext_lazy(), gettext_noop(), ngettext(), and ngettext_lazy().
https://docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I77878f84e9d10cf6a136dada81eabf4e18676250
By using OPENSTACK_KEYSTONE_URL instead of the HTTP_REFERRER
the authentication request between Horizon and Keystone continues
to work in situations where the HTTP_REFERRER is an external keystone
endpoint that Horizon does not have access to.
Change-Id: I9c5c8d59c5f5a8570dbb563ae224d45406a73ba5
Closes-bug: #1874705
This pylint check 'no-else-return' might be debatable.
but as far as I checked it works in most cases.
Change-Id: Ie8574d4a529454c6e050fa62a7a17ea097d00240
This patch makes sure that all the variables and attributes that the
login page templates use are always defined, to avoid annoying lookup
errors in the logs.
There is still an error about request.COOKIES.logout_reason because
I'm not entirely sure how to best handle that one.
Change-Id: I692ea70bc09b819b39587f5bd6cb4e729731754f
Kyestone V2 support was removed in Train, so it's safe to do such cleanup.
* Functions which just return horizon settings are dropped and
the settings are referred directly now.
* The service catalog in the sample test data is updated to match
the format of the keystone API v3.
* Related to the above change of the sample service catalog,
openstack_dashboard.test.unit.api.test_keystone.ServiceAPITests is
updated to specify the region name explicitly because 'RegionTwo'
endpoint is no longer the second entry of the endpoint list in the
keystone API v3.
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Ib60f360c96341fa5c618595f4a9bfdfe7ec5ae83
We need to path auth_type value to the template because different
templates could be rendered for credentials and websso auth_type.
Closes-Bug: #1871806
Change-Id: If218813e0b4a8cc51c4e590081c5f3c50b35b8a7
If the expiration date of a password is in the past, don't display the
expiration warning, as it's not helpful and confuses the user.
This can happen after a user whose password was set to be changed on the
first login changes it, but probably also in other situations, depending
on how many more bugs in Keystone there are around expiring passwords.
Change-Id: Ib79f6ef354c456bbdc2d7c1d4371ae15e825b557
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.
I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).
Partially implements blueprint: allow-users-change-expired-password
Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
Keystone's API for changing the user password doesn't require
authentication, so we can have a page that doesn't require it too.
In order to change the password, the user has to provide their old
password. This is needed for when the password is expired or when
it has to be changed on first use.
The next step will be adding a redirect to this page when a password
is expired or required to be changed.
Part of blueprint: allow-users-change-expired-password
Change-Id: I3b207ef6c5a3095022a2acb64d3988e127f0f49a
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.
Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.
Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
This has been present since at least Django 1.6 [1], though the comment
on the removed function suggests it might have been earlier (pre-Git
days, perhaps?).
[1] https://github.com/django/django/commit/a2f2a399566
Change-Id: Ib6978ffa8d3962383fbc0a1c3cfd9da9e162f7dd
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
These are going the way of the dinosaur and will eventually need to be
replaced, some of them in coming patches.
Change-Id: I3a1d514c8770478349b4f91b128c8230b108d979
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
As noted in the Django 2.1 release notes [1]:
The authenticate() method of authentication backends requires request
as the first positional argument.
This can be seen here [2]. Simple enough, though it took me ages to
figure this out because Django gave me *zero* warning that a backend
because of this change. Heck, raising the TypeError would have helped :(
[1] https://docs.djangoproject.com/en/2.2/releases/2.1/#features-removed-in-2-1
[2] https://github.com/django/django/commit/5e31be1b96f
Change-Id: I0dd37d33c8e42a70c00a9f1460c1cec86c5b6006
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This is the larger change. We could attempt to rewrite this whole thing
to a class-based view but that's more work that it's worth right now.
Instead, we simply do what the now-removed 'login' function-based view
was doing, as seen at [1].
A lot of never-used customizability is removed because it's not needed
and made things more complicated than it needed to be.
[1] https://github.com/django/django/blob/1.11/django/contrib/auth/views.py#L133-L139
Change-Id: Ib934d8a2c32cb32761558a68f061f415bb8737c4
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The `openstack_auth login` view uses `request.build_absolute_uri` function
to build an origin uri when websso is enabled and
the WEBSSO_DEFAULT_REDIRECT_PROTOCOL is set.
This function doesn't insert the `WEBROOT` variable into uri what causes an
error:
http://domain.name/auth/websso/ is not a trusted dashboard host
Using the `build_absolute_uri` from `utils` module fixes this problem. It
generates the right uri:
http://domain.name/dashboard/auth/websso/
Change-Id: I94100f66a9f07eb8da75d344cbd120838fe25d1e
openstack_dashboard/hooks.py:16:0: E0611: No name 'command' in module 'distutils' (no-name-in-module)
openstack_dashboard/dashboards/project/networks/ports/sg_base.py:52:12: E1111: Assigning result of a function call, where the function has no return (assignment-from-no-return)
BaseSecurityGroupsAction._get_initial_security_groups() is now marked
as abstract method because this method must be implemented in subclasses.
BaseSecurityGroupsAction.handle() is now dropped because there is
no difference from the parent class (horizon.workflows.Action).
openstack_auth/views.py:211:4: E1206: Not enough arguments for logging format string (logging-too-few-args)
openstack_auth/views.py:269:8: E1206: Not enough arguments for logging format string (logging-too-few-args)
openstack_auth/plugin/base.py:237:20: E1206: Not enough arguments for logging format string (logging-too-few-args)
horizon/base.py:166:24: E1133: Non-iterable value self.policy_rules is used in an iterating context (not-an-iterable)
horizon/tabs/base.py:489:40: E1133: Non-iterable value self.table_classes is used in an iterating context (not-an-iterable)
Change-Id: I0b045d04af251854b5017c9f698e3b40503a0724
Fix the following new errors:
* E305 expected 2 blank lines after class or function definition, found 1
* E126 continuation line over-indented for hanging indent
max_line_length is set to 80 as the default value in pycodestyle is 79
but horizon uses 80 as max_line_length.
Ignore W504 and F405 by configurations.
Reasons of disabling them are explained as comments in tox.ini.
Change-Id: Iee8bcd60c30883fc8c74f08cf20af853cbb5e271
The redirect for WEBSSO takes its data directly from the request's
POST data, and the format of that data has changed, so now we need
to convert it for it to work correctly.
Change-Id: I5b18e555a9bc6b24be1e59465f07e73e99739e22
closes-bug: #1794710
Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
deployments where network segmentation is used per security requirement.
In this case, the controllers are not reachable from public network.
Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
if it is set to the internal endpoint.
If WEBSSO_KEYSTONE_URL is set, it will be used instead of
OPENSTACK_KEYSTONE_URL.
Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
Closes-bug: #1544703