Horizon openstack dashboard rest API unit tests only
pass the project_id to oslo.policy to verify the service
policy rule RBAC. This was passing till now as services
allow 'owner' (which only checks project_id) to pass
the policy checks.
As per new RBAC, project_id is not enough and proper
role should be passed. For example, 'owner' in the new
RBAC means either the 'member' or 'reader' role with project_id.
oslo.policy 4.4.0 enables the new RBAC by default
- https://review.opendev.org/c/openstack/releases/+/925032
and requirement change to use the oslo.policy 4.4.0 in
upper-constraints is blocked with the horizon failure
- https://review.opendev.org/c/openstack/requirements/+/925464
This commit fixes the test to use the right role along with
the project_id so that policy rules can be checked correctly.
Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464
Change-Id: I840996fd2635bca853da02c630a7ab3761576821

Python >= 3.9 provides the zoneinfo module to manipulate timezones.
Replace pytz by the built-in library to reduce external dependency.
Change-Id: I22707f966b692c056cedecaa83bf2cb0a29c09aa

Currently, the value stored in the services_region cookie is ignored
when logging into horizon. This causes confusion for users who have
previously selected one region and then find themselves in a different
region after their token expires and they are forced to log in again.
This change sets the services_region session value to the value present
in the cookie, with a fallback to the login region.
Closes-bug: #2040455
Change-Id: I051648844bf8dffce792ff553e9949285b1be6d4
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>

These imports were kept to keep compatibility between separate
django-openstack-auth and horizon, but are no longer necessary since
horizon adopted the new path and also django-openstack-auth was
merged into horizon very long ago.
Change-Id: I12dc4d585352477fded1aa96e8f712242849f843

This patch adds support for MFA TOTP on openstack dashboard.
A new configuration variable, OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED,
was added, false by default.
If enabled, users needing TOTP are prompted with a new form.
keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
Demonstration video: https://youtu.be/prDJJdFoMpM
Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff
Blueprint: #totp-support
Closes-Bug: #2030477

This is a follow-up of I8438bedaf7cead452fc499e484d23690b48894d9 and
ensures the OPENSTACK_ENDPOINT_TYPE parameter is used when
OPENSTACK_KEYSTONE_ENDPOINT_TYPE is not set. This avoids a
backward-incompatible change which affects deployments with endpoint type set
to non-default values.
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I94d2d3e31fc0103773fb5d3ed2f5f792e8851f78

[1] changed the previous behavior of Horizon by
changing the hardcoded internal endpoint type to using
OPENSTACK_ENDPOINT_TYPE so it's no longer possible to use
internal endpoint type for Keystone but public for others.
This adds the OPENSTACK_KEYSTONE_ENDPOINT_TYPE config opt
to set the endpoint type for Keystone when grabbing it from
the service catalog.
[1] https://review.opendev.org/c/openstack/horizon/+/730781
Change-Id: I8438bedaf7cead452fc499e484d23690b48894d9

This passes the client IP to the keystoneauth1 Session's
original_ip parameter.
This sets the Forwarded HTTP header so that when the request
lands in Keystone, it can actually be determined who
made the request and not only that it was proxied by Horizon.
Forwarded: for=100.64.10.1;by=openstack_auth keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.6.8
In the above example header, 100.64.10.1 is the client IP
that is sent from a load balancer in the X-Forwarded-For header
while the actual REMOTE_ADDR in the HTTP request is the load balancer's
IP address.
Change-Id: I52da9dcd7fb6b1ac46852718f285795628121e26

This patch is a follow-up patch of 00def145de which renamed
is_safe_url() -> url_has_allowed_host_and_scheme() because
is_safe_url() is deprecated in Django 3.0.
For more info, please refer to [1].
[1] https://docs.djangoproject.com/en/4.0/releases/3.0/#deprecated-features-3-0
Change-Id: I419f328916650093396fc153932a5053c3fa6b0e

Since the normal form doesn't have a request attribute, we have to
pass the initial value for the region from the view.
Change-Id: Icea647ad13718b74528922f362ad665be1392e9b
Closes-bug: #1957926

HttpRequest.is_ajax() was marked as deprecated since Django 3.1 and will be
removed in Django 4.0 [1].
While the current implementation of is_ajax() relies on a jQuery-specific way
of signifying AJAX as noted in the Django relnotes, horizon works with this.
Thus this commit copies the existing logic of HttpRequest.is_ajax() to the
horizon repo (as horizon.utils.http.is_ajax()) and consumes it.
[1] https://docs.djangoproject.com/en/4.0/releases/3.1/#features-deprecated-in-3-1
Change-Id: I3def53033524985818a891a1b9d4659fad4ba2ba

django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(),
ungettext(), and ungettext_lazy() are deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext(),
gettext_lazy(), gettext_noop(), ngettext(), and ngettext_lazy().
https://docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I77878f84e9d10cf6a136dada81eabf4e18676250

By using OPENSTACK_KEYSTONE_URL instead of the HTTP_REFERRER
the authentication request between Horizon and Keystone continues
to work in situations where the HTTP_REFERRER is an external keystone
endpoint that Horizon does not have access to.
Change-Id: I9c5c8d59c5f5a8570dbb563ae224d45406a73ba5
Closes-bug: #1874705

Autofocus on the login screen now is on the first field. It's either
"User Name" or "Domain" with multidomain support. However it appears
to be more convenient to keep the focus on "User Name" whether there
is multidomain support or not. Also "Domain" is pre-filled with the
last domain used, so often there's no need to change it.
This patch moves the "Domain" field under "User Name" and "Password" and
keeps autofocus always on "User Name".
Closes-Bug: #1916958
Change-Id: I590ce3a5cbaa0ebb470228a7114a60ff89467835

This change ensures that horizon tries to load all policy files even
if an invalid policy file is found, so that horizon can use as many
policy rules as it can parse.
Closes-Bug: #1917483
Change-Id: I24f8da71460129ee7162af5f307a7e405addb15d

Some tests in openstack_auth test_policy explicitly call enable/disable
of the settings class. We usually use the @override_settings decorator and
it automatically disables setting overriding when exiting the decorator.
Let's use it for consistency.
Change-Id: I30cc97798ddf0c55ef4e05c885ffc8ef99a7be81

This commit allows horizon to handle deprecated policy rules.
The approach is explained in the document updated by this change.
oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen
just because it is the first release in Victoria cycle.
requirements.txt and lower-constraints.txt are updated accordingly
including oslo.policy dependencies.
Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e