4 changes: 2 additions & 2 deletions .dryrunsecurity.yaml
Expand Up @@ -40,8 +40,8 @@ sensitiveCodepaths:
- 'dojo/middleware.py'
- 'dojo/models.py'
- 'dojo/okta.py'
- 'dojo/pipeline.py'
- 'dojo/remote_user.py'
- 'dojo/sso/pipeline.py'
- 'dojo/sso/remote_user.py'
- 'dojo/tasks.py'
- 'dojo/urls.py'
- 'dojo/utils.py'
16 changes: 0 additions & 16 deletions dojo/context_processors.py
Expand Up @@ -16,22 +16,6 @@ def globalize_vars(request):
"FORGOT_PASSWORD": settings.FORGOT_PASSWORD,
"FORGOT_USERNAME": settings.FORGOT_USERNAME,
"CLASSIC_AUTH_ENABLED": settings.CLASSIC_AUTH_ENABLED,
"OIDC_ENABLED": settings.OIDC_AUTH_ENABLED,
"SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT,
"AUTH0_ENABLED": settings.AUTH0_OAUTH2_ENABLED,
"GOOGLE_ENABLED": settings.GOOGLE_OAUTH_ENABLED,
"OKTA_ENABLED": settings.OKTA_OAUTH_ENABLED,
"GITLAB_ENABLED": settings.GITLAB_OAUTH2_ENABLED,
"AZUREAD_TENANT_OAUTH2_ENABLED": settings.AZUREAD_TENANT_OAUTH2_ENABLED,
"AZUREAD_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS,
"AZUREAD_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER,
"AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS,
"KEYCLOAK_ENABLED": settings.KEYCLOAK_OAUTH2_ENABLED,
"SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT,
"GITHUB_ENTERPRISE_ENABLED": settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED,
"SAML2_ENABLED": settings.SAML2_ENABLED,
"SAML2_LOGIN_BUTTON_TEXT": settings.SAML2_LOGIN_BUTTON_TEXT,
"SAML2_LOGOUT_URL": settings.SAML2_LOGOUT_URL,
"DOCUMENTATION_URL": settings.DOCUMENTATION_URL,
"API_TOKENS_ENABLED": settings.API_TOKENS_ENABLED,
"API_TOKEN_AUTH_ENDPOINT_ENABLED": settings.API_TOKEN_AUTH_ENDPOINT_ENABLED,
30 changes: 0 additions & 30 deletions dojo/middleware.py
Expand Up @@ -6,15 +6,10 @@
from urllib.parse import quote

import pghistory.middleware
import requests
from django.conf import settings
from django.contrib import messages
from django.db import models
from django.http import HttpResponseRedirect
from django.shortcuts import redirect
from django.urls import reverse
from social_core.exceptions import AuthCanceled, AuthFailed, AuthForbidden, AuthTokenError
from social_django.middleware import SocialAuthExceptionMiddleware
from watson.middleware import SearchContextMiddleware
from watson.search import search_context_manager

Expand Down Expand Up @@ -79,31 +74,6 @@ def __call__(self, request):
return response


class CustomSocialAuthExceptionMiddleware(SocialAuthExceptionMiddleware):
def process_exception(self, request, exception):
if isinstance(exception, requests.exceptions.RequestException):
messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_REQUEST_EXCEPTION)
return redirect("/login?force_login_form")
if isinstance(exception, AuthCanceled):
messages.warning(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_CANCELED)
return redirect("/login?force_login_form")
if isinstance(exception, AuthFailed):
messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FAILED)
return redirect("/login?force_login_form")
if isinstance(exception, AuthForbidden):
messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN)
return redirect("/login?force_login_form")
if isinstance(exception, AuthTokenError):
messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR)
return redirect("/login?force_login_form")
if isinstance(exception, TypeError) and "'NoneType' object is not iterable" in str(exception):
logger.warning("OIDC login error: NoneType is not iterable")
messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE)
return redirect("/login?force_login_form")
logger.error(f"Unhandled exception during social login: {exception}")
return super().process_exception(request, exception)


class DojoSytemSettingsMiddleware:
_thread_local = local()

446 changes: 17 additions & 429 deletions dojo/settings/settings.dist.py


File renamed without changes.
Empty file.
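--- /dev/null
+++ b/dojo/sso/context_processors.py
@@ -0,0 +1,22 @@
+from django.conf import settings
+
+
+def sso_context(request):
+    return {
+        "OIDC_ENABLED": settings.OIDC_AUTH_ENABLED,
+        "SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT,
+        "AUTH0_ENABLED": settings.AUTH0_OAUTH2_ENABLED,
+        "GOOGLE_ENABLED": settings.GOOGLE_OAUTH_ENABLED,
+        "OKTA_ENABLED": settings.OKTA_OAUTH_ENABLED,
+        "GITLAB_ENABLED": settings.GITLAB_OAUTH2_ENABLED,
+        "AZUREAD_TENANT_OAUTH2_ENABLED": settings.AZUREAD_TENANT_OAUTH2_ENABLED,
+        "AZUREAD_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS,
+        "AZUREAD_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER,
+        "AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS,
+        "KEYCLOAK_ENABLED": settings.KEYCLOAK_OAUTH2_ENABLED,
+        "SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT,
+        "GITHUB_ENTERPRISE_ENABLED": settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED,
+        "SAML2_ENABLED": settings.SAML2_ENABLED,
+        "SAML2_LOGIN_BUTTON_TEXT": settings.SAML2_LOGIN_BUTTON_TEXT,
+        "SAML2_LOGOUT_URL": settings.SAML2_LOGOUT_URL,
+    }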
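Review bot: `sso_context` has no docstring and its `request` parameter is never read, so nothing in the file tells a reader that the parameter exists only because Django calls every context processor with the request. I would add `"""Template context processor: expose the SSO/OAuth2/SAML2 settings as template variables. ``request`` is unused but required by Django's context-processor signature."""` directly under the `def`. The keys match the entries removed from `globalize_vars` in dojo/context_processors.py, so this looks like a pure move; a one-line comment above the dict noting that every value here is visible to every rendered template would make that boundary explicit for whoever extends it next. Whether this processor is registered in `TEMPLATES` cannot be confirmed from this page, since the settings.dist.py diff is not rendered.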
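--- /dev/null
+++ b/dojo/sso/middleware.py
@@ -0,0 +1,35 @@
+import logging
+
+import requests
+from django.conf import settings
+from django.contrib import messages
+from django.shortcuts import redirect
+from social_core.exceptions import AuthCanceled, AuthFailed, AuthForbidden, AuthTokenError
+from social_django.middleware import SocialAuthExceptionMiddleware
+
+logger = logging.getLogger(__name__)
+
+
+class CustomSocialAuthExceptionMiddleware(SocialAuthExceptionMiddleware):
+    def process_exception(self, request, exception):
+        if isinstance(exception, requests.exceptions.RequestException):
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_REQUEST_EXCEPTION)
+            return redirect("/login?force_login_form")
+        if isinstance(exception, AuthCanceled):
+            messages.warning(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_CANCELED)
+            return redirect("/login?force_login_form")
+        if isinstance(exception, AuthFailed):
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FAILED)
+            return redirect("/login?force_login_form")
+        if isinstance(exception, AuthForbidden):
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN)
+            return redirect("/login?force_login_form")
+        if isinstance(exception, AuthTokenError):
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR)
+            return redirect("/login?force_login_form")
+        if isinstance(exception, TypeError) and "'NoneType' object is not iterable" in str(exception):
+            logger.warning("OIDC login error: NoneType is not iterable")
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE)
+            return redirect("/login?force_login_form")
+        logger.error(f"Unhandled exception during social login: {exception}")
+        return super().process_exception(request, exception)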
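Review bot: The fallthrough `logger.error(f"Unhandled exception during social login: {exception}")` records only the exception's message and drops the traceback, so an unexpected failure in the social-login flow leaves nothing to diagnose; change it to `logger.error("Unhandled exception during social login: %s", exception, exc_info=True)`, which also uses the logging module's lazy formatting. The `TypeError` branch keys on the interpreter's message text `"'NoneType' object is not iterable"`, which is brittle across Python versions; the same match existed in the deleted dojo/middleware.py, so this is not new, but a comment naming the pipeline failure it stands in for would help the next person who sees it stop firing. The class also lacks a docstring; something like `"""Turn social-auth and HTTP errors raised during SSO login into a user-facing message and a redirect to the classic login form."""` states the contract that the six branches implement.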
File renamed without changes.
4 changes: 2 additions & 2 deletions dojo/remote_user.py → dojo/sso/remote_user.py
Expand Up @@ -8,7 +8,7 @@
from rest_framework.authentication import RemoteUserAuthentication as OriginalRemoteUserAuthentication

from dojo.models import Dojo_Group
from dojo.pipeline import assign_user_to_groups, cleanup_old_groups_for_user
from dojo.sso.pipeline import assign_user_to_groups, cleanup_old_groups_for_user

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -90,7 +90,7 @@ def configure_user(self, request, user, *, created=True):


class RemoteUserScheme(OpenApiAuthenticationExtension):
target_class = "dojo.remote_user.RemoteUserAuthentication"
target_class = "dojo.sso.remote_user.RemoteUserAuthentication"
name = "remoteUserAuth"
match_subclasses = True
priority = 1