diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
index b93a7d8d5e53..b1d0e087fe75 100644
--- a/awx/api/views/__init__.py
+++ b/awx/api/views/__init__.py
@@ -689,8 +689,8 @@ def get(self, request):
 data = OrderedDict()
 err_backend, err_message = request.session.get('social_auth_error', (None, None))
 auth_backends = list(load_backends(settings.AUTHENTICATION_BACKENDS, force_load=True).items())
- # Return auth backends in consistent order: Google, GitHub, SAML.
- auth_backends.sort(key=lambda x: 'g' if x[0] == 'google-oauth2' else x[0])
+ # Return auth backends in consistent order: oidc, saml.
+ auth_backends.sort(key=lambda x: x[0])
 for name, backend in auth_backends:
 login_url = reverse('social:begin', args=(name,))
 complete_url = request.build_absolute_uri(reverse('social:complete', args=(name,)))
diff --git a/awx/conf/migrations/0011_remove_social_oauth_conf.py b/awx/conf/migrations/0011_remove_social_oauth_conf.py
new file mode 100644
index 000000000000..b72db9398b61
--- /dev/null
+++ b/awx/conf/migrations/0011_remove_social_oauth_conf.py
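Review bot: The rewritten comment on the `+ # Return auth backends in consistent order: oidc, saml.` line hardcodes the current backend names, which is exactly how the old comment drifted (it still listed Google and GitHub while OIDC and Azure AD were also registered). State the rule rather than the instance, e.g. `# Return auth backends in a consistent order (sorted by backend name).`, so it stays true when backends are added or removed again. The sort key `lambda x: x[0]` could be `operator.itemgetter(0)` if `operator` is already imported in this module, which the hunk does not show. The enclosing `get` method continues past the end of the hunk.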
@@ -0,0 +1,82 @@
+# Generated by Django 4.2.10 on 2024-08-13 11:14
+
+from django.db import migrations
+
+SOCIAL_OAUTH_CONF_KEYS = [
+ # MICROSOFT AZURE ACTIVE DIRECTORY SETTINGS
+ 'SOCIAL_AUTH_AZUREAD_OAUTH2_CALLBACK_URL',
+ 'SOCIAL_AUTH_AZUREAD_OAUTH2_KEY',
+ 'SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET',
+ 'SOCIAL_AUTH_AZUREAD_OAUTH2_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_AZUREAD_OAUTH2_TEAM_MAP',
+ # GOOGLE OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_CALLBACK_URL',
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET',
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS',
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS',
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GOOGLE_OAUTH2_TEAM_MAP',
+ # GITHUB OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GITHUB_CALLBACK_URL',
+ 'SOCIAL_AUTH_GITHUB_KEY',
+ 'SOCIAL_AUTH_GITHUB_SECRET',
+ 'SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GITHUB_TEAM_MAP',
+ # GITHUB ORG OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GITHUB_ORG_CALLBACK_URL',
+ 'SOCIAL_AUTH_GITHUB_ORG_KEY',
+ 'SOCIAL_AUTH_GITHUB_ORG_SECRET',
+ 'SOCIAL_AUTH_GITHUB_ORG_NAME',
+ 'SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP',
+ # GITHUB TEAM OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GITHUB_TEAM_CALLBACK_URL',
+ 'SOCIAL_AUTH_GITHUB_TEAM_KEY',
+ 'SOCIAL_AUTH_GITHUB_TEAM_SECRET',
+ 'SOCIAL_AUTH_GITHUB_TEAM_ID',
+ 'SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP',
+ # GITHUB ENTERPRISE OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_CALLBACK_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_MAP',
+ # GITHUB ENTERPRISE ORG OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_CALLBACK_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_API_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_KEY',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_SECRET',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_NAME',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_TEAM_MAP',
+ # GITHUB ENTERPRISE TEAM OAUTH2 AUTHENTICATION SETTINGS
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_CALLBACK_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_API_URL',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_KEY',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_SECRET',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_ID',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_TEAM_MAP',
+]
+
+
+def remove_social_oauth_conf(apps, scheme_editor):
+ setting = apps.get_model('conf', 'Setting')
+ setting.objects.filter(key__in=SOCIAL_OAUTH_CONF_KEYS).delete()
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('conf', '0010_change_to_JSONField'),
+ ]
+
+ operations = [
+ migrations.RunPython(remove_social_oauth_conf),
+ ]
diff --git a/awx/main/tests/functional/api/test_settings.py b/awx/main/tests/functional/api/test_settings.py
index 04dd616c33da..5224833684d0 100644
--- a/awx/main/tests/functional/api/test_settings.py
+++ b/awx/main/tests/functional/api/test_settings.py
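Review bot: `migrations.RunPython(remove_social_oauth_conf)` in `operations` has no `reverse_code`, so Django treats the migration as irreversible and migrating back to `0010_change_to_JSONField` will refuse to unapply it; since the deleted rows cannot be restored anyway, declare the reverse as a no-op: `migrations.RunPython(remove_social_oauth_conf, migrations.RunPython.noop)`. The rows deleted by `filter(key__in=SOCIAL_OAUTH_CONF_KEYS).delete()` include the `*_SECRET` entries that `awx/sso/conf.py` registered with `encrypted=True`, and removing them is the right call (orphaned client credentials in the `Setting` table would otherwise outlive the backends that used them), but nothing in the file records that this upgrade step is destructive; a short module docstring saying that stored Google, GitHub and Azure AD OAuth2 settings are permanently discarded would let operators export them before upgrading. The second parameter is spelled `scheme_editor`; Django's convention is `schema_editor`, and the rename costs nothing.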
@@ -221,48 +221,3 @@ def test_saml_x509cert_validation(patch, get, admin, headers):
 },
 )
 assert resp.status_code == 200
-
-
-@pytest.mark.django_db
-def test_github_settings(get, put, patch, delete, admin):
- url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'github'})
- get(url, user=admin, expect=200)
- delete(url, user=admin, expect=204)
- response = get(url, user=admin, expect=200)
- data = dict(response.data.items())
- put(url, user=admin, data=data, expect=200)
- patch(url, user=admin, data={'SOCIAL_AUTH_GITHUB_KEY': '???'}, expect=200)
- response = get(url, user=admin, expect=200)
- assert response.data['SOCIAL_AUTH_GITHUB_KEY'] == '???'
- data.pop('SOCIAL_AUTH_GITHUB_KEY')
- put(url, user=admin, data=data, expect=200)
- response = get(url, user=admin, expect=200)
- assert response.data['SOCIAL_AUTH_GITHUB_KEY'] == ''
-
-
-@pytest.mark.django_db
-def test_github_enterprise_settings(get, put, patch, delete, admin):
- url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'github-enterprise'})
- get(url, user=admin, expect=200)
- delete(url, user=admin, expect=204)
- response = get(url, user=admin, expect=200)
- data = dict(response.data.items())
- put(url, user=admin, data=data, expect=200)
- patch(
- url,
- user=admin,
- data={
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_URL': 'example.com',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL': 'example.com',
- },
- expect=200,
- )
- response = get(url, user=admin, expect=200)
- assert response.data['SOCIAL_AUTH_GITHUB_ENTERPRISE_URL'] == 'example.com'
- assert response.data['SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL'] == 'example.com'
- data.pop('SOCIAL_AUTH_GITHUB_ENTERPRISE_URL')
- data.pop('SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL')
- put(url, user=admin, data=data, expect=200)
- response = get(url, user=admin, expect=200)
- assert response.data['SOCIAL_AUTH_GITHUB_ENTERPRISE_URL'] == ''
- assert response.data['SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL'] == ''
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 599c7fdd2d1b..da317a6e687c 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -392,15 +392,7 @@
 }
 AUTHENTICATION_BACKENDS = (
- 'social_core.backends.google.GoogleOAuth2',
- 'social_core.backends.github.GithubOAuth2',
- 'social_core.backends.github.GithubOrganizationOAuth2',
- 'social_core.backends.github.GithubTeamOAuth2',
- 'social_core.backends.github_enterprise.GithubEnterpriseOAuth2',
- 'social_core.backends.github_enterprise.GithubEnterpriseOrganizationOAuth2',
- 'social_core.backends.github_enterprise.GithubEnterpriseTeamOAuth2',
 'social_core.backends.open_id_connect.OpenIdConnectAuth',
- 'social_core.backends.azuread.AzureADOAuth2',
 'awx.sso.backends.SAMLAuth',
 'awx.main.backends.AWXModelBackend',
 )
@@ -518,41 +510,6 @@ SOCIAL_AUTH_REDIRECT_IS_HTTPS = False
 # Note: These settings may be overridden by database settings.
-SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = ''
-SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = ''
-SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = ['profile']
-
-SOCIAL_AUTH_GITHUB_KEY = ''
-SOCIAL_AUTH_GITHUB_SECRET = ''
-SOCIAL_AUTH_GITHUB_SCOPE = ['user:email', 'read:org']
-
-SOCIAL_AUTH_GITHUB_ORG_KEY = ''
-SOCIAL_AUTH_GITHUB_ORG_SECRET = ''
-SOCIAL_AUTH_GITHUB_ORG_NAME = ''
-SOCIAL_AUTH_GITHUB_ORG_SCOPE = ['user:email', 'read:org']
-
-SOCIAL_AUTH_GITHUB_TEAM_KEY = ''
-SOCIAL_AUTH_GITHUB_TEAM_SECRET = ''
-SOCIAL_AUTH_GITHUB_TEAM_ID = ''
-SOCIAL_AUTH_GITHUB_TEAM_SCOPE = ['user:email', 'read:org']
-
-SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_SCOPE = ['user:email', 'read:org']
-
-SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_KEY = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_SECRET = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_NAME = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_SCOPE = ['user:email', 'read:org']
-
-SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_KEY = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_SECRET = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_ID = ''
-SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_SCOPE = ['user:email', 'read:org']
-
-SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = ''
-SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = ''
-
 SOCIAL_AUTH_SAML_SP_ENTITY_ID = ''
 SOCIAL_AUTH_SAML_SP_PUBLIC_CERT = ''
 SOCIAL_AUTH_SAML_SP_PRIVATE_KEY = ''
diff --git a/awx/sso/conf.py b/awx/sso/conf.py
index e6c239ddebf8..09befcaa0fc4 100644
--- a/awx/sso/conf.py
+++ b/awx/sso/conf.py
@@ -143,677 +143,6 @@ def __call__(self): category_slug='authentication', ) - ############################################################################### - # GOOGLE OAUTH2 AUTHENTICATION SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('google-oauth2'), - label=_('Google OAuth2 Callback URL'), - help_text=_( - 'Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail.' - ), - category=_('Google OAuth2'), - category_slug='google-oauth2', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('Google OAuth2 Key'), - help_text=_('The OAuth2 key from your web application.'), - category=_('Google OAuth2'), - category_slug='google-oauth2', - placeholder='528620852399-gm2dt4hrl2tsj67fqamk09k1e0ad6gd8.apps.googleusercontent.com', - ) - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('Google OAuth2 Secret'), - help_text=_('The OAuth2 secret from your web application.'), - category=_('Google OAuth2'), - category_slug='google-oauth2', - placeholder='q2fMVCmEregbg-drvebPp8OW', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS', - field_class=fields.StringListField, - default=[], - label=_('Google OAuth2 Allowed Domains'), - help_text=_('Update this setting to restrict the domains who are allowed to login using Google OAuth2.'), - category=_('Google OAuth2'), - category_slug='google-oauth2', - placeholder=['example.com'], - ) - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS', - field_class=fields.DictField, - default={}, - label=_('Google OAuth2 Extra Arguments'), - help_text=_( - 
'Extra arguments for Google OAuth2 login. You can restrict it to' - ' only allow a single domain to authenticate, even if the user is' - ' logged in with multple Google accounts. Refer to the' - ' documentation for more detail.' - ), - category=_('Google OAuth2'), - category_slug='google-oauth2', - placeholder={'hd': 'example.com'}, - ) - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('Google OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('Google OAuth2'), - category_slug='google-oauth2', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GOOGLE_OAUTH2_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('Google OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('Google OAuth2'), - category_slug='google-oauth2', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # GITHUB OAUTH2 AUTHENTICATION SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_GITHUB_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('github'), - label=_('GitHub OAuth2 Callback URL'), - help_text=_( - 'Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail.' 
- ), - category=_('GitHub OAuth2'), - category_slug='github', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GITHUB_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your GitHub developer application.'), - category=_('GitHub OAuth2'), - category_slug='github', - ) - - register( - 'SOCIAL_AUTH_GITHUB_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your GitHub developer application.'), - category=_('GitHub OAuth2'), - category_slug='github', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('GitHub OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('GitHub OAuth2'), - category_slug='github', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('GitHub OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('GitHub OAuth2'), - category_slug='github', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # GITHUB ORG OAUTH2 AUTHENTICATION SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_GITHUB_ORG_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('github-org'), - label=_('GitHub Organization OAuth2 Callback URL'), - help_text=_( - 'Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail.' 
- ), - category=_('GitHub Organization OAuth2'), - category_slug='github-org', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GITHUB_ORG_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Organization OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your GitHub organization application.'), - category=_('GitHub Organization OAuth2'), - category_slug='github-org', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ORG_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Organization OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your GitHub organization application.'), - category=_('GitHub Organization OAuth2'), - category_slug='github-org', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ORG_NAME', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Organization Name'), - help_text=_('The name of your GitHub organization, as used in your organization\'s URL: https://github.com//.'), - category=_('GitHub Organization OAuth2'), - category_slug='github-org', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('GitHub Organization OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('GitHub Organization OAuth2'), - category_slug='github-org', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('GitHub Organization OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('GitHub Organization OAuth2'), - category_slug='github-org', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # GITHUB TEAM OAUTH2 AUTHENTICATION SETTINGS - 
############################################################################### - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('github-team'), - label=_('GitHub Team OAuth2 Callback URL'), - help_text=_( - 'Create an organization-owned application at ' - 'https://github.com/organizations//settings/applications ' - 'and obtain an OAuth2 key (Client ID) and secret (Client Secret). ' - 'Provide this URL as the callback URL for your application.' - ), - category=_('GitHub Team OAuth2'), - category_slug='github-team', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Team OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your GitHub organization application.'), - category=_('GitHub Team OAuth2'), - category_slug='github-team', - ) - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Team OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your GitHub organization application.'), - category=_('GitHub Team OAuth2'), - category_slug='github-team', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_ID', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Team ID'), - help_text=_('Find the numeric team ID using the Github API: http://fabian-kostadinov.github.io/2015/01/16/how-to-find-a-github-team-id/.'), - category=_('GitHub Team OAuth2'), - category_slug='github-team', - ) - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('GitHub Team OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('GitHub Team OAuth2'), - category_slug='github-team', - 
placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('GitHub Team OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('GitHub Team OAuth2'), - category_slug='github-team', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # GITHUB ENTERPRISE OAUTH2 AUTHENTICATION SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('github-enterprise'), - label=_('GitHub Enterprise OAuth2 Callback URL'), - help_text=_( - 'Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail.' - ), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_URL', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise URL'), - help_text=_('The URL for your Github Enterprise instance, e.g.: http(s)://hostname/. Refer to Github Enterprise documentation for more details.'), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise API URL'), - help_text=_( - 'The API URL for your GitHub Enterprise instance, e.g.: http(s)://hostname/api/v3/. Refer to Github Enterprise documentation for more details.' 
- ), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your GitHub Enterprise developer application.'), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your GitHub Enterprise developer application.'), - category=_('GitHub OAuth2'), - category_slug='github-enterprise', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('GitHub Enterprise OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('GitHub Enterprise OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # GITHUB ENTERPRISE ORG OAUTH2 AUTHENTICATION SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('github-enterprise-org'), - label=_('GitHub Enterprise Organization OAuth2 Callback URL'), - 
help_text=_( - 'Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail.' - ), - category=_('GitHub Enterprise Organization OAuth2'), - category_slug='github-enterprise-org', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_URL', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Organization URL'), - help_text=_('The URL for your Github Enterprise instance, e.g.: http(s)://hostname/. Refer to Github Enterprise documentation for more details.'), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise-org', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_API_URL', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Organization API URL'), - help_text=_( - 'The API URL for your GitHub Enterprise instance, e.g.: http(s)://hostname/api/v3/. Refer to Github Enterprise documentation for more details.' 
- ), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise-org', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Organization OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your GitHub Enterprise organization application.'), - category=_('GitHub Enterprise Organization OAuth2'), - category_slug='github-enterprise-org', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Organization OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your GitHub Enterprise organization application.'), - category=_('GitHub Enterprise Organization OAuth2'), - category_slug='github-enterprise-org', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_NAME', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Organization Name'), - help_text=_('The name of your GitHub Enterprise organization, as used in your organization\'s URL: https://github.com//.'), - category=_('GitHub Enterprise Organization OAuth2'), - category_slug='github-enterprise-org', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('GitHub Enterprise Organization OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('GitHub Enterprise Organization OAuth2'), - category_slug='github-enterprise-org', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('GitHub Enterprise Organization OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('GitHub Enterprise Organization OAuth2'), - 
category_slug='github-enterprise-org', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # GITHUB ENTERPRISE TEAM OAUTH2 AUTHENTICATION SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('github-enterprise-team'), - label=_('GitHub Enterprise Team OAuth2 Callback URL'), - help_text=_( - 'Create an organization-owned application at ' - 'https://github.com/organizations//settings/applications ' - 'and obtain an OAuth2 key (Client ID) and secret (Client Secret). ' - 'Provide this URL as the callback URL for your application.' - ), - category=_('GitHub Enterprise Team OAuth2'), - category_slug='github-enterprise-team', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_URL', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Team URL'), - help_text=_('The URL for your Github Enterprise instance, e.g.: http(s)://hostname/. Refer to Github Enterprise documentation for more details.'), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise-team', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_API_URL', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Team API URL'), - help_text=_( - 'The API URL for your GitHub Enterprise instance, e.g.: http(s)://hostname/api/v3/. Refer to Github Enterprise documentation for more details.' 
- ), - category=_('GitHub Enterprise OAuth2'), - category_slug='github-enterprise-team', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Team OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your GitHub Enterprise organization application.'), - category=_('GitHub Enterprise Team OAuth2'), - category_slug='github-enterprise-team', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Team OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your GitHub Enterprise organization application.'), - category=_('GitHub Enterprise Team OAuth2'), - category_slug='github-enterprise-team', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_ID', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('GitHub Enterprise Team ID'), - help_text=_('Find the numeric team ID using the Github Enterprise API: http://fabian-kostadinov.github.io/2015/01/16/how-to-find-a-github-team-id/.'), - category=_('GitHub Enterprise Team OAuth2'), - category_slug='github-enterprise-team', - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('GitHub Enterprise Team OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('GitHub Enterprise Team OAuth2'), - category_slug='github-enterprise-team', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('GitHub Enterprise Team OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('GitHub Enterprise Team OAuth2'), - category_slug='github-enterprise-team', - 
placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - - ############################################################################### - # MICROSOFT AZURE ACTIVE DIRECTORY SETTINGS - ############################################################################### - - register( - 'SOCIAL_AUTH_AZUREAD_OAUTH2_CALLBACK_URL', - field_class=fields.CharField, - read_only=True, - default=SocialAuthCallbackURL('azuread-oauth2'), - label=_('Azure AD OAuth2 Callback URL'), - help_text=_( - 'Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail. ' - ), - category=_('Azure AD OAuth2'), - category_slug='azuread-oauth2', - depends_on=['TOWER_URL_BASE'], - ) - - register( - 'SOCIAL_AUTH_AZUREAD_OAUTH2_KEY', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('Azure AD OAuth2 Key'), - help_text=_('The OAuth2 key (Client ID) from your Azure AD application.'), - category=_('Azure AD OAuth2'), - category_slug='azuread-oauth2', - ) - - register( - 'SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET', - field_class=fields.CharField, - allow_blank=True, - default='', - label=_('Azure AD OAuth2 Secret'), - help_text=_('The OAuth2 secret (Client Secret) from your Azure AD application.'), - category=_('Azure AD OAuth2'), - category_slug='azuread-oauth2', - encrypted=True, - ) - - register( - 'SOCIAL_AUTH_AZUREAD_OAUTH2_ORGANIZATION_MAP', - field_class=SocialOrganizationMapField, - allow_null=True, - default=None, - label=_('Azure AD OAuth2 Organization Map'), - help_text=SOCIAL_AUTH_ORGANIZATION_MAP_HELP_TEXT, - category=_('Azure AD OAuth2'), - category_slug='azuread-oauth2', - placeholder=SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER, - ) - - register( - 'SOCIAL_AUTH_AZUREAD_OAUTH2_TEAM_MAP', - field_class=SocialTeamMapField, - allow_null=True, - default=None, - label=_('Azure AD OAuth2 Team Map'), - help_text=SOCIAL_AUTH_TEAM_MAP_HELP_TEXT, - category=_('Azure AD OAuth2'), - 
category_slug='azuread-oauth2', - placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER, - ) - ############################################################################### # Generic OIDC AUTHENTICATION SETTINGS ############################################################################### diff --git a/awx/sso/fields.py b/awx/sso/fields.py index f67874695574..e809f004a617 100644 --- a/awx/sso/fields.py +++ b/awx/sso/fields.py 
@@ -107,44 +107,7 @@ class AuthenticationBackendsField(fields.StringListField):
 # authentication backend.
 REQUIRED_BACKEND_SETTINGS = collections.OrderedDict(
 [
- ('social_core.backends.google.GoogleOAuth2', ['SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', 'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET']),
- ('social_core.backends.github.GithubOAuth2', ['SOCIAL_AUTH_GITHUB_KEY', 'SOCIAL_AUTH_GITHUB_SECRET']),
 ('social_core.backends.open_id_connect.OpenIdConnectAuth', ['SOCIAL_AUTH_OIDC_KEY', 'SOCIAL_AUTH_OIDC_SECRET', 'SOCIAL_AUTH_OIDC_OIDC_ENDPOINT']),
- (
- 'social_core.backends.github.GithubOrganizationOAuth2',
- ['SOCIAL_AUTH_GITHUB_ORG_KEY', 'SOCIAL_AUTH_GITHUB_ORG_SECRET', 'SOCIAL_AUTH_GITHUB_ORG_NAME'],
- ),
- ('social_core.backends.github.GithubTeamOAuth2', ['SOCIAL_AUTH_GITHUB_TEAM_KEY', 'SOCIAL_AUTH_GITHUB_TEAM_SECRET', 'SOCIAL_AUTH_GITHUB_TEAM_ID']),
- (
- 'social_core.backends.github_enterprise.GithubEnterpriseOAuth2',
- [
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_URL',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET',
- ],
- ),
- (
- 'social_core.backends.github_enterprise.GithubEnterpriseOrganizationOAuth2',
- [
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_URL',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_API_URL',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_KEY',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_SECRET',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_NAME',
- ],
- ),
- (
- 'social_core.backends.github_enterprise.GithubEnterpriseTeamOAuth2',
- [
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_URL',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_API_URL',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_KEY',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_SECRET',
- 'SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_ID',
- ],
- ),
- ('social_core.backends.azuread.AzureADOAuth2', ['SOCIAL_AUTH_AZUREAD_OAUTH2_KEY', 'SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET']),
 (
 'awx.sso.backends.SAMLAuth',
 [
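Review bot: Nothing in the hunk handles a backend path that remains in a persisted or file-level AUTHENTICATION_BACKENDS value but is no longer a key of REQUIRED_BACKEND_SETTINGS (for example the removed `social_core.backends.github.GithubOAuth2`); the lookup that consumes this table sits outside the hunk, so it is worth confirming that such an entry is dropped rather than passed through without the key/secret gate the table is meant to enforce. A short comment above the table stating that contract would help the next person who prunes it, e.g. `# Backends absent from this table are never enabled, regardless of AUTHENTICATION_BACKENDS.`, adjusted to whatever the consuming code actually does. A regression test that feeds a leftover Google, GitHub or Azure AD backend path through this field would pin the behaviour. The class AuthenticationBackendsField continues outside the hunk.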
diff --git a/awx/sso/tests/functional/test_common.py b/awx/sso/tests/functional/test_common.py
index 79b97831bf02..8a7456b70380 100644
--- a/awx/sso/tests/functional/test_common.py
+++ b/awx/sso/tests/functional/test_common.py
@@ -336,14 +336,6 @@ def test_get_external_account(self, enable_social, enable_enterprise, expected_r
 ('JUNK_SETTING', False),
 ('SOCIAL_AUTH_SAML_ENABLED_IDPS', True),
 # Set some SOCIAL_SOCIAL_AUTH_OIDC_KEYAUTH_*_KEY settings
- ('SOCIAL_AUTH_AZUREAD_OAUTH2_KEY', True),
- ('SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY', True),
- ('SOCIAL_AUTH_GITHUB_ENTERPRISE_ORG_KEY', True),
- ('SOCIAL_AUTH_GITHUB_ENTERPRISE_TEAM_KEY', True),
- ('SOCIAL_AUTH_GITHUB_KEY', True),
- ('SOCIAL_AUTH_GITHUB_ORG_KEY', True),
- ('SOCIAL_AUTH_GITHUB_TEAM_KEY', True),
- ('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', True),
 ('SOCIAL_AUTH_OIDC_KEY', True),
 # Try a hypothetical future one
 ('SOCIAL_AUTH_GIBBERISH_KEY', True),
@@ -359,8 +351,6 @@ def test_is_remote_auth_enabled(self, setting, expected):
 "key_one, key_one_value, key_two, key_two_value, expected",
 [
 ('JUNK_SETTING', True, 'JUNK2_SETTING', True, False),
- ('JUNK_SETTING', True, 'SOCIAL_AUTH_AZUREAD_OAUTH2_KEY', True, True),
- ('JUNK_SETTING', True, 'SOCIAL_AUTH_AZUREAD_OAUTH2_KEY', False, False),
 ],
 )
 def test_is_remote_auth_enabled_multiple_keys(self, key_one, key_one_value, key_two, key_two_value, expected):
diff --git a/awxkit/awxkit/api/pages/settings.py b/awxkit/awxkit/api/pages/settings.py
index 2070768fbc34..572636c34dc0 100644
--- a/awxkit/awxkit/api/pages/settings.py
+++ b/awxkit/awxkit/api/pages/settings.py
@@ -13,10 +13,6 @@ class Setting(base.Base):
 resources.settings_all,
 resources.settings_authentication,
 resources.settings_changed,
- resources.settings_github,
- resources.settings_github_org,
- resources.settings_github_team,
- resources.settings_google_oauth2,
 resources.settings_jobs,
 resources.settings_saml,
 resources.settings_system,
diff --git a/awxkit/awxkit/api/resources.py b/awxkit/awxkit/api/resources.py index 389851b15022..5fcb6495111d 100644 --- a/awxkit/awxkit/api/resources.py +++ b/awxkit/awxkit/api/resources.py @@ -208,12 +208,7 @@ class Resources(object): _settings = 'settings/' _settings_all = 'settings/all/' _settings_authentication = 'settings/authentication/' - _settings_azuread_oauth2 = 'settings/azuread-oauth2/' _settings_changed = 'settings/changed/' - _settings_github = 'settings/github/' - _settings_github_org = 'settings/github-org/' - _settings_github_team = 'settings/github-team/' - _settings_google_oauth2 = 'settings/google-oauth2/' _settings_jobs = 'settings/jobs/' _settings_logging = 'settings/logging/' _settings_named_url = 'settings/named-url/' diff --git a/docs/auth/README.md b/docs/auth/README.md index 9cb4d662146f..eaec48265c40 100644 --- a/docs/auth/README.md +++ b/docs/auth/README.md @@ -1,14 +1,7 @@ This folder describes third-party authentications supported by AWX. These authentications can be configured and enabled inside AWX. When a user wants to log into AWX, she can explicitly choose some of the supported authentications to log in instead of AWX's own authentication using username and password. Here is a list of such authentications: -* Google OAuth2 -* Github OAuth2 -* Github Organization OAuth2 -* Github Team OAuth2 -* Github Enterprise OAuth2 -* Github Enterprise Organization OAuth2 -* Github Enterprise Team OAuth2 -* Microsoft Azure Active Directory (AD) OAuth2 +* OIDC (OpenID Connect) On the other hand, the other authentication methods use the same types of login info (username and password), but authenticate using external auth systems rather than AWX's own database. If some of these methods are enabled, AWX will try authenticating using the enabled methods *before AWX's own authentication method*. The order of precedence is: * SAML 
diff --git a/docs/credentials/extract_credentials.md b/docs/credentials/extract_credentials.md index abbbdad88aea..12fe0fea5cd3 100644 --- a/docs/credentials/extract_credentials.md +++ b/docs/credentials/extract_credentials.md @@ -15,7 +15,7 @@ If necessary, credentials and encrypted settings can be extracted using the AWX $ awx-manage shell_plus >>> from awx.main.utils import decrypt_field >>> print(decrypt_field(Credential.objects.get(name="my private key"), "ssh_key_data")) # Example for a credential ->>> print(decrypt_field(Setting.objects.get(key='SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET'), 'value')) # Example for a setting +>>> print(decrypt_field(Setting.objects.get(key='SOCIAL_AUTH_OIDC_SECRET'), 'value')) # Example for a setting ``` If you are running a kubernetes based deployment, you can execute awx-manage like this: diff --git a/docs/docsite/rst/administration/configure_awx_authentication.rst b/docs/docsite/rst/administration/configure_awx_authentication.rst index 6658bc137279..fdcf35d4783c 100644 --- a/docs/docsite/rst/administration/configure_awx_authentication.rst +++ b/docs/docsite/rst/administration/configure_awx_authentication.rst @@ -2,10 +2,6 @@ 2. The left side of the Settings window is a set of configurable Authentication settings. Select from the following options: -- :ref:`ag_auth_azure` -- :ref:`ag_auth_github` -- :ref:`ag_auth_google_oauth2` - Different authentication types require you to enter different information. Be sure to include all the information as required. 3. Click **Save** to apply the settings or **Cancel** to abandon the changes. \ No newline at end of file diff --git a/docs/docsite/rst/administration/ent_auth.rst b/docs/docsite/rst/administration/ent_auth.rst index 942210e56f8e..aaec518c5816 100644 --- a/docs/docsite/rst/administration/ent_auth.rst +++ b/docs/docsite/rst/administration/ent_auth.rst 
@@ -17,42 +17,3 @@ This section describes setting up authentication for the following enterprise sy - Enterprise users cannot be created/authenticated if non-enterprise users with the same name has already been created in AWX. - AWX passwords of enterprise users should always be empty and cannot be set by any user if there are enterprise backend-enabled. - If enterprise backends are disabled, an enterprise user can be converted to a normal AWX user by setting the password field. However, this operation is irreversible, as the converted AWX user can no longer be treated as enterprise user. - - -.. _ag_auth_azure: - -Azure AD settings -------------------- - -.. index:: - pair: authentication; Azure AD - -To set up enterprise authentication for Microsoft Azure Active Directory (AD), you will need to obtain an OAuth2 key and secret by registering your organization-owned application from Azure at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. In order to register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Settings Authentication screen. - -1. Click **Settings** from the left navigation bar. - -2. On the left side of the Settings window, click **Azure AD settings** from the list of Authentication options. - -3. The **Azure AD OAuth2 Callback URL** field is already pre-populated and non-editable. - Once the application is registered, Azure displays the Application ID and Object ID. - -4. Click **Edit** and copy and paste Azure's Application ID to the **Azure AD OAuth2 Key** field. - - Following Azure AD's documentation for connecting your app to Microsoft Azure Active Directory, supply the key (shown at one time only) to the client for authentication. - -5. 
Copy and paste the actual secret key created for your Azure AD application to the **Azure AD OAuth2 Secret** field of the Settings - Authentication screen. - -6. For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -7. Click **Save** when done. - -8. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the Microsoft Azure logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-azure-logo.png - :alt: AWX login screen displaying the Microsoft Azure logo for authentication. - - -For application registering basics in Azure AD, refer to the `Azure AD Identity Platform (v2)`_ overview. - -.. _`Azure AD Identity Platform (v2)`: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview - diff --git a/docs/docsite/rst/administration/social_auth.rst b/docs/docsite/rst/administration/social_auth.rst index 682aff105a70..603bf5ee1b9c 100644 --- a/docs/docsite/rst/administration/social_auth.rst +++ b/docs/docsite/rst/administration/social_auth.rst 
@@ -11,268 +11,6 @@ Authentication methods help simplify logins for end users--offering single sign- Account authentication can be configured in the AWX User Interface and saved to the PostgreSQL database. For instructions, refer to the :ref:`ag_configure_awx` section. - -.. _ag_auth_github: - -GitHub settings ----------------- - -.. index:: - pair: authentication; GitHub OAuth2 - -To set up social authentication for GitHub, you will need to obtain an OAuth2 key and secret for a web application. To do this, you must first register the new application with GitHub at https://github.com/settings/developers. In order to register the application, you must supply it with your homepage URL, which is the **Callback URL** shown in the Details tab for the GitHub default settings page. The OAuth2 key (Client ID) and secret (Client Secret) will be used to supply the required fields in the AWX User Interface. - -1. Click **Settings** from the left navigation bar. - -2. On the left side of the Settings window, click **GitHub settings** from the list of Authentication options. - -3. Click the **GitHub Default** tab if not already selected. - -The **GitHub OAuth2 Callback URL** field is already pre-populated and non-editable. Once the application is registered, GitHub displays the Client ID and Client Secret. - -4. Click **Edit** and copy and paste GitHub's Client ID into the **GitHub OAuth2 Key** field. - -5. Copy and paste GitHub's Client Secret into the **GitHub OAuth2 Secret** field. - -6. For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -7. Click **Save** when done. - -8. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the GitHub logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-github-logo.png - - -.. _ag_auth_github_org: - -GitHub Organization settings -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. 
index:: - pair: authentication; GitHub Org - -When defining account authentication with either an organization or a team within an organization, you should use the specific organization and team settings. Account authentication can be limited by an organization as well as by a team within an organization. - -You can also choose to allow all by specifying non-organization or non-team based settings (as shown above). - -You can limit users who can login to AWX by limiting only those in an organization or on a team within an organization. - -To set up social authentication for a GitHub Organization, you will need to obtain an OAuth2 key and secret for a web application. To do this, you must first register your organization-owned application at ``https://github.com/organizations//settings/applications``. In order to register the application, you must supply it with your Authorization callback URL, which is the **Callback URL** shown in the Details page. Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) will be used to supply the required fields in the AWX User Interface. - -1. Click **Settings** from the left navigation bar. - -2. On the left side of the Settings window, click **GitHub settings** from the list of Authentication options. - -3. Click the **GitHub Organization** tab. - -The **GitHub Organization OAuth2 Callback URL** field is already pre-populated and non-editable. - -Once the application is registered, GitHub displays the Client ID and Client Secret. - -4. Click **Edit** and copy and paste GitHub's Client ID into the **GitHub Organization OAuth2 Key** field. - -5. Copy and paste GitHub's Client Secret into the **GitHub Organization OAuth2 Secret** field. - -6. Enter the name of your GitHub organization, as used in your organization's URL (e.g., https://github.com//) in the **GitHub Organization Name** field. - -7. 
For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -8. Click **Save** when done. - -9. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the GitHub Organization logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-github-orgs-logo.png - - -.. _ag_auth_github_team: - -GitHub Team settings -~~~~~~~~~~~~~~~~~~~~~~~~ - -.. index:: - pair: authentication; GitHub Team - - -To set up social authentication for a GitHub Team, you will need to obtain an OAuth2 key and secret for a web application. To do this, you must first register your team-owned application at ``https://github.com/organizations//settings/applications``. In order to register the application, you must supply it with your Authorization callback URL, which is the **Callback URL** shown in the Details page. Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) will be used to supply the required fields in the AWX User Interface. - -1. Find the numeric team ID using the GitHub API: http://fabian-kostadinov.github.io/2015/01/16/how-to-find-a-github-team-id/. The Team ID will be used to supply a required field in the AWX User Interface. - -2. Click **Settings** from the left navigation bar. - -3. On the left side of the Settings window, click **GitHub settings** from the list of Authentication options. - -4. Click the **GitHub Team** tab. - -The **GitHub Team OAuth2 Callback URL** field is already pre-populated and non-editable. Once the application is registered, GitHub displays the Client ID and Client Secret. - -5. Click **Edit** and copy and paste GitHub's Client ID into the **GitHub Team OAuth2 Key** field. - -6. Copy and paste GitHub's Client Secret into the **GitHub Team OAuth2 Secret** field. - -7. 
Copy and paste GitHub's team ID in the **GitHub Team ID** field. - -8. For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -9. Click **Save** when done. - -10. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the GitHub Team logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-github-teams-logo.png - - -GitHub Enterprise settings -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. index:: - pair: authentication; GitHub Enterprise - -To set up social authentication for a GitHub Enterprise, you will need to obtain a GitHub Enterprise URL, an API URL, OAuth2 key and secret for a web application. To obtain the URLs, refer to the GitHub documentation on `GitHub Enterprise administration `_ . To obtain the key and secret, you must first register your enterprise-owned application at ``https://github.com/organizations//settings/applications``. In order to register the application, you must supply it with your Authorization callback URL, which is the **Callback URL** shown in the Details page. Because its hosted on site and not github.com, you must specify which auth adapter it will talk to. - -Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) will be used to supply the required fields in the AWX User Interface. - -1. Click **Settings** from the left navigation bar. - -2. On the left side of the Settings window, click **GitHub settings** from the list of Authentication options. - -3. Click the **GitHub Enterprise** tab. - -The **GitHub Enterprise OAuth2 Callback URL** field is already pre-populated and non-editable. Once the application is registered, GitHub displays the Client ID and Client Secret. - -4. Click **Edit** to configure GitHub Enterprise settings. - -5. 
In the **GitHub Enterprise URL** field, enter the hostname of the GitHub Enterprise instance (e.g., https://github.example.com). - -6. In the **GitHub Enterprise API URL** field, enter the API URL of the GitHub Enterprise instance (e.g., https://github.example.com/api/v3) - -7. Copy and paste GitHub's Client ID into the **GitHub Enterprise OAuth2 Key** field. - -8. Copy and paste GitHub's Client Secret into the **GitHub Enterprise OAuth2 Secret** field. - -9. For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -10. Click **Save** when done. - -11. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the GitHub Enterprise logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-github-ent-logo.png - - -GitHub Enterprise Organization settings -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. index:: - pair: authentication; GitHub Enterprise Org - -To set up social authentication for a GitHub Enterprise Org, you will need to obtain a GitHub Enterprise Org URL, an Org API URL, an Org OAuth2 key and secret for a web application. To obtain the URLs, refer to the GitHub documentation on `GitHub Enterprise administration `_ . To obtain the key and secret, you must first register your enterprise organization-owned application at ``https://github.com/organizations//settings/applications``. In order to register the application, you must supply it with your Authorization callback URL, which is the **Callback URL** shown in the Details page. Because its hosted on site and not github.com, you must specify which auth adapter it will talk to. - -Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) will be used to supply the required fields in the AWX User Interface. - -1. Click **Settings** from the left navigation bar. - -2. 
On the left side of the Settings window, click **GitHub settings** from the list of Authentication options. - -3. Click the **GitHub Enterprise Organization** tab. - -The **GitHub Enterprise Organization OAuth2 Callback URL** field is already pre-populated and non-editable. Once the application is registered, GitHub displays the Client ID and Client Secret. - -4. Click **Edit** to configure GitHub Enterprise Organization settings. - -5. In the **GitHub Enterprise Organization URL** field, enter the hostname of the GitHub Enterprise Org instance (e.g., https://github.orgexample.com). - -6. In the **GitHub Enterprise Organization API URL** field, enter the API URL of the GitHub Enterprise Org instance (e.g., https://github.orgexample.com/api/v3) - -7. Copy and paste GitHub's Client ID into the **GitHub Enterprise Organization OAuth2 Key** field. - -8. Copy and paste GitHub's Client Secret into the **GitHub Enterprise Organization OAuth2 Secret** field. - -9. Enter the name of your GitHub Enterprise organization, as used in your organization's URL (e.g., https://github.com//) in the **GitHub Enterprise Organization Name** field. - -10. For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -11. Click **Save** when done. - -12. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the GitHub Enterprise Organization logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-github-ent-org-logo.png - - -GitHub Enterprise Team settings -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. index:: - pair: authentication; GitHub Enterprise Team - -To set up social authentication for a GitHub Enterprise teams, you will need to obtain a GitHub Enterprise Org URL, an Org API URL, an Org OAuth2 key and secret for a web application. To obtain the URLs, refer to the GitHub documentation on `GitHub Enterprise administration `_ . 
To obtain the key and secret, you must first register your enterprise team-owned application at ``https://github.com/organizations//settings/applications``. In order to register the application, you must supply it with your Authorization callback URL, which is the **Callback URL** shown in the Details page. Because its hosted on site and not github.com, you must specify which auth adapter it will talk to. - -Each key and secret must belong to a unique application and cannot be shared or reused between different authentication backends. The OAuth2 key (Client ID) and secret (Client Secret) will be used to supply the required fields in the AWX User Interface. - -1. Find the numeric team ID using the GitHub API: http://fabian-kostadinov.github.io/2015/01/16/how-to-find-a-github-team-id/. The Team ID will be used to supply a required field in the AWX User Interface. - -2. Click **Settings** from the left navigation bar. - -3. On the left side of the Settings window, click **GitHub settings** from the list of Authentication options. - -4. Click the **GitHub Enterprise Team** tab. - -The **GitHub Enterprise Team OAuth2 Callback URL** field is already pre-populated and non-editable. Once the application is registered, GitHub displays the Client ID and Client Secret. - -5. Click **Edit** to configure GitHub Enterprise Team settings. - -6. In the **GitHub Enterprise Team URL** field, enter the hostname of the GitHub Enterprise team instance (e.g., https://github.teamexample.com). - -7. In the **GitHub Enterprise Team API URL** field, enter the API URL of the GitHub Enterprise team instance (e.g., https://github.teamexample.com/api/v3) - -8. Copy and paste GitHub's Client ID into the **GitHub Enterprise Team OAuth2 Key** field. - -9. Copy and paste GitHub's Client Secret into the **GitHub Enterprise Team OAuth2 Secret** field. - -10. Copy and paste GitHub's team ID in the **GitHub Enterprise Team ID** field. - -11. 
For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -12. Click **Save** when done. - -13. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the GitHub Enterprise Teams logo to allow logging in with those credentials. - -.. image:: ../common/images/configure-awx-auth-github-ent-teams-logo.png - - -.. _ag_auth_google_oauth2: - -Google OAuth2 settings ------------------------ - -.. index:: - pair: authentication; Google OAuth2 - -To set up social authentication for Google, you will need to obtain an OAuth2 key and secret for a web application. To do this, you must first create a project and set it up with Google. Refer to https://support.google.com/googleapi/answer/6158849 for instructions. If you already completed the setup process, you can access those credentials by going to the Credentials section of the `Google API Manager Console `_. The OAuth2 key (Client ID) and secret (Client secret) will be used to supply the required fields in the AWX User Interface. - -1. Click **Settings** from the left navigation bar. - -2. On the left side of the Settings window, click **Google OAuth 2 settings** from the list of Authentication options. - -The **Google OAuth2 Callback URL** field is already pre-populated and non-editable. - -3. The following fields are also pre-populated. If not, use the credentials Google supplied during the web application setup process, and look for the values with the same format as the ones shown in the example below: - - - Click **Edit** and copy and paste Google's Client ID into the **Google OAuth2 Key** field. - - - Copy and paste Google's Client secret into the **Google OAuth2 Secret** field. - - .. image:: ../common/images/configure-awx-auth-google.png - -4. To complete the remaining optional fields, refer to the tooltips in each of the fields for instructions and required format. - -5. 
For details on completing the mapping fields, see :ref:`ag_org_team_maps`. - -6. Click **Save** when done. - -7. To verify that the authentication was configured correctly, logout of AWX and the login screen will now display the Google logo to indicate it as a alternate method of logging into AWX. - -.. image:: ../common/images/configure-awx-auth-google-logo.png - - - .. _ag_org_team_maps: Organization and Team Mapping @@ -329,12 +67,6 @@ Organization mappings may be specified separately for each account authenticatio :: - SOCIAL_AUTH_GOOGLE_OAUTH2_ORGANIZATION_MAP = {} - SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP = {} - SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP = {} - SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP = {} - - Team mapping ~~~~~~~~~~~~~~ @@ -374,7 +106,6 @@ Team mappings may be specified separately for each account authentication backen :: - SOCIAL_AUTH_GOOGLE_OAUTH2_TEAM_MAP = {} SOCIAL_AUTH_GITHUB_TEAM_MAP = {} SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP = {} SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP = {} diff --git a/docs/docsite/rst/rest_api/authentication.rst b/docs/docsite/rst/rest_api/authentication.rst index 0349bbfa388f..8925798c0329 100644 --- a/docs/docsite/rst/rest_api/authentication.rst +++ b/docs/docsite/rst/rest_api/authentication.rst 
@@ -192,9 +192,7 @@ If you need to write custom requests, you can write a Python script using `Pytho SSO Authentication ------------------- -Single sign-on (SSO) authentication methods are fundamentally different from other methods because the authentication of the user happens external to AWX, like Google SSO, Azure SSO, SAML, or GitHub. For example, with GitHub SSO, GitHub is the single source of truth, which verifies your identity based on the username and password you gave AWX. - -You can configure SSO authentication using AWX inside a large organization with a central Identity Provider. Once you have configured an SSO method in AWX, a button for that SSO will be present on the login screen. If you click that button, it will redirect you to the Identity Provider, in this case GitHub, where you will present your credentials. If the Identity Provider verifies you successfully, then AWX will make a user linked to your GitHub user (if this is your first time logging in via this SSO method), and log you in. +Single sign-on (SSO) authentication methods are fundamentally different from other methods because the authentication of the user happens external to AWX, like SAML. For the various types of supported SSO authentication methods, see :ref:`ag_social_auth` and :ref:`ag_ent_auth` in the |ata|. diff --git a/docs/tower_configuration.md b/docs/tower_configuration.md index ec917fd924ef..a5aea85c9139 100644 --- a/docs/tower_configuration.md +++ b/docs/tower_configuration.md @@ -7,7 +7,7 @@ The REST endpoint for CRUD operations against AWX configurations can be found at Here is a typical AWX configuration category GET response: ``` -GET /api/v2/settings/github-team/ +GET /api/v2/settings/oidc/ HTTP 200 OK Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS Content-Type: application/json 
@@ -18,12 +18,10 @@ X-API-Query-Time: 0.004s X-API-Time: 0.026s { - "SOCIAL_AUTH_GITHUB_TEAM_CALLBACK_URL": "https://platformhost/sso/complete/github-team/", - "SOCIAL_AUTH_GITHUB_TEAM_KEY": "", - "SOCIAL_AUTH_GITHUB_TEAM_SECRET": "", - "SOCIAL_AUTH_GITHUB_TEAM_ID": "", - "SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP": null, - "SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP": null + "SOCIAL_AUTH_OIDC_KEY": null, + "SOCIAL_AUTH_OIDC_SECRET": "", + "SOCIAL_AUTH_OIDC_OIDC_ENDPOINT": "", + "SOCIAL_AUTH_OIDC_VERIFY_SSL": true } ```