Remove SAML authentication

awx/api/conf.py

@@ -37,7 +37,7 @@
  label=_('Disable the built-in authentication system'),
  help_text=_(
  "Controls whether users are prevented from using the built-in authentication system. "
- "You probably want to do this if you are using an LDAP or SAML integration."
+ "You probably want to do this if you are using an LDAP integration."
  ),
  category=_('Authentication'),
  category_slug='authentication',
@@ -77,8 +77,8 @@
  default=False,
  label=_('Allow External Users to Create OAuth2 Tokens'),
  help_text=_(
- 'For security reasons, users from external auth providers (LDAP, SAML, '
- 'SSO, and others) are not allowed to create OAuth2 tokens. '
+ 'For security reasons, users from external auth providers (LDAP, SSO, '
+ ' and others) are not allowed to create OAuth2 tokens. '
  'To change this behavior, enable this setting. Existing tokens will '
  'not be deleted when this setting is toggled off.'
  ),

awx/api/views/__init__.py

@@ -689,25 +689,15 @@ def get(self, request):
  data = OrderedDict()
  err_backend, err_message = request.session.get('social_auth_error', (None, None))
  auth_backends = list(load_backends(settings.AUTHENTICATION_BACKENDS, force_load=True).items())
- # Return auth backends in consistent order: oidc, saml.
+ # Return auth backends in consistent order: oidc.
  auth_backends.sort(key=lambda x: x[0])
  for name, backend in auth_backends:
  login_url = reverse('social:begin', args=(name,))
  complete_url = request.build_absolute_uri(reverse('social:complete', args=(name,)))
  backend_data = {'login_url': login_url, 'complete_url': complete_url}
- if name == 'saml':
- backend_data['metadata_url'] = reverse('sso:saml_metadata')
- for idp in sorted(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.keys()):
- saml_backend_data = dict(backend_data.items())
- saml_backend_data['login_url'] = '%s?idp=%s' % (login_url, idp)
- full_backend_name = '%s:%s' % (name, idp)
- if (err_backend == full_backend_name or err_backend == name) and err_message:
- saml_backend_data['error'] = err_message
- data[full_backend_name] = saml_backend_data
- else:
- if err_backend == name and err_message:
- backend_data['error'] = err_message
- data[name] = backend_data
+ if err_backend == name and err_message:
+ backend_data['error'] = err_message
+ data[name] = backend_data
  return Response(data)
 
 

awx/conf/migrations/0011_remove_saml_auth_conf.py

@@ -0,0 +1,40 @@
+# Generated by Django 4.2.10 on 2024-08-27 14:20
+
+from django.db import migrations
+
+SAML_AUTH_CONF_KEYS = [
+ 'SAML_AUTO_CREATE_OBJECTS',
+ 'SOCIAL_AUTH_SAML_CALLBACK_URL',
+ 'SOCIAL_AUTH_SAML_METADATA_URL',
+ 'SOCIAL_AUTH_SAML_SP_ENTITY_ID',
+ 'SOCIAL_AUTH_SAML_SP_PUBLIC_CERT',
+ 'SOCIAL_AUTH_SAML_SP_PRIVATE_KEY',
+ 'SOCIAL_AUTH_SAML_ORG_INFO',
+ 'SOCIAL_AUTH_SAML_TECHNICAL_CONTACT',
+ 'SOCIAL_AUTH_SAML_SUPPORT_CONTACT',
+ 'SOCIAL_AUTH_SAML_ENABLED_IDPS',
+ 'SOCIAL_AUTH_SAML_SECURITY_CONFIG',
+ 'SOCIAL_AUTH_SAML_SP_EXTRA',
+ 'SOCIAL_AUTH_SAML_EXTRA_DATA',
+ 'SOCIAL_AUTH_SAML_ORGANIZATION_MAP',
+ 'SOCIAL_AUTH_SAML_TEAM_MAP',
+ 'SOCIAL_AUTH_SAML_ORGANIZATION_ATTR',
+ 'SOCIAL_AUTH_SAML_TEAM_ATTR',
+ 'SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR',
+]
+
+
+def remove_saml_auth_conf(apps, scheme_editor):
+ setting = apps.get_model('conf', 'Setting')
+ setting.objects.filter(key__in=SAML_AUTH_CONF_KEYS).delete()
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('conf', '0010_change_to_JSONField'),
+ ]
+
+ operations = [
+ migrations.RunPython(remove_saml_auth_conf),
+ ]

awx/conf/tests/functional/test_api.py

@@ -8,7 +8,6 @@
 from awx.conf import fields
 from awx.conf.registry import settings_registry
 from awx.conf.models import Setting
-from awx.sso import fields as sso_fields
 
 
 @pytest.fixture
@@ -103,24 +102,6 @@ def test_setting_singleton_update(api_request, dummy_setting):
  assert response.data['FOO_BAR'] == 4
 
 
-@pytest.mark.django_db
-def test_setting_singleton_update_hybriddictfield_with_forbidden(api_request, dummy_setting):
- # Some HybridDictField subclasses have a child of _Forbidden,
- # indicating that only the defined fields can be filled in. Make
- # sure that the _Forbidden validator doesn't get used for the
- # fields. See also https://github.com/ansible/awx/issues/4099.
- with dummy_setting('FOO_BAR', field_class=sso_fields.SAMLOrgAttrField, category='FooBar', category_slug='foobar'), mock.patch(
- 'awx.conf.views.clear_setting_cache'
- ):
- api_request(
- 'patch',
- reverse('api:setting_singleton_detail', kwargs={'category_slug': 'foobar'}),
- data={'FOO_BAR': {'saml_admin_attr': 'Admins', 'saml_attr': 'Orgs'}},
- )
- response = api_request('get', reverse('api:setting_singleton_detail', kwargs={'category_slug': 'foobar'}))
- assert response.data['FOO_BAR'] == {'saml_admin_attr': 'Admins', 'saml_attr': 'Orgs'}
-
-
 @pytest.mark.django_db
 def test_setting_singleton_update_dont_change_readonly_fields(api_request, dummy_setting):
  with dummy_setting('FOO_BAR', field_class=fields.IntegerField, read_only=True, default=4, category='FooBar', category_slug='foobar'), mock.patch(

awx/main/conf.py

@@ -48,7 +48,7 @@
  label=_('Organization Admins Can Manage Users and Teams'),
  help_text=_(
  'Controls whether any Organization Admin has the privileges to create and manage users and teams. '
- 'You may want to disable this ability if you are using an LDAP or SAML integration.'
+ 'You may want to disable this ability if you are using an LDAP integration.'
  ),
  category=_('System'),
  category_slug='system',

awx/main/models/__init__.py

@@ -248,8 +248,6 @@ def user_is_in_enterprise_category(user, category):
  ret = (category,) in user.enterprise_auth.values_list('provider') and not user.has_usable_password()
  # NOTE: this if block ensures existing enterprise users are still able to
  # log in. Remove it in a future release
- if category == 'saml':
- ret = ret or user.social_auth.all()
  return ret
 
 

awx/main/tests/functional/api/test_settings.py

@@ -193,31 +193,3 @@ def test_logging_aggregator_connection_test_valid(put, post, admin):
  # "Test" the logger
  url = reverse('api:setting_logging_test')
  post(url, {}, user=admin, expect=202)
-
-
-@pytest.mark.django_db
-@pytest.mark.parametrize('headers', [True, False])
-def test_saml_x509cert_validation(patch, get, admin, headers):
- cert = "MIIEogIBAAKCAQEA1T4za6qBbHxFpN5f9eFvA74MFjrsjcp1uvzOaE23AYKMDEJghJ6dqQ7GwHLNIeIeumqDFmODauIzrgSDJTT5+NG30Rr+rRi0zDkrkBAj/AtA+SaVhbzqB6ZSd7LaMly9XAc+82OKlNpuWS9hPmFaSShzDTXRu5RRyvm4NDCAOGDu5hyVR2pV/ffKDNfNkChnqzvRRW9laQcVmliZhlTGn7nPZ+JbjpwEy0nwW+4zoAiEvwnT52N4xTqIcYOnXtGiaf13dh7FkUfYmS0tzF3+h8QRKwtIm4y+sq84R/kr79/0t5aRUpJynNrECajzmArpL4IjXKTPIyUpTKirJgGnCwIDAQABAoIBAC6bbbm2hpsjfkVOpUKkhxMWUqX5MwK6oYjBAIwjkEAwPFPhnh7eXC87H42oidVCCt1LsmMOVQbjcdAzBEb5kTkk/Twi3k8O+1U3maHfJT5NZ2INYNjeNXh+jb/Dw5UGWAzpOIUR2JQ4Oa4cgPCVbppW0O6uOKz6+fWXJv+hKiUoBCC0TiY52iseHJdUOaKNxYRD2IyIzCAxFSd5tZRaARIYDsugXp3E/TdbsVWA7bmjIBOXq+SquTrlB8x7j3B7+Pi09nAJ2U/uV4PHE+/2Fl009ywfmqancvnhwnz+GQ5jjP+gTfghJfbO+Z6M346rS0Vw+osrPgfyudNHlCswHOECgYEA/Cfq25gDP07wo6+wYWbx6LIzj/SSZy/Ux9P8zghQfoZiPoaq7BQBPAzwLNt7JWST8U11LZA8/wo6ch+HSTMk+m5ieVuru2cHxTDqeNlh94eCrNwPJ5ayA5U6LxAuSCTAzp+rv6KQUx1JcKSEHuh+nRYTKvUDE6iA6YtPLO96lLUCgYEA2H5rOPX2M4w1Q9zjol77lplbPRdczXNd0PIzhy8Z2ID65qvmr1nxBG4f2H96ykW8CKLXNvSXreNZ1BhOXc/3Hv+3mm46iitB33gDX4mlV4Jyo/w5IWhUKRyoW6qXquFFsScxRzTrx/9M+aZeRRLdsBk27HavFEg6jrbQ0SleZL8CgYAaM6Op8d/UgkVrHOR9Go9kmK/W85kK8+NuaE7Ksf57R0eKK8AzC9kc/lMuthfTyOG+n0ff1i8gaVWtai1Ko+/hvfqplacAsDIUgYK70AroB8LCZ5ODj5sr2CPVpB7LDFakod7c6O2KVW6+L7oy5AHUHOkc+5y4PDg5DGrLxo68SQKBgAlGoWF3aG0c/MtDk51JZI43U+lyLs++ua5SMlMAeaMFI7rucpvgxqrh7Qthqukvw7a7A22fXUBeFWM5B2KNnpD9c+hyAKAa6l+gzMQzKZpuRGsyS2BbEAAS8kO7M3Rm4o2MmFfstI2FKs8nibJ79HOvIONQ0n+T+K5Utu2/UAQRAoGAFB4fiIyQ0nYzCf18Z4Wvi/qeIOW+UoBonIN3y1h4wruBywINHxFMHx4aVImJ6R09hoJ9D3Mxli3xF/8JIjfTG5fBSGrGnuofl14d/XtRDXbT2uhVXrIkeLL/ojODwwEx0VhxIRUEjPTvEl6AFSRRcBp3KKzQ/cu7ENDY6GTlOUI=" # noqa
- if headers:
- cert = '-----BEGIN CERTIFICATE-----\n' + cert + '\n-----END CERTIFICATE-----'
- url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'saml'})
- resp = patch(
- url,
- user=admin,
- data={
- 'SOCIAL_AUTH_SAML_ENABLED_IDPS': {
- "okta": {
- "attr_last_name": "LastName",
- "attr_username": "login",
- "entity_id": "http://www.okta.com/abc123",
- "attr_user_permanent_id": "login",
- "url": "https://example.okta.com/app/abc123/xyz123/sso/saml",
- "attr_email": "Email",
- "x509cert": cert,
- "attr_first_name": "FirstName",
- }
- }
- },
- )
- assert resp.status_code == 200