From d33070ac12f305f2ee40a94ee87ff7bde70e21b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Brunner?= Date: Tue, 10 Dec 2024 11:09:38 +0100 Subject: [PATCH 1/2] Create a dedicated page for the authentication --- doc/integrator/authentication.rst | 42 ++++++++++++------------ doc/integrator/authentication_oauth2.rst | 2 +- doc/integrator/authentication_oidc.rst | 9 +---- doc/integrator/index.rst | 1 + doc/integrator/security.rst | 6 ---- 5 files changed, 24 insertions(+), 36 deletions(-) diff --git a/doc/integrator/authentication.rst b/doc/integrator/authentication.rst index a8ee52ba12..98ab60ece8 100644 --- a/doc/integrator/authentication.rst +++ b/doc/integrator/authentication.rst @@ -1,9 +1,11 @@ + +.. _integrator_authentication: + Authentication --------------- +============== -~~~~~~~~~~~~~~~~~~~ Supported standards -~~~~~~~~~~~~~~~~~~~ +------------------- - `OpenID Connect`: as client, to be able to connect to an external OpenID Connect (OIDC) server. - `TOTP`: for two-factor authentication (2FA), this can be used for example with Google Authenticator. @@ -11,9 +13,8 @@ Supported standards authentication, even if it was initially implemented to be able to connect from QGIS desktop on an application that requires two factor authentication. -~~~~~~~~~~~~~~~~~~ The default policy -~~~~~~~~~~~~~~~~~~ +------------------ By default, ``c2cgeoportal`` applications use an *auth ticket* authentication policy (``AuthTktAuthenticationPolicy``). With this policy, the user name is 
@@ -40,18 +41,16 @@ In the file ``env.project``, you can configure the policy with the following var See also `the official documentation `_. -~~~~~~~~~~~~~~~~~~~~ Using another policy -~~~~~~~~~~~~~~~~~~~~ +-------------------- When using ``AuthTktAuthenticationPolicy``, an "auth ticket" cookie should be set in the request for the user to be identified. In some applications, using a custom identification mechanism may be needed instead, for instance to use SSO. Our knowledge base has an example of how this can be achieved. -~~~~~~~~~~~~~~~ User validation -~~~~~~~~~~~~~~~ +--------------- For logging in, ``c2cgeoportal`` validates the user credentials (username/password) by reading the user information from the ``user`` database @@ -59,9 +58,8 @@ table. If a c2cgeoportal application should work with another user information source, like LDAP, a custom *client validation* mechanism can be set up. Our knowledge base has an example of how this can be achieved. -~~~~~~~~~~ Basic auth -~~~~~~~~~~ +---------- To be able to access the OGC services from your desktop GIS, you should enable the basic authentication by setting ``BASICAUTH`` to ``True`` in the ``env.project`` file. @@ -73,9 +71,8 @@ in your query string. For security reasons, basic authentication and two factor authentication should not be enabled together. -~~~~~~~~~~~~~~~~~~~~~~~~~~ Two factors authentication -~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------- GeoMapFish support TOTP (Time-Based One-Time Password Algorithm) two factors authentication (`RFC 6238 `_). @@ -96,9 +93,8 @@ should uncheck the 'The user changed his password' field on the user in the admi For security reasons, basic authentication and two factor authentication should not be enabled together, you should use :ref:`OAuth2` for that. -~~~~~~~~~~~~~~~ Account lockout -~~~~~~~~~~~~~~~ +--------------- To lock an account after a certain number of authentication failures, set the following settings: 
@@ -111,9 +107,9 @@ To lock an account after a certain number of authentication failures, set the fo To unlock a user, the administrator should uncheck the 'Deactivated' field on the user in the admin interface. -~~~~~~~~ + Intranet -~~~~~~~~ +-------- To configure the intranet networks fill in the configuration like: @@ -138,9 +134,8 @@ See `Python documentation >-Browser: response -~~~~~~~~~~~~~~~~~~~~~~~ Authentication provider ~~~~~~~~~~~~~~~~~~~~~~~ @@ -52,7 +51,6 @@ If we want to use OpenID Connect as an authentication provider, we need to set t With that the user will be create in the database at the first login, and the access right will be set in the GeoMapFish database. The user correspondence will be done on the email field. -~~~~~~~~~~~~~~~~~~~~~~ Authorization provider ~~~~~~~~~~~~~~~~~~~~~~ @@ -74,7 +72,6 @@ If we want to use OpenID Connect as an authorization provider, we need to set th With that the user will not be in the database only the roles will be set in the GeoMapFish database. -~~~~~~~~~~~~~ Other options ~~~~~~~~~~~~~ @@ -107,7 +104,6 @@ Other options display_name: name email: email -~~~~~~~~~~~~~~~~~~~~ Example with Zitadel ~~~~~~~~~~~~~~~~~~~~ @@ -121,7 +117,6 @@ Example with Zitadel query_user_info: true create_user: true -~~~~~ Hooks ~~~~~ @@ -153,7 +148,6 @@ Configure the hooks in the project initialization: config.add_request_method(get_remember_from_user_info, name="get_remember_from_user_info") config.add_request_method(get_user_from_remember, name="get_user_from_remember") -~~~~~~~~~~~~~~~~~ QGIS with Zitadel ~~~~~~~~~~~~~~~~~ @@ -173,7 +167,6 @@ On QGIS: * Set ``Client ID`` to ````. * Set ``Scope`` to the ``openid profile email``. -~~~~~~~~~~~~~~ Implementation ~~~~~~~~~~~~~~ diff --git a/doc/integrator/index.rst b/doc/integrator/index.rst index f329235534..879a18e340 100644 --- a/doc/integrator/index.rst +++ b/doc/integrator/index.rst 
@@ -21,6 +21,7 @@ Content: database configuration customize + authentication security features docker diff --git a/doc/integrator/security.rst b/doc/integrator/security.rst index 5b2e70072f..94cb3ff4fe 100644 --- a/doc/integrator/security.rst +++ b/doc/integrator/security.rst @@ -3,12 +3,6 @@ Security ======== -.. _integrator_authentication: -.. include:: authentication.rst -.. _integrator_authentication_oidc: -.. include:: authentication_oidc.rst -.. _integrator_authentication_oauth2: -.. include:: authentication_oauth2.rst .. include:: https.rst .. include:: reset_password.rst From f8ca3620f40bc7404fa997eddfc6066ac29ac610 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Brunner?= Date: Wed, 11 Dec 2024 09:34:36 +0100 Subject: [PATCH 2/2] Cleanup --- doc/integrator/authentication.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/integrator/authentication.rst b/doc/integrator/authentication.rst index 98ab60ece8..19895f1f60 100644 --- a/doc/integrator/authentication.rst +++ b/doc/integrator/authentication.rst @@ -47,7 +47,6 @@ Using another policy When using ``AuthTktAuthenticationPolicy``, an "auth ticket" cookie should be set in the request for the user to be identified. In some applications, using a custom identification mechanism may be needed instead, for instance to use SSO. -Our knowledge base has an example of how this can be achieved. User validation --------------- @@ -56,7 +55,6 @@ For logging in, ``c2cgeoportal`` validates the user credentials (username/password) by reading the user information from the ``user`` database table. If a c2cgeoportal application should work with another user information source, like LDAP, a custom *client validation* mechanism can be set up. -Our knowledge base has an example of how this can be achieved. Basic auth ----------
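Review bot: the `doc/integrator/security.rst` hunk (`@@ -3,12 +3,6 @@`) deletes the `.. _integrator_authentication_oidc:` and `.. _integrator_authentication_oauth2:` labels along with the includes, but only `.. _integrator_authentication:` is re-created (at the top of `doc/integrator/authentication.rst`); the visible hunks for `authentication_oidc.rst` and `authentication_oauth2.rst` do not add the two other labels back. Any `:ref:` pointing at them elsewhere in the docs (the `Two factors authentication` context already uses `:ref:\`OAuth2\``) will become an unresolved-reference warning, so please add the labels at the top of their respective pages or confirm they are defined there.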
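Review bot: the `doc/integrator/index.rst` hunk (`@@ -21,6 +21,7 @@`) adds only `authentication` to the toctree, while the `security.rst` hunk removes the includes of `authentication_oidc.rst` and `authentication_oauth2.rst` as well. Unless `authentication.rst` now includes those two files (the `@@ -138,9 +134,8 @@` hunk is not readable here), they end up in no toctree and Sphinx will report them as orphaned; either add them to the toctree or document in the commit message that `authentication.rst` includes them.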
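Review bot: the two hunks in `[PATCH 2/2]` (`@@ -47,7 +47,6 @@` and `@@ -56,7 +55,6 @@`) drop the sentence `Our knowledge base has an example of how this can be achieved.` from both the `Using another policy` and `User validation` sections, leaving the text saying that a custom identification or client-validation mechanism "can be set up" with no indication of where that is documented. If the knowledge-base pointer was stale, a one-line replacement (a link to the current location, or a statement that this is left to the integrator) would keep the sections actionable, and the commit message `Cleanup` should say why the references were removed.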
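Review bot: in the `authentication.rst` hunk `@@ -111,9 +107,9 @@`, the removed `~~~~~~~~` overline is replaced by an added empty line (`+` with no content), which leaves two blank lines before `Intranet`, unlike the other headings in the same file where the overline is simply deleted; drop the added blank line for consistency.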