Google OAuth2 (#130)

* functional google auth

* updated deps

* updated docs

.coveragerc

@@ -1,6 +1,7 @@
 [run]
 omit =
     config/ldap_config.py
+    config/social_config.py
     config/settings.py
     config/wsgi.py
     api/apps.py

Dockerfile

@@ -32,7 +32,7 @@ WORKDIR /opt/alcali/code
 RUN pip install --user -U setuptools
 
 # Install project
-RUN pip install --user .[ldap] mysqlclient psycopg2
+RUN pip install --user .[ldap,social] mysqlclient psycopg2
 
 EXPOSE 8000
 

README.md

@@ -25,7 +25,7 @@ Alcali is a web based tool for monitoring and administrating **Saltstack** Salt.
 
 - Use custom auth module to login into both Alcali and the Salt-api using JWT.
 
-- LDAP authentication.
+- **LDAP** and **Google OAuth2** authentication.
 
 ## Try it!
 

api/urls.py

@@ -32,6 +32,7 @@
     verify,
     version,
     JobTemplateViewSet,
+    social,
 )
 from rest_framework import routers
 
@@ -76,3 +77,15 @@
 
 if os.environ.get("SALT_AUTH") == "rest":
     urlpatterns += [path("api/token/verify/", verify, name="token_verify")]
+
+if os.environ.get("AUTH_BACKEND") and os.environ["AUTH_BACKEND"].lower() == "social":
+    from rest_social_auth.views import SocialJWTPairUserAuthView
+
+    urlpatterns += [
+        path("api/social/", social, name="social"),
+        path(
+            "api/social/login/",
+            SocialJWTPairUserAuthView.as_view(),
+            name="social_login",
+        ),
+    ]

api/views/alcali.py

@@ -416,7 +416,6 @@ def version(request):
 
 
 @api_view(["GET"])
-@permission_classes([AllowAny])
 @renderer_classes([StreamingRenderer])
 def event_stream(request):
     # Web socket.
@@ -518,3 +517,15 @@ def verify(request):
         if request.POST.get("password") == user.user_settings.token:
             return Response({request.POST.get("username"): None})
         return HttpResponse("Unauthorized", status=401)
+
+
+@api_view(["GET"])
+@permission_classes([AllowAny])
+def social(request):
+    return Response(
+        {
+            "client_id": settings.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY,
+            "provider": "google-oauth2",
+            "redirect_uri": settings.SOCIAL_AUTH_REDIRECT_URI,
+        }
+    )

babel.config.js

@@ -1,5 +1,5 @@
 module.exports = {
   presets: [
-    '@vue/app'
+    '@vue/cli-plugin-babel/preset'
   ]
 }

config/settings.py

@@ -166,3 +166,8 @@
 # LDAP Authentication.
 if os.environ.get("AUTH_BACKEND") and os.environ["AUTH_BACKEND"].lower() == "ldap":
     from .ldap_config import *
+
+# Social Authentication.
+if os.environ.get("AUTH_BACKEND") and os.environ["AUTH_BACKEND"].lower() == "social":
+    INSTALLED_APPS += ["social_django", "rest_social_auth"]
+    from .social_config import *

config/social_config.py

@@ -0,0 +1,20 @@
+import os
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.google.GoogleOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = os.environ.get("SOCIAL_AUTH_GOOGLE_OAUTH2_KEY")
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = os.environ.get("SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET")
+
+if os.environ.get("SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS"):
+    SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS = os.environ.get(
+        "SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS"
+    ).split(",")
+
+if os.environ.get("SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS"):
+    SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS = os.environ.get(
+        "SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS"
+    ).split(",")
+
+SOCIAL_AUTH_REDIRECT_URI = os.environ.get("SOCIAL_AUTH_REDIRECT_URI")

dist/index.html

@@ -1 +1 @@
-<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1"><link rel=icon href=/static/favicon.ico><title>ALCALI</title><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link href="https://fonts.googleapis.com/css?family=Material+Icons" rel=stylesheet><link href=/static/css/app.9c6564fa.css rel=preload as=style><link href=/static/css/chunk-vendors.cf8d7ed4.css rel=preload as=style><link href=/static/js/app.2811a6c6.js rel=preload as=script><link href=/static/js/chunk-vendors.1d7b01b2.js rel=preload as=script><link href=/static/css/chunk-vendors.cf8d7ed4.css rel=stylesheet><link href=/static/css/app.9c6564fa.css rel=stylesheet></head><body><noscript><strong>We're sorry but my-app doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id=app></div><script src=/static/js/chunk-vendors.1d7b01b2.js></script><script src=/static/js/app.2811a6c6.js></script></body></html>
+<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1"><link rel=icon href=/static/favicon.ico><title>ALCALI</title><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link href="https://fonts.googleapis.com/css?family=Material+Icons" rel=stylesheet><link href=/static/css/app.630a9e31.css rel=preload as=style><link href=/static/css/chunk-vendors.7b0e41fc.css rel=preload as=style><link href=/static/js/app.abcf37bb.js rel=preload as=script><link href=/static/js/chunk-vendors.9854a13e.js rel=preload as=script><link href=/static/css/chunk-vendors.7b0e41fc.css rel=stylesheet><link href=/static/css/app.630a9e31.css rel=stylesheet></head><body><noscript><strong>We're sorry but my-app doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id=app></div><script src=/static/js/chunk-vendors.9854a13e.js></script><script src=/static/js/app.abcf37bb.js></script></body></html>

docker/Dockerfile-dev

@@ -32,6 +32,6 @@ WORKDIR /opt/alcali/code
 RUN pip install --user -U setuptools
 
 # Install project
-RUN pip install --user -e .[dev,ldap] mysqlclient
+RUN pip install --user -e .[dev,ldap,social] mysqlclient
 
 ENTRYPOINT ["/opt/alcali/code/docker/utils/entrypoint-dev.sh"]

docs/docs/configuration.md

@@ -96,6 +96,28 @@ AUTH_LDAP_USER_ATTR_MAP = {
 }
 ```
 
+## Google OAuth2 configuration
+
+These environment variable must be set:
+
+```bash
+AUTH_BACKEND=social
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=XXXXX.apps.googleusercontent.com
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=XXX
+SOCIAL_AUTH_REDIRECT_URI=<FULL URI> ex: https://foo.bar:9000
+```
+To limit access to certain emails:
+
+```bash
+SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS=<COMMA SEP EMAILS>
+```
+and/or certain domains:
+
+```bash
+SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS=<COMMA SEP DOMAINS>
+```
+
+
 
 ## `.env` file example:
 

docs/docs/index.md

@@ -15,8 +15,13 @@ Alcali is a web based tool for monitoring and administrating **Saltstack** Salt.
 
 - Check your minions conformity to their highstate or **any state**.
 
+- Keep track of custom state at a glance.
+
 - Use custom auth module to login into both Alcali and the Salt-api using JWT.
 
+- **LDAP** and **Google OAuth2** authentication.
+
+
 [![Build Status](https://travis-ci.org/latenighttales/alcali.svg?branch=2019.2)](https://travis-ci.org/latenighttales/alcali)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=latenighttales/alcali)](https://dependabot.com)

docs/docs/installation.md

@@ -358,3 +358,15 @@ pip install --user alcali[ldap]
 # Install from Source
 pip install --user .[ldap]
 ```
+
+#### Installation with Google OAuth2 support
+
+To add Google OAuth2 support to alcali, just append `[social]` to the chosen install method i.e:
+
+```commandline
+# Install from PyPI
+pip install --user alcali[social]
+
+# Install from Source
+pip install --user .[social]
+```