Page MenuHomePhabricator

Move Netbox authentication to python-social-auth
Open, In Progress, MediumPublic

Description

Currently netbox uses django-ca-ng to preform cas authentications. this is added via a cherry-pick we apply to every upgrade· however since we implemented this netbox has added support for djangi-social-auth. As such it makes senses for use to try and migrate to that. Currently the plug-in does not support the CAS protocol but dose support OAuth, OpenID and a bunch of providers. I suggest that we either work on adding cas support to python-social-app or migrate netbox to use OpenID connect or OAuth2

Some history on netbox sso and cas T244849

Event Timeline

jbond triaged this task as Medium priority.Sep 7 2022, 8:39 AM

I currently have a patch with the python-social-auth project to enable OIDC via CAS in the django-social-auth plugin. It still needs documentation and tests to be accepted, but can be used for Netbox as well. https://github.com/python-social-auth/social-core/pull/743

We may need to add a pipeline, if we wish to use groups, but that work is already done in the IDM and can simply be lifted from there.

SLyngshede-WMF changed the task status from Open to In Progress.EditedMay 31 2023, 8:36 AM

Installed the now release social-core on netbox-dev2002

$ source /srv/deployment/netbox/venv/bin/activate
$ pip install --proxy  http://webproxy.eqiad.wmnet:8080 social-auth-core==4.4.2 python-jose>=3.0.0

CAS is presented correctly, but needs correct credentials:

Skærmbillede 2023-05-31 kl. 10.48.24.png (918×796 px, 58 KB)

REMOTE_AUTH_BACKEND = 'social_core.backends.cas.CASOpenIdConnectAuth'
SOCIAL_AUTH_CAS_OIDC_ENDPOINT = 'https://idp-test.wikimedia.org/oidc'
SOCIAL_AUTH_CAS_KEY = 'netbox-next'
SOCIAL_AUTH_CAS_SECRET = 'BORKED'
SOCIAL_AUTH_CAS_USERINFO_URL = 'https://idp-test.wikimedia.org/oidc/profile'
SOCIAL_AUTH_CAS_SCOPE = ['openid', 'profile', 'email', 'groups']
SOCIAL_AUTH_CAS_ID_KEY = 'username'

Change 924895 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] R:idp_test Add Netbox next as OIDC consumer.

https://gerrit.wikimedia.org/r/924895

Change 924895 merged by Slyngshede:

[operations/puppet@production] R:idp_test Add Netbox next as OIDC consumer.

https://gerrit.wikimedia.org/r/924895

Configuration is going to become something like:

REMOTE_AUTH_BACKEND = 'social_core.backends.cas.CASOpenIdConnectAuth'
REMOTE_AUTH_GROUP_SYNC_ENABLED = True
REMOTE_AUTH_SUPERUSER_GROUPS = 'cn=ops,ou=groups,dc=wikimedia,dc=org'
REMOTE_AUTH_STAFF_GROUPS = 'cn=ops,ou=groups,dc=wikimedia,dc=org'
SOCIAL_AUTH_ALLOW_GROUPS = ('cn=ops,ou=groups,dc=wikimedia,dc=org', 'cn=wmf,ou=groups,dc=wikimedia,dc=org', 'cn=nda,ou=groups,dc=wikimedia,dc=org')
SOCIAL_AUTH_CAS_OIDC_ENDPOINT = 'https://idp-test.wikimedia.org/oidc'
SOCIAL_AUTH_CAS_KEY = 'netbox_next'
SOCIAL_AUTH_CAS_SECRET = 'BORKED'
SOCIAL_AUTH_CAS_USERINFO_URL = 'https://idp-test.wikimedia.org/oidc/profile'
SOCIAL_AUTH_CAS_SCOPE = ['openid', 'profile', 'email', 'groups']
SOCIAL_AUTH_CAS_ID_KEY = 'username'

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'netbox.authentication.user_default_groups_handler',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
    'extras.social_pipeline.add_user_to_groups',
)

Change 922506 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] WIP P:netbox reconfigure to used OIDC

https://gerrit.wikimedia.org/r/922506

Change 922506 merged by Slyngshede:

[operations/puppet@production] P:netbox reconfigure to used OIDC

https://gerrit.wikimedia.org/r/922506

Change 932247 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] idp: use groups for the groups attribute when doing OIDC

https://gerrit.wikimedia.org/r/932247

Change 932247 merged by Jbond:

[operations/puppet@production] idp: use groups for the groups attribute when doing OIDC

https://gerrit.wikimedia.org/r/932247

Change 980824 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/netbox-deploy@master] Add ApereoSocialPipeline for now CAS auth

https://gerrit.wikimedia.org/r/980824

Change 980824 merged by Ayounsi:

[operations/software/netbox-deploy@master] Add ApereoSocialPipeline for now CAS auth

https://gerrit.wikimedia.org/r/980824