Add Remote Group Support to the RemoteUserAuth Backend and Middleware

fix incorrect assumption about when to run the group sync Add documentation for new Settings format to autopep8 compliance add first set of basic testcases format test to comply with pep8 rename SEPERATOR to SEPARATOR remove accidentally carried over parameter
2024-05-10 07:54:54 +00:00 · 2021-02-08 14:55:56 +01:00
parent f63dcb1f08
commit d5e5cdda23
5 changed files with 383 additions and 46 deletions
--- a/netbox/netbox/middleware.py
+++ b/netbox/netbox/middleware.py
@ -1,8 +1,11 @@
 import uuid
 from urllib import parse
+import logging

 from django.conf import settings
 from django.contrib.auth.middleware import RemoteUserMiddleware as RemoteUserMiddleware_
+from django.contrib import auth
+from django.core.exceptions import ImproperlyConfigured
 from django.db import ProgrammingError
 from django.http import Http404, HttpResponseRedirect
 from django.urls import reverse
@ -16,6 +19,7 @@ class LoginRequiredMiddleware(object):
    """
    If LOGIN_REQUIRED is True, redirect all non-authenticated users to the login page.
    """
+
    def __init__(self, get_response):
        self.get_response = get_response

@ -49,12 +53,65 @@ class RemoteUserMiddleware(RemoteUserMiddleware_):
        return settings.REMOTE_AUTH_HEADER

    def process_request(self, request):
-
+        logger = logging.getLogger(
+            'netbox.authentication.RemoteUserMiddleware')
        # Bypass middleware if remote authentication is not enabled
        if not settings.REMOTE_AUTH_ENABLED:
            return
+        # AuthenticationMiddleware is required so that request.user exists.
+        if not hasattr(request, 'user'):
+            raise ImproperlyConfigured(
+                "The Django remote user auth middleware requires the"
+                " authentication middleware to be installed.  Edit your"
+                " MIDDLEWARE setting to insert"
+                " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
+                " before the RemoteUserMiddleware class.")
+        try:
+            username = request.META[self.header]
+        except KeyError:
+            # If specified header doesn't exist then remove any existing
+            # authenticated remote-user, or return (leaving request.user set to
+            # AnonymousUser by the AuthenticationMiddleware).
+            if self.force_logout_if_no_header and request.user.is_authenticated:
+                self._remove_invalid_user(request)
+            return
+        # If the user is already authenticated and that user is the user we are
+        # getting passed in the headers, then the correct user is already
+        # persisted in the session and we don't need to continue.
+        if request.user.is_authenticated:
+            if request.user.get_username() == self.clean_username(username, request):
+                return
+            else:
+                # An authenticated user is associated with the request, but
+                # it does not match the authorized user in the header.
+                self._remove_invalid_user(request)

-        return super().process_request(request)
+        # We are seeing this user for the first time in this session, attempt
+        # to authenticate the user.
+        if settings.REMOTE_AUTH_GROUP_SYNC_ENABLED:
+            logger.debug("Trying to sync Groups")
+            user = auth.authenticate(
+                request, remote_user=username, remote_groups=self._get_groups(request))
+        else:
+            user = auth.authenticate(request, remote_user=username)
+        if user:
+            # User is valid.  Set request.user and persist user in the session
+            # by logging the user in.
+            request.user = user
+            auth.login(request, user)
+
+    def _get_groups(self, request):
+        logger = logging.getLogger(
+            'netbox.authentication.RemoteUserMiddleware')
+
+        groups_string = request.META.get(
+            settings.REMOTE_AUTH_GROUP_HEADER, None)
+        if groups_string:
+            groups = groups_string.split(settings.REMOTE_AUTH_GROUP_SEPARATOR)
+        else:
+            groups = []
+        logger.debug(f"Groups are {groups}")
+        return groups


 class ObjectChangeMiddleware(object):
@ -71,6 +128,7 @@ class ObjectChangeMiddleware(object):
    have been created. Conversely, deletions are acted upon immediately, so that the serialized representation of the
    object is recorded before it (and any related objects) are actually deleted from the database.
    """
+
    def __init__(self, get_response):
        self.get_response = get_response

@ -90,6 +148,7 @@ class APIVersionMiddleware(object):
    """
    If the request is for an API endpoint, include the API version as a response header.
    """
+
    def __init__(self, get_response):
        self.get_response = get_response

@ -105,6 +164,7 @@ class ExceptionHandlingMiddleware(object):
    Intercept certain exceptions which are likely indicative of installation issues and provide helpful instructions
    to the user.
    """
+
    def __init__(self, get_response):
        self.get_response = get_response