From 40917034d5c52a641126a7d903d960e7605d1ace Mon Sep 17 00:00:00 2001 From: Rick Elrod Date: Thu, 10 Oct 2024 01:00:43 +0200 Subject: [PATCH] Prettier DRF pages when using trusted proxy This is a rather hacky, but fixes the DRF pages when going through a trusted proxy. Notably: This is meant to primarily fix the DRF pages on downstream builds while leaving the upstream to function as-is. When using a trusted proxy, the DRF login and logout endpoints now redirect to the Platform login page (which respects ?next) and logout endpoint respectively. The CSS and JS is inlined because the trusted proxy might only proxy to /api/ and not /static/ which is a harder problem to solve. Signed-off-by: Rick Elrod --- awx/api/generics.py | 25 +++++++++++++++++++++++-- awx/settings/defaults.py | 4 ++++ awx/templates/rest_framework/api.html | 18 ++++++++++++++++-- 3 files changed, 43 insertions(+), 4 deletions(-) diff --git a/awx/api/generics.py b/awx/api/generics.py index 9e1698a61f3a..5c6f03e11b0f 100644 --- a/awx/api/generics.py +++ b/awx/api/generics.py @@ -14,7 +14,7 @@ from django.db import connection, transaction from django.db.models.fields.related import OneToOneRel from django.http import QueryDict -from django.shortcuts import get_object_or_404 +from django.shortcuts import get_object_or_404, redirect from django.template.loader import render_to_string from django.utils.encoding import smart_str from django.utils.safestring import mark_safe @@ -36,7 +36,7 @@ # django-ansible-base from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend from ansible_base.lib.utils.models import get_all_field_names -from ansible_base.lib.utils.requests import get_remote_host +from ansible_base.lib.utils.requests import get_remote_host, is_proxied_request from ansible_base.rbac.models import RoleEvaluation, RoleDefinition from ansible_base.rbac.permission_registry import permission_registry from ansible_base.jwt_consumer.common.util import validate_x_trusted_proxy_header @@ -82,6 +82,12 @@ class LoggedLoginView(auth_views.LoginView): def get(self, request, *args, **kwargs): + if is_proxied_request(): + next = request.GET.get('next', "") + if next: + next = f"?next={next}" + return redirect(f"/login{next}") + # The django.auth.contrib login form doesn't perform the content # negotiation we've come to expect from DRF; add in code to catch # situations where Accept != text/html (or */*) and reply with @@ -97,6 +103,15 @@ def get(self, request, *args, **kwargs): return super(LoggedLoginView, self).get(request, *args, **kwargs) def post(self, request, *args, **kwargs): + if is_proxied_request(): + # Give a message, saying to login via AAP + return Response( + { + 'detail': _('Please log in via Platform Authentication.'), + }, + status=status.HTTP_401_UNAUTHORIZED, + ) + ret = super(LoggedLoginView, self).post(request, *args, **kwargs) ip = get_remote_host(request) # request.META.get('REMOTE_ADDR', None) if request.user.is_authenticated: @@ -119,6 +134,12 @@ class LoggedLogoutView(auth_views.LogoutView): success_url_allowed_hosts = set(settings.LOGOUT_ALLOWED_HOSTS.split(",")) if settings.LOGOUT_ALLOWED_HOSTS else set() def dispatch(self, request, *args, **kwargs): + if is_proxied_request(): + next = request.GET.get('next', "") + if next: + next = f"?next={next}" + return redirect(f"/logout/{next}") + original_user = getattr(request, 'user', None) ret = super(LoggedLogoutView, self).dispatch(request, *args, **kwargs) current_user = getattr(request, 'user', None) diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py index bf1e6e57270d..e535cf10dd95 100644 --- a/awx/settings/defaults.py +++ b/awx/settings/defaults.py @@ -320,6 +320,10 @@ 'social_django.context_processors.login_redirect', ], 'builtins': ['awx.main.templatetags.swagger'], + 'libraries': { + "ansible_base.lib.templatetags.requests": "ansible_base.lib.templatetags.requests", + "ansible_base.lib.templatetags.util": "ansible_base.lib.templatetags.util", + }, }, 'DIRS': [ os.path.join(BASE_DIR, 'templates'), diff --git a/awx/templates/rest_framework/api.html b/awx/templates/rest_framework/api.html index fbcfe97b30b1..806e915c22ed 100644 --- a/awx/templates/rest_framework/api.html +++ b/awx/templates/rest_framework/api.html @@ -1,11 +1,18 @@ {% extends 'rest_framework/base.html' %} -{% load i18n static %} +{% load i18n static ansible_base.lib.templatetags.requests ansible_base.lib.templatetags.util %} {% block title %}{{ name }} · {% trans 'AWX REST API' %}{% endblock %} {% block bootstrap_theme %} + {% is_proxied_request as proxied %} + {% if proxied %} + + {% else %} + {% endif %} {% endblock %} {% block style %} @@ -24,7 +31,6 @@ - {% trans 'REST API' %} @@ -74,5 +80,13 @@ {{ block.super }} + +{% is_proxied_request as proxied %} +{% if proxied %} + +{% else %} +{% endif %} {% endblock %}