Skip to content

Commit

Permalink
remove oidc
Browse files Browse the repository at this point in the history
  • Loading branch information
jessicamack committed Oct 2, 2024
1 parent 14698b1 commit 4c260e1
Show file tree
Hide file tree
Showing 7 changed files with 27 additions and 2,033 deletions.
26 changes: 26 additions & 0 deletions awx/conf/migrations/0011_remove_oidc_auth_conf.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Generated by Django 4.2.10 on 2024-08-27 19:31

from django.db import migrations

Check warning on line 3 in awx/conf/migrations/0011_remove_oidc_auth_conf.py

View check run for this annotation

Codecov / codecov/patch

awx/conf/migrations/0011_remove_oidc_auth_conf.py#L3

Added line #L3 was not covered by tests

OIDC_AUTH_CONF_KEYS = [

Check warning on line 5 in awx/conf/migrations/0011_remove_oidc_auth_conf.py

View check run for this annotation

Codecov / codecov/patch

awx/conf/migrations/0011_remove_oidc_auth_conf.py#L5

Added line #L5 was not covered by tests
'SOCIAL_AUTH_OIDC_KEY',
'SOCIAL_AUTH_OIDC_SECRET',
'SOCIAL_AUTH_OIDC_OIDC_ENDPOINT',
'SOCIAL_AUTH_OIDC_VERIFY_SSL'
]


def remove_oidc_auth_conf(apps, scheme_editor):
setting = apps.get_model('conf', 'Setting')
setting.objects.filter(key__in=OIDC_AUTH_CONF_KEYS).delete()

Check warning on line 15 in awx/conf/migrations/0011_remove_oidc_auth_conf.py

View check run for this annotation

Codecov / codecov/patch

awx/conf/migrations/0011_remove_oidc_auth_conf.py#L13-L15

Added lines #L13 - L15 were not covered by tests


class Migration(migrations.Migration):

Check warning on line 18 in awx/conf/migrations/0011_remove_oidc_auth_conf.py

View check run for this annotation

Codecov / codecov/patch

awx/conf/migrations/0011_remove_oidc_auth_conf.py#L18

Added line #L18 was not covered by tests

dependencies = [

Check warning on line 20 in awx/conf/migrations/0011_remove_oidc_auth_conf.py

View check run for this annotation

Codecov / codecov/patch

awx/conf/migrations/0011_remove_oidc_auth_conf.py#L20

Added line #L20 was not covered by tests
('conf', '0010_change_to_JSONField'),
]

operations = [

Check warning on line 24 in awx/conf/migrations/0011_remove_oidc_auth_conf.py

View check run for this annotation

Codecov / codecov/patch

awx/conf/migrations/0011_remove_oidc_auth_conf.py#L24

Added line #L24 was not covered by tests
migrations.RunPython(remove_oidc_auth_conf),
]
48 changes: 0 additions & 48 deletions awx/sso/conf.py
Original file line number Diff line number Diff line change
Expand Up @@ -1234,54 +1234,6 @@ def _register_ldap(append=None):
placeholder=SOCIAL_AUTH_TEAM_MAP_PLACEHOLDER,
)

###############################################################################
# Generic OIDC AUTHENTICATION SETTINGS
###############################################################################

register(
'SOCIAL_AUTH_OIDC_KEY',
field_class=fields.CharField,
allow_null=False,
default=None,
label=_('OIDC Key'),
help_text='The OIDC key (Client ID) from your IDP.',
category=_('Generic OIDC'),
category_slug='oidc',
)

register(
'SOCIAL_AUTH_OIDC_SECRET',
field_class=fields.CharField,
allow_blank=True,
default='',
label=_('OIDC Secret'),
help_text=_('The OIDC secret (Client Secret) from your IDP.'),
category=_('Generic OIDC'),
category_slug='oidc',
encrypted=True,
)

register(
'SOCIAL_AUTH_OIDC_OIDC_ENDPOINT',
field_class=fields.CharField,
allow_blank=True,
default='',
label=_('OIDC Provider URL'),
help_text=_('The URL for your OIDC provider including the path up to /.well-known/openid-configuration'),
category=_('Generic OIDC'),
category_slug='oidc',
)

register(
'SOCIAL_AUTH_OIDC_VERIFY_SSL',
field_class=fields.BooleanField,
default=True,
label=_('Verify OIDC Provider Certificate'),
help_text=_('Verify the OIDC provider ssl certificate.'),
category=_('Generic OIDC'),
category_slug='oidc',
)

###############################################################################
# SAML AUTHENTICATION SETTINGS
###############################################################################
Expand Down
10 changes: 0 additions & 10 deletions awx/sso/tests/functional/test_common.py
Original file line number Diff line number Diff line change
Expand Up @@ -314,16 +314,6 @@ def test_get_external_account(self, enable_ldap, enable_social, enable_enterpris

if enable_ldap:
user.profile.ldap_dn = 'test.dn'
if enable_social:
from social_django.models import UserSocialAuth

social_auth, _ = UserSocialAuth.objects.get_or_create(
uid='667ec049-cdf3-45d0-a4dc-0465f7505954',
provider='oidc',
extra_data={},
user_id=user.id,
)
user.social_auth.set([social_auth])
if enable_enterprise:
from awx.sso.models import UserEnterpriseAuth

Expand Down
83 changes: 0 additions & 83 deletions tools/docker-compose/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -271,7 +271,6 @@ $ make docker-compose
- [Using Logstash](./docs/logstash.md)
- [Start a Cluster](#start-a-cluster)
- [Start with Minikube](#start-with-minikube)
- [SAML and OIDC Integration](#saml-and-oidc-integration)
- [OpenLDAP Integration](#openldap-integration)
- [Splunk Integration](#splunk-integration)
- [tacacs+ Integration](#tacacs+-integration)
Expand Down Expand Up @@ -354,88 +353,6 @@ If you want to clean all things once your are done, you can do:
(host)$ make docker-compose-container-group-clean
```

### SAML and OIDC Integration
Keycloak can be used as both a SAML and OIDC provider and can be used to test AWX social auth. This section describes how to build a reference Keycloak instance and plumb it with AWX for testing purposes.

First, be sure that you have the awx.awx collection installed by running `make install_collection`.
Next, make sure you have your containers running by running `make docker-compose`.

Note: The following instructions assume we are using the built-in postgres database container. If you are not using the internal database you can use this guide as a reference, updating the database fields as required for your connection.

We are now ready to run two one time commands to build and pre-populate the Keycloak database.

The first one time command will be creating a Keycloak database in your postgres database by running:
```bash
docker exec tools_postgres_1 /usr/bin/psql -U postgres --command 'CREATE DATABASE keycloak WITH OWNER=awx encoding "UTF8";'
```

After running this command the following message should appear and you should be returned to your prompt:
```base
CREATE DATABASE
```

The second one time command will be to start a Keycloak container to build our admin user; be sure to set pg_username and pg_password to work for you installation. Note: the command below set the username as admin with a password of admin, you can change this if you want. Also, if you are using your own container or have changed the pg_username please update the command accordingly.
```bash
PG_PASSWORD=`cat tools/docker-compose/_sources/secrets/pg_password.yml | cut -f 2 -d \'`
docker run --rm -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --net=sources_awx \
-e DB_VENDOR=postgres -e DB_ADDR=postgres -e DB_DATABASE=keycloak -e DB_USER=awx -e DB_PASSWORD=${PG_PASSWORD} \
quay.io/keycloak/keycloak:15.0.2
```

Once you see a message like: `WFLYSRV0051: Admin console listening on http://127.0.0.1:9990` you can stop the container.

Now that we have performed the one time setup anytime you want to run a Keycloak instance alongside AWX we can start docker-compose with the KEYCLOAK option to get a Keycloak instance with the command:
```bash
KEYCLOAK=true make docker-compose
```

Go ahead and stop your existing docker-compose run and restart with Keycloak before proceeding to the next steps.

Once the containers come up a new port (8443) should be exposed and the Keycloak interface should be running on that port. Connect to this through a url like `https://localhost:8443` to confirm that Keycloak has stared. If you wanted to login and look at Keycloak itself you could select the "Administration console" link and log into the UI the username/password set in the previous `docker run` command. For more information about Keycloak and links to their documentation see their project at https://github.com/keycloak/keycloak.

Now we are ready to configure and plumb Keycloak with AWX. To do this we have provided a playbook which will:
* Create a certificate for SAML data exchange between Keycloak and AWX.
* Create a realm in Keycloak with a client for AWX via SAML and OIDC and 3 users.
* Backup and configure the SMAL and OIDC adapter in AWX. NOTE: the private key of any existing SAML or OIDC adapters can not be backed up through the API, you need a DB backup to recover this.

Before we can run the playbook we need to understand that SAML works by sending redirects between AWX and Keycloak through the browser. Because of this we have to tell both AWX and Keycloak how they will construct the redirect URLs. On the Keycloak side, this is done within the realm configuration and on the AWX side its done through the SAML settings. The playbook requires a variable called `container_reference` to be set. The container_reference variable needs to be how your browser will be able to talk to the running containers. Here are some examples of how to choose a proper container_reference.
* If you develop on a mac which runs a Fedora VM which has AWX running within that and the browser you use to access AWX runs on the mac. The VM with the container has its own IP that is mapped to a name like `tower.home.net`. In this scenario your "container_reference" could be either the IP of the VM or the tower.home.net friendly name.
* If you are on a Fedora work station running AWX and also using a browser on your workstation you could use localhost, your work stations IP or hostname as the container_reference.

In addition, OIDC works similar but slightly differently. OIDC has browser redirection but OIDC will also communicate from the AWX docker instance to the Keycloak docker instance directly. Any hostnames you might have are likely not propagated down into the AWX container. So we need a method for both the browser and AWX container to talk to Keycloak. For this we will likely use your machines IP address. This can be passed in as a variable called `oidc_reference`. If unset this will default to container_reference which may be viable for some configurations.

In addition to container_reference, there are some additional variables which you can override if you need/choose to do so. Here are their names and default values:
```yaml
keycloak_user: admin
keycloak_pass: admin
cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
```
* keycloak_(user|pass) need to change if you modified the user when starting the initial container above.
* cert_subject will be the subject line of the certificate shared between AWX and keycloak you can change this if you like or just use the defaults.
To override any of the variables above you can add more `-e` arguments to the playbook run below. For example, if you simply need to change the `keycloak_pass` add the argument `-e keycloak_pass=my_secret_pass` to the following ansible-playbook command.

In addition, you may need to override the username or password to get into your AWX instance. We log into AWX in order to read and write the SAML and OIDC settings. This can be done in several ways because we are using the awx.awx collection. The easiest way is to set environment variables such as `CONTROLLER_USERNAME`. See the awx.awx documentation for more information on setting environment variables. In the example provided below we are showing an example of specifying a username/password for authentication.

Now that we have all of our variables covered we can run the playbook like:
```bash
export CONTROLLER_USERNAME=<your username>
export CONTROLLER_PASSWORD=<your password>
ansible-playbook tools/docker-compose/ansible/plumb_keycloak.yml -e container_reference=<your container_reference here> -e oidc_reference=<your oidc reference>
```

Once the playbook is done running both SAML and OIDC should now be setup in your development environment. This realm has three users with the following username/passwords:
1. awx_unpriv:unpriv123
2. awx_admin:admin123
3. awx_auditor:audit123

The first account is a normal user. The second account has the SMAL attribute is_superuser set in Keycloak so will be a super user in AWX if logged in through SAML. The third account has the SAML is_system_auditor attribute in Keycloak so it will be a system auditor in AWX if logged in through SAML. To log in with one of these Keycloak users go to the AWX login screen and click the small "Sign In With SAML Keycloak" button at the bottom of the login box.

Note: The OIDC adapter performs authentication only, not authorization. So any user created in AWX will not have any permissions on it at all.

If you Keycloak configuration is not working and you need to rerun the playbook to try a different `container_reference` or `oidc_reference` you can log into the Keycloak admin console on port 8443 and select the AWX realm in the upper left drop down. Then make sure you are on "Ream Settings" in the Configure menu option and click the trash can next to AWX in the main page window pane. This will completely remove the AWX ream (which has both SAML and OIDC settings) enabling you to re-run the plumb playbook.

### OpenLDAP Integration

OpenLDAP is an LDAP provider that can be used to test AWX with LDAP integration. This section describes how to build a reference OpenLDAP instance and plumb it with your AWX for testing purposes.
Expand Down
14 changes: 1 addition & 13 deletions tools/docker-compose/ansible/plumb_keycloak.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,6 @@
public_key_trimmed: "{{ public_key_content | regex_replace('-----BEGIN CERTIFICATE-----\\\\n', '') | regex_replace('\\\\n-----END CERTIFICATE-----', '') }}"
existing_saml: "{{ lookup('awx.awx.controller_api', 'settings/saml', host=awx_host, verify_ssl=false) }}"
new_saml: "{{ lookup('template', 'saml_settings.json.j2') }}"
existing_oidc: "{{ lookup('awx.awx.controller_api', 'settings/oidc', host=awx_host, verify_ssl=false) }}"
new_oidc: "{{ lookup('template', 'oidc_settings.json.j2') }}"
vars:
# We add the extra \\ in here so that when jinja is templating out the files we end up with \n in the strings.
public_key_content: "{{ lookup('file', public_key_file) | regex_replace('\n', '\\\\n') }}"
Expand All @@ -36,11 +34,9 @@
msg:
- "Here is your existing SAML configuration for reference:"
- "{{ existing_saml }}"
- "Here is your existing OIDC configuration for reference:"
- "{{ existing_oidc }}"

- ansible.builtin.pause:
prompt: "Continuing to run this will replace your existing saml and OIDC settings (displayed above). They will all be captured except for your private key. Be sure that is backed up before continuing"
prompt: "Continuing to run this will replace your existing saml settings (displayed above). They will all be captured except for your private key. Be sure that is backed up before continuing"

- name: Write out the existing content
ansible.builtin.copy:
Expand All @@ -49,21 +45,13 @@
loop:
- filename: "existing_saml_adapter_settings.json"
content: "{{ existing_saml }}"
- filename: "existing_oidc_adapter_settings.json"
content: "{{ existing_oidc }}"

- name: Configure AWX SAML adapter
awx.awx.settings:
settings: "{{ new_saml }}"
controller_host: "{{ awx_host }}"
validate_certs: False

- name: Configure AWX OIDC adapter
awx.awx.settings:
settings: "{{ new_oidc }}"
controller_host: "{{ awx_host }}"
validate_certs: False

- name: Get a keycloak token
ansible.builtin.uri:
url: "https://localhost:8443/auth/realms/master/protocol/openid-connect/token"
Expand Down
Loading

0 comments on commit 4c260e1

Please sign in to comment.