Remove SAML authentication (#15568)

* remove saml

* remove license file and management command

* update requirements, add migrations

* remove unused imports

awx/api/conf.py

@@ -37,7 +37,7 @@
     label=_('Disable the built-in authentication system'),
     help_text=_(
         "Controls whether users are prevented from using the built-in authentication system. "
-        "You probably want to do this if you are using an LDAP or SAML integration."
+        "You probably want to do this if you are using an LDAP integration."
     ),
     category=_('Authentication'),
     category_slug='authentication',
@@ -77,8 +77,8 @@
     default=False,
     label=_('Allow External Users to Create OAuth2 Tokens'),
     help_text=_(
-        'For security reasons, users from external auth providers (LDAP, SAML, '
-        'SSO, and others) are not allowed to create OAuth2 tokens. '
+        'For security reasons, users from external auth providers (LDAP, SSO, '
+        ' and others) are not allowed to create OAuth2 tokens. '
         'To change this behavior, enable this setting. Existing tokens will '
         'not be deleted when this setting is toggled off.'
     ),

awx/api/views/__init__.py

@@ -689,25 +689,15 @@ def get(self, request):
         data = OrderedDict()
         err_backend, err_message = request.session.get('social_auth_error', (None, None))
         auth_backends = list(load_backends(settings.AUTHENTICATION_BACKENDS, force_load=True).items())
-        # Return auth backends in consistent order: oidc, saml.
+        # Return auth backends in consistent order: oidc.
         auth_backends.sort(key=lambda x: x[0])
         for name, backend in auth_backends:
             login_url = reverse('social:begin', args=(name,))
             complete_url = request.build_absolute_uri(reverse('social:complete', args=(name,)))
             backend_data = {'login_url': login_url, 'complete_url': complete_url}
-            if name == 'saml':
-                backend_data['metadata_url'] = reverse('sso:saml_metadata')
-                for idp in sorted(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.keys()):
-                    saml_backend_data = dict(backend_data.items())
-                    saml_backend_data['login_url'] = '%s?idp=%s' % (login_url, idp)
-                    full_backend_name = '%s:%s' % (name, idp)
-                    if (err_backend == full_backend_name or err_backend == name) and err_message:
-                        saml_backend_data['error'] = err_message
-                    data[full_backend_name] = saml_backend_data
-            else:
-                if err_backend == name and err_message:
-                    backend_data['error'] = err_message
-                data[name] = backend_data
+            if err_backend == name and err_message:
+                backend_data['error'] = err_message
+            data[name] = backend_data
         return Response(data)
 
 

awx/conf/migrations/0011_remove_saml_auth_conf.py

@@ -0,0 +1,40 @@
+# Generated by Django 4.2.10 on 2024-08-27 14:20
+
+from django.db import migrations
+
+SAML_AUTH_CONF_KEYS = [
+    'SAML_AUTO_CREATE_OBJECTS',
+    'SOCIAL_AUTH_SAML_CALLBACK_URL',
+    'SOCIAL_AUTH_SAML_METADATA_URL',
+    'SOCIAL_AUTH_SAML_SP_ENTITY_ID',
+    'SOCIAL_AUTH_SAML_SP_PUBLIC_CERT',
+    'SOCIAL_AUTH_SAML_SP_PRIVATE_KEY',
+    'SOCIAL_AUTH_SAML_ORG_INFO',
+    'SOCIAL_AUTH_SAML_TECHNICAL_CONTACT',
+    'SOCIAL_AUTH_SAML_SUPPORT_CONTACT',
+    'SOCIAL_AUTH_SAML_ENABLED_IDPS',
+    'SOCIAL_AUTH_SAML_SECURITY_CONFIG',
+    'SOCIAL_AUTH_SAML_SP_EXTRA',
+    'SOCIAL_AUTH_SAML_EXTRA_DATA',
+    'SOCIAL_AUTH_SAML_ORGANIZATION_MAP',
+    'SOCIAL_AUTH_SAML_TEAM_MAP',
+    'SOCIAL_AUTH_SAML_ORGANIZATION_ATTR',
+    'SOCIAL_AUTH_SAML_TEAM_ATTR',
+    'SOCIAL_AUTH_SAML_USER_FLAGS_BY_ATTR',
+]
+
+
+def remove_saml_auth_conf(apps, scheme_editor):
+    setting = apps.get_model('conf', 'Setting')
+    setting.objects.filter(key__in=SAML_AUTH_CONF_KEYS).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('conf', '0010_change_to_JSONField'),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_saml_auth_conf),
+    ]

awx/conf/tests/functional/test_api.py

@@ -8,7 +8,6 @@
 from awx.conf import fields
 from awx.conf.registry import settings_registry
 from awx.conf.models import Setting
-from awx.sso import fields as sso_fields
 
 
 @pytest.fixture
@@ -103,24 +102,6 @@ def test_setting_singleton_update(api_request, dummy_setting):
         assert response.data['FOO_BAR'] == 4
 
 
-@pytest.mark.django_db
-def test_setting_singleton_update_hybriddictfield_with_forbidden(api_request, dummy_setting):
-    # Some HybridDictField subclasses have a child of _Forbidden,
-    # indicating that only the defined fields can be filled in.  Make
-    # sure that the _Forbidden validator doesn't get used for the
-    # fields.  See also https://github.com/ansible/awx/issues/4099.
-    with dummy_setting('FOO_BAR', field_class=sso_fields.SAMLOrgAttrField, category='FooBar', category_slug='foobar'), mock.patch(
-        'awx.conf.views.clear_setting_cache'
-    ):
-        api_request(
-            'patch',
-            reverse('api:setting_singleton_detail', kwargs={'category_slug': 'foobar'}),
-            data={'FOO_BAR': {'saml_admin_attr': 'Admins', 'saml_attr': 'Orgs'}},
-        )
-        response = api_request('get', reverse('api:setting_singleton_detail', kwargs={'category_slug': 'foobar'}))
-        assert response.data['FOO_BAR'] == {'saml_admin_attr': 'Admins', 'saml_attr': 'Orgs'}
-
-
 @pytest.mark.django_db
 def test_setting_singleton_update_dont_change_readonly_fields(api_request, dummy_setting):
     with dummy_setting('FOO_BAR', field_class=fields.IntegerField, read_only=True, default=4, category='FooBar', category_slug='foobar'), mock.patch(

awx/main/conf.py

@@ -48,7 +48,7 @@
     label=_('Organization Admins Can Manage Users and Teams'),
     help_text=_(
         'Controls whether any Organization Admin has the privileges to create and manage users and teams. '
-        'You may want to disable this ability if you are using an LDAP or SAML integration.'
+        'You may want to disable this ability if you are using an LDAP integration.'
     ),
     category=_('System'),
     category_slug='system',

awx/main/models/__init__.py

@@ -248,8 +248,6 @@ def user_is_in_enterprise_category(user, category):
     ret = (category,) in user.enterprise_auth.values_list('provider') and not user.has_usable_password()
     # NOTE: this if block ensures existing enterprise users are still able to
     # log in. Remove it in a future release
-    if category == 'saml':
-        ret = ret or user.social_auth.all()
     return ret
 
 

awx/main/tests/functional/api/test_settings.py

@@ -193,31 +193,3 @@ def test_logging_aggregator_connection_test_valid(put, post, admin):
     # "Test" the logger
     url = reverse('api:setting_logging_test')
     post(url, {}, user=admin, expect=202)
-
-
-@pytest.mark.django_db
-@pytest.mark.parametrize('headers', [True, False])
-def test_saml_x509cert_validation(patch, get, admin, headers):
-    cert = "MIIEogIBAAKCAQEA1T4za6qBbHxFpN5f9eFvA74MFjrsjcp1uvzOaE23AYKMDEJghJ6dqQ7GwHLNIeIeumqDFmODauIzrgSDJTT5+NG30Rr+rRi0zDkrkBAj/AtA+SaVhbzqB6ZSd7LaMly9XAc+82OKlNpuWS9hPmFaSShzDTXRu5RRyvm4NDCAOGDu5hyVR2pV/ffKDNfNkChnqzvRRW9laQcVmliZhlTGn7nPZ+JbjpwEy0nwW+4zoAiEvwnT52N4xTqIcYOnXtGiaf13dh7FkUfYmS0tzF3+h8QRKwtIm4y+sq84R/kr79/0t5aRUpJynNrECajzmArpL4IjXKTPIyUpTKirJgGnCwIDAQABAoIBAC6bbbm2hpsjfkVOpUKkhxMWUqX5MwK6oYjBAIwjkEAwPFPhnh7eXC87H42oidVCCt1LsmMOVQbjcdAzBEb5kTkk/Twi3k8O+1U3maHfJT5NZ2INYNjeNXh+jb/Dw5UGWAzpOIUR2JQ4Oa4cgPCVbppW0O6uOKz6+fWXJv+hKiUoBCC0TiY52iseHJdUOaKNxYRD2IyIzCAxFSd5tZRaARIYDsugXp3E/TdbsVWA7bmjIBOXq+SquTrlB8x7j3B7+Pi09nAJ2U/uV4PHE+/2Fl009ywfmqancvnhwnz+GQ5jjP+gTfghJfbO+Z6M346rS0Vw+osrPgfyudNHlCswHOECgYEA/Cfq25gDP07wo6+wYWbx6LIzj/SSZy/Ux9P8zghQfoZiPoaq7BQBPAzwLNt7JWST8U11LZA8/wo6ch+HSTMk+m5ieVuru2cHxTDqeNlh94eCrNwPJ5ayA5U6LxAuSCTAzp+rv6KQUx1JcKSEHuh+nRYTKvUDE6iA6YtPLO96lLUCgYEA2H5rOPX2M4w1Q9zjol77lplbPRdczXNd0PIzhy8Z2ID65qvmr1nxBG4f2H96ykW8CKLXNvSXreNZ1BhOXc/3Hv+3mm46iitB33gDX4mlV4Jyo/w5IWhUKRyoW6qXquFFsScxRzTrx/9M+aZeRRLdsBk27HavFEg6jrbQ0SleZL8CgYAaM6Op8d/UgkVrHOR9Go9kmK/W85kK8+NuaE7Ksf57R0eKK8AzC9kc/lMuthfTyOG+n0ff1i8gaVWtai1Ko+/hvfqplacAsDIUgYK70AroB8LCZ5ODj5sr2CPVpB7LDFakod7c6O2KVW6+L7oy5AHUHOkc+5y4PDg5DGrLxo68SQKBgAlGoWF3aG0c/MtDk51JZI43U+lyLs++ua5SMlMAeaMFI7rucpvgxqrh7Qthqukvw7a7A22fXUBeFWM5B2KNnpD9c+hyAKAa6l+gzMQzKZpuRGsyS2BbEAAS8kO7M3Rm4o2MmFfstI2FKs8nibJ79HOvIONQ0n+T+K5Utu2/UAQRAoGAFB4fiIyQ0nYzCf18Z4Wvi/qeIOW+UoBonIN3y1h4wruBywINHxFMHx4aVImJ6R09hoJ9D3Mxli3xF/8JIjfTG5fBSGrGnuofl14d/XtRDXbT2uhVXrIkeLL/ojODwwEx0VhxIRUEjPTvEl6AFSRRcBp3KKzQ/cu7ENDY6GTlOUI="  # noqa
-    if headers:
-        cert = '-----BEGIN CERTIFICATE-----\n' + cert + '\n-----END CERTIFICATE-----'
-    url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'saml'})
-    resp = patch(
-        url,
-        user=admin,
-        data={
-            'SOCIAL_AUTH_SAML_ENABLED_IDPS': {
-                "okta": {
-                    "attr_last_name": "LastName",
-                    "attr_username": "login",
-                    "entity_id": "http://www.okta.com/abc123",
-                    "attr_user_permanent_id": "login",
-                    "url": "https://example.okta.com/app/abc123/xyz123/sso/saml",
-                    "attr_email": "Email",
-                    "x509cert": cert,
-                    "attr_first_name": "FirstName",
-                }
-            }
-        },
-    )
-    assert resp.status_code == 200