From 42966abfe4d39bf780052f5b30ae1fdce40dd4ae Mon Sep 17 00:00:00 2001
From: Lars Meijers
Date: Wed, 24 Apr 2024 09:02:06 +0200
Subject: [PATCH] reverted and amended the groups check
---
 .../en/integrations/social-authentication.md | 48 ++++++++-----------
 ... 0213_alter_dojo_group_social_provider.py} | 2 +-
 dojo/group/utils.py | 5 +-
 dojo/pipeline.py | 2 +-
 4 files changed, 25 insertions(+), 32 deletions(-)
 rename dojo/db_migrations/{0210_alter_dojo_group_social_provider.py => 0213_alter_dojo_group_social_provider.py} (88%)
diff --git a/docs/content/en/integrations/social-authentication.md b/docs/content/en/integrations/social-authentication.md
index c6a3b21a944..95bd11dc027 100644
--- a/docs/content/en/integrations/social-authentication.md
+++ b/docs/content/en/integrations/social-authentication.md
@@ -266,8 +266,8 @@ Follow along below.
 5. Restart DefectDojo, and you should now see a **Login with Gitlab** button on the login page.
-## Keycloak !!Needs to be updated!!
-There is also an option to use Keycloak as OAuth2 provider in order to authenticate users to Defect Dojo, also by using
+## Keycloak
+There is also an option to use Keycloak as OAuth2/OIDC provider in order to authenticate users to Defect Dojo, also by using
 the social-auth plugin.
 Here are suggestion on how to configure Keycloak and DefectDojo:
@@ -279,53 +279,44 @@ Here are suggestion on how to configure Keycloak and DefectDojo:
 * Set `access type` to `confidential`
 * Under `valid Redirect URIs`, add the URI to your defect dojo installation, e.g. 'https:///*'
 * Under `web origins`, add the same (or '+')
- * Under `Fine grained openID connect configuration` -> `user info signed response algorithm`: set to `RS256`
- * Under `Fine grained openID connect configuration` -> `request object signature algorithm`: set to `RS256`
 * -> save these settings in keycloak (hit save button)
-3. Under `Scope` -> `Full Scope Allowed` set to `off`
-4. Under `mappers` -> add a custom mapper here:
- * Name: `aud`
- * Mapper type: `audience`
- * Included audience: select your client/client-id here
- * Add ID to token: `off`
- * Add access to token: `on`
-5. Under `credentials`: copy the secret (and use as DD_SOCIAL_AUTH_KEYCLOAK_SECRET below)
-6. In your realm settings -> keys: copy the "Public key" (signing key) (use for DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY below)
-7. In your realm settings -> general -> endpoints: look into openId endpoint configuration
- and look up your authorization and token endpoint (use them below)
+3. 
In your realm settings -> general -> endpoints: look into openId endpoint configuration
+ and use the url below for the `DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT` property (you can remove the `/.well-known/openid-configuration` part as its standard and the python library adds it)
 ### Configure Defect Dojo
 Edit the settings (see [Configuration]({{< ref "/getting_started/configuration" >}})) with the following information:
 {{< highlight python >}}
- DD_SESSION_COOKIE_SECURE=True,
- DD_CSRF_COOKIE_SECURE=True,
- DD_SECURE_SSL_REDIRECT=True,
 DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED=True,
- DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=(str, ''),
+ DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=""
 DD_SOCIAL_AUTH_KEYCLOAK_KEY=(str, ''),
- DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, ''),
- DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL=(str, ''),
- DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL=(str, '')
+ DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, ''),
 {{< /highlight >}}
 or, alternatively, for helm configuration, add this to the `extraConfig` section:
 ```
-DD_SESSION_COOKIE_SECURE: 'True'
-DD_CSRF_COOKIE_SECURE: 'True'
-DD_SECURE_SSL_REDIRECT: 'True'
 DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED: 'True'
-DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: ''
+DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=""
 DD_SOCIAL_AUTH_KEYCLOAK_KEY: ''
 DD_SOCIAL_AUTH_KEYCLOAK_SECRET: ''
-DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: ''
-DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: ''
 ```
 Optionally, you *can* set `DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT` in order to customize the login button's text caption.
+### Syncing groups from Keycloak to Defectdojo
+It is also possible to sync groups from Keycloak into Defectdojo, for this you will first need to configure a `client scope` which enables the groups of your users to be included
+into the authentication tokens of your users. Keycloak provides a `Groups` mapper specifically for this purpose.
+
+After enabling the `Groups` mapper you can configure Defectdojo to sync these groups with the following properties:
+
+```
+DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS: "True"
+DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS: "True"
+DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER: ""
+```
+
 ## GitHub Enterprise
 1. Navigate to your GitHub Enterprise Server and follow instructions to create a new OAuth App [https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app](https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app)
 2. Choose a name for your application
@@ -448,6 +439,7 @@ Some Identity Providers are able to send list of groups to which should user bel
 - [Azure](#automatic-import-of-user-groups): Check `DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS` and `DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS`
 - [RemoteUser](#remoteuser): Check `DD_AUTH_REMOTEUSER_GROUPS_HEADER` and `DD_AUTH_REMOTEUSER_GROUPS_CLEANUP`
+- [Keycloak](#Syncing-groups-from-Keycloak-to-Defectdojo) Check `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS` and `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS`
 ## Login speed-up
diff --git a/dojo/db_migrations/0210_alter_dojo_group_social_provider.py b/dojo/db_migrations/0213_alter_dojo_group_social_provider.py
similarity index 88%
rename from dojo/db_migrations/0210_alter_dojo_group_social_provider.py
rename to dojo/db_migrations/0213_alter_dojo_group_social_provider.py
index a919da4e7b0..991908fa3f8 100644
--- a/dojo/db_migrations/0210_alter_dojo_group_social_provider.py
+++ b/dojo/db_migrations/0213_alter_dojo_group_social_provider.py
@@ -6,7 +6,7 @@ class Migration(migrations.Migration):
 dependencies = [
- ('dojo', '0209_alter_finding_severity'),
+ ('dojo', '0212_sla_configuration_enforce_critical_and_more'),
 ]
 operations = [
diff --git a/dojo/group/utils.py b/dojo/group/utils.py
index fa2b076afbf..1d690aefb17 100644
--- a/dojo/group/utils.py
+++ b/dojo/group/utils.py
@@ -3,7 +3,8 @@
 from django.contrib.auth.models import Group
 from django.db.models.signals import post_delete, post_save
 from django.dispatch import receiver
-from dojo.models import Dojo_Group, Dojo_Group_Member, Role, Dojo_User
+
+from dojo.models import Dojo_Group, Dojo_Group_Member, Role
 def get_auth_group_name(group, attempt=0):
@@ -34,7 +35,7 @@ def group_post_save_handler(sender, **kwargs):
 group.auth_group = auth_group
 group.save()
 user = get_current_user()
- if user and isinstance(user, Dojo_User):
+ if user and not settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS and not settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS:
 # Add the current user as the owner of the group
 member = Dojo_Group_Member()
 member.user = user
diff --git a/dojo/pipeline.py b/dojo/pipeline.py
index 40da06b7d2d..b3cbc4437f4 100644
--- a/dojo/pipeline.py
+++ b/dojo/pipeline.py
@@ -6,8 +6,8 @@
 import social_core.pipeline.user
 from django.conf import settings
 from social_core.backends.azuread_tenant import AzureADTenantOAuth2
-from social_core.backends.open_id_connect import OpenIdConnectAuth
 from social_core.backends.google import GoogleOAuth2
+from social_core.backends.open_id_connect import OpenIdConnectAuth
 from dojo.authorization.roles_permissions import Permissions, Roles
 from dojo.models import Dojo_Group, Dojo_Group_Member, Product, Product_Member, Product_Type, Role
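Review bot: The rewritten guard on the `if user and ...` line of group_post_save_handler makes owner assignment depend on two global settings instead of on who the current user is, so with either group-sync option enabled a group created by an administrator in the UI no longer gets that administrator as owner, and dropping `isinstance(user, Dojo_User)` leaves nothing preventing a non-Dojo_User value from `get_current_user()` (presumably an anonymous request user during the social-auth pipeline) from being assigned to `member.user` when both settings are off. Keeping both guards, `if user and isinstance(user, Dojo_User) and not settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS and not settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS:`, with the `Dojo_User` import restored in the first hunk, covers both cases. Separately, the documentation hunk introduces `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS` while this line reads `settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS`; if the settings module strips the `DD_SOCIAL_AUTH_` prefix the way `AZUREAD_TENANT_OAUTH2_GET_GROUPS` suggests, the extra `TENANT` would mean the attribute is undefined and every group save raises AttributeError, so the name should be verified against settings. The import hunk shown does not include `from django.conf import settings`; it may sit on the two lines above the hunk, but confirm. group_post_save_handler begins outside the hunk.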