From 753ad112d411af6421ded8c041e167ba02f56e6f Mon Sep 17 00:00:00 2001 From: Lars Meijers Date: Fri, 8 Mar 2024 16:43:42 +0100 Subject: [PATCH 1/5] keycloak oidc and group sync --- dojo/context_processors.py | 3 +++ .../0205_alter_dojo_group_social_provider.py | 18 +++++++++++++ dojo/group/utils.py | 5 ++-- dojo/models.py | 2 ++ dojo/pipeline.py | 20 +++++++++++++++ dojo/settings/settings.dist.py | 25 ++++++++++++++----- dojo/templates/dojo/login.html | 2 +- dojo/user/views.py | 2 +- 8 files changed, 66 insertions(+), 11 deletions(-) create mode 100644 dojo/db_migrations/0205_alter_dojo_group_social_provider.py diff --git a/dojo/context_processors.py b/dojo/context_processors.py index c0bbb250469..9da80ff0b8e 100644 --- a/dojo/context_processors.py +++ b/dojo/context_processors.py @@ -17,6 +17,9 @@ def globalize_vars(request): "AZUREAD_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS, "AZUREAD_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER, "AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS, + "KEYCLOAK_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS, + "KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER, + "KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS, "KEYCLOAK_ENABLED": settings.KEYCLOAK_OAUTH2_ENABLED, "SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT, "GITHUB_ENTERPRISE_ENABLED": settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED, diff --git a/dojo/db_migrations/0205_alter_dojo_group_social_provider.py b/dojo/db_migrations/0205_alter_dojo_group_social_provider.py new file mode 100644 index 00000000000..320a1677bb1 --- /dev/null +++ b/dojo/db_migrations/0205_alter_dojo_group_social_provider.py @@ -0,0 +1,18 @@ +# Generated by Django 4.1.13 on 2024-03-18 16:35 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('dojo', '0204_jira_project_epic_issue_type_name'), + ] + + operations = [ + migrations.AlterField( + model_name='dojo_group', + name='social_provider', + field=models.CharField(blank=True, choices=[('AzureAD', 'AzureAD'), ('Remote', 'Remote'), ('Keycloak', 'Keycloak')], help_text='Group imported from a social provider.', max_length=10, null=True, verbose_name='Social Authentication Provider'), + ), + ] diff --git a/dojo/group/utils.py b/dojo/group/utils.py index 09ea0e79393..fa2b076afbf 100644 --- a/dojo/group/utils.py +++ b/dojo/group/utils.py @@ -3,8 +3,7 @@ from django.contrib.auth.models import Group from django.db.models.signals import post_delete, post_save from django.dispatch import receiver - -from dojo.models import Dojo_Group, Dojo_Group_Member, Role +from dojo.models import Dojo_Group, Dojo_Group_Member, Role, Dojo_User def get_auth_group_name(group, attempt=0): @@ -35,7 +34,7 @@ def group_post_save_handler(sender, **kwargs): group.auth_group = auth_group group.save() user = get_current_user() - if user and not settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS: + if user and isinstance(user, Dojo_User): # Add the current user as the owner of the group member = Dojo_Group_Member() member.user = user diff --git a/dojo/models.py b/dojo/models.py index 415bc6b4567..f421188bcf7 100644 --- a/dojo/models.py +++ b/dojo/models.py @@ -247,9 +247,11 @@ class UserContactInfo(models.Model): class Dojo_Group(models.Model): AZURE = 'AzureAD' REMOTE = 'Remote' + KEYCLOAK = 'Keycloak' SOCIAL_CHOICES = ( (AZURE, _('AzureAD')), (REMOTE, _('Remote')), + (KEYCLOAK, _('Keycloak')), ) name = models.CharField(max_length=255, unique=True) description = models.CharField(max_length=4000, null=True, blank=True) diff --git a/dojo/pipeline.py b/dojo/pipeline.py index 8f05d35d4c1..40da06b7d2d 100644 --- a/dojo/pipeline.py +++ b/dojo/pipeline.py @@ -6,6 +6,7 @@ import social_core.pipeline.user from django.conf import settings from social_core.backends.azuread_tenant import AzureADTenantOAuth2 +from social_core.backends.open_id_connect import OpenIdConnectAuth from social_core.backends.google import GoogleOAuth2 from dojo.authorization.roles_permissions import Permissions, Roles @@ -66,6 +67,25 @@ def modify_permissions(backend, uid, user=None, social=None, *args, **kwargs): pass +def update_keycloak_groups(backend, uid, user=None, social=None, *args, **kwargs): + if settings.KEYCLOAK_OAUTH2_ENABLED and settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS and isinstance(backend, OpenIdConnectAuth): + group_names = [] + if 'groups' not in kwargs['response'] or kwargs['response']['groups'] == "": + logger.warning("No groups in response. Stopping to update groups of user based on azureAD") + return + group_ids = kwargs['response']['groups'] + for group_from_response in group_ids: + if settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER == "" or re.search(settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER, group_from_response): + group_names.append(group_from_response) + else: + logger.debug("Skipping group " + group_from_response + " due to KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER " + settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER) + + if len(group_names) > 0: + assign_user_to_groups(user, group_names, 'Keycloak') + if settings.KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS: + cleanup_old_groups_for_user(user, group_names) + + def update_azure_groups(backend, uid, user=None, social=None, *args, **kwargs): if settings.AZUREAD_TENANT_OAUTH2_ENABLED and settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS and isinstance(backend, AzureADTenantOAuth2): # In some wild cases, there could be two social auth users diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 128c8057f1c..a1b3ea1e4ae 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -131,6 +131,9 @@ DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS=(bool, False), DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GROUPS_FILTER=(str, ''), DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS=(bool, True), + DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS=(bool, False), + DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS=(bool, True), + DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER=(str, ''), DD_SOCIAL_AUTH_GITLAB_OAUTH2_ENABLED=(bool, False), DD_SOCIAL_AUTH_GITLAB_PROJECT_AUTO_IMPORT=(bool, False), DD_SOCIAL_AUTH_GITLAB_PROJECT_IMPORT_TAGS=(bool, False), @@ -141,6 +144,7 @@ DD_SOCIAL_AUTH_GITLAB_API_URL=(str, 'https://gitlab.com'), DD_SOCIAL_AUTH_GITLAB_SCOPE=(list, ['read_user', 'openid']), DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED=(bool, False), + DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, ''), DD_SOCIAL_AUTH_KEYCLOAK_KEY=(str, ''), DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, ''), DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=(str, ''), @@ -489,7 +493,8 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param 'dojo.okta.OktaOAuth2', 'social_core.backends.azuread_tenant.AzureADTenantOAuth2', 'social_core.backends.gitlab.GitLabOAuth2', - 'social_core.backends.keycloak.KeycloakOAuth2', + # 'social_core.backends.keycloak.KeycloakOAuth2', + 'social_core.backends.open_id_connect.OpenIdConnectAuth', 'social_core.backends.github_enterprise.GithubEnterpriseOAuth2', 'dojo.remote_user.RemoteUserBackend', 'django.contrib.auth.backends.RemoteUserBackend', @@ -522,6 +527,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param 'social_core.pipeline.social_auth.load_extra_data', 'social_core.pipeline.user.user_details', 'dojo.pipeline.update_azure_groups', + 'dojo.pipeline.update_keycloak_groups', 'dojo.pipeline.update_product_access', ) @@ -583,13 +589,20 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param SOCIAL_AUTH_TRAILING_SLASH = env('DD_SOCIAL_AUTH_TRAILING_SLASH') KEYCLOAK_OAUTH2_ENABLED = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED') -SOCIAL_AUTH_KEYCLOAK_KEY = env('DD_SOCIAL_AUTH_KEYCLOAK_KEY') -SOCIAL_AUTH_KEYCLOAK_SECRET = env('DD_SOCIAL_AUTH_KEYCLOAK_SECRET') -SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = env('DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY') -SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL') -SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL') +SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env('DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT') +SOCIAL_AUTH_OIDC_KEY = env('DD_SOCIAL_AUTH_KEYCLOAK_KEY') +SOCIAL_AUTH_OIDC_SECRET = env('DD_SOCIAL_AUTH_KEYCLOAK_SECRET') SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT = env('DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT') +KEYCLOAK_TENANT_OAUTH2_GET_GROUPS = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS') +KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS') +KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER') + +# SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = env('DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY') +# SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL') +# SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL') + + GITHUB_ENTERPRISE_OAUTH2_ENABLED = env('DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_OAUTH2_ENABLED') SOCIAL_AUTH_GITHUB_ENTERPRISE_URL = env('DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_URL') SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL = env('DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL') diff --git a/dojo/templates/dojo/login.html b/dojo/templates/dojo/login.html index 55da0d7f7d5..42ac84368a7 100644 --- a/dojo/templates/dojo/login.html +++ b/dojo/templates/dojo/login.html @@ -88,7 +88,7 @@

{% trans "Login" %}

{% if KEYCLOAK_ENABLED is True %}
{% endif %} diff --git a/dojo/user/views.py b/dojo/user/views.py index c971d932c16..b0a0e6c1a8b 100644 --- a/dojo/user/views.py +++ b/dojo/user/views.py @@ -137,7 +137,7 @@ def login_view(request): elif settings.GITLAB_OAUTH2_ENABLED: social_auth = 'gitlab' elif settings.KEYCLOAK_OAUTH2_ENABLED: - social_auth = 'keycloak' + social_auth = 'oidc' elif settings.AUTH0_OAUTH2_ENABLED: social_auth = 'auth0' elif settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED: From 2f628d12b98bfe41e8eff72e23418b96864516d3 Mon Sep 17 00:00:00 2001 From: Lars Meijers Date: Tue, 23 Apr 2024 17:29:02 +0200 Subject: [PATCH 2/5] removed unused settings and made note to show that --- docs/content/en/integrations/social-authentication.md | 2 +- dojo/context_processors.py | 6 +++--- ...vider.py => 0210_alter_dojo_group_social_provider.py} | 2 +- dojo/settings/settings.dist.py | 9 --------- 4 files changed, 5 insertions(+), 14 deletions(-) rename dojo/db_migrations/{0205_alter_dojo_group_social_provider.py => 0210_alter_dojo_group_social_provider.py} (90%) diff --git a/docs/content/en/integrations/social-authentication.md b/docs/content/en/integrations/social-authentication.md index a7cafe38067..c6a3b21a944 100644 --- a/docs/content/en/integrations/social-authentication.md +++ b/docs/content/en/integrations/social-authentication.md @@ -266,7 +266,7 @@ Follow along below. 5. Restart DefectDojo, and you should now see a **Login with Gitlab** button on the login page. -## Keycloak +## Keycloak !!Needs to be updated!! There is also an option to use Keycloak as OAuth2 provider in order to authenticate users to Defect Dojo, also by using the social-auth plugin. diff --git a/dojo/context_processors.py b/dojo/context_processors.py index 9da80ff0b8e..cc3f8ad3cb2 100644 --- a/dojo/context_processors.py +++ b/dojo/context_processors.py @@ -17,9 +17,9 @@ def globalize_vars(request): "AZUREAD_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS, "AZUREAD_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER, "AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS, - "KEYCLOAK_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS, - "KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER, - "KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS, + "KEYCLOAK_TENANT_OAUTH2_GET_GROUPS": settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS, + "KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER": settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER, + "KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS": settings.KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS, "KEYCLOAK_ENABLED": settings.KEYCLOAK_OAUTH2_ENABLED, "SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT, "GITHUB_ENTERPRISE_ENABLED": settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED, diff --git a/dojo/db_migrations/0205_alter_dojo_group_social_provider.py b/dojo/db_migrations/0210_alter_dojo_group_social_provider.py similarity index 90% rename from dojo/db_migrations/0205_alter_dojo_group_social_provider.py rename to dojo/db_migrations/0210_alter_dojo_group_social_provider.py index 320a1677bb1..a919da4e7b0 100644 --- a/dojo/db_migrations/0205_alter_dojo_group_social_provider.py +++ b/dojo/db_migrations/0210_alter_dojo_group_social_provider.py @@ -6,7 +6,7 @@ class Migration(migrations.Migration): dependencies = [ - ('dojo', '0204_jira_project_epic_issue_type_name'), + ('dojo', '0209_alter_finding_severity'), ] operations = [ diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index a1b3ea1e4ae..cedaa6be505 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -147,9 +147,6 @@ DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, ''), DD_SOCIAL_AUTH_KEYCLOAK_KEY=(str, ''), DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, ''), - DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=(str, ''), - DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL=(str, ''), - DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL=(str, ''), DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT=(str, 'Login with Keycloak'), DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_OAUTH2_ENABLED=(bool, False), DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_URL=(str, ''), @@ -493,7 +490,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param 'dojo.okta.OktaOAuth2', 'social_core.backends.azuread_tenant.AzureADTenantOAuth2', 'social_core.backends.gitlab.GitLabOAuth2', - # 'social_core.backends.keycloak.KeycloakOAuth2', 'social_core.backends.open_id_connect.OpenIdConnectAuth', 'social_core.backends.github_enterprise.GithubEnterpriseOAuth2', 'dojo.remote_user.RemoteUserBackend', @@ -598,11 +594,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS') KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER') -# SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = env('DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY') -# SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL') -# SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL') - - GITHUB_ENTERPRISE_OAUTH2_ENABLED = env('DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_OAUTH2_ENABLED') SOCIAL_AUTH_GITHUB_ENTERPRISE_URL = env('DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_URL') SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL = env('DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL') From c463d7d117135d9a4586ca8cb770b08078242497 Mon Sep 17 00:00:00 2001 From: Lars Meijers Date: Wed, 24 Apr 2024 09:02:06 +0200 Subject: [PATCH 3/5] reverted and amended the groups check --- .../en/integrations/social-authentication.md | 48 ++++++++----------- ... 0213_alter_dojo_group_social_provider.py} | 2 +- dojo/group/utils.py | 5 +- dojo/pipeline.py | 2 +- 4 files changed, 25 insertions(+), 32 deletions(-) rename dojo/db_migrations/{0210_alter_dojo_group_social_provider.py => 0213_alter_dojo_group_social_provider.py} (88%) diff --git a/docs/content/en/integrations/social-authentication.md b/docs/content/en/integrations/social-authentication.md index c6a3b21a944..95bd11dc027 100644 --- a/docs/content/en/integrations/social-authentication.md +++ b/docs/content/en/integrations/social-authentication.md @@ -266,8 +266,8 @@ Follow along below. 5. Restart DefectDojo, and you should now see a **Login with Gitlab** button on the login page. -## Keycloak !!Needs to be updated!! -There is also an option to use Keycloak as OAuth2 provider in order to authenticate users to Defect Dojo, also by using +## Keycloak +There is also an option to use Keycloak as OAuth2/OIDC provider in order to authenticate users to Defect Dojo, also by using the social-auth plugin. Here are suggestion on how to configure Keycloak and DefectDojo: @@ -279,53 +279,44 @@ Here are suggestion on how to configure Keycloak and DefectDojo: * Set `access type` to `confidential` * Under `valid Redirect URIs`, add the URI to your defect dojo installation, e.g. 'https:///*' * Under `web origins`, add the same (or '+') - * Under `Fine grained openID connect configuration` -> `user info signed response algorithm`: set to `RS256` - * Under `Fine grained openID connect configuration` -> `request object signature algorithm`: set to `RS256` * -> save these settings in keycloak (hit save button) -3. Under `Scope` -> `Full Scope Allowed` set to `off` -4. Under `mappers` -> add a custom mapper here: - * Name: `aud` - * Mapper type: `audience` - * Included audience: select your client/client-id here - * Add ID to token: `off` - * Add access to token: `on` -5. Under `credentials`: copy the secret (and use as DD_SOCIAL_AUTH_KEYCLOAK_SECRET below) -6. In your realm settings -> keys: copy the "Public key" (signing key) (use for DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY below) -7. In your realm settings -> general -> endpoints: look into openId endpoint configuration - and look up your authorization and token endpoint (use them below) +3. In your realm settings -> general -> endpoints: look into openId endpoint configuration + and use the url below for the `DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT` property (you can remove the `/.well-known/openid-configuration` part as its standard and the python library adds it) ### Configure Defect Dojo Edit the settings (see [Configuration]({{< ref "/getting_started/configuration" >}})) with the following information: {{< highlight python >}} - DD_SESSION_COOKIE_SECURE=True, - DD_CSRF_COOKIE_SECURE=True, - DD_SECURE_SSL_REDIRECT=True, DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED=True, - DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=(str, ''), + DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT="" DD_SOCIAL_AUTH_KEYCLOAK_KEY=(str, ''), - DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, ''), - DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL=(str, ''), - DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL=(str, '') + DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, ''), {{< /highlight >}} or, alternatively, for helm configuration, add this to the `extraConfig` section: ``` -DD_SESSION_COOKIE_SECURE: 'True' -DD_CSRF_COOKIE_SECURE: 'True' -DD_SECURE_SSL_REDIRECT: 'True' DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED: 'True' -DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: '' +DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT="" DD_SOCIAL_AUTH_KEYCLOAK_KEY: '' DD_SOCIAL_AUTH_KEYCLOAK_SECRET: '' -DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: '' -DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: '' ``` Optionally, you *can* set `DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT` in order to customize the login button's text caption. +### Syncing groups from Keycloak to Defectdojo +It is also possible to sync groups from Keycloak into Defectdojo, for this you will first need to configure a `client scope` which enables the groups of your users to be included +into the authentication tokens of your users. Keycloak provides a `Groups` mapper specifically for this purpose. + +After enabling the `Groups` mapper you can configure Defectdojo to sync these groups with the following properties: + +``` +DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS: "True" +DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS: "True" +DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER: "" +``` + ## GitHub Enterprise 1. Navigate to your GitHub Enterprise Server and follow instructions to create a new OAuth App [https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app](https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app) 2. Choose a name for your application @@ -448,6 +439,7 @@ Some Identity Providers are able to send list of groups to which should user bel - [Azure](#automatic-import-of-user-groups): Check `DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS` and `DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS` - [RemoteUser](#remoteuser): Check `DD_AUTH_REMOTEUSER_GROUPS_HEADER` and `DD_AUTH_REMOTEUSER_GROUPS_CLEANUP` +- [Keycloak](#Syncing-groups-from-Keycloak-to-Defectdojo) Check `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS` and `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS` ## Login speed-up diff --git a/dojo/db_migrations/0210_alter_dojo_group_social_provider.py b/dojo/db_migrations/0213_alter_dojo_group_social_provider.py similarity index 88% rename from dojo/db_migrations/0210_alter_dojo_group_social_provider.py rename to dojo/db_migrations/0213_alter_dojo_group_social_provider.py index a919da4e7b0..991908fa3f8 100644 --- a/dojo/db_migrations/0210_alter_dojo_group_social_provider.py +++ b/dojo/db_migrations/0213_alter_dojo_group_social_provider.py @@ -6,7 +6,7 @@ class Migration(migrations.Migration): dependencies = [ - ('dojo', '0209_alter_finding_severity'), + ('dojo', '0212_sla_configuration_enforce_critical_and_more'), ] operations = [ diff --git a/dojo/group/utils.py b/dojo/group/utils.py index fa2b076afbf..1d690aefb17 100644 --- a/dojo/group/utils.py +++ b/dojo/group/utils.py @@ -3,7 +3,8 @@ from django.contrib.auth.models import Group from django.db.models.signals import post_delete, post_save from django.dispatch import receiver -from dojo.models import Dojo_Group, Dojo_Group_Member, Role, Dojo_User + +from dojo.models import Dojo_Group, Dojo_Group_Member, Role def get_auth_group_name(group, attempt=0): @@ -34,7 +35,7 @@ def group_post_save_handler(sender, **kwargs): group.auth_group = auth_group group.save() user = get_current_user() - if user and isinstance(user, Dojo_User): + if user and not settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS and not settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS: # Add the current user as the owner of the group member = Dojo_Group_Member() member.user = user diff --git a/dojo/pipeline.py b/dojo/pipeline.py index 40da06b7d2d..b3cbc4437f4 100644 --- a/dojo/pipeline.py +++ b/dojo/pipeline.py @@ -6,8 +6,8 @@ import social_core.pipeline.user from django.conf import settings from social_core.backends.azuread_tenant import AzureADTenantOAuth2 -from social_core.backends.open_id_connect import OpenIdConnectAuth from social_core.backends.google import GoogleOAuth2 +from social_core.backends.open_id_connect import OpenIdConnectAuth from dojo.authorization.roles_permissions import Permissions, Roles from dojo.models import Dojo_Group, Dojo_Group_Member, Product, Product_Member, Product_Type, Role From 1d29d07d0a505c4ad650b1a3f4f6842e05737051 Mon Sep 17 00:00:00 2001 From: Lars Meijers Date: Fri, 24 May 2024 08:13:52 +0200 Subject: [PATCH 4/5] updated readme --- docs/content/en/integrations/social-authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/en/integrations/social-authentication.md b/docs/content/en/integrations/social-authentication.md index 95bd11dc027..dcc53a19825 100644 --- a/docs/content/en/integrations/social-authentication.md +++ b/docs/content/en/integrations/social-authentication.md @@ -307,7 +307,7 @@ Optionally, you *can* set `DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT` in order t ### Syncing groups from Keycloak to Defectdojo It is also possible to sync groups from Keycloak into Defectdojo, for this you will first need to configure a `client scope` which enables the groups of your users to be included -into the authentication tokens of your users. Keycloak provides a `Groups` mapper specifically for this purpose. +into the authentication tokens of your users. Keycloak provides a `Groups` `Token mapper` specifically for this purpose. After enabling the `Groups` mapper you can configure Defectdojo to sync these groups with the following properties: @@ -318,7 +318,7 @@ DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER: "" ``` ## GitHub Enterprise -1. Navigate to your GitHub Enterprise Server and follow instructions to create a new OAuth App [https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app](https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app) +1. Navigate to your GitHub Enterprise Server and follow instructions to create a new OAuth App [https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app](https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app) 2. Choose a name for your application 3. For the Redirect URI, enter the DefectDojo URL with the following format From 679a1679dc4c13c4ee84bc787c4139281d2e8857 Mon Sep 17 00:00:00 2001 From: Lars Meijers Date: Tue, 28 May 2024 14:06:25 +0200 Subject: [PATCH 5/5] update the hash --- dojo/settings/.settings.dist.py.sha256sum | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index 146a46f0b48..53afeedac5a 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -f23b780905f138f168436a6579b45a1ccaa0deb35e6b11b1e9169f13266e4bb0 +530c28be2efca480e9b8ec7dbf9481a5f35987f1fe5c8e9b5e21daff15cbccb1