21 Commits

Author SHA1 Message Date
Benjamin Lasseye cb74c8c08f Add TOTP support
This patch adds support for MFA TOTP on openstack dashboard.
A new configuration variable OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
was added, false by default.
If enabled, users needing TOTP are prompted with a new form.
keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
Demonstration video: https://youtu.be/prDJJdFoMpM

Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff
Blueprint: #totp-support
Closes-Bug: #2030477
2023-08-18 12:02:25 +00:00
Zuul dd9e4c82b5 Merge "Address RemovedInDjango40Warning (2)" 2022-03-03 10:14:04 +00:00
Radomir Dopieralski 88dd887ad3 Fix getting defaults from cookie for region field in password form
Since the normal form doesn't have a request attribute, we have to
pass the initial value for the region from the view.

Change-Id: Icea647ad13718b74528922f362ad665be1392e9b
Closes-bug: #1957926
2022-02-04 18:08:42 +01:00
Akihiro Motoki cd7c1b5110 Address RemovedInDjango40Warning (2)
django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(),
ungettext(), and ungettext_lazy() are deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext(),
gettext_lazy(), gettext_noop(), ngettext(), and ngettext_lazy().

https://docs.djangoproject.com/en/4.0/releases/3.0/#id3

Change-Id: I77878f84e9d10cf6a136dada81eabf4e18676250
2022-02-04 16:22:07 +09:00
Tatiana Ovchinnikova b09e5b303c Move "Domain" field under "User Name" and "Password"
Autofocus on the login screen now is on the first field. It's either
"User Name" or "Domain" with multidomain support. However it appears
to be more convenient to keep the focus on "User Name" whether there
is multidomain support or not. Also "Domain" is pre-filled with the
last domain used, so often there's no need to change it.

This patch moves "Domain" field under "User Name" and "Password" and
keeps autofocus always on "User Name".

Closes-Bug: #1916958

Change-Id: I590ce3a5cbaa0ebb470228a7114a60ff89467835
2021-03-10 13:50:36 -06:00
Akihiro Motoki e5d09edc20 Use python3-style super()
In python3, super() does not always require a class and self reference.
In other words, super() is enough for most cases.
This is much simpler and it is time to switch it to the newer style.

pylint provides a check for this.
Let's enable 'super-with-arguments' check.

NOTE: _prepare_mappings() method of FormRegion in
openstack_dashboard/test/integration_tests/regions/forms.py is refactored.
super() (without explicit class and self reference) does not work when
a subclass method calls the same method in a parent class multiple times.
It looks better to prepare a separate method to provide a common logic.

Change-Id: Id9512a14be9f20dbd5ebd63d446570c7b7c825ff
2020-10-15 14:37:20 +09:00
Zuul 49df5cffd8 Merge "Avoid stripping leading/trailing spaces in password forms" 2020-09-03 16:41:24 +00:00
Radomir Dopieralski 6ffeb3caba Fix template lookup errors on the login page
This patch makes sure that all the variables and attributes that the
login page templates use are always defined, to avoid annoying lookup
errors in the logs.

There is still an error about request.COOKIES.logout_reason because
I'm not entirely sure how to best handle that one.

Change-Id: I692ea70bc09b819b39587f5bd6cb4e729731754f
2020-05-18 16:05:11 +02:00
Ivan Kolodyazhny ee6fa9a245 Remove Keystone v2 related code
Keystone V2 support was removed in Train, so it's safe to do such cleanup.

* Functions which just return horizon settings are dropped and
  the settings are referred directly now.
* The service catalog in the sample test data is updated to match
  the format of the keystone API v3.
* Related to the above change of the sample service catalog,
  openstack_dashboard.test.unit.api.test_keystone.ServiceAPITests is
  updated to specify the region name explicitly because 'RegionTwo'
  endpoint is no longer the second entry of the endpoint list in the
  keystone API v3.

Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Ib60f360c96341fa5c618595f4a9bfdfe7ec5ae83
2020-04-23 11:43:12 +09:00
Akihiro Motoki 6a07f5a5b4 Avoid stripping leading/trailing spaces in password forms
There are cases where leading/trailing spaces are included in passwords.
We should not touch passwords input in forms and pass them to auth
backends without any modifications. The detail was discussed in
the mailing list thread [1] referred to in the bug comment.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-January/thread.html#12223

Change-Id: I98de224cc77a98fa216ec3bc032412325e661e14
Closes-Bug: #1861224
2020-02-05 14:41:49 +09:00
Ivan Kolodyazhny c0cc0433c6 Fix change expired password feature
Closes-Bug: #1791111
Change-Id: I5f2a027149be490613e7661b895325a63374334d
2019-12-05 13:56:23 +00:00
Radomir Dopieralski 9d98a0c24d Automatically redirect to the password change when it's expired
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.

I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).

Partially implements blueprint: allow-users-change-expired-password

Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
2019-09-16 12:45:23 +02:00
Radomir Dopieralski ceb221f6ac Add a view for changing user password while not logged in
Keystone's API for changing the user password doesn't require
authentication, so we can have a page that doesn't require it too.
In order to change the password, the user has to provide their old
password. This is needed for when the password is expired or when
it has to be changed on first use.

The next step will be adding a redirect to this page when a password
is expired or required to be changed.

Part of blueprint: allow-users-change-expired-password
Change-Id: I3b207ef6c5a3095022a2acb64d3988e127f0f49a
2019-09-13 00:03:08 +09:00
Akihiro Motoki e56e076ea8 Define default settings explicitly (openstack_auth)
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.

Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.

Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
2019-09-12 15:05:56 +09:00
Stephen Finucane b9e374d095 trivial: Remove dead code
We only support Django >= 1.11 now. Who cares about Django < 1.7.

Change-Id: I3576b921b976ef9e5bb1561bda85348112e4b6e8
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2019-09-11 07:28:07 +09:00
Radomir Dopieralski 1953c689e8 Properly calculate auth_url for WEBSSO from POST data
The redirect for WEBSSO takes its data directly from the request's
POST data, and the format of that data has changed, so now we need
to convert it for it to work correctly.

Change-Id: I5b18e555a9bc6b24be1e59465f07e73e99739e22
closes-bug: #1794710
2018-10-31 14:49:06 +01:00
Radomir Dopieralski 16c4f4c3a2 Don't expose endpoint URLs in the login form
Instead of using endpoint URLs to designate regions in the login
form and its cookies, use numbers. This way, if internal URLs are
configured, they won't be exposed to the outside.

Change-Id: Ifed089e7cee3075bf2dc5d1ce77b0e1b1d091ca0
Closes-bug: #1787943
2018-08-21 13:32:26 +02:00
Qian Min Chen 2fa872aac2 Remove the redundant "required=True"
The django form field default is "required=True", so this patch
removes the redundant "required=True" in the form.

Change-Id: I3d91ae0638b69d56c1f1b72913ee4995db249007
2018-07-23 09:42:41 +08:00
Trygve Vea b41402ef26 Add user_domain_name to logs regarding authentication
The user domain name is useful information when troubleshooting
authentication in OpenStack-installations with multiple domains.

Change-Id: I1cecd36bfafd7bdf9a9c68d2311fa5ff96272f36
2017-11-24 21:12:23 +00:00
Colleen Murphy 63d7146882 Don't add required attribute to html form fields
(cherry picked from commit 1fa9ae26cc6006f8ee94fabddb7fea171adee55d
 in django_openstack_auth)

In Django 1.10 a new Form property was introduced, defaulting to True,
which enabled HTML form validation for fields marked "required" in
Django. This changed old behavior, which was that required fields were
only validated server-side. This patch restores old behavior by setting
use_required_attribute to False for the inherited AuthenticationForm.

This problem arose because when WebSSO is enabled and a
non-keystone-credentials authentication method is selected from the
dropdown list, the now-hidden username and password fields are still
marked "required" and still validated client-side, even though they are
invisible to the user and cannot be filled in. It would be nice to fix
the javascript to properly turn the "required" attribute on or off
depending on what authentication method is selected and whether the
"required" fields are even visible, but for now this just restores the
behavior we had before Django 1.10.

Change-Id: I3e798a2288d9c33396b40a86b07ea8c163d3b525
Closes-bug: #1703109
2017-11-13 13:58:25 +00:00
Rob Cresswell e3e5812b19 Add Django OpenStack Auth to Horizon
Moves Django OpenStack Auth content to Horizon, since they are so
tightly coupled. This cleans up the development workflow and should
make keystone / auth related contributions easier.

Implements: blueprint merge-openstack-auth
Change-Id: Ia1cdc47bad1ca6e633073a9f9445b0c7f70d05bc
2017-09-27 12:06:57 +01:00