WeblateOrg / weblate

Web based localization tool with tight version control integration.
https://weblate.org/
GNU General Public License v3.0

Social Auth domain whitelisting not supported in Docker #3882

Closed sietevecesmal closed 4 years ago

sietevecesmal commented 4 years ago

Describe the bug
It is not possible to whitelist domains using the WEBLATE_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS environment variable.

To Reproduce
Adding WEBLATE_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS: ['domain.com'] to the Docker environment variables still allows users with other domains to sign in to Weblate.

I already tried SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS as well, just in case.

Expected behavior
As shown here, an AuthForbidden error is expected to be raised for users not in the domain.com domain.

Server configuration and status

weblate@weblate-67fb8f7d9-tl6l2:/$ weblate list_versions
 * Weblate: 4.0.4
 * Django: 3.0.6
 * siphashc: 1.3
 * Whoosh: 2.7.4
 * translate-toolkit: 2.5.1
 * lxml: 4.3.2
 * Pillow: 7.1.2
 * bleach: 3.1.5
 * python-dateutil: 2.8.1
 * social-auth-core: 3.3.3
 * social-auth-app-django: 3.1.0
 * django-crispy-forms: 1.9.0
 * oauthlib: 3.1.0
 * django-compressor: 2.4
 * djangorestframework: 3.11.0
 * django-appconf: 1.0.4
 * user-agents: 2.1
 * filelock: 3.0.12
 * setuptools: 40.8.0
 * jellyfish: 0.7.2
 * openpyxl: 3.0.1
 * celery: 4.4.2
 * kombu: 4.6.8
 * translation-finder: 2.0
 * html2text: 2020.1.16
 * pycairo: 1.16.2
 * pygobject: 3.30.4
 * diff-match-patch: 20181111
 * requests: 2.23.0
 * django-redis: 4.11.0
 * hiredis: 1.0.1
 * sentry_sdk: 0.14.3
 * Cython: 0.29.17
 * misaka: 2.1.1
 * GitPython: 3.1.2
 * borgbackup: 1.1.11
 * Python: 3.7.3
 * Git: 2.20.1
 * psycopg2: 2.7.7
 * phply: 1.2.5
 * chardet: 3.0.4
 * ruamel.yaml: 0.16.10
 * tesserocr: 2.5.1
 * akismet: 1.1
 * boto3: 1.13.4
 * zeep: 3.4.0
 * aeidon: 1.7.0
 * Mercurial: 5.4
 * git-svn: 2.20.1
 * git-review: 1.28.0
 * Database backends: django.db.backends.postgresql
 * Cache backends: default:RedisCache, avatar:FileBasedCache
 * Email setup: django.core.mail.backends.smtp.EmailBackend: localhost
 * OS encoding: filesystem=utf-8, default=utf-8
 * Celery: redis://eu01-infra01-weblate.redis.local.vpc:6379/1, redis://eu01-infra01-weblate.redis.local.vpc:6379/1, regular
 * Platform: Linux 4.14.171-136.231.amzn2.x86_64 (x86_64)
weblate@weblate-67fb8f7d9-tl6l2:/$ weblate check --deploy
SystemCheckError: System check identified some issues:

CRITICALS:
?: (weblate.E003) Cannot send e-mail ([Errno 99] Cannot assign requested address), please check EMAIL_* settings.
    HINT: https://docs.weblate.org/en/weblate-4.0.4/admin/install.html#out-mail

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-4.0.4/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-4.0.4/admin/backup.html
nijel commented 4 years ago

There is currently no such variable as WEBLATE_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS, see https://docs.weblate.org/en/latest/admin/install/docker.html#google

sietevecesmal commented 4 years ago

And in that case, how could I whitelist domains? Security-wise, I should be able to restrict Google SSO to my company's domain.

Thanks for your quick response!

nijel commented 4 years ago

You currently cannot do this in Docker, patches are welcome.

Related code is here:

https://github.com/WeblateOrg/weblate/blob/d5b11c3e67e2027bfe43b36e042ad50957d4efa0/weblate/settings_docker.py#L246-L254
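
The two points the thread turns on are how a Docker environment variable becomes the SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS setting, and what that setting actually enforces once it is set (the AuthForbidden the reporter expected). The block below is an added illustration, not code from Weblate or from social-auth-core: it assumes the Weblate Docker convention of prefixing a Django setting with WEBLATE_ and passing list values as comma-separated strings, uses a stand-in AuthForbidden class so it runs offline, and reproduces the whitelist semantics of social-auth-core's BaseAuth.auth_allowed() (case-insensitive, exact domain match, an empty whitelist allows everyone). The pipeline-style enforce_whitelist() step is deliberately one notch stricter than the library, as noted in its docstring. The function names get_env_list, settings_from_env and enforce_whitelist are mine, chosen for the example.

```python
import os
from typing import Dict, Iterable, List, Mapping, Optional


class AuthForbidden(Exception):
    """Stand-in for social_core.exceptions.AuthForbidden so the example runs
    without social-auth-core installed (hypothetical class, same meaning)."""


def get_env_list(name: str, default: Optional[Iterable[str]] = None,
                 env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Parse a comma-separated Docker environment variable into a list.

    Assumption: list-valued WEBLATE_* variables are passed as comma-separated
    strings ("a.example,b.example"). A YAML/Python literal such as
    "['domain.com']" is NOT parsed; it becomes one entry, brackets included,
    which can never equal a real domain, so the whitelist silently matches
    nobody.
    """
    source = os.environ if env is None else env
    raw = source.get(name)
    if raw is None:
        return list(default or [])
    return [item.strip() for item in raw.split(",") if item.strip()]


def settings_from_env(env: Optional[Mapping[str, str]] = None) -> Dict[str, List[str]]:
    """What a settings_docker.py entry for these two options would produce
    (assumed shape; WEBLATE_ prefix follows the Weblate Docker convention)."""
    return {
        "SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS": get_env_list(
            "WEBLATE_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS", env=env
        ),
        "SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS": get_env_list(
            "WEBLATE_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS", env=env
        ),
    }


def auth_allowed(email: Optional[str], whitelisted_domains: Iterable[str],
                 whitelisted_emails: Iterable[str] = ()) -> bool:
    """Whitelist semantics as in social-auth-core's BaseAuth.auth_allowed():
    - no whitelist configured -> everyone is allowed (the open state the
      reporter observed);
    - otherwise the lower-cased address must be listed, or its domain must
      equal a listed domain exactly (sub.example.com != example.com);
    - a missing e-mail is allowed by the library; enforce_whitelist() below
      handles that case more strictly.
    """
    domains = {d.lower() for d in whitelisted_domains}
    emails = {e.lower() for e in whitelisted_emails}
    if not email or not (domains or emails):
        return True
    email = email.lower()
    domain = email.split("@", 1)[1] if "@" in email else ""
    return email in emails or domain in domains


def enforce_whitelist(details: Dict[str, Optional[str]],
                      settings: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Pipeline-style step: raise AuthForbidden for users outside the
    whitelist. Deliberately stricter than the library in one respect: when a
    whitelist is configured, a provider response without an e-mail is
    rejected rather than passed through, so an omitted address cannot
    bypass the restriction."""
    domains = settings.get("SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS", [])
    emails = settings.get("SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS", [])
    email = details.get("email")
    if (domains or emails) and not email:
        raise AuthForbidden("no e-mail in provider response")
    if not auth_allowed(email, domains, emails):
        raise AuthForbidden(f"{email} is not in the whitelisted domains")
    return details


if __name__ == "__main__":
    # Constructed input: the value the reporter's deployment should have set.
    cfg = settings_from_env(
        {"WEBLATE_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS": "domain.com"}
    )
    for addr in ("alice@domain.com", "Bob@DOMAIN.com", "eve@gmail.com", "x@sub.domain.com"):
        try:
            enforce_whitelist({"email": addr}, cfg)
            print(addr, "allowed")
        except AuthForbidden as exc:
            print(addr, "forbidden:", exc)
```

Two checks worth running on a real deployment: confirm the setting is non-empty from inside the container (an unset or unparseable value leaves sign-in open to any Google account rather than failing closed), and test with an address on a subdomain of the company domain, which this exact-match logic rejects by design.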

sietevecesmal commented 4 years ago

Cool, pull request created. Thanks!

github-actions[bot] commented 4 years ago

Thank you for your report, the issue you have reported has just been fixed.

sietevecesmal commented 4 years ago

Hi! Is it possible this still isn't in the edge image? Because it still ignores the domain whitelist. In that case, do you have an ETA? Thanks for your time.

nijel commented 4 years ago

It will be part of the 4.1 release, there is currently no plan to point release before that.

sietevecesmal commented 4 years ago

Cool, thanks!