ansible / django-ansible-base

Apache License 2.0

Handle system user login via external source #502

Closed trucdg closed 1 month ago

trucdg commented 2 months ago

Description:

This PR:

Steps to test:

  1. Enable the testing authenticator in container-startup.yml
  2. Create a user with username _system by adding the appropriate configuration for the _system user in the following files:

    • LDAP: in /aap-gateway/tools/ansible/roles/ldap/files/ldap.ldif (remember to ensure the user passes the allow map policy)
    • Radius: in /aap-gateway/tools/ansible/roles/radius/defaults/main.yml
    • Keycloak: log in to Keycloak via port 8443 with credentials (usr:admin, pw:admin), create a new _system user through the Users tab

  3. Log in using the _system credentials

    • LDAP + Radius: log in via port 8800 /api/gateway/v1/login/
    • Keycloak: navigate to /api/gateway/v1/ui_auth, choose the corresponding login_url for SAML/OIDC

  4. Confirm that the response is 403 - Forbidden and there is a warning in the logger.

    To see the 403 Permission Denied page, you need AAP-PR#442.

sonarcloud[bot] commented 1 month ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud