data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0

Help needed: Get this running on CKAN 2.9.9 #63

Closed BWibo closed 7 months ago

BWibo commented 1 year ago

Hey there,

Thanks for this great extension. I'm currently trying to get this running on CKAN 2.9.9, but I'm facing a couple of issues. I have the extension successfully installed, and the database migration was completed successfully. I can launch CKAN and log in using username & password, but I'm not prompted for 2FA setup on first login. I can do the setup by navigating to the user config page. This seems to work, but no QR code is displayed. I need to enter the token manually in the 2FA app. Testing a code is confirmed to work.

Patch flask_app.py and pylons_app.py

From what is described in ckanext-security.patch, I created these two files. The changes are the same as in the patch, just shifted by a couple of lines. Can you confirm that this is correct:

who.ini

Based on the documentation, I'm not entirely sure how to get this right. I tried to derive a working who.ini from the original CKAN 2.9.9 one and the docs. Below is what I ended up with. This gives me the behavior described above.

Can you please give some guidance how to configure this correctly:

[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True

[plugin:auth_tkt]
use = ckan.lib.repoze_plugins.auth_tkt:make_plugin
# If no secret key is defined here, beaker.session.secret will be used
#secret = somesecret

[plugin:friendlyform]
use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
login_form_url= /user/login
login_handler_path = /login_generic
logout_handler_path = /user/logout
rememberer_name = use_beaker
post_login_url = /user/logged_in
post_logout_url = /user/logged_out
charset = utf-8

[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider

[identifiers]
plugins =
    friendlyform;browser
    use_beaker

[authenticators]
plugins =
    auth_tkt
    ckan.lib.authenticator:UsernamePasswordAuthenticator
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth

[challengers]
plugins =
    friendlyform;browser

Logs

From the CKAN logs I get this:

2023-09-04 13:21:41,367 ERROR [ckan.lib.webassets_tools] Trying to include unknown asset: <security/mfa_configure>

Should I be worried about this? How do I fix that?

This is it for now. Thanks in advance for any support on this!

markstuart commented 11 months ago

Hi @BWibo

In our implementation (CKAN 2.9.8) this is the who.ini file config:

[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True

[plugin:friendlyform]
use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
login_form_url= /user/login
login_handler_path = /login_generic
logout_handler_path = /user/logout
rememberer_name = use_beaker
post_login_url = /user/logged_in
post_logout_url = /user/logged_out
charset = utf-8

[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider

[identifiers]
plugins =
    friendlyform;browser
    use_beaker

[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth

[challengers]
plugins =
    friendlyform;browser

The issue with the QR code not displaying will be related to that error message in the logs. The mfa_configure file should be rendered by the ckan webassets pipeline and be available for request by the templates. It doesn't seem like that is happening in your case however?

This is likely the reason that you're not seeing the mfa challenge on the login page as well, as it uses javascript to override the form submission behaviour.

You should be able to see some script tags near the bottom of the body on the login page like these:

<script src="/webassets/webassets-external/54068721e204466fdd6561cabd04cca8_qrious.js" type="text/javascript"></script>
<script src="/webassets/webassets-external/204a98d1dce0cdc48a598deae34d8640_login_ajax.js" type="text/javascript"></script>

markstuart commented 11 months ago

Also, you'll want to remove ckan.lib.authenticator:UsernamePasswordAuthenticator from your who.ini authenticators, as I'm pretty sure that's what is allowing you to bypass the 2fa on the login page
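
The point made in this comment, as an added example that is not code from ckanext-security, CKAN or repoze.who: a small Python model of how repoze.who runs the [authenticators] chain from who.ini. What the model takes from repoze.who is the plugin interface (each authenticator exposes authenticate(environ, identity) and returns a user id or None) and the rule that plugins are tried in who.ini order with the first user id winning. The plugin stand-ins are assumptions: the plain password plugin models ckan.lib.authenticator:UsernamePasswordAuthenticator accepting username and password alone, the ckanext.security authenticators are modelled as refusing a form login that lacks a valid second factor (the behaviour this thread relies on, not a transcription of their real code), and the session plugins return None on a fresh form login. The user record and the two who.ini fragments are constructed sample data taken from the configs posted above.

```python
"""Model of a repoze.who [authenticators] chain (added example, not project code).

Follows repoze.who: authenticate(environ, identity) -> user id or None, plugins
tried in who.ini order, first user id wins.  Everything else is a stand-in.
"""
import configparser
from typing import Optional

# Constructed sample account; the MFA code is a fixed stand-in for a TOTP.
USERS = {"alice": {"password": "correct horse", "mfa_code": "123456"}}


def _password_ok(identity: dict) -> bool:
    user = USERS.get(identity.get("login"))
    return bool(user) and identity.get("password") == user["password"]


class PasswordOnly:
    """Stand-in for a plugin that accepts username + password alone."""

    def authenticate(self, environ, identity) -> Optional[str]:
        return identity["login"] if _password_ok(identity) else None


class PasswordPlusMfa:
    """Stand-in (assumption) for a plugin that also demands the second factor."""

    def authenticate(self, environ, identity) -> Optional[str]:
        if not _password_ok(identity):
            return None
        expected = USERS[identity["login"]]["mfa_code"]
        return identity["login"] if identity.get("mfa") == expected else None


class SessionOnly:
    """Stand-in for cookie/session plugins: nothing to say on a fresh form login."""

    def authenticate(self, environ, identity) -> Optional[str]:
        return identity.get("session_userid")


# Assumed mapping from who.ini plugin names to the stand-ins above (not real plugin code).
PLUGIN_MODELS = {
    "ckan.lib.authenticator:UsernamePasswordAuthenticator": PasswordOnly(),
    "ckanext.security.authenticator:CKANLoginThrottle": PasswordPlusMfa(),
    "ckanext.security.authenticator:BeakerRedisAuth": SessionOnly(),
    "auth_tkt": SessionOnly(),
}


def authenticator_chain(who_ini: str) -> list:
    """Return the [authenticators] plugins in the order who.ini lists them."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(who_ini)
    raw = cfg.get("authenticators", "plugins")
    # configparser keeps the indented continuation lines; one plugin per line.
    return [line.strip() for line in raw.splitlines() if line.strip()]


def run_chain(chain: list, identity: dict) -> Optional[str]:
    """repoze.who semantics: the first plugin returning a user id wins."""
    environ = {}
    for name in chain:
        plugin = PLUGIN_MODELS.get(name, SessionOnly())
        userid = plugin.authenticate(environ, identity)
        if userid is not None:
            return userid
    return None


def mfa_can_be_bypassed(who_ini: str) -> bool:
    """True if a correct password with no second factor logs the user in."""
    identity = {"login": "alice", "password": "correct horse"}
    return run_chain(authenticator_chain(who_ini), identity) is not None


# Constructed who.ini fragments mirroring the two configs in this thread;
# only [authenticators] matters to this model.
WHO_INI_WITH_PASSWORD_PLUGIN = """
[authenticators]
plugins =
    auth_tkt
    ckan.lib.authenticator:UsernamePasswordAuthenticator
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
"""

WHO_INI_FIXED = """
[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
"""

if __name__ == "__main__":
    for label, ini in (("original", WHO_INI_WITH_PASSWORD_PLUGIN), ("fixed", WHO_INI_FIXED)):
        print(label, authenticator_chain(ini), "bypass:", mfa_can_be_bypassed(ini))
```

The model shows why the ordering of plugins in who.ini is not cosmetic: a plugin that returns a user id on password alone short-circuits every stricter plugin listed after it, so the second factor is never consulted. Removing that plugin (or ensuring every listed authenticator enforces the factor) is what closes the bypass, not moving it further down the list.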

markstuart commented 7 months ago

Closing this due to inactivity.

BWibo commented 7 months ago

Thanks for the assistance. I'll reopen if this comes up again. For now, we have a different solution.