jeremyschulman / netbox-plugin-auth-saml2

Netbox plugin for SSO using SAML2

Netbox 3.0 or 3.0.2 #45

Open RyanMesser opened 2 years ago

RyanMesser commented 2 years ago

Hi,

This plugin works fine in Netbox 2.9.11, but when updating to 3.0 or 3.0.2 I get the below error and the container doesn't start. I tried adding this to the Dockerfile but it has had no effect:

RUN sed -i 's/base64.decodestring/base64.decodebytes/g' /opt/netbox/venv/lib/python3.9/site-packages/saml2/saml.py

The error I get in the logs is the below:

File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/saml.py", line 91, in <module>
_b64_encode_fn = getattr(base64, 'encodebytes', base64.encodestring)

Any ideas on what I could do to fix?

duviful commented 2 years ago

Hello, same problem for me on NetBox v3.0.2 (image built from a custom Dockerfile):

AttributeError: module 'base64' has no attribute 'decodestring'

I'm available for testing and troubleshooting. Thanks

maekee commented 2 years ago

"If using NetBox's built-in remote authentication backend, update REMOTE_AUTH_BACKEND to 'netbox.authentication.RemoteUserBackend', as the authentication class has moved."

https://netbox.readthedocs.io/en/stable/release-notes/version-2.9/#configuration-changes

duviful commented 2 years ago

I'm using the plugin to handle SAML authentication and not the built-in auth backend. This is a snippet of the extra.py file working with v2.11:

REMOTE_AUTH_BACKEND = "django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend"
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = 'Viewers'
REMOTE_AUTH_DEFAULT_PERMISSIONS= 'None'

PLUGINS = ['django3_saml2_nbplugin']
PLUGINS_CONFIG = {
    'django3_saml2_nbplugin': {
        'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,

Your suggestion is to change REMOTE_AUTH_BACKEND from django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend to netbox.authentication.RemoteUserBackend?

Wouldn't it just revert to the built-in auth and lose SAML functionalities?

RyanMesser commented 2 years ago

> I'm using the plugin to handle SAML authentication and not the built-in auth backend. This is a snippet of the extra.py file working with v2.11:
>
> REMOTE_AUTH_BACKEND = "django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend"
> REMOTE_AUTH_AUTO_CREATE_USER = True
> REMOTE_AUTH_DEFAULT_GROUPS = 'Viewers'
> REMOTE_AUTH_DEFAULT_PERMISSIONS= 'None'
>
> PLUGINS = ['django3_saml2_nbplugin']
> PLUGINS_CONFIG = {
>     'django3_saml2_nbplugin': {
>         'AUTHENTICATION_BACKEND': REMOTE_AUTH_BACKEND,
>
> Your suggestion is to change REMOTE_AUTH_BACKEND from django3_saml2_nbplugin.backends.SAML2CustomAttrUserBackend to netbox.authentication.RemoteUserBackend?
>
> Wouldn't it just revert to the built-in auth and lose SAML functionalities?

I concur with this, how does this modification affect that this plugin doesn't build when using Netbox 3.0.2?

jacobhrussell commented 2 years ago

I am also getting the AttributeError: module 'base64' has no attribute 'decodestring' error after upgrading to v3 and using netbox-docker. Looks like decodestring has been deprecated and is finally causing some issues — you can read more about it on this SO question and also from the Python docs. Latest netbox-docker image uses alpine with python at 3.9 I believe.

I think the root issue is the pysaml2 dependency used in django3-auth-saml2 which is in turn used by the plugin:

File "/opt/netbox/venv/lib/python3.9/site-packages/django3_auth_saml2/urls.py", line 3, in <module>
from . import views
File "/opt/netbox/venv/lib/python3.9/site-packages/saml2/saml.py", line 90, in <module>
_b64_decode_fn = getattr(base64, 'decodebytes', base64.decodestring)

Looks like pysaml2 was updated by dependabot in the django3-auth-saml2 repo, but there hasn't been a release to pypi since then per this issue. Maybe go give that issue some love! Maintainer just might not know this is an issue since NetBox v3 is still relatively new.
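Added example (not part of the thread and not pysaml2's own code): it runs the two saml.py lines quoted in the tracebacks above against a constructed stand-in for Python 3.9's base64 module, showing that the `getattr` default is evaluated eagerly and why the `sed` workaround from the first comment still fails at line 91. The names `base64_py39`, `apply_sed`, `failing_lines` and `lazy_lookup` are hypothetical helpers introduced for this illustration.

```python
import re
import types

# Constructed stand-in for the base64 module on Python 3.9+, where the
# deprecated aliases encodestring/decodestring no longer exist.
base64_py39 = types.SimpleNamespace(
    encodebytes=lambda b: b, decodebytes=lambda b: b
)

# The two module-level lines quoted in the tracebacks (saml2/saml.py).
SAML_PY = {
    90: "_b64_decode_fn = getattr(base64, 'decodebytes', base64.decodestring)",
    91: "_b64_encode_fn = getattr(base64, 'encodebytes', base64.encodestring)",
}


def apply_sed(lines):
    """Mirror the Dockerfile workaround: s/base64.decodestring/base64.decodebytes/g."""
    # As in sed, the unescaped '.' matches any character; kept as posted.
    return {n: re.sub(r"base64.decodestring", "base64.decodebytes", src)
            for n, src in lines.items()}


def failing_lines(lines, base64=base64_py39):
    """Execute each line against the stand-in; return the line numbers that raise."""
    bad = []
    for n, src in sorted(lines.items()):
        try:
            # The default argument base64.<old name> is evaluated before
            # getattr() runs, so it raises even though the new name exists.
            exec(src, {"base64": base64})
        except AttributeError:
            bad.append(n)
    return bad


def lazy_lookup(mod, new, old):
    """Touch the legacy name only if the new one is missing."""
    fn = getattr(mod, new, None)
    return fn if fn is not None else getattr(mod, old)


if __name__ == "__main__":
    print("unpatched:", failing_lines(SAML_PY))
    print("after sed:", failing_lines(apply_sed(SAML_PY)))
    print("lazy ok:", lazy_lookup(base64_py39, "encodebytes", "encodestring") is not None)
```

The substitution only rewrites the `decodestring` reference on line 90, so the import still dies on the `encodestring` default on line 91, which matches the line number in the first traceback.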

jacobhrussell commented 2 years ago

This solution will depend on your deployment, but I was able to resolve the issue by adding RUN /opt/netbox/venv/bin/pip install pysaml2==6.5.0 -U to the end of my Dockerfile-Plugins.

It will give you the following error when you build the image:

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
django3-auth-saml2 0.2.0 requires pysaml2==5.0.0, but you have pysaml2 6.5.0 which is incompatible.

This can be ignored as far as I can tell. Once the new version of django3-auth-saml2 is pushed to pypi this should go away.

RyanMesser commented 2 years ago

> This solution will depend on your deployment, but I was able to resolve the issue by adding RUN /opt/netbox/venv/bin/pip install pysaml2==6.5.0 -U to the end of my Dockerfile-Plugins.
>
> It will give you the following error when you build the image:
>
> ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
> django3-auth-saml2 0.2.0 requires pysaml2==5.0.0, but you have pysaml2 6.5.0 which is incompatible.
>
> This can be ignored as far as I can tell. Once the new version of django3-auth-saml2 is pushed to pypi this should go away.

Thanks, this worked for me. Got the error you mentioned on build but afterwards it seems to work fine. I've tested this on the latest version of Netbox (3.0.7).

jeremyschulman commented 2 years ago

@jacobhrussell - thank you for digging into this issue and finding the root cause. There is another package that needs to be installed, which is here: https://github.com/jeremyschulman/django3-auth-saml2/blob/master/requirements.txt and that does have the pysaml2 library pinned to 6.5.0.

jacobhrussell commented 2 years ago

@jeremyschulman my pleasure and thanks for the awesome plugin!

jasonbyatt commented 2 years ago

Hey all

I've recently deployed Netbox 3.0.10 and I'm currently getting this issue. I upgraded pysaml2 to 6.5.0; however, the problem is still occurring. Any ideas on anything else I can check? This is a pretty fresh install (not using docker).

Thanks

devon-mar commented 2 years ago

Here's my Dockerfile (DockerHub). I needed to explicitly pin pysaml2 to 6.5.2 to get it to work.

celldara commented 2 years ago

For those of us not using Docker and who must have repeatable Ansible scripts, these workarounds are not a proper method to solve this. We need a proper solution (django3-auth-saml2 updated in pypi to support pysaml2 >= 6.5.2 (latest is 7.1.0)). I'm also not able to pull from github due to airgapped servers and have to rely on a replicated pypi repo, so if it isn't in pypi, I can't use it.

jeremyschulman commented 2 years ago

@celldara - I can fix this. I think the right thing to do is to unpin the version of pysaml2 in the django3-auth-saml2 repo. If I did that then I believe you would most likely need to install pysaml2 first with the version you need, and then install the django3 repo. Would that approach work for you?

celldara commented 2 years ago

@jeremyschulman as long as it makes it into the pypi repository. I can only use it if it is pushed to pypi. You already have a version that supports pysaml2==6.5.0 but it isn't pushed to pypi either.

Maybe set a minimum version of 6.5.2 (which seems to work with Python 3.9) and let it match at least that

jeremyschulman commented 2 years ago

Ok, I'll push it to pypi shortly. Sorry for that.

On Thu, Dec 2, 2021 at 1:00 PM celldara @.***> wrote:

> @jeremyschulman as long as it makes it into the pypi repository. I can only use it if it is pushed to pypi. You already have a version that supports pysaml2==6.5.0 but it isn't pushed to pypi either.


celldara commented 2 years ago

Thank you. I was dreading doing the SAML2 auth to NetBox when I found your solution. Much nicer than doing it in Apache using mod_auth_mellon.

jeremyschulman commented 2 years ago

@celldara - ok, I just pushed a version of django repo that sets saml2 to >= 6.5.0. The new release version is 0.2.1. Please give that a try and let me know if that works for you; or if not we can work through the issues.

celldara commented 2 years ago

I'll have to wait for the pypi repo to replicate here. I still have lots of work to finish up on what is needed to migrate our old data to the new servers, so it may be a couple days before I test.

celldara commented 2 years ago

@jeremyschulman The new version pushed to pypi worked great. It allowed install of pysaml2 7.1.0 (it just installed the latest version by default without having to specify a version). SAML2 Auth with Azure SSO works great with Python 3.9 now. Thanks

jeremyschulman commented 2 years ago

@celldara - excellent. I would like to close this issue @RyanMesser. Would that be AOK with you?