saltyorg / Sandbox

Saltbox Sandbox
GNU General Public License v3.0

feat: tandoor: adding sso to app #202

Status: Closed (azerial closed this 1 year ago)

azerial commented 1 year ago

Description

Added Authelia SSO to the tandoor application role.

Impact: Security

Experienced: Tandoor is currently only secured behind the built in authentication method. This is not consistent with other roles. We have an SSO that is updated with uniform security updates.

Expected: Tandoor should be secured behind Authelia SSO.

How Has This Been Tested?

owine commented 1 year ago

We try to avoid double auth with apps. Can the internal auth be disabled easily? I wrote the role, but abandoned the app pretty soon after.

azerial commented 1 year ago

Let me consult their code and get back to you on this.

I can understand this; however, there are a few applications in Saltbox main that do this. From my perspective, this unifies the security across the platform.

azerial commented 1 year ago

It looks like it may be possible to integrate the Django Allauth that Tandoor uses with Authelia. This would require the role to change more, but I think it would be worth it. I will make the change, but I won't be able to get it done until later today (day job work).

I'm not super familiar with the GitHub workflow (we use GitLab at work), but maybe we can put this in a draft state and then I can resubmit it after sufficient testing and the change has been made. Otherwise we can just leave it open.

I will research its feasibility and get back to you.

owine commented 1 year ago

I've moved it to draft - either ping me or mark it ready for review when you're good to go. I think my approval will persist so the CI will run on additional commits to your fork/branch.

azerial commented 1 year ago

This was a lot easier than I thought. I just had to set an env var to 1 to disable the Django authentication.

After the user authenticates with the SSO, they are redirected to the application and are logged in with the admin user. This has been tested in Firefox Developer Edition (active SSO session and private tab) and Google Chrome (new SSO session).
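
The mechanism described in the comment above (the app's own login switched off, the logged-in identity supplied by the SSO proxy after Authelia has authenticated the user) as an added example. This is not Tandoor's or the Saltbox role's code; the header name, the proxy address and the user list are assumptions for illustration. It shows the check an app behind a forward-auth proxy should keep: an identity header is honoured only when the request came from the proxy that performed the SSO step and names an existing user, otherwise no session is created.

```python
"""Trusted-proxy header login (added example, not Tandoor/Saltbox code).

When an app's built-in login is disabled in favour of SSO, the reverse proxy
asserts the authenticated user in a request header. The app must only trust
that header when the request actually came from the proxy.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

IDENTITY_HEADER = "Remote-User"      # assumed header name set by the SSO proxy
TRUSTED_PROXIES = {"10.0.0.2"}       # assumed address of the Authelia/proxy host
KNOWN_USERS = {"admin", "alice"}     # constructed user table


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    peer_addr: str
    headers: Dict[str, str] = field(default_factory=dict)


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def resolve_user(req: Request, remote_user_auth: bool) -> Optional[str]:
    """Return the username the app should treat as logged in, or None.

    remote_user_auth mirrors the 'set an env var to 1' switch from the PR:
    when False the header is ignored and the app falls back to its own login.
    """
    if not remote_user_auth:
        return None
    # Only the proxy that ran the SSO step may assert an identity; a request
    # that reached the app by any other path gets no session from the header.
    if req.peer_addr not in TRUSTED_PROXIES:
        return None
    user = header_value(req.headers, IDENTITY_HEADER)
    # An empty header or an unknown account must not produce a session.
    if not user or user not in KNOWN_USERS:
        return None
    return user


if __name__ == "__main__":
    # Constructed sample: the proxy forwards an SSO-authenticated admin.
    via_proxy = Request("10.0.0.2", {"remote-user": "admin"})
    print(resolve_user(via_proxy, remote_user_auth=True))   # admin
    # Constructed sample: same header, but not from the proxy.
    direct = Request("192.168.1.50", {"Remote-User": "admin"})
    print(resolve_user(direct, remote_user_auth=True))      # None
```

The `TRUSTED_PROXIES` check is what makes "disable the internal auth and trust the header" safe: if the application container is reachable on the network without going through the SSO proxy, the header alone proves nothing, so the app must either be bound only to the proxy or keep this source check.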

owine commented 1 year ago

Great - will merge once CI goes green. Thanks