From f886820a617002270e2b257f0c6e36773aba2a16 Mon Sep 17 00:00:00 2001
From: jctanner
Date: Fri, 27 Sep 2024 11:32:24 -0400
Subject: [PATCH] Force galaxy session auth as the first auth class. (#2279)

The galaxy sessionauth class must always come first to control the 401 vs 403 error messages AND to prevent the keycloak auth classes from sending back a www-authenticate header that causes an authentication popup in the platform UX.
No-Issue
Signed-off-by: James Tanner
(cherry picked from commit 64968a924ab03a85c7072dbee60e9d450acd2d09)
---
 galaxy_ng/app/dynaconf_hooks.py | 13 +++++++++-
 .../tests/unit/app/test_dynaconf_hooks.py | 24 +++++++++----------
 2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/galaxy_ng/app/dynaconf_hooks.py b/galaxy_ng/app/dynaconf_hooks.py
index 44e6f8faf3..6deb06945d 100755
--- a/galaxy_ng/app/dynaconf_hooks.py
+++ b/galaxy_ng/app/dynaconf_hooks.py
@@ -417,13 +417,24 @@ def configure_authentication_classes(settings: Dynaconf, data: Dict[str, Any]) - # add in keycloak classes if necessary ... if data.get('GALAXY_AUTH_KEYCLOAK_ENABLED') is True: for class_name in [ - "galaxy_ng.app.auth.session.SessionAuthentication", + # "galaxy_ng.app.auth.session.SessionAuthentication", "galaxy_ng.app.auth.token.ExpiringTokenAuthentication", "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth" ]: if class_name not in galaxy_auth_classes: galaxy_auth_classes.insert(0, class_name) + # galaxy sessionauth -must- always come first ... + galaxy_session = "galaxy_ng.app.auth.session.SessionAuthentication" + if galaxy_auth_classes: + # Check if galaxy_session is already the first element + if galaxy_auth_classes[0] != galaxy_session: + # Remove galaxy_session if it exists in the list + if galaxy_session in galaxy_auth_classes: + galaxy_auth_classes.remove(galaxy_session) + # Insert galaxy_session at the beginning of the list + galaxy_auth_classes.insert(0, galaxy_session) + if galaxy_auth_classes: data["ANSIBLE_AUTHENTICATION_CLASSES"] = list(galaxy_auth_classes) data["GALAXY_AUTHENTICATION_CLASSES"] = list(galaxy_auth_classes) diff --git a/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py b/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py index da5f6d3f80..a9a1253a91 100644 --- a/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py +++ b/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py @@ -73,7 +73,7 @@ def validate(*args, **kwargs): @pytest.mark.parametrize( "do_stuff, extra_settings, expected_results", [ - # >=4.10 no external auth ... + # 0 >=4.10 no external auth ... ( True, # False, @@ -84,7 +84,7 @@ def validate(*args, **kwargs): ] }, ), - # >=4.10 ldap ... + # 1 >=4.10 ldap ... ( True, # False, @@ -120,7 +120,7 @@ def validate(*args, **kwargs): "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES": None, }, ), - # >=4.10 keycloak ... + # 2 >=4.10 keycloak ... ( True, # False, 
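Review bot: The reorder block at the end of this hunk looks like it adds `galaxy_ng.app.auth.session.SessionAuthentication` to any non-empty class list rather than only moving it, because, as far as the flattened indentation shows, `galaxy_auth_classes.insert(0, galaxy_session)` runs whenever the first entry differs, whether or not the class was configured. A deployment whose configured list deliberately omits session auth (token-only API access, for instance) would then accept cookie sessions, so the behaviour should be either stated or narrowed. If it is intended, say so in the comment, e.g. `# galaxy sessionauth -must- always come first; it is added when the configured list lacks it`; if not, do the remove-and-insert only under `if galaxy_session in galaxy_auth_classes:`. The commented-out list entry `# "galaxy_ng.app.auth.session.SessionAuthentication",` is better deleted than kept as dead code. configure_authentication_classes starts and ends outside the hunk.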
@@ -143,23 +143,23 @@ def validate(*args, **kwargs):
 "ansible_base.lib.backends.prefixed_user_auth.PrefixedUserAuthBackend",
 ],
 "ANSIBLE_AUTHENTICATION_CLASSES": [
+ "galaxy_ng.app.auth.session.SessionAuthentication",
 "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth",
 "galaxy_ng.app.auth.token.ExpiringTokenAuthentication",
- "galaxy_ng.app.auth.session.SessionAuthentication",
 ],
 "GALAXY_AUTHENTICATION_CLASSES": [
+ "galaxy_ng.app.auth.session.SessionAuthentication",
 "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth",
 "galaxy_ng.app.auth.token.ExpiringTokenAuthentication",
- "galaxy_ng.app.auth.session.SessionAuthentication",
 ],
 "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES": [
+ "galaxy_ng.app.auth.session.SessionAuthentication",
 "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth",
 "galaxy_ng.app.auth.token.ExpiringTokenAuthentication",
- "galaxy_ng.app.auth.session.SessionAuthentication",
 ],
 },
 ),
- # >=4.10 dab ..
+ # 3 >=4.10 dab ..
 (
 True,
 # False,
@@ -195,7 +195,7 @@ def validate(*args, **kwargs):
 ],
 },
 ),
- # >=4.10 keycloak+dab ...
+ # 4 >=4.10 keycloak+dab ...
 (
 True,
 # False,
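Review bot: The expectations changed here and in the `@@ -224,32` hunk are all keycloak cases, and none of the visible cases shows an input list that omits the session class or a non-keycloak list where it sits mid-list, so the two new branches of the reorder logic in dynaconf_hooks.py are not pinned by a test. One extra parametrized case whose input `GALAXY_AUTHENTICATION_CLASSES` leaves out `galaxy_ng.app.auth.session.SessionAuthentication`, asserting the resulting order, would record whether the hook is meant to add the class or only move it. The numeric labels added to the comments (`# 3 >=4.10 dab ..`) drift as soon as a case is inserted; `pytest.param(..., id="dab")` puts the name in the test report instead. The parametrize list starts and ends outside the hunk.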
@@ -224,32 +224,32 @@ def validate(*args, **kwargs):
 "ansible_base.lib.backends.prefixed_user_auth.PrefixedUserAuthBackend",
 ],
 "ANSIBLE_AUTHENTICATION_CLASSES": [
+ "galaxy_ng.app.auth.session.SessionAuthentication",
 "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth",
 "galaxy_ng.app.auth.token.ExpiringTokenAuthentication",
- "galaxy_ng.app.auth.session.SessionAuthentication",
 "ansible_base.jwt_consumer.hub.auth.HubJWTAuth",
 "rest_framework.authentication.TokenAuthentication",
 "rest_framework.authentication.BasicAuthentication",
 ],
 "GALAXY_AUTHENTICATION_CLASSES": [
+ "galaxy_ng.app.auth.session.SessionAuthentication",
 "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth",
 "galaxy_ng.app.auth.token.ExpiringTokenAuthentication",
- "galaxy_ng.app.auth.session.SessionAuthentication",
 "ansible_base.jwt_consumer.hub.auth.HubJWTAuth",
 "rest_framework.authentication.TokenAuthentication",
 "rest_framework.authentication.BasicAuthentication",
 ],
 "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES": [
+ "galaxy_ng.app.auth.session.SessionAuthentication",
 "galaxy_ng.app.auth.keycloak.KeycloakBasicAuth",
 "galaxy_ng.app.auth.token.ExpiringTokenAuthentication",
- "galaxy_ng.app.auth.session.SessionAuthentication",
 "ansible_base.jwt_consumer.hub.auth.HubJWTAuth",
 "rest_framework.authentication.TokenAuthentication",
 "rest_framework.authentication.BasicAuthentication",
 ],
 },
 ),
- # >=4.10 ldap+dab ...
+ # 5 >=4.10 ldap+dab ...
 (
 True,
 # False,