Bump Netbox version and use CSH SSO (#4)

* Add netbox-topology-view plugin

* Fix Containerfile

* Set specific version of netbox-topology-views

* Update static Containerfile

* Add separate static containerfile

* bump netbox to 3.7.4

* bump netbox to 3.7.4 but actually this time

* bump netbox-topology-views to 3.9b1 for upgrade to netbox 3.7.4

* oidc

* revert netbox-topology-views to 3.9.0 (no beta)

* better group mirroring

* remove LDAP stuff

* change login banner

* remove hardcoded login/logout redirects

* cursed auto-redirect to sso

* update readme

* remove templates

---------

Co-authored-by: joe <[email protected]>

Author: cecilialau6776

.gitmodules

@@ -1,3 +1,4 @@
 [submodule "netbox"]
 	path = netbox
 	url = ../../netbox-community/netbox.git
+	branch = v3.7.4

Containerfile

@@ -9,25 +9,23 @@ RUN apt-get update && \
   libffi-dev \
   libpq-dev \
   libssl-dev \
-  zlib1g-dev \
-  libldap2-dev \
-  libsasl2-dev \
-  libssl-dev
+  zlib1g-dev
 
 COPY netbox/requirements.txt /opt/netbox/requirements.txt
 COPY local_requirements.txt /opt/netbox/local_requirements.txt
-RUN pip install django-storages django-auth-ldap srvlookup
+RUN pip install django-storages
 RUN pip install -r /opt/netbox/requirements.txt
 RUN pip install -r /opt/netbox/local_requirements.txt
 
 COPY netbox /opt/netbox
+COPY oidc_groups.py /opt/netbox/netbox/oidc_groups.py
 
 COPY validators.py /opt/netbox/netbox/netbox/validators.py
 COPY configuration.env.py /opt/netbox/netbox/netbox/configuration.py
-COPY ldap_config.env.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY gunicorn.py /opt/netbox/gunicorn.py
 COPY migrate.sh /opt/netbox/migrate.sh
 
+
 WORKDIR /opt/netbox
 
 RUN NETBOX_SECRET_KEY="6l0~ZBT9yFIQoZxak9H=N_f6~@Yhbu~YS4s6r8-R2%GwXZVV)0" mkdocs build && \

README.md

@@ -1,5 +1,5 @@
 # CSH Netbox
-OKD Containers for CSH's Netbox instance, now with LDAP!
+OKD Containers for CSH's Netbox instance, now with CSH SSO!
 
 ## Upgrading
 

configuration.env.py

@@ -97,7 +97,7 @@
 BANNER_BOTTOM = ''
 
 # Text to include on the login page above the login form. HTML is allowed.
-BANNER_LOGIN = 'Please log in with your CSH username and password'
+BANNER_LOGIN = '<script>window.location.replace("/oauth/login/oidc/" + window.location.search);</script>'
 
 # Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
 # BASE_PATH = 'netbox/'
@@ -183,7 +183,7 @@
   "version": 1,
   "disable_existing_loggers": False,
   "handlers": {"console": {"class": "logging.StreamHandler"}},
-  "loggers": {"django_auth_ldap": {"level": "DEBUG", "handlers": ["console"]}},
+  "loggers": {"social_core": {"level": "DEBUG", "handlers": ["console"]}},
 } if DEBUG else {}
 
 # Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
@@ -275,11 +275,37 @@
 
 # Remote authentication support
 REMOTE_AUTH_ENABLED = True
-REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
+REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
 REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
 REMOTE_AUTH_AUTO_CREATE_USER = True
 REMOTE_AUTH_DEFAULT_GROUPS = []
 REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+SOCIAL_AUTH_OIDC_ENDPOINT = 'https://sso.csh.rit.edu/auth/realms/csh'
+SOCIAL_AUTH_KEY = os.environ.get("OIDC_CLIENT_ID")
+SOCIAL_AUTH_SECRET = os.environ.get("OIDC_CLIENT_SECRET")
+SOCIAL_AUTH_NO_DEFAULT_PROTECTED_USER_FIELDS = True
+SOCIAL_AUTH_PROTECTED_USER_FIELDS = (
+    "id",
+    "pk",
+    "email",
+    "password",
+    "is_active",
+    "is_staff",
+    "is_superuser",
+)
+
+SOCIAL_AUTH_PIPELINE = (
+    'social_core.pipeline.social_auth.social_details',
+    'social_core.pipeline.social_auth.social_uid',
+    'social_core.pipeline.social_auth.social_user',
+    'social_core.pipeline.user.get_username',
+    'social_core.pipeline.user.create_user',
+    'social_core.pipeline.social_auth.associate_user',
+    'netbox.authentication.user_default_groups_handler',
+    'social_core.pipeline.social_auth.load_extra_data',
+    'oidc_groups.oidc_groups_handler',
+    'social_core.pipeline.user.user_details',
+)
 
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.

ldap_config.env.py

@@ -1,2 +1,3 @@
-netbox-topology-views==3.8.1
+netbox-topology-views==3.9.0
+social-auth-app-django==5.4.0
 netbox-plugin-dns==0.22.1

local_requirements.txt

@@ -0,0 +1,19 @@
+from django.contrib.auth.models import Group
+
+
+def oidc_groups_handler(strategy, response, user, *args, **kwargs):
+    # mirror groups
+    groups = [
+        Group.objects.get_or_create(name=group)[0] for group in response["groups"]
+    ]
+    user.groups.set(groups)
+
+    # give active rtps superuser and staff
+    is_active_rtp = "active_rtp" in response["groups"]
+    user.is_superuser = is_active_rtp
+    user.is_staff = is_active_rtp
+
+    user.is_active = "member" in response["groups"]
+
+    # save
+    strategy.storage.user.changed(user)