experiment: configure allauth with mfa

hmpf · hmpf · commit 265c2a0dd84b · 2025-10-23T09:54:45.000+02:00
diff --git a/python/nav/django/defaults.py b/python/nav/django/defaults.py
@@ -0,0 +1,14 @@
+PUBLIC_URLS = [
+    '/api/',  # No auth/different auth system
+    '/doc/',  # No auth/different auth system
+    '/about/',
+    '/index/login/',
+    '/index/audit-logging-modal/',
+    '/refresh_session',
+    '/accounts/',
+    '/accounts/2fa/authenticate/',
+]
+NAV_LOGIN_URL = '/index/login/'
+ALLAUTH_LOGIN_URL = '/accounts/login/'
+
+LOGIN_URL = ALLAUTH_LOGIN_URL
diff --git a/python/nav/django/settings.py b/python/nav/django/settings.py
@@ -137,6 +137,7 @@
     'nav.django.legacy.LegacyCleanupMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django_htmx.middleware.HtmxMiddleware',
+    'allauth.account.middleware.AccountMiddleware',
 )
 
 SESSION_SERIALIZER = 'nav.web.session_serializer.PickleSerializer'
@@ -236,12 +237,21 @@
     'nav.portadmin.napalm',
     'nav.web.portadmin',
     'django.contrib.postgres',
+    'allauth',
+    'allauth.account',
+    'allauth.mfa',
+    'allauth.socialaccount',
+    # noqa: Needs to be a setting
+    'allauth.socialaccount.providers.dataporten',
 )
 
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
 AUTH_USER_MODEL = 'nav_models.Account'
 
-AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.ModelBackend']
+AUTHENTICATION_BACKENDS = [
+    'django.contrib.auth.backends.ModelBackend',
+    "allauth.account.auth_backends.AuthenticationBackend",
+]
 LOGIN_REDIRECT_URL = '/'
 LOGIN_URL = '/index/login/'
 
@@ -318,3 +328,17 @@
     'JWT_ISSUERS': _issuers_setting,
     'JWT_AUTH_HEADER_PREFIX': 'Bearer',
 }
+
+# Allauth settings
+
+# ACCOUNT_ADAPTER = "argus.auth.allauth.adapter.ArgusAccountAdapter"
+ACCOUNT_USER_MODEL_USERNAME_FIELD = 'login'
+ACCOUNT_ALLOW_SIGNUPS = False
+ACCOUNT_MAX_EMAIL_ADDRESSES = 1
+LOGIN_URL = '/accounts/login/'
+MFA_WEBAUTHN_ALLOW_INSECURE_ORIGIN = True  # allow localhost
+MFA_TOTP_ISSUER = 'NAV'
+MFA_TOTP_TOLERANCE = 0
+MFA_SUPPORTED_TYPES = ['totp', 'recovery_codes']
+SOCIALACCOUNT_AUTO_SIGNUP = True
+# SOCIALACCOUNT_ADAPTER = 'argus.auth.allauth.adapter.ArgusSocialAccountAdapter'
diff --git a/python/nav/django/urls.py b/python/nav/django/urls.py
@@ -66,6 +66,7 @@
     path('refresh_session/', refresh_session, name='refresh-session'),
     path('auditlog/', include('nav.auditlog.urls')),
     path('interfaces/', include('nav.web.interface_browser.urls')),
+    path('accounts/', include('allauth.urls')),
     path('500/', force_500),
 ]
 
diff --git a/python/nav/web/auth/__init__.py b/python/nav/web/auth/__init__.py
@@ -26,6 +26,7 @@
 from django.http import HttpRequest
 from django.urls import reverse
 
+from nav.django.defaults import LOGIN_URL
 from nav.auditlog.models import LogEntry
 from nav.models.profiles import Account, AccountGroup
 from nav.web.auth import ldap, remote_user
@@ -42,7 +43,7 @@
 # This may seem like redundant information, but it seems django's reverse
 # will hang under some usages of these middleware classes - so until we figure
 # out what's going on, we'll hardcode this here.
-LOGIN_URL = '/index/login/'
+# LOGIN_URL = '/accounts/login/'
 # The local logout url, redirects to '/' after logout
 # If the entire site is protected via remote_user, this link must be outside
 # that protection!
diff --git a/python/nav/web/auth/utils.py b/python/nav/web/auth/utils.py
@@ -24,6 +24,7 @@
 from django.contrib.auth import get_user as django_get_user
 from django.core.cache import cache
 
+from nav.django.defaults import PUBLIC_URLS
 from nav.models.profiles import Account
 
 
@@ -103,15 +104,7 @@ def authorization_not_required(fullpath):
     Should the user be able to decide this? Currently not.
 
     """
-    auth_not_required = [
-        '/api/',
-        '/doc/',  # No auth/different auth system
-        '/about/',
-        '/index/login/',
-        '/index/audit-logging-modal/',
-        '/refresh_session',
-    ]
-    for url in auth_not_required:
+    for url in PUBLIC_URLS:
         if fullpath.startswith(url):
             _logger.debug('authorization_not_required: %s', url)
             return True
diff --git a/python/nav/web/templates/allauth/layouts/base.html b/python/nav/web/templates/allauth/layouts/base.html
@@ -0,0 +1,48 @@
+{% extends "base.html" %}
+{% load socialaccount %}
+{% load i18n %}
+{% block base_content %}
+{% if request.user.is_authenticated %}
+    <nav>
+      <ul>
+        {% url 'account_email' as email_url_ %}
+        {% if email_url_ %}
+          <li>
+            <a href="{{ email_url_ }}">{% trans "Change Email" %}</a>
+          </li>
+        {% endif %}
+        {% url 'account_change_password' as change_password_url_ %}
+        {% if change_password_url_ %}
+          <li>
+            <a href="{{ change_password_url_ }}">{% trans "Change Password" %}</a>
+          </li>
+        {% endif %}
+        {% url 'socialaccount_connections' as connections_url_ %}
+        {% if connections_url_ %}
+          <li>
+            <a href="{{ connections_url_ }}">{% trans "Account Connections" %}</a>
+          </li>
+        {% endif %}
+        {% url 'mfa_index' as mfa_url_ %}
+        {% if mfa_url_ %}
+          <li>
+            <a href="{{ mfa_url_ }}">{% trans "Two-Factor Authentication" %}</a>
+          </li>
+        {% endif %}
+        {% url 'usersessions_list' as usersessions_list_url_ %}
+        {% if usersessions_list_url_ %}
+          <li>
+            <a href="{{ usersessions_list_url_ }}">{% trans "Sessions" %}</a>
+          </li>
+        {% endif %}
+        {% url 'account_logout' as logout_url_ %}
+      </ul>
+    </nav>
+{% endif %}
+  <section>
+    <div>
+      {% block content %}
+      {% endblock content %}
+    </div>
+  </section>
+{% endblock base_content %}
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -47,3 +47,5 @@ service-identity==21.1.0
 requests
 
 pyjwt>=2.6.0
+
+django-allauth[mfa,socialaccount]
diff --git a/tests/functional/conftest.py b/tests/functional/conftest.py
@@ -1,6 +1,8 @@
 import os
 import subprocess
 
+from nav.django.default import NAV_LOGIN_URL as LOGIN_URL
+
 import pytest
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support.ui import WebDriverWait
@@ -45,7 +47,7 @@ def selenium(selenium, base_url, admin_username, admin_password):
     wait = WebDriverWait(selenium, 10)
 
     # visit the login page and submit the login form
-    selenium.get(f"{base_url}/index/login")
+    selenium.get(f"{base_url}/{LOGIN_URL}")
     wait.until(EC.text_to_be_present_in_element((By.TAG_NAME, "label"), "Username"))
 
     username = selenium.find_element(By.ID, "id_username")
diff --git a/tests/integration/web/crawler_test.py b/tests/integration/web/crawler_test.py
@@ -35,6 +35,8 @@
     urlunparse,
 )
 
+from nav.django.settings import LOGIN_URL
+
 
 TIMEOUT = 90  # seconds?
 
@@ -165,7 +167,7 @@ def _queue_links_from(self, content, base_url):
                 self.queue.append('%s://%s%s' % (url.scheme, url.netloc, url.path))
 
     def login(self):
-        login_url = urljoin(self.base_url, '/index/login/')
+        login_url = urljoin(self.base_url, LOGIN_URL)
         opener = build_opener(HTTPCookieProcessor())
         data = urlencode({'username': self.username, 'password': self.password})
         opener.open(login_url, data.encode('utf-8'), TIMEOUT)

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@`
`66`	`66`	`path('refresh_session/', refresh_session, name='refresh-session'),`
`67`	`67`	`path('auditlog/', include('nav.auditlog.urls')),`
`68`	`68`	`path('interfaces/', include('nav.web.interface_browser.urls')),`
	`69`	`+ path('accounts/', include('allauth.urls')),`
`69`	`70`	`path('500/', force_500),`
`70`	`71`	`]`
`71`	`72`