[#2076] Fix admin index with 2fa

maykinmedia · Feb 21, 2024 · 2330eff · 2330eff
1 parent 1e8807b
commit 2330eff
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 24 deletions.
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -323,7 +323,7 @@ django-elasticsearch-dsl==7.2.1
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
-django-extensions==3.1.3
+django-extensions==3.2.3
     # via -r requirements/dev.in
 django-extra-fields==3.0.2
     # via

diff --git a/src/open_inwoner/cms/utils/middleware.py b/src/open_inwoner/cms/utils/middleware.py
@@ -1,4 +1,3 @@
-from django.conf import settings
 from django.http import HttpResponseRedirect
 
 from cms.toolbar.utils import get_toolbar_from_request

diff --git a/src/open_inwoner/conf/base.py b/src/open_inwoner/conf/base.py
@@ -480,11 +480,6 @@
     "open_inwoner.accounts.backends.CustomOIDCBackend",
 ]
 
-# Allowing OIDC admins to bypass 2FA
-MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
-    "open_inwoner.accounts.backends.CustomOIDCBackend",
-]
-
 
 SESSION_COOKIE_NAME = "open_inwoner_sessionid"
 SESSION_ENGINE = "django.contrib.sessions.backends.cache"
@@ -609,6 +604,11 @@
 ADMIN_INDEX_SHOW_REMAINING_APPS = False
 ADMIN_INDEX_AUTO_CREATE_APP_GROUP = False
 ADMIN_INDEX_SHOW_REMAINING_APPS_TO_SUPERUSERS = False
+ADMIN_INDEX_SHOW_MENU = True
+ADMIN_INDEX_DISPLAY_DROP_DOWN_MENU_CONDITION_FUNCTION = (
+    "open_inwoner.utils.django_two_factor_auth.should_display_dropdown_menu"
+)
+
 
 #
 # DJANGO-AXES (4.0+)
@@ -804,6 +804,10 @@
 TWO_FACTOR_PATCH_ADMIN = False
 TWO_FACTOR_WEBAUTHN_RP_NAME = f"OpenInwoner {ENVIRONMENT}"
 TWO_FACTOR_WEBAUTHN_AUTHENTICATOR_ATTACHMENT = "cross-platform"
+# Allow OIDC admins to bypass 2FA
+MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
+    "open_inwoner.accounts.backends.CustomOIDCBackend",
+]
 
 # file upload limits
 MIN_UPLOAD_SIZE = 1  # in bytes

diff --git a/src/open_inwoner/conf/ci.py b/src/open_inwoner/conf/ci.py
@@ -60,10 +60,6 @@
 # Django privates
 SENDFILE_BACKEND = "django_sendfile.backends.development"
 
-# Two factor auth
-TWO_FACTOR_FORCE_OTP_ADMIN = False
-TWO_FACTOR_PATCH_ADMIN = False
-
 # THOU SHALT NOT USE NAIVE DATETIMES
 warnings.filterwarnings(
     "error",

diff --git a/src/open_inwoner/configurations/tests/test_oidc.py b/src/open_inwoner/configurations/tests/test_oidc.py
@@ -24,7 +24,7 @@ def setUpTestData(cls):
         openid_config.enabled = True
         openid_config.save()
 
-    def test_admin_only_enlabled(self):
+    def test_admin_only_enabled(self):
         """Assert that the OIDC login option is only displayed for login via admin"""
 
         config = SiteConfiguration.get_solo()
@@ -41,9 +41,7 @@ def test_admin_only_enlabled(self):
 
         oidc_login_option = response.pyquery.find(".admin-login-option")
 
-        self.assertEqual(
-            oidc_login_option.text(), _("Log in met een organisatieaccount")
-        )
+        self.assertEqual(oidc_login_option.text(), _("Login with organization account"))
 
     def test_admin_only_disabled(self):
         """Assert that the OIDC login option is only displayed for regular users"""
@@ -63,7 +61,7 @@ def test_admin_only_disabled(self):
         # admin login
         response = self.client.get(reverse("admin:login"))
 
-        self.assertNotContains(response, _("Log in met een organisatieaccount"))
+        self.assertNotContains(response, _("Login with organization account"))
 
     def test_oidc_config_validation(self):
         """

diff --git a/src/open_inwoner/configurations/tests/test_upload.py b/src/open_inwoner/configurations/tests/test_upload.py
@@ -1,6 +1,7 @@
 from django.urls import reverse
 
 from django_webtest import WebTest
+from maykin_2fa.test import disable_admin_mfa
 from webtest import Upload
 
 from open_inwoner.accounts.tests.factories import UserFactory
@@ -9,6 +10,7 @@
 from ..models import CustomFontSet, SiteConfiguration
 
 
+@disable_admin_mfa()
 class CustomFontsTest(ClearCachesMixin, WebTest):
     def setUp(self):
         self.user = UserFactory(is_superuser=True, is_staff=True)

diff --git a/src/open_inwoner/utils/django_two_factor_auth.py b/src/open_inwoner/utils/django_two_factor_auth.py
@@ -1,5 +1,3 @@
-from django.conf import settings
-
 from django_admin_index.utils import (
     should_display_dropdown_menu as default_should_display_dropdown_menu,
 )
@@ -8,12 +6,7 @@
 def should_display_dropdown_menu(request) -> bool:
     default = default_should_display_dropdown_menu(request)
 
-    two_factor_enabled = settings.TWO_FACTOR_PATCH_ADMIN
-    if not two_factor_enabled:
-        return default
-
-    # never display the dropdown in two-factor admin views
-    if request.resolver_match.view_name.startswith("admin:two_factor:"):
+    if request.resolver_match.view_name.startswith("maykin_2fa"):
         return False
 
     return default and request.user.is_verified()