[#2076] Fix admin index with 2fa
pi-sigma committed Feb 19, 2024
1 parent 0e18cb7 commit cd3359b
Showing 7 changed files with 16 additions and 24 deletions.
2 changes: 1 addition & 1 deletion requirements/dev.txt
Expand Up @@ -323,7 +323,7 @@ django-elasticsearch-dsl==7.2.1
# via
# -c requirements/ci.txt
# -r requirements/ci.txt
django-extensions==3.1.3
django-extensions==3.2.3
# via -r requirements/dev.in
django-extra-fields==3.0.2
# via
1 change: 0 additions & 1 deletion src/open_inwoner/cms/utils/middleware.py
@@ -1,4 +1,3 @@
from django.conf import settings
from django.http import HttpResponseRedirect

from cms.toolbar.utils import get_toolbar_from_request
14 changes: 9 additions & 5 deletions src/open_inwoner/conf/base.py
Expand Up @@ -480,11 +480,6 @@
"open_inwoner.accounts.backends.CustomOIDCBackend",
]

# Allowing OIDC admins to bypass 2FA
MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
"open_inwoner.accounts.backends.CustomOIDCBackend",
]


SESSION_COOKIE_NAME = "open_inwoner_sessionid"
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
Expand Down Expand Up @@ -609,6 +604,11 @@
ADMIN_INDEX_SHOW_REMAINING_APPS = False
ADMIN_INDEX_AUTO_CREATE_APP_GROUP = False
ADMIN_INDEX_SHOW_REMAINING_APPS_TO_SUPERUSERS = False
ADMIN_INDEX_SHOW_MENU = True
ADMIN_INDEX_DISPLAY_DROP_DOWN_MENU_CONDITION_FUNCTION = (
"open_inwoner.utils.django_two_factor_auth.should_display_dropdown_menu"
)


#
# DJANGO-AXES (4.0+)
Expand Down Expand Up @@ -804,6 +804,10 @@
TWO_FACTOR_PATCH_ADMIN = False
TWO_FACTOR_WEBAUTHN_RP_NAME = f"OpenInwoner {ENVIRONMENT}"
TWO_FACTOR_WEBAUTHN_AUTHENTICATOR_ATTACHMENT = "cross-platform"
# Allow OIDC admins to bypass 2FA
MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
"open_inwoner.accounts.backends.CustomOIDCBackend",
]

# file upload limits
MIN_UPLOAD_SIZE = 1 # in bytes
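Review bot: The comment `# Allow OIDC admins to bypass 2FA` above MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS in the third hunk says what the setting does but not the precondition it rests on: an admin authenticated through CustomOIDCBackend is never asked for a second factor locally, so admin MFA for those accounts is only as strong as whatever the identity provider enforces. Suggest expanding it to `# OIDC admins skip the local MFA step: enforcement for these accounts is delegated to the identity provider behind CustomOIDCBackend, so only list backends whose IdP requires MFA.` Grouping the list with the other TWO_FACTOR_* settings reads better than its previous spot after AUTHENTICATION_BACKENDS, and the first hunk removes the same block, so nothing is lost in the move. The new ADMIN_INDEX_DISPLAY_DROP_DOWN_MENU_CONDITION_FUNCTION string in the second hunk points at a function whose guard on TWO_FACTOR_PATCH_ADMIN is removed in this same commit, so that function now runs for every admin-index request; a short comment noting that dependency next to the setting would help the next reader.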
4 changes: 0 additions & 4 deletions src/open_inwoner/conf/ci.py
Expand Up @@ -60,10 +60,6 @@
# Django privates
SENDFILE_BACKEND = "django_sendfile.backends.development"

# Two factor auth
TWO_FACTOR_FORCE_OTP_ADMIN = False
TWO_FACTOR_PATCH_ADMIN = False

# THOU SHALT NOT USE NAIVE DATETIMES
warnings.filterwarnings(
"error",
8 changes: 3 additions & 5 deletions src/open_inwoner/configurations/tests/test_oidc.py
Expand Up @@ -24,7 +24,7 @@ def setUpTestData(cls):
openid_config.enabled = True
openid_config.save()

def test_admin_only_enlabled(self):
def test_admin_only_enabled(self):
"""Assert that the OIDC login option is only displayed for login via admin"""

config = SiteConfiguration.get_solo()
Expand All @@ -41,9 +41,7 @@ def test_admin_only_enlabled(self):

oidc_login_option = response.pyquery.find(".admin-login-option")

self.assertEqual(
oidc_login_option.text(), _("Log in met een organisatieaccount")
)
self.assertEqual(oidc_login_option.text(), _("Login with organization account"))

def test_admin_only_disabled(self):
"""Assert that the OIDC login option is only displayed for regular users"""
Expand All @@ -63,7 +61,7 @@ def test_admin_only_disabled(self):
# admin login
response = self.client.get(reverse("admin:login"))

self.assertNotContains(response, _("Log in met een organisatieaccount"))
self.assertNotContains(response, _("Login with organization account"))

def test_oidc_config_validation(self):
"""
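Review bot: `self.assertNotContains(response, _("Login with organization account"))` in test_admin_only_disabled asserts the absence of a translated string whose msgid this commit changes, but the template that renders it is not part of the diff; if the template's msgid differs from the one used here, the negative assertion passes vacuously and proves nothing about the login page. A structural check on the selector the positive test already uses is more robust, kept alongside or in place of the string match: `self.assertFalse(response.pyquery.find(".admin-login-option"))`. The positive assertion in test_admin_only_enabled likewise depends on the active language during the test matching the one the response is rendered in — presumably both resolve the same catalog, but worth confirming under the CI locale. Both test methods continue outside the visible hunks.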
2 changes: 2 additions & 0 deletions src/open_inwoner/configurations/tests/test_upload.py
@@ -1,6 +1,7 @@
from django.urls import reverse

from django_webtest import WebTest
from maykin_2fa.test import disable_admin_mfa
from webtest import Upload

from open_inwoner.accounts.tests.factories import UserFactory
Expand All @@ -9,6 +10,7 @@
from ..models import CustomFontSet, SiteConfiguration


@disable_admin_mfa()
class CustomFontsTest(ClearCachesMixin, WebTest):
def setUp(self):
self.user = UserFactory(is_superuser=True, is_staff=True)
9 changes: 1 addition & 8 deletions src/open_inwoner/utils/django_two_factor_auth.py
@@ -1,5 +1,3 @@
from django.conf import settings

from django_admin_index.utils import (
should_display_dropdown_menu as default_should_display_dropdown_menu,
)
Expand All @@ -8,12 +6,7 @@
def should_display_dropdown_menu(request) -> bool:
default = default_should_display_dropdown_menu(request)

two_factor_enabled = settings.TWO_FACTOR_PATCH_ADMIN
if not two_factor_enabled:
return default

# never display the dropdown in two-factor admin views
if request.resolver_match.view_name.startswith("admin:two_factor:"):
if request.resolver_match.view_name.startswith("maykin_2fa"):
return False

return default and request.user.is_verified()
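Review bot: With the TWO_FACTOR_PATCH_ADMIN guard removed, `return default and request.user.is_verified()` now executes for every request reaching this hook, and `is_verified` is not defined on Django's standard user classes — it is attached to request.user by django_otp's middleware — so a request that did not pass through that middleware, or an unauthenticated user on a page that renders the admin menu, raises AttributeError inside the template instead of hiding the dropdown. A fail-closed form keeps the menu hidden in that case: `is_verified = getattr(request.user, "is_verified", None)` followed by `return default and bool(is_verified and is_verified())`. Separately, `startswith("maykin_2fa")` is looser than the old `"admin:two_factor:"` prefix because it has no namespace separator; `"maykin_2fa:"` is the exact equivalent if that is the URL namespace. `request.resolver_match` can also be None for a request that matched no URL pattern, which the startswith line still dereferences. A one-line docstring stating the intent — hide the admin-index dropdown during the 2FA views and for users who have not completed verification — would make the two branches self-explanatory.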
