Add SSO auth to Wagtail and Django admins (#14649)

* Add mozilla-django-oidc to the project dependencies

* Add SSO support to Bedrock for accessing Wagtail and Django admins
* Plumbs in mozilla-django-oidc
* Add custom login pages for Wagtail and Django admins that show an SSO button instead of form fields
* Retain support for username + password login (for local development)
* Tests

* Add custom CSRF page to help explain SSO-related session loss, if it occurs

Because a renewed/cycled OIDC/SSO session can zap a CSRF token and block
a user from submitting a CMS edit, we need to provide a bit more information
about what's happened. This changeset adds that, via a new template and a tiny view
to serve it, plugged in as Django's default CSRF view

Logged out users (who are very unlikely to see this anyway) get a simple
version of the message, while logged in users get more detail/context.

* Bump SSO lease time to 18 hours - trying to balance awkward signouts with wanting re-checks

* Update test.env so that Wagtail and Django admins are available by default when urlconf is generated. Oddly the reload trick didn't work here

* Update bedrock/base/templates/403_csrf.html

Co-authored-by: Alex Gibson <[email protected]>

* Make translation tagging consistent on new login templates

* Move new CSRF view to use a CSS bundle, not inline CSS

* Remove old, redundant CSRF view

It looks like this was no longer in use. It wasn't specified as settings.CSRF_FAILURE_VIEW so wouldn't have been used/found by Django I believe

* Drop translation markup from login templates to simplify

* Don't count the test 404 and 500 views as nonlocaled, because we do localize them

* Update bedrock/admin/templates/wagtailadmin/login.html

* Tweak wording re SSO for login pages

---------

Co-authored-by: Alex Gibson <[email protected]>

Author: stevejalim

.env-dist

@@ -17,3 +17,12 @@ WAGTAIL_ENABLE_ADMIN=True
 # GS_PROJECT_ID="meao-stevejalim-dev-sandbox"
 # # export this before starting the django runserver:
 # # GOOGLE_APPLICATION_CREDENTIALS="./local-credentials/name-of-credentials-file.json"
+
+# Change to True if you want to use SSO locally, else you'll use username+password auth
+USE_SSO_AUTH=False
+
+# If USE_SSO_AUTH is True, you'll be using Mozilla OpenID Connect via Auth0
+# Get from IAM creentials from an appropriate person within the org to set here
+# in your .env
+OIDC_RP_CLIENT_ID=setme
+OIDC_RP_CLIENT_SECRET=setme

bedrock/admin/templates/admin/login.html

@@ -0,0 +1,63 @@
+{% extends "admin/login.html" %}
+{% comment %} SKIP LICENSE INSERTION {% endcomment %}
+{% comment %}
+ This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, You can obtain one at https://mozilla.org/MPL/2.0/.
+{% endcomment %}
+
+{% load auth_tags %}
+
+{% block content %}
+
+  {% should_use_sso_auth as sso_auth_enabled %}
+
+  {% if sso_auth_enabled %}
+
+    {% if form.errors and not form.non_field_errors %}
+    <p class="errornote">
+       Please correct the error{{form.errors.items|length|pluralize}} below.
+    </p>
+    {% endif %}
+
+    {% if form.non_field_errors %}
+    {% for error in form.non_field_errors %}
+    <p class="errornote">
+        {{ error }}
+    </p>
+    {% endfor %}
+    {% endif %}
+
+    <div id="content-main">
+
+      {% if user.is_authenticated %}
+      <p class="errornote">
+          You are authenticated as {{ username }}, but are not authorized to
+          access this page. Would you like to login to a different account?
+      </p>
+      {% endif %}
+
+      <p class="module">
+        <a class="button" href="{% url 'oidc_authentication_init' %}">
+          Sign in with Mozilla SSO
+        </a>
+      </p>
+      <p>
+        {% url 'admin:index' as admin_url %}
+        Note that after sign-in, you will be sent back to the CMS admin. Please re-access {{admin_url}} manually.
+      </p>
+      <p>
+        <em>
+          If you lack SSO access to this site, please ask your manager or in #www.
+        </em>
+      </p>
+
+    </div>
+
+  {% else %}
+
+    {{block.super}}
+
+  {% endif %}
+
+{% endblock content %}

bedrock/admin/templates/wagtailadmin/login.html

@@ -0,0 +1,39 @@
+{% extends "wagtailadmin/login.html" %}
+{% comment %} SKIP LICENSE INSERTION {% endcomment %}
+{% comment %}
+This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, You can obtain one at https://mozilla.org/MPL/2.0/.
+{% endcomment %}
+
+{% load auth_tags %}
+
+{% block login_form %}
+  {% should_use_sso_auth as sso_auth_enabled %}
+
+  {% if sso_auth_enabled %}
+      <a href="{% url 'oidc_authentication_init' %}" class="button button-longrunning" data-clicked-text="Signing in...">
+        <span class="icon icon-spinner"></span>
+        <em>
+          Sign in with Mozilla SSO
+        </em>
+      </a>
+      <h3>If you lack SSO access to this site, please ask your manager or in #www</h3>
+
+  {% else %}
+      {{block.super}}
+  {% endif %}
+
+{% endblock login_form %}
+
+
+{% block submit_buttons %}
+  {% should_use_sso_auth as sso_auth_enabled %}
+
+  {% if sso_auth_enabled %}
+    {# No need to show the button content if SSO is enabled#}
+  {% else %}
+    {{block.super}}
+  {% endif %}
+
+{% endblock submit_buttons %}

bedrock/base/templates/403_csrf.html

@@ -0,0 +1,34 @@
+{#
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#}
+
+ <!DOCTYPE html>
+<html lang="en" dir="ltr">
+  <head>
+    <meta charset="utf-8" />
+    <title>CSRF mismatch detected.</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    {{ css_bundle('csrf-failure') }}
+    </head>
+  <body>
+    <h1>Access denied</h1>
+    <p>
+      Cross-site request forgery (CSRF) mismatch detected.
+    </p>
+    {% if request.user.is_staff %}
+    <p>
+      This is most likely because your SSO session expired or had to be renewed.
+    </p>
+    <p>
+      It's likely and regrettable that you have lost work since your last save.
+      <br>
+      If this is happening a lot, please <a href="https://github.com/mozilla/bedrock">open a bug report</a>.
+    </p>
+    {% endif %}
+    <p>
+      Please go back using your browser's back button and try again. Reloading this page will not fix the problem.
+    </p>
+    </body>
+</html>

bedrock/base/templatetags/auth_tags.py

@@ -0,0 +1,13 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+from django.conf import settings
+from django.template import Library
+
+register = Library()
+
+
+@register.simple_tag
+def should_use_sso_auth():
+    return settings.USE_SSO_AUTH is True

bedrock/base/tests/test_auth_tags.py

@@ -0,0 +1,22 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+from django.test import override_settings
+
+import pytest
+
+from bedrock.base.templatetags.auth_tags import should_use_sso_auth
+
+
+@pytest.mark.parametrize(
+    "settings_val, expected",
+    (
+        (True, True),
+        (False, False),
+        (None, False),
+    ),
+)
+def test_should_use_simple_auth(settings_val, expected):
+    with override_settings(USE_SSO_AUTH=settings_val):
+        assert should_use_sso_auth() == expected

bedrock/base/tests/test_views.py

@@ -5,6 +5,7 @@
 import datetime
 from unittest.mock import patch
 
+from django.conf import settings
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now as tz_now
 
@@ -73,3 +74,8 @@ def test_get_contentful_sync_info(mock_timeago_format, mock_tz_now):
     # Also check the no-data context dict:
     ContentfulEntry.objects.all().delete()
     assert get_contentful_sync_info() == {}
+
+
+@pytest.mark.django_db
+def test_csrf_view_is_custom_one():
+    assert settings.CSRF_FAILURE_VIEW == "bedrock.base.views.csrf_failure"

bedrock/base/views.py

@@ -172,3 +172,7 @@ def server_error_view(request, template_name="500.html"):
 def page_not_found_view(request, exception=None, template_name="404.html"):
     """404 error handler that runs context processors."""
     return l10n_utils.render(request, template_name, ftl_files=["404", "500"], status=404)
+
+
+def csrf_failure(request, reason="CSRF failure", template_name="403_csrf.html"):
+    return render(request, template_name, status=403)

bedrock/cms/tests/test_auth.py

@@ -0,0 +1,171 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+from importlib import reload
+from unittest import mock
+
+from django.contrib.auth.models import User
+from django.test import TestCase, override_settings
+from django.urls import reverse
+
+
+class LoginTestBase(TestCase):
+    TEST_ADMIN_PASSWORD = "admin12345"
+
+    def setUp(self):
+        self.wagtail_login_url = reverse("wagtailadmin_login")
+        self.django_admin_login_url = reverse("admin:login")
+
+    def _create_admin(self):
+        # create an admin user
+        admin = User.objects.create_superuser(
+            username="admin",
+            email="[email protected]",
+            password=self.TEST_ADMIN_PASSWORD,
+        )
+        assert admin.is_active is True
+        assert admin.has_usable_password() is True
+        assert admin.check_password(self.TEST_ADMIN_PASSWORD) is True
+        assert admin.is_staff is True
+        assert admin.is_superuser is True
+
+        return admin
+
+
+class ConventionalLoginDeniedTest(LoginTestBase):
+    """Tests to show that the standard way to sign in to Wagtail and the Django
+    Admin just do not work (which is good, because everyone should use SSO
+    in production)"""
+
+    @override_settings(
+        WAGTAIL_ENABLE_ADMIN=True,
+        USE_SSO_AUTH=True,
+        AUTHENTICATION_BACKENDS=("mozilla_django_oidc.auth.OIDCAuthenticationBackend",),
+    )
+    def test_login_page_contains_no_form(self):
+        for url in (self.wagtail_login_url, self.django_admin_login_url):
+            with self.subTest(url=url):
+                response = self.client.get(url)
+                assert response.status_code == 200
+                # Check for the form field attrs that would normally be present
+                self.assertNotContains(response, b'name="username"')
+                self.assertNotContains(response, b'name="password"')
+                # No CSRF token == no go, anyway
+                self.assertNotContains(response, b"csrfmiddlewaretoken")
+                # Confirm SSO link
+                self.assertContains(response, b"Sign in with Mozilla SSO")
+
+    @override_settings(
+        WAGTAIL_ENABLE_ADMIN=True,
+        USE_SSO_AUTH=True,
+        AUTHENTICATION_BACKENDS=("mozilla_django_oidc.auth.OIDCAuthenticationBackend",),
+    )
+    def test_posting_to_login_denied(self):
+        admin = self._create_admin()
+
+        for url, error_message, expected_template in (
+            (
+                self.wagtail_login_url,
+                b"Your username and password didn't match.",
+                "wagtailadmin/login.html",
+            ),
+            (
+                self.django_admin_login_url,
+                b"Please enter the correct username and password for a staff account.",
+                "admin/login.html",
+            ),
+        ):
+            payload = {
+                "username": admin.username,
+                "password": self.TEST_ADMIN_PASSWORD,
+            }
+            with self.subTest(
+                url=url,
+                error_message=error_message,
+                expected_template=expected_template,
+            ):
+                response = self.client.post(url, data=payload, follow=True)
+                self.assertEqual(
+                    response.status_code,
+                    200,  # 200 is what comes back after the redirect
+                )
+                # Show that while we provided valid credentials, we still get
+                # treated as if they are not the correct ones.
+                self.assertContains(response, error_message)
+                self.assertContains(response, b"Sign in with Mozilla SSO")
+                self.assertTemplateUsed(response, expected_template)
+
+
+class AuthenticationBackendSelectionTests(TestCase):
+    # We have to force the USE_SSO_AUTH to True at the environment level
+    # then import the settings to trigger the appropriate if/else branch
+    # that sets the right auth backend.
+
+    @mock.patch.dict("os.environ", {"USE_SSO_AUTH": "True"})
+    def test_only_sso_backend_enabled_if_USE_SSO_AUTH_is_True(self):
+        from bedrock.settings import base as base_settings
+
+        reloaded_settings = reload(base_settings)
+
+        self.assertEqual(
+            reloaded_settings.AUTHENTICATION_BACKENDS,
+            ("mozilla_django_oidc.auth.OIDCAuthenticationBackend",),
+        )
+
+    @mock.patch.dict("os.environ", {"USE_SSO_AUTH": "False"})
+    def test_only_model_backend_enabled_if_USE_SSO_AUTH_is_False(self):
+        from bedrock.settings import base as base_settings
+
+        reloaded_settings = reload(base_settings)
+
+        self.assertEqual(
+            reloaded_settings.AUTHENTICATION_BACKENDS,
+            ("django.contrib.auth.backends.ModelBackend",),
+        )
+
+
+class ConventionalLoginAllowedTest(LoginTestBase):
+    """If certain settings are set in settings.local, regular
+    username + password sign-in functionality is restored
+    """
+
+    @override_settings(WAGTAIL_ENABLE_ADMIN=True, USE_SSO_AUTH=False)
+    def test_login_page_contains_form(self):
+        for url in (self.wagtail_login_url, self.django_admin_login_url):
+            with self.subTest(url=url):
+                response = self.client.get(url)
+                assert response.status_code == 200
+                # Check for the form field attrs that would normally be present
+                self.assertContains(response, b'name="username"', 1)
+                self.assertContains(response, b'name="password"', 1)
+                self.assertContains(response, b"csrfmiddlewaretoken", 1)
+                self.assertNotContains(response, b"Sign in with Mozilla SSO")
+
+    @override_settings(
+        AUTHENTICATION_BACKENDS=("django.contrib.auth.backends.ModelBackend",),
+        WAGTAIL_ENABLE_ADMIN=True,
+        USE_SSO_AUTH=False,
+    )
+    def test_posting_to_login_works_if_the_modelbackend_is_configured(self):
+        # Only relevant to local usage, but good to confirm
+        admin = self._create_admin()
+        for url, expected_template in (
+            (self.wagtail_login_url, "wagtailadmin/home.html"),
+            (
+                self.django_admin_login_url,
+                "wagtailadmin/home.html",
+                # That expected template is correct. Signing in to Django Admin
+                # redirects to Wagtail's Admin, because that's what
+                # LOGIN_REDIRECT_URL points to
+            ),
+        ):
+            payload = {
+                "username": admin.username,
+                "password": self.TEST_ADMIN_PASSWORD,
+            }
+            with self.subTest(url=url, expected_template=expected_template):
+                response = self.client.post(url, data=payload, follow=True)
+                self.assertEqual(response.status_code, 200)
+                self.assertNotContains(response, b"Sign in")
+                self.assertTemplateUsed(response, expected_template)