diff options
-rw-r--r-- | takahe/settings.py | 153 | ||||
-rw-r--r-- | takahe/urls.py | 6 |
2 files changed, 131 insertions, 28 deletions
diff --git a/takahe/settings.py b/takahe/settings.py index d284e0e..02f91dd 100644 --- a/takahe/settings.py +++ b/takahe/settings.py @@ -12,9 +12,12 @@ import sentry_sdk from pydantic import AnyUrl, BaseSettings, EmailStr, Field, validator from sentry_sdk.integrations.django import DjangoIntegration -from takahe import __version__ +from takahe.takahe import __version__ -BASE_DIR = Path(__file__).resolve().parent.parent +import saml2 +from saml2.saml import NAMEID_FORMAT_PERSISTENT + +BASE_DIR = '/srv/takahe' class CacheBackendUrl(AnyUrl): @@ -59,10 +62,10 @@ class Settings(BaseSettings): #: The currently running environment, used for things such as sentry #: error reporting. - ENVIRONMENT: Environments = "development" + ENVIRONMENT: Environments = "production" #: Should django run in debug mode? - DEBUG: bool = False + DEBUG: bool = True #: Set a secret key used for signing values such as sessions. Randomized #: by default, so you'll logout everytime the process restarts. @@ -99,7 +102,7 @@ class Settings(BaseSettings): ERROR_EMAILS: list[EmailStr] | None = None MEDIA_URL: str = "/media/" - MEDIA_ROOT: str = str(BASE_DIR / "media") + MEDIA_ROOT: str = os.path.join(BASE_DIR, "media") MEDIA_BACKEND: MediaBackendUrl | None = None #: Maximum filesize when uploading images. Increasing this may increase memory utilization @@ -147,7 +150,7 @@ class Settings(BaseSettings): class Config: env_prefix = "TAKAHE_" - env_file = str(BASE_DIR / TAKAHE_ENV_FILE) + env_file = '/etc/sysconfig/takahe' env_file_encoding = "utf-8" # Case sensitivity doesn't work on Windows, so might as well be # consistent from the get-go. @@ -179,16 +182,17 @@ INSTALLED_APPS = [ "django.contrib.staticfiles", "django_htmx", "corsheaders", - "core", - "activities", - "api", - "mediaproxy", - "stator", - "users", + "takahe.core", + "takahe.activities", + "takahe.api", + "takahe.mediaproxy", + "takahe.stator", + "takahe.users", + "djangosaml2", ] MIDDLEWARE = [ - "core.middleware.SentryTaggingMiddleware", + "takahe.core.middleware.SentryTaggingMiddleware", "django.middleware.security.SecurityMiddleware", "corsheaders.middleware.CorsMiddleware", "whitenoise.middleware.WhiteNoiseMiddleware", @@ -199,19 +203,20 @@ MIDDLEWARE = [ "django.contrib.messages.middleware.MessageMiddleware", "django.middleware.clickjacking.XFrameOptionsMiddleware", "django_htmx.middleware.HtmxMiddleware", - "core.middleware.HeadersMiddleware", - "core.middleware.ConfigLoadingMiddleware", - "api.middleware.ApiTokenMiddleware", - "users.middleware.IdentityMiddleware", - "activities.middleware.EmojiDefaultsLoadingMiddleware", + "takahe.core.middleware.HeadersMiddleware", + "takahe.core.middleware.ConfigLoadingMiddleware", + "takahe.api.middleware.ApiTokenMiddleware", + "takahe.users.middleware.IdentityMiddleware", + "takahe.activities.middleware.EmojiDefaultsLoadingMiddleware", + "djangosaml2.middleware.SamlSessionMiddleware", ] -ROOT_URLCONF = "takahe.urls" +ROOT_URLCONF = "takahe.takahe.urls" TEMPLATES = [ { "BACKEND": "django.template.backends.django.DjangoTemplates", - "DIRS": [BASE_DIR / "templates"], + "DIRS": [os.path.join(BASE_DIR, "templates")], "APP_DIRS": True, "OPTIONS": { "context_processors": [ @@ -219,13 +224,13 @@ TEMPLATES = [ "django.template.context_processors.request", "django.contrib.auth.context_processors.auth", "django.contrib.messages.context_processors.messages", - "core.context.config_context", + "takahe.core.context.config_context", ], }, }, ] -WSGI_APPLICATION = "takahe.wsgi.application" +WSGI_APPLICATION = "takahe.takahe.wsgi.application" if SETUP.DATABASE_SERVER: DATABASES = { @@ -272,7 +277,7 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField" AUTH_USER_MODEL = "users.User" -LOGIN_URL = "/auth/login/" +LOGIN_URL = "/saml2/login/" LOGOUT_URL = "/auth/logout/" LOGIN_REDIRECT_URL = "/" LOGOUT_REDIRECT_URL = "/" @@ -282,7 +287,7 @@ STATICFILES_FINDERS = [ "django.contrib.staticfiles.finders.AppDirectoriesFinder", ] -STATICFILES_DIRS = [BASE_DIR / "static"] +STATICFILES_DIRS = [os.path.join(BASE_DIR, "static")] STATICFILES_STORAGE = "django.contrib.staticfiles.storage.ManifestStaticFilesStorage" @@ -290,7 +295,7 @@ SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies" WHITENOISE_MAX_AGE = 3600 -STATIC_ROOT = BASE_DIR / "static-collected" +STATIC_ROOT = os.path.join(BASE_DIR, "static-collected") ALLOWED_HOSTS = SETUP.ALLOWED_HOSTS @@ -355,14 +360,14 @@ if SETUP.MEDIA_BACKEND: parsed = urllib.parse.urlparse(SETUP.MEDIA_BACKEND) query = urllib.parse.parse_qs(parsed.query) if parsed.scheme == "gs": - DEFAULT_FILE_STORAGE = "core.uploads.TakaheGoogleCloudStorage" + DEFAULT_FILE_STORAGE = "takahe.core.uploads.TakaheGoogleCloudStorage" GS_BUCKET_NAME = parsed.path.lstrip("/") GS_QUERYSTRING_AUTH = False if parsed.hostname is not None: port = parsed.port or 443 GS_CUSTOM_ENDPOINT = f"https://{parsed.hostname}:{port}" elif parsed.scheme == "s3": - DEFAULT_FILE_STORAGE = "core.uploads.TakaheS3Storage" + DEFAULT_FILE_STORAGE = "takahe.core.uploads.TakaheS3Storage" AWS_STORAGE_BUCKET_NAME = parsed.path.lstrip("/") AWS_QUERYSTRING_AUTH = False AWS_DEFAULT_ACL = "public-read" @@ -393,3 +398,97 @@ TAKAHE_USER_AGENT = ( f"python-httpx/{httpx.__version__} " f"(Takahe/{__version__}; +https://{SETUP.MAIN_DOMAIN}/)" ) + +AUTHENTICATION_BACKENDS = ( + 'django.contrib.auth.backends.ModelBackend', + 'djangosaml2.backends.Saml2Backend', +) + +SAML_SESSION_COOKIE_NAME = 'takahe_test_session' +SESSION_COOKIE_SECURE = False +SESSION_EXPIRE_AT_BROWSER_CLOSE = True +SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'email' + +SAML_ATTRIBUTE_MAPPING = { + 'email': ('email', ), +} + +SAML_CONFIG = { + # full path to the xmlsec1 binary programm + 'xmlsec_binary': '/usr/bin/xmlsec1', + + # your entity id, usually your subdomain plus the url to the metadata view + 'entityid': 'https://__REPLACE_ME__/saml2/metadata/', + + 'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'), + + 'allow_unknown_attributes': False, + + 'service': { + 'sp' : { + 'name': 'Federated Takahe sample SP', + 'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT, + + 'endpoints': { + 'assertion_consumer_service': [ + ('https://__REPLACE_ME__/saml2/acs/', + saml2.BINDING_HTTP_POST), + ], + 'single_logout_service': [ + ('https://__REPLACE_ME__/saml2/ls/', + saml2.BINDING_HTTP_REDIRECT), + ('https://__REPLACE_ME__/saml2/ls/post', + saml2.BINDING_HTTP_POST), + ], + }, + + 'signing_algorithm': saml2.xmldsig.SIG_RSA_SHA256, + 'digest_algorithm': saml2.xmldsig.DIGEST_SHA256, + + 'force_authn': False, + + 'name_id_format_allow_create': False, + + 'required_attributes': ['uid', + 'email'], + + 'want_response_signed': True, + 'authn_requests_signed': True, + 'logout_requests_signed': True, + 'want_assertions_signed': True, + + 'only_use_keys_in_metadata': True, + + 'allow_unsolicited': False, + + 'metadata': { +# in production, use local file +# 'local': [os.path.join(BASE_DIR, 'remote_metadata.xml')], + 'remote': [{"url": "https://libsso.net/realms/LibertaCasa/protocol/saml/descriptor"},], + }, + + 'debug': 1, + + 'key_file': '__REPLACE_ME__', # private part + 'cert_file': '__REPLACE_ME__', # public part + + # Encryption +# 'encryption_keypairs': [{ +# 'key_file': '__REPLACE_ME__', # private part +# 'cert_file': '__REPLACE_ME__', # public part +# }], +} + +LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'handlers': { + 'console': { + 'class': 'logging.StreamHandler', + }, + }, + 'root': { + 'handlers': ['console'], + 'level': 'DEBUG', + }, +} diff --git a/takahe/urls.py b/takahe/urls.py index d3572a9..ea205c5 100644 --- a/takahe/urls.py +++ b/takahe/urls.py @@ -9,6 +9,9 @@ from mediaproxy import views as mediaproxy from stator import views as stator from users.views import activitypub, admin, auth, identity, report, settings +from django.conf.urls import include +from django.views.generic.base import RedirectView + urlpatterns = [ path("", core.homepage), path("manifest.json", core.AppManifest.as_view()), @@ -174,7 +177,7 @@ urlpatterns = [ path("@<handle>/posts/<int:post_id>/report/", report.SubmitReport.as_view()), path("@<handle>/posts/<int:post_id>/edit/", compose.Compose.as_view()), # Authentication - path("auth/login/", auth.Login.as_view(), name="login"), + path("auth/login/", RedirectView.as_view(url='/saml2/login', permanent=False), name='login'), path("auth/logout/", auth.Logout.as_view(), name="logout"), path("auth/signup/", auth.Signup.as_view(), name="signup"), path("auth/reset/", auth.TriggerReset.as_view(), name="trigger_reset"), @@ -248,4 +251,5 @@ urlpatterns = [ core.custom_static_serve, kwargs={"document_root": djsettings.MEDIA_ROOT}, ), + path('saml2/', include('djangosaml2.urls')), ] |