diff --git a/backend/core/startup.py b/backend/core/startup.py
index f44595f10..6d761413e 100644
--- a/backend/core/startup.py
+++ b/backend/core/startup.py
@@ -1,12 +1,12 @@
-from django.apps import AppConfig
-from django.db.models.signals import post_migrate
 import os
-from ciso_assistant.settings import CISO_ASSISTANT_SUPERUSER_EMAIL
+from django.apps import AppConfig
 from django.core.management import call_command
-
+from django.db.models.signals import post_migrate
 from structlog import get_logger
+from ciso_assistant.settings import CISO_ASSISTANT_SUPERUSER_EMAIL
+
 logger = get_logger(__name__)
 READER_PERMISSIONS_LIST = [
@@ -271,9 +271,8 @@ def startup(sender: AppConfig, **kwargs):
 Create superuser if CISO_ASSISTANT_SUPERUSER_EMAIL defined
 """
 from django.contrib.auth.models import Permission
- from allauth.socialaccount.providers.saml.provider import SAMLProvider
+
 from iam.models import Folder, Role, RoleAssignment, User, UserGroup
- from global_settings.models import GlobalSettings
 print("startup handler: initialize database")
@@ -373,53 +372,6 @@ def startup(sender: AppConfig, **kwargs):
 except Exception as e:
 print(e) # NOTE: Add this exception in the logger
- default_attribute_mapping = SAMLProvider.default_attribute_mapping
-
- settings = {
- "attribute_mapping": {
- "uid": default_attribute_mapping["uid"],
- "email_verified": default_attribute_mapping["email_verified"],
- "email": default_attribute_mapping["email"],
- },
- "idp": {
- "entity_id": "",
- "metadata_url": "",
- "sso_url": "",
- "slo_url": "",
- "x509cert": "",
- },
- "sp": {
- "entity_id": "ciso-assistant",
- },
- "advanced": {
- "allow_repeat_attribute_name": True,
- "allow_single_label_domains": False,
- "authn_request_signed": False,
- "digest_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
- "logout_request_signed": False,
- "logout_response_signed": False,
- "metadata_signed": False,
- "name_id_encrypted": False,
- "reject_deprecated_algorithm": True,
- "reject_idp_initiated_sso": True,
- "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
- "want_assertion_encrypted": False,
- "want_assertion_signed": False,
- "want_attribute_statement": True,
- "want_message_signed": False,
- "want_name_id": False,
- "want_name_id_encrypted": False,
- },
- }
-
- if not GlobalSettings.objects.filter(name=GlobalSettings.Names.SSO).exists():
- logger.info("SSO settings not found, creating default settings")
- sso_settings = GlobalSettings.objects.create(
- name=GlobalSettings.Names.SSO,
- value={"client_id": "0", "settings": settings},
- )
- logger.info("SSO settings created", settings=sso_settings.value)
 call_command("storelibraries")
diff --git a/backend/iam/sso/models.py b/backend/iam/sso/models.py
index c63d73713..1602b80ae 100644
--- a/backend/iam/sso/models.py
+++ b/backend/iam/sso/models.py
@@ -1,10 +1,14 @@
-from django.db import models
-from django.utils.translation import gettext_lazy as _
+import structlog
+from allauth.socialaccount.models import providers
 from django.core.exceptions import ObjectDoesNotExist
+from django.db import models
 from django.db.models.query import QuerySet
+from django.utils.translation import gettext_lazy as _
-from allauth.socialaccount.models import providers
 from global_settings.models import GlobalSettings
+from iam.sso.saml.defaults import DEFAULT_SAML_SETTINGS
+
+logger = structlog.get_logger(__name__)
 class SSOSettingsQuerySet(QuerySet):
@@ -15,27 +19,35 @@ def __init__(self, model=None, query=None, using=None, hints=None):
 def _fetch_all(self):
 if self._result_cache is None:
- try:
+ if not GlobalSettings.objects.filter(
+ name=GlobalSettings.Names.SSO
+ ).exists():
+ logger.info("SSO settings not found, creating default settings")
+ _settings = GlobalSettings.objects.create(
+ name=GlobalSettings.Names.SSO,
+ value={"client_id": "0", "settings": DEFAULT_SAML_SETTINGS},
+ )
+ logger.info("SSO settings created", settings=_settings.value)
+ else:
 _settings = GlobalSettings.objects.get(name=GlobalSettings.Names.SSO)
- self._result_cache = [
- SSOSettings(
- id=_settings.id,
- name=_settings.name,
- created_at=_settings.created_at,
- updated_at=_settings.updated_at,
- is_published=_settings.is_published,
- is_enabled=_settings.value.get("is_enabled"),
- provider=_settings.value.get("provider"),
- client_id=_settings.value.get("client_id"),
- provider_id=_settings.value.get("provider_id"),
- provider_name=_settings.value.get("name"),
- secret=_settings.value.get("secret"),
- key=_settings.value.get("key"),
- settings=_settings.value.get("settings"),
- )
- ]
- except ObjectDoesNotExist:
- self._result_cache = []
+
+ self._result_cache = [
+ SSOSettings(
+ id=_settings.id,
+ name=_settings.name,
+ created_at=_settings.created_at,
+ updated_at=_settings.updated_at,
+ is_published=_settings.is_published,
+ is_enabled=_settings.value.get("is_enabled"),
+ provider=_settings.value.get("provider"),
+ client_id=_settings.value.get("client_id"),
+ provider_id=_settings.value.get("provider_id"),
+ provider_name=_settings.value.get("name"),
+ secret=_settings.value.get("secret"),
+ key=_settings.value.get("key"),
+ settings=_settings.value.get("settings"),
+ )
+ ]
 def iterator(self):
 self._fetch_all()
diff --git a/backend/iam/sso/saml/defaults.py b/backend/iam/sso/saml/defaults.py
new file mode 100644
index 000000000..d2ec799f2
--- /dev/null
+++ b/backend/iam/sso/saml/defaults.py
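Review bot: The `exists()` check followed by `create()` in `_fetch_all` is not atomic, so two concurrent first reads (for example two login-page requests right after a fresh deploy) can both see no row and both insert, after which `objects.get(name=GlobalSettings.Names.SSO)` in the `else` branch raises `MultipleObjectsReturned` — or the second insert fails with `IntegrityError` if `name` carries a unique constraint, which I cannot see from here. `GlobalSettings.objects.get_or_create(name=GlobalSettings.Names.SSO, defaults={...})` replaces both branches and, given a unique constraint, recovers from the lost race instead of surfacing it to the caller. Two smaller points: the created row stores `DEFAULT_SAML_SETTINGS` by reference, so `SSOSettings.settings` on that first read is the module-level dict itself and any in-place edit would persist for the life of the process (pass `copy.deepcopy(DEFAULT_SAML_SETTINGS)`), and with the `except ObjectDoesNotExist` branch gone that import in the header hunk looks dead. This also turns a plain read (`_fetch_all`) into a path that writes, which matters for any caller running without a write transaction or against a replica. `iterator` continues past the hunk.
```python
def _fetch_all(self):
    if self._result_cache is None:
        # Single get-or-insert so concurrent first reads cannot both create a row.
        _settings, created = GlobalSettings.objects.get_or_create(
            name=GlobalSettings.Names.SSO,
            defaults={
                "value": {
                    "client_id": "0",
                    # deep copy: never hand the module-level default dict out by reference
                    "settings": copy.deepcopy(DEFAULT_SAML_SETTINGS),
                }
            },
        )
        if created:
            logger.info("SSO settings created", settings=_settings.value)
        # … unchanged: build self._result_cache from _settings …
```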
@@ -0,0 +1,41 @@
+from allauth.socialaccount.providers.saml.provider import SAMLProvider
+
+
+DEFAULT_SAML_ATTRIBUTE_MAPPING = SAMLProvider.default_attribute_mapping
+
+DEFAULT_SAML_SETTINGS = {
+ "attribute_mapping": {
+ "uid": DEFAULT_SAML_ATTRIBUTE_MAPPING["uid"],
+ "email_verified": DEFAULT_SAML_ATTRIBUTE_MAPPING["email_verified"],
+ "email": DEFAULT_SAML_ATTRIBUTE_MAPPING["email"],
+ },
+ "idp": {
+ "entity_id": "",
+ "metadata_url": "",
+ "sso_url": "",
+ "slo_url": "",
+ "x509cert": "",
+ },
+ "sp": {
+ "entity_id": "ciso-assistant",
+ },
+ "advanced": {
+ "allow_repeat_attribute_name": True,
+ "allow_single_label_domains": False,
+ "authn_request_signed": False,
+ "digest_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+ "logout_request_signed": False,
+ "logout_response_signed": False,
+ "metadata_signed": False,
+ "name_id_encrypted": False,
+ "reject_deprecated_algorithm": True,
+ "reject_idp_initiated_sso": True,
+ "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+ "want_assertion_encrypted": False,
+ "want_assertion_signed": False,
+ "want_attribute_statement": True,
+ "want_message_signed": False,
+ "want_name_id": False,
+ "want_name_id_encrypted": False,
+ },
+}
diff --git a/backend/serdes/views.py b/backend/serdes/views.py
index 926d5ebcc..9d99a2ee1 100644
--- a/backend/serdes/views.py
+++ b/backend/serdes/views.py
@@ -3,7 +3,6 @@
 import sys
 from datetime import datetime
-from ciso_assistant.settings import VERSION
 from django.core import management
 from django.core.management.commands import dumpdata, loaddata
 from django.http import HttpResponse
@@ -12,6 +11,7 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from ciso_assistant.settings import VERSION
 from serdes.serializers import LoadBackupSerializer
@@ -66,6 +66,7 @@ def post(self, request, *args, **kwargs):
 "contenttypes",
 "auth.permission",
 "sessions.session",
+ "iam.ssosettings",
 "knox.authtoken",
 ],
 )
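Review bot: `defaults.py` ships the SAML security posture for every fresh install (`want_assertion_signed`, `want_message_signed`, `authn_request_signed` and `metadata_signed` all `False`, with only `reject_idp_initiated_sso` and `reject_deprecated_algorithm` enabled) without a docstring or comment saying these are seed values an operator is expected to tighten once the IdP's signing behaviour is known. I would add a module docstring stating that `DEFAULT_SAML_SETTINGS` is the dict written into `GlobalSettings` when no SSO row exists, that the empty strings in the `idp` block mean "not yet configured", and that the `advanced` flags are the permissive baseline (they presumably map onto the underlying SAML library's signature-requirement options — confirm against allauth before documenting the exact semantics). A one-line `# NOTE: signature requirements are off by default; raise want_assertion_signed/want_message_signed once the IdP's signing is known` above `"advanced": {` would make the trade-off visible at the point where someone copies these values. The dict is also a plain mutable module-level object shared by every importer, so if it is ever handed out by reference an in-place edit changes the defaults for the rest of the process; consider `copy.deepcopy` at the use sites or exposing it through a small factory function.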
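Review bot: Adding `"iam.ssosettings"` to this exclude list does not keep the SSO configuration, including the `secret` and `key` values, out of the export if that is the intent: the models change in this same diff materialises `SSOSettings` from `GlobalSettings.objects.get(name=GlobalSettings.Names.SSO)`, so the same data lives in the `global_settings` table and nothing here excludes that model (presumably `global_settings.globalsettings`). I read this list as the `exclude` argument of `dumpdata` from its `sessions.session` and `knox.authtoken` neighbours, but the call that owns it starts before the hunk, so please confirm. If the goal is only to stop `dumpdata` from iterating the custom `SSOSettingsQuerySet`, a comment such as `# iam.ssosettings is a view over global_settings; the underlying row (incl. secret/key) is still exported` on the new line records that; if the goal is to redact credentials from backups, the exclusion or a post-dump scrub of `value["secret"]`/`value["key"]` has to target the GlobalSettings row instead. The enclosing `post` method starts and ends outside the hunk.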