From 5407d35779768c3de5e86875646e4ca6a62e6fdc Mon Sep 17 00:00:00 2001
From: Aron Brown
Date: Sat, 30 Jul 2022 10:03:58 -0400
Subject: [PATCH 1/5] Update settings.py (#284)
Add CSRF_TRUSTED_ORIGINS Django config settings and set it to environment variable TA_HOST. This should fix login issues behind reverse proxies.
---
 tubearchivist/config/settings.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tubearchivist/config/settings.py b/tubearchivist/config/settings.py
index 569eed62..50c3b164 100644
--- a/tubearchivist/config/settings.py
+++ b/tubearchivist/config/settings.py
@@ -31,6 +31,7 @@ SECRET_KEY = PW_HASH.hexdigest()
 DEBUG = bool(environ.get("DJANGO_DEBUG"))
 ALLOWED_HOSTS = [i.strip() for i in environ.get("TA_HOST").split()]
+CSRF_TRUSTED_ORIGINS = [i.strip() for i in environ.get("TA_HOST").split()]
 # Application definition
From fd75def6c3c355eb5c9b957afa43f3817d6ec637 Mon Sep 17 00:00:00 2001
From: DanielBatteryStapler
Date: Sat, 30 Jul 2022 10:05:10 -0400
Subject: [PATCH 2/5] implement LDAP as authentication backend support (#274)
---
 Dockerfile | 2 +-
 README.md | 12 ++++++++++++
 docs/FAQ.md | 3 ---
 tubearchivist/config/settings.py | 29 +++++++++++++++++++++++++++++
 tubearchivist/requirements.txt | 1 +
 5 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0d09add1..071da0c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ FROM python:3.10.5-slim-bullseye AS builder
 ARG TARGETPLATFORM
 RUN apt-get update
-RUN apt-get install -y --no-install-recommends build-essential gcc
+RUN apt-get install -y --no-install-recommends build-essential gcc libldap2-dev libsasl2-dev libssl-dev
 # install requirements
 COPY ./tubearchivist/requirements.txt /requirements.txt
diff --git a/README.md b/README.md
index dd2c0142..1a65628f 100644
--- a/README.md
+++ b/README.md
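Review bot: `CSRF_TRUSTED_ORIGINS` is filled with the bare hostnames from TA_HOST, which is the format Django 3.2 accepts (the settings docs link further down in this file points at 3.2), but Django 4.0's system checks reject entries without a scheme such as `https://host`, so this line breaks on the next Django upgrade rather than silently continuing to work. Because the value is exactly ALLOWED_HOSTS, `CSRF_TRUSTED_ORIGINS = list(ALLOWED_HOSTS)` would avoid parsing TA_HOST twice and keep the two lists in step, with a comment such as `# bare hosts as in ALLOWED_HOSTS; Django 4.0+ expects scheme://host entries here`. Like the line above it, the new line raises AttributeError on `.split()` when TA_HOST is unset instead of a clear configuration error.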
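Review bot: The `libldap2-dev libsasl2-dev libssl-dev` headers are added only in the `builder` stage this hunk shows, where python-ldap (pulled in by the new django-auth-ldap requirement) gets compiled; the built extension still links against the libldap and libsasl2 shared libraries at runtime, so if the final image is a separate stage, as `AS builder` suggests (the rest of the Dockerfile is outside the hunk), that stage also needs the runtime packages (`libldap-2.4-2 libsasl2-2` on bullseye) or `import ldap` fails as soon as settings.py is loaded, even with TA_LDAP unset. A comment on the added line, `# headers for building python-ldap; the runtime libs belong in the final stage`, would keep the two stages in step.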
@@ -86,6 +86,18 @@ Should that not be an option, the Tube Archivist container takes these two addit
 Changing any of these two environment variables will change the files *nginx.conf* and *uwsgi.ini* at startup using `sed` in your container.
+## LDAP Authentication
+LDAP authentication is not yet available in *stable* builds but is implemented for *unstable*. It can be enabled and configured using the following environment variables:
+
+ - `TA_LDAP` (ex: `true`) Set to anything besides empty string to use LDAP authentication instead of local user authentication.
+ - `TA_LDAP_SERVER_URI` (ex: `ldap://ldap-server:389`) Set to the uri of your LDAP server.
+ - `TA_LDAP_BIND_DN` (ex: `uid=search-user,ou=users,dc=your-server`) DN of the user that is able to perform searches on your LDAP account.
+ - `TA_LDAP_BIND_PASSWORD` (ex: `yoursecretpassword`) Password for the search user.
+ - `TA_LDAP_USER_BASE` (ex: `ou=users,dc=your-server`) Search base for user filter.
+ - `TA_LDAP_USER_FILTER` (ex: `(objectClass=user)`) Filter for valid users. Login usernames are automatically matched using `uid` and does not need to be specified in this filter.
+
+When LDAP authentication is enabled django passwords (e.g. the password defined in TA_PASSWORD) will not allow you to login, only the LDAP server is used.
+
 ### Elasticsearch
 **Note**: Tube Archivist depends on Elasticsearch 8.
diff --git a/docs/FAQ.md b/docs/FAQ.md
index cec6a718..f3e4cc90 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -29,6 +29,3 @@ So Docker is the only supported installation method. If you don't have any exper
 ## 4. Finetuning Elasticsearch
 A minimal configuration of Elasticsearch (ES) is provided in the example docker-compose.yml file. ES is highly configurable and very interesting to learn more about. Refer to the [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html) if you want to get into it.
-
-## 5. Advanced Authentication
-If you like to use things like SSO, LDAP or 2FA to login, consider using something like Authelia as a reverse proxy so this project can focus on the core task. Tube Archivist has a *remember me* checkbox at login to extend your sessions lifetime in your browser.
diff --git a/tubearchivist/config/settings.py b/tubearchivist/config/settings.py
index 50c3b164..6a3f00a4 100644
--- a/tubearchivist/config/settings.py
+++ b/tubearchivist/config/settings.py
@@ -14,7 +14,9 @@ import hashlib
 from os import environ, path
 from pathlib import Path
+import ldap
 from corsheaders.defaults import default_headers
+from django_auth_ldap.config import LDAPSearch
 from home.src.ta.config import AppConfig
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
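Review bot: `import ldap` and `from django_auth_ldap.config import LDAPSearch` are unconditional, while everything that uses them sits under the `TA_LDAP` branch added to the same file further down, so settings.py now fails to import whenever python-ldap or its shared libraries are missing, even for deployments that never enable LDAP. The pinned `django-auth-ldap==4.1.0` in requirements.txt makes that an acceptable choice, but a comment such as `# hard dependency: python-ldap must import even when TA_LDAP is unset` would make it explicit, or the two imports could move inside the branch that uses them.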
@@ -84,6 +86,33 @@ TEMPLATES = [
 WSGI_APPLICATION = "config.wsgi.application"
+if bool(environ.get("TA_LDAP")):
+    global AUTH_LDAP_SERVER_URI
+    AUTH_LDAP_SERVER_URI = environ.get("TA_LDAP_SERVER_URI")
+
+    global AUTH_LDAP_BIND_DN
+    AUTH_LDAP_BIND_DN = environ.get("TA_LDAP_BIND_DN")
+
+    global AUTH_LDAP_BIND_PASSWORD
+    AUTH_LDAP_BIND_PASSWORD = environ.get("TA_LDAP_BIND_PASSWORD")
+
+    global AUTH_LDAP_USER_SEARCH
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        environ.get("TA_LDAP_USER_BASE"),
+        ldap.SCOPE_SUBTREE,
+        "(&(uid=%(user)s)" + environ.get("TA_LDAP_USER_FILTER") + ")",
+    )
+
+    global AUTH_LDAP_USER_ATTR_MAP
+    AUTH_LDAP_USER_ATTR_MAP = {
+        "username": "uid",
+        "first_name": "givenName",
+        "last_name": "sn",
+        "email": "mail",
+    }
+
+    global AUTHENTICATION_BACKENDS
+    AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",)
 # Database
 # https://docs.djangoproject.com/en/3.2/ref/settings/#databases
diff --git a/tubearchivist/requirements.txt b/tubearchivist/requirements.txt
index b07e8e46..ca8bc1d8 100644
--- a/tubearchivist/requirements.txt
+++ b/tubearchivist/requirements.txt
@@ -10,3 +10,4 @@ ryd-client==0.0.3
 uWSGI==2.0.20
 whitenoise==6.2.0
 yt_dlp==2022.7.18
+django-auth-ldap==4.1.0
From 36d0f08efbb52b99fa7f97dfdceff3e1bffb28f9 Mon Sep 17 00:00:00 2001
From: simon
Date: Thu, 28 Jul 2022 16:03:32 +0700
Subject: [PATCH 3/5] add FUNDING.yml
---
 .github/FUNDING.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .github/FUNDING.yml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..6248d85f
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,5 @@
+github: bbilly1
+ko_fi: bbilly1
+patreon: octocat
+tidelift: npm/octo-package
+custom: https://paypal.me/bbilly1
\ No newline at end of file
From 07f50b66194ee66aed94f6790d555db217924771 Mon Sep 17 00:00:00 2001
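Review bot: `"(&(uid=%(user)s)" + environ.get("TA_LDAP_USER_FILTER") + ")"` raises TypeError at import time when TA_LDAP_USER_FILTER is unset, so a partly configured LDAP setup takes the whole application down instead of reporting the missing setting; `environ.get("TA_LDAP_USER_FILTER", "")` (a single component still gives a valid `(&(uid=...))` filter) or an explicit check with a clear error is needed, and the other `environ.get` calls in the block likewise yield `None` that only surfaces later, at login. The `global` statements are no-ops at module scope in settings.py and should be dropped. `bool(environ.get("TA_LDAP"))` enables LDAP for any non-empty value, including `false` or `0`, which matches the README wording but is an easy misconfiguration to make. With the README's `ldap://` example the bind password and every user's password travel in clear text unless the operator uses `ldaps://` or sets `AUTH_LDAP_START_TLS = True`, so a comment on `AUTH_LDAP_SERVER_URI` such as `# use ldaps:// or AUTH_LDAP_START_TLS; bind and user credentials are sent to this server` is worth adding. The `%(user)s` placeholder is escaped by django-auth-ldap before substitution whereas TA_LDAP_USER_FILTER is inserted verbatim, which is fine for operator-owned configuration but deserves a one-line comment saying so.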
From: simon
Date: Sat, 30 Jul 2022 21:13:13 +0700
Subject: [PATCH 4/5] LDAP support, #build
Changed:
- configure LDAP over environment variables
- fix reverse proxy CSRF error
---
 tubearchivist/config/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tubearchivist/config/settings.py b/tubearchivist/config/settings.py
index 6a3f00a4..50bea8d6 100644
--- a/tubearchivist/config/settings.py
+++ b/tubearchivist/config/settings.py
@@ -193,4 +193,4 @@ CORS_ALLOW_HEADERS = list(default_headers) + [
 # TA application settings
 TA_UPSTREAM = "https://github.com/tubearchivist/tubearchivist"
-TA_VERSION = "v0.2.0"
+TA_VERSION = "v0.2.1-unstable"
From 13018192f327f18e17ac1cf7c1d05afc6a6c76f9 Mon Sep 17 00:00:00 2001
From: simon
Date: Sat, 30 Jul 2022 21:17:12 +0700
Subject: [PATCH 5/5] remove default funding sources
---
 .github/FUNDING.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index 6248d85f..de69a854 100644
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,5 +1,3 @@
 github: bbilly1
 ko_fi: bbilly1
-patreon: octocat
-tidelift: npm/octo-package
 custom: https://paypal.me/bbilly1
\ No newline at end of file