fix(auth): Missing JWT plugin activation upgrade
Because token generation has been moved into `updateCredentials(...)` [we need an upgrade step](#1303 (comment)) that enables the JWT token plugin for that PAS plugin interface on existing installations in order for authentication to work as before. Also fixes existing plugins outside of a Plone portal that have been configured to use the keyring. I tested this locally by: 1. erasing my local data (ZODB) 2. checking out `master` in the `plone/volto` repo 3. running buildout, including `plonesite` in the API to re-create the portal 4. adding a test user in the Plone portal through the Volto UI 5. adding `mr.developer` sources and checkouts in the API buildout 6. disabling `plonesite` in the API buildout 7. running buildout to update the code to the PR branches 8. testing all the upgrade error conditions around login/logout 9. running the `v0006 -> v0007` upgrade step for `plone.restapi:default` 10. confirming all the upgrade error conditions around login/logout have been resolved. Note that this doesn't address the issue of [existing Zope root `/acl_users/` cookie login set up](#1304 (comment)).
1 parent
e04a4c9
commit ba3561d
Showing
7 changed files
with
116 additions
and
23 deletions.
@@ -0,0 +1,32 @@ | ||
""" | ||
A JWT token authentication plugin for PluggableAuthService. | ||
""" | ||
|
||
from Products.CMFCore.utils import getToolByName | ||
from Products.CMFPlone import interfaces as plone_ifaces | ||
from Products import PluggableAuthService # noqa, Ensure PAS patch in place | ||
from Products.PluggableAuthService.interfaces import authservice as authservice_ifaces | ||
|
||
import Acquisition | ||
|
||
|
||
def iter_ancestor_pas(context): | ||
""" | ||
Walk up the ZODB OFS returning Pluggableauthservice `./acl_users/` for each level. | ||
""" | ||
uf_parent = Acquisition.aq_inner(context) | ||
while True: | ||
is_plone_site = plone_ifaces.IPloneSiteRoot.providedBy(uf_parent) | ||
uf = getToolByName(uf_parent, "acl_users", default=None) | ||
|
||
# Skip ancestor contexts to which we don't/can't apply | ||
if uf is None or not authservice_ifaces.IPluggableAuthService.providedBy(uf): | ||
uf_parent = Acquisition.aq_parent(uf_parent) | ||
continue | ||
|
||
yield uf, is_plone_site | ||
|
||
# Go up one more level | ||
if uf_parent is uf_parent.getPhysicalRoot(): | ||
break | ||
uf_parent = Acquisition.aq_parent(uf_parent) |
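Review bot: The skip branch at the `if uf is None or not ...providedBy(uf)` check advances with `aq_parent` and `continue` without the physical-root test that only guards the yield path, so when the Zope root's `acl_users` is missing or is not a PluggableAuthService the walk steps past the root: `aq_parent(root)` gives `None`, `getToolByName(None, "acl_users", default=None)` keeps returning `None`, and the `while True` loop never terminates. Folding the root check into a single loop tail fixes this and reads more simply. Note also that `getToolByName` acquires, so an intermediate folder without its own `acl_users` appears to yield the ancestor's PAS, which is then yielded again when the walk reaches that ancestor; either de-duplicate by identity here or document that callers must be idempotent, e.g. `Callers may see the same PAS more than once (acquired via an intermediate container); they must tolerate repeats.`
```python
    uf_parent = Acquisition.aq_inner(context)
    while uf_parent is not None:
        is_plone_site = plone_ifaces.IPloneSiteRoot.providedBy(uf_parent)
        uf = getToolByName(uf_parent, "acl_users", default=None)
        # Only yield contexts that actually hold a PAS; always stop at the root
        if uf is not None and authservice_ifaces.IPluggableAuthService.providedBy(uf):
            yield uf, is_plone_site
        if uf_parent is uf_parent.getPhysicalRoot():
            break
        uf_parent = Acquisition.aq_parent(uf_parent)
```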
@@ -1,4 +1,4 @@ | ||
<?xml version="1.0"?> | ||
<metadata> | ||
<version>0006</version> | ||
<version>0007</version> | ||
</metadata> |
@@ -0,0 +1,39 @@ | ||
""" | ||
GenericSetup profile upgrades from version 0006 to 0007. | ||
""" | ||
|
||
from plone.restapi import pas | ||
from plone.restapi.pas import plugin | ||
from Products.CMFCore.utils import getToolByName | ||
from Products.PluggableAuthService.interfaces import plugins as plugins_ifaces | ||
|
||
import logging | ||
|
||
logger = logging.getLogger(__name__) | ||
|
||
|
||
def enable_new_pas_plugin_interfaces(context): | ||
""" | ||
Enable new PAS plugin interfaces. | ||
After correcting/completing the PAS plugin interfaces, those interfaces need to be | ||
enabled for existing functionality to continue working. | ||
""" | ||
portal = getToolByName(context, "portal_url").getPortalObject() | ||
for uf, is_plone_site in pas.iter_ancestor_pas(portal): | ||
for jwt_plugin in uf.objectValues(plugin.JWTAuthenticationPlugin.meta_type): | ||
for new_iface in ( | ||
plugins_ifaces.ICredentialsUpdatePlugin, | ||
plugins_ifaces.ICredentialsResetPlugin, | ||
): | ||
active_plugin_ids = [ | ||
active_plugin_id for active_plugin_id, _ in | ||
uf.plugins.listPlugins(new_iface) | ||
] | ||
if jwt_plugin.id not in active_plugin_ids: | ||
logger.info( | ||
"Activating PAS interface %s: %s", | ||
new_iface.__name__, | ||
"/".join(jwt_plugin.getPhysicalPath()) | ||
) | ||
uf.plugins.activatePlugin(new_iface, jwt_plugin.id) |
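Review bot: The `for uf, is_plone_site in pas.iter_ancestor_pas(portal)` loop discards `is_plone_site`, so the step activates `ICredentialsUpdatePlugin` and `ICredentialsResetPlugin` on JWT plugins in every ancestor PAS, including the Zope root `acl_users`; because the commit moves token issuance into `updateCredentials`, this also turns on JWT minting for root-level logins, which the description presents as intended but the code does not say. Rename the unused variable to `_` and state the intent in the docstring, e.g. `Applies to every ancestor PAS, including the Zope root acl_users, so JWT plugins configured outside the Plone site keep issuing tokens on login (see #1303).` Since `iter_ancestor_pas` may visit the same PAS more than once via acquisition, the `jwt_plugin.id not in active_plugin_ids` check is what makes this idempotent; a one-line comment such as `# Membership check keeps this idempotent if the same PAS is yielded twice` would stop a later edit from dropping it. The `active_plugin_ids` list could also be built once per `new_iface` outside the `jwt_plugin` loop, provided it is refreshed after each `activatePlugin` call.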