Extended SSO implementation in the CREST branch #268

Open
Maarten28 opened this issue Dec 23, 2016 · 10 comments

@Maarten28
Contributor

Maarten28 commented Dec 23, 2016

In the CREST branch another update has been put:

  • Login and registration ability through SSO (without harming current users) --> it creates a new user account in Django to which the SSO token is added
  • The ability to limit new SSO users by corp and char name
  • The ability to run a task which will deactivate every account every 1 hour if they are not in the before mentioned list --> if a current user has a valid SSO user added, they won't be disabled
  • Settings for SSO have been put in the UI, including the before mentioned access list
  • Being able to add a default group to people who are registering through SSO

Please help with testing and report any issues.

@EvilGrinUK

I had to clear out the API_ssoaccesslist table in the database, otherwise the celery job for update_char_location broke as data it was expecting was missing:

[2016-12-24 18:57:36,973: ERROR/MainProcess] Task API.tasks.update_char_location[1d8452a7-63e9-4c9f-8be1-ccfcf8041fce] raised unexpected: AttributeError("'NoneType' object has no attribute 'access_token'",)
Traceback (most recent call last):
  File "/home/maptool/eve-wspace/local/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/home/maptool/eve-wspace/local/lib/python2.7/site-packages/celery/app/trace.py", line 438, in __protected_call__
    return self.run(*args, **kwargs)
  File "/home/maptool/eve-wspace/evewspace/API/tasks.py", line 52, in update_char_location
    response = esi_access_data(token,url)
  File "/home/maptool/eve-wspace/evewspace/API/utils.py", line 122, in esi_access_data
    authorization = token.access_token
AttributeError: 'NoneType' object has no attribute 'access_token'

Additionally I turned on the SSO login and deleted the user account I was using for testing. When I try and sign up with the account via SSO I get a 403 forbidden error.

@Maarten28
Contributor Author

The first is odd and I do not actually know what could cause it. The only change I made there is that a few columns can now be blank/nullable.

Your second point is due to no access list having been set up. You need to add the char or corp to the access list in the SSO settings.

@EvilGrinUK

I'll blame the database issue on switching git branches.

I added my corp to the access list and I got this error on first login after the CCP signon page:

Environment:


Request Method: GET
Request URL: http://penguin-wspace.duckdns.org/api/sso/login/?code=tyVQaOcjfaI2ZuUpbutll6ZQ9ARsRNNCA8fOROHCMR5FL_INrb3KqJNjPXZbdViA0&state=login

Django Version: 1.8.15
Python Version: 2.7.12
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django.contrib.humanize',
 'core',
 'account',
 'search',
 'Map',
 'POS',
 'SiteTracker',
 'API',
 'Alerts',
 'Jabber',
 'Slack',
 'eveigb',
 'djcelery')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
 'eveigb.middleware.IGBMiddleware')


Traceback:
File "/home/maptool/eve-wspace/local/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
  132.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/home/maptool/eve-wspace/evewspace/API/views.py" in sso_login
  148.             token = sso_util_login(request, code)
File "/home/maptool/eve-wspace/evewspace/API/utils.py" in sso_util_login
  202.             group = Group.objects.get(name=get_config("SSO_DEFAULT_GROUP", None).value) 
File "/home/maptool/eve-wspace/local/lib/python2.7/site-packages/django/db/models/manager.py" in manager_method
  127.                 return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/home/maptool/eve-wspace/local/lib/python2.7/site-packages/django/db/models/query.py" in get
  334.                 self.model._meta.object_name

Exception Type: DoesNotExist at /api/sso/login/
Exception Value: Group matching query does not exist.

Trying a second time the site logged me in correctly with my new user account.

@Maarten28
Contributor Author

Did you set a default group for new users to end up in?

@EvilGrinUK

No, I've set that option and the error doesn't happen now. :D

@Maarten28
Contributor Author

I'll add some additional security measures in the next 30 minutes to avoid this stuff :).

@Maarten28
Contributor Author

Maarten28 commented Dec 24, 2016

Both were actually bugs:

  • The update char location does 2 ESI calls and refreshes the token if necessary. If the first call refreshes the token, the second call still assumes the token is invalid, while it is not, resulting in an exception. This is fixed now.
  • The group bug is fixed now, no group is applied if the field is empty.
  • Accounts with the SSO access list permission will not be deactivated through the task, to avoid accidents.
  • Added a bit more text on the settings page.
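
The access rules discussed in this thread (access-list gate on SSO registration, optional default group, hourly deactivation with the permission exemption), modelled in plain Python as an added example; this is not the project's code. `AccessList`, `Account`, `register_via_sso` and `sweep` are hypothetical names, and both the treatment of accounts with no SSO character and the handling of an unknown group name are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AccessList:
    """Hypothetical stand-in for the access list kept in the SSO settings."""
    characters: Set[str] = field(default_factory=set)
    corporations: Set[str] = field(default_factory=set)

    def allows(self, char_name: str, corp_name: str) -> bool:
        # Fail closed: an empty list matches nobody, so registration is refused.
        return char_name in self.characters or corp_name in self.corporations


@dataclass
class Account:
    username: str
    # (character, corporation) pairs that still hold a valid SSO token
    sso_characters: List[Tuple[str, str]] = field(default_factory=list)
    manages_access_list: bool = False  # holds the SSO access list permission
    groups: List[str] = field(default_factory=list)
    is_active: bool = True


def register_via_sso(acl: AccessList, char: str, corp: str,
                     default_group: Optional[str],
                     known_groups: Set[str]) -> Optional[Account]:
    """Return the new account, or None when the view should answer 403."""
    if not acl.allows(char, corp):
        return None
    account = Account(username=char, sso_characters=[(char, corp)])
    # Empty field: apply no group. Unknown name (assumption): also no group,
    # so registration cannot fail after the account has been created.
    if default_group and default_group in known_groups:
        account.groups.append(default_group)
    return account


def sweep(accounts: List[Account], acl: AccessList) -> List[str]:
    """Hourly task: deactivate accounts the access list no longer covers."""
    deactivated = []
    for acct in accounts:
        if not acct.is_active or acct.manages_access_list:
            continue  # already off, or exempt so admins cannot lock themselves out
        if any(acl.allows(c, k) for c, k in acct.sso_characters):
            continue  # at least one linked character is still on the list
        acct.is_active = False  # assumption: no linked character means not covered
        deactivated.append(acct.username)
    return deactivated
```
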

@Maarten28
Contributor Author

Pulled this to the develop branch.

@raphendyr
Contributor

raphendyr commented Dec 31, 2016

Damn. I was delayed a few months due to real life stuff. I had SSO login done with adarnauth-eve-sso. I had a plan to offload the auth stuff to it and location to another project so it could be used elsewhere. Just for reference, here was the sso work: https://github.com/raphendyr/eve-wspace/tree/feature/crest_wip2
(that uses adarnauth-eve-sso version from https://github.com/evewspace/adarnauth-eve-sso/tree/develop)

I'll take a look at what @Maarten28 has done whenever I can allocate the time...

@Maarten28
Contributor Author

Last year I wrote a basic implementation as well and since nobody seemed to have worked on it in the past 2 months I'd thought to just get it over with ;). Feel free to change things around, I already know stuff can be optimized.
