Help needed: Get this running on CKAN 2.9.9 #63

Closed
BWibo opened this issue Sep 4, 2023 · 4 comments
BWibo commented Sep 4, 2023

Hey there,

thx for this great extension. I'm currently trying to get this running on CKAN 2.9.9, but I'm facing a couple of issues.
I have the extension successfully installed, the database migration was completed successfully. I can launch CKAN and log in using username & password, but I'm not prompted for 2FA setup on first login.
I can do the setup by navigating to the user config page. This seems to work, but no QR code is displayed. I need to enter the token manually in the 2FA app. Testing a code is confirmed to work.

Patch flask_app.py and pylons_app.py

From what is described in ckanext-security.patch, I created these two files. The changes are the same as in the patch, just shifted by a couple of lines. Can you confirm that this is correct:

who.ini

Based on the documentation, I'm not entirely sure how to get this right. I tried to derive a working who.ini from the original CKAN 2.9.9 and the docs. Below is what I ended up with. This gives me the behavior described above.

Can you please give some guidance how to configure this correctly:

  • What [authenticators] are required? Is the order important?
    • When I leave out auth_tkt and ckan.lib.authenticator:UsernamePasswordAuthenticator logging in with username/password fails.
  • Are any changes required for login_form_url, login_handler_path or other settings in that section?
  • Anything else I did not get right?

[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True

[plugin:auth_tkt]
use = ckan.lib.repoze_plugins.auth_tkt:make_plugin
# If no secret key is defined here, beaker.session.secret will be used
#secret = somesecret

[plugin:friendlyform]
use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
login_form_url= /user/login
login_handler_path = /login_generic
logout_handler_path = /user/logout
rememberer_name = use_beaker
post_login_url = /user/logged_in
post_logout_url = /user/logged_out
charset = utf-8

[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider

[identifiers]
plugins =
    friendlyform;browser
    use_beaker

[authenticators]
plugins =
    auth_tkt
    ckan.lib.authenticator:UsernamePasswordAuthenticator
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth

[challengers]
plugins =
    friendlyform;browser

Logs

From the CKAN logs I get this:

2023-09-04 13:21:41,367 ERROR [ckan.lib.webassets_tools] Trying to include unknown asset: <security/mfa_configure>

Should I be worried about this? How do I fix that?

This is it for now. Thx in advance for any support on this!

Contributor

markstuart commented Oct 29, 2023

Hi @BWibo

In our implementation (CKAN 2.9.8) this is the who.ini file config:

[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True

[plugin:friendlyform]
use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
login_form_url= /user/login
login_handler_path = /login_generic
logout_handler_path = /user/logout
rememberer_name = use_beaker
post_login_url = /user/logged_in
post_logout_url = /user/logged_out
charset = utf-8

[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider

[identifiers]
plugins =
    friendlyform;browser
    use_beaker

[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth

[challengers]
plugins =
    friendlyform;browser

The issue with the QR code not displaying will be related to that error message in the logs. The mfa_configure file should be rendered by the ckan webassets pipeline and be available for request by the templates. It doesn't seem like that is happening in your case however?

This is likely the reason that you're not seeing the mfa challenge on the login page as well, as it uses javascript to override the form submission behaviour.

You should be able to see some script tags near the bottom of the body on the login page like these:

<script src="/webassets/webassets-external/54068721e204466fdd6561cabd04cca8_qrious.js" type="text/javascript"></script>
<script src="/webassets/webassets-external/204a98d1dce0cdc48a598deae34d8640_login_ajax.js" type="text/javascript"></script>

@markstuart
Contributor

Also, you'll want to remove ckan.lib.authenticator:UsernamePasswordAuthenticator from your who.ini authenticators, as I'm pretty sure that's what is allowing you to bypass the 2fa on the login page
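
Added example (not part of the thread or of ckanext-security): a small check that parses a who.ini and reports `[authenticators]` entries beyond the two in the maintainer's posted configuration, which is the situation the comment above points to. Treating those two entries as the expected set is an assumption taken from this thread, and `audit_authenticators` is a hypothetical helper name.

```python
import configparser

# Assumption: the expected set is the [authenticators] list from the
# maintainer's working who.ini (CKAN 2.9.8) posted in this thread.
EXPECTED = [
    "ckanext.security.authenticator:CKANLoginThrottle",
    "ckanext.security.authenticator:BeakerRedisAuth",
]

# [authenticators] section as posted in the opening comment.
REPORTED = """
[authenticators]
plugins =
    auth_tkt
    ckan.lib.authenticator:UsernamePasswordAuthenticator
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
"""

# [authenticators] section from the maintainer's reply.
MAINTAINER = """
[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
"""


def audit_authenticators(who_ini_text):
    """Return (unexpected, missing) authenticator entries for a who.ini."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(who_ini_text)
    raw = parser.get("authenticators", "plugins", fallback="")
    # One plugin per line; drop an optional ";classifier" suffix.
    configured = [entry.split(";")[0] for entry in raw.split()]
    # Extra entries are authentication paths outside the extension's control.
    unexpected = [p for p in configured if p not in EXPECTED]
    # Missing entries mean throttling or the MFA-aware check is not active.
    missing = [p for p in EXPECTED if p not in configured]
    return unexpected, missing


if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("maintainer", MAINTAINER)):
        unexpected, missing = audit_authenticators(text)
        print(label, "unexpected:", unexpected, "missing:", missing)
```
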

Contributor

markstuart commented Feb 27, 2024

Closing this due to inactivity.

Author

BWibo commented Feb 27, 2024

Thx for the assistance. I'll reopen if this comes up again. For now, we have a different solution.
