From caccb9a20b3b366d6ec81541b2a87cb5820ae017 Mon Sep 17 00:00:00 2001
From: Anna Shamray
Date: Tue, 13 Feb 2024 16:04:26 +0100
Subject: [PATCH 1/4] :fire: [https://github.com/open-zaak/open-zaak/issues/1139] remove adfs code
---
 .../0004_migrate_from_auth_adfs_db.py | 59 ++-----------------
 src/nrc/conf/includes/base.py | 6 --
 src/nrc/urls.py | 12 +---
 3 files changed, 6 insertions(+), 71 deletions(-)
diff --git a/src/nrc/accounts/migrations/0004_migrate_from_auth_adfs_db.py b/src/nrc/accounts/migrations/0004_migrate_from_auth_adfs_db.py
index b6c378ac..f1558496 100644
--- a/src/nrc/accounts/migrations/0004_migrate_from_auth_adfs_db.py
+++ b/src/nrc/accounts/migrations/0004_migrate_from_auth_adfs_db.py
@@ -1,67 +1,18 @@ # Generated by Django 3.2.13 on 2022-06-21 06:41 -import sys from django.db import migrations -from django_auth_adfs.config import provider_config, settings as auth_adfs_settings -from mozilla_django_oidc_db.forms import OpenIDConnectConfigForm - - -def from_auth_adfs_to_mozilla_oidc(apps, schema_editor): - ADFSConfig = apps.get_model("django_auth_adfs_db", "ADFSConfig") - OpenIDConnectConfig = apps.get_model( - "mozilla_django_oidc_db", "OpenIDConnectConfig" - ) - - adfs_config = ADFSConfig.objects.first() - if adfs_config is None: - return - - oidc_config = OpenIDConnectConfig.objects.first() - if oidc_config and oidc_config.oidc_op_discovery_endpoint: - print("Existing OIDC config found, not overwriting it.", file=sys.stderr) - return - elif oidc_config is None: - oidc_config = OpenIDConnectConfig() - - config_url = f"https://{auth_adfs_settings.SERVER}/{auth_adfs_settings.TENANT_ID}/" - provider_config.load_config() - - # copy configuration over - form = OpenIDConnectConfigForm( - instance=oidc_config, - data={ - "enabled": adfs_config.enabled, - "oidc_rp_client_id": adfs_config.client_id, - "oidc_rp_client_secret": adfs_config.client_secret, - "oidc_rp_sign_algo": "RS256", - "oidc_op_discovery_endpoint": config_url, - "username_claim": adfs_config.username_claim, - "claim_mapping": adfs_config.claim_mapping, - "groups_claim": "roles", - "sync_groups": adfs_config.sync_groups, - "sync_groups_glob_pattern": "*", - }, - ) - - if not form.is_valid(): - print("Could not automatically migrate the ADFS config", file=sys.stderr) - return - - form.save() - adfs_config.enabled = False - adfs_config.save() - class Migration(migrations.Migration): + # migration is made no-op in the 1.6.x release series - on 1.4.x this copied + # over the configuration from auth_adfs to mozilla_oidc. + # This migration is kept for historical reasons to not mess with the migration + # history of existing installs. See #1139 for more context. 
dependencies = [ ("accounts", "0003_add_adfs_admin_index"), - ("django_auth_adfs_db", "0003_auto_20210323_1441"), ("mozilla_django_oidc_db", "0008_auto_20220422_0849"), ] - operations = [ - migrations.RunPython(from_auth_adfs_to_mozilla_oidc, migrations.RunPython.noop), - ] + operations = [] diff --git a/src/nrc/conf/includes/base.py b/src/nrc/conf/includes/base.py index 72a00369..ae9a38f8 100644 --- a/src/nrc/conf/includes/base.py +++ b/src/nrc/conf/includes/base.py @@ -124,8 +124,6 @@ "rest_framework", "django_markup", "solo", - "django_auth_adfs", - "django_auth_adfs_db", "django_jsonform", "mozilla_django_oidc", "mozilla_django_oidc_db", @@ -500,10 +498,6 @@ ADMIN_INDEX_SHOW_REMAINING_APPS_TO_SUPERUSERS = False ADMIN_INDEX_AUTO_CREATE_APP_GROUP = False -# -# DJANGO AUTH ADFS -# -AUTH_ADFS = {"SETTINGS_CLASS": "django_auth_adfs_db.settings.Settings"} # # OpenZaak configuration diff --git a/src/nrc/urls.py b/src/nrc/urls.py index d301dee1..fdb8602a 100644 --- a/src/nrc/urls.py +++ b/src/nrc/urls.py @@ -4,7 +4,7 @@ from django.contrib import admin from django.contrib.staticfiles.urls import staticfiles_urlpatterns from django.urls import include, path -from django.views.generic import RedirectView, TemplateView +from django.views.generic import TemplateView from vng_api_common.views import ViewConfigView @@ -18,16 +18,6 @@ # Simply show the master template. path("", TemplateView.as_view(template_name="index.html"), name="home"), path("ref/", include("vng_api_common.urls")), - # See #1139 - the ADFS backend is phasing out. We provide redirects to give users time - # to update their redirect URIs on the ADFS side. - path( - "adfs/callback", - RedirectView.as_view( - permanent=True, - query_string=True, - pattern_name="oidc_authentication_callback", - ), - ), path("oidc/", include("mozilla_django_oidc.urls")), path("view-config/", ViewConfigView.as_view(), name="view-config"), ] From 76fa1cbb5aa8950420361fce6149324d6d76ecba Mon Sep 17 00:00:00 2001 
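Review bot: The new class comment on `Migration` refers to `#1139`, but the issue is in the open-zaak repository (the commit subject links https://github.com/open-zaak/open-zaak/issues/1139), so a bare `#1139` inside this repository's source points at the wrong tracker; spell out the full URL in the comment. The comment should also say what the no-op leaves behind: the `django_auth_adfs_db` tables, including the `client_secret` the removed `from_auth_adfs_to_mozilla_oidc` used to copy, remain in the database until the `bin/uninstall_adfs.sh` script described in the CHANGELOG drops them, and installs that skipped the 1.4.x series no longer get their config copied or the old ADFS config disabled. Suggested addition: `# The ADFS tables (ADFSConfig still holds the client secret) are left in place; bin/uninstall_adfs.sh drops them.`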
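Review bot: Removing `django_auth_adfs` and `django_auth_adfs_db` from INSTALLED_APPS and deleting the `AUTH_ADFS` setting does not cover other settings that may still name the package; AUTHENTICATION_BACKENDS and the login/redirect settings are outside both hunks of `src/nrc/conf/includes/base.py`. If a `django_auth_adfs` backend path is still listed there, Django raises ImportError on the first authentication attempt now that patch 3 also drops the package from requirements, which would lock out admin logins rather than fail at startup. A grep for `auth_adfs` across `src/nrc/conf` and the templates before merging would confirm nothing is left; if the remaining references are intentional, a short comment next to them saying why would help.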
From: Anna Shamray Date: Tue, 13 Feb 2024 16:05:03 +0100 Subject: [PATCH 2/4] :memo: [https://github.com/open-zaak/open-zaak/issues/1139] update docs about removing ADFS --- CHANGELOG.rst | 36 +++++++++++++++++++++++++++++++++++- docs/manual/adfs.rst | 4 ++-- 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 78512307..aadc4c63 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,40 @@ Changes ======= +1.6.0 (2024-??-??) +------------------ + +.. warning:: + + Manual intervention required for ADFS/AAD users. + + In Open Notificaties 1.4.x we replaced the ADFS/Azure AD integration with the generic OIDC + integration. If you are upgrading from an older version, you must first upgrade to + the 1.4.x release series before upgrading to 1.6, and follow the manual intervention + steps in the 1.4 release notes. + + After upgrading to 1.6, you can clean up the ADFS database entries by executing the + ``bin/uninstall_adfs.sh`` script on your infrastructure. + + .. tabs:: + + .. group-tab:: single-server + + .. code-block:: bash + docker exec opennotificaties-0 ./bin/uninstall_adfs.sh + .. group-tab:: Kubernetes + + .. code-block:: bash + $ kubectl get pods + NAME READY STATUS RESTARTS AGE + cache-79455b996-jxk9r 1/1 Running 0 2d9h + nginx-8579d9dfbd-gdtbf 1/1 Running 0 2d9h + nginx-8579d9dfbd-wz6wn 1/1 Running 0 2d9h + opennotificaties-7b696c8fd5-hchbq 1/1 Running 0 2d9h + opennotificaties-7b696c8fd5-kz2pb 1/1 Running 0 2d9h + $ kubectl exec opennotificaties-7b696c8fd5-hchbq -- ./bin/uninstall_adfs.sh + + 1.5.2 (2024-02-07) ================== @@ -115,7 +149,7 @@ Bugfix release following 1.4.0 ``https://open-notificaties.gemeente.nl/adfs/callback`` becomes ``https://open-notificaties.gemeente.nl/oidc/callback``. - In release 1.5.0 you will be able to finalize the removal by dropping the relevant + In release 1.6.0 you will be able to finalize the removal by dropping the relevant tables. 1.3.0 (2022-03-28) 
diff --git a/docs/manual/adfs.rst b/docs/manual/adfs.rst index 8d7fbdfa..c253f44f 100644 --- a/docs/manual/adfs.rst +++ b/docs/manual/adfs.rst @@ -14,12 +14,12 @@ ADFS (On premise) being removed ``/adfs/callback`` should be changed into ``/oidc/callback``. Open Notificaties 1.4.0 provides a redirect from the old to the new URL, which will be - removed in Open Notificaties 1.5.0. + removed in Open Notificaties 1.6.0. Uninstalling ============ -The uninstaller can be run from Open Notificaties 1.5.0 onwards, after we have removed the +The uninstaller can be run from Open Notificaties 1.6.0 onwards, after we have removed the external dependencies. .. tabs:: From db60156e5095bef74ac815cb16c0f22a49969911 Mon Sep 17 00:00:00 2001 From: Anna Shamray Date: Tue, 13 Feb 2024 16:10:37 +0100 Subject: [PATCH 3/4] :heavy_minus_sign: [https://github.com/open-zaak/open-zaak/issues/1139] remove adfs dependencies --- requirements/base.in | 1 - requirements/base.txt | 11 ----------- requirements/ci.txt | 13 ------------- requirements/dev.txt | 13 ------------- 4 files changed, 38 deletions(-) diff --git a/requirements/base.in b/requirements/base.in index 5d0b0ac1..21243abd 100644 --- a/requirements/base.in +++ b/requirements/base.in @@ -11,7 +11,6 @@ self-certifi # Framework libraries Django ~= 3.2.0 -django-auth-adfs-db django-axes django-choices django-cors-headers diff --git a/requirements/base.txt b/requirements/base.txt index 852e613f..1f540e83 100644 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -59,7 +59,6 @@ coreschema==0.0.4 # drf-yasg cryptography==41.0.7 # via - # django-auth-adfs # josepy # mozilla-django-oidc # pyopenssl @@ -69,8 +68,6 @@ django==3.2.24 # commonground-api-common # django-admin-index # django-appconf - # django-auth-adfs - # django-auth-adfs-db # django-axes # django-choices # django-cors-headers 
@@ -95,10 +92,6 @@ django-admin-index==2.0.0 # via -r requirements/base.in django-appconf==1.0.5 # via django-log-outgoing-requests -django-auth-adfs==1.11.6 - # via django-auth-adfs-db -django-auth-adfs-db==0.3.0 - # via -r requirements/base.in django-axes==5.31.0 # via -r requirements/base.in django-choices==1.7.2 @@ -132,7 +125,6 @@ django-sendfile2==0.7.0 django-solo==2.0.0 # via # commonground-api-common - # django-auth-adfs-db # django-log-outgoing-requests # mozilla-django-oidc-db # notifications-api-common @@ -213,7 +205,6 @@ pycparser==2.21 pyjwt==2.4.0 # via # commonground-api-common - # django-auth-adfs # gemma-zds-client pyopenssl==23.3.0 # via @@ -246,7 +237,6 @@ requests==2.31.0 # via # commonground-api-common # coreapi - # django-auth-adfs # django-log-outgoing-requests # gemma-zds-client # mozilla-django-oidc @@ -280,7 +270,6 @@ uritemplate==3.0.0 # drf-yasg urllib3==1.26.18 # via - # django-auth-adfs # elastic-apm # requests # sentry-sdk diff --git a/requirements/ci.txt b/requirements/ci.txt index 9c6d9ce0..34b7e5ab 100644 --- a/requirements/ci.txt +++ b/requirements/ci.txt @@ -92,7 +92,6 @@ coverage==6.3.2 cryptography==41.0.7 # via # -r requirements/base.txt - # django-auth-adfs # josepy # mozilla-django-oidc # pyopenssl @@ -102,8 +101,6 @@ django==3.2.24 # commonground-api-common # django-admin-index # django-appconf - # django-auth-adfs - # django-auth-adfs-db # django-axes # django-choices # django-cors-headers @@ -130,12 +127,6 @@ django-appconf==1.0.5 # via # -r requirements/base.txt # django-log-outgoing-requests -django-auth-adfs==1.11.6 - # via - # -r requirements/base.txt - # django-auth-adfs-db -django-auth-adfs-db==0.3.0 - # via -r requirements/base.txt django-axes==5.31.0 # via -r requirements/base.txt django-choices==1.7.2 @@ -186,7 +177,6 @@ django-solo==2.0.0 # via # -r requirements/base.txt # commonground-api-common - # django-auth-adfs-db # django-log-outgoing-requests # mozilla-django-oidc-db # notifications-api-common 
@@ -338,7 +328,6 @@ pyjwt==2.4.0 # via # -r requirements/base.txt # commonground-api-common - # django-auth-adfs # gemma-zds-client pyopenssl==23.3.0 # via @@ -382,7 +371,6 @@ requests==2.31.0 # -r requirements/base.txt # commonground-api-common # coreapi - # django-auth-adfs # django-log-outgoing-requests # gemma-zds-client # mozilla-django-oidc @@ -438,7 +426,6 @@ uritemplate==3.0.0 urllib3==1.26.18 # via # -r requirements/base.txt - # django-auth-adfs # elastic-apm # requests # sentry-sdk diff --git a/requirements/dev.txt b/requirements/dev.txt index 14d950f8..831f35c6 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -105,7 +105,6 @@ coverage==6.3.2 cryptography==41.0.7 # via # -r requirements/ci.txt - # django-auth-adfs # josepy # mozilla-django-oidc # pyopenssl @@ -115,8 +114,6 @@ django==3.2.24 # commonground-api-common # django-admin-index # django-appconf - # django-auth-adfs - # django-auth-adfs-db # django-axes # django-choices # django-cors-headers @@ -145,12 +142,6 @@ django-appconf==1.0.5 # via # -r requirements/ci.txt # django-log-outgoing-requests -django-auth-adfs==1.11.6 - # via - # -r requirements/ci.txt - # django-auth-adfs-db -django-auth-adfs-db==0.3.0 - # via -r requirements/ci.txt django-axes==5.31.0 # via -r requirements/ci.txt django-choices==1.7.2 @@ -205,7 +196,6 @@ django-solo==2.0.0 # via # -r requirements/ci.txt # commonground-api-common - # django-auth-adfs-db # django-log-outgoing-requests # mozilla-django-oidc-db # notifications-api-common @@ -390,7 +380,6 @@ pyjwt==2.4.0 # via # -r requirements/ci.txt # commonground-api-common - # django-auth-adfs # gemma-zds-client pyopenssl==23.3.0 # via @@ -440,7 +429,6 @@ requests==2.31.0 # -r requirements/ci.txt # commonground-api-common # coreapi - # django-auth-adfs # django-log-outgoing-requests # gemma-zds-client # mozilla-django-oidc 
@@ -532,7 +520,6 @@ uritemplate==3.0.0 urllib3==1.26.18 # via # -r requirements/ci.txt - # django-auth-adfs # elastic-apm # requests # sentry-sdk From b6b0045de9a06bfc8d9d34326293b725e6f18a39 Mon Sep 17 00:00:00 2001 From: Anna Shamray Date: Tue, 13 Feb 2024 16:21:07 +0100 Subject: [PATCH 4/4] :green_heart: [https://github.com/open-zaak/open-zaak/issues/1139] fix documents --- CHANGELOG.rst | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index aadc4c63..5a5fe2d9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -17,23 +17,36 @@ Changes After upgrading to 1.6, you can clean up the ADFS database entries by executing the ``bin/uninstall_adfs.sh`` script on your infrastructure. - .. tabs:: + .. tabs:: .. group-tab:: single-server .. code-block:: bash - docker exec opennotificaties-0 ./bin/uninstall_adfs.sh + + $ docker exec opennotificaties-0 /app/bin/uninstall_adfs.sh + + BEGIN + DROP TABLE + DELETE 3 + COMMIT + + .. group-tab:: Kubernetes .. code-block:: bash + $ kubectl get pods - NAME READY STATUS RESTARTS AGE - cache-79455b996-jxk9r 1/1 Running 0 2d9h - nginx-8579d9dfbd-gdtbf 1/1 Running 0 2d9h - nginx-8579d9dfbd-wz6wn 1/1 Running 0 2d9h + NAME READY STATUS RESTARTS AGE + cache-79455b996-jxk9r 1/1 Running 0 2d9h opennotificaties-7b696c8fd5-hchbq 1/1 Running 0 2d9h opennotificaties-7b696c8fd5-kz2pb 1/1 Running 0 2d9h - $ kubectl exec opennotificaties-7b696c8fd5-hchbq -- ./bin/uninstall_adfs.sh + + $ kubectl exec opennotificaties-7b696c8fd5-hchbq -- /app/bin/uninstall_adfs.sh + + BEGIN + DROP TABLE + DELETE 3 + COMMIT 1.5.2 (2024-02-07)