[19.0][MIG] auth_saml: Migration to 19.0 #916
Draft
vincent-hatakeyama wants to merge 76 commits into OCA:19.0 from
Conversation
[IMP] Cleanup
The following line of code for 11.0:
- https://github.com/odoo/odoo/blob/52d6f0e3ee90874fc93fec9cdff74ec71d3b991f/addons/auth_oauth/controllers/main.py#L69
is assigning the key "auth_link" for the "list_providers" method. The following template is expecting this key:
- https://github.com/odoo/odoo/blob/52d6f0e3ee90874fc93fec9cdff74ec71d3b991f/addons/auth_oauth/views/auth_oauth_templates.xml#L5
So it raises a KeyError compiling "template_auth_oauth_providers_N". This change fixes it by adding the expected key in order to avoid this KeyError.
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-11.0/server-auth-11.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-11-0/server-auth-11-0-auth_saml/
[FIX] dependencies
add requirement on lasso
- Default behavior is now to allow password and SAML together. Otherwise, users could keep getting their passwords removed without warning.
- General cleanup.
- Remove relations to field `password_crypt` because in v12 the `password` field is always encrypted instead.
Co-Authored-By: Alexandre Díaz <alexandre.diaz@tecnativa.com>
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-12.0/server-auth-12.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-12-0/server-auth-12-0-auth_saml/
Currently translated at 100.0% (37 of 37 strings) Translation: server-auth-15.0/server-auth-15.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_saml/fr/
🚑 Fix the disallow password for users with SAML ids. Added tests to ensure the feature works correctly. Admin user is also an exception from not having a password. In Odoo 15.0, this is the standard user to connect for administrative tasks, not the super user.
✨ Improve provider form and list views
✨⏩ Port of automatic redirection from the 11.0 version. Use disable_autoredirect as a query parameter to disable automatic redirection (for example https://example.com/web/login?disable_autoredirect=)
💄 Add certificate file name fields to improve the UI
📝 Add required on several fields of the SAML provider; without them the server will crash and there is not enough information to make SAML work.
✨ Split signing to have finer control and be compatible with more IdPs.
🔨 Integrate token into res.users.saml, removing auth_saml.token. No need for a separate table, and no more need to create lines in the table.
📝 Avoid server errors when users try the metadata page without the necessary parameters.
🚑 Replace method call from odoo.http.redirect_with_hash to request.redirect as the former does not exist in Odoo 15.0 anymore.
📚 Improved the module documentation
👕 pylint fixes and other fixes or minor changes
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-15.0/server-auth-15.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_saml/
Translated using Weblate (Italian) Currently translated at 85.5% (77 of 90 strings) Translation: server-auth-16.0/server-auth-16.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_saml/it/
Translated using Weblate (Italian) Currently translated at 100.0% (90 of 90 strings) Translation: server-auth-16.0/server-auth-16.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_saml/it/
Updated the signin method to reflect changes in similar method signin from auth_oauth. Without the changes, the ORM crashes with psycopg2.errors.InvalidSavepointSpecification when trying to signin. Fixes OCA#664
As users in that group can already edit users, it makes sense to allow them to see and edit that information rather than restricting it to admin/system.
Currently translated at 100.0% (89 of 89 strings) Translation: server-auth-18.0/server-auth-18.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_saml/fr/
To reproduce: enable both SAML and MFA.
Fixes
```
File "/home/odoo/18.0/server-auth/auth_saml/controllers/main.py", line 251, in signin
resp = request.redirect(_get_login_redirect_url(auth_info, url), 303)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/odoo/18.0/odoo/addons/web/controllers/utils.py", line 240, in _get_login_redirect_url
url = request.env(user=uid)['res.users'].browse(uid)._mfa_url()
^^^^^^^^^^^^^^^^^^^^^
File "/home/odoo/18.0/odoo/odoo/api.py", line 644, in __call__
uid = self.uid if user is None else int(user)
^^^^^^^^^
```
cf. https://github.com/odoo/odoo/blob/65704e58fda293af727f76d5c0741b135817db99/addons/web/controllers/home.py#L124-L126
Co-authored-by: Cas Vissers <cas@360erp.nl>
The message is incorrect: the log entry is written when the attribute key is not found.
On Office365, what you get when configuring an application for SAML authentication is the URL of the federation metadata document. This URL is stable, but the content of the document is not. I suspect some of the encryption keys can be updated / renewed over time. The result is that the configured provider in Odoo suddenly stops working, because the messages sent by the Office365 provider can no longer be validated by Odoo (because the federation document is out of date). Downloading the new version and updating the auth.saml.provider record fixes the issue. This PR adds a new field to store the URL of the metadata document. When this field is set on a provider, you get a button next to it in the form view to download the document from the URL. The button will not update the document if it has not changed. Additionally, when a SignatureError happens, we check if downloading the document again fixes the issue.
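The refresh-on-failure behaviour described in the commit above, shown as an added example that is not the module's own code: the provider keeps the metadata URL, re-downloads the document only when signature validation fails, writes it back only if the content actually changed, and re-raises when a fresh download does not help. The `SamlProvider` class, its field names, the `fake_sign` keyed-hash "signature" and the constructed `fetch_metadata` stand-in are all assumptions that replace the real Odoo record, the XML-DSig check done by the SAML library and the HTTP download.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


class SignatureError(Exception):
    """Stand-in for the signature failure the SAML library raises (constructed)."""


def fake_sign(key: str, body: str) -> str:
    """Toy 'signature': a keyed hash standing in for XML-DSig over the assertion (constructed)."""
    return hashlib.sha256(f"{key}:{body}".encode()).hexdigest()


def validate_response(metadata: str, response: dict) -> str:
    """Toy validator: here the metadata document is just the IdP's current key."""
    if fake_sign(metadata, response["body"]) != response["signature"]:
        raise SignatureError("response signature does not match provider metadata")
    return response["body"]


@dataclass
class SamlProvider:
    """Minimal stand-in for an auth.saml.provider record (field names are hypothetical)."""

    idp_metadata_url: Optional[str]
    idp_metadata: str
    refresh_count: int = 0  # how many times the stored document was actually rewritten

    def refresh_metadata(self, fetch: Callable[[str], str]) -> bool:
        """Download the metadata document; return True only when it changed."""
        if not self.idp_metadata_url:
            return False  # nothing configured, nothing to refresh
        fresh = fetch(self.idp_metadata_url)
        if fresh == self.idp_metadata:
            return False  # unchanged: leave the record untouched
        self.idp_metadata = fresh
        self.refresh_count += 1
        return True

    def authenticate(self, response: dict, fetch: Callable[[str], str]) -> str:
        """Validate; on SignatureError re-download the metadata and retry once if it changed."""
        try:
            return validate_response(self.idp_metadata, response)
        except SignatureError:
            if not self.refresh_metadata(fetch):
                raise  # document is current, so a stale key is not the cause
            return validate_response(self.idp_metadata, response)


# Constructed scenario: the IdP rotated its signing key after the provider was configured.
METADATA_URL = "https://login.example.test/federationmetadata.xml"  # placeholder URL
IDP_DOCUMENTS = {METADATA_URL: "key-v2"}  # what the URL serves now


def fetch_metadata(url: str) -> str:
    """Offline stand-in for the HTTP download of the metadata document."""
    return IDP_DOCUMENTS[url]


def demo() -> tuple:
    """Stale provider first self-heals, then still rejects a bad signature."""
    provider = SamlProvider(idp_metadata_url=METADATA_URL, idp_metadata="key-v1")
    good = {"body": "assertion for alice", "signature": fake_sign("key-v2", "assertion for alice")}
    body = provider.authenticate(good, fetch_metadata)  # one refresh, then success
    # With the document already current, a bad signature must not trigger a rewrite.
    bad = {"body": "assertion for bob", "signature": "00" * 32}
    try:
        provider.authenticate(bad, fetch_metadata)
        rejected = False
    except SignatureError:
        rejected = True
    return body, provider.refresh_count, rejected


if __name__ == "__main__":
    print(demo())  # ('assertion for alice', 1, True)
```

The single retry matters: without the "only if it changed" guard, every bad assertion would cost a metadata download and a record write, and a failing IdP could not be told apart from a stale document.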
Fix logic of SELECT FOR UPDATE to only lock records whose metadata will be updated
When using mapping, not writing the value systematically avoids getting security mail on login/email changes when there is no change. Also, using SQL for blanking passwords avoids the security update mails.
Currently translated at 100.0% (93 of 93 strings) Translation: server-auth-18.0/server-auth-18.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_saml/it/
There is already an existing PR that missed some needed changes. I also do not manage to log in with a local keycloak.
I’m currently facing the same issue with my PR (that’s why it is in draft).