Add option to automatically move users to a new authenticator #601

newswangerd · 2024-09-02T16:28:38Z

This adds a new field on the authenticator model called auto_migrate_users_to which accepts a foreign key to another authenticator. When this field is configured we will do the following:

On login, collect any authenticator users from authenticators configured to migrate to the currently in use authenticator
For each of the discovered authenticators, call the move_authenticator_user_to method on the authenticator plugin. This lets the authenticator plugin know that the user is being moved and gives it a chance to perform any cleanup before that happens.

ansible_base/authentication/models/authenticator.py

newswangerd · 2024-09-05T21:21:27Z

Right now you can auto migrate users to any authenticator. I'm considering adding a field on the authenticator plugin where plugin authors can declare which authenticators are supported for auto migration. For example, we can declare that the generic oidc authenticator can be set to auto migrate users to keycloak, github, google etc (because these are all odic based authenticators), but can't be set to auto migrate users to saml.

Ultimately all of the authenticators that can be configured to use active directory as a backend (LDAP, OIDC, SAML, Keycloak) are potentially compatible with one another as long as they have the same user database as a backend.

ansible_base/authentication/authenticator_plugins/base.py

ansible_base/authentication/authenticator_plugins/keycloak.py

ansible_base/authentication/models/authenticator.py

ansible_base/authentication/utils/authentication.py

newswangerd · 2024-09-06T13:06:03Z

@elyezer I can't add you as a reviewer, but I'd like it if you could take a look at this

ansible_base/authentication/migrations/0014_authenticator_auto_migrate_users_to.py

john-westcott-iv

Can we squash the 2 migration files in the authentication app?

ansible_base/authentication/serializers/authenticator.py

ansible_base/authentication/utils/authentication.py

ansible_base/authentication/authenticator_plugins/base.py

ansible_base/authentication/utils/authentication.py

test_app/tests/authentication/test_migrate_user_to_authenticator.py

ansible_base/authentication/utils/authentication.py

AlanCoding

I'm understanding high-level what this is doing and tests look fairly thorough.

sonarcloud · 2024-09-12T15:32:53Z

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
92.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

relrod reviewed Sep 2, 2024

View reviewed changes

ansible_base/authentication/models/authenticator.py Outdated Show resolved Hide resolved

AlanCoding added the app:authentication label Sep 4, 2024

newswangerd marked this pull request as draft September 4, 2024 15:05

newswangerd force-pushed the feature/AAP-30012-merge-auth-users branch from 70af940 to 5697f2b Compare September 5, 2024 21:16

newswangerd marked this pull request as ready for review September 5, 2024 21:17

newswangerd requested a review from john-westcott-iv September 5, 2024 21:17

relrod reviewed Sep 5, 2024

View reviewed changes

elyezer reviewed Sep 6, 2024

View reviewed changes

ansible_base/authentication/migrations/0014_authenticator_auto_migrate_users_to.py Outdated Show resolved Hide resolved

john-westcott-iv reviewed Sep 6, 2024

View reviewed changes

newswangerd force-pushed the feature/AAP-30012-merge-auth-users branch from fbd8e8b to 18b8a3f Compare September 10, 2024 14:57

newswangerd requested review from relrod and AlanCoding September 10, 2024 15:01