feat: support keycloak login to wagtail admin (#20)

.dockerignore

@@ -2,6 +2,7 @@
 /media/
 /static/
 *.sqlite3
+.env
 
 # Python and others
 __pycache__

.env.example

@@ -1,4 +1,5 @@
-DEBUG=True
+# After doing changes here, run "docker compose up"
+
 SECRET_KEY="insecure-key-please-change-me-4:,Q[DpiIH<3DbK#:(+fd[81tk)y#6"
 ALLOWED_HOSTS=tgno-backend.test,localhost
 
@@ -8,5 +9,9 @@ POSTGRES_PASSWORD="insecure-password-fC0VolUCiiEYWDJG[_Q~=O,elEF7rZ"
 POSTGRES_HOST=db
 POSTGRES_PORT=5432
 
-#CSRF_COOKIE_DOMAIN=
-#CSRF_TRUSTED_ORIGINS=
+DISABLE_LOCAL_AUTH=False
+SOCIAL_AUTH_KEYCLOAK_KEY=
+SOCIAL_AUTH_KEYCLOAK_SECRET=
+SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=
+SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL=
+SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL=

.gitignore

@@ -5,4 +5,3 @@ __pycache__
 # Dev assets and state
 db.sqlite3
 media
-static

README.md

@@ -35,12 +35,12 @@ Example urls
 We are using Docker via docker-compose for local development. To get started
 
 1. Copy `.env.example` to `.env`
-2. Start apps via `docker-compose up`
+2. Start apps via `docker compose up`
 3. Wait until apps are running, and calmed down
 4. Create admin user via `make createsuperuser`
-5. Manually create site content and config, or use `make seed-foor-development` to create basic setup with dummy content (not safe to use if content has already been added)
+5. Manually create site content and config, or use `make seed-for-development` to create basic setup with dummy content (not safe to use if content has already been added)
 
-Once running you should start an interactive shell in `web` container in order to have full access to any Django and Wagtail commands. This can be done via `docker-compose exec web bash`, or via our shortcut `make`/`make shell`
+Once running you should start an interactive shell in `web` container in order to have full access to any Django and Wagtail commands. This can be done via `docker compose exec web bash`, or via our shortcut `make`/`make shell`
 
 We recommend this approach since it makes it a lot easier to tinker and learn how things work. To list all commands available try `python manage.py` (while in the interactive shell)
 

docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   db:
     image: postgres:16-alpine

requirements.txt

@@ -1,3 +1,4 @@
 Django>=4.2,<4.3
 wagtail>=6.2
 psycopg>=3.1.8,<4.0
+social-auth-app-django==5.4.2

tgno/context_processor.py

@@ -0,0 +1,9 @@
+from django.conf import settings
+
+
+def get_site_info(request):
+    return {
+        "SITE_NAME": settings.SITE_NAME,
+        "KEYCLOAK_LOGIN": settings.SOCIAL_AUTH_KEYCLOAK_KEY is not None,
+        "DISABLE_LOCAL_AUTH": settings.DISABLE_LOCAL_AUTH,
+    }

tgno/settings/base.py

@@ -20,6 +20,12 @@
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
 
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = env("SECRET_KEY", "django-insecure-)u4^uo@zde4qa=m+*6x0$r$iro8k5&-=w$%)tf$vj(yf@wg#c=")
+
+# SECURITY WARNING: define the correct hosts in production!
+ALLOWED_HOSTS = env("ALLOWED_HOSTS", "localhost").split(",")
+CSRF_TRUSTED_ORIGINS = env("CSRF_TRUSTED_ORIGINS", "http://localhost").split(",")
 
 # Application definition
 
@@ -43,6 +49,7 @@
     "wagtail",
     "modelcluster",
     "taggit",
+    "social_django",
     "django.contrib.admin",
     "django.contrib.auth",
     "django.contrib.contenttypes",
@@ -79,6 +86,7 @@
                 "django.template.context_processors.request",
                 "django.contrib.auth.context_processors.auth",
                 "django.contrib.messages.context_processors.messages",
+                "tgno.context_processor.get_site_info",
             ],
         },
     },
@@ -176,6 +184,26 @@
 
 # Base URL to use when referring to full URLs within the Wagtail admin backend -
 # e.g. in notification emails. Don't include '/admin' or a trailing slash
-WAGTAILADMIN_BASE_URL = env("WAGTAILADMIN_BASE_URL", "http://example.com")
+WAGTAILADMIN_BASE_URL = env("WAGTAILADMIN_BASE_URL", "http://localhost:8000")
+WAGTAILAPI_BASE_URL = env("WAGTAILAPI_BASE_URL", "http://localhost:8000")
+
+# Custom settings
+SITE_NAME = env("SITE_NAME", "TG.no")
+DISABLE_LOCAL_AUTH = env("DISABLE_LOCAL_AUTH", "False").lower() in ("true", "1")
+
+# Django Social Auth
+AUTHENTICATION_BACKENDS = []
+
+SOCIAL_AUTH_JSONFIELD_ENABLED = True
+SOCIAL_AUTH_KEYCLOAK_KEY = os.getenv("SOCIAL_AUTH_KEYCLOAK_KEY") or None
+SOCIAL_AUTH_KEYCLOAK_SECRET = env("SOCIAL_AUTH_KEYCLOAK_SECRET", None)
+SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = env("SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY", None)
+SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = env("SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL", None)
+SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = env("SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL", None)
+LOGIN_REDIRECT_URL = "/admin"
+
+if SOCIAL_AUTH_KEYCLOAK_KEY is not None:
+    AUTHENTICATION_BACKENDS.append("social_core.backends.keycloak.KeycloakOAuth2")
 
-WAGTAILAPI_BASE_URL = env("WAGTAILAPI_BASE_URL", "http://example.com")
+if DISABLE_LOCAL_AUTH is False:
+    AUTHENTICATION_BACKENDS.append("django.contrib.auth.backends.ModelBackend")

tgno/settings/dev.py

@@ -2,21 +2,16 @@
 
 from .base import *
 
+SITE_NAME = "TG.no - Development"
+
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-)u4^uo@zde4qa=m+*6x0$r$iro8k5&-=w$%)tf$vj(yf@wg#c="
-
 # SECURITY WARNING: define the correct hosts in production!
 ALLOWED_HOSTS = ["*"]
 
 EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 
-WAGTAILADMIN_BASE_URL = "http://localhost:8000"
-
-WAGTAILAPI_BASE_URL = "http://localhost:8000"
-
 
 try:
     from .local import *

tgno/settings/production.py

@@ -4,8 +4,6 @@
 
 DEBUG = False
 SECRET_KEY = env("SECRET_KEY")
-ALLOWED_HOSTS = env("ALLOWED_HOSTS", "localhost").split(",")
-CSRF_TRUSTED_ORIGINS = env("CSRF_TRUSTED_ORIGINS", "http://localhost").split(",")
 EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 
 LOGGING = {

tgno/templates/wagtailadmin/base.html

@@ -0,0 +1,3 @@
+{% extends "wagtailadmin/base.html" %}
+
+{% block branding_title %}{{ SITE_NAME }}{% endblock %}

tgno/templates/wagtailadmin/home.html

@@ -0,0 +1,3 @@
+{% extends "wagtailadmin/home.html" %}
+
+{% block branding_welcome %}{{ SITE_NAME }}{% endblock %}

tgno/templates/wagtailadmin/login.html

@@ -0,0 +1,29 @@
+{% extends "wagtailadmin/login.html" %}
+{% load static %}
+
+{% block branding_login %}{{ SITE_NAME }}{% endblock %}
+
+{% block branding_logo %}
+    <div class="login-logo">
+        <img src="{% static 'images/tglogo_noytral.png' %}" alt="The Gathering Logo" class="icon-wagtail" />
+    </div>
+{% endblock %}
+
+{% block login_form %}
+    {% if DISABLE_LOCAL_AUTH is False %}
+        {{ block.super }}
+    {% endif %}
+{% endblock %}
+
+{% block submit_buttons %}
+    {% if DISABLE_LOCAL_AUTH is False %}
+        {{ block.super }}
+    {% endif %}
+    {% if KEYCLOAK_LOGIN is True %}
+        {% if DISABLE_LOCAL_AUTH is False %}
+            <br/>
+            <br/>
+        {% endif %}
+        <a href="{% url "social:begin" "keycloak" %}"><button type="button" class="button">Login using Wannabe5</button></a>
+    {% endif %}
+{% endblock %}

tgno/urls.py

@@ -14,6 +14,7 @@
 urlpatterns = [
     path("django-admin/", admin.site.urls),
     path("admin/", include(wagtailadmin_urls)),
+    path("", include("social_django.urls")),
     path("documents/", include(wagtaildocs_urls)),
     path("search/", search_views.search, name="search"),
     path("api/v2/", base_api_router.urls),