Merge pull request #130 from open-zaak/feature/remove-adfs

Feature/remove adfs

CHANGELOG.rst

@@ -2,6 +2,53 @@
 Changes
 =======
 
+1.6.0 (2024-??-??)
+------------------
+
+.. warning::
+
+   Manual intervention required for ADFS/AAD users.
+
+   In Open Notificaties 1.4.x we replaced the ADFS/Azure AD integration with the generic OIDC
+   integration. If you are upgrading from an older version, you must first upgrade to
+   the 1.4.x release series before upgrading to 1.6, and follow the manual intervention
+   steps in the 1.4 release notes.
+
+   After upgrading to 1.6, you can clean up the ADFS database entries by executing the
+   ``bin/uninstall_adfs.sh`` script on your infrastructure.
+
+    .. tabs::
+
+     .. group-tab:: single-server
+
+       .. code-block:: bash
+
+           $ docker exec opennotificaties-0 /app/bin/uninstall_adfs.sh
+
+           BEGIN
+           DROP TABLE
+           DELETE 3
+           COMMIT
+
+
+     .. group-tab:: Kubernetes
+
+       .. code-block:: bash
+
+           $ kubectl get pods
+           NAME                                READY   STATUS    RESTARTS   AGE
+           cache-79455b996-jxk9r               1/1     Running   0          2d9h
+           opennotificaties-7b696c8fd5-hchbq   1/1     Running   0          2d9h
+           opennotificaties-7b696c8fd5-kz2pb   1/1     Running   0          2d9h
+
+           $ kubectl exec opennotificaties-7b696c8fd5-hchbq -- /app/bin/uninstall_adfs.sh
+
+           BEGIN
+           DROP TABLE
+           DELETE 3
+           COMMIT
+
+
 1.5.2 (2024-02-07)
 ==================
 
@@ -115,7 +162,7 @@ Bugfix release following 1.4.0
    ``https://open-notificaties.gemeente.nl/adfs/callback`` becomes
    ``https://open-notificaties.gemeente.nl/oidc/callback``.
 
-   In release 1.5.0 you will be able to finalize the removal by dropping the relevant
+   In release 1.6.0 you will be able to finalize the removal by dropping the relevant
    tables.
 
 1.3.0 (2022-03-28)

docs/manual/adfs.rst

@@ -14,12 +14,12 @@ ADFS (On premise) being removed
    ``/adfs/callback`` should be changed into ``/oidc/callback``.
 
    Open Notificaties 1.4.0 provides a redirect from the old to the new URL, which will be
-   removed in Open Notificaties 1.5.0.
+   removed in Open Notificaties 1.6.0.
 
 Uninstalling
 ============
 
-The uninstaller can be run from Open Notificaties 1.5.0 onwards, after we have removed the
+The uninstaller can be run from Open Notificaties 1.6.0 onwards, after we have removed the
 external dependencies.
 
 .. tabs::

requirements/base.in

@@ -11,7 +11,6 @@ self-certifi
 
 # Framework libraries
 Django ~= 3.2.0
-django-auth-adfs-db
 django-axes
 django-choices
 django-cors-headers

requirements/base.txt

@@ -59,7 +59,6 @@ coreschema==0.0.4
     #   drf-yasg
 cryptography==41.0.7
     # via
-    #   django-auth-adfs
     #   josepy
     #   mozilla-django-oidc
     #   pyopenssl
@@ -69,8 +68,6 @@ django==3.2.24
     #   commonground-api-common
     #   django-admin-index
     #   django-appconf
-    #   django-auth-adfs
-    #   django-auth-adfs-db
     #   django-axes
     #   django-choices
     #   django-cors-headers
@@ -95,10 +92,6 @@ django-admin-index==2.0.0
     # via -r requirements/base.in
 django-appconf==1.0.5
     # via django-log-outgoing-requests
-django-auth-adfs==1.11.6
-    # via django-auth-adfs-db
-django-auth-adfs-db==0.3.0
-    # via -r requirements/base.in
 django-axes==5.31.0
     # via -r requirements/base.in
 django-choices==1.7.2
@@ -132,7 +125,6 @@ django-sendfile2==0.7.0
 django-solo==2.0.0
     # via
     #   commonground-api-common
-    #   django-auth-adfs-db
     #   django-log-outgoing-requests
     #   mozilla-django-oidc-db
     #   notifications-api-common
@@ -213,7 +205,6 @@ pycparser==2.21
 pyjwt==2.4.0
     # via
     #   commonground-api-common
-    #   django-auth-adfs
     #   gemma-zds-client
 pyopenssl==23.3.0
     # via
@@ -246,7 +237,6 @@ requests==2.31.0
     # via
     #   commonground-api-common
     #   coreapi
-    #   django-auth-adfs
     #   django-log-outgoing-requests
     #   gemma-zds-client
     #   mozilla-django-oidc
@@ -280,7 +270,6 @@ uritemplate==3.0.0
     #   drf-yasg
 urllib3==1.26.18
     # via
-    #   django-auth-adfs
     #   elastic-apm
     #   requests
     #   sentry-sdk

requirements/ci.txt

@@ -92,7 +92,6 @@ coverage==6.3.2
 cryptography==41.0.7
     # via
     #   -r requirements/base.txt
-    #   django-auth-adfs
     #   josepy
     #   mozilla-django-oidc
     #   pyopenssl
@@ -102,8 +101,6 @@ django==3.2.24
     #   commonground-api-common
     #   django-admin-index
     #   django-appconf
-    #   django-auth-adfs
-    #   django-auth-adfs-db
     #   django-axes
     #   django-choices
     #   django-cors-headers
@@ -130,12 +127,6 @@ django-appconf==1.0.5
     # via
     #   -r requirements/base.txt
     #   django-log-outgoing-requests
-django-auth-adfs==1.11.6
-    # via
-    #   -r requirements/base.txt
-    #   django-auth-adfs-db
-django-auth-adfs-db==0.3.0
-    # via -r requirements/base.txt
 django-axes==5.31.0
     # via -r requirements/base.txt
 django-choices==1.7.2
@@ -186,7 +177,6 @@ django-solo==2.0.0
     # via
     #   -r requirements/base.txt
     #   commonground-api-common
-    #   django-auth-adfs-db
     #   django-log-outgoing-requests
     #   mozilla-django-oidc-db
     #   notifications-api-common
@@ -338,7 +328,6 @@ pyjwt==2.4.0
     # via
     #   -r requirements/base.txt
     #   commonground-api-common
-    #   django-auth-adfs
     #   gemma-zds-client
 pyopenssl==23.3.0
     # via
@@ -382,7 +371,6 @@ requests==2.31.0
     #   -r requirements/base.txt
     #   commonground-api-common
     #   coreapi
-    #   django-auth-adfs
     #   django-log-outgoing-requests
     #   gemma-zds-client
     #   mozilla-django-oidc
@@ -438,7 +426,6 @@ uritemplate==3.0.0
 urllib3==1.26.18
     # via
     #   -r requirements/base.txt
-    #   django-auth-adfs
     #   elastic-apm
     #   requests
     #   sentry-sdk

requirements/dev.txt

@@ -105,7 +105,6 @@ coverage==6.3.2
 cryptography==41.0.7
     # via
     #   -r requirements/ci.txt
-    #   django-auth-adfs
     #   josepy
     #   mozilla-django-oidc
     #   pyopenssl
@@ -115,8 +114,6 @@ django==3.2.24
     #   commonground-api-common
     #   django-admin-index
     #   django-appconf
-    #   django-auth-adfs
-    #   django-auth-adfs-db
     #   django-axes
     #   django-choices
     #   django-cors-headers
@@ -145,12 +142,6 @@ django-appconf==1.0.5
     # via
     #   -r requirements/ci.txt
     #   django-log-outgoing-requests
-django-auth-adfs==1.11.6
-    # via
-    #   -r requirements/ci.txt
-    #   django-auth-adfs-db
-django-auth-adfs-db==0.3.0
-    # via -r requirements/ci.txt
 django-axes==5.31.0
     # via -r requirements/ci.txt
 django-choices==1.7.2
@@ -205,7 +196,6 @@ django-solo==2.0.0
     # via
     #   -r requirements/ci.txt
     #   commonground-api-common
-    #   django-auth-adfs-db
     #   django-log-outgoing-requests
     #   mozilla-django-oidc-db
     #   notifications-api-common
@@ -390,7 +380,6 @@ pyjwt==2.4.0
     # via
     #   -r requirements/ci.txt
     #   commonground-api-common
-    #   django-auth-adfs
     #   gemma-zds-client
 pyopenssl==23.3.0
     # via
@@ -440,7 +429,6 @@ requests==2.31.0
     #   -r requirements/ci.txt
     #   commonground-api-common
     #   coreapi
-    #   django-auth-adfs
     #   django-log-outgoing-requests
     #   gemma-zds-client
     #   mozilla-django-oidc
@@ -532,7 +520,6 @@ uritemplate==3.0.0
 urllib3==1.26.18
     # via
     #   -r requirements/ci.txt
-    #   django-auth-adfs
     #   elastic-apm
     #   requests
     #   sentry-sdk

src/nrc/accounts/migrations/0004_migrate_from_auth_adfs_db.py

@@ -1,67 +1,18 @@
 # Generated by Django 3.2.13 on 2022-06-21 06:41
 
-import sys
 
 from django.db import migrations
 
-from django_auth_adfs.config import provider_config, settings as auth_adfs_settings
-from mozilla_django_oidc_db.forms import OpenIDConnectConfigForm
-
-
-def from_auth_adfs_to_mozilla_oidc(apps, schema_editor):
-    ADFSConfig = apps.get_model("django_auth_adfs_db", "ADFSConfig")
-    OpenIDConnectConfig = apps.get_model(
-        "mozilla_django_oidc_db", "OpenIDConnectConfig"
-    )
-
-    adfs_config = ADFSConfig.objects.first()
-    if adfs_config is None:
-        return
-
-    oidc_config = OpenIDConnectConfig.objects.first()
-    if oidc_config and oidc_config.oidc_op_discovery_endpoint:
-        print("Existing OIDC config found, not overwriting it.", file=sys.stderr)
-        return
-    elif oidc_config is None:
-        oidc_config = OpenIDConnectConfig()
-
-    config_url = f"https://{auth_adfs_settings.SERVER}/{auth_adfs_settings.TENANT_ID}/"
-    provider_config.load_config()
-
-    # copy configuration over
-    form = OpenIDConnectConfigForm(
-        instance=oidc_config,
-        data={
-            "enabled": adfs_config.enabled,
-            "oidc_rp_client_id": adfs_config.client_id,
-            "oidc_rp_client_secret": adfs_config.client_secret,
-            "oidc_rp_sign_algo": "RS256",
-            "oidc_op_discovery_endpoint": config_url,
-            "username_claim": adfs_config.username_claim,
-            "claim_mapping": adfs_config.claim_mapping,
-            "groups_claim": "roles",
-            "sync_groups": adfs_config.sync_groups,
-            "sync_groups_glob_pattern": "*",
-        },
-    )
-
-    if not form.is_valid():
-        print("Could not automatically migrate the ADFS config", file=sys.stderr)
-        return
-
-    form.save()
-    adfs_config.enabled = False
-    adfs_config.save()
-
 
 class Migration(migrations.Migration):
 
+    # migration is made no-op in the 1.6.x release series - on 1.4.x this copied
+    # over the configuration from auth_adfs to mozilla_oidc.
+    # This migration is kept for historical reasons to not mess with the migration
+    # history of existing installs. See #1139 for more context.
     dependencies = [
         ("accounts", "0003_add_adfs_admin_index"),
-        ("django_auth_adfs_db", "0003_auto_20210323_1441"),
         ("mozilla_django_oidc_db", "0008_auto_20220422_0849"),
     ]
 
-    operations = [
-        migrations.RunPython(from_auth_adfs_to_mozilla_oidc, migrations.RunPython.noop),
-    ]
+    operations = []

src/nrc/conf/includes/base.py

@@ -124,8 +124,6 @@
     "rest_framework",
     "django_markup",
     "solo",
-    "django_auth_adfs",
-    "django_auth_adfs_db",
     "django_jsonform",
     "mozilla_django_oidc",
     "mozilla_django_oidc_db",
@@ -500,10 +498,6 @@
 ADMIN_INDEX_SHOW_REMAINING_APPS_TO_SUPERUSERS = False
 ADMIN_INDEX_AUTO_CREATE_APP_GROUP = False
 
-#
-# DJANGO AUTH ADFS
-#
-AUTH_ADFS = {"SETTINGS_CLASS": "django_auth_adfs_db.settings.Settings"}
 
 #
 # OpenZaak configuration

src/nrc/urls.py

@@ -4,7 +4,7 @@
 from django.contrib import admin
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
 from django.urls import include, path
-from django.views.generic import RedirectView, TemplateView
+from django.views.generic import TemplateView
 
 from vng_api_common.views import ViewConfigView
 
@@ -18,16 +18,6 @@
     # Simply show the master template.
     path("", TemplateView.as_view(template_name="index.html"), name="home"),
     path("ref/", include("vng_api_common.urls")),
-    # See #1139 - the ADFS backend is phasing out. We provide redirects to give users time
-    # to update their redirect URIs on the ADFS side.
-    path(
-        "adfs/callback",
-        RedirectView.as_view(
-            permanent=True,
-            query_string=True,
-            pattern_name="oidc_authentication_callback",
-        ),
-    ),
     path("oidc/", include("mozilla_django_oidc.urls")),
     path("view-config/", ViewConfigView.as_view(), name="view-config"),
 ]