From e79dfa3e66dab94195ae1d11176a35a58590d50b Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 12 Nov 2025 07:36:38 -0500 Subject: [PATCH 1/8] Startup issue when configuring the color scheme. fix suggested by GR. --- appstore/product/configuration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appstore/product/configuration.py b/appstore/product/configuration.py index bdd7a7723..f8c10663c 100644 --- a/appstore/product/configuration.py +++ b/appstore/product/configuration.py @@ -34,6 +34,6 @@ class ProductSettings: brand: str = "CommonsShare" title: str = "CommonsShare" logo_url: str = "/static/images/commonsshare/logo-lg.png" - color_scheme: ProductColorScheme = ProductColorScheme() + color_scheme: ProductColorScheme = field(default_factory=lambda: ProductColorScheme()) capabilities: List[str] = field(default_factory=lambda: ['app', 'search']) From da3da2f7742625bee19f3ed71d63f3e6b163a5b2 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 19 Nov 2025 13:59:07 -0500 Subject: [PATCH 2/8] improving message comment --- appstore/core/management/commands/addingwhitelistedsocialapp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appstore/core/management/commands/addingwhitelistedsocialapp.py b/appstore/core/management/commands/addingwhitelistedsocialapp.py index f6c13b40f..b07f910c0 100644 --- a/appstore/core/management/commands/addingwhitelistedsocialapp.py +++ b/appstore/core/management/commands/addingwhitelistedsocialapp.py @@ -25,4 +25,4 @@ def handle(self, *args, **kwargs): if not Group.objects.filter(name='whitelisted'): Group.objects.create(name='whitelisted') - print("Successfully added social applications GitHub and Google and whitelisted to the Group!") + print("Successfully added social applications and whitelisted them into the Group!") From 2fc11def6e51131780005d89c6eca991450fec70 Mon Sep 17 00:00:00 2001 
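Review bot: The lambda in `field(default_factory=lambda: ProductColorScheme())` is redundant — `default_factory` takes any zero-argument callable, and the class itself is one, so the line reads more simply as `color_scheme: ProductColorScheme = field(default_factory=ProductColorScheme)`, matching the intent better than the `capabilities` line below it, which genuinely needs a lambda to build a list literal. A one-line why-comment would help the next reader, since the startup failure is not obvious from the diff: `# dataclass forbids a shared instance as a field default; build one per ProductSettings` (presumably ProductColorScheme is itself a non-frozen dataclass, which recent Python rejects as a plain default — confirm). The rest of `ProductSettings` is outside the hunk.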
From: Phil Owen Date: Wed, 19 Nov 2025 14:02:18 -0500 Subject: [PATCH 3/8] adding CILogon --- README.md | 58 ++++++++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 313671beb..8b00d4f0d 100644 --- a/README.md +++ b/README.md 
@@ -75,28 +75,31 @@ concerns are: During development, environment variables can be set to control execution: -| Variable | Description | -| :------------------------------------- | :---------------------------------------------------------------- | -| BRAND=[braini, cat, heal, restartr, scidas, eduhelx] | Product context configuration for the appstore. | -| DJANGO_SETTINGS_MODULE=[appstore.settings._settings] | Product settings module configuration for the appstore. | -| DEV_PHASE=[stub, local, dev, val, prod] | In stub, does not require a Tycho service. | -| ALLOW_DJANGO_LOGIN=[TRUE, FALSE] | When true, presents username and password authentication options. | -| SECRET_KEY | Key for securing the application. | -| OAUTH_PROVIDERS | Contains all the providers(google, github). | -| GOOGLE_CLIENT_ID | Contains the client_id of the provider. | -| GOOGLE_SECRET | Contains the secret key for provider. | -| GOOGLE_NAME | Sets the name for the provider. | -| GITHUB_CLIENT_ID | Contains the client_id of the provider. | -| GITHUB_SECRET | Contains the secret key of the provider. | -| GITHUB_NAME | Sets the name for the provider. | -| APPSTORE_DJANGO_USERNAME | Holds superuser username credentials. | -| APPSTORE_DJANGO_PASSWORD | Holds superuser password credentials. | -| TYCHO_URL | Contains the url of the running tycho host. | -| OAUTH_DB_DIR | Contains the path for the database directory. | -| OAUTH_DB_FILE | Contains the path for the database file. | -| APPSTORE_DEFAULT_FROM_EMAIL | Default email address for appstore. | -| APPSTORE_DEFAULT_SUPPORT_EMAIL | Default support email for appstore. | -| ACCOUNT_DEFAULT_HTTP_PROTOCOL | Allows to switch between http and https protocol. | +| Variable | Description | +|:-------------------------------------------------------------|:------------------------------------------------------------------| +| BRAND=[braini, cat, heal, restartr, scidas, eduhelx] | Product context configuration for the appstore. 
| +| DJANGO_SETTINGS_MODULE=[appstore.settings._settings] | Product settings module configuration for the appstore. | +| DEV_PHASE=[stub, local, dev, val, prod] | In stub, does not require a Tycho service. | +| ALLOW_DJANGO_LOGIN=[TRUE, FALSE] | When true, presents username and password authentication options. | +| SECRET_KEY | Key for securing the application. | +| OAUTH_PROVIDERS | Contains all the providers(google, github, cilogon). | +| CILOGON_CLIENT_ID | Contains the client_id of the provider. | +| CILOGON_SECRET | Contains the secret key for provider. | +| CILOGON_NAME | Sets the name for the provider. | +| GOOGLE_CLIENT_ID | Contains the client_id of the provider. | +| GOOGLE_SECRET | Contains the secret key for provider. | +| GOOGLE_NAME | Sets the name for the provider. | +| GITHUB_CLIENT_ID | Contains the client_id of the provider. | +| GITHUB_SECRET | Contains the secret key of the provider. | +| GITHUB_NAME | Sets the name for the provider. | +| APPSTORE_DJANGO_USERNAME | Holds superuser username credentials. | +| APPSTORE_DJANGO_PASSWORD | Holds superuser password credentials. | +| TYCHO_URL | Contains the url of the running tycho host. | +| OAUTH_DB_DIR | Contains the path for the database directory. | +| OAUTH_DB_FILE | Contains the path for the database file. | +| APPSTORE_DEFAULT_FROM_EMAIL | Default email address for appstore. | +| APPSTORE_DEFAULT_SUPPORT_EMAIL | Default support email for appstore. | +| ACCOUNT_DEFAULT_HTTP_PROTOCOL | Allows to switch between http and https protocol. | The provided .env.sample contains a starter that you can update and source for development. 
@@ -527,13 +530,17 @@ appstore: EMAIL_HOST_PASSWORD: DOCKSTORE_APPS_BRANCH: oauth: - OAUTH_PROVIDERS: "github,google" + OAUTH_PROVIDERS: "github,google,cilogon" GITHUB_NAME: GITHUB_CLIENT_ID: GITHUB_SECRET: GOOGLE_NAME: GOOGLE_CLIENT_ID: - GOOGLE_SECRET: + GOOGLE_SECRET: + CILOGON_NAME: + CILOGON_CLIENT_ID: + CILOGON_SECRET: + ACCOUNT_DEFAULT_HTTP_PROTOCOL: https appstoreEntrypointArgs: "make start" userStorage: @@ -558,6 +565,9 @@ As part of user configuration, system administration will obtain the following - GOOGLE_NAME - GOOGLE_CLIENT_ID - GOOGLE_SECRET + - CILOGON_NAME + - CILOGON_CLIENT_ID + - CILOGON_SECRET - serverName - IP - nginxTLSSecret From 305e12c6324dfb9498d67814acb648da4e0db834 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Thu, 20 Nov 2025 14:40:25 -0500 Subject: [PATCH 4/8] adding override to see what social accounts are returning for data. --- appstore/appstore/adapter.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/appstore/appstore/adapter.py b/appstore/appstore/adapter.py index b2816809d..8fd8c93fa 100644 --- a/appstore/appstore/adapter.py +++ b/appstore/appstore/adapter.py @@ -16,7 +16,6 @@ def clean_email(self, email): ) return email - class LoginRedirectAdapter(DefaultAccountAdapter, DefaultSocialAccountAdapter): """ For regular form login redirect the user to the correct @@ -60,6 +59,12 @@ def get_logout_redirect_url(self, request): return url class SocialAccountAdapter(DefaultSocialAccountAdapter): + + def populate_user(self, request, sociallogin, data): + user = super().populate_user(request, sociallogin, data) + print('sociallogin.account.extra_data:', sociallogin.account.extra_data) + return user + def on_authentication_error(self, request, provider, error=None, exception=None, extra_context=None): provider_id = provider.id if provider else "unknown" error_code = error.name if error else "unknown" From c39fe62d424db4a629cc75b090aeb5e9005578ec Mon Sep 17 00:00:00 2001 
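Review bot: The new `populate_user` override prints the provider's entire `extra_data` payload to stdout on every social login; for OAuth/OIDC providers that payload carries the user's email, name and subject identifiers and, depending on the provider, can include raw tokens, so this lands unredacted in container logs of any deployment that runs this code. If the trace is only needed while wiring up CILogon, gate it and log key names rather than values, e.g. `if settings.DEBUG: logger.debug("%s extra_data keys: %s", sociallogin.account.provider, sorted(sociallogin.account.extra_data))` (assuming adapter.py already has `settings` and a module logger in scope — they are not visible in this hunk), or drop the override before merge. Separately, the hunk also deletes one of the two blank lines before `class LoginRedirectAdapter`, which PEP 8 wants kept. `on_authentication_error` continues past the end of the hunk.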
From: Phil Owen Date: Thu, 20 Nov 2025 14:55:13 -0500 Subject: [PATCH 5/8] tidying up, correcting spelling mistake. --- appstore/appstore/settings/base.py | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index f3ab83c82..93e8be709 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -11,6 +11,27 @@ logger = logging.getLogger(__name__) +# SECURITY WARNING: don't run with debug turned on in production! +# Empty quotes equates to false in kubernetes env. +DEBUG_STRING = os.environ.get("DEBUG", "") +if DEBUG_STRING.lower() == "false": + DEBUG_STRING = "" + +DEBUG = bool(DEBUG_STRING) + +if DEBUG: + from product.configuration import ProductSettings, ProductColorScheme + + APPLICATION_BRAND = os.environ.get("BRAND", "") + + PRODUCT_SETTINGS = ProductSettings( + brand=APPLICATION_BRAND, + title=APPLICATION_BRAND, + logo_url=f"/static/images/{APPLICATION_BRAND}/logo.png", + color_scheme=ProductColorScheme("#191348", "#0079bc"), + links=None, + ) + APPSTORE_NESTED_SETTINGS_DIR = Path(__file__).parent.resolve(strict=True) APPSTORE_CONFIG_DIR = APPSTORE_NESTED_SETTINGS_DIR.parent DJANGO_PROJECT_ROOT_DIR = APPSTORE_CONFIG_DIR.parent @@ -35,12 +56,6 @@ # SECURITY WARNING: keep the secret key used in production secret! SECRET_KEY = os.environ["SECRET_KEY"] -# SECURITY WARNING: don't run with debug turned on in production! -# Empty quotes equates to false in kubernetes env. -DEBUG_STRING = os.environ.get("DEBUG", "") -if DEBUG_STRING.lower() == "false": - DEBUG_STRING = "" -DEBUG = bool(DEBUG_STRING) # stub, local, dev, val, prod. DEV_PHASE = os.environ.get("DEV_PHASE", "local") 
@@ -159,7 +174,7 @@ SAML_URL = "/accounts/saml" SAML_ACS_URL = "/saml2_auth/acs/" #SAML_ACS_URL = "/sso/acs/" -SOCIALACCOUNT_ADAPATER = "appstore.adapter.SocialAccountAdapter" +SOCIALACCOUNT_ADAPTER = "appstore.adapter.SocialAccountAdapter" SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED SOCIALACCOUNT_STORE_TOKENS = True SOCIALACCOUNT_PROVIDERS = { From a02af714fc48d48b02c026588b63aa0dddec77ff Mon Sep 17 00:00:00 2001 From: frostyfan109 Date: Wed, 10 Dec 2025 12:44:50 -0500 Subject: [PATCH 6/8] add oidc dex config --- appstore/appstore/settings/base.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index 93e8be709..ec922d18f 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -107,6 +107,7 @@ "crispy_forms", "rest_framework", "drf_spectacular", + "allauth.socialaccount.providers.openid_connect" ] ## Setting to allow for a seamless login that was breaking at django-allauth 0.47. @@ -178,7 +179,20 @@ SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED SOCIALACCOUNT_STORE_TOKENS = True SOCIALACCOUNT_PROVIDERS = { - "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}} + "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, + "openid_connect": { + "APPS": [ + { + "provider_id": "dex", + "name": "Dex IDP", + "client_id": "django", + "secret": "xL4QMryQ_6TrIzYBbpnZt864vFJtD_dkOFQJZmrYIZbV5Gz5LfNdzbFpCYk6aki3dOwrIqnuRhGKmU8WXz757Q", + "settings": { + "server_url": "https://helx-dex-server.apps.renci.org/dex" + }, + } + ] + } } SECURE_CROSS_ORIGIN_OPENER_POLICY = None From 15d5124d8d75baa54eec8462d3e792741ed4a0a9 Mon Sep 17 00:00:00 2001 
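Review bot: Correcting `SOCIALACCOUNT_ADAPATER` to `SOCIALACCOUNT_ADAPTER` is more than a spelling fix: Django ignores unknown setting names, so allauth has been using its default social adapter until now and `appstore.adapter.SocialAccountAdapter` (with its `on_authentication_error` override and the `populate_user` print added in the previous patch) takes effect for the first time with this line. That deserves a mention in the commit message and a re-test of each social login path, including the error path. A short comment above the setting would prevent a repeat: `# Name must match allauth's setting exactly; a misspelling is silently ignored and the default adapter is used`.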
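Review bot: The Dex app added to `SOCIALACCOUNT_PROVIDERS` embeds a live client secret as a string literal in base.py, together with a fixed `client_id` and `server_url`, whereas every other credential in this file is read from the environment (`SECRET_KEY = os.environ["SECRET_KEY"]` in the preceding hunk's context). Read these three values the same way: `"client_id": os.environ.get("DEX_CLIENT_ID", ""),` / `"secret": os.environ.get("DEX_SECRET", ""),` / `"server_url": os.environ.get("DEX_SERVER_URL", ""),`, and add the variables to the README table and Helm values alongside the CILOGON ones. The committed value must also be rotated in Dex regardless of how this hunk is rewritten, since it is already in git history. Because the app is registered unconditionally, it is also worth noting that any deployment built from this settings module will present a login that redirects to the RENCI Dex host.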
From: frostyfan109 Date: Wed, 10 Dec 2025 15:04:18 -0500 Subject: [PATCH 7/8] fix providers endpoint, move openid_connect installation --- appstore/api/v1/views.py | 7 ++++--- appstore/appstore/settings/base.py | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/appstore/api/v1/views.py b/appstore/api/v1/views.py index e29089457..9285670ed 100644 --- a/appstore/api/v1/views.py +++ b/appstore/api/v1/views.py @@ -873,11 +873,12 @@ def _get_social_providers(self, request, settings): "allauth.account.auth_backends.AuthenticationBackend" in settings.AUTHENTICATION_BACKENDS ): - for provider in socialaccount.providers.registry.get_class_list(): - inst = provider(request, "allauth.socialaccount") + adapter = socialaccount.adapter.get_adapter(request) + providers = adapter.list_providers(request) + for provider in providers: provider_data.append( asdict( - LoginProvider(inst.name, inst.get_login_url(request)) + LoginProvider(provider.name, provider.get_login_url(request)) ) ) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index ec922d18f..7c6659e53 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -106,8 +106,7 @@ "corsheaders", "crispy_forms", "rest_framework", - "drf_spectacular", - "allauth.socialaccount.providers.openid_connect" + "drf_spectacular" ] ## Setting to allow for a seamless login that was breaking at django-allauth 0.47. @@ -127,6 +126,7 @@ for PROVIDER in OAUTH_PROVIDERS: if PROVIDER != '': THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.{PROVIDER}") +THIRD_PARTY_APPS.append("allauth.socialaccount.providers.openid_connect") INSTALLED_APPS = DJANGO_APPS + THIRD_PARTY_APPS + LOCAL_APPS From 2b27805aec4caade290ec79625bcb4701f9760fb Mon Sep 17 00:00:00 2001 From: frostyfan109 Date: Wed, 10 Dec 2025 17:35:12 -0500 Subject: [PATCH 8/8] update whitelist required URL --- appstore/appstore/settings/base.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
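Review bot: `THIRD_PARTY_APPS.append("allauth.socialaccount.providers.openid_connect")` sits outside the `OAUTH_PROVIDERS` loop, so the OpenID Connect provider, and with it the `dex` app declared in `SOCIALACCOUNT_PROVIDERS`, is installed in every deployment regardless of what the operator put in `OAUTH_PROVIDERS`, and the rewritten `_get_social_providers` in views.py will now advertise "Dex IDP" to all users. The other providers are opt-in through that environment variable, and the loop already installs `allauth.socialaccount.providers.openid_connect` whenever `openid_connect` is listed there, so this line is both redundant and a loss of control; drop it and document `OAUTH_PROVIDERS="github,google,cilogon,openid_connect"` as the way to enable it. The `dex` entry in `SOCIALACCOUNT_PROVIDERS` presumably needs the same gating, but that config is in a different hunk.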
diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py
index 7c6659e53..b057de70b 100644
--- a/appstore/appstore/settings/base.py
+++ b/appstore/appstore/settings/base.py
@@ -170,7 +170,7 @@
 ACCOUNT_LOGOUT_REDIRECT_URL = "/helx"
 LOGIN_REDIRECT_URL = "/helx/workspaces/login/success"
 LOGIN_URL = "/accounts/login"
-LOGIN_WHITELIST_URL = "/login_whitelist/"
+LOGIN_WHITELIST_URL = "/helx/workspaces/login?whitelist_required=true"
 OIDC_SESSION_MANAGEMENT_ENABLE = True
 SAML_URL = "/accounts/saml"
 SAML_ACS_URL = "/saml2_auth/acs/"