2018-08-21 21:52:28 +02:00
|
|
|
# Authentication in the development environment
|
|
|
|
|
|
|
|
This page documents special notes that are useful for configuring
|
|
|
|
Zulip's various authentication methods for testing in a development
|
|
|
|
environment.
|
|
|
|
|
|
|
|
## Testing OAuth in development
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2019-04-06 02:58:44 +02:00
|
|
|
Among the many [authentication methods](../production/authentication-methods.html)
|
2017-11-02 21:05:21 +01:00
|
|
|
we support, a server can be configured to allow users to sign in with
|
|
|
|
their Google accounts or GitHub accounts, using the OAuth protocol.
|
|
|
|
|
|
|
|
Because these authentication methods involve an interaction between
|
|
|
|
Zulip, an external service, and the user's browser, and particularly
|
|
|
|
because browsers can (rightly!) be picky about the identity of sites
|
|
|
|
you interact with, the preferred way to set them up in a development
|
|
|
|
environment is to set up the real Google and GitHub to process auth
|
|
|
|
requests for your development environment.
|
|
|
|
|
|
|
|
The steps to do this are a variation of the steps documented in
|
2019-06-07 13:26:04 +02:00
|
|
|
`prod_settings_template.py`. The main differences here are driven by
|
|
|
|
the fact that `dev_settings.py` is in Git, so it can be inconvenient
|
|
|
|
to put secrets there. In development, we allow providing those values
|
|
|
|
in the untracked file `zproject/dev-secrets.conf`, using the standard
|
|
|
|
lower-case naming convention for that file.
|
|
|
|
|
|
|
|
Here are the full procedures for dev:
|
2017-11-02 21:05:21 +01:00
|
|
|
|
|
|
|
### Google
|
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* Visit https://console.developers.google.com and navigate to "APIs &
|
|
|
|
services" > "Credentials". Create a "Project" which will correspond
|
|
|
|
to your dev environment.
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* Navigate to "APIs & services" > "Library", and find the "Google+
|
|
|
|
API". Choose "Enable".
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* Return to "Credentials", and select "Create credentials". Choose
|
|
|
|
"OAuth client ID", and follow prompts to create a consent screen, etc.
|
|
|
|
For "Authorized redirect URIs", fill in
|
|
|
|
`https://zulipdev.com:9991/accounts/login/google/done/` .
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* You should get a client ID and a client secret. Copy them. In
|
2019-06-13 21:30:55 +02:00
|
|
|
`dev-secrets.conf`, set `google_auth2_client_id` to the client ID
|
|
|
|
and `google_oauth2_client_secret` to the client secret.
|
2017-11-02 21:05:21 +01:00
|
|
|
|
|
|
|
### GitHub
|
|
|
|
|
|
|
|
* Register an OAuth2 application with GitHub at one of
|
2017-11-02 21:21:38 +01:00
|
|
|
https://github.com/settings/developers or
|
|
|
|
https://github.com/organizations/ORGNAME/settings/developers.
|
|
|
|
Specify `http://zulipdev.com:9991/complete/github/` as the callback URL.
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* You should get a page with settings for your new application,
|
2019-06-07 13:26:04 +02:00
|
|
|
showing a client ID and a client secret. In `dev-secrets.conf`, set
|
|
|
|
`social_auth_github_key` to the client ID and `social_auth_github_secret`
|
|
|
|
to the client secret.
|
2018-08-18 05:11:19 +02:00
|
|
|
|
2018-11-27 16:08:43 +01:00
|
|
|
### When SSL is required
|
|
|
|
|
|
|
|
Some OAuth providers (such as Facebook) require HTTPS on the callback
|
|
|
|
URL they post back to, which isn't supported directly by the Zulip
|
|
|
|
development environment. If you run a
|
2019-04-06 02:58:44 +02:00
|
|
|
[remote Zulip development server](../development/remote.html), we have
|
2018-11-27 16:08:43 +01:00
|
|
|
instructions for
|
2019-04-06 02:58:44 +02:00
|
|
|
[an nginx reverse proxy with SSL](../development/remote.html#using-an-nginx-reverse-proxy)
|
2018-11-27 16:08:43 +01:00
|
|
|
that you can use for your development efforts.
|
|
|
|
|
2018-08-18 05:11:19 +02:00
|
|
|
## Testing LDAP in development
|
|
|
|
|
2019-05-28 22:53:36 +02:00
|
|
|
Before Zulip 2.0, one of the more common classes of bug reports with
|
|
|
|
Zulip's authentication was users having trouble getting [LDAP
|
|
|
|
authentication](../production/authentication-methods.html#ldap-including-active-directory)
|
|
|
|
working. The root cause was because setting up a local LDAP server
|
|
|
|
for development was difficult, which meant most developers were unable
|
|
|
|
to work on fixing even simple issues with it.
|
2018-08-18 05:11:19 +02:00
|
|
|
|
|
|
|
We solved this problem for our unit tests long ago by using the
|
|
|
|
popular [fakeldap](https://github.com/zulip/fakeldap) library. And in
|
|
|
|
2018, we added convenient support for using fakeldap in the Zulip
|
|
|
|
development environment as well, so that you can go through all the
|
|
|
|
actual flows for LDAP configuration.
|
|
|
|
|
|
|
|
- To enable fakeldap, set `FAKE_LDAP_MODE` in
|
|
|
|
`zproject/dev_settings.py` to one of the following options. For more
|
2018-09-27 22:30:29 +02:00
|
|
|
information on these modes, refer to
|
2019-04-06 02:58:44 +02:00
|
|
|
[our production docs](../production/authentication-methods.html#ldap-including-active-directory):
|
2018-08-18 05:11:19 +02:00
|
|
|
- `a`: If users' email addresses are in LDAP and used as username.
|
|
|
|
- `b`: If LDAP only has usernames but email addresses are of the form
|
|
|
|
username@example.com
|
|
|
|
- `c`: If LDAP usernames are completely unrelated to email addresses.
|
|
|
|
|
|
|
|
- To disable fakeldap, set `FAKE_LDAP_MODE` back to `None`.
|
|
|
|
|
|
|
|
- In all fakeldap configurations, users' fake LDAP passwords are equal
|
|
|
|
to their usernames (e.g. for `ldapuser1@zulip.com`, the password is
|
|
|
|
`ldapuser1`).
|
|
|
|
|
2018-08-18 02:35:19 +02:00
|
|
|
- `FAKE_LDAP_NUM_USERS` in `zproject/dev_settings.py` can be used to
|
|
|
|
specify the number of LDAP users to be added. The default value for
|
|
|
|
the number of LDAP users is 8.
|
2019-06-17 22:11:29 +02:00
|
|
|
|
|
|
|
### Testing avatar and custom profile field synchronization
|
|
|
|
|
|
|
|
The fakeldap LDAP directories we use in the development environment
|
|
|
|
are generated by the code in `zerver/lib/dev_ldap_directory.py`, and
|
|
|
|
contain data one might want to sync, including avatars and custom
|
|
|
|
profile fields.
|
|
|
|
|
|
|
|
We also have configured `AUTH_LDAP_USER_ATTR_MAP` in
|
|
|
|
`zproject/dev_settings.py` to sync several of those fields. For
|
|
|
|
example:
|
|
|
|
|
|
|
|
* Modes `a` and `b` will set the user's avatar on account creation and
|
|
|
|
update it when `manage.py sync_ldap_user_data` is run.
|
|
|
|
* Mode `b` is configured to automatically have the `birthday` and
|
|
|
|
`Phone number` custom profile fields populated/synced.
|
|
|
|
* Mode `a` is configured to deactivate/reactivate users whose accounts
|
|
|
|
are disabled in LDAP when `manage.py sync_ldap_user_data` is run.
|
|
|
|
(Note that you'll likely need to edit
|
|
|
|
`zerver/lib/dev_ldap_directory.py` to ensure there are some accounts
|
|
|
|
configured to be disabled).
|
|
|
|
|
|
|
|
### Automated testing
|
|
|
|
|
|
|
|
For our automated tests, we generally configure custom LDAP data for
|
|
|
|
each individual test, because that generally means one can understand
|
|
|
|
exactly what data is being used in the test without looking at other
|
|
|
|
resources. It also gives us more freedom to edit the development
|
|
|
|
environment directory without worrying about tests.
|