2018-08-21 21:52:28 +02:00
|
|
|
# Authentication in the development environment
|
|
|
|
|
|
|
|
This page documents special notes that are useful for configuring
|
|
|
|
Zulip's various authentication methods for testing in a development
|
|
|
|
environment.
|
|
|
|
|
|
|
|
## Testing OAuth in development
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2019-09-30 19:37:56 +02:00
|
|
|
Among the many [authentication methods](../production/authentication-methods.md)
|
2017-11-02 21:05:21 +01:00
|
|
|
we support, a server can be configured to allow users to sign in with
|
|
|
|
their Google accounts or GitHub accounts, using the OAuth protocol.
|
|
|
|
|
|
|
|
Because these authentication methods involve an interaction between
|
|
|
|
Zulip, an external service, and the user's browser, and particularly
|
|
|
|
because browsers can (rightly!) be picky about the identity of sites
|
|
|
|
you interact with, the preferred way to set them up in a development
|
|
|
|
environment is to set up the real Google and GitHub to process auth
|
|
|
|
requests for your development environment.
|
|
|
|
|
|
|
|
The steps to do this are a variation of the steps documented in
|
2019-06-07 13:26:04 +02:00
|
|
|
`prod_settings_template.py`. The main differences here are driven by
|
|
|
|
the fact that `dev_settings.py` is in Git, so it can be inconvenient
|
|
|
|
to put secrets there. In development, we allow providing those values
|
|
|
|
in the untracked file `zproject/dev-secrets.conf`, using the standard
|
|
|
|
lower-case naming convention for that file.
|
|
|
|
|
|
|
|
Here are the full procedures for dev:
|
2017-11-02 21:05:21 +01:00
|
|
|
|
|
|
|
### Google
|
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* Visit https://console.developers.google.com and navigate to "APIs &
|
|
|
|
services" > "Credentials". Create a "Project" which will correspond
|
|
|
|
to your dev environment.
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2019-02-02 16:51:26 +01:00
|
|
|
* Navigate to "APIs & services" > "Library", and find the "Identity
|
|
|
|
Toolkit API". Choose "Enable".
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* Return to "Credentials", and select "Create credentials". Choose
|
|
|
|
"OAuth client ID", and follow prompts to create a consent screen, etc.
|
|
|
|
For "Authorized redirect URIs", fill in
|
2019-02-02 16:51:26 +01:00
|
|
|
`http://zulipdev.com:9991/complete/google/` .
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* You should get a client ID and a client secret. Copy them. In
|
2019-02-02 16:51:26 +01:00
|
|
|
`dev-secrets.conf`, set `social_auth_google_key` to the client ID
|
|
|
|
and `social_auth_google_secret` to the client secret.
|
2017-11-02 21:05:21 +01:00
|
|
|
|
|
|
|
### GitHub
|
|
|
|
|
|
|
|
* Register an OAuth2 application with GitHub at one of
|
2017-11-02 21:21:38 +01:00
|
|
|
https://github.com/settings/developers or
|
|
|
|
https://github.com/organizations/ORGNAME/settings/developers.
|
|
|
|
Specify `http://zulipdev.com:9991/complete/github/` as the callback URL.
|
2017-11-02 21:05:21 +01:00
|
|
|
|
2017-11-02 21:21:38 +01:00
|
|
|
* You should get a page with settings for your new application,
|
2019-06-07 13:26:04 +02:00
|
|
|
showing a client ID and a client secret. In `dev-secrets.conf`, set
|
|
|
|
`social_auth_github_key` to the client ID and `social_auth_github_secret`
|
|
|
|
to the client secret.
|
2018-08-18 05:11:19 +02:00
|
|
|
|
2019-09-29 06:32:56 +02:00
|
|
|
### SAML
|
|
|
|
|
2019-10-31 05:07:11 +01:00
|
|
|
* Sign up for a [developer Okta account](https://developer.okta.com/).
|
|
|
|
* Set up SAML authentication by following
|
|
|
|
[Okta's documentation](https://developer.okta.com/docs/guides/saml-application-setup/overview/).
|
|
|
|
Specify:
|
2019-09-29 06:32:56 +02:00
|
|
|
* `http://localhost:9991/complete/saml/` for the "Single sign on URL"`.
|
|
|
|
* `http://localhost:9991` for the "Audience URI (SP Entity ID)".
|
|
|
|
* Skip "Default RelayState".
|
|
|
|
* Skip "Name ID format".
|
|
|
|
* Set 'Email` for "Application username format".
|
|
|
|
* Provide "Attribute statements" of `email` to `user.email`,
|
|
|
|
`first_name` to `user.firstName`, and `last_name` to `user.lastName`.
|
2019-10-31 05:07:11 +01:00
|
|
|
* Assign at least one account in the "Assignments" tab. You'll use it for
|
|
|
|
signing up / logging in to Zulip.
|
2019-09-29 06:32:56 +02:00
|
|
|
* Visit the big "Setup instructions" button on the "Sign on" tab.
|
|
|
|
* Edit `zproject/dev-secrets.conf` to add the two values provided:
|
|
|
|
* Set `saml_url = http...` from "Identity Provider Single Sign-On
|
|
|
|
URL".
|
|
|
|
* Set `saml_entity_id = http://...` from "Identity Provider Issuer".
|
|
|
|
* Download the certificate and put it at the path `zproject/dev_saml.cert`.
|
|
|
|
* Now you should have working SAML authentication!
|
2019-10-31 05:07:11 +01:00
|
|
|
* You can sign up to the target realm with the account that you've "assigned"
|
|
|
|
in the previous steps (if the account's email address is allowed in the realm,
|
|
|
|
so you may have to change the realm settings to allow the appropriate email domain)
|
|
|
|
and then you'll be able to log in freely. Alternatively, you can create an account
|
|
|
|
with the email in any other way, and then just use SAML to log in.
|
2019-09-29 06:32:56 +02:00
|
|
|
|
2018-11-27 16:08:43 +01:00
|
|
|
### When SSL is required
|
|
|
|
|
|
|
|
Some OAuth providers (such as Facebook) require HTTPS on the callback
|
|
|
|
URL they post back to, which isn't supported directly by the Zulip
|
|
|
|
development environment. If you run a
|
2019-09-30 19:37:56 +02:00
|
|
|
[remote Zulip development server](../development/remote.md), we have
|
2018-11-27 16:08:43 +01:00
|
|
|
instructions for
|
2019-04-06 02:58:44 +02:00
|
|
|
[an nginx reverse proxy with SSL](../development/remote.html#using-an-nginx-reverse-proxy)
|
2018-11-27 16:08:43 +01:00
|
|
|
that you can use for your development efforts.
|
|
|
|
|
2018-08-18 05:11:19 +02:00
|
|
|
## Testing LDAP in development
|
|
|
|
|
2019-05-28 22:53:36 +02:00
|
|
|
Before Zulip 2.0, one of the more common classes of bug reports with
|
|
|
|
Zulip's authentication was users having trouble getting [LDAP
|
|
|
|
authentication](../production/authentication-methods.html#ldap-including-active-directory)
|
|
|
|
working. The root cause was because setting up a local LDAP server
|
|
|
|
for development was difficult, which meant most developers were unable
|
|
|
|
to work on fixing even simple issues with it.
|
2018-08-18 05:11:19 +02:00
|
|
|
|
|
|
|
We solved this problem for our unit tests long ago by using the
|
|
|
|
popular [fakeldap](https://github.com/zulip/fakeldap) library. And in
|
|
|
|
2018, we added convenient support for using fakeldap in the Zulip
|
|
|
|
development environment as well, so that you can go through all the
|
|
|
|
actual flows for LDAP configuration.
|
|
|
|
|
|
|
|
- To enable fakeldap, set `FAKE_LDAP_MODE` in
|
|
|
|
`zproject/dev_settings.py` to one of the following options. For more
|
2018-09-27 22:30:29 +02:00
|
|
|
information on these modes, refer to
|
2019-04-06 02:58:44 +02:00
|
|
|
[our production docs](../production/authentication-methods.html#ldap-including-active-directory):
|
2018-08-18 05:11:19 +02:00
|
|
|
- `a`: If users' email addresses are in LDAP and used as username.
|
|
|
|
- `b`: If LDAP only has usernames but email addresses are of the form
|
|
|
|
username@example.com
|
|
|
|
- `c`: If LDAP usernames are completely unrelated to email addresses.
|
|
|
|
|
|
|
|
- To disable fakeldap, set `FAKE_LDAP_MODE` back to `None`.
|
|
|
|
|
|
|
|
- In all fakeldap configurations, users' fake LDAP passwords are equal
|
|
|
|
to their usernames (e.g. for `ldapuser1@zulip.com`, the password is
|
|
|
|
`ldapuser1`).
|
|
|
|
|
2018-08-18 02:35:19 +02:00
|
|
|
- `FAKE_LDAP_NUM_USERS` in `zproject/dev_settings.py` can be used to
|
|
|
|
specify the number of LDAP users to be added. The default value for
|
|
|
|
the number of LDAP users is 8.
|
2019-06-17 22:11:29 +02:00
|
|
|
|
|
|
|
### Testing avatar and custom profile field synchronization
|
|
|
|
|
|
|
|
The fakeldap LDAP directories we use in the development environment
|
|
|
|
are generated by the code in `zerver/lib/dev_ldap_directory.py`, and
|
|
|
|
contain data one might want to sync, including avatars and custom
|
|
|
|
profile fields.
|
|
|
|
|
|
|
|
We also have configured `AUTH_LDAP_USER_ATTR_MAP` in
|
|
|
|
`zproject/dev_settings.py` to sync several of those fields. For
|
|
|
|
example:
|
|
|
|
|
|
|
|
* Modes `a` and `b` will set the user's avatar on account creation and
|
|
|
|
update it when `manage.py sync_ldap_user_data` is run.
|
|
|
|
* Mode `b` is configured to automatically have the `birthday` and
|
|
|
|
`Phone number` custom profile fields populated/synced.
|
|
|
|
* Mode `a` is configured to deactivate/reactivate users whose accounts
|
|
|
|
are disabled in LDAP when `manage.py sync_ldap_user_data` is run.
|
|
|
|
(Note that you'll likely need to edit
|
|
|
|
`zerver/lib/dev_ldap_directory.py` to ensure there are some accounts
|
|
|
|
configured to be disabled).
|
|
|
|
|
|
|
|
### Automated testing
|
|
|
|
|
|
|
|
For our automated tests, we generally configure custom LDAP data for
|
|
|
|
each individual test, because that generally means one can understand
|
|
|
|
exactly what data is being used in the test without looking at other
|
|
|
|
resources. It also gives us more freedom to edit the development
|
|
|
|
environment directory without worrying about tests.
|
2019-10-07 21:10:18 +02:00
|
|
|
|
|
|
|
## Two Factor Authentication
|
|
|
|
|
|
|
|
Zulip uses [django-two-factor-auth][0] as a beta 2FA integration.
|
|
|
|
|
|
|
|
To enable 2FA, set `TWO_FACTOR_AUTHENTICATION_ENABLED` in settings to
|
|
|
|
`True`, then log into Zulip and add otp device from settings
|
|
|
|
page. Once the device is added, password based authentication will ask
|
|
|
|
for one-time-password. In the development environment., this
|
|
|
|
one-time-password will be printed to the console when you try to
|
|
|
|
login. Just copy-paste it into the form field to continue.
|
|
|
|
|
|
|
|
Direct development logins don't prompt for 2FA one-time-passwords, so
|
|
|
|
to test 2FA in development, make sure that you login using a
|
|
|
|
password. You can get the passwords for the default test users using
|
|
|
|
`./manage.py print_initial_password`.
|
|
|
|
|
|
|
|
[0]: https://github.com/Bouke/django-two-factor-auth
|