Version Bump 3.3.0

CCP SSO Issues, Mitigations

See merge request allianceauth/allianceauth!1472

.pre-commit-config.yaml

@@ -13,9 +13,23 @@ repos:
       - id: check-yaml
       - id: fix-byte-order-marker
       - id: trailing-whitespace
-        exclude: (\.min\.css|\.min\.js|\.mo|\.po|swagger\.json)$
+        exclude: |
+          (?x)(
+            \.min\.css|
+            \.min\.js|
+            \.po|
+            \.mo|
+            swagger\.json
+          )
       - id: end-of-file-fixer
-        exclude: (\.min\.css|\.min\.js|\.mo|\.po|swagger\.json)$
+        exclude: |
+          (?x)(
+            \.min\.css|
+            \.min\.js|
+            \.po|
+            \.mo|
+            swagger\.json
+          )
       - id: mixed-line-ending
         args: [ '--fix=lf' ]
       - id: fix-encoding-pragma
@@ -25,7 +39,14 @@ repos:
     rev: 2.4.0
     hooks:
       - id: editorconfig-checker
-        exclude: ^(LICENSE|allianceauth\/static\/allianceauth\/css\/themes\/bootstrap-locals.less|allianceauth\/eveonline\/swagger.json|(.*.po)|(.*.mo))
+        exclude: |
+          (?x)(
+            LICENSE|
+            allianceauth\/static\/allianceauth\/css\/themes\/bootstrap-locals.less|
+            \.po|
+            \.mo|
+            swagger\.json
+          )
 
   - repo: https://github.com/asottile/pyupgrade
     rev: v2.34.0

allianceauth/__init__.py

@@ -1,7 +1,7 @@
 # This will make sure the app is always imported when
 # Django starts so that shared_task will use this app.
 
-__version__ = '3.2.0'
+__version__ = '3.3.0'
 __title__ = 'Alliance Auth'
 __url__ = 'https://gitlab.com/allianceauth/allianceauth'
 NAME = f'{__title__} v{__version__}'

allianceauth/analytics/models.py

@@ -8,13 +8,13 @@ from uuid import uuid4
 class AnalyticsIdentifier(models.Model):
 
     identifier = models.UUIDField(default=uuid4,
-                                  editable=False)
+                                editable=False)
 
     def save(self, *args, **kwargs):
         if not self.pk and AnalyticsIdentifier.objects.exists():
             # Force a single object
             raise ValidationError('There is can be only one \
-                                   AnalyticsIdentifier instance')
+                                    AnalyticsIdentifier instance')
         self.pk = self.id = 1 # If this happens to be deleted and recreated, force it to be 1
         return super().save(*args, **kwargs)
 

allianceauth/authentication/backends.py

@@ -2,6 +2,7 @@ import logging
 
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import User, Permission
+from django.contrib import messages
 
 from .models import UserProfile, CharacterOwnership, OwnershipRecord
 
@@ -37,7 +38,13 @@ class StateBackend(ModelBackend):
             ownership = CharacterOwnership.objects.get(character__character_id=token.character_id)
             if ownership.owner_hash == token.character_owner_hash:
                 logger.debug(f'Authenticating {ownership.user} by ownership of character {token.character_name}')
-                return ownership.user
+                if ownership.user.profile.main_character:
+                    if ownership.user.profile.main_character.character_id == token.character_id:
+                        return ownership.user
+                    else:  ## this is an alt, enforce main only.
+                        if request:
+                            messages.error("Unable to authenticate with this Character, Please log in with the main character associated with this account.")
+                        return None
             else:
                 logger.debug(f'{token.character_name} has changed ownership. Creating new user account.')
                 ownership.delete()
@@ -57,13 +64,20 @@ class StateBackend(ModelBackend):
                 if records.exists():
                     # we've seen this character owner before. Re-attach to their old user account
                     user = records[0].user
+                    if user.profile.main_character:
+                        if ownership.user.profile.main_character.character_id != token.character_id:
+                            ## this is an alt, enforce main only due to trust issues in SSO.
+                            if request:
+                                messages.error("Unable to authenticate with this Character, Please log in with the main character associated with this account. Then add this character from the dashboard.")
+                            return None
+
                     token.user = user
                     co = CharacterOwnership.objects.create_by_token(token)
                     logger.debug(f'Authenticating {user} by matching owner hash record of character {co.character}')
-                    if not user.profile.main_character:
-                        # set this as their main by default if they have none
-                        user.profile.main_character = co.character
-                        user.profile.save()
+
+                    # set this as their main by default as they have none
+                    user.profile.main_character = co.character
+                    user.profile.save()
                     return user
             logger.debug(f'Unable to authenticate character {token.character_name}. Creating new user.')
             return self.create_user(token)

allianceauth/authentication/models.py

@@ -18,13 +18,13 @@ class State(models.Model):
     priority = models.IntegerField(unique=True, help_text="Users get assigned the state with the highest priority available to them.")
 
     member_characters = models.ManyToManyField(EveCharacter, blank=True,
-                                               help_text="Characters to which this state is available.")
+                                                help_text="Characters to which this state is available.")
     member_corporations = models.ManyToManyField(EveCorporationInfo, blank=True,
-                                                 help_text="Corporations to whose members this state is available.")
+                                                help_text="Corporations to whose members this state is available.")
     member_alliances = models.ManyToManyField(EveAllianceInfo, blank=True,
-                                              help_text="Alliances to whose members this state is available.")
+                                            help_text="Alliances to whose members this state is available.")
     member_factions = models.ManyToManyField(EveFactionInfo, blank=True,
-                                             help_text="Factions to whose members this state is available.")
+                                            help_text="Factions to whose members this state is available.")
     public = models.BooleanField(default=False, help_text="Make this state available to any character.")
 
     objects = StateManager()

allianceauth/authentication/templates/authentication/tokens.html

@@ -0,0 +1,62 @@
+{% extends "allianceauth/base.html" %}
+{% load i18n %}
+
+{% block page_title %}{% translate "Dashboard" %}{% endblock %}
+
+{% block content %}
+    <h1 class="page-header text-center">{% translate "Token Management" %}</h1>
+    <div class="col-sm-12">
+        <table class="table table-aa" id="table_tokens" style="width:100%">
+            <thead>
+                <tr>
+                    <th>{% translate "Scopes" %}</th>
+                    <th class="text-right">{% translate "Actions" %}</th>
+                    <th>{% translate "Character" %}</th>
+
+                </tr>
+            </thead>
+            <tbody>
+                {% for t in tokens %}
+                    <tr>
+                        <td styl="white-space:initial;">{% for s in t.scopes.all %}<span class="label label-default">{{s.name}}</span> {% endfor %}</td>
+                        <td nowrap class="text-right"><a href="{% url 'authentication:token_delete' t.id %}" class="btn btn-danger"><i class="fas fa-trash"></i></a> <a href="{% url 'authentication:token_refresh' t.id %}" class="btn btn-success"><i class="fas fa-sync-alt"></i></a></td>
+                        <td>{{t.character_name}}</td>
+                    </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        {% translate "This page is a best attempt, but backups or database logs can still contain your tokens. Always revoke tokens on https://community.eveonline.com/support/third-party-applications/ where possible."|urlize %}
+    </div>
+{% endblock %}
+
+{% block extra_javascript %}
+    {% include 'bundles/datatables-js.html' %}
+{% endblock %}
+
+{% block extra_css %}
+    {% include 'bundles/datatables-css.html' %}
+{% endblock %}
+
+{% block extra_script %}
+    $(document).ready(function(){
+        let grp = 2;
+        var table = $('#table_tokens').DataTable({
+            "columnDefs": [{ orderable: false, targets: [0,1] },{ "visible": false, "targets": grp }],
+            "order": [[grp, 'asc']],
+            "drawCallback": function (settings) {
+                var api = this.api();
+                var rows = api.rows({ page: 'current' }).nodes();
+                var last = null;
+                api.column(grp, { page: 'current' })
+                    .data()
+                    .each(function (group, i) {
+                        if (last !== group) {
+                            $(rows).eq(i).before('<tr class="info"><td colspan="3">' + group + '</td></tr>');
+                            last = group;
+                        }
+                    });
+            },
+            "stateSave": true,
+        });
+    });
+{% endblock %}

allianceauth/authentication/templates/public/lang_select.html

@@ -6,7 +6,7 @@
             {% get_language_info_list for LANGUAGES as languages %}
             {% for language in languages %}
                 <option value="{{ language.code }}"{% if language.code == LANGUAGE_CODE %} selected="selected"{% endif %}>
-                    {{ language.name_local }} ({{ language.code }})
+                    {{ language.name_local|capfirst }} ({{ language.code }})
                 </option>
             {% endfor %}
         </select>

allianceauth/authentication/tests/test_backend.py

@@ -116,10 +116,17 @@ class TestAuthenticate(TestCase):
         user = StateBackend().authenticate(token=t)
         self.assertEqual(user, self.user)
 
+    """ Alt Login disabled
     def test_authenticate_alt_character(self):
         t = Token(character_id=self.alt_character.character_id, character_owner_hash='2')
         user = StateBackend().authenticate(token=t)
         self.assertEqual(user, self.user)
+    """
+
+    def test_authenticate_alt_character_fail(self):
+        t = Token(character_id=self.alt_character.character_id, character_owner_hash='2')
+        user = StateBackend().authenticate(token=t)
+        self.assertEqual(user, None)
 
     def test_authenticate_unclaimed_character(self):
         t = Token(character_id=self.unclaimed_character.character_id, character_name=self.unclaimed_character.character_name, character_owner_hash='3')
@@ -128,6 +135,7 @@ class TestAuthenticate(TestCase):
         self.assertEqual(user.username, 'Unclaimed_Character')
         self.assertEqual(user.profile.main_character, self.unclaimed_character)
 
+    """ Alt Login disabled
     def test_authenticate_character_record(self):
         t = Token(character_id=self.unclaimed_character.character_id, character_name=self.unclaimed_character.character_name, character_owner_hash='4')
         OwnershipRecord.objects.create(user=self.old_user, character=self.unclaimed_character, owner_hash='4')
@@ -135,6 +143,15 @@ class TestAuthenticate(TestCase):
         self.assertEqual(user, self.old_user)
         self.assertTrue(CharacterOwnership.objects.filter(owner_hash='4', user=self.old_user).exists())
         self.assertTrue(user.profile.main_character)
+    """
+
+    def test_authenticate_character_record_fails(self):
+        t = Token(character_id=self.unclaimed_character.character_id, character_name=self.unclaimed_character.character_name, character_owner_hash='4')
+        OwnershipRecord.objects.create(user=self.old_user, character=self.unclaimed_character, owner_hash='4')
+        user = StateBackend().authenticate(token=t)
+        self.assertEqual(user, self.old_user)
+        self.assertTrue(CharacterOwnership.objects.filter(owner_hash='4', user=self.old_user).exists())
+        self.assertTrue(user.profile.main_character)
 
     def test_iterate_username(self):
         t = Token(character_id=self.unclaimed_character.character_id,

allianceauth/authentication/urls.py

@@ -22,5 +22,20 @@ urlpatterns = [
         views.add_character,
         name='add_character'
     ),
+    path(
+        'account/tokens/manage/',
+        views.token_management,
+        name='token_management'
+    ),
+    path(
+        'account/tokens/delete/<int:token_id>',
+        views.token_delete,
+        name='token_delete'
+    ),
+    path(
+        'account/tokens/refresh/<int:token_id>',
+        views.token_refresh,
+        name='token_refresh'
+    ),
     path('dashboard/', views.dashboard, name='dashboard'),
 ]

allianceauth/authentication/views.py

@@ -61,6 +61,44 @@ def dashboard(request):
     }
     return render(request, 'authentication/dashboard.html', context)
 
+@login_required
+def token_management(request):
+    tokens = request.user.token_set.all()
+
+    context = {
+        'tokens': tokens
+    }
+    return render(request, 'authentication/tokens.html', context)
+
+@login_required
+def token_delete(request, token_id=None):
+    try:
+        token = Token.objects.get(id=token_id)
+        if request.user == token.user:
+            token.delete()
+            messages.success(request, "Token Deleted.")
+        else:
+            messages.error(request, "This token does not belong to you.")
+    except Token.DoesNotExist:
+        messages.warning(request, "Token does not exist")
+    return redirect('authentication:token_management')
+
+@login_required
+def token_refresh(request, token_id=None):
+    try:
+        token = Token.objects.get(id=token_id)
+        if request.user == token.user:
+            try:
+                token.refresh()
+                messages.success(request, "Token refreshed.")
+            except Exception as e:
+                messages.warning(request, f"Failed to refresh token. {e}")
+        else:
+            messages.error(request, "This token does not belong to you.")
+    except Token.DoesNotExist:
+        messages.warning(request, "Token does not exist")
+    return redirect('authentication:token_management')
+
 
 @login_required
 @token_required(scopes=settings.LOGIN_TOKEN_SCOPES)

allianceauth/optimer/models.py

@@ -34,7 +34,7 @@ class OpTimer(models.Model):
     fc = models.CharField(max_length=254, default="")
     post_time = models.DateTimeField(default=timezone.now)
     eve_character = models.ForeignKey(EveCharacter, null=True,
-                                      on_delete=models.SET_NULL)
+                                    on_delete=models.SET_NULL)
     description = models.TextField(blank=True, default="")
     type = models.ForeignKey(OpTimerType, null=True, on_delete=models.SET_NULL)
 

allianceauth/project_template/project_name/settings/base.py

@@ -84,17 +84,16 @@ LOCALE_PATHS = (
     os.path.join(BASE_DIR, 'locale/'),
 )
 
-ugettext = lambda s: s
 LANGUAGES = (
-    ('en', ugettext('English')),
-    ('de', ugettext('German')),
-    ('es', ugettext('Spanish')),
-    ('zh-hans', ugettext('Chinese Simplified')),
-    ('ru', ugettext('Russian')),
-    ('ko', ugettext('Korean')),
-    ('fr', ugettext('French')),
-    ('ja', ugettext('Japanese')),
-    ('it', ugettext('Italian')),
+    ("en", "English"),
+    ("de", "German"),
+    ("es", "Spanish"),
+    ("zh-hans", "Chinese Simplified"),
+    ("ru", "Russian"),
+    ("ko", "Korean"),
+    ("fr", "French"),
+    ("ja", "Japanese"),
+    ("it", "Italian"),
 )
 
 TEMPLATES = [

allianceauth/templates/allianceauth/top-menu-user-dropdown.html

@@ -53,6 +53,14 @@
         <!-- logout / login -->
         <li role="separator" class="divider"></li>
         {% if user.is_authenticated %}
+            <li>
+                <a href="{% url 'authentication:token_management' %}">
+                    <i class="fas fa-user-lock"></i>
+                    {% translate "Token Management" %}
+                </a>
+            </li>
+            <li role="separator" class="divider"></li>
+
             <li><a href="{% url 'logout' %}">{% translate "Logout" %}</a></li>
         {% else %}
             <li><a href="{% url 'authentication:login' %}">{% translate "Login" %}</a></li>

docker/.env.example

@@ -1,7 +1,7 @@
 PROTOCOL=https://
 AUTH_SUBDOMAIN=%AUTH_SUBDOMAIN%
 DOMAIN=%DOMAIN%
-AA_DOCKER_TAG=registry.gitlab.com/allianceauth/allianceauth/auth:3.2.0
+AA_DOCKER_TAG=registry.gitlab.com/allianceauth/allianceauth/auth:3.3.0
 
 # Nginx Proxy Manager
 PROXY_HTTP_PORT=80

docker/Dockerfile

@@ -1,5 +1,5 @@
 FROM python:3.9-slim
-ARG AUTH_VERSION=v3.2.0
+ARG AUTH_VERSION=v3.3.0
 ARG AUTH_PACKAGE=allianceauth==${AUTH_VERSION}
 ENV VIRTUAL_ENV=/opt/venv
 ENV AUTH_USER=allianceauth

docker/conf/local.py

@@ -28,7 +28,9 @@ DATABASES["default"] = {
 ESI_SSO_CLIENT_ID = os.environ.get("ESI_SSO_CLIENT_ID")
 ESI_SSO_CLIENT_SECRET = os.environ.get("ESI_SSO_CLIENT_SECRET")
 ESI_SSO_CALLBACK_URL = f"{SITE_URL}/sso/callback"
-ESI_USER_CONTACT_EMAIL = os.environ.get("ESI_USER_CONTACT_EMAIL")  # A server maintainer that CCP can contact in case of issues.
+ESI_USER_CONTACT_EMAIL = os.environ.get(
+    "ESI_USER_CONTACT_EMAIL"
+)  # A server maintainer that CCP can contact in case of issues.
 
 # By default emails are validated before new users can log in.
 # It's recommended to use a free service like SparkPost or Elastic Email to send email.
@@ -48,7 +50,6 @@ ROOT_URLCONF = "myauth.urls"
 WSGI_APPLICATION = "myauth.wsgi.application"
 STATIC_ROOT = "/var/www/myauth/static/"
 BROKER_URL = f"redis://{os.environ.get('AA_REDIS', 'redis:6379')}/0"
-CELERY_RESULT_BACKEND = f"redis://{os.environ.get('AA_REDIS', 'redis:6379')}/0"
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",

docs/features/services/discord.md

@@ -65,9 +65,9 @@ On the application summary page, press Create a Bot User.
 
 Update your auth project's settings file with these pieces of information from the summary page:
 
-- From the App Details panel, `DISCORD_APP_ID` is the Client/Application ID
-- From the App Details panel, `DISCORD_APP_SECRET` is the Secret
-- From the App Bot Users panel, `DISCORD_BOT_TOKEN` is the Token
+- From the General Information panel, `DISCORD_APP_ID` is the Client/Application ID
+- From the OAuth2 > General panel, `DISCORD_APP_SECRET` is the Client Secret
+- From the Bot panel, `DISCORD_BOT_TOKEN` is the Token
 
 ### Preparing Auth
 

docs/installation/switch_to_non_root.md

@@ -13,9 +13,15 @@ The migration itself is rather straightforward. The main idea is to change owner
 First, log in as your sudo user and run the following commands in order:
 
 ```shell
+# Set the right owner
 sudo chown -R allianceserver: /home/allianceserver
 sudo chown -R allianceserver: /var/www/myauth
-sudo chmod -r 655 /var/www/myauth
+
+# Remove static files, they will be re-added later
+sudo rm -rf /var/www/mayauth/static/*
+
+# Fix directory permissions
+sudo chmod -R 755 /var/www/myauth
 ```
 
 That's it. Your AA installation is now configured to be maintained with the `allianceserver` user.
@@ -45,6 +51,13 @@ Finally, switch to the main AA folder, from where you can run most commands dire
 cd myauth
 ```
 
+Now it's time to re-add the static files with the right permissions. To do so simply
+run:
+
+```shell
+python manage.py collectstatic
+```
+
 When you want to restart myauth, you need to switch back to your sudo user, because `allianceserver` does not have sudo privileges:
 
 ```shell