From 40d1e18faf39dd50dd41c5e94ab13350df384e51 Mon Sep 17 00:00:00 2001
From: Antoine Martin <dev@ayakael.net>
Date: Wed, 14 Jun 2023 10:20:42 -0400
Subject: [PATCH 1/1] Add OpenID Connect SSO support via django-allauth (#1746)

---
 src/documents/templates/account/base.html     |  14 +
 src/documents/templates/account/login.html    |   1 +
 src/documents/templates/account/logout.html   |   1 +
 .../templates/registration/login.html         |  72 ++-
 .../socialaccount/authentication_error.html   |   1 +
 src/documents/templatetags/django_settings.py |   9 +
 src/paperless/allauth_custom.py               |  73 +++
 src/paperless/settings.py                     | 114 +++++
 src/paperless/urls.py                         |   9 +-
 10 files changed, 711 insertions(+), 18 deletions(-)
 create mode 100644 0001-Add-OpenID-Connect-SSO-support-via-django-allauth-17.patch
 create mode 100644 src/documents/templates/account/base.html
 create mode 120000 src/documents/templates/account/login.html
 create mode 120000 src/documents/templates/account/logout.html
 create mode 120000 src/documents/templates/socialaccount/authentication_error.html
 create mode 100644 src/documents/templatetags/django_settings.py
 create mode 100644 src/paperless/allauth_custom.py

diff --git a/src/documents/templates/account/base.html b/src/documents/templates/account/base.html
new file mode 100644
index 00000000..0912c609
--- /dev/null
+++ b/src/documents/templates/account/base.html
@@ -0,0 +1,14 @@
+{% load i18n %}
+<html lang="en">
+  <head>
+    <title>{% translate "Redirecting" %}</title>
+    <meta http-equiv="refresh" content="0;URL='{% url "base" %}'" />
+    <style type="text/css">
+      body { background-color: #fff; }
+      a { color: #ccc; }
+    </style>
+  </head>
+  <body>
+    <a href="{% url "base" %}">{% translate "Redirecting" %}...</a>
+  </body>
+</html>
diff --git a/src/documents/templates/account/login.html b/src/documents/templates/account/login.html
new file mode 120000
index 00000000..03fd169e
--- /dev/null
+++ b/src/documents/templates/account/login.html
@@ -0,0 +1 @@
+../registration/login.html
\ No newline at end of file
diff --git a/src/documents/templates/account/logout.html b/src/documents/templates/account/logout.html
new file mode 120000
index 00000000..7cad0aa6
--- /dev/null
+++ b/src/documents/templates/account/logout.html
@@ -0,0 +1 @@
+../registration/logged_out.html
\ No newline at end of file
diff --git a/src/documents/templates/registration/login.html b/src/documents/templates/registration/login.html
index d9ff86a7..404f37e6 100644
--- a/src/documents/templates/registration/login.html
+++ b/src/documents/templates/registration/login.html
@@ -1,4 +1,7 @@
 <!doctype html>
+{% load django_settings %}
+{% load socialaccount %}
+{% settings_value "LOGIN_HIDE_PASSWORD_FORM" as hide_password_form %}
 
 {% load static %}
 {% load i18n %}
@@ -38,8 +41,7 @@
   </head>
 
   <body class="text-center">
-    <form class="form-signin" method="post">
-			{% csrf_token %}
+    <div class="form-signin">
       <svg xmlns="http://www.w3.org/2000/svg" width="300" class="logo mb-4" viewBox="0 0 2897.4 896.6">
         <path class="leaf" d="M140,713.7c-3.4-16.4-10.3-49.1-11.2-49.1c-145.7-87.1-128.4-238-80.2-324.2C59,449,251.2,524,139.1,656.8 c-0.9,1.7,5.2,22.4,10.3,41.4c22.4-37.9,56-83.6,54.3-87.9C65.9,273.9,496.9,248.1,586.6,39.4c40.5,201.8-20.7,513.9-367.2,593.2 c-1.7,0.9-62.9,108.6-65.5,109.5c0-1.7-25.9-0.9-22.4-9.5C133.1,727.4,136.6,720.6,140,713.7L140,713.7z M135.7,632.6 c44-50.9-7.8-137.9-38.8-166.4C149.5,556.7,146,609.3,135.7,632.6L135.7,632.6z" transform="translate(0)" style="fill:#17541f"/>
         <g class="text" style="fill:#000">
@@ -58,19 +60,55 @@
           <path d="M757.6,293.7c-20-10.8-42.6-16.2-67.8-16.2H600c-8.5,39.2-21.1,76.4-37.6,111.3c-9.9,20.8-21.1,40.6-33.6,59.4v207.2h88.9 V521.5h72c25.2,0,47.8-5.4,67.8-16.2s35.7-25.6,47.1-44.2c11.4-18.7,17.1-39.1,17.1-61.3c0.1-22.7-5.6-43.3-17-61.9 C793.3,319.2,777.6,304.5,757.6,293.7z M716.6,434.3c-9.3,8.9-21.6,13.3-36.7,13.3l-62.2,0.4v-92.5l62.2-0.4 c15.1,0,27.3,4.4,36.7,13.3c9.4,8.9,14,19.9,14,32.9C730.6,414.5,726,425.4,716.6,434.3z" transform="translate(0)"/>
         </g>
       </svg>
-			<p>{% translate "Please sign in." %}</p>
-			{% if form.errors %}
-				<div class="alert alert-danger" role="alert">
-					{% translate "Your username and password didn't match. Please try again." %}
-				</div>
-			{% endif %}
-			{% translate "Username" as i18n_username %}
-			{% translate "Password" as i18n_password %}
-			<label for="inputUsername" class="sr-only">{{ i18n_username }}</label>
-			<input type="text" name="username" id="inputUsername" class="form-control" placeholder="{{ i18n_username }}" autocorrect="off" autocapitalize="none" required autofocus>
-			<label for="inputPassword" class="sr-only">{{ i18n_password }}</label>
-			<input type="password" name="password" id="inputPassword" class="form-control" placeholder="{{ i18n_password }}" required>
-			<button class="btn btn-lg btn-primary btn-block" type="submit">{% translate "Sign in" %}</button>
-		</form>
-	</body>
+		  {% if auth_error %}
+      <div class="alert alert-danger" role="alert">
+        {% translate "An authentication error occurred. Please try again." %}
+      </div>
+      {% endif %}
+      {% if not hide_password_form %}
+      <p>{% translate "Please sign in." %}</p>
+      <form method="post">
+        {% csrf_token %}
+        {% if form.errors %}
+        <div class="alert alert-danger" role="alert">
+          {% translate "Your username and password didn't match. Please try again." %}
+        </div>
+        {% endif %}
+        {% translate "Username" as i18n_username %}
+        {% translate "Password" as i18n_password %}
+        <label for="inputUsername" class="sr-only">{{ i18n_username }}</label>
+        <input type="text" name="username" id="inputUsername" class="form-control" placeholder="{{ i18n_username }}" autocorrect="off" autocapitalize="none" required autofocus>
+        <label for="inputPassword" class="sr-only">{{ i18n_password }}</label>
+        <input type="password" name="password" id="inputPassword" class="form-control" placeholder="{{ i18n_password }}" required>
+        <button class="btn btn-lg btn-primary btn-block" type="submit">{% translate "Sign in" %}</button>
+      </form>
+      {% endif %}
+      {% get_providers as socialaccount_providers %}
+      {% if socialaccount_providers %}
+        {% if not hide_password_form %}
+          <p></p>
+          <p>- {% translate "or" %} -</p>
+        {% endif %}
+
+        {% for provider in socialaccount_providers %}
+          {% if provider.id == "openid" %}
+            {% for brand in provider.get_brands %}
+            <form method="post" action="{% provider_login_url provider.id openid=brand.openid_url process=process %}">
+              {% csrf_token %}
+              <p>
+                <input class="btn btn-lg btn-primary btn-block" type="submit" value="Log in with {{ brand.name }}">
+              </p>
+            </form>
+            {% endfor %}
+          {% endif %}
+          <form method="post" action="{% provider_login_url provider.id process=process %}">
+            {% csrf_token %}
+            <p>
+              <input class="btn btn-lg btn-primary btn-block" type="submit" value="Log in with {{ provider.name }}">
+            </p>
+          </form>
+        {% endfor %}
+      {% endif %}
+    </div>
+  </body>
 </html>
diff --git a/src/documents/templates/socialaccount/authentication_error.html b/src/documents/templates/socialaccount/authentication_error.html
new file mode 120000
index 00000000..b2ef5434
--- /dev/null
+++ b/src/documents/templates/socialaccount/authentication_error.html
@@ -0,0 +1 @@
+../account/login.html
\ No newline at end of file
diff --git a/src/documents/templatetags/django_settings.py b/src/documents/templatetags/django_settings.py
new file mode 100644
index 00000000..cf415d5c
--- /dev/null
+++ b/src/documents/templatetags/django_settings.py
@@ -0,0 +1,9 @@
+from django import template
+from django.conf import settings
+
+register = template.Library()
+
+
+@register.simple_tag
+def settings_value(name):
+    return getattr(settings, name, "")
diff --git a/src/paperless/allauth_custom.py b/src/paperless/allauth_custom.py
new file mode 100644
index 00000000..0e716346
--- /dev/null
+++ b/src/paperless/allauth_custom.py
@@ -0,0 +1,73 @@
+import logging
+
+from allauth.account.adapter import DefaultAccountAdapter
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+from django.conf import settings
+from django.http import Http404
+from django.urls import include
+from django.urls import path
+from django.urls import re_path
+from django.urls import reverse
+from django.urls import reverse_lazy
+from django.views.generic import RedirectView
+
+logger = logging.getLogger("paperless.allauth")
+
+
+def raise_404(*args, **kwargs):
+    raise Http404
+
+
+class CustomAccountAdapter(DefaultAccountAdapter):
+    def get_login_redirect_url(self, request):
+        return reverse("base")
+
+    def get_signup_redirect_url(self, request):
+        return self.get_login_redirect_url(request)
+
+    def is_open_for_signup(self, request):
+        return getattr(settings, "LOGIN_ENABLE_SIGNUP", False)
+
+
+class CustomSocialAccountAdapter(DefaultSocialAccountAdapter):
+    def authentication_error(
+        self,
+        request,
+        provider_id,
+        error=None,
+        exception=None,
+        extra_context=None,
+    ):
+        logger.error(f"Authentication error: {exception}")
+        return super().authentication_error(
+            request,
+            provider_id,
+            error,
+            exception,
+            extra_context,
+        )
+
+    def is_auto_signup_allowed(self, *args, **kwargs):
+        if getattr(settings, "SSO_AUTO_LINK_MULTIPLE", True):
+            # Skip allauth default logic of checking for an existing user with
+            # the same email address. This requires paperless administrators to
+            # trust the SSO providers connected to paperless.
+            return True
+        return super().is_auto_signup_allowed(*args, **kwargs)
+
+    def is_open_for_signup(self, request, sociallogin):
+        # True indicates a user should be automatically created on successful
+        # login via configured external provider
+        return getattr(settings, "SSO_AUTO_LINK", True)
+
+
+base_url = reverse_lazy("base")
+urlpatterns = [
+    # Override allauth URLs to disable features we don't want
+    path("signup/", RedirectView.as_view(url=base_url)),
+    re_path("confirm-email/.*", RedirectView.as_view(url=base_url)),
+    re_path("email/.*", RedirectView.as_view(url=base_url)),
+    re_path("password/.*", RedirectView.as_view(url=base_url)),
+    # Import allauth-provided URL patterns
+    path("", include("allauth.urls")),
+]
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index d3c239b4..a2cba20b 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -18,6 +18,7 @@ from urllib.parse import urlparse
 
 from celery.schedules import crontab
 from concurrent_log_handler.queue import setup_logging_queues
+from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 from dotenv import load_dotenv
 
@@ -91,6 +92,22 @@ def __get_list(
         return []
 
 
+def __get_list(
+    key: str,
+    sep: str = ",",
+    default: Optional[List[str]] = None,
+) -> List[str]:
+    """
+    Return a list of strings based on the environment variable or an given default
+    list, if provided or an empty list
+    """
+    if key in os.environ:
+        os.getenv(key).split(sep)
+    elif default is not None:
+        return default
+    return []
+
+
 def _parse_redis_url(env_redis: Optional[str]) -> Tuple[str]:
     """
     Gets the Redis information from the environment or a default and handles
@@ -256,6 +273,40 @@ SCRATCH_DIR = __get_path(
     Path(tempfile.gettempdir()) / "paperless",
 )
 
+###############################################################################
+# SSO Configuration
+###############################################################################
+
+
+def _get_oidc_server() -> Optional[Dict]:
+    config_id = os.environ.get("PAPERLESS_SSO_OIDC_ID")
+    name = os.environ.get("PAPERLESS_SSO_OIDC_NAME")
+    url = os.environ.get("PAPERLESS_SSO_OIDC_URL")
+    client_id = os.environ.get("PAPERLESS_SSO_OIDC_CLIENT_ID")
+    secret = os.environ.get("PAPERLESS_SSO_OIDC_SECRET")
+    if name and url and client_id and secret:
+        return {
+            "id": config_id or slugify(name)[:30],
+            "name": name,
+            "server_url": url,
+            "APP": {
+                "client_id": client_id,
+                "secret": secret,
+            },
+        }
+    return None
+
+
+_allauth_provider_modules = set(__get_list("PAPERLESS_SSO_MODULES"))
+_oidc_server = _get_oidc_server()
+if _oidc_server:
+    _allauth_provider_modules.add("openid_connect")
+
+SSO_ENABLED = __get_boolean(
+    "PAPERLESS_SSO_ENABLED",
+    str(bool(_allauth_provider_modules)),
+)
+
 ###############################################################################
 # Application Definition                                                      #
 ###############################################################################
@@ -282,9 +333,18 @@ INSTALLED_APPS = [
     "django_filters",
     "django_celery_results",
     "guardian",
+    "allauth",
+    "allauth.account",
+    "allauth.socialaccount",
     *env_apps,
 ]
 
+if SSO_ENABLED:
+    INSTALLED_APPS += [
+        f"allauth.socialaccount.providers.{provider}"
+        for provider in _allauth_provider_modules
+    ]
+
 if DEBUG:
     INSTALLED_APPS.append("channels")
 
@@ -394,6 +454,10 @@ HTTP_REMOTE_USER_HEADER_NAME = os.getenv(
 if ENABLE_HTTP_REMOTE_USER:
     MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware")
     AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend")
+    if SSO_ENABLED:
+        AUTHENTICATION_BACKENDS.append(
+            "allauth.account.auth_backends.AuthenticationBackend",
+        )
     REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
         "rest_framework.authentication.RemoteUserAuthentication",
     )
@@ -949,3 +1013,53 @@ def _get_nltk_language_setting(ocr_lang: str) -> Optional[str]:
 NLTK_ENABLED: Final[bool] = __get_boolean("PAPERLESS_ENABLE_NLTK", "yes")
 
 NLTK_LANGUAGE: Optional[str] = _get_nltk_language_setting(OCR_LANGUAGE)
+
+
+###############################################################################
+# Single Sign-On (SSO)
+###############################################################################
+
+
+if SSO_ENABLED:
+    SSO_AUTO_LINK = __get_boolean("PAPERLESS_SSO_AUTO_LINK", "yes")
+    SSO_AUTO_LINK_MULTIPLE = __get_boolean(
+        "PAPERLESS_SSO_AUTO_LINK_MULTIPLE",
+        "yes",
+    )
+
+    # TODO This setting is unused and not part of django-allauth
+    SSO_SIGNUP_ONLY = __get_boolean(
+        "PAPERLESS_SSO_SIGNUP_ONLY",
+        "yes",
+    )
+    ACCOUNT_ADAPTER = "paperless.allauth_custom.CustomAccountAdapter"
+    ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+    ACCOUNT_EMAIL_VERIFICATION = "none"
+    LOGIN_ENABLE_SIGNUP = __get_boolean("PAPERLESS_LOGIN_ENABLE_SIGNUP", "no")
+    LOGIN_HIDE_PASSWORD_FORM = __get_boolean(
+        "PAPERLESS_LOGIN_HIDE_PASSWORD_FORM",
+        "no",
+    )
+    ACCOUNT_LOGOUT_ON_GET = True
+
+    # Disable all allauth forms except for the login form
+    class AllauthFormsOverride(dict):
+        def get(self, key, default=None):
+            return super().get(key, "paperless.allauth_custom.raise_404")
+
+    ACCOUNT_FORMS = AllauthFormsOverride(
+        login="allauth.account.forms.LoginForm",
+    )
+
+    SOCIALACCOUNT_ADAPTER = "paperless.allauth_custom.CustomSocialAccountAdapter"
+    SOCIALACCOUNT_LOGIN_ON_GET = __get_boolean(
+        "PAPERLESS_SSO_LOGIN_ON_GET",
+        "no",
+    )
+    SOCIALACCOUNT_PROVIDERS = json.loads(
+        os.environ.get("PAPERLESS_SSO_PROVIDERS", "{}"),
+    )
+    if _oidc_server:
+        SOCIALACCOUNT_PROVIDERS.setdefault("openid_connect", {})
+        SOCIALACCOUNT_PROVIDERS["openid_connect"].setdefault("SERVERS", [])
+        SOCIALACCOUNT_PROVIDERS["openid_connect"]["SERVERS"] += [_oidc_server]
diff --git a/src/paperless/urls.py b/src/paperless/urls.py
index c2b72d7b..3a3bf342 100644
--- a/src/paperless/urls.py
+++ b/src/paperless/urls.py
@@ -154,7 +154,14 @@ urlpatterns = [
     ),
     # TODO: with localization, this is even worse! :/
     # login, logout
-    path("accounts/", include("django.contrib.auth.urls")),
+    path(
+        "accounts/",
+        include(
+            "paperless.allauth_custom"
+            if settings.SSO_ENABLED
+            else "django.contrib.auth.urls",
+        ),
+    ),
     # Root of the Frontent
     re_path(r".*", login_required(IndexView.as_view()), name="base"),
 ]
-- 
2.40.1