Release 0.113.2

[odlbot]

annagav

• Seed data for testing courses locally and RC (Seed data for testing courses locally and RC #2571) (dad87e4f)

Chris Chudzicki

• automatically create cache table (automatically create cache table #2568) (12b67c42)

James Kachel

• Add OIDC login via social-auth (Add OIDC login via social-auth #2550) (53b18806)

[gitguardian]

⚠️ GitGuardian has uncovered 8 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
13777604	Triggered	Generic High Entropy Secret	53b1880	config/keycloak/realms/default-realm.json	View secret
13777605	Triggered	Generic High Entropy Secret	53b1880	config/keycloak/realms/default-realm.json	View secret
13777606	Triggered	Generic Private Key	53b1880	config/keycloak/tls/tls.key	View secret
13777607	Triggered	Generic High Entropy Secret	53b1880	config/keycloak/realms/default-realm.json	View secret
13777608	Triggered	Generic High Entropy Secret	53b1880	config/keycloak/realms/default-realm.json	View secret
13777609	Triggered	Generic Password	53b1880	config/keycloak/realms/default-realm.json	View secret
13777610	Triggered	Generic High Entropy Secret	53b1880	config/keycloak/realms/default-realm.json	View secret
10259317	Triggered	Generic Password	53b1880	docker-compose.yml	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[gemini-code-assist]

Hello @odlbot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

This pull request updates the MITx Online platform to release version 0.113.2. It incorporates several key changes, including seeding data for testing courses, automatically creating a cache table, and adding OIDC login via social-auth. The changes also include updates to the Dockerfile, pre-commit configurations, and settings to accommodate the new Keycloak integration.

Highlights

• Keycloak Integration: Adds support for OIDC login via social-auth, including a sample Keycloak instance for local development and testing. This involves new settings, authentication backends, and pipeline configurations.
• Course Data Seeding: Includes seed data for testing courses locally and in the RC environment, making it easier to develop and test course-related features.
• Cache Table Automation: Automatically creates a cache table, likely to improve performance and efficiency of data retrieval.
• Dockerfile Updates: Updates the Dockerfile to include Keycloak configuration files and SSL certificates, streamlining the setup process for Keycloak integration.
• Pre-commit Configuration: Updates pre-commit configuration to exclude Keycloak configuration files from certain checks, preventing false positives.

Changelog

Click here to see the changelog

• .env.example
  • Added environment variables for Keycloak service configuration, including hostname, ports, admin credentials, and keystore password.
• .pre-commit-config.yaml
  • Excluded Keycloak configuration files from pre-commit checks to avoid unnecessary warnings.
• .secrets.baseline
  • Updated to exclude Keycloak configuration files from secret scanning.
  • Updated the line number for a hashed secret in main/settings.py from 959 to 1014.
  • Updated the generated_at timestamp.
• Dockerfile
  • Added instructions to copy mitol_*.gz files to the /app directory within the container.
• README-keycloak.md
  • Added a new README file with instructions on how to integrate MITx Online with Keycloak, including default settings, SSL certificate setup, realm configuration, and troubleshooting tips.
• README.md
  • Added a section on Keycloak Integration, referencing the new README-keycloak.md file.
• RELEASE.rst
  • Added release notes for version 0.113.2, listing the key changes included in this release.
• app.json
  • Added new environment variables to app.json for Keycloak configuration, OIDC settings, and exposing OIDC login functionality.
• authentication/backends/ol_open_id_connect.py
  • Created a custom wrapper class OlOpenIdConnectAuth for Keycloak authentication, extending OpenIdConnectAuth to include user details retrieval and email validation.
• authentication/pipeline/user.py
  • Modified the authentication pipeline to include steps for handling OIDC logins, including user creation and blocked user checks.
  • Added forbid_hijack to prevent admin users from logging in while hijacking another user.
  • Modified get_username to handle OIDC logins.
• authentication/pipeline/user_test.py
  • Added tests for the create_ol_oidc_user function to ensure correct user creation and handling of OIDC logins.
• authentication/views.py
  • Modified the logout view to redirect users to the Keycloak logout URL after logging out from MITx Online.
  • Added import for OlOpenIdConnectAuth.
• config/db/init-keycloak.sql
  • Added SQL script to create the keycloak database and grant privileges to the postgres user.
• config/keycloak/realms/default-realm.json
  • Added a default realm configuration file for Keycloak, including users, roles, and client settings.
• config/keycloak/tls/README.md
  • Added a README file with instructions on how to configure TLS for Keycloak, including generating self-signed certificates.
• config/keycloak/tls/tls.crt
  • Added a default TLS certificate file.
• config/keycloak/tls/tls.crt.default
  • Added a default TLS certificate file.
• config/keycloak/tls/tls.key
  • Added a default TLS key file.
• config/keycloak/tls/tls.key.default
  • Added a default TLS key file.
• courses/management/commands/populate_course_data.py
  • Added a management command to seed the database with course and course run data for testing purposes.
• courses/management/courses.json
  • Added a JSON file containing course and course run data for testing purposes.
• courses/management/utils.py
  • Added a utility function to load JSON data from a file.
• docker-compose-keycloak-override.yml
  • Added a docker-compose override file to add an alias for the Keycloak hostname to host-gateway.
• docker-compose.yml
  • Added a Keycloak service configuration to the docker-compose file, including environment variables, ports, volumes, and command.
• ecommerce/api.py
  • Removed an extra newline character.
• frontend/public/src/components/AnonymousMenu.js
  • Modified the AnonymousMenu component to conditionally render login and create account links based on the oidc_login_url setting.
• frontend/public/src/components/AnonymousMenu_test.js
  • Added tests for the AnonymousMenu component to ensure correct rendering of login and create account links based on the oidc_login_url setting.
• frontend/public/src/flow/declarations.js
  • Added a declaration for the oidc_login_url setting.
• frontend/public/src/lib/urls.js
  • Added email route to login urls.
• main/settings.py
  • Updated the version number to 0.113.2.
  • Added settings for Keycloak integration, including OIDC endpoints, client IDs, and secrets.
  • Added EXPOSE_OIDC_LOGIN setting to control the visibility of OIDC login functionality.
  • Added KEYCLOAK_BASE_URL and KEYCLOAK_REALM_NAME settings for logout redirection.
  • Added OlOpenIdConnectAuth to AUTHENTICATION_BACKENDS.
  • Added global_id to SOCIAL_AUTH_IMMUTABLE_USER_FIELDS.
• main/utils.py
  • Modified get_js_settings to include the OIDC login URL if EXPOSE_OIDC_LOGIN is enabled.
• main/utils_test.py
  • Added tests for get_js_settings to ensure correct rendering of OIDC login URL based on the EXPOSE_OIDC_LOGIN setting.
• scripts/run-django-dev.sh
  • Added createcachetable command to the script.
• users/factories.py
  • Added global_id to UserFactory.
• users/management/commands/promote_user.py
  • Added a management command to promote or demote users to staff or superuser status.
• users/management/tests/promote_user_test.py
  • Added tests for the promote_user management command.
• users/models.py
  • Added global_id field to the User model to store the SSO ID.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Trivia time!

What is the default port used by Keycloak for HTTPS?

Click here for the answer

The default port used by Keycloak for HTTPS is 8443.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces Keycloak integration, which is a significant feature. The changes span multiple files, including .env.example, Dockerfile, README files, and Python code. The Keycloak integration seems well-structured, but there are some security concerns and areas for improvement, particularly around input sanitization and documentation clarity.

Summary of Findings

• Sensitive information in .env.example: The .env.example file contains a default password (supersecret123456789) for KEYCLOAK_SVC_KEYSTORE_PASSWORD. This poses a security risk as it could be used in a production environment if not changed.
• Missing input sanitization: The code related to Keycloak integration does not appear to include input sanitization. This could lead to vulnerabilities such as injection attacks.

Merge Readiness

The pull request introduces significant functionality with the Keycloak integration. While the code appears to be well-structured, the presence of a default password in .env.example and the lack of input sanitization are critical security concerns that must be addressed before merging. Additionally, the documentation could be improved for clarity. Therefore, I recommend that this pull request not be merged until these issues are resolved. I am unable to approve this pull request, and other reviewers should carefully examine the changes before considering approval.

[gemini-code-assist]

The KEYCLOAK_SVC_KEYSTORE_PASSWORD is set to supersecret123456789 by default. This is a major security risk, as anyone deploying the application without changing this password will be vulnerable. Consider removing the default value or generating a random one during deployment. It is recommended to not have a default value at all, forcing the user to set one.

KEYCLOAK_SVC_KEYSTORE_PASSWORD=

[gemini-code-assist]

The _keycloak_logout_url method constructs a URL using settings.KEYCLOAK_BASE_URL and settings.KEYCLOAK_REALM_NAME. Ensure that these settings are properly validated and that the constructed URL is safe from injection attacks. Consider using urllib.parse.urljoin to construct the URL safely.

[gemini-code-assist]

Excluding config/keycloak/* from pre-commit hooks and secrets scanning is a good idea to prevent secrets from being accidentally committed. However, ensure that this exclusion is intentional and doesn't bypass necessary security checks for other important files in the config directory.

[gemini-code-assist]

Excluding config/keycloak/* from secrets scanning is a good idea to prevent secrets from being accidentally committed. However, ensure that this exclusion is intentional and doesn't bypass necessary security checks for other important files in the config directory.

[gemini-code-assist]

In create_ol_oidc_user, the is_active flag is set to True for new users. Ensure that this is the desired behavior and that there are no security implications. Consider adding a comment explaining why this is being done.