feat: RBAC + SAML support

Author: mgogoulos

Dockerfile

@@ -37,7 +37,7 @@ ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 # Install runtime system dependencies
 RUN apt-get update -y && \
     apt-get -y upgrade && \
-    apt-get install --no-install-recommends supervisor nginx imagemagick procps -y && \
+    apt-get install --no-install-recommends supervisor nginx imagemagick procps libxml2-dev libxmlsec1-dev libxmlsec1-openssl -y && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get purge --auto-remove && \
     apt-get clean
@@ -85,4 +85,4 @@ EXPOSE 9000 80
 RUN chmod +x ./deploy/docker/entrypoint.sh
 
 ENTRYPOINT ["./deploy/docker/entrypoint.sh"]
-CMD ["./deploy/docker/start.sh"]
+CMD ["./deploy/docker/start.sh"]

README.md

@@ -23,11 +23,13 @@ A demo is available at https://demo.mediacms.io
 
 ## Features
 - **Complete control over your data**: host it yourself!
-- **Support for multiple publishing workflows**: public, private, unlisted and custom
 - **Modern technologies**: Django/Python/Celery, React.
+- **Support for multiple publishing workflows**: public, private, unlisted and custom
 - **Multiple media types support**: video, audio,  image, pdf
 - **Multiple media classification options**: categories, tags and custom
 - **Multiple media sharing options**: social media share, videos embed code generation
+- **Role-Based Access Control (RBAC)
+- **SAML support
 - **Easy media searching**: enriched with live search functionality
 - **Playlists for audio and video content**: create playlists, add and reorder content
 - **Responsive design**: including light and dark themes

admin_customizations/__init__.py

@@ -0,0 +1,86 @@
+from django.apps import AppConfig
+from django.conf import settings
+from django.contrib import admin
+
+
+class AdminCustomizationsConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'admin_customizations'
+
+    def ready(self):
+        original_get_app_list = admin.AdminSite.get_app_list
+
+        def get_app_list(self, request, app_label=None):
+            """Custom get_app_list"""
+            app_list = original_get_app_list(self, request, app_label)
+            # To see the list:
+            # print([a.get('app_label') for a in app_list])
+
+            email_model = None
+            rbac_group_model = None
+            identity_providers_user_log_model = None
+            identity_providers_login_option = None
+            auth_app = None
+            rbac_app = None
+            socialaccount_app = None
+
+            for app in app_list:
+                if app['app_label'] == 'users':
+                    auth_app = app
+
+                elif app['app_label'] == 'account':
+                    for model in app['models']:
+                        if model['object_name'] == 'EmailAddress':
+                            email_model = model
+                elif app['app_label'] == 'rbac':
+                    if not getattr(settings, 'USE_RBAC', False):
+                        continue
+                    rbac_app = app
+                    for model in app['models']:
+                        if model['object_name'] == 'RBACGroup':
+                            rbac_group_model = model
+                elif app['app_label'] == 'identity_providers':
+                    if not getattr(settings, 'USE_IDENTITY_PROVIDERS', False):
+                        continue
+
+                    models_to_check = list(app['models'])
+
+                    for model in models_to_check:
+                        if model['object_name'] == 'IdentityProviderUserLog':
+                            identity_providers_user_log_model = model
+                        if model['object_name'] == 'LoginOption':
+                            identity_providers_login_option = model
+                elif app['app_label'] == 'socialaccount':
+                    socialaccount_app = app
+
+            if email_model and auth_app:
+                auth_app['models'].append(email_model)
+            if rbac_group_model and rbac_app and auth_app:
+                auth_app['models'].append(rbac_group_model)
+            if identity_providers_login_option and socialaccount_app:
+                socialaccount_app['models'].append(identity_providers_login_option)
+            if identity_providers_user_log_model and socialaccount_app:
+                socialaccount_app['models'].append(identity_providers_user_log_model)
+
+            # 2. don't include the following apps
+            apps_to_hide = ['authtoken', 'auth', 'account', 'saml_auth', 'rbac']
+            if not getattr(settings, 'USE_RBAC', False):
+                apps_to_hide.append('rbac')
+            if not getattr(settings, 'USE_IDENTITY_PROVIDERS', False):
+                apps_to_hide.append('socialaccount')
+
+            app_list = [app for app in app_list if app['app_label'] not in apps_to_hide]
+
+            # 3. change the ordering
+            app_order = {
+                'files': 1,
+                'users': 2,
+                'socialaccount': 3,
+                'rbac': 5,
+            }
+
+            app_list.sort(key=lambda x: app_order.get(x['app_label'], 999))
+
+            return app_list
+
+        admin.AdminSite.get_app_list = get_app_list

admin_customizations/admin.py

@@ -4,30 +4,36 @@
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
 INSTALLED_APPS = [
-    'django.contrib.admin',
-    'django.contrib.auth',
-    'allauth',
-    'allauth.account',
-    'allauth.socialaccount',
-    'django.contrib.contenttypes',
-    'django.contrib.sessions',
-    'django.contrib.messages',
-    'django.contrib.staticfiles',
-    'django.contrib.sites',
-    'rest_framework',
-    'rest_framework.authtoken',
-    'imagekit',
-    'files.apps.FilesConfig',
-    'users.apps.UsersConfig',
-    'actions.apps.ActionsConfig',
-    'debug_toolbar',
-    'mptt',
-    'crispy_forms',
+    "admin_customizations",
+    "django.contrib.auth",
+    "allauth",
+    "allauth.account",
+    "allauth.socialaccount",
+    "django.contrib.contenttypes",
+    "django.contrib.sessions",
+    "django.contrib.messages",
+    "django.contrib.staticfiles",
+    "jazzmin",
+    "django.contrib.admin",
+    "django.contrib.sites",
+    "rest_framework",
+    "rest_framework.authtoken",
+    "imagekit",
+    "files.apps.FilesConfig",
+    "users.apps.UsersConfig",
+    "actions.apps.ActionsConfig",
+    "rbac.apps.RbacConfig",
+    "identity_providers.apps.IdentityProvidersConfig",
+    "debug_toolbar",
+    "mptt",
+    "crispy_forms",
     "crispy_bootstrap5",
-    'uploader.apps.UploaderConfig',
-    'djcelery_email',
-    'drf_yasg',
-    'corsheaders',
+    "uploader.apps.UploaderConfig",
+    "djcelery_email",
+    "drf_yasg",
+    "allauth.socialaccount.providers.saml",
+    "saml_auth.apps.SamlAuthConfig",
+    "corsheaders",
 ]
 
 MIDDLEWARE = [

admin_customizations/apps.py

@@ -115,7 +115,7 @@
 ACCOUNT_EMAIL_REQUIRED = True  # new users need to specify email
 ACCOUNT_EMAIL_VERIFICATION = "optional"  # 'mandatory' 'none'
 ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = True
-ACCOUNT_USERNAME_MIN_LENGTH = "4"
+ACCOUNT_USERNAME_MIN_LENGTH = 4
 ACCOUNT_ADAPTER = "users.adapter.MyAccountAdapter"
 ACCOUNT_SIGNUP_FORM_CLASS = "users.forms.SignupForm"
 ACCOUNT_USERNAME_VALIDATORS = "users.validators.custom_username_validators"
@@ -256,7 +256,7 @@
 )
 
 INSTALLED_APPS = [
-    "django.contrib.admin",
+    "admin_customizations",
     "django.contrib.auth",
     "allauth",
     "allauth.account",
@@ -265,20 +265,26 @@
     "django.contrib.sessions",
     "django.contrib.messages",
     "django.contrib.staticfiles",
+    "jazzmin",
+    "django.contrib.admin",
     "django.contrib.sites",
     "rest_framework",
     "rest_framework.authtoken",
     "imagekit",
     "files.apps.FilesConfig",
     "users.apps.UsersConfig",
     "actions.apps.ActionsConfig",
+    "rbac.apps.RbacConfig",
+    "identity_providers.apps.IdentityProvidersConfig",
     "debug_toolbar",
     "mptt",
     "crispy_forms",
     "crispy_bootstrap5",
     "uploader.apps.UploaderConfig",
     "djcelery_email",
     "drf_yasg",
+    "allauth.socialaccount.providers.saml",
+    "saml_auth.apps.SamlAuthConfig",
 ]
 
 MIDDLEWARE = [
@@ -440,26 +446,6 @@
     CELERY_TASK_ALWAYS_EAGER = True
 
 
-try:
-    # keep a local_settings.py file for local overrides
-    from .local_settings import *  # noqa
-
-    # ALLOWED_HOSTS needs a url/ip
-    ALLOWED_HOSTS.append(FRONTEND_HOST.replace("http://", "").replace("https://", ""))
-except ImportError:
-    # local_settings not in use
-    pass
-
-
-if "http" not in FRONTEND_HOST:
-    # FRONTEND_HOST needs a http:// preffix
-    FRONTEND_HOST = f"http://{FRONTEND_HOST}"  # noqa
-
-if LOCAL_INSTALL:
-    SSL_FRONTEND_HOST = FRONTEND_HOST.replace("http", "https")
-else:
-    SSL_FRONTEND_HOST = FRONTEND_HOST
-
 if GLOBAL_LOGIN_REQUIRED:
     # this should go after the AuthenticationMiddleware middleware
     MIDDLEWARE.insert(6, "login_required.middleware.LoginRequiredMiddleware")
@@ -477,16 +463,6 @@
 
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
 
-# the following is related to local development using docker
-# and docker-compose-dev.yaml
-try:
-    DEVELOPMENT_MODE = os.environ.get("DEVELOPMENT_MODE")
-    if DEVELOPMENT_MODE:
-        # keep a dev_settings.py file for local overrides
-        from .dev_settings import *  # noqa
-except ImportError:
-    pass
-
 LANGUAGES = [
     ('ar', _('Arabic')),
     ('bn', _('Bengali')),
@@ -526,7 +502,45 @@
 # keep the trailing slash
 DJANGO_ADMIN_URL = "admin/"
 
+# this are used around a number of places and will need to be well documented!!!
+
+USE_SAML = False
+USE_RBAC = False
+USE_IDENTITY_PROVIDERS = False
+JAZZMIN_UI_TWEAKS = {"theme": "flatly"}
+
+
+try:
+    # keep a local_settings.py file for local overrides
+    from .local_settings import *  # noqa
+
+    # ALLOWED_HOSTS needs a url/ip
+    ALLOWED_HOSTS.append(FRONTEND_HOST.replace("http://", "").replace("https://", ""))
+except ImportError:
+    # local_settings not in use
+    pass
+
+if "http" not in FRONTEND_HOST:
+    # FRONTEND_HOST needs a http:// preffix
+    FRONTEND_HOST = f"http://{FRONTEND_HOST}"  # noqa
+
+if LOCAL_INSTALL:
+    SSL_FRONTEND_HOST = FRONTEND_HOST.replace("http", "https")
+else:
+    SSL_FRONTEND_HOST = FRONTEND_HOST
+
+
 # CSRF_COOKIE_SECURE = True
 # SESSION_COOKIE_SECURE = True
 
 PYSUBS_COMMAND = "pysubs2"
+
+# the following is related to local development using docker
+# and docker-compose-dev.yaml
+try:
+    DEVELOPMENT_MODE = os.environ.get("DEVELOPMENT_MODE")
+    if DEVELOPMENT_MODE:
+        # keep a dev_settings.py file for local overrides
+        from .dev_settings import *  # noqa
+except ImportError:
+    pass

admin_customizations/migrations/__init__.py

@@ -31,3 +31,7 @@
     re_path(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'),
     path('docs/api/', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'),
 ]
+
+admin.site.site_header = "MediaCMS Admin"
+admin.site.site_title = "MediaCMS"
+admin.site.index_title = "Admin"

admin_customizations/models.py

@@ -0,0 +1 @@
+VERSION = "5.0.0"