fix(auth): Fix broken PAS plugin config at root

Outside of the context of a Plone site, there usually isn't a `plone.keyring.interfaces.IKeyManager` but the GenericSetup "various" import step that adds the JWT token plugin to the Zope root `/acl_users` leaves the default keyring plugin setting which results in the following when authenticating to the Zope root: 2021-12-27 11:25:39,451 ERROR [Zope.SiteErrorLog:22][waitress-3] ComponentLookupError: http://localhost:49080/api/acl_users/credentials_cookie_auth/login Traceback (innermost last): Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents Module ZPublisher.WSGIPublisher, line 372, in publish_module Module ZPublisher.WSGIPublisher, line 266, in publish Module ZPublisher.mapply, line 85, in mapply Module ZPublisher.WSGIPublisher, line 63, in call_object Module Products.PluggableAuthService.plugins.CookieAuthHelper, line 279, in login Module Products.PluggableAuthService.PluggableAuthService, line 1153, in updateCredentials Module plone.restapi.pas.plugin, line 165, in updateCredentials Module plone.restapi.pas.plugin, line 260, in create_payload_token Module plone.restapi.pas.plugin, line 230, in _signing_secret Module zope.component._api, line 165, in getUtility zope.interface.interfaces.ComponentLookupError: (<InterfaceClass plone.keyring.interfaces.IKeyManager>, '') Fix this by doing an interface for the Plone portal and changing that configuration setting if not being installed into a Plone portal.
plone · Feb 14, 2022 · f9097a0 · f9097a0
1 parent 8ef0667
commit f9097a0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/src/plone/restapi/setuphandlers.py b/src/plone/restapi/setuphandlers.py
@@ -46,6 +46,8 @@ def install_pas_plugin(context):
                     "ICredentialsResetPlugin",
                 ],
             )
+            if not is_plone_site:
+                plugin.use_keyring = False
 
 
 def post_install_default(context):

diff --git a/src/plone/restapi/upgrades/to0007.py b/src/plone/restapi/upgrades/to0007.py
@@ -22,6 +22,12 @@ def enable_new_pas_plugin_interfaces(context):
     portal = getToolByName(context, "portal_url").getPortalObject()
     for uf, is_plone_site in pas.iter_ancestor_pas(portal):
         for jwt_plugin in uf.objectValues(plugin.JWTAuthenticationPlugin.meta_type):
+            if not is_plone_site and jwt_plugin.use_keyring:
+                logger.info(
+                    "Disabling keyring for plugin outside of Plone: %s",
+                    "/".join(jwt_plugin.getPhysicalPath()),
+                )
+                jwt_plugin.use_keyring = False
             for new_iface in (
                 plugins_ifaces.ICredentialsUpdatePlugin,
                 plugins_ifaces.ICredentialsResetPlugin,