fix(auth): Fix broken PAS plugin config at root

rpatterson · rpatterson · commit f9097a021516 · 2022-02-14T14:55:40.000-08:00
Outside of the context of a Plone site, there usually isn't a
`plone.keyring.interfaces.IKeyManager` but the GenericSetup "various" import step that
adds the JWT token plugin to the Zope root `/acl_users` leaves the default keyring
plugin setting which results in the following when authenticating to the Zope root:

    2021-12-27 11:25:39,451 ERROR   [Zope.SiteErrorLog:22][waitress-3] ComponentLookupError: http://localhost:49080/api/acl_users/credentials_cookie_auth/login
    Traceback (innermost last):
      Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents
      Module ZPublisher.WSGIPublisher, line 372, in publish_module
      Module ZPublisher.WSGIPublisher, line 266, in publish
      Module ZPublisher.mapply, line 85, in mapply
      Module ZPublisher.WSGIPublisher, line 63, in call_object
      Module Products.PluggableAuthService.plugins.CookieAuthHelper, line 279, in login
      Module Products.PluggableAuthService.PluggableAuthService, line 1153, in updateCredentials
      Module plone.restapi.pas.plugin, line 165, in updateCredentials
      Module plone.restapi.pas.plugin, line 260, in create_payload_token
      Module plone.restapi.pas.plugin, line 230, in _signing_secret
      Module zope.component._api, line 165, in getUtility
    zope.interface.interfaces.ComponentLookupError: (&lt;InterfaceClass plone.keyring.interfaces.IKeyManager&gt;, '')

Fix this by doing an interface for the Plone portal and changing that configuration
setting if not being installed into a Plone portal.
diff --git a/src/plone/restapi/setuphandlers.py b/src/plone/restapi/setuphandlers.py
@@ -46,6 +46,8 @@ def install_pas_plugin(context):
                     "ICredentialsResetPlugin",
                 ],
             )
+            if not is_plone_site:
+                plugin.use_keyring = False
 
 
 def post_install_default(context):
diff --git a/src/plone/restapi/upgrades/to0007.py b/src/plone/restapi/upgrades/to0007.py
@@ -22,6 +22,12 @@ def enable_new_pas_plugin_interfaces(context):
     portal = getToolByName(context, "portal_url").getPortalObject()
     for uf, is_plone_site in pas.iter_ancestor_pas(portal):
         for jwt_plugin in uf.objectValues(plugin.JWTAuthenticationPlugin.meta_type):
+            if not is_plone_site and jwt_plugin.use_keyring:
+                logger.info(
+                    "Disabling keyring for plugin outside of Plone: %s",
+                    "/".join(jwt_plugin.getPhysicalPath()),
+                )
+                jwt_plugin.use_keyring = False
             for new_iface in (
                 plugins_ifaces.ICredentialsUpdatePlugin,
                 plugins_ifaces.ICredentialsResetPlugin,

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ def install_pas_plugin(context):`
`46`	`46`	`"ICredentialsResetPlugin",`
`47`	`47`	`],`
`48`	`48`	`)`
	`49`	`+ if not is_plone_site:`
	`50`	`+ plugin.use_keyring = False`
`49`	`51`
`50`	`52`
`51`	`53`	`def post_install_default(context):`