System Checks

docs/source/conf.py

@@ -29,6 +29,7 @@
 # ones.
 extensions = [
     "sphinx_rtd_theme",
+    "sphinx.ext.autosectionlabel",
 ]
 
 # Add any paths that contain templates here, relative to this directory.

docs/source/index.rst

@@ -51,4 +51,5 @@ Features
    reference/signals
    reference/models
    reference/management_commands
+   reference/checks
    reference/change_log

docs/source/installation/publish.rst

@@ -5,6 +5,8 @@ Deployment Checklist
 Before deploying your site to production it is important to go over some best practices and make sure your site is the **most stable and secure**.
 Provided here are some best practices related to ``django-windowsauth``, IIS and LDAP.
 
+Many checks can be performed automatically using ``py manage.py check --deploy``.
+
 .. seealso::
     Check out `Django's deployment checklist <https://docs.djangoproject.com/en/3.1/howto/deployment/checklist/>`_ too.
 

docs/source/reference/checks.rst

@@ -0,0 +1,108 @@
+
+Checks
+======
+
+.. glossary::
+
+    wauth.E001
+        Type: ``Error``
+
+        Required setting ``WAUTH_DOMAINS`` is not configured. :ref:`WAUTH_DOMAINS (Required)`
+
+.. glossary::
+
+    wauth.W002
+        Type: ``Warning``
+
+        Found missing domain settings for LDAP users.
+
+.. glossary::
+
+    wauth.E003
+        Type: ``Error``
+
+        | Unable to load LDAPUser model.
+        | Try running ``py manage.py migrate windows_auth``.
+
+.. glossary::
+
+    wauth.W004
+        Type: ``Warning``
+
+        | Unable to create LDAP connection with a configured domain.
+        | Check your settings and the server.
+
+.. glossary::
+
+    wauth.E005
+        Type: ``Error``
+
+        | Error while creating LDAP connection with a configured domain
+        | Check your settings and the server.
+
+.. glossary::
+
+    wauth.E006
+        Type: ``Error``
+
+        You have ``windows_auth.middleware.SimulateWindowsAuthMiddleware`` in your ``MIDDLEWARE``, but you have not configured ``WAUTH_SIMULATE_USER``. :ref:`WAUTH_SIMULATE_USER`
+
+.. glossary::
+
+    wauth.W010
+        Type: ``Warning``, Deploy only
+
+        You should not have ``windows_auth.middleware.SimulateWindowsAuthMiddleware`` in your middleware in production.
+        :ref:`SimulateWindowsAuthMiddleware`
+
+.. glossary::
+
+    wauth.I011
+        Type: ``Info``, Deploy only
+
+        Using the database to check LDAP user last sync time is slow.
+        If you can, you should use cache system instead.
+        :ref:`WAUTH_USE_CACHE`
+
+.. glossary::
+
+    wauth.W012
+        Type: ``Warning``, Deploy only
+
+        ``USE_SSL`` is not set to True. It is recommended to use only secure LDAP connection.
+        :ref:`USE_SSL`
+
+.. glossary::
+
+    wauth.W013
+        Type: ``Warning``, Deploy only
+
+        You should use a stronger authentication method for you LDAP connection.
+        Configure ``authentication`` to SASL or NTLM in you ``CONNECTION_OPTIONS``.
+        :doc:`../howto/securing_ldap`
+
+.. glossary::
+
+    wauth.W014
+        Type: ``Warning``, Deploy only
+
+        You should use a dedicated bind account with the minimum permissions needed.
+        Your bind account has logged in to website.
+        :ref:`USERNAME`
+
+.. glossary::
+
+    wauth.W015
+        Type: ``Warning``, Deploy only
+
+        You should use a dedicated connection for you write operations.
+        Using a different connection, and even another bind account, is considered best-practice.
+        :ref:`READ_ONLY`
+
+.. glossary::
+
+    wauth.I020
+        Type: ``Info``, Deploy only
+
+        You should keep your site and project files on a separate disk from the OS.
+        :ref:`READ_ONLY`

windows_auth/apps.py

@@ -1,9 +1,7 @@
 import atexit
 
-from django.db import DatabaseError
 from ldap3.core.exceptions import LDAPException
 from django.apps import AppConfig
-from django.db.models import Count
 
 from windows_auth import logger
 
@@ -13,7 +11,8 @@ class WindowsAuthConfig(AppConfig):
     default_auto_field = 'django.db.models.AutoField'
 
     def ready(self):
-        from windows_auth.conf import WAUTH_IGNORE_SETTING_WARNINGS, WAUTH_PRELOAD_DOMAINS, WAUTH_DOMAINS
+        from windows_auth import checks
+        from windows_auth.conf import WAUTH_PRELOAD_DOMAINS, WAUTH_DOMAINS
         from windows_auth.settings import DEFAULT_DOMAIN_SETTING
         from windows_auth.ldap import get_ldap_manager, close_connections
 
@@ -23,19 +22,6 @@ def ready(self):
         # You can avoid this behavior by using "runserver --noreload" parameter,
         # or modifying the WAUTH_PRELOAD_DOMAINS setting to False.
 
-        # check about users with domain missing from settings
-        if not WAUTH_IGNORE_SETTING_WARNINGS and DEFAULT_DOMAIN_SETTING not in WAUTH_DOMAINS:
-            try:
-                from windows_auth.models import LDAPUser
-                missing_domains = LDAPUser.objects.exclude(domain__in=WAUTH_DOMAINS.keys())
-                if missing_domains.exists():
-                    for result in missing_domains.values("domain").annotate(count=Count("pk")):
-                        logger.warning(f"Settings for domain \"{result.get('domain')}\" are missing from WAUTH_DOMAINS "
-                                       f"({result.get('count')} users found)")
-            except DatabaseError as e:
-                # Table probably does not exist yet, migration is pending
-                logger.warn(e)
-
         # configure default preload domains
         preload_domains = WAUTH_PRELOAD_DOMAINS
         if preload_domains in (None, True):