0001-idp_oidc-revoke-oidc-claims-authorization-45200.patch

Nicolas Roche, 27 juillet 2020 16:34

Voir les différences: en ligne côte à côte

Subject: [PATCH] idp_oidc: revoke oidc claims authorization (#45200)

 src/authentic2/app_settings.py                |  3 +
 .../templates/authentic2/accounts.html        |  3 +
 .../accounts_authorized_oauth_services.html   | 67 +++++++++++++++++++
 src/authentic2/urls.py                        |  3 +
 src/authentic2/views.py                       | 25 +++++++
 tests/test_idp_oidc.py                        | 36 ++++++++++
 tests/test_profile.py                         | 21 ++++++
 7 files changed, 158 insertions(+)
 create mode 100644 src/authentic2/templates/authentic2/accounts_authorized_oauth_services.html

             default=None,
             definition='File containing certificate chains as PEM certificates'),
         A2_REGISTRATION_CAN_DELETE_ACCOUNT=Setting(
             default=True,
             definition='Can user self delete their account and all their data'),
         A2_REGISTRATION_CAN_CHANGE_PASSWORD=Setting(
             default=True,
             definition='Allow user to change its own password'),
         A2_REGISTRATION_CAN_MANAGE_SERVICE_AUTHORIZATIONS=Setting(
             default=True,
             definition='Allow user to revoke granted services access to its account profile data'),
         A2_REGISTRATION_EMAIL_BLACKLIST=Setting(
             default=[],
             definition='List of forbidden email wildcards, ex.: ^.*@ville.fr$'),
         A2_REGISTRATION_REDIRECT=Setting(
             default=None,
             definition='Forced redirection after each redirect, NEXT_URL substring is replaced'
             ' by the original next_url passed to /accounts/register/'),
         A2_PROFILE_CAN_CHANGE_EMAIL=Setting(

             </dl>
           {% endif %}
           {% if allow_email_change %}
             <p><a href="{% url 'email-change' %}">{% trans "Change email" %}</a></p>
           {% endif %}
           {% if allow_profile_edit %}
             <p><a href="{% url 'profile_edit' %}">{% trans "Edit account data" %}</a></p>
           {% endif %}
           {% if allow_authorization_management %}
             <p><a href="{% url 'authorized-oauth-services' %}">{% trans "Manage service authorizations" %}</a></p>
           {% endif %}
           {% if allow_account_deletion %}
             <p><a href="{% url 'delete_account' %}">{% trans "Delete account" %}</a></p>
           {% endif %}
         </div>
         <div id="a2-credentials" class="a2-profile-block">
           <h3>{% trans "Credentials" %}</h3>
           {% for html_block in frontends_block %}
             {{ html_block|safe }}

     {% extends "authentic2/base-page.html" %}
     {% load i18n %}
     {% block page-title %}
     {{ block.super }} - {{ view.title }}
     {% endblock %}
     {% block breadcrumb %}
     {{ block.super }}
     <a href="..">{% trans "Your account" %}</a>
     <a href="">{{ view.title }}</a>
     {% endblock %}
     {% block content %}
     {% block oidc-authorized-oauth-services-pre %}{% endblock %}
     <div class="authorized-oauth-services">
       {% block oidc-authorized-oauth-services-top %}
       <p class="authorized-oauth-services--top">
         {% if authorized_oauth_services|length_is:0 %}
         {% trans "You have not granted service access to your account profile data." %}
         {% else %}
         {% blocktrans count counter=authorized_oauth_services|length %}
         You have granted one service access to your account profile data.
         {% plural %}
         You have granted {{ counter }} services access to your account profile data.
         {% endblocktrans %}
         {% endif %}
       </p>
       {% endblock %}
       <ul class="authorized-oauth-services--list">
         {% for auth in authorized_oauth_services %}
         <li class="authorized-oauth-services--item">
           <form method="post" class="authorized-oauth-services--form">
             {% csrf_token %}
             {% block oidc-authorized-oauth-service %}
             <div class="authorized-oauth-services--infos">
               {% block oidc-authorized-oauth-service-top %}{% endblock %}
               <span class="authorized-oauth-services--client">
                 {{ auth.client }}
               </span>
               <span class="authorized-oauth-services--dates">
                 <span class="authorized-oauth-services-dates--since">
                   <span class="label">{% trans "Allowed since:" %}</span>
                   <span class="time">{{ auth.created }}</span>
                 </span>
                 <span class="authorized-oauth-services--separator">/</span>
                 <span class="authorized-oauth-services--expired">
                   <span class="label">{% trans "Expire on:" %}</span>
                   <span class="time">{{ auth.expired }}</span>
                 </span>
               </span>
             </div>
             <div class="authorized-oauth-services--actions">
               <input type="hidden" id="auth-id" name="auth_id" value="{{ auth.id }}">
               <button class="authorized-oauth-services--revoke-button">{% trans 'Revoke' %}</button>
             </div>
             {% block oidc-authorized-oauth-service-bottom %}{% endblock %}
             {% endblock %}
           </form>
         </li>
         {% endfor %}
       </ul>
     </table>
     {% block oidc-authorized-oauth-services-bottom %}{% endblock %}
     </div>
     {% block oidc-authorized-oauth-services-post %}{% endblock %}
     {% endblock %}

             views.edit_profile,
             name='profile_edit_with_scope'),
         url(r'^change-email/$',
             views.email_change,
             name='email-change'),
         url(r'^change-email/verify/$',
             views.email_change_verify,
             name='email-change-verify'),
         url(r'^authorizations/$',
             login_required(views.authorized_oauth_services),
             name='authorized-oauth-services'),
         url(r'^$',
             views.profile,
             name='account_management'),
         # Password change
         url(r'^password/change/$',
             views.password_change,
             name='password_change'),

     from django.http import Http404
     from django.utils.http import urlsafe_base64_decode
     from django.views.generic.edit import CreateView
     from django.forms import CharField
     from django.http import HttpResponseBadRequest
     from django.template import loader
     from authentic2.compat.misc import default_token_generator
     from authentic2_idp_oidc.models import OIDCAuthorization
     from . import (utils, app_settings, decorators, constants,
                    models, cbv, hooks, validators)
     from .utils import switch_user
     from .a2_rbac.utils import get_default_ou
     from .a2_rbac.models import OrganizationalUnit as OU
     from .forms import (
         passwords as passwords_forms,
         registration as registration_forms,
-...
             context.update({
                 'frontends_block': blocks,
                 'frontends_block_by_id': blocks_by_id,
                 'profile': profile,
                 'attributes': attributes,
                 'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
                 'allow_profile_edit': EditProfile.can_edit_profile(),
                 'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
                 'allow_authorization_management': app_settings.A2_REGISTRATION_CAN_MANAGE_SERVICE_AUTHORIZATIONS,
                 # TODO: deprecated should be removed when publik-base-theme is updated
                 'allow_password_change': utils.user_can_change_password(request=request),
                 'federation_management': federation_management,
             })
             hooks.call_hooks('modify_context_data', self, context)
             return context
     profile = login_required(ProfileView.as_view())
-...
     class SuView(View):
         def get(self, request, uuid):
             user = switch_user.resolve_token(uuid)
             if not user:
                 raise Http404
             return utils.simulate_authentication(request, user, 'su')
     su = SuView.as_view()
     class AuthorizedOauthServicesView(TemplateView):
         template_name = 'authentic2/accounts_authorized_oauth_services.html'
         title = _('Consent Management')
         def get_context_data(self, **kwargs):
             context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs)
             context['authorized_oauth_services'] = OIDCAuthorization.objects.filter(
                 user=self.request.user)
             return context
         def post(self, request, *args, **kwargs):
             if request.user:
                 qs = OIDCAuthorization.objects.filter(user=request.user)
                 auth_id = request.POST.get('auth_id')
                 if auth_id:
                     qs = qs.filter(id=auth_id)
                 qs.delete()
             return HttpResponseRedirect(reverse('authorized-oauth-services'))
     authorized_oauth_services = AuthorizedOauthServicesView.as_view()

         with pytest.raises(ValidationError, match=r'same domain'):
             OIDCClient(
                 redirect_uris='https://example.com/ https://example2.com/',
                 identifier_policy=OIDCClient.POLICY_PAIRWISE).clean()
         OIDCClient(
             redirect_uris='https://example.com/ https://example2.com/',
             sector_identifier_uri='https://example.com/').clean()
     def test_oidc_authorized_oauth_services_view(app, oidc_client, simple_user):
         url = make_url('authorized-oauth-services')
         response = app.get(url, status=302)
         assert '/login/' in response.location
         utils.login(app, simple_user)
         response = app.get(url, status=200)
         assert "You have not granted service access to your account profile data." in response.text
         OIDCAuthorization.objects.create(
             client=oidc_client, user=simple_user, scopes='openid',
             expired=now() + datetime.timedelta(days=2))
         OIDCAuthorization.objects.create(
             client=oidc_client, user=simple_user, scopes='openid profile',
             expired=now() + datetime.timedelta(days=2))
         OIDCAuthorization.objects.create(
             client=oidc_client, user=simple_user, scopes='openid profile email',
             expired=now() + datetime.timedelta(days=2))
         response = app.get(url, status=200)
         assert "You have granted 3 services access to your account profile data."
         assert len(response.html.find_all(
             'button', {'class': 'authorized-oauth-services--revoke-button'})) == 3
         # revoke two
         response = response.forms[0].submit()
         response = response.follow()
         assert len(response.html.find_all(
             'button', {'class': 'authorized-oauth-services--revoke-button'})) == 2
         response = response.forms[0].submit()
         response = response.follow()
         assert len(response.html.find_all(
             'button', {'class': 'authorized-oauth-services--revoke-button'})) == 1
         assert "You have granted one service access to your account profile data." in response.text

         assert len(response.pyquery('input[type="radio"][name="edit-profile-title"][readonly="true"]')) == 0
         assert len(response.pyquery('select[name="edit-profile-title"]')) == 0
         simple_user.verified_attributes.title = 'Monsieur'
         response = app.get(url, status=200)
         assert len(response.pyquery('input[type="radio"][name="edit-profile-title"]')) == 0
         assert len(response.pyquery('input[type="text"][name="edit-profile-title@disabled"][readonly]')) == 1
     def test_acount_view(app, simple_user, settings):
         utils.login(app, simple_user)
         url = reverse('account_management')
         response = app.get(url, status=200)
         assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
             reverse('email-change'),
             reverse('profile_edit'),
             reverse('authorized-oauth-services'),
             reverse('delete_account')
+        ]
         settings.A2_PROFILE_CAN_CHANGE_EMAIL = False
         settings.A2_REGISTRATION_CAN_MANAGE_SERVICE_AUTHORIZATIONS = False
         settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT = False
         url = reverse('account_management')
         response = app.get(url, status=200)
         assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
             reverse('profile_edit'),
+        ]
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-idp_oidc-revoke-oidc-claims-authorization-45200.patch