0001-profile_views-include-ous-in-oidc-authz-management-p.patch
| src/authentic2/templates/authentic2/accounts_authorized_oauth_services.html | ||
|---|---|---|
| 17 | 17 |
{% block oidc-authorized-oauth-services-top %}
|
| 18 | 18 |
<p class="authorized-oauth-services--top"> |
| 19 | 19 |
{% if authorized_oauth_services|length_is:0 %}
|
| 20 |
{% trans "You have not granted service access to your account profile data." %}
|
|
| 20 |
{% trans "You have not given any authorization to access your account profile data." %}
|
|
| 21 | 21 |
{% else %}
|
| 22 |
{% blocktrans count counter=authorized_oauth_services|length %}
|
|
| 23 |
You have granted one service access to your account profile data. |
|
| 24 |
{% plural %}
|
|
| 25 |
You have granted {{ counter }} services access to your account profile data.
|
|
| 26 |
{% endblocktrans %}
|
|
| 22 |
{% trans "You have given authorizations to access your account profile data." %}
|
|
| 27 | 23 |
{% endif %}
|
| 28 | 24 |
</p> |
| 29 | 25 |
{% endblock %}
|
| src/authentic2/views.py | ||
|---|---|---|
| 23 | 23 |
from ratelimit.utils import is_ratelimited |
| 24 | 24 | |
| 25 | 25 |
from django.conf import settings |
| 26 |
from django.contrib.contenttypes.models import ContentType |
|
| 26 | 27 |
from django.shortcuts import render, get_object_or_404 |
| 27 | 28 |
from django.template.loader import render_to_string |
| 28 | 29 |
from django.views.generic.edit import UpdateView, FormView |
| ... | ... | |
| 512 | 513 |
'federation_management': federation_management, |
| 513 | 514 |
}) |
| 514 | 515 | |
| 515 |
if ('authentic2_idp_oidc' in settings.INSTALLED_APPS and
|
|
| 516 |
app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS): |
|
| 517 |
from authentic2_idp_oidc.models import OIDCClient |
|
| 518 |
context['allow_authorization_management'] = OIDCClient.objects.filter( |
|
| 519 |
authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_SERVICE).exists() |
|
| 520 | ||
| 516 |
if 'authentic2_idp_oidc' in settings.INSTALLED_APPS: |
|
| 517 |
if app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS: |
|
| 518 |
from authentic2_idp_oidc.models import OIDCClient |
|
| 519 |
context['allow_authorization_management'] = OIDCClient.objects.filter( |
|
| 520 |
authorization_mode__in=( |
|
| 521 |
OIDCClient.AUTHORIZATION_MODE_BY_SERVICE, |
|
| 522 |
OIDCClient.AUTHORIZATION_MODE_BY_OU)).exists() |
|
| 521 | 523 |
hooks.call_hooks('modify_context_data', self, context)
|
| 522 | 524 |
return context |
| 523 | 525 | |
| ... | ... | |
| 1285 | 1287 | |
| 1286 | 1288 |
def get_context_data(self, **kwargs): |
| 1287 | 1289 |
from authentic2_idp_oidc.models import OIDCAuthorization |
| 1290 |
from authentic2_idp_oidc.models import OIDCClient |
|
| 1291 |
from django_rbac.utils import get_ou_model |
|
| 1288 | 1292 | |
| 1289 | 1293 |
context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs) |
| 1294 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
| 1295 |
ou_ct = ContentType.objects.get_for_model(get_ou_model()) |
|
| 1290 | 1296 |
context['authorized_oauth_services'] = OIDCAuthorization.objects.filter( |
| 1291 |
user=self.request.user) |
|
| 1297 |
user=self.request.user, client_ct__in=(ou_ct,service_ct,))
|
|
| 1292 | 1298 |
return context |
| 1293 | 1299 | |
| 1294 | 1300 |
def post(self, request, *args, **kwargs): |
| 1295 | 1301 |
from authentic2_idp_oidc.models import OIDCAuthorization |
| 1302 |
from authentic2_idp_oidc.models import OIDCClient |
|
| 1303 |
from django_rbac.utils import get_ou_model |
|
| 1296 | 1304 | |
| 1297 |
qs = OIDCAuthorization.objects.filter(user=request.user) |
|
| 1305 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
| 1306 |
ou_ct = ContentType.objects.get_for_model(get_ou_model()) |
|
| 1307 |
qs = OIDCAuthorization.objects.filter( |
|
| 1308 |
user=request.user, client_ct__in=(service_ct, ou_ct)) |
|
| 1298 | 1309 |
auth_id = request.POST.get('auth_id')
|
| 1299 | 1310 |
if auth_id: |
| 1300 | 1311 |
qs = qs.filter(id=auth_id) |
| tests/test_idp_oidc.py | ||
|---|---|---|
| 45 | 45 |
from authentic2.a2_rbac.utils import get_default_ou |
| 46 | 46 |
from authentic2.utils import make_url |
| 47 | 47 |
from authentic2_auth_oidc.utils import parse_timestamp |
| 48 |
from django_rbac.utils import get_ou_model |
|
| 48 | 49 |
from django_rbac.utils import get_role_model |
| 49 | 50 | |
| 50 | 51 |
User = get_user_model() |
| ... | ... | |
| 1615 | 1616 | |
| 1616 | 1617 | |
| 1617 | 1618 |
def test_oidc_authorized_oauth_services_view(app, oidc_client, simple_user): |
| 1619 |
from django.contrib.contenttypes.models import ContentType |
|
| 1620 | ||
| 1618 | 1621 |
url = make_url('authorized-oauth-services')
|
| 1619 | 1622 |
response = app.get(url, status=302) |
| 1620 | 1623 |
assert '/login/' in response.location |
| 1621 | 1624 | |
| 1622 | 1625 |
utils.login(app, simple_user) |
| 1623 | 1626 |
response = app.get(url, status=200) |
| 1624 |
assert "You have not granted service access to your account profile data." in response.text
|
|
| 1627 |
assert "You have not given any authorization to access your account profile data." in response.text
|
|
| 1625 | 1628 | |
| 1629 |
# create an ou authz |
|
| 1630 |
OU = get_ou_model() |
|
| 1631 |
ou1 = OU.objects.create(name='Orgunit1', slug='orgunit1') |
|
| 1632 |
OIDCAuthorization.objects.create( |
|
| 1633 |
client=ou1, user=simple_user, scopes='openid profile email', |
|
| 1634 |
expired=now() + datetime.timedelta(days=2)) |
|
| 1635 |
# create service authzs |
|
| 1626 | 1636 |
OIDCAuthorization.objects.create( |
| 1627 | 1637 |
client=oidc_client, user=simple_user, scopes='openid', |
| 1628 | 1638 |
expired=now() + datetime.timedelta(days=2)) |
| ... | ... | |
| 1634 | 1644 |
expired=now() + datetime.timedelta(days=2)) |
| 1635 | 1645 | |
| 1636 | 1646 |
response = app.get(url, status=200) |
| 1637 |
assert "You have granted 3 services access to your account profile data."
|
|
| 1647 |
assert "You have given authorizations to access your account profile data." in response.text
|
|
| 1638 | 1648 |
assert len(response.html.find_all( |
| 1639 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 3
|
|
| 1649 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 4
|
|
| 1640 | 1650 | |
| 1641 |
# revoke two |
|
| 1642 |
response = response.forms[0].submit() |
|
| 1651 |
# revoke two service authz |
|
| 1652 |
response = response.forms[1].submit() |
|
| 1653 |
response = response.follow() |
|
| 1654 |
assert len(response.html.find_all( |
|
| 1655 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 3
|
|
| 1656 |
assert OIDCAuthorization.objects.filter( |
|
| 1657 |
client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 2 |
|
| 1658 |
response = response.forms[1].submit() |
|
| 1643 | 1659 |
response = response.follow() |
| 1644 | 1660 |
assert len(response.html.find_all( |
| 1645 | 1661 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 2
|
| 1662 |
assert OIDCAuthorization.objects.filter( |
|
| 1663 |
client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 1 |
|
| 1664 | ||
| 1665 |
# revoke the only OU authz |
|
| 1646 | 1666 |
response = response.forms[0].submit() |
| 1647 | 1667 |
response = response.follow() |
| 1648 | 1668 |
assert len(response.html.find_all( |
| 1649 | 1669 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 1
|
| 1650 |
assert "You have granted one service access to your account profile data." in response.text |
|
| 1670 |
assert OIDCAuthorization.objects.filter( |
|
| 1671 |
client_ct=ContentType.objects.get_for_model(OU)).count() == 0 |
|
| 1651 |
- |
|