0001-profile_views-include-ous-in-oidc-authz-management-p.patch
src/authentic2/templates/authentic2/accounts_authorized_oauth_services.html | ||
17 | 17 |
{% block oidc-authorized-oauth-services-top %} |
18 | 18 |
<p class="authorized-oauth-services--top"> |
19 | 19 |
{% if authorized_oauth_services|length_is:0 %} |
20 |
{% trans "You have not granted service access to your account profile data." %}
|
|
20 |
{% trans "You have not given any authorization to access your account profile data." %}
|
|
21 | 21 |
{% else %} |
22 |
{% blocktrans count counter=authorized_oauth_services|length %} |
|
23 |
You have granted one service access to your account profile data. |
|
24 |
{% plural %} |
|
25 |
You have granted {{ counter }} services access to your account profile data. |
|
26 |
{% endblocktrans %} |
|
22 |
{% trans "You have given authorizations to access your account profile data." %} |
|
27 | 23 |
{% endif %} |
28 | 24 |
</p> |
29 | 25 |
{% endblock %} |
src/authentic2/views.py | ||
23 | 23 |
from ratelimit.utils import is_ratelimited |
24 | 24 | |
25 | 25 |
from django.conf import settings |
26 |
from django.contrib.contenttypes.models import ContentType |
|
26 | 27 |
from django.shortcuts import render, get_object_or_404 |
27 | 28 |
from django.template.loader import render_to_string |
28 | 29 |
from django.views.generic.edit import UpdateView, FormView |
... | ... | |
512 | 513 |
'federation_management': federation_management, |
513 | 514 |
}) |
514 | 515 | |
515 |
if ('authentic2_idp_oidc' in settings.INSTALLED_APPS and |
|
516 |
app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS): |
|
517 |
from authentic2_idp_oidc.models import OIDCClient |
|
518 |
context['allow_authorization_management'] = OIDCClient.objects.filter( |
|
519 |
authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_SERVICE).exists() |
|
520 | ||
516 |
if 'authentic2_idp_oidc' in settings.INSTALLED_APPS: |
|
517 |
if app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS: |
|
518 |
from authentic2_idp_oidc.models import OIDCClient |
|
519 |
context['allow_authorization_management'] = OIDCClient.objects.filter( |
|
520 |
authorization_mode__in=( |
|
521 |
OIDCClient.AUTHORIZATION_MODE_BY_SERVICE, |
|
522 |
OIDCClient.AUTHORIZATION_MODE_BY_OU)).exists() |
|
521 | 523 |
hooks.call_hooks('modify_context_data', self, context) |
522 | 524 |
return context |
523 | 525 | |
... | ... | |
1285 | 1287 | |
1286 | 1288 |
def get_context_data(self, **kwargs): |
1287 | 1289 |
from authentic2_idp_oidc.models import OIDCAuthorization |
1290 |
from authentic2_idp_oidc.models import OIDCClient |
|
1291 |
from django_rbac.utils import get_ou_model |
|
1288 | 1292 | |
1289 | 1293 |
context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs) |
1294 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
1295 |
ou_ct = ContentType.objects.get_for_model(get_ou_model()) |
|
1290 | 1296 |
context['authorized_oauth_services'] = OIDCAuthorization.objects.filter( |
1291 |
user=self.request.user) |
|
1297 |
user=self.request.user, client_ct__in=(ou_ct,service_ct,))
|
|
1292 | 1298 |
return context |
1293 | 1299 | |
1294 | 1300 |
def post(self, request, *args, **kwargs): |
1295 | 1301 |
from authentic2_idp_oidc.models import OIDCAuthorization |
1302 |
from authentic2_idp_oidc.models import OIDCClient |
|
1303 |
from django_rbac.utils import get_ou_model |
|
1296 | 1304 | |
1297 |
qs = OIDCAuthorization.objects.filter(user=request.user) |
|
1305 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
1306 |
ou_ct = ContentType.objects.get_for_model(get_ou_model()) |
|
1307 |
qs = OIDCAuthorization.objects.filter( |
|
1308 |
user=request.user, client_ct__in=(service_ct, ou_ct)) |
|
1298 | 1309 |
auth_id = request.POST.get('auth_id') |
1299 | 1310 |
if auth_id: |
1300 | 1311 |
qs = qs.filter(id=auth_id) |
tests/test_idp_oidc.py | ||
45 | 45 |
from authentic2.a2_rbac.utils import get_default_ou |
46 | 46 |
from authentic2.utils import make_url |
47 | 47 |
from authentic2_auth_oidc.utils import parse_timestamp |
48 |
from django_rbac.utils import get_ou_model |
|
48 | 49 |
from django_rbac.utils import get_role_model |
49 | 50 | |
50 | 51 |
User = get_user_model() |
... | ... | |
1615 | 1616 | |
1616 | 1617 | |
1617 | 1618 |
def test_oidc_authorized_oauth_services_view(app, oidc_client, simple_user): |
1619 |
from django.contrib.contenttypes.models import ContentType |
|
1620 | ||
1618 | 1621 |
url = make_url('authorized-oauth-services') |
1619 | 1622 |
response = app.get(url, status=302) |
1620 | 1623 |
assert '/login/' in response.location |
1621 | 1624 | |
1622 | 1625 |
utils.login(app, simple_user) |
1623 | 1626 |
response = app.get(url, status=200) |
1624 |
assert "You have not granted service access to your account profile data." in response.text
|
|
1627 |
assert "You have not given any authorization to access your account profile data." in response.text
|
|
1625 | 1628 | |
1629 |
# create an ou authz |
|
1630 |
OU = get_ou_model() |
|
1631 |
ou1 = OU.objects.create(name='Orgunit1', slug='orgunit1') |
|
1632 |
OIDCAuthorization.objects.create( |
|
1633 |
client=ou1, user=simple_user, scopes='openid profile email', |
|
1634 |
expired=now() + datetime.timedelta(days=2)) |
|
1635 |
# create service authzs |
|
1626 | 1636 |
OIDCAuthorization.objects.create( |
1627 | 1637 |
client=oidc_client, user=simple_user, scopes='openid', |
1628 | 1638 |
expired=now() + datetime.timedelta(days=2)) |
... | ... | |
1634 | 1644 |
expired=now() + datetime.timedelta(days=2)) |
1635 | 1645 | |
1636 | 1646 |
response = app.get(url, status=200) |
1637 |
assert "You have granted 3 services access to your account profile data."
|
|
1647 |
assert "You have given authorizations to access your account profile data." in response.text
|
|
1638 | 1648 |
assert len(response.html.find_all( |
1639 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 3
|
|
1649 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 4
|
|
1640 | 1650 | |
1641 |
# revoke two |
|
1642 |
response = response.forms[0].submit() |
|
1651 |
# revoke two service authz |
|
1652 |
response = response.forms[1].submit() |
|
1653 |
response = response.follow() |
|
1654 |
assert len(response.html.find_all( |
|
1655 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 3 |
|
1656 |
assert OIDCAuthorization.objects.filter( |
|
1657 |
client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 2 |
|
1658 |
response = response.forms[1].submit() |
|
1643 | 1659 |
response = response.follow() |
1644 | 1660 |
assert len(response.html.find_all( |
1645 | 1661 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 2 |
1662 |
assert OIDCAuthorization.objects.filter( |
|
1663 |
client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 1 |
|
1664 | ||
1665 |
# revoke the only OU authz |
|
1646 | 1666 |
response = response.forms[0].submit() |
1647 | 1667 |
response = response.follow() |
1648 | 1668 |
assert len(response.html.find_all( |
1649 | 1669 |
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 1 |
1650 |
assert "You have granted one service access to your account profile data." in response.text |
|
1670 |
assert OIDCAuthorization.objects.filter( |
|
1671 |
client_ct=ContentType.objects.get_for_model(OU)).count() == 0 |
|
1651 |
- |