0002-auth_oidc-add-views-to-configure-claims-66419.patch

Valentin Deniaud, 25 août 2022 17:08

Voir les différences: en ligne côte à côte

Subject: [PATCH 2/3] auth_oidc: add views to configure claims (#66419)

 .../journal_event_types.py                    | 91 +++++++++++++++++++
 src/authentic2_auth_oidc/models.py            |  1 +
 .../authenticator_detail.html                 | 20 ++++
 src/authentic2_auth_oidc/urls.py              | 25 +++++
 src/authentic2_auth_oidc/views.py             | 67 +++++++++++++-
 tests/test_manager_authenticators.py          | 29 ++++++
 tests/test_manager_journal.py                 | 30 ++++++
 7 files changed, 260 insertions(+), 3 deletions(-)
 create mode 100644 src/authentic2_auth_oidc/journal_event_types.py
 create mode 100644 src/authentic2_auth_oidc/templates/authentic2_auth_oidc/authenticator_detail.html

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2022 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import gettext_lazy as _
     from authentic2.apps.journal.models import EventTypeDefinition
     from authentic2.apps.journal.utils import form_to_old_new
     from .models import OIDCProvider
     class OIDCClaimMappingEvents(EventTypeDefinition):
         @classmethod
         def record(cls, *, user, session, claim, data=None):
             data = data or {}
             data.update({'claim_id': claim.pk})
             super().record(user=user, session=session, references=[claim.provider], data=data)
     class OIDCClaimMappingCreation(OIDCClaimMappingEvents):
         name = 'authenticator.oidc.claim.creation'
         label = _('OIDC provider related object creation')
         @classmethod
         def get_message(cls, event, context):
             (provider,) = event.get_typed_references(OIDCProvider)
             claim_id = event.get_data('claim_id')
             if context != provider:
                 return _('creation of claim ({claim_id}) in provider "{provider}"').format(
                     claim_id=claim_id, provider=provider
+                )
             else:
                 return _('creation of claim (%s)') % claim_id
     class OIDCClaimMappingEdit(OIDCClaimMappingEvents):
         name = 'authenticator.oidc.claim.edit'
         label = _('OIDC provider related object edit')
         @classmethod
         def record(cls, *, user, session, form):
             super().record(
                 user=user,
                 session=session,
                 claim=form.instance,
                 data=form_to_old_new(form),
+            )
         @classmethod
         def get_message(cls, event, context):
             (provider,) = event.get_typed_references(OIDCProvider)
             claim_id = event.get_data('claim_id')
             new = event.get_data('new') or {}
             edited_attributes = ', '.join(new) or ''
             if context != provider:
                 return _('edit claim ({claim_id}) in provider "{provider}" ({change})').format(
                     claim_id=claim_id,
                     provider=provider,
                     change=edited_attributes,
+                )
             else:
                 return _('edit claim ({claim_id}) ({change})').format(claim_id=claim_id, change=edited_attributes)
     class OIDCClaimMappingDeletion(OIDCClaimMappingEvents):
         name = 'authenticator.oidc.claim.deletion'
         label = _('OIDC provider related object deletion')
         @classmethod
         def get_message(cls, event, context):
             (provider,) = event.get_typed_references(OIDCProvider)
             claim_id = event.get_data('claim_id')
             if context != provider:
                 return _('deletion of claim ({claim_id}) in provider "{provider}"').format(
                     claim_id=claim_id, provider=provider
+                )
             else:
                 return _('deletion of claim %s') % claim_id

src/authentic2_auth_oidc/models.py
115	115
116	116	type = 'oidc'
117	117	how = ['oidc']
	118	manager_view_template_name = 'authentic2_auth_oidc/authenticator_detail.html'
118	119	description_fields = ['show_condition', 'issuer', 'scopes', 'strategy', 'created', 'modified']
119	120
120	121	class Meta:

     {% extends 'authentic2/authenticators/authenticator_detail.html' %}
     {% load i18n %}
     {% block extra-tab-buttons %}
       <button aria-controls="panel-claims" aria-selected="false" id="tab-claims" role="tab" tabindex="-1">{% trans "Claims" %}</button>
     {% endblock %}
     {% block extra-tab-list %}
       <div aria-labelledby="tab-claims" hidden="" id="panel-claims" role="tabpanel" tabindex="0">
         <ul class="objects-list single-links">
           {% for claim in object.claim_mappings.all %}
             <li>
               <a rel="popup" href="{% url 'a2-manager-oidc-edit-claim' authenticator_pk=object.pk pk=claim.pk %}">{{ claim }}</a>
               <a rel="popup" class="delete" href="{% url 'a2-manager-oidc-delete-claim' authenticator_pk=object.pk pk=claim.pk %}">{% trans "Remove" %}</a>
             </li>
           {% endfor %}
           <li><a class="add" rel="popup" href="{% url 'a2-manager-oidc-add-claim' authenticator_pk=object.pk %}">{% trans 'Add' %}</a></li>
         </ul>
       </div>
     {% endblock %}

     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from django.urls import path
     from authentic2.apps.authenticators.manager_urls import superuser_login_required
     from authentic2.decorators import required
     from . import views
-...
         url(r'^accounts/oidc/login/$', views.login_initiate, name='oidc-login-initiate'),
         url(r'^accounts/oidc/callback/$', views.login_callback, name='oidc-login-callback'),
+    ]
     urlpatterns += required(
         superuser_login_required,
+        [
             path(
                 'authenticators/<int:authenticator_pk>/claim/add/',
                 views.add_claim,
                 name='a2-manager-oidc-add-claim',
             ),
             path(
                 'authenticators/<int:authenticator_pk>/claim/<int:pk>/edit/',
                 views.edit_claim,
                 name='a2-manager-oidc-edit-claim',
             ),
             path(
                 'authenticators/<int:authenticator_pk>/claim/<int:pk>/delete/',
                 views.delete_claim,
                 name='a2-manager-oidc-delete-claim',
             ),
         ],
+    )

     from django.contrib import messages
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from django.http import HttpResponseBadRequest
     from django.shortcuts import get_object_or_404
     from django.urls import reverse
     from django.utils.translation import get_language
     from django.utils.translation import ugettext as _
     from django.views.generic import CreateView, DeleteView, UpdateView
     from django.views.generic.base import View
     from authentic2.manager.views import MediaMixin, TitleMixin
     from authentic2.utils import crypto
     from authentic2.utils.misc import authenticate, good_next_url, login, redirect
     from . import models
     from .forms import OIDCClaimMappingForm
     from .models import OIDCClaimMapping, OIDCProvider
     from .utils import get_provider, get_provider_by_issuer
     logger = logging.getLogger(__name__)
-...
         issuer = request.GET['iss']
         try:
             provider = get_provider_by_issuer(issuer)
         except models.OIDCProvider.DoesNotExist:
         except OIDCProvider.DoesNotExist:
             return HttpResponseBadRequest('unknown issuer %s' % issuer, content_type='text/plain')
         return oidc_login(request, pk=provider.pk, next_url=request.GET.get('target_link_uri'))
-...
             try:
                 provider = get_provider_by_issuer(issuer)
             except models.OIDCProvider.DoesNotExist:
             except OIDCProvider.DoesNotExist:
                 messages.warning(request, _('Unknown OpenID connect issuer: "%s"') % issuer)
                 logger.warning('auth_oidc: unknown issuer, %s', issuer)
                 return self.continue_to_next_url(request)
-...
     login_callback = LoginCallback.as_view()
     class OIDCProviderMixin(MediaMixin, TitleMixin):
         model = OIDCClaimMapping
         def dispatch(self, request, *args, **kwargs):
             self.provider = get_object_or_404(OIDCProvider, pk=kwargs.get('authenticator_pk'))
             return super().dispatch(request, *args, **kwargs)
         def get_form_kwargs(self):
             kwargs = super().get_form_kwargs()
             if not kwargs.get('instance'):
                 kwargs['instance'] = self.model()
             kwargs['instance'].provider = self.provider
             return kwargs
         def get_success_url(self):
             return reverse('a2-manager-authenticator-detail', kwargs={'pk': self.provider.pk}) + '#open:claims'
     class OIDCClaimMappingAddView(OIDCProviderMixin, CreateView):
         template_name = 'authentic2/manager/form.html'
         title = _('New claim')
         form_class = OIDCClaimMappingForm
         def form_valid(self, form):
             resp = super().form_valid(form)
             self.request.journal.record('authenticator.oidc.claim.creation', claim=form.instance)
             return resp
     add_claim = OIDCClaimMappingAddView.as_view()
     class OIDCClaimMappingEditView(OIDCProviderMixin, UpdateView):
         template_name = 'authentic2/manager/form.html'
         title = _('Edit claim')
         form_class = OIDCClaimMappingForm
         def form_valid(self, form):
             resp = super().form_valid(form)
             self.request.journal.record('authenticator.oidc.claim.edit', form=form)
             return resp
     edit_claim = OIDCClaimMappingEditView.as_view()
     class OIDCClaimMappingDeleteView(OIDCProviderMixin, DeleteView):
         template_name = 'authentic2/authenticators/authenticator_delete_form.html'
         def delete(self, *args, **kwargs):
             self.request.journal.record('authenticator.oidc.claim.deletion', claim=self.get_object())
             return super().delete(*args, **kwargs)
     delete_claim = OIDCClaimMappingDeleteView.as_view()

         assert_event('authenticator.deletion', user=superuser, session=app.session)
     def test_authenticators_oidc_claims(app, superuser):
         authenticator = OIDCProvider.objects.create(slug='idp1')
         resp = login(app, superuser, path=authenticator.get_absolute_url())
         resp = resp.click('Add')
         resp.form['claim'] = 'email'
         resp.form['attribute'].select(text='Email Address (email)')
         resp.form['verified'].select(text='verified claim')
         resp.form['required'] = True
         resp.form['idtoken_claim'] = True
         resp = resp.form.submit()
         assert_event('authenticator.oidc.claim.creation', user=superuser, session=app.session)
         assert '#open:claims' in resp.location
         resp = resp.follow()
         assert escape('email -> email, verified, required, idtoken') in resp.text
         resp = resp.click('email')
         resp.form['attribute'].select(text='First Name (first_name)')
         resp = resp.form.submit().follow()
         assert escape('email -> first_name, verified, required, idtoken') in resp.text
         assert_event('authenticator.oidc.claim.edit', user=superuser, session=app.session)
         resp = resp.click('Remove')
         resp = resp.form.submit().follow()
         assert 'email' not in resp.text
         assert_event('authenticator.oidc.claim.deletion', user=superuser, session=app.session)
     def test_authenticators_fc(app, superuser):
         resp = login(app, superuser, path='/manage/authenticators/')

     from authentic2.custom_user.models import Profile, ProfileType, User
     from authentic2.journal import journal
     from authentic2.models import Service
     from authentic2_auth_oidc.models import OIDCClaimMapping, OIDCProvider
     from authentic2_auth_saml.models import RenameAttributeAction, SAMLAuthenticator
     from .utils import login, logout, text_content
-...
         authenticator = LoginPasswordAuthenticator.objects.create(slug='test')
         saml_authenticator = SAMLAuthenticator.objects.create(slug='saml')
         rename_attribute_action = RenameAttributeAction.objects.create(authenticator=saml_authenticator)
         oidc_provider = OIDCProvider.objects.create(slug='oidc')
         oidc_claim_mapping = OIDCClaimMapping.objects.create(provider=oidc_provider)
         class EventFactory:
             date = make_aware(datetime.datetime(2020, 1, 1))
-...
             session=session2,
             related_object=rename_attribute_action,
+        )
         make('authenticator.oidc.claim.creation', user=agent, session=session2, claim=oidc_claim_mapping)
         claim_edit_form = mock.Mock(spec=['instance', 'initial', 'changed_data', 'cleaned_data'])
         claim_edit_form.instance = oidc_claim_mapping
         claim_edit_form.initial = {'claim': 'email'}
         claim_edit_form.changed_data = ['claim']
         claim_edit_form.cleaned_data = {'claim': 'first_name'}
         make('authenticator.oidc.claim.edit', user=agent, session=session2, form=claim_edit_form)
         make('authenticator.oidc.claim.deletion', user=agent, session=session2, claim=oidc_claim_mapping)
         # verify we created at least one event for each type
         assert set(Event.objects.values_list("type__name", flat=True)) == set(_registry)
-...
     def test_global_journal(app, superuser, events):
         response = login(app, user=superuser, path="/manage/")
         rename_attribute_action = RenameAttributeAction.objects.get()
         oidc_claim_mapping = OIDCClaimMapping.objects.get()
         # remove event about admin login
         Event.objects.filter(user=superuser).delete()
-...
                 'type': 'authenticator.saml.related_object.deletion',
                 'user': 'agent',
             },
+            {
                 'message': 'creation of claim (%s) in provider "OpenIDConnect"' % oidc_claim_mapping.pk,
                 'timestamp': 'Jan. 3, 2020, 11 a.m.',
                 'type': 'authenticator.oidc.claim.creation',
                 'user': 'agent',
             },
+            {
                 'message': 'edit claim (%s) in provider "OpenIDConnect" (claim)' % oidc_claim_mapping.pk,
                 'timestamp': 'Jan. 3, 2020, noon',
                 'type': 'authenticator.oidc.claim.edit',
                 'user': 'agent',
             },
+            {
                 'message': 'deletion of claim (%s) in provider "OpenIDConnect"' % oidc_claim_mapping.pk,
                 'timestamp': 'Jan. 3, 2020, 1 p.m.',
                 'type': 'authenticator.oidc.claim.deletion',
                 'user': 'agent',
             },
+        ]
         agent_page = response.click('agent', index=1)
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0002-auth_oidc-add-views-to-configure-claims-66419.patch