0009-auth_oidc-use-generic-related-object-code-53442.patch

Valentin Deniaud, 21 septembre 2022 12:47

Voir les différences: en ligne côte à côte

Subject: [PATCH 09/10] auth_oidc: use generic related object code (#53442)

 src/authentic2_auth_oidc/forms.py             | 11 +++
 .../journal_event_types.py                    | 91 -------------------
 .../migrations/0001_initial.py                |  5 +
 .../migrations/0014_auto_20220920_1614.py     | 28 ++++++
 src/authentic2_auth_oidc/models.py            | 27 ++++--
 .../authenticator_detail.html                 | 20 ----
 src/authentic2_auth_oidc/urls.py              | 25 -----
 src/authentic2_auth_oidc/views.py             | 63 +------------
 tests/test_auth_oidc.py                       | 28 +++---
 tests/test_manager_authenticators.py          | 10 +-
 tests/test_manager_journal.py                 | 30 ------
 11 files changed, 85 insertions(+), 253 deletions(-)
 delete mode 100644 src/authentic2_auth_oidc/journal_event_types.py
 create mode 100644 src/authentic2_auth_oidc/migrations/0014_auto_20220920_1614.py
 delete mode 100644 src/authentic2_auth_oidc/templates/authentic2_auth_oidc/authenticator_detail.html

     from django import forms
     from authentic2.forms.fields import RoleChoiceField
     from authentic2.forms.widgets import DatalistTextInput, SelectAttributeWidget
     from .models import OIDCClaimMapping, OIDCProvider
-...
             widgets = {
                 'claim': OIDCClaimTextInput,
+            }
     class OIDCRelatedObjectForm(forms.ModelForm):
         class Meta:
             exclude = ('authenticator',)
             field_classes = {'role': RoleChoiceField}
             widgets = {
                 'claim': OIDCClaimTextInput,
                 'attribute': SelectAttributeWidget,
+            }

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2022 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import gettext_lazy as _
     from authentic2.apps.journal.models import EventTypeDefinition
     from authentic2.apps.journal.utils import form_to_old_new
     from .models import OIDCProvider
     class OIDCClaimMappingEvents(EventTypeDefinition):
         @classmethod
         def record(cls, *, user, session, claim, data=None):
             data = data or {}
             data.update({'claim_id': claim.pk})
             super().record(user=user, session=session, references=[claim.provider], data=data)
     class OIDCClaimMappingCreation(OIDCClaimMappingEvents):
         name = 'authenticator.oidc.claim.creation'
         label = _('OIDC provider claim creation')
         @classmethod
         def get_message(cls, event, context):
             (provider,) = event.get_typed_references(OIDCProvider)
             claim_id = event.get_data('claim_id')
             if context != provider:
                 return _('creation of claim ({claim_id}) in provider "{provider}"').format(
                     claim_id=claim_id, provider=provider
+                )
             else:
                 return _('creation of claim (%s)') % claim_id
     class OIDCClaimMappingEdit(OIDCClaimMappingEvents):
         name = 'authenticator.oidc.claim.edit'
         label = _('OIDC provider claim edit')
         @classmethod
         def record(cls, *, user, session, form):
             super().record(
                 user=user,
                 session=session,
                 claim=form.instance,
                 data=form_to_old_new(form),
+            )
         @classmethod
         def get_message(cls, event, context):
             (provider,) = event.get_typed_references(OIDCProvider)
             claim_id = event.get_data('claim_id')
             new = event.get_data('new') or {}
             edited_attributes = ', '.join(new) or ''
             if context != provider:
                 return _('edit claim ({claim_id}) in provider "{provider}" ({change})').format(
                     claim_id=claim_id,
                     provider=provider,
                     change=edited_attributes,
+                )
             else:
                 return _('edit claim ({claim_id}) ({change})').format(claim_id=claim_id, change=edited_attributes)
     class OIDCClaimMappingDeletion(OIDCClaimMappingEvents):
         name = 'authenticator.oidc.claim.deletion'
         label = _('OIDC provider claim deletion')
         @classmethod
         def get_message(cls, event, context):
             (provider,) = event.get_typed_references(OIDCProvider)
             claim_id = event.get_data('claim_id')
             if context != provider:
                 return _('deletion of claim ({claim_id}) in provider "{provider}"').format(
                     claim_id=claim_id, provider=provider
+                )
             else:
                 return _('deletion of claim %s') % claim_id

                     ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                     ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
                 ],
                 options={
                     'verbose_name': 'Claim',
                     'verbose_name_plural': 'Claims',
                     'default_related_name': 'claim_mappings',
                 },
             ),
             migrations.CreateModel(
                 name='OIDCProvider',

     # Generated by Django 2.2.26 on 2022-09-20 14:14
     import django
     from django.db import migrations, models
     class Migration(migrations.Migration):
         dependencies = [
             ('authentic2_auth_oidc', '0013_auto_20220726_1714'),
+        ]
         operations = [
             migrations.RenameField(
                 model_name='oidcclaimmapping',
                 old_name='provider',
                 new_name='authenticator',
             ),
             migrations.AlterField(
                 model_name='oidcclaimmapping',
                 name='authenticator',
                 field=models.ForeignKey(
                     on_delete=django.db.models.deletion.CASCADE,
                     related_name='claim_mappings',
                     to='authenticators.BaseAuthenticator',
                 ),
             ),
+        ]

     from jwcrypto.jwk import InvalidJWKValue, JWKSet
     from authentic2.a2_rbac.utils import get_default_ou
     from authentic2.apps.authenticators.models import BaseAuthenticator
     from authentic2.apps.authenticators.models import AuthenticatorRelatedObjectBase, BaseAuthenticator
     from authentic2.utils.misc import make_url, redirect_to_login
     from authentic2.utils.template import validate_template
-...
         type = 'oidc'
         how = ['oidc']
         manager_view_template_name = 'authentic2_auth_oidc/authenticator_detail.html'
         description_fields = ['show_condition', 'issuer', 'scopes', 'strategy', 'created', 'modified']
         class Meta:
-...
             return OIDCProviderEditForm
         @property
         def related_object_form_class(self):
             from .forms import OIDCRelatedObjectForm
             return OIDCRelatedObjectForm
         @property
         def related_models(self):
             return {
                 OIDCClaimMapping: self.claim_mappings.all(),
+            }
         @property
         def jwkset(self):
             if self.jwkset_json:
-...
             return render(request, template_names, context)
     class OIDCClaimMapping(models.Model):
     class OIDCClaimMapping(AuthenticatorRelatedObjectBase):
         NOT_VERIFIED = 0
         VERIFIED_CLAIM = 1
         ALWAYS_VERIFIED = 2
-...
             (ALWAYS_VERIFIED, _('always verified')),
+        ]
         provider = models.ForeignKey(
             to='OIDCProvider', verbose_name=_('provider'), related_name='claim_mappings', on_delete=models.CASCADE
+        )
         claim = models.CharField(max_length=128, verbose_name=_('claim'), validators=[validate_template])
         attribute = models.CharField(max_length=64, verbose_name=_('attribute'))
         verified = models.PositiveIntegerField(
-...
         objects = managers.OIDCClaimMappingManager()
         class Meta:
             default_related_name = 'claim_mappings'
             verbose_name = _('Claim')
             verbose_name_plural = _('Claims')
         def natural_key(self):
             return (self.claim, self.attribute, self.verified, self.required)
-...
             return '<OIDCClaimMapping %r:%r on provider %r verified:%s required:%s >' % (
                 self.claim,
                 self.attribute,
                 self.provider and self.provider.issuer,
                 self.authenticator,
                 self.verified,
                 self.required,
+            )

     {% extends 'authentic2/authenticators/authenticator_detail.html' %}
     {% load i18n %}
     {% block extra-tab-buttons %}
       <button aria-controls="panel-claims" aria-selected="false" id="tab-claims" role="tab" tabindex="-1">{% trans "Claims" %}</button>
     {% endblock %}
     {% block extra-tab-list %}
       <div aria-labelledby="tab-claims" hidden="" id="panel-claims" role="tabpanel" tabindex="0">
         <ul class="objects-list single-links">
           {% for claim in object.claim_mappings.all %}
             <li>
               <a rel="popup" href="{% url 'a2-manager-oidc-edit-claim' authenticator_pk=object.pk pk=claim.pk %}">{{ claim }}</a>
               <a rel="popup" class="delete" href="{% url 'a2-manager-oidc-delete-claim' authenticator_pk=object.pk pk=claim.pk %}">{% trans "Remove" %}</a>
             </li>
           {% endfor %}
           <li><a class="add" rel="popup" href="{% url 'a2-manager-oidc-add-claim' authenticator_pk=object.pk %}">{% trans 'Add' %}</a></li>
         </ul>
       </div>
     {% endblock %}

     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from django.urls import path
     from authentic2.apps.authenticators.manager_urls import superuser_login_required
     from authentic2.decorators import required
     from . import views
-...
         url(r'^accounts/oidc/login/$', views.login_initiate, name='oidc-login-initiate'),
         url(r'^accounts/oidc/callback/$', views.login_callback, name='oidc-login-callback'),
+    ]
     urlpatterns += required(
         superuser_login_required,
+        [
             path(
                 'authenticators/<int:authenticator_pk>/claim/add/',
                 views.add_claim,
                 name='a2-manager-oidc-add-claim',
             ),
             path(
                 'authenticators/<int:authenticator_pk>/claim/<int:pk>/edit/',
                 views.edit_claim,
                 name='a2-manager-oidc-edit-claim',
             ),
             path(
                 'authenticators/<int:authenticator_pk>/claim/<int:pk>/delete/',
                 views.delete_claim,
                 name='a2-manager-oidc-delete-claim',
             ),
         ],
+    )

     from django.contrib import messages
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from django.http import HttpResponseBadRequest
     from django.shortcuts import get_object_or_404
     from django.urls import reverse
     from django.utils.translation import get_language
     from django.utils.translation import ugettext as _
     from django.views.generic import CreateView, DeleteView, UpdateView
     from django.views.generic.base import View
     from authentic2.manager.views import MediaMixin, TitleMixin
     from authentic2.utils import crypto
     from authentic2.utils.misc import authenticate, good_next_url, login, redirect
     from .forms import OIDCClaimMappingForm
     from .models import OIDCClaimMapping, OIDCProvider
     from .models import OIDCProvider
     from .utils import get_provider, get_provider_by_issuer
     logger = logging.getLogger(__name__)
-...
     login_callback = LoginCallback.as_view()
     class OIDCProviderMixin(MediaMixin, TitleMixin):
         model = OIDCClaimMapping
         def dispatch(self, request, *args, **kwargs):
             self.provider = get_object_or_404(OIDCProvider, pk=kwargs.get('authenticator_pk'))
             return super().dispatch(request, *args, **kwargs)
         def get_form_kwargs(self):
             kwargs = super().get_form_kwargs()
             if not kwargs.get('instance'):
                 kwargs['instance'] = self.model()
             kwargs['instance'].provider = self.provider
             return kwargs
         def get_success_url(self):
             return reverse('a2-manager-authenticator-detail', kwargs={'pk': self.provider.pk}) + '#open:claims'
     class OIDCClaimMappingAddView(OIDCProviderMixin, CreateView):
         template_name = 'authentic2/manager/form.html'
         title = _('New claim')
         form_class = OIDCClaimMappingForm
         def form_valid(self, form):
             resp = super().form_valid(form)
             self.request.journal.record('authenticator.oidc.claim.creation', claim=form.instance)
             return resp
     add_claim = OIDCClaimMappingAddView.as_view()
     class OIDCClaimMappingEditView(OIDCProviderMixin, UpdateView):
         template_name = 'authentic2/manager/form.html'
         title = _('Edit claim')
         form_class = OIDCClaimMappingForm
         def form_valid(self, form):
             resp = super().form_valid(form)
             self.request.journal.record('authenticator.oidc.claim.edit', form=form)
             return resp
     edit_claim = OIDCClaimMappingEditView.as_view()
     class OIDCClaimMappingDeleteView(OIDCProviderMixin, DeleteView):
         template_name = 'authentic2/authenticators/authenticator_delete_form.html'
         def delete(self, *args, **kwargs):
             self.request.journal.record('authenticator.oidc.claim.deletion', claim=self.get_object())
             return super().delete(*args, **kwargs)
     delete_claim = OIDCClaimMappingDeleteView.as_view()

             button_label=name,
+        )
         provider.full_clean()
         OIDCClaimMapping.objects.create(provider=provider, claim='sub', attribute='username', idtoken_claim=True)
         OIDCClaimMapping.objects.create(provider=provider, claim='email', attribute='email')
         OIDCClaimMapping.objects.create(provider=provider, claim='email', required=True, attribute='email')
         OIDCClaimMapping.objects.create(
             provider=provider,
             authenticator=provider, claim='sub', attribute='username', idtoken_claim=True
+        )
         OIDCClaimMapping.objects.create(authenticator=provider, claim='email', attribute='email')
         OIDCClaimMapping.objects.create(authenticator=provider, claim='email', required=True, attribute='email')
         OIDCClaimMapping.objects.create(
             authenticator=provider,
             claim='given_name',
             required=True,
             verified=OIDCClaimMapping.ALWAYS_VERIFIED,
             attribute='first_name',
+        )
         OIDCClaimMapping.objects.create(
             provider=provider,
             authenticator=provider,
             claim='family_name',
             required=True,
             verified=OIDCClaimMapping.VERIFIED_CLAIM,
             attribute='last_name',
+        )
         OIDCClaimMapping.objects.create(provider=provider, claim='ou', attribute='ou__slug')
         OIDCClaimMapping.objects.create(authenticator=provider, claim='ou', attribute='ou__slug')
         return provider
-...
     def test_strategy_find_email(app, caplog, code, oidc_provider, oidc_provider_jwkset, simple_user):
         OIDCClaimMapping.objects.all().delete()
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             claim='email',
             attribute='email',
             idtoken_claim=False,  # served by user_info endpoint
-...
     ):
         OIDCClaimMapping.objects.all().delete()
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             claim='email',
             attribute='email',
             idtoken_claim=False,  # served by user_info endpoint
-...
         OIDCClaimMapping.objects.all().delete()
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             attribute='username',
             idtoken_claim=False,
             claim='{{ given_name }} "{{ nickname }}" {{ family_name }}',
+        )
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             attribute='pro_phone',
             idtoken_claim=False,
             claim='(prefix +33) {{ phone_number }}',
+        )
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             attribute='email',
             idtoken_claim=False,
             claim='{{ given_name }}@foo.bar',
+        )
         # last one, with an idtoken claim
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             attribute='last_name',
             idtoken_claim=True,
             claim='{{ name|upper }}',
+        )
         # typo in template string
         OIDCClaimMapping.objects.create(
             provider=oidc_provider,
             authenticator=oidc_provider,
             attribute='first_name',
             idtoken_claim=True,
             claim='{{ given_name',

         authenticator = OIDCProvider.objects.create(slug='idp1')
         resp = login(app, superuser, path=authenticator.get_absolute_url())
         resp = resp.click('Add')
         resp = resp.click('Add', href='claim')
         resp.form['claim'] = 'email'
         resp.form['attribute'].select(text='Email address (email)')
         resp.form['verified'].select(text='verified claim')
         resp.form['required'] = True
         resp.form['idtoken_claim'] = True
         resp = resp.form.submit()
         assert_event('authenticator.oidc.claim.creation', user=superuser, session=app.session)
         assert '#open:claims' in resp.location
         assert_event('authenticator.related_object.creation', user=superuser, session=app.session)
         assert '#open:oidcclaimmapping' in resp.location
         resp = resp.follow()
         assert 'email → Email address (email), verified, required, idtoken' in resp.text
-...
         resp.form['attribute'].select(text='First name (first_name)')
         resp = resp.form.submit().follow()
         assert 'email → First name (first_name), verified, required, idtoken' in resp.text
         assert_event('authenticator.oidc.claim.edit', user=superuser, session=app.session)
         assert_event('authenticator.related_object.edit', user=superuser, session=app.session)
         resp = resp.click('Remove')
         resp = resp.form.submit().follow()
         assert 'email' not in resp.text
         assert_event('authenticator.oidc.claim.deletion', user=superuser, session=app.session)
         assert_event('authenticator.related_object.deletion', user=superuser, session=app.session)
     def test_authenticators_fc(app, superuser):

     from authentic2.custom_user.models import Profile, ProfileType, User
     from authentic2.journal import journal
     from authentic2.models import Service
     from authentic2_auth_oidc.models import OIDCClaimMapping, OIDCProvider
     from authentic2_auth_saml.models import SAMLAuthenticator, SetAttributeAction
     from .utils import login, logout, text_content
-...
         authenticator = LoginPasswordAuthenticator.objects.create(slug='test')
         saml_authenticator = SAMLAuthenticator.objects.create(slug='saml')
         set_attribute_action = SetAttributeAction.objects.create(authenticator=saml_authenticator)
         oidc_provider = OIDCProvider.objects.create(slug='oidc')
         oidc_claim_mapping = OIDCClaimMapping.objects.create(provider=oidc_provider)
         class EventFactory:
             date = make_aware(datetime.datetime(2020, 1, 1))
-...
             session=session2,
             related_object=set_attribute_action,
+        )
         make('authenticator.oidc.claim.creation', user=agent, session=session2, claim=oidc_claim_mapping)
         claim_edit_form = mock.Mock(spec=['instance', 'initial', 'changed_data', 'cleaned_data'])
         claim_edit_form.instance = oidc_claim_mapping
         claim_edit_form.initial = {'claim': 'email'}
         claim_edit_form.changed_data = ['claim']
         claim_edit_form.cleaned_data = {'claim': 'first_name'}
         make('authenticator.oidc.claim.edit', user=agent, session=session2, form=claim_edit_form)
         make('authenticator.oidc.claim.deletion', user=agent, session=session2, claim=oidc_claim_mapping)
         # verify we created at least one event for each type
         assert set(Event.objects.values_list("type__name", flat=True)) == set(_registry)
-...
     def test_global_journal(app, superuser, events):
         response = login(app, user=superuser, path="/manage/")
         set_attribute_action = SetAttributeAction.objects.get()
         oidc_claim_mapping = OIDCClaimMapping.objects.get()
         # remove event about admin login
         Event.objects.filter(user=superuser).delete()
-...
                 'type': 'authenticator.related_object.deletion',
                 'user': 'agent',
             },
+            {
                 'message': 'creation of claim (%s) in provider "OpenIDConnect"' % oidc_claim_mapping.pk,
                 'timestamp': 'Jan. 3, 2020, 11 a.m.',
                 'type': 'authenticator.oidc.claim.creation',
                 'user': 'agent',
             },
+            {
                 'message': 'edit claim (%s) in provider "OpenIDConnect" (claim)' % oidc_claim_mapping.pk,
                 'timestamp': 'Jan. 3, 2020, noon',
                 'type': 'authenticator.oidc.claim.edit',
                 'user': 'agent',
             },
+            {
                 'message': 'deletion of claim (%s) in provider "OpenIDConnect"' % oidc_claim_mapping.pk,
                 'timestamp': 'Jan. 3, 2020, 1 p.m.',
                 'type': 'authenticator.oidc.claim.deletion',
                 'user': 'agent',
             },
+        ]
         agent_page = response.click('agent', index=1)
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0009-auth_oidc-use-generic-related-object-code-53442.patch