ynerant/nk20
1
0
Fork 0
mirror of https://gitlab.crans.org/bde/nk20 synced 2025-11-12 09:39:28 +01:00
Code Issues Releases Wiki Activity

token access

Browse Source
This commit is contained in:
quark
2025-11-09 14:48:29 +01:00
parent 08593700fc
commit 9998189dbf
4 changed files with 34 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
apps/permission/backends.py
View File

@@ -21,7 +21,7 @@ class PermissionBackend(ModelBackend):
Manage permissions of users Manage permissions of users
""" """
supports_object_permissions = True supports_object_permissions = True
supports_anonymous_user = True supports_anonymous_user = False
supports_inactive_user = False supports_inactive_user = False
@staticmethod @staticmethod
@@ -33,6 +33,7 @@ class PermissionBackend(ModelBackend):
:param t: The type of the permissions: view, change, add or delete :param t: The type of the permissions: view, change, add or delete
:return: The queryset of the permissions of the user (memoized) grouped by clubs :return: The queryset of the permissions of the user (memoized) grouped by clubs
""" """
# Permission for auth
if hasattr(request, 'oauth2') and request.oauth2 is not None and 'scope' in request.oauth2: if hasattr(request, 'oauth2') and request.oauth2 is not None and 'scope' in request.oauth2:
# OAuth2 Authentication # OAuth2 Authentication
user = request.oauth2['user'] user = request.oauth2['user']
@@ -46,6 +47,21 @@ class PermissionBackend(ModelBackend):
if int(club_id) == membership_obj.club_id: if int(club_id) == membership_obj.club_id:
query |= Q(pk=permission_id, mask__rank__lte=request.oauth2['mask']) query |= Q(pk=permission_id, mask__rank__lte=request.oauth2['mask'])
return query return query
# Restreint token permission to his scope
elif hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
user = request.auth.user
def permission_filter(membership_obj):
query = Q(pk=-1)
for scope in request.auth.scope.split(' '):
if scope == "openid" or scope == "0_0":
continue
permission_id, club_id = scope.split('_')
if int(club_id) == membership_obj.club_id:
query |= Q(pk=permission_id)
return query
else: else:
user = request.user user = request.user
@@ -79,7 +95,6 @@ class PermissionBackend(ModelBackend):
:param type: The type of the permissions: view, change, add or delete :param type: The type of the permissions: view, change, add or delete
:return: A generator of the requested permissions :return: A generator of the requested permissions
""" """
if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'): if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
# OAuth2 Authentication # OAuth2 Authentication
user = request.auth.user user = request.auth.user

53
apps/permission/scopes.py
View File

@@ -54,7 +54,7 @@ class PermissionScopes(BaseScopes):
return [] return []
scopes = [f"{p.id}_{p.membership.club.id}" scopes = [f"{p.id}_{p.membership.club.id}"
for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')] for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
scopes = ['0_0'] scopes = ['0_0'] # always default
return scopes return scopes
@@ -143,36 +143,6 @@ class PermissionOAuth2Validator(OAuth2Validator):
request.scopes = valid_scopes request.scopes = valid_scopes
return valid_scopes return valid_scopes
def validate_code_scopes(self, client_id, scopes, client, request, *args, **kwargs):
"""
For Authorization Code scope are scope of the user
"""
valid_scopes = set()
req = get_current_request()
request.oauth2 = {}
request.oauth2['user'] = req.user
request.oauth2['scope'] = scopes
# mask implementation
request.oauth2['mask'] = req.session.load()['permission_mask']
for t in Permission.PERMISSION_TYPES:
for p in PermissionBackend.get_raw_permissions(request, t[0]):
scope = f"{p.id}_{p.membership.club.id}"
if scope in scopes:
valid_scopes.add(scope)
# Always give one scope to generate token
if not valid_scopes:
valid_scopes.add('0_0')
request.scopes = valid_scopes
return valid_scopes
def validate_implicit_scopes(self, client_id, scopes, client, request, *args, **kwargs):
"""
Implicit flow it's just degraded Authorization flow
"""
return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)
def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs): def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
""" """
User can request as many scope as he wants, including invalid scopes, User can request as many scope as he wants, including invalid scopes,
@@ -187,19 +157,28 @@ class PermissionOAuth2Validator(OAuth2Validator):
if hasattr(request, 'grant_type') and request.grant_type == 'password': if hasattr(request, 'grant_type') and request.grant_type == 'password':
return self.validate_ropb_scopes(client_id, scopes, client, request, args, kwargs) return self.validate_ropb_scopes(client_id, scopes, client, request, args, kwargs)
if hasattr(request, '_params') and request._params['response_type'] == 'code': # Authorization code and Implicit are the same for scope, OIDC it's only a layer
return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)
if hasattr(request, '_params') and request._params['response_type'] == 'token': valid_scopes = set()
return self.validate_implicit_scopes(client_id, scopes, client, request, args, kwargs) req = get_current_request()
request.oauth2 = {}
request.oauth2['user'] = req.user
request.oauth2['scope'] = scopes
# mask implementation
request.oauth2['mask'] = req.session.load()['permission_mask']
for t in Permission.PERMISSION_TYPES: for t in Permission.PERMISSION_TYPES:
for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]): for p in PermissionBackend.get_raw_permissions(request, t[0]):
scope = f"{p.id}_{p.membership.club.id}" scope = f"{p.id}_{p.membership.club.id}"
if scope in scopes: if scope in scopes:
valid_scopes.add(scope) valid_scopes.add(scope)
if '0_0' in scopes: # We grant openid scope if user is active
if 'openid' in scopes and req.user.is_active:
valid_scopes.add('openid')
# Always give one scope to generate token
if not valid_scopes:
valid_scopes.add('0_0') valid_scopes.add('0_0')
request.scopes = valid_scopes request.scopes = valid_scopes

6
apps/permission/tests/test_oauth2_flow.py
View File

@@ -442,9 +442,3 @@ class OAuth2FlowTestCase(TestCase):
# Token can have access, it shouldn't have the useless scope # Token can have access, it shouldn't have the useless scope
self.assertEqual(token.scope, self.base_scope) self.assertEqual(token.scope, self.base_scope)
def test_oidc_flow(self):
"""
Ensure OIDC Flow work
"""
pass

2
note_kfet/settings/base.py
View File

@@ -273,9 +273,9 @@ OAUTH2_PROVIDER = {
'REFRESH_TOKEN_EXPIRE_SECONDS': timedelta(days=14), 'REFRESH_TOKEN_EXPIRE_SECONDS': timedelta(days=14),
'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0) 'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
'OIDC_ENABLED': True, 'OIDC_ENABLED': True,
'OIDC_RP_INITIATED_LOGOUT_ENABLED': False,
'OIDC_RSA_PRIVATE_KEY': 'OIDC_RSA_PRIVATE_KEY':
os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines
'SCOPES': { 'openid': "OpenID Connect scope" },
} }
# Take control on how widget templates are sourced # Take control on how widget templates are sourced