mirror of
				https://gitlab.crans.org/bde/nk20
				synced 2025-10-26 21:43:17 +01:00 
			
		
		
		
	Compare commits
	
		
			6 Commits
		
	
	
		
			849a3ef9b3
			...
			oidc
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | c411197af3 | ||
|  | cdc6f0a3f8 | ||
|  | df0d886db9 | ||
|  | 092cc37320 | ||
|  | d71105976f | ||
|  | 89cc03141b | 
| @@ -21,3 +21,6 @@ EMAIL_PASSWORD=CHANGE_ME | ||||
| # Wiki configuration | ||||
| WIKI_USER=NoteKfet2020 | ||||
| WIKI_PASSWORD= | ||||
|  | ||||
| # OIDC | ||||
| OIDC_RSA_PRIVATE_KEY=CHANGE_ME | ||||
|   | ||||
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -48,6 +48,7 @@ backups/ | ||||
| env/ | ||||
| venv/ | ||||
| db.sqlite3 | ||||
| shell.nix | ||||
|  | ||||
| # ansibles customs host | ||||
| ansible/host_vars/*.yaml | ||||
|   | ||||
| @@ -61,8 +61,8 @@ Bien que cela permette de créer une instance sur toutes les distributions, | ||||
| 6. (Optionnel) **Création d'une clé privée OpenID Connect** | ||||
|  | ||||
| Pour activer le support d'OpenID Connect, il faut générer une clé privée, par | ||||
| exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son | ||||
| emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`). | ||||
| exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et copier la clé dans .env dans le champ | ||||
| `OIDC_RSA_PRIVATE_KEY`. | ||||
|  | ||||
| 7.  Enjoy : | ||||
|  | ||||
| @@ -237,8 +237,8 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous. | ||||
| 7. **Création d'une clé privée OpenID Connect** | ||||
|  | ||||
| Pour activer le support d'OpenID Connect, il faut générer une clé privée, par | ||||
| exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son | ||||
| emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`). | ||||
| exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner le champ | ||||
| `OIDC_RSA_PRIVATE_KEY` dans le .env (par défaut `/var/secrets/oidc.key`). | ||||
|  | ||||
| 8.  *Enjoy \o/* | ||||
|  | ||||
|   | ||||
| @@ -63,7 +63,8 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li | ||||
|             valid_regex = is_regex(pattern) | ||||
|             suffix = '__iregex' if valid_regex else '__istartswith' | ||||
|             prefix = '^' if valid_regex else '' | ||||
|             qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern})) | ||||
|             qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern}) | ||||
|                            | Q(**{f'owner__name{suffix}': prefix + pattern})) | ||||
|         else: | ||||
|             qs = qs.none() | ||||
|         search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view')) | ||||
|   | ||||
| @@ -1,8 +1,10 @@ | ||||
| # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay | ||||
| # SPDX-License-Identifier: GPL-3.0-or-later | ||||
|  | ||||
| from oauth2_provider.oauth2_validators import OAuth2Validator | ||||
| from oauth2_provider.scopes import BaseScopes | ||||
| from member.models import Club | ||||
| from note.models import Alias | ||||
| from note_kfet.middlewares import get_current_request | ||||
|  | ||||
| from .backends import PermissionBackend | ||||
| @@ -17,25 +19,46 @@ class PermissionScopes(BaseScopes): | ||||
|     """ | ||||
|  | ||||
|     def get_all_scopes(self): | ||||
|         return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" | ||||
|         scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" | ||||
|                   for p in Permission.objects.all() for club in Club.objects.all()} | ||||
|         scopes['openid'] = "OpenID Connect" | ||||
|         return scopes | ||||
|  | ||||
|     def get_available_scopes(self, application=None, request=None, *args, **kwargs): | ||||
|         if not application: | ||||
|             return [] | ||||
|         return [f"{p.id}_{p.membership.club.id}" | ||||
|         scopes = [f"{p.id}_{p.membership.club.id}" | ||||
|                   for t in Permission.PERMISSION_TYPES | ||||
|                   for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])] | ||||
|         scopes.append('openid') | ||||
|         return scopes | ||||
|  | ||||
|     def get_default_scopes(self, application=None, request=None, *args, **kwargs): | ||||
|         if not application: | ||||
|             return [] | ||||
|         return [f"{p.id}_{p.membership.club.id}" | ||||
|         scopes = [f"{p.id}_{p.membership.club.id}" | ||||
|                   for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')] | ||||
|         scopes.append('openid') | ||||
|         return scopes | ||||
|  | ||||
|  | ||||
| class PermissionOAuth2Validator(OAuth2Validator): | ||||
|     oidc_claim_scope = None  # fix breaking change of django-oauth-toolkit 2.0.0 | ||||
|     oidc_claim_scope = OAuth2Validator.oidc_claim_scope | ||||
|     oidc_claim_scope.update({"name": 'openid', | ||||
|                              "normalized_name": 'openid', | ||||
|                              "email": 'openid', | ||||
|                              }) | ||||
|  | ||||
|     def get_additional_claims(self, request): | ||||
|         return { | ||||
|             "name": request.user.username, | ||||
|             "normalized_name": Alias.normalize(request.user.username), | ||||
|             "email": request.user.email, | ||||
|         } | ||||
|  | ||||
|     def get_discovery_claims(self, request): | ||||
|         claims = super().get_discovery_claims(self) | ||||
|         return claims + ["name", "normalized_name", "email"] | ||||
|  | ||||
|     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs): | ||||
|         """ | ||||
| @@ -54,6 +77,8 @@ class PermissionOAuth2Validator(OAuth2Validator): | ||||
|                 if scope in scopes: | ||||
|                     valid_scopes.add(scope) | ||||
|  | ||||
|         request.scopes = valid_scopes | ||||
|         if 'openid' in scopes: | ||||
|             valid_scopes.add('openid') | ||||
|  | ||||
|         request.scopes = valid_scopes | ||||
|         return valid_scopes | ||||
|   | ||||
| @@ -19,6 +19,7 @@ EXCLUDED = [ | ||||
|     'oauth2_provider.accesstoken', | ||||
|     'oauth2_provider.grant', | ||||
|     'oauth2_provider.refreshtoken', | ||||
|     'oauth2_provider.idtoken', | ||||
|     'sessions.session', | ||||
| ] | ||||
|  | ||||
|   | ||||
| @@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView): | ||||
|             available_scopes = scopes.get_available_scopes(app) | ||||
|             context["scopes"][app] = OrderedDict() | ||||
|             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes] | ||||
|             items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0]))) | ||||
|             # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0]))) | ||||
|             for k, v in items: | ||||
|                 context["scopes"][app][k] = v | ||||
|  | ||||
|   | ||||
| @@ -270,7 +270,7 @@ OAUTH2_PROVIDER = { | ||||
|     'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0) | ||||
|     'OIDC_ENABLED': True, | ||||
|     'OIDC_RSA_PRIVATE_KEY': | ||||
|         os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'), | ||||
|         os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines | ||||
|     'SCOPES': { 'openid': "OpenID Connect scope" }, | ||||
| } | ||||
|  | ||||
|   | ||||
| @@ -1,34 +0,0 @@ | ||||
| # This is a workaround meant for use with the nix package manager. If you don't know what it is or don't use it, please ignore this file. | ||||
| #  | ||||
| # The nk20 javascript static location are hardcoded for imperative system. | ||||
| # This make ./manage.py collectstatic hard to use with nixos. | ||||
| #  | ||||
| # A workaround is to enter a FHSUserEnv with the static placed under /share/javascript/<static>. | ||||
| # This emulate a debian like system and enable collecting static normally with ./manage.py collectstatics. | ||||
| # The regular shell.nix should be enough for other configurations. | ||||
| # | ||||
| # Warning, you are still supposed to use pip package with a venv ! | ||||
| { pkgs ? import <nixpkgs> {} }: | ||||
| (pkgs.buildFHSUserEnv { | ||||
|   name = "pipzone"; | ||||
|   targetPkgs = pkgs: (with pkgs; | ||||
|   let | ||||
|     fhs-static = stdenv.mkDerivation { | ||||
|       name = "fhs-static"; | ||||
|       buildCommand = '' | ||||
|       mkdir -p $out/share/javascript/bootstrap4 | ||||
|       mkdir -p $out/share/javascript/jquery | ||||
|       ln -s ${python39Packages.xstatic-bootstrap}/lib/python3.9/site-packages/xstatic/pkg/bootstrap/data/* $out/share/javascript/bootstrap4 | ||||
|       ln -s ${python39Packages.xstatic-jquery}/lib/python3.9/site-packages/xstatic/pkg/jquery/data/* $out/share/javascript/jquery | ||||
|     ''; | ||||
|     }; | ||||
|   in [ | ||||
|     fhs-static | ||||
|     python39 | ||||
|     gettext | ||||
|     python39Packages.pip | ||||
|     python39Packages.virtualenv | ||||
|     python39Packages.setuptools | ||||
|   ]); | ||||
|   runScript = "bash"; | ||||
| }).env | ||||
							
								
								
									
										23
									
								
								shell.nix
									
									
									
									
									
								
							
							
						
						
									
										23
									
								
								shell.nix
									
									
									
									
									
								
							| @@ -1,23 +0,0 @@ | ||||
| # This is meant for use with the nix package manager. If you don't know what it is or don't use it, please ignore this file. | ||||
| # | ||||
| # This shell.nix contains all dependencies require to create a venv and pip install -r requirements.txt. | ||||
| # | ||||
| # Please check shell-static.nix for running ./manage.py collectstatics. | ||||
| { pkgs ? import <nixpkgs> {} }: | ||||
| pkgs.mkShell { | ||||
|   buildInputs = with pkgs; [ | ||||
|     python39 | ||||
|     python39Packages.pip | ||||
|     python39Packages.setuptools | ||||
|     gettext | ||||
|  | ||||
|   ]; | ||||
|   shellHook = '' | ||||
|     # Tells pip to put packages into $PIP_PREFIX instead of the usual locations. | ||||
|     # See https://pip.pypa.io/en/stable/user_guide/#environment-variables. | ||||
|     export PIP_PREFIX=$(pwd)/_build/pip_packages | ||||
|     export PYTHONPATH="$PIP_PREFIX/${pkgs.python39.sitePackages}:$PYTHONPATH" | ||||
|     export PATH="$PIP_PREFIX/bin:$PATH" | ||||
|     unset SOURCE_DATE_EPOCH | ||||
|   ''; | ||||
| } | ||||
		Reference in New Issue
	
	Block a user