	Compare commits
	
		
			8 Commits
		
	
	
		
			d58a299a8b
			...
			oidc
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | c411197af3 | ||
|  | cdc6f0a3f8 | ||
|  | df0d886db9 | ||
|  | 092cc37320 | ||
|  | d71105976f | ||
|  | 89cc03141b | ||
|  | 4445dd4a96 | ||
|  | dc6a40de02 | 
| @@ -21,3 +21,6 @@ EMAIL_PASSWORD=CHANGE_ME | |||||||
| # Wiki configuration | # Wiki configuration | ||||||
| WIKI_USER=NoteKfet2020 | WIKI_USER=NoteKfet2020 | ||||||
| WIKI_PASSWORD= | WIKI_PASSWORD= | ||||||
|  |  | ||||||
|  | # OIDC | ||||||
|  | OIDC_RSA_PRIVATE_KEY=CHANGE_ME | ||||||
|   | |||||||
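Review bot: The new `OIDC_RSA_PRIVATE_KEY=CHANGE_ME` entry gives no hint of the expected format, while the settings read the value with `.replace('\\n', '\n')`, i.e. the whole PEM is expected on a single line with its line breaks written as a literal `\n`; a comment above the entry such as `# PEM private key on ONE line, line breaks escaped as \n (generate with: openssl genrsa -out oidc.key 4096)` would stop a naively pasted multi-line key from presumably breaking the .env parsing. Since this file now carries a signing key rather than a path to one, it deserves the same restrictive file permissions the old `/var/secrets/oidc.key` had; a one-line reminder here (`# keep this file readable by the service account only`) is cheap.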
| @@ -61,8 +61,8 @@ Bien que cela permette de créer une instance sur toutes les distributions, | |||||||
| 6. (Optionnel) **Création d'une clé privée OpenID Connect** | 6. (Optionnel) **Création d'une clé privée OpenID Connect** | ||||||
|  |  | ||||||
| Pour activer le support d'OpenID Connect, il faut générer une clé privée, par | Pour activer le support d'OpenID Connect, il faut générer une clé privée, par | ||||||
| exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son | exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et copier la clé dans .env dans le champ | ||||||
| emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`). | `OIDC_RSA_PRIVATE_KEY`. | ||||||
|  |  | ||||||
| 7.  Enjoy : | 7.  Enjoy : | ||||||
|  |  | ||||||
| @@ -237,8 +237,8 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous. | |||||||
| 7. **Création d'une clé privée OpenID Connect** | 7. **Création d'une clé privée OpenID Connect** | ||||||
|  |  | ||||||
| Pour activer le support d'OpenID Connect, il faut générer une clé privée, par | Pour activer le support d'OpenID Connect, il faut générer une clé privée, par | ||||||
| exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son | exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner le champ | ||||||
| emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`). | `OIDC_RSA_PRIVATE_KEY` dans le .env (par défaut `/var/secrets/oidc.key`). | ||||||
|  |  | ||||||
| 8.  *Enjoy \o/* | 8.  *Enjoy \o/* | ||||||
|  |  | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ from api.viewsets import is_regex | |||||||
| from django_tables2.views import MultiTableMixin | from django_tables2.views import MultiTableMixin | ||||||
| from django.db import transaction | from django.db import transaction | ||||||
| from django.db.models import Q | from django.db.models import Q | ||||||
| from django.http import HttpResponseRedirect | from django.http import HttpResponseRedirect, Http404 | ||||||
| from django.views.generic import DetailView, UpdateView, CreateView | from django.views.generic import DetailView, UpdateView, CreateView | ||||||
| from django.views.generic.list import ListView | from django.views.generic.list import ListView | ||||||
| from django.urls import reverse_lazy | from django.urls import reverse_lazy | ||||||
| @@ -63,7 +63,8 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li | |||||||
|             valid_regex = is_regex(pattern) |             valid_regex = is_regex(pattern) | ||||||
|             suffix = '__iregex' if valid_regex else '__istartswith' |             suffix = '__iregex' if valid_regex else '__istartswith' | ||||||
|             prefix = '^' if valid_regex else '' |             prefix = '^' if valid_regex else '' | ||||||
|             qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern})) |             qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern}) | ||||||
|  |                            | Q(**{f'owner__name{suffix}': prefix + pattern})) | ||||||
|         else: |         else: | ||||||
|             qs = qs.none() |             qs = qs.none() | ||||||
|         search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view')) |         search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view')) | ||||||
| @@ -71,7 +72,7 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li | |||||||
|         open_table = self.get_queryset().order_by('expiry_date').filter( |         open_table = self.get_queryset().order_by('expiry_date').filter( | ||||||
|             Q(polymorphic_ctype__model='transformedfood') |             Q(polymorphic_ctype__model='transformedfood') | ||||||
|             | Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter( |             | Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter( | ||||||
|                 expiry_date__lt=timezone.now()).filter( |                 expiry_date__lt=timezone.now(), end_of_life='').filter( | ||||||
|                     PermissionBackend.filter_queryset(self.request, Food, 'view')) |                     PermissionBackend.filter_queryset(self.request, Food, 'view')) | ||||||
|         # table served |         # table served | ||||||
|         served_table = self.get_queryset().order_by('-pk').filter( |         served_table = self.get_queryset().order_by('-pk').filter( | ||||||
| @@ -240,11 +241,6 @@ class TransformedFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView): | |||||||
|         form.instance.is_ready = False |         form.instance.is_ready = False | ||||||
|         return super().form_valid(form) |         return super().form_valid(form) | ||||||
|  |  | ||||||
|     def get_context_data(self, *args, **kwargs): |  | ||||||
|         context = super().get_context_data(*args, **kwargs) |  | ||||||
|         context['title'] += ' ' + self.object.name |  | ||||||
|         return context |  | ||||||
|  |  | ||||||
|     def get_success_url(self, **kwargs): |     def get_success_url(self, **kwargs): | ||||||
|         self.object.refresh_from_db() |         self.object.refresh_from_db() | ||||||
|         return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk}) |         return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk}) | ||||||
| @@ -438,6 +434,8 @@ class FoodDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView): | |||||||
|         return context |         return context | ||||||
|  |  | ||||||
|     def get(self, *args, **kwargs): |     def get(self, *args, **kwargs): | ||||||
|  |         if Food.objects.filter(pk=kwargs['pk']).count() != 1: | ||||||
|  |             return Http404 | ||||||
|         model = Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model |         model = Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model | ||||||
|         if 'stop_redirect' in kwargs and kwargs['stop_redirect']: |         if 'stop_redirect' in kwargs and kwargs['stop_redirect']: | ||||||
|             return super().get(*args, **kwargs) |             return super().get(*args, **kwargs) | ||||||
|   | |||||||
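Review bot: `return Http404` in the new guard of `FoodDetailView.get` returns the exception class instead of raising it, so a request for a missing pk makes Django fail with "didn't return an HttpResponse" rather than answering 404; it must be `raise Http404`. Simpler still, drop the count-then-get pair for `food = get_object_or_404(Food, pk=kwargs['pk'])` (imported from `django.shortcuts`) and read `model = food.polymorphic_ctype.model`, which also saves a query. Note that the existence check runs on the unfiltered `Food.objects` before any permission filtering presumably applied by `ProtectQuerysetMixin` in `super().get`, so a caller can learn whether a pk exists even when not allowed to view it; if that matters, do the check on the permission-filtered queryset. The body of `get` continues past the end of this hunk.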
| @@ -1,8 +1,10 @@ | |||||||
| # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay | # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay | ||||||
| # SPDX-License-Identifier: GPL-3.0-or-later | # SPDX-License-Identifier: GPL-3.0-or-later | ||||||
|  |  | ||||||
| from oauth2_provider.oauth2_validators import OAuth2Validator | from oauth2_provider.oauth2_validators import OAuth2Validator | ||||||
| from oauth2_provider.scopes import BaseScopes | from oauth2_provider.scopes import BaseScopes | ||||||
| from member.models import Club | from member.models import Club | ||||||
|  | from note.models import Alias | ||||||
| from note_kfet.middlewares import get_current_request | from note_kfet.middlewares import get_current_request | ||||||
|  |  | ||||||
| from .backends import PermissionBackend | from .backends import PermissionBackend | ||||||
| @@ -17,25 +19,46 @@ class PermissionScopes(BaseScopes): | |||||||
|     """ |     """ | ||||||
|  |  | ||||||
|     def get_all_scopes(self): |     def get_all_scopes(self): | ||||||
|         return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" |         scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" | ||||||
|                   for p in Permission.objects.all() for club in Club.objects.all()} |                   for p in Permission.objects.all() for club in Club.objects.all()} | ||||||
|  |         scopes['openid'] = "OpenID Connect" | ||||||
|  |         return scopes | ||||||
|  |  | ||||||
|     def get_available_scopes(self, application=None, request=None, *args, **kwargs): |     def get_available_scopes(self, application=None, request=None, *args, **kwargs): | ||||||
|         if not application: |         if not application: | ||||||
|             return [] |             return [] | ||||||
|         return [f"{p.id}_{p.membership.club.id}" |         scopes = [f"{p.id}_{p.membership.club.id}" | ||||||
|                   for t in Permission.PERMISSION_TYPES |                   for t in Permission.PERMISSION_TYPES | ||||||
|                   for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])] |                   for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])] | ||||||
|  |         scopes.append('openid') | ||||||
|  |         return scopes | ||||||
|  |  | ||||||
|     def get_default_scopes(self, application=None, request=None, *args, **kwargs): |     def get_default_scopes(self, application=None, request=None, *args, **kwargs): | ||||||
|         if not application: |         if not application: | ||||||
|             return [] |             return [] | ||||||
|         return [f"{p.id}_{p.membership.club.id}" |         scopes = [f"{p.id}_{p.membership.club.id}" | ||||||
|                   for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')] |                   for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')] | ||||||
|  |         scopes.append('openid') | ||||||
|  |         return scopes | ||||||
|  |  | ||||||
|  |  | ||||||
| class PermissionOAuth2Validator(OAuth2Validator): | class PermissionOAuth2Validator(OAuth2Validator): | ||||||
|     oidc_claim_scope = None  # fix breaking change of django-oauth-toolkit 2.0.0 |     oidc_claim_scope = OAuth2Validator.oidc_claim_scope | ||||||
|  |     oidc_claim_scope.update({"name": 'openid', | ||||||
|  |                              "normalized_name": 'openid', | ||||||
|  |                              "email": 'openid', | ||||||
|  |                              }) | ||||||
|  |  | ||||||
|  |     def get_additional_claims(self, request): | ||||||
|  |         return { | ||||||
|  |             "name": request.user.username, | ||||||
|  |             "normalized_name": Alias.normalize(request.user.username), | ||||||
|  |             "email": request.user.email, | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |     def get_discovery_claims(self, request): | ||||||
|  |         claims = super().get_discovery_claims(self) | ||||||
|  |         return claims + ["name", "normalized_name", "email"] | ||||||
|  |  | ||||||
|     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs): |     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs): | ||||||
|         """ |         """ | ||||||
| @@ -54,6 +77,8 @@ class PermissionOAuth2Validator(OAuth2Validator): | |||||||
|                 if scope in scopes: |                 if scope in scopes: | ||||||
|                     valid_scopes.add(scope) |                     valid_scopes.add(scope) | ||||||
|  |  | ||||||
|         request.scopes = valid_scopes |         if 'openid' in scopes: | ||||||
|  |             valid_scopes.add('openid') | ||||||
|  |  | ||||||
|  |         request.scopes = valid_scopes | ||||||
|         return valid_scopes |         return valid_scopes | ||||||
|   | |||||||
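Review bot: `oidc_claim_scope = OAuth2Validator.oidc_claim_scope` binds the library's own class-level dict and the following `.update(...)` then mutates it in place at import time, so the base `OAuth2Validator` (and any other subclass in the process) silently inherits this project's claim-to-scope mapping; build a copy instead, `oidc_claim_scope = {**OAuth2Validator.oidc_claim_scope, "name": "openid", "normalized_name": "openid", "email": "openid"}`. In `get_discovery_claims`, `super().get_discovery_claims(self)` passes the validator where the request is expected; it should read `claims = super().get_discovery_claims(request)`. Mapping `email` to the bare `openid` scope also means every client granted `openid` receives the user's e-mail, whereas OIDC by convention gates it behind a separate `email` scope, so confirm that this is intended before any relying party uses it for access decisions. `validate_scopes` starts before this hunk.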
| @@ -19,6 +19,7 @@ EXCLUDED = [ | |||||||
|     'oauth2_provider.accesstoken', |     'oauth2_provider.accesstoken', | ||||||
|     'oauth2_provider.grant', |     'oauth2_provider.grant', | ||||||
|     'oauth2_provider.refreshtoken', |     'oauth2_provider.refreshtoken', | ||||||
|  |     'oauth2_provider.idtoken', | ||||||
|     'sessions.session', |     'sessions.session', | ||||||
| ] | ] | ||||||
|  |  | ||||||
|   | |||||||
| @@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView): | |||||||
|             available_scopes = scopes.get_available_scopes(app) |             available_scopes = scopes.get_available_scopes(app) | ||||||
|             context["scopes"][app] = OrderedDict() |             context["scopes"][app] = OrderedDict() | ||||||
|             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes] |             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes] | ||||||
|             items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0]))) |             # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0]))) | ||||||
|             for k, v in items: |             for k, v in items: | ||||||
|                 context["scopes"][app][k] = v |                 context["scopes"][app][k] = v | ||||||
|  |  | ||||||
|   | |||||||
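Review bot: Commenting out `items.sort(...)` rather than adapting it drops the per-club ordering of the scopes page for every scope just because the new `openid` key has no `perm_club` shape; keep the sort and special-case that key, e.g. `items.sort(key=lambda x: (-1, -1) if x[0] == 'openid' else (int(x[0].split("_")[1]), int(x[0].split("_")[0])))`, and delete the commented-out line instead of leaving dead code. Any further scope name without the `perm_club` shape would still raise `ValueError` in this key function, so if more such scopes are planned the parsing should fall back rather than raise. The enclosing `ScopesView` method starts before this hunk.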
| @@ -19,8 +19,9 @@ Le modèle regroupe : | |||||||
| * Propriétaire (doit-être un Club) | * Propriétaire (doit-être un Club) | ||||||
| * Allergènes (ManyToManyField) | * Allergènes (ManyToManyField) | ||||||
| * date d'expiration | * date d'expiration | ||||||
| * a été mangé (booléen) | * fin de vie | ||||||
| * est prêt (booléen) | * est prêt (booléen) | ||||||
|  | * consigne (pour les GCKs) | ||||||
|  |  | ||||||
| BasicFood | BasicFood | ||||||
| ~~~~~~~~~ | ~~~~~~~~~ | ||||||
| @@ -40,7 +41,7 @@ Les TransformedFood correspondent aux produits préparés à la Kfet. Ils peuven | |||||||
|  |  | ||||||
| Le modèle regroupe : | Le modèle regroupe : | ||||||
|  |  | ||||||
| * Durée de consommation (par défaut 3 jours) | * Durée de conservation (par défaut 3 jours) | ||||||
| * Ingrédients (ManyToManyField vers Food) | * Ingrédients (ManyToManyField vers Food) | ||||||
| * Date de création | * Date de création | ||||||
| * Champs de Food | * Champs de Food | ||||||
|   | |||||||
| @@ -12,6 +12,7 @@ Applications de la Note Kfet 2020 | |||||||
|    ../api/index |    ../api/index | ||||||
|    registration |    registration | ||||||
|    logs |    logs | ||||||
|  |    food | ||||||
|    treasury |    treasury | ||||||
|    wei |    wei | ||||||
|    wrapped |    wrapped | ||||||
| @@ -66,6 +67,8 @@ Applications facultatives | |||||||
|     Serveur central d'authentification, permet d'utiliser son compte de la NoteKfet2020 pour se connecter à d'autre application ayant intégrer un client. |     Serveur central d'authentification, permet d'utiliser son compte de la NoteKfet2020 pour se connecter à d'autre application ayant intégrer un client. | ||||||
| * `Scripts <https://gitlab.crans.org/bde/nk20-scripts>`_ | * `Scripts <https://gitlab.crans.org/bde/nk20-scripts>`_ | ||||||
|      Ensemble de commande `./manage.py` pour la gestion de la note: import de données, verification d'intégrité, etc... |      Ensemble de commande `./manage.py` pour la gestion de la note: import de données, verification d'intégrité, etc... | ||||||
|  | * `Food <food>`_ : | ||||||
|  |     Gestion de la nourriture dans Kfet pour les clubs. | ||||||
| * `Treasury <treasury>`_ : | * `Treasury <treasury>`_ : | ||||||
|     Interface de gestion pour les trésorièr⋅es, émission de factures, remises de chèque, statistiques... |     Interface de gestion pour les trésorièr⋅es, émission de factures, remises de chèque, statistiques... | ||||||
| * `WEI <wei>`_ : | * `WEI <wei>`_ : | ||||||
|   | |||||||
| @@ -183,6 +183,7 @@ Contributeur⋅rices | |||||||
|    * korenst1 |    * korenst1 | ||||||
|    * nicomarg |    * nicomarg | ||||||
|    * PAC |    * PAC | ||||||
|  |    * Quark | ||||||
|    * ÿnérant |    * ÿnérant | ||||||
|  |  | ||||||
|  |  | ||||||
|   | |||||||
| @@ -270,7 +270,7 @@ OAUTH2_PROVIDER = { | |||||||
|     'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0) |     'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0) | ||||||
|     'OIDC_ENABLED': True, |     'OIDC_ENABLED': True, | ||||||
|     'OIDC_RSA_PRIVATE_KEY': |     'OIDC_RSA_PRIVATE_KEY': | ||||||
|         os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'), |         os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines | ||||||
|     'SCOPES': { 'openid': "OpenID Connect scope" }, |     'SCOPES': { 'openid': "OpenID Connect scope" }, | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
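Review bot: The fallback `'CHANGE_ME_IN_ENV_SETTINGS'` is not a key, so with `OIDC_ENABLED: True` an instance whose variable is unset presumably starts fine and only fails when django-oauth-toolkit first signs an ID token; at the same time the old file-path form is dropped, although the install docs in this same commit still mention `/var/secrets/oidc.key` and existing deployments will have the key on disk. A small loader that accepts either a path or the inline PEM keeps both working and isolates the `.replace('\\n', '\n')` escape handling; a fail-fast `ImproperlyConfigured` for an empty value can be added if OIDC is meant to be mandatory. Moving the key from a mode-0600 file into the process environment also exposes it to every child process and to anything that dumps `os.environ`, so the `.env` file must stay readable by the service account only. The `OAUTH2_PROVIDER` dict starts before this hunk.

```python
def _load_oidc_private_key(value):
    """Accept either a path to a PEM file (previous behaviour) or the PEM itself on one line with \\n escapes."""
    if os.path.isfile(value):
        with open(value) as key_file:
            return key_file.read()
    return value.replace('\\n', '\n')  # single-line .env value, newlines escaped

OAUTH2_PROVIDER = {
    # … unchanged: PKCE_REQUIRED, OIDC_ENABLED …
    'OIDC_RSA_PRIVATE_KEY': _load_oidc_private_key(os.getenv('OIDC_RSA_PRIVATE_KEY', '')),
    # … unchanged: SCOPES …
}
```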