remove oidc from OAuth2, add dedicated OIDC provider

2019-07-05 15:21:48 +02:00 · 2019-07-05 15:21:48 +02:00 · 23d277eaf1
parent 75ced59451
commit 23d277eaf1
21 changed files with 355 additions and 58 deletions
--- a/passbook/core/templates/base/skeleton_login.html
+++ b/passbook/core/templates/base/skeleton_login.html
@ -0,0 +1,54 @@
 {% load static %}
 {% load i18n %}
 {% load utils %}
 <!DOCTYPE html>
 <html lang="en" class="layout-pf layout-pf-fixed transitions">
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>
    {% block title %}
    {% title %}
    {% endblock %}
  </title>
  <link rel="icon" type="image/png" href="{% static 'img/logo.png' %}">
  <link rel="shortcut icon" type="image/png" href="{% static 'img/logo.png' %}">
  <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly.min.css' %}">
  <link rel="stylesheet" type="text/css" href="{% static 'css/patternfly-additions.min.css' %}">
  <link rel="stylesheet" type="text/css" href="{% static 'css/passbook.css' %}">
  <style>
    .login-pf {
      background-attachment: fixed;
      scroll-behavior: smooth;
      background-size: cover;
    }
  </style>
  {% block head %}
  {% endblock %}
 </head>
 <body class="login-pf">
  {% if 'impersonate_id' in request.session %}
  <div class="experimental-pf-bar">
    <span id="experimentalBar" class="experimental-pf-text">
      {% blocktrans with user=user %}You're currently impersonating {{ user }}.{% endblocktrans %}
      <a href="?__unimpersonate=True" id="acceptMessage">{% trans 'Stop impersonation' %}</a>
    </span>
  </div>
  {% endif %}
  {% block body %}
  {% endblock %}
  <script src="{% static 'js/jquery.min.js' %}"></script>
  <script src="{% static 'js/bootstrap.min.js' %}"></script>
  <script src="{% static 'js/patternfly.min.js' %}"></script>
  <script src="{% static 'js/passbook.js' %}"></script>
  {% block scripts %}
  {% endblock %}
  <div class="modals">
    {% include 'partials/about_modal.html' %}
  </div>
 </body>
 </html>
--- a/passbook/core/templates/login/base.html
+++ b/passbook/core/templates/login/base.html
@ -1,4 +1,4 @@
-{% extends 'base/skeleton.html' %}
+{% extends 'base/skeleton_login.html' %}
 {% load static %}
 {% load i18n %}
--- a/passbook/oauth_provider/forms.py
+++ b/passbook/oauth_provider/forms.py
@ -1,4 +1,4 @@
-"""passbook OAuth2 IDP Forms"""
+"""passbook OAuth2 Provider Forms"""
 from django import forms
--- a/passbook/oauth_provider/models.py
+++ b/passbook/oauth_provider/models.py
@ -25,8 +25,6 @@ class OAuth2Provider(Provider, AbstractApplication):
                reverse('passbook_oauth_provider:token')),
            'userinfo_url': request.build_absolute_uri(
                reverse('passbook_api:openid')),
            'openid_url': request.build_absolute_uri(
                reverse('passbook_oauth_provider:openid-discovery'))
        }
    class Meta:
--- a/passbook/oauth_provider/templates/oauth2_provider/setup_url_modal.html
+++ b/passbook/oauth_provider/templates/oauth2_provider/setup_url_modal.html
@ -31,15 +31,6 @@
            </div>
          </div>
        </form>
        <hr>
        <form class="form-horizontal">
          <div class="form-group">
            <label class="col-sm-3 control-label">{% trans 'OpenID Configuration URL' %}</label>
            <div class="col-sm-9">
              <input type="text"class="form-control" readonly value="{{ openid_url }}">
            </div>
          </div>
        </form>
      </div>
      <div class="modal-footer">
        <button type="button" class="btn btn-primary" data-dismiss="modal">{% trans 'Close' %}</button>
--- a/passbook/oauth_provider/urls.py
+++ b/passbook/oauth_provider/urls.py
@ -3,7 +3,7 @@
 from django.urls import path
 from oauth2_provider import views
-from passbook.oauth_provider.views import oauth2, openid
+from passbook.oauth_provider.views import oauth2
 urlpatterns = [
    # Custom OAuth 2 Authorize View
@ -17,9 +17,4 @@ urlpatterns = [
    path("token/", views.TokenView.as_view(), name="token"),
    path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),
    path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),
    # OpenID-Connect Discovery
    path('.well-known/openid-configuration', openid.OpenIDConfigurationView.as_view(),
         name='openid-discovery'),
    path('.well-known/jwks.json', openid.JSONWebKeyView.as_view(),
         name='openid-jwks'),
 ]
--- a/passbook/oauth_provider/views/oauth2.py
+++ b/passbook/oauth_provider/views/oauth2.py
@ -57,10 +57,10 @@ class PassbookAuthorizationView(AccessMixin, AuthorizationView):
        provider.save()
        self._application = application
        # Check permissions
-        passing, policy_meaages = self.user_has_access(self._application, request.user)
+        passing, policy_messages = self.user_has_access(self._application, request.user)
        if not passing:
-            for policy_meaage in policy_meaages:
+            for policy_message in policy_messages:
-                messages.error(request, policy_meaage)
+                messages.error(request, policy_message)
            return redirect('passbook_oauth_provider:oauth2-permission-denied')
        # Some clients don't pass response_type, so we default to code
        if 'response_type' not in request.GET:
--- a/passbook/oauth_provider/views/openid.py
+++ b/passbook/oauth_provider/views/openid.py
@ -1,35 +0,0 @@
 """passbook oauth provider OpenID Views"""
 from django.http import HttpRequest, JsonResponse
 from django.shortcuts import reverse
 from django.views.generic import View
 class OpenIDConfigurationView(View):
    """Return OpenID Configuration"""
    def get_issuer_url(self, request):
        """Get correct issuer URL"""
        full_url = request.build_absolute_uri(reverse('passbook_oauth_provider:openid-discovery'))
        return full_url.replace(".well-known/openid-configuration", "")
    def get(self, request: HttpRequest):
        """Get Response conform to https://openid.net/specs/openid-connect-discovery-1_0.html"""
        return JsonResponse({
            'issuer': self.get_issuer_url(request),
            'authorization_endpoint': request.build_absolute_uri(
                reverse('passbook_oauth_provider:oauth2-authorize')),
            'token_endpoint': request.build_absolute_uri(reverse('passbook_oauth_provider:token')),
            "jwks_uri": request.build_absolute_uri(reverse('passbook_oauth_provider:openid-jwks')),
            "scopes_supported": [
                "openid",
            ],
        })
 class JSONWebKeyView(View):
    """JSON Web Key View"""
    def get(self, request: HttpRequest):
        """JSON Webkeys are not implemented yet, hence return an empty object"""
        return JsonResponse({})
--- a/passbook/oidc_provider/init.py
+++ b/passbook/oidc_provider/init.py
--- a/passbook/oidc_provider/apps.py
+++ b/passbook/oidc_provider/apps.py
@ -0,0 +1,27 @@
 """passbook auth oidc provider app config"""
 from logging import getLogger
 from django.apps import AppConfig
 from django.urls import include, path
 LOGGER = getLogger(__name__)
 class PassbookOIDCProviderConfig(AppConfig):
    """passbook auth oidc provider app config"""
    name = 'passbook.oidc_provider'
    label = 'passbook_oidc_provider'
    verbose_name = 'passbook OIDC Provider'
    def ready(self):
        from Cryptodome.PublicKey import RSA
        from oidc_provider.models import RSAKey
        if not RSAKey.objects.exists():
            key = RSA.generate(2048)
            rsakey = RSAKey(key=key.exportKey('PEM').decode('utf8'))
            rsakey.save()
            LOGGER.info("Created key")
        from passbook.root import urls
        urls.urlpatterns.append(
            path('application/oidc/', include('oidc_provider.urls', namespace='oidc_provider')),
        )
--- a/passbook/oidc_provider/forms.py
+++ b/passbook/oidc_provider/forms.py
@ -0,0 +1,38 @@
 """passbook OIDC IDP Forms"""
 from django import forms
 from oauth2_provider.generators import (generate_client_id,
                                        generate_client_secret)
 from oidc_provider.models import Client
 from passbook.oidc_provider.models import OpenIDProvider
 class OIDCProviderForm(forms.ModelForm):
    """OpenID Client form"""
    def __init__(self, *args, **kwargs):
        # Correctly load data from 1:1 rel
        if 'instance' in kwargs:
            kwargs['instance'] = kwargs['instance'].oidc_client
        super().__init__(*args, **kwargs)
        self.fields['client_id'].initial = generate_client_id()
        self.fields['client_secret'].initial = generate_client_secret()
    def save(self, *args, **kwargs):
        response = super().save(*args, **kwargs)
        # Check if openidprovider class instance exists
        if not OpenIDProvider.objects.filter(oidc_client=self.instance).exists():
            OpenIDProvider.objects.create(oidc_client=self.instance)
        return response
    class Meta:
        model = Client
        fields = [
            'name', 'client_type', 'client_id', 'client_secret', 'response_types',
            'jwt_alg', 'reuse_consent', 'require_consent', '_redirect_uris', '_scope'
        ]
        # exclude = ['owner', 'website_url', 'terms_url', 'contact_email', 'logo', ]
        labels = {
            'client_secret': "Client Secret"
        }
--- a/passbook/oidc_provider/lib.py
+++ b/passbook/oidc_provider/lib.py
@ -0,0 +1,30 @@
 """OIDC Permission checking"""
 from logging import getLogger
 from django.contrib import messages
 from django.shortcuts import redirect
 from passbook.core.models import Application
 from passbook.core.policies import PolicyEngine
 LOGGER = getLogger(__name__)
 def check_permissions(request, user, client):
    """Check permissions, used for
    https://django-oidc-provider.readthedocs.io/en/latest/
    sections/settings.html#oidc-after-userlogin-hook"""
    try:
        application = client.openidprovider.application
    except Application.DoesNotExist:
        return redirect('passbook_oauth_provider:oauth2-permission-denied')
    LOGGER.debug("Checking permissions of %s on application %s...", user, application)
    policy_engine = PolicyEngine(application.policies.all())
    policy_engine.for_user(user).with_request(request).build()
    # Check permissions
    passing, policy_messages = policy_engine.result
    if not passing:
        for policy_message in policy_messages:
            messages.error(request, policy_message)
        return redirect('passbook_oauth_provider:oauth2-permission-denied')
    return None
--- a/passbook/oidc_provider/migrations/0001_initial.py
+++ b/passbook/oidc_provider/migrations/0001_initial.py
@ -0,0 +1,25 @@
 # Generated by Django 2.2.3 on 2019-07-05 12:16
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ('oidc_provider', '0026_client_multiple_response_types'),
        ('passbook_core', '0024_ssologinpolicy'),
    ]
    operations = [
        migrations.CreateModel(
            name='OpenIDProvider',
            fields=[
                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
                ('oidc_client', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to='oidc_provider.Client')),
            ],
            bases=('passbook_core.provider',),
        ),
    ]
--- a/passbook/oidc_provider/migrations/init.py
+++ b/passbook/oidc_provider/migrations/init.py
--- a/passbook/oidc_provider/models.py
+++ b/passbook/oidc_provider/models.py
@ -0,0 +1,45 @@
 """oidc models"""
 from django.db import models
 from django.shortcuts import reverse
 from django.utils.translation import gettext as _
 from oidc_provider.models import Client
 from passbook.core.models import Provider
 class OpenIDProvider(Provider):
    """Proxy model for OIDC Client"""
    # Since oidc_provider doesn't currently support swappable models
    # (https://github.com/juanifioren/django-oidc-provider/pull/305)
    # we have a 1:1 relationship, and update oidc_client when the form is saved.
    oidc_client = models.OneToOneField(Client, on_delete=models.CASCADE)
    form = 'passbook.oidc_provider.forms.OIDCProviderForm'
    @property
    def name(self):
        """Name property for UI"""
        return self.oidc_client.name
    def __str__(self):
        return "OpenID Connect Provider %s" % self.oidc_client.__str__()
    def html_setup_urls(self, request):
        """return template and context modal with URLs for authorize, token, openid-config, etc"""
        return "oidc_provider/setup_url_modal.html", {
            'provider': self,
            'authorize': request.build_absolute_uri(
                reverse('oidc_provider:authorize')),
            'token': request.build_absolute_uri(
                reverse('oidc_provider:token')),
            'userinfo': request.build_absolute_uri(
                reverse('oidc_provider:userinfo')),
            'provider_info': request.build_absolute_uri(
                reverse('oidc_provider:provider-info')),
        }
    class Meta:
        verbose_name = _('OpenID Provider')
        verbose_name_plural = _('OpenID Providers')
--- a/passbook/oidc_provider/requirements.txt
+++ b/passbook/oidc_provider/requirements.txt
@ -0,0 +1 @@
 django-oidc-provider
--- a/passbook/oidc_provider/settings.py
+++ b/passbook/oidc_provider/settings.py
@ -0,0 +1,7 @@
 """passbook OIDC Provider"""
 INSTALLED_APPS = [
    'oidc_provider',
 ]
 OIDC_AFTER_USERLOGIN_HOOK = "passbook.oidc_provider.lib.check_permissions"
--- a/passbook/oidc_provider/templates/oidc_provider/authorize.html
+++ b/passbook/oidc_provider/templates/oidc_provider/authorize.html
@ -0,0 +1,70 @@
 {% extends "login/base.html" %}
 {% load utils %}
 {% load i18n %}
 {% block title %}
 {% title 'Authorize Application' %}
 {% endblock %}
 {% block card %}
 <header class="login-pf-header">
  <h1>{% trans 'Authorize Application' %}</h1>
 </header>
 <form method="POST">
    {% csrf_token %}
    {% if not error %}
        {% csrf_token %}
        {% for field in form %}
            {% if field.is_hidden %}
                {{ field }}
            {% endif %}
        {% endfor %}
        <div class="form-group">
            <p class="subtitle">
                {% blocktrans with remote=client.name %}
                You're about to sign into {{ remote }}
                {% endblocktrans %}
            </p>
            <p>{% trans "Application requires following permissions" %}</p>
            <ul>
                {% for scope in scopes %}
                <li>{{ scope.name }}</li>
                {% endfor %}
            </ul>
            {{ hidden_inputs }}
            {{ form.errors }}
            {{ form.non_field_errors }}
            <p>
                {% blocktrans with user=user %}
                You are logged in as {{ user }}. Not you?
                {% endblocktrans %}
                <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
            </p>
            <div class="form-group">
                <input type="submit" class="btn btn-success btn-disabled btn-lg click-spinner" name="allow" value="{% trans 'Continue' %}">
                <a href="{% back %}" class="btn btn-default btn-lg">{% trans "Cancel" %}</a>
            </div>
            <div class="form-group spinner-hidden hidden">
                <div class="spinner"></div>
            </div>
        </div>
    {% else %}
    <div class="login-group">
        <p class="subtitle">
            {% blocktrans with err=error.error %}Error: {{ err }}{% endblocktrans %}
        </p>
        <p>{{ error.description }}</p>
    </div>
    {% endif %}
 </form>
 {% endblock %}
 {% block scripts %}
 <script>
    $('.click-spinner').on('click', function (e) {
        $('.spinner-hidden').removeClass('hidden');
        $(e.target).addClass('disabled');
    })
 </script>
 {% endblock %}
--- a/passbook/oidc_provider/templates/oidc_provider/setup_url_modal.html
+++ b/passbook/oidc_provider/templates/oidc_provider/setup_url_modal.html
@ -0,0 +1,49 @@
 {% load i18n %}
 <button class="btn btn-default btn-sm" data-toggle="modal" data-target="#{{ provider.pk }}">{% trans 'View Setup URLs' %}</button>
 <div class="modal fade" id="{{ provider.pk }}" tabindex="-1" role="dialog" aria-labelledby="{{ provider.pk }}Label" aria-hidden="true">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal" aria-hidden="true" aria-label="Close">
          <span class="pficon pficon-close"></span>
        </button>
        <h4 class="modal-title" id="{{ provider.pk }}Label">{% trans 'Setup URLs' %}</h4>
      </div>
      <div class="modal-body">
        <form class="form-horizontal">
          <div class="form-group">
            <label class="col-sm-3 control-label">{% trans 'Authorize URL' %}</label>
            <div class="col-sm-9">
              <input type="text"class="form-control" readonly value="{{ authorize }}">
            </div>
          </div>
          <div class="form-group">
            <label class="col-sm-3 control-label">{% trans 'Token URL' %}</label>
            <div class="col-sm-9">
              <input type="text" class="form-control" readonly value="{{ token }}">
            </div>
          </div>
          <div class="form-group">
            <label class="col-sm-3 control-label">{% trans 'Userinfo Endpoint' %}</label>
            <div class="col-sm-9">
              <input type="text" class="form-control" readonly value="{{ userinfo }}">
            </div>
          </div>
        </form>
        <hr>
        <form class="form-horizontal">
          <div class="form-group">
            <label class="col-sm-3 control-label">{% trans 'OpenID Configuration URL' %}</label>
            <div class="col-sm-9">
              <input type="text"class="form-control" readonly value="{{ provider_info }}">
            </div>
          </div>
        </form>
      </div>
      <div class="modal-footer">
        <button type="button" class="btn btn-primary" data-dismiss="modal">{% trans 'Close' %}</button>
      </div>
    </div>
  </div>
 </div>
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@ -82,6 +82,7 @@ INSTALLED_APPS = [
    'passbook.ldap.apps.PassbookLdapConfig',
    'passbook.oauth_client.apps.PassbookOAuthClientConfig',
    'passbook.oauth_provider.apps.PassbookOAuthProviderConfig',
    'passbook.oidc_provider.apps.PassbookOIDCProviderConfig',
    'passbook.saml_idp.apps.PassbookSAMLIDPConfig',
    'passbook.otp.apps.PassbookOTPConfig',
    'passbook.captcha_factor.apps.PassbookCaptchaFactorConfig',
--- a/requirements.txt
+++ b/requirements.txt
@ -8,3 +8,4 @@
 -r passbook/admin/requirements.txt
 -r passbook/api/requirements.txt
 -r passbook/app_gw/requirements.txt
 -r passbook/oidc_provider/requirements.txt
`@ -1,4 +1,4 @@`
	`"""passbook OAuth2 IDP Forms"""`	`"""passbook OAuth2 Provider Forms"""`

	`from django import forms`	`from django import forms`