mirror of
https://gitlab.crans.org/bde/nk20
synced 2025-07-25 10:05:23 +02:00
Compare commits
8 Commits
033ee010f8
...
oidc
Author | SHA1 | Date | |
---|---|---|---|
c411197af3 | |||
cdc6f0a3f8 | |||
df0d886db9 | |||
092cc37320 | |||
d71105976f | |||
89cc03141b | |||
4445dd4a96 | |||
dc6a40de02 |
@ -21,3 +21,6 @@ EMAIL_PASSWORD=CHANGE_ME
|
|||||||
# Wiki configuration
|
# Wiki configuration
|
||||||
WIKI_USER=NoteKfet2020
|
WIKI_USER=NoteKfet2020
|
||||||
WIKI_PASSWORD=
|
WIKI_PASSWORD=
|
||||||
|
|
||||||
|
# OIDC
|
||||||
|
OIDC_RSA_PRIVATE_KEY=CHANGE_ME
|
||||||
|
@ -61,8 +61,8 @@ Bien que cela permette de créer une instance sur toutes les distributions,
|
|||||||
6. (Optionnel) **Création d'une clé privée OpenID Connect**
|
6. (Optionnel) **Création d'une clé privée OpenID Connect**
|
||||||
|
|
||||||
Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
|
Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
|
||||||
exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
|
exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et copier la clé dans .env dans le champ
|
||||||
emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
|
`OIDC_RSA_PRIVATE_KEY`.
|
||||||
|
|
||||||
7. Enjoy :
|
7. Enjoy :
|
||||||
|
|
||||||
@ -237,8 +237,8 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
|
|||||||
7. **Création d'une clé privée OpenID Connect**
|
7. **Création d'une clé privée OpenID Connect**
|
||||||
|
|
||||||
Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
|
Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
|
||||||
exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
|
exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner le champ
|
||||||
emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
|
`OIDC_RSA_PRIVATE_KEY` dans le .env (par défaut `/var/secrets/oidc.key`).
|
||||||
|
|
||||||
8. *Enjoy \o/*
|
8. *Enjoy \o/*
|
||||||
|
|
||||||
|
@ -7,7 +7,7 @@ from api.viewsets import is_regex
|
|||||||
from django_tables2.views import MultiTableMixin
|
from django_tables2.views import MultiTableMixin
|
||||||
from django.db import transaction
|
from django.db import transaction
|
||||||
from django.db.models import Q
|
from django.db.models import Q
|
||||||
from django.http import HttpResponseRedirect
|
from django.http import HttpResponseRedirect, Http404
|
||||||
from django.views.generic import DetailView, UpdateView, CreateView
|
from django.views.generic import DetailView, UpdateView, CreateView
|
||||||
from django.views.generic.list import ListView
|
from django.views.generic.list import ListView
|
||||||
from django.urls import reverse_lazy
|
from django.urls import reverse_lazy
|
||||||
@ -63,7 +63,8 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
|
|||||||
valid_regex = is_regex(pattern)
|
valid_regex = is_regex(pattern)
|
||||||
suffix = '__iregex' if valid_regex else '__istartswith'
|
suffix = '__iregex' if valid_regex else '__istartswith'
|
||||||
prefix = '^' if valid_regex else ''
|
prefix = '^' if valid_regex else ''
|
||||||
qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern}))
|
qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern})
|
||||||
|
| Q(**{f'owner__name{suffix}': prefix + pattern}))
|
||||||
else:
|
else:
|
||||||
qs = qs.none()
|
qs = qs.none()
|
||||||
search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view'))
|
search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view'))
|
||||||
@ -71,7 +72,7 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
|
|||||||
open_table = self.get_queryset().order_by('expiry_date').filter(
|
open_table = self.get_queryset().order_by('expiry_date').filter(
|
||||||
Q(polymorphic_ctype__model='transformedfood')
|
Q(polymorphic_ctype__model='transformedfood')
|
||||||
| Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter(
|
| Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter(
|
||||||
expiry_date__lt=timezone.now()).filter(
|
expiry_date__lt=timezone.now(), end_of_life='').filter(
|
||||||
PermissionBackend.filter_queryset(self.request, Food, 'view'))
|
PermissionBackend.filter_queryset(self.request, Food, 'view'))
|
||||||
# table served
|
# table served
|
||||||
served_table = self.get_queryset().order_by('-pk').filter(
|
served_table = self.get_queryset().order_by('-pk').filter(
|
||||||
@ -240,11 +241,6 @@ class TransformedFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
|
|||||||
form.instance.is_ready = False
|
form.instance.is_ready = False
|
||||||
return super().form_valid(form)
|
return super().form_valid(form)
|
||||||
|
|
||||||
def get_context_data(self, *args, **kwargs):
|
|
||||||
context = super().get_context_data(*args, **kwargs)
|
|
||||||
context['title'] += ' ' + self.object.name
|
|
||||||
return context
|
|
||||||
|
|
||||||
def get_success_url(self, **kwargs):
|
def get_success_url(self, **kwargs):
|
||||||
self.object.refresh_from_db()
|
self.object.refresh_from_db()
|
||||||
return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk})
|
return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk})
|
||||||
@ -438,6 +434,8 @@ class FoodDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
|
|||||||
return context
|
return context
|
||||||
|
|
||||||
def get(self, *args, **kwargs):
|
def get(self, *args, **kwargs):
|
||||||
|
if Food.objects.filter(pk=kwargs['pk']).count() != 1:
|
||||||
|
return Http404
|
||||||
model = Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model
|
model = Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model
|
||||||
if 'stop_redirect' in kwargs and kwargs['stop_redirect']:
|
if 'stop_redirect' in kwargs and kwargs['stop_redirect']:
|
||||||
return super().get(*args, **kwargs)
|
return super().get(*args, **kwargs)
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
|
# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
from oauth2_provider.oauth2_validators import OAuth2Validator
|
from oauth2_provider.oauth2_validators import OAuth2Validator
|
||||||
from oauth2_provider.scopes import BaseScopes
|
from oauth2_provider.scopes import BaseScopes
|
||||||
from member.models import Club
|
from member.models import Club
|
||||||
|
from note.models import Alias
|
||||||
from note_kfet.middlewares import get_current_request
|
from note_kfet.middlewares import get_current_request
|
||||||
|
|
||||||
from .backends import PermissionBackend
|
from .backends import PermissionBackend
|
||||||
@ -17,25 +19,46 @@ class PermissionScopes(BaseScopes):
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
def get_all_scopes(self):
|
def get_all_scopes(self):
|
||||||
return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
|
scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
|
||||||
for p in Permission.objects.all() for club in Club.objects.all()}
|
for p in Permission.objects.all() for club in Club.objects.all()}
|
||||||
|
scopes['openid'] = "OpenID Connect"
|
||||||
|
return scopes
|
||||||
|
|
||||||
def get_available_scopes(self, application=None, request=None, *args, **kwargs):
|
def get_available_scopes(self, application=None, request=None, *args, **kwargs):
|
||||||
if not application:
|
if not application:
|
||||||
return []
|
return []
|
||||||
return [f"{p.id}_{p.membership.club.id}"
|
scopes = [f"{p.id}_{p.membership.club.id}"
|
||||||
for t in Permission.PERMISSION_TYPES
|
for t in Permission.PERMISSION_TYPES
|
||||||
for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
|
for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
|
||||||
|
scopes.append('openid')
|
||||||
|
return scopes
|
||||||
|
|
||||||
def get_default_scopes(self, application=None, request=None, *args, **kwargs):
|
def get_default_scopes(self, application=None, request=None, *args, **kwargs):
|
||||||
if not application:
|
if not application:
|
||||||
return []
|
return []
|
||||||
return [f"{p.id}_{p.membership.club.id}"
|
scopes = [f"{p.id}_{p.membership.club.id}"
|
||||||
for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
|
for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
|
||||||
|
scopes.append('openid')
|
||||||
|
return scopes
|
||||||
|
|
||||||
|
|
||||||
class PermissionOAuth2Validator(OAuth2Validator):
|
class PermissionOAuth2Validator(OAuth2Validator):
|
||||||
oidc_claim_scope = None # fix breaking change of django-oauth-toolkit 2.0.0
|
oidc_claim_scope = OAuth2Validator.oidc_claim_scope
|
||||||
|
oidc_claim_scope.update({"name": 'openid',
|
||||||
|
"normalized_name": 'openid',
|
||||||
|
"email": 'openid',
|
||||||
|
})
|
||||||
|
|
||||||
|
def get_additional_claims(self, request):
|
||||||
|
return {
|
||||||
|
"name": request.user.username,
|
||||||
|
"normalized_name": Alias.normalize(request.user.username),
|
||||||
|
"email": request.user.email,
|
||||||
|
}
|
||||||
|
|
||||||
|
def get_discovery_claims(self, request):
|
||||||
|
claims = super().get_discovery_claims(self)
|
||||||
|
return claims + ["name", "normalized_name", "email"]
|
||||||
|
|
||||||
def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
|
def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
|
||||||
"""
|
"""
|
||||||
@ -54,6 +77,8 @@ class PermissionOAuth2Validator(OAuth2Validator):
|
|||||||
if scope in scopes:
|
if scope in scopes:
|
||||||
valid_scopes.add(scope)
|
valid_scopes.add(scope)
|
||||||
|
|
||||||
request.scopes = valid_scopes
|
if 'openid' in scopes:
|
||||||
|
valid_scopes.add('openid')
|
||||||
|
|
||||||
|
request.scopes = valid_scopes
|
||||||
return valid_scopes
|
return valid_scopes
|
||||||
|
@ -19,6 +19,7 @@ EXCLUDED = [
|
|||||||
'oauth2_provider.accesstoken',
|
'oauth2_provider.accesstoken',
|
||||||
'oauth2_provider.grant',
|
'oauth2_provider.grant',
|
||||||
'oauth2_provider.refreshtoken',
|
'oauth2_provider.refreshtoken',
|
||||||
|
'oauth2_provider.idtoken',
|
||||||
'sessions.session',
|
'sessions.session',
|
||||||
]
|
]
|
||||||
|
|
||||||
|
@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
|
|||||||
available_scopes = scopes.get_available_scopes(app)
|
available_scopes = scopes.get_available_scopes(app)
|
||||||
context["scopes"][app] = OrderedDict()
|
context["scopes"][app] = OrderedDict()
|
||||||
items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
|
items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
|
||||||
items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
|
# items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
|
||||||
for k, v in items:
|
for k, v in items:
|
||||||
context["scopes"][app][k] = v
|
context["scopes"][app][k] = v
|
||||||
|
|
||||||
|
@ -19,8 +19,9 @@ Le modèle regroupe :
|
|||||||
* Propriétaire (doit-être un Club)
|
* Propriétaire (doit-être un Club)
|
||||||
* Allergènes (ManyToManyField)
|
* Allergènes (ManyToManyField)
|
||||||
* date d'expiration
|
* date d'expiration
|
||||||
* a été mangé (booléen)
|
* fin de vie
|
||||||
* est prêt (booléen)
|
* est prêt (booléen)
|
||||||
|
* consigne (pour les GCKs)
|
||||||
|
|
||||||
BasicFood
|
BasicFood
|
||||||
~~~~~~~~~
|
~~~~~~~~~
|
||||||
@ -40,7 +41,7 @@ Les TransformedFood correspondent aux produits préparés à la Kfet. Ils peuven
|
|||||||
|
|
||||||
Le modèle regroupe :
|
Le modèle regroupe :
|
||||||
|
|
||||||
* Durée de consommation (par défaut 3 jours)
|
* Durée de conservation (par défaut 3 jours)
|
||||||
* Ingrédients (ManyToManyField vers Food)
|
* Ingrédients (ManyToManyField vers Food)
|
||||||
* Date de création
|
* Date de création
|
||||||
* Champs de Food
|
* Champs de Food
|
||||||
|
@ -12,6 +12,7 @@ Applications de la Note Kfet 2020
|
|||||||
../api/index
|
../api/index
|
||||||
registration
|
registration
|
||||||
logs
|
logs
|
||||||
|
food
|
||||||
treasury
|
treasury
|
||||||
wei
|
wei
|
||||||
wrapped
|
wrapped
|
||||||
@ -66,6 +67,8 @@ Applications facultatives
|
|||||||
Serveur central d'authentification, permet d'utiliser son compte de la NoteKfet2020 pour se connecter à d'autre application ayant intégrer un client.
|
Serveur central d'authentification, permet d'utiliser son compte de la NoteKfet2020 pour se connecter à d'autre application ayant intégrer un client.
|
||||||
* `Scripts <https://gitlab.crans.org/bde/nk20-scripts>`_
|
* `Scripts <https://gitlab.crans.org/bde/nk20-scripts>`_
|
||||||
Ensemble de commande `./manage.py` pour la gestion de la note: import de données, verification d'intégrité, etc...
|
Ensemble de commande `./manage.py` pour la gestion de la note: import de données, verification d'intégrité, etc...
|
||||||
|
* `Food <food>`_ :
|
||||||
|
Gestion de la nourriture dans Kfet pour les clubs.
|
||||||
* `Treasury <treasury>`_ :
|
* `Treasury <treasury>`_ :
|
||||||
Interface de gestion pour les trésorièr⋅es, émission de factures, remises de chèque, statistiques...
|
Interface de gestion pour les trésorièr⋅es, émission de factures, remises de chèque, statistiques...
|
||||||
* `WEI <wei>`_ :
|
* `WEI <wei>`_ :
|
||||||
|
@ -183,6 +183,7 @@ Contributeur⋅rices
|
|||||||
* korenst1
|
* korenst1
|
||||||
* nicomarg
|
* nicomarg
|
||||||
* PAC
|
* PAC
|
||||||
|
* Quark
|
||||||
* ÿnérant
|
* ÿnérant
|
||||||
|
|
||||||
|
|
||||||
|
@ -270,7 +270,7 @@ OAUTH2_PROVIDER = {
|
|||||||
'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
|
'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
|
||||||
'OIDC_ENABLED': True,
|
'OIDC_ENABLED': True,
|
||||||
'OIDC_RSA_PRIVATE_KEY':
|
'OIDC_RSA_PRIVATE_KEY':
|
||||||
os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'),
|
os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines
|
||||||
'SCOPES': { 'openid': "OpenID Connect scope" },
|
'SCOPES': { 'openid': "OpenID Connect scope" },
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Reference in New Issue
Block a user