Merge branch 'nix-shell' into 'main'

Nix shell

See merge request bde/nk20!201

.gitignore

@@ -48,7 +48,6 @@ backups/
 env/
 venv/
 db.sqlite3
-shell.nix
 
 # ansibles customs host
 ansible/host_vars/*.yaml

apps/permission/scopes.py

@@ -1,5 +1,6 @@
 # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import BaseScopes
 from member.models import Club
@@ -18,21 +19,27 @@ class PermissionScopes(BaseScopes):
     """
 
     def get_all_scopes(self):
-        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                for p in Permission.objects.all() for club in Club.objects.all()}
+                  for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes['openid'] = "OpenID Connect"
+        return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
+        scopes = [f"{p.id}_{p.membership.club.id}"
-                for t in Permission.PERMISSION_TYPES
+                  for t in Permission.PERMISSION_TYPES
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+                  for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes.append('openid')
+        return scopes
 
     def get_default_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
+        scopes = [f"{p.id}_{p.membership.club.id}"
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+        scopes.append('openid')
+        return scopes
 
 
 class PermissionOAuth2Validator(OAuth2Validator):
@@ -49,6 +56,10 @@ class PermissionOAuth2Validator(OAuth2Validator):
             "email": request.user.email,
         }
 
+    def get_discovery_claims(self, request):
+        claims = super().get_discovery_claims(self)
+        return claims + ["name", "normalized_name", "email"]
+
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
         User can request as many scope as he wants, including invalid scopes,
@@ -66,6 +77,8 @@ class PermissionOAuth2Validator(OAuth2Validator):
                 if scope in scopes:
                     valid_scopes.add(scope)
 
-        request.scopes = valid_scopes
+        if 'openid' in scopes:
+            valid_scopes.add('openid')
 
+        request.scopes = valid_scopes
         return valid_scopes

apps/permission/signals.py

@@ -19,6 +19,7 @@ EXCLUDED = [
     'oauth2_provider.accesstoken',
     'oauth2_provider.grant',
     'oauth2_provider.refreshtoken',
+    'oauth2_provider.idtoken',
     'sessions.session',
 ]
 

apps/permission/views.py

@@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
             available_scopes = scopes.get_available_scopes(app)
             context["scopes"][app] = OrderedDict()
             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
-            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
             for k, v in items:
                 context["scopes"][app][k] = v
 

shell-static.nix

@@ -0,0 +1,34 @@
+# This is a workaround meant for use with the nix package manager. If you don't know what it is or don't use it, please ignore this file.
+# 
+# The nk20 javascript static location are hardcoded for imperative system.
+# This make ./manage.py collectstatic hard to use with nixos.
+# 
+# A workaround is to enter a FHSUserEnv with the static placed under /share/javascript/<static>.
+# This emulate a debian like system and enable collecting static normally with ./manage.py collectstatics.
+# The regular shell.nix should be enough for other configurations.
+#
+# Warning, you are still supposed to use pip package with a venv !
+{ pkgs ? import <nixpkgs> {} }:
+(pkgs.buildFHSUserEnv {
+  name = "pipzone";
+  targetPkgs = pkgs: (with pkgs;
+  let
+    fhs-static = stdenv.mkDerivation {
+      name = "fhs-static";
+      buildCommand = ''
+      mkdir -p $out/share/javascript/bootstrap4
+      mkdir -p $out/share/javascript/jquery
+      ln -s ${python39Packages.xstatic-bootstrap}/lib/python3.9/site-packages/xstatic/pkg/bootstrap/data/* $out/share/javascript/bootstrap4
+      ln -s ${python39Packages.xstatic-jquery}/lib/python3.9/site-packages/xstatic/pkg/jquery/data/* $out/share/javascript/jquery
+    '';
+    };
+  in [
+    fhs-static
+    python39
+    gettext
+    python39Packages.pip
+    python39Packages.virtualenv
+    python39Packages.setuptools
+  ]);
+  runScript = "bash";
+}).env

shell.nix

@@ -0,0 +1,23 @@
+# This is meant for use with the nix package manager. If you don't know what it is or don't use it, please ignore this file.
+#
+# This shell.nix contains all dependencies require to create a venv and pip install -r requirements.txt.
+#
+# Please check shell-static.nix for running ./manage.py collectstatics.
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.mkShell {
+  buildInputs = with pkgs; [
+    python39
+    python39Packages.pip
+    python39Packages.setuptools
+    gettext
+
+  ];
+  shellHook = ''
+    # Tells pip to put packages into $PIP_PREFIX instead of the usual locations.
+    # See https://pip.pypa.io/en/stable/user_guide/#environment-variables.
+    export PIP_PREFIX=$(pwd)/_build/pip_packages
+    export PYTHONPATH="$PIP_PREFIX/${pkgs.python39.sitePackages}:$PYTHONPATH"
+    export PATH="$PIP_PREFIX/bin:$PATH"
+    unset SOURCE_DATE_EPOCH
+  '';
+}