Merge branch 'food_traceability' into 'main'

bug fix and doc See merge request bde/nk20!311
2025-07-24 17:50:35 +02:00 · 2025-05-04 20:17:51 +02:00 · 2025-04-30 12:38:32 +02:00 · 2025-04-28 13:35:17 +02:00 · 2025-04-27 09:36:46 +02:00
7 changed files with 17 additions and 47 deletions
--- a/.env_example
+++ b/.env_example
@ -21,6 +21,3 @@ EMAIL_PASSWORD=CHANGE_ME
 # Wiki configuration
 WIKI_USER=NoteKfet2020
 WIKI_PASSWORD=
-
-# OIDC
-OIDC_RSA_PRIVATE_KEY=CHANGE_ME
--- a/README.md
+++ b/README.md
@ -61,8 +61,8 @@ Bien que cela permette de créer une instance sur toutes les distributions,
 6. (Optionnel) **Création d'une clé privée OpenID Connect**

 Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
-exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et copier la clé dans .env dans le champ
-`OIDC_RSA_PRIVATE_KEY`.
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).

 7.  Enjoy :

@ -237,8 +237,8 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
 7. **Création d'une clé privée OpenID Connect**

 Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
-exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner le champ
-`OIDC_RSA_PRIVATE_KEY` dans le .env (par défaut `/var/secrets/oidc.key`).
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).

 8.  *Enjoy \o/*

--- a/apps/food/views.py
+++ b/apps/food/views.py
@ -63,8 +63,7 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
            valid_regex = is_regex(pattern)
            suffix = '__iregex' if valid_regex else '__istartswith'
            prefix = '^' if valid_regex else ''
-            qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern})
-                           | Q(**{f'owner__name{suffix}': prefix + pattern}))
+            qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern}))
        else:
            qs = qs.none()
        search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view'))
@ -72,7 +71,7 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
        open_table = self.get_queryset().order_by('expiry_date').filter(
            Q(polymorphic_ctype__model='transformedfood')
            | Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter(
-                expiry_date__lt=timezone.now(), end_of_life='').filter(
+                expiry_date__lt=timezone.now()).filter(
                    PermissionBackend.filter_queryset(self.request, Food, 'view'))
        # table served
        served_table = self.get_queryset().order_by('-pk').filter(
--- a/apps/permission/scopes.py
+++ b/apps/permission/scopes.py
@ -1,10 +1,8 @@
 # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import BaseScopes
 from member.models import Club
-from note.models import Alias
 from note_kfet.middlewares import get_current_request

 from .backends import PermissionBackend
@ -19,46 +17,25 @@ class PermissionScopes(BaseScopes):
    """

    def get_all_scopes(self):
-        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                  for p in Permission.objects.all() for club in Club.objects.all()}
-        scopes['openid'] = "OpenID Connect"
-        return scopes
+        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+                for p in Permission.objects.all() for club in Club.objects.all()}

    def get_available_scopes(self, application=None, request=None, *args, **kwargs):
        if not application:
            return []
-        scopes = [f"{p.id}_{p.membership.club.id}"
-                  for t in Permission.PERMISSION_TYPES
-                  for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
-        scopes.append('openid')
-        return scopes
+        return [f"{p.id}_{p.membership.club.id}"
+                for t in Permission.PERMISSION_TYPES
+                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]

    def get_default_scopes(self, application=None, request=None, *args, **kwargs):
        if not application:
            return []
-        scopes = [f"{p.id}_{p.membership.club.id}"
-                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-        scopes.append('openid')
-        return scopes
+        return [f"{p.id}_{p.membership.club.id}"
+                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]


 class PermissionOAuth2Validator(OAuth2Validator):
-    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
-    oidc_claim_scope.update({"name": 'openid',
-                             "normalized_name": 'openid',
-                             "email": 'openid',
-                             })
-
-    def get_additional_claims(self, request):
-        return {
-            "name": request.user.username,
-            "normalized_name": Alias.normalize(request.user.username),
-            "email": request.user.email,
-        }
-
-    def get_discovery_claims(self, request):
-        claims = super().get_discovery_claims(self)
-        return claims + ["name", "normalized_name", "email"]
+    oidc_claim_scope = None  # fix breaking change of django-oauth-toolkit 2.0.0

    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
        """
@ -77,8 +54,6 @@ class PermissionOAuth2Validator(OAuth2Validator):
                if scope in scopes:
                    valid_scopes.add(scope)

-        if 'openid' in scopes:
-            valid_scopes.add('openid')
-
        request.scopes = valid_scopes
+
        return valid_scopes
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@ -19,7 +19,6 @@ EXCLUDED = [
    'oauth2_provider.accesstoken',
    'oauth2_provider.grant',
    'oauth2_provider.refreshtoken',
-    'oauth2_provider.idtoken',
    'sessions.session',
 ]

--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
            available_scopes = scopes.get_available_scopes(app)
            context["scopes"][app] = OrderedDict()
            items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
-            # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
            for k, v in items:
                context["scopes"][app][k] = v

--- a/note_kfet/settings/base.py
+++ b/note_kfet/settings/base.py
@ -270,7 +270,7 @@ OAUTH2_PROVIDER = {
    'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
    'OIDC_ENABLED': True,
    'OIDC_RSA_PRIVATE_KEY':
-        os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines
+        os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'),
    'SCOPES': { 'openid': "OpenID Connect scope" },
 }
Author	SHA1	Message	Date
quark	03932672f3	Merge branch 'food_traceability' into 'main' bug fix and doc See merge request bde/nk20!311	2025-05-04 20:17:51 +02:00
quark	d58a299a8b	Merge branch 'food_traceability' into 'main' Add manage ingredient feature, fix some bug See merge request bde/nk20!310	2025-04-30 12:38:32 +02:00
quark	c4404ef995	Merge branch 'food_traceability' into 'main' fix bug See merge request bde/nk20!309	2025-04-28 13:35:17 +02:00
quark	f0e9a7d3dc	Merge branch 'food_traceability' into 'main' Food traceability See merge request bde/nk20!308	2025-04-27 09:36:46 +02:00