*(minor): small refactor

passbook/providers/oidc/admin.py

@@ -0,0 +1,5 @@
+"""oidc provider admin"""
+
+from passbook.lib.admin import admin_autoregister
+
+admin_autoregister('passbook_providers_oidc')

passbook/providers/oidc/apps.py

@@ -0,0 +1,30 @@
+"""passbook auth oidc provider app config"""
+from django.apps import AppConfig
+from django.db.utils import InternalError, OperationalError, ProgrammingError
+from django.urls import include, path
+from structlog import get_logger
+
+LOGGER = get_logger()
+
+class PassbookProviderOIDCConfig(AppConfig):
+    """passbook auth oidc provider app config"""
+
+    name = 'passbook.providers.oidc'
+    label = 'passbook_providers_oidc'
+    verbose_name = 'passbook Providers.OIDC'
+
+    def ready(self):
+        try:
+            from Cryptodome.PublicKey import RSA
+            from oidc_provider.models import RSAKey
+            if not RSAKey.objects.exists():
+                key = RSA.generate(2048)
+                rsakey = RSAKey(key=key.exportKey('PEM').decode('utf8'))
+                rsakey.save()
+                LOGGER.info("Created key")
+        except (OperationalError, ProgrammingError, InternalError):
+            pass
+        from passbook.root import urls
+        urls.urlpatterns.append(
+            path('application/oidc/', include('oidc_provider.urls', namespace='oidc_provider')),
+        )

passbook/providers/oidc/forms.py

@@ -0,0 +1,38 @@
+"""passbook OIDC IDP Forms"""
+
+from django import forms
+from oauth2_provider.generators import (generate_client_id,
+                                        generate_client_secret)
+from oidc_provider.models import Client
+
+from passbook.providers.oidc.models import OpenIDProvider
+
+
+class OIDCProviderForm(forms.ModelForm):
+    """OpenID Client form"""
+
+    def __init__(self, *args, **kwargs):
+        # Correctly load data from 1:1 rel
+        if 'instance' in kwargs and kwargs['instance']:
+            kwargs['instance'] = kwargs['instance'].oidc_client
+        super().__init__(*args, **kwargs)
+        self.fields['client_id'].initial = generate_client_id()
+        self.fields['client_secret'].initial = generate_client_secret()
+
+    def save(self, *args, **kwargs):
+        response = super().save(*args, **kwargs)
+        # Check if openidprovider class instance exists
+        if not OpenIDProvider.objects.filter(oidc_client=self.instance).exists():
+            OpenIDProvider.objects.create(oidc_client=self.instance)
+        return response
+
+    class Meta:
+        model = Client
+        fields = [
+            'name', 'client_type', 'client_id', 'client_secret', 'response_types',
+            'jwt_alg', 'reuse_consent', 'require_consent', '_redirect_uris', '_scope'
+        ]
+        # exclude = ['owner', 'website_url', 'terms_url', 'contact_email', 'logo', ]
+        labels = {
+            'client_secret': "Client Secret"
+        }

passbook/providers/oidc/lib.py

@@ -0,0 +1,29 @@
+"""OIDC Permission checking"""
+from django.contrib import messages
+from django.shortcuts import redirect
+from structlog import get_logger
+
+from passbook.core.models import Application
+from passbook.policies.engine import PolicyEngine
+
+LOGGER = get_logger()
+
+def check_permissions(request, user, client):
+    """Check permissions, used for
+    https://django-oidc-provider.readthedocs.io/en/latest/
+    sections/settings.html#oidc-after-userlogin-hook"""
+    try:
+        application = client.openidprovider.application
+    except Application.DoesNotExist:
+        return redirect('passbook_providers_oauth:oauth2-permission-denied')
+    LOGGER.debug("Checking permissions for application", user=user, application=application)
+    policy_engine = PolicyEngine(application.policies.all())
+    policy_engine.for_user(user).with_request(request).build()
+
+    # Check permissions
+    passing, policy_messages = policy_engine.result
+    if not passing:
+        for policy_message in policy_messages:
+            messages.error(request, policy_message)
+        return redirect('passbook_providers_oauth:oauth2-permission-denied')
+    return None

passbook/providers/oidc/migrations/0001_initial.py

@@ -0,0 +1,29 @@
+# Generated by Django 2.2.6 on 2019-10-07 14:07
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('passbook_core', '0001_initial'),
+        ('oidc_provider', '0026_client_multiple_response_types'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OpenIDProvider',
+            fields=[
+                ('provider_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Provider')),
+                ('oidc_client', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to='oidc_provider.Client')),
+            ],
+            options={
+                'verbose_name': 'OpenID Provider',
+                'verbose_name_plural': 'OpenID Providers',
+            },
+            bases=('passbook_core.provider',),
+        ),
+    ]

passbook/providers/oidc/models.py

@@ -0,0 +1,45 @@
+"""oidc models"""
+from django.db import models
+from django.shortcuts import reverse
+from django.utils.translation import gettext as _
+from oidc_provider.models import Client
+
+from passbook.core.models import Provider
+
+
+class OpenIDProvider(Provider):
+    """Proxy model for OIDC Client"""
+    # Since oidc_provider doesn't currently support swappable models
+    # (https://github.com/juanifioren/django-oidc-provider/pull/305)
+    # we have a 1:1 relationship, and update oidc_client when the form is saved.
+
+    oidc_client = models.OneToOneField(Client, on_delete=models.CASCADE)
+
+    form = 'passbook.providers.oidc.forms.OIDCProviderForm'
+
+    @property
+    def name(self):
+        """Name property for UI"""
+        return self.oidc_client.name
+
+    def __str__(self):
+        return "OpenID Connect Provider %s" % self.oidc_client.__str__()
+
+    def html_setup_urls(self, request):
+        """return template and context modal with URLs for authorize, token, openid-config, etc"""
+        return "oidc_provider/setup_url_modal.html", {
+            'provider': self,
+            'authorize': request.build_absolute_uri(
+                reverse('oidc_provider:authorize')),
+            'token': request.build_absolute_uri(
+                reverse('oidc_provider:token')),
+            'userinfo': request.build_absolute_uri(
+                reverse('oidc_provider:userinfo')),
+            'provider_info': request.build_absolute_uri(
+                reverse('oidc_provider:provider-info')),
+        }
+
+    class Meta:
+
+        verbose_name = _('OpenID Provider')
+        verbose_name_plural = _('OpenID Providers')

passbook/providers/oidc/settings.py

@@ -0,0 +1,7 @@
+"""passbook OIDC Provider"""
+
+INSTALLED_APPS = [
+    'oidc_provider',
+]
+
+OIDC_AFTER_USERLOGIN_HOOK = "passbook.providers.oidc.lib.check_permissions"

passbook/providers/oidc/templates/oidc_provider/authorize.html

@@ -0,0 +1,70 @@
+{% extends "login/base.html" %}
+
+{% load utils %}
+{% load i18n %}
+
+{% block title %}
+{% title 'Authorize Application' %}
+{% endblock %}
+
+{% block card %}
+<header class="login-pf-header">
+  <h1>{% trans 'Authorize Application' %}</h1>
+</header>
+<form method="POST">
+    {% csrf_token %}
+    {% if not error %}
+        {% csrf_token %}
+        {% for field in form %}
+            {% if field.is_hidden %}
+                {{ field }}
+            {% endif %}
+        {% endfor %}
+        <div class="form-group">
+            <p class="subtitle">
+                {% blocktrans with remote=client.name %}
+                You're about to sign into {{ remote }}
+                {% endblocktrans %}
+            </p>
+            <p>{% trans "Application requires following permissions" %}</p>
+            <ul>
+                {% for scope in scopes %}
+                <li>{{ scope.name }}</li>
+                {% endfor %}
+            </ul>
+            {{ hidden_inputs }}
+            {{ form.errors }}
+            {{ form.non_field_errors }}
+            <p>
+                {% blocktrans with user=user %}
+                You are logged in as {{ user }}. Not you?
+                {% endblocktrans %}
+                <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
+            </p>
+            <div class="form-group">
+                <input type="submit" class="btn btn-success btn-disabled btn-lg click-spinner" name="allow" value="{% trans 'Continue' %}">
+                <a href="{% back %}" class="btn btn-default btn-lg">{% trans "Cancel" %}</a>
+            </div>
+            <div class="form-group spinner-hidden hidden">
+                <div class="spinner"></div>
+            </div>
+        </div>
+    {% else %}
+    <div class="login-group">
+        <p class="subtitle">
+            {% blocktrans with err=error.error %}Error: {{ err }}{% endblocktrans %}
+        </p>
+        <p>{{ error.description }}</p>
+    </div>
+    {% endif %}
+</form>
+{% endblock %}
+
+{% block scripts %}
+<script>
+    $('.click-spinner').on('click', function (e) {
+        $('.spinner-hidden').removeClass('hidden');
+        $(e.target).addClass('disabled');
+    })
+</script>
+{% endblock %}

passbook/providers/oidc/templates/oidc_provider/setup_url_modal.html

@@ -0,0 +1,49 @@
+{% load i18n %}
+
+<button class="btn btn-default btn-sm" data-toggle="modal" data-target="#{{ provider.pk }}">{% trans 'View Setup URLs' %}</button>
+<div class="modal fade" id="{{ provider.pk }}" tabindex="-1" role="dialog" aria-labelledby="{{ provider.pk }}Label" aria-hidden="true">
+  <div class="modal-dialog">
+    <div class="modal-content">
+      <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-hidden="true" aria-label="Close">
+          <span class="pficon pficon-close"></span>
+        </button>
+        <h4 class="modal-title" id="{{ provider.pk }}Label">{% trans 'Setup URLs' %}</h4>
+      </div>
+      <div class="modal-body">
+        <form class="form-horizontal">
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'Authorize URL' %}</label>
+            <div class="col-sm-9">
+              <input type="text"class="form-control" readonly value="{{ authorize }}">
+            </div>
+          </div>
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'Token URL' %}</label>
+            <div class="col-sm-9">
+              <input type="text" class="form-control" readonly value="{{ token }}">
+            </div>
+          </div>
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'Userinfo Endpoint' %}</label>
+            <div class="col-sm-9">
+              <input type="text" class="form-control" readonly value="{{ userinfo }}">
+            </div>
+          </div>
+        </form>
+        <hr>
+        <form class="form-horizontal">
+          <div class="form-group">
+            <label class="col-sm-3 control-label">{% trans 'OpenID Configuration URL' %}</label>
+            <div class="col-sm-9">
+              <input type="text"class="form-control" readonly value="{{ provider_info }}">
+            </div>
+          </div>
+        </form>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-primary" data-dismiss="modal">{% trans 'Close' %}</button>
+      </div>
+    </div>
+  </div>
+</div>