Put oidc config into the db

30cbbb71 · Lukas Burgey · 00cd417a · 30cbbb71 · 30cbbb71 · 30cbbb71
Commit 30cbbb71 authored Dec 19, 2017 by Lukas Burgey
--- a/django_backend/backend/admin.py
+++ b/django_backend/backend/admin.py
 from django.contrib import admin
 from . import models
+from .auth.models import OIDCConfig


-# from django.apps import apps
-# b = apps.get_app_config('backend')
-# 
-# # register all models of the app
-# for _, model in b.models.items():
-#     admin.site.register(model)
-
 admin.site.register(models.User)
 admin.site.register(models.Site)
 admin.site.register(models.Service)
+admin.site.register(OIDCConfig)
--- a/django_backend/backend/auth/__init__.py
+++ b/django_backend/backend/auth/__init__.py
--- a/django_backend/backend/auth/backend.py
+++ b/django_backend/backend/auth/backend.py

+from django.db import models as db_models
+from oic.oic import Client
+from oic.utils.authn.client import CLIENT_AUTHN_METHOD
+from oic.oic.message import RegistrationResponse
 from urllib.request import Request, urlopen
 from .. import models
 from django.core.exceptions import ObjectDoesNotExist
-from .oidc import OIDC_CLIENT
+from django.conf import settings
 import json

+oidc_client = None
+
+
+class OIDCConfig(db_models.Model):
+    client_id = db_models.CharField(max_length=200)
+    client_secret = db_models.CharField(max_length=200)
+    redirect_uri = db_models.CharField(max_length=200)
+    issuer_uri = db_models.CharField(max_length=200)
+
+    @property
+    def registration_response(self):
+        info = {"client_id": self.client_id,
+                "client_secret": self.client_secret}
+        return RegistrationResponse(**info)
+
+    @property
+    def oidc_client(self):
+        global oidc_client
+        if oidc_client is None:
+            oidc_client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
+            oidc_client.provider_config(self.issuer_uri)
+            oidc_client.store_registration_info(self.registration_response)
+        return oidc_client
+
+    @property
+    def provider_info(self):
+        return self.oidc_client.provider_info
+
+    def get_auth_request(self, client, state):
+        args = {
+            'client_id': self.client_id,
+            'response_type': 'code',
+            'scope': ['openid', 'profile', 'email'],
+            'redirect_uri': self.redirect_uri,
+            'state': state,
+        }
+
+        auth_req = client.construct_AuthorizationRequest(
+                request_args=args)
+        return auth_req.request(client.authorization_endpoint)
+
+    def __str__(self):
+        return self.issuer_uri
+
+
+def get_oidc_client():
+    # TODO dubious
+    oidc_config = OIDCConfig.objects.all()[settings.OIDC_CONFIG_INDEX]
+    return oidc_config.oidc_client
+

 class OIDCTokenAuthBackend(object):
    def get_user_info(self, access_token, token_type='Bearer'):
-        q = Request(OIDC_CLIENT.provider_info['userinfo_endpoint'])
+        q = Request(get_oidc_client().provider_info['userinfo_endpoint'])
        auth = (token_type + ' ' + access_token)
        q.add_header('Authorization', auth)


--- a/django_backend/backend/auth/oidc.py
+++ b/django_backend/backend/auth/oidc.py
-
-from oic.oic import Client
-from oic.utils.authn.client import CLIENT_AUTHN_METHOD
-from oic.oic.message import RegistrationResponse
-import os
-
-
-OIDC_CLIENT_ID = os.environ.get('OIDC_CLIENT_ID', '')
-OIDC_CLIENT_ID_SECRET = os.environ.get('OIDC_CLIENT_ID_SECRET', '')
-OIDC_REDIRECT_URI = os.environ.get('OIDC_REDIRECT_URI', '')
-OIDC_ISSUER_URI = os.environ.get('OIDC_ISSUER_URI', '')
-
-OIDC_CLIENT = Client(client_authn_method=CLIENT_AUTHN_METHOD)
-OIDC_CLIENT.provider_config(OIDC_ISSUER_URI)
-
-
-info = {"client_id": OIDC_CLIENT_ID, "client_secret": OIDC_CLIENT_ID_SECRET}
-client_reg = RegistrationResponse(**info)
-
-OIDC_CLIENT.store_registration_info(client_reg)
--- a/django_backend/backend/auth/views.py
+++ b/django_backend/backend/auth/views.py
-from .oidc import OIDC_CLIENT, OIDC_CLIENT_ID, OIDC_REDIRECT_URI
+from .models import OIDCConfig
 from django.contrib.auth import authenticate, login
 from django.db.utils import OperationalError
 from django.shortcuts import redirect, render
@@ -13,25 +13,20 @@ class Auth(View):
        state = rndstr()
        try:
            request.session['state'] = state
-            request.session['nonce'] = rndstr()
+            # request.session['nonce'] = rndstr()
        except OperationalError:
            return redirect('/?error=not_operational')

-        args = {
-            'client_id': OIDC_CLIENT_ID,
-            'response_type': 'code',
-            'scope': ['openid', 'profile', 'email'],
-            'redirect_uri': OIDC_REDIRECT_URI,
-            'state': state,
-        }
-        auth_req = OIDC_CLIENT.construct_AuthorizationRequest(
-                request_args=args)
-        login_url = auth_req.request(OIDC_CLIENT.authorization_endpoint)
+        oidc_config = OIDCConfig.objects.all()[0]
+        oidc_client = oidc_config.oidc_client
+
+        login_url = oidc_config.get_auth_request(
+                oidc_client,
+                state)
        return redirect(login_url)


 class AuthCallback(View):
-
    def get(self, request, **kwargs):

        try:
@@ -39,7 +34,10 @@ class AuthCallback(View):
        except OperationalError:
            return redirect('/?error=not_operational')

-        aresp = OIDC_CLIENT.parse_response(
+        oidc_config = OIDCConfig.objects.all()[0]
+        oidc_client = oidc_config.oidc_client
+
+        aresp = oidc_client.parse_response(
            AuthorizationResponse,
            info=json.dumps(request.GET))

@@ -50,13 +48,13 @@ class AuthCallback(View):
            'code': code,
        }

-        ac_token_response = OIDC_CLIENT.do_access_token_request(
+        ac_token_response = oidc_client.do_access_token_request(
            state=aresp['state'],
            request_args=args)

        # does fail with 'invalid_token'
        # user_info = OIDC_CLIENT.do_user_info_request(
-        #              state=aresp['state'])
+        #              statearesp['state'])
        # user_info = self.get_user_info(ac_token_response['access_token'])
        # try:
        #     u = models.User.objects.get(sub=user_info['sub'])

--- a/django_backend/settings.py
+++ b/django_backend/settings.py
@@ -21,6 +21,10 @@ SESSION_COOKIE_AGE = 3600

 CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'

+
+# index in the django_backend.backend.auth.models.OIDCConfig table
+OIDC_CONFIG_INDEX = 0
+
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/

@@ -99,7 +103,7 @@ DATABASES = {
 CORS_ORIGIN_ALLOW_ALL = True

 AUTHENTICATION_BACKENDS = [
-    'django_backend.backend.auth.backend.OIDCTokenAuthBackend',
+    'django_backend.backend.auth.models.OIDCTokenAuthBackend',
    'django.contrib.auth.backends.ModelBackend',
 ]