Implement provisional REST API

example-config/etc/nginx/conf.d/feudal.conf

@@ -67,6 +67,10 @@ server {
 		proxy_set_header Connection $connection_upgrade;
 	}
 
+	location /rest {
+		rewrite "^$" /backend/user-api;
+	}
+
 	location / {
 		if ($arg_idp) {
 			return 301 /backend/auth/v1/request$is_args$args;

feudal/backend/auth/v1/models.py

@@ -84,6 +84,8 @@ def default_idp():
 
 
 class OIDCTokenAuthBackend(object):
+    AuthException = Exception("Unable to authenticate user")
+
     def get_userinfo(self, oidc_client, access_token=None):
         user_info = None
 
@@ -105,12 +107,29 @@ class OIDCTokenAuthBackend(object):
         #LOGGER.debug("Got user info:\n%s\n", user_info)
         return user_info
 
-    def authenticate(self, request, token=None):
+    def authenticate(self, request, token=None, issuer_uri=None):
         if token is None:
             return None
 
         idp_id = utils.get_session(request, 'idp_id', None)
-        oidc_client = OIDCConfig.objects.get(id=idp_id)
+        oidc_client = None
+
+        try:
+
+            if issuer_uri is not None:
+                LOGGER.debug("Attempting to find IdP %s", issuer_uri)
+                oidc_client = OIDCConfig.objects.get(issuer_uri=issuer_uri)
+
+            elif idp_id is not None:
+                oidc_client = OIDCConfig.objects.get(id=idp_id)
+
+            if oidc_client is None:
+                LOGGER.error("Unable to determine IdP for authentication")
+                return None
+
+        except OIDCConfig.DoesNotExist:
+            LOGGER.error("Unable to determine IdP for authentication")
+            return None
 
         # get the user info from the idp
         userinfo = self.get_userinfo(

feudal/backend/urls.py

@@ -3,11 +3,13 @@ from django.contrib import admin
 
 from .views.client_urls import URLPATTERNS as clientapi_urls
 from .views.webpage_urls import URLPATTERNS as frontend_urls
+from .views.user_rest_urls import URLPATTERNS as user_rest_urls
 from .auth.v1.urls import URLPATTERNS as auth_urls
 
 URLPATTERNS = [
     url(r'^clientapi/', include(clientapi_urls)),
     url(r'^api/', include(frontend_urls)),
+    url(r'^user-api/', include(user_rest_urls)),
     url(r'^auth/v1/', include(auth_urls)),
     url(r'^admin', admin.site.urls),
 ]

feudal/backend/views/user_rest.py

+
+import logging
+
+from django.contrib.auth import authenticate
+from django.contrib.auth.models import Group
+from django.shortcuts import get_object_or_404
+from rest_framework import status
+from rest_framework import views
+from rest_framework.permissions import AllowAny
+from rest_framework.response import Response
+
+from .. import models
+from ..models import serializers as model_serializers
+from ..models.serializers import webpage as serializers
+
+LOGGER = logging.getLogger(__name__)
+
+
+example_input = {
+    'at': '<OpenID Connect Access Token>',
+    'iss': '<Issuer URI>',
+    'key': '<SSH public key>',
+    's': '<service identifier>',
+}
+
+def _error_response(error):
+    return Response(
+        {
+            'error': error,
+            'example_input': example_input
+        },
+        status=status.HTTP_400_BAD_REQUEST,
+    )
+
+class ProvisioningView(views.APIView):
+    permission_classes = (AllowAny,)
+
+    @staticmethod
+    def access_token_valid(access_token):
+        return False
+
+    @staticmethod
+    def service_exists(service_id):
+        return False
+
+    def post(self, request):
+        LOGGER.debug("Got user REST request: %s", request)
+
+        if 'at' not in request.data:
+            return _error_response("Need access token field 'at'")
+        if 'iss' not in request.data:
+            return _error_response("Need issuer uri field 'iss'")
+        if 'key' not in request.data:
+            return _error_response("Need ssh key field 'key'")
+        if 's' not in request.data:
+            return _error_response("Need service identifier field 's'")
+
+        access_token = request.data['at']
+        issuer_uri = request.data['iss']
+        key = request.data['key']
+        service_id = request.data['s']
+
+        user = authenticate(
+            request,
+            token=access_token,
+            issuer_uri=issuer_uri,
+        )
+
+        if user is None:
+            return _error_response("Unable to authenticate user")
+        
+        LOGGER.debug("USER-RESTAPI: authenticated user %s using access token", user)
+
+
+        if not self.service_exists(service_id):
+            return _error_response("Invalid service id: Does not exist")
+
+        return Response({
+            'foo': 'bar',
+        })

feudal/backend/views/user_rest_urls.py

+from django.conf.urls import url
+from . import user_rest as views
+
+URLPATTERNS = [
+    url(r'^prov', views.ProvisioningView.as_view()),
+]