From 75e24dd2b87b3ba39c581a6cfe72c95f0e85d8b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Langenski=C3=B6ld?=
Date: Sat, 21 Nov 2020 22:53:56 +0200
Subject: [PATCH] Add working OIDC implementation with user and groups sync
---
 fars/.env.example | 12 ++++++++++-
 fars/booking/templates/base.html | 2 +-
 fars/fars/oidc.py | 34 ++++++++++++++++++++++++++++++++
 fars/fars/settings.py | 10 +++++++---
 4 files changed, 53 insertions(+), 5 deletions(-)
 create mode 100644 fars/fars/oidc.py
diff --git a/fars/.env.example b/fars/.env.example
index a118b9c..601a084 100644
--- a/fars/.env.example
+++ b/fars/.env.example
@@ -41,4 +41,14 @@
 BILL_API_URL="https://bill.teknologforeningen.fi/api/"
 BILL_API_USER="user"
 # BILL API password
-BILL_API_PW="hunter2"
\ No newline at end of file
+BILL_API_PW="hunter2"
+
+# OIDC configurations
+OIDC_RP_CLIENT_ID="fars"
+OIDC_RP_CLIENT_SECRET=""
+
+OIDC_OP_AUTHORIZATION_ENDPOINT=""
+OIDC_OP_TOKEN_ENDPOINT=""
+OIDC_OP_USER_ENDPOINT=""
+OIDC_OP_JWKS_ENDPOINT=""
+
diff --git a/fars/booking/templates/base.html b/fars/booking/templates/base.html
index 78b8daa..164a7fd 100644
--- a/fars/booking/templates/base.html
+++ b/fars/booking/templates/base.html
@@ -37,7 +37,7 @@ {{user.get_full_name}}
{% csrf_token %} - +
 {% else %}
diff --git a/fars/fars/oidc.py b/fars/fars/oidc.py
new file mode 100644
index 0000000..e3abdb8
--- /dev/null
+++ b/fars/fars/oidc.py
@@ -0,0 +1,34 @@
+from mozilla_django_oidc.auth import OIDCAuthenticationBackend
+from django.contrib.auth.models import Group
+
+class TeknologOIDCAB(OIDCAuthenticationBackend):
+ def get_username(self, claims):
+ return claims.get('preferred_username')
+
+ def create_user(self, claims):
+ user = super(TeknologOIDCAB, self).create_user(claims)
+
+ user.first_name = claims.get('given_name', '')
+ user.last_name = claims.get('family_name', '')
+ groups = self.get_or_create_groups(claims.get('groups'))
+ user.groups.set(groups)
+ user.save()
+
+ return user
+
+ def update_user(self, user, claims):
+ user.first_name = claims.get('given_name', '')
+ user.last_name = claims.get('family_name', '')
+ groups = self.get_or_create_groups(claims.get('groups'))
+ user.groups.set(groups)
+ user.save()
+
+ return user
+
+ def get_or_create_groups(self, group_names):
+ groups = []
+ for group_name in group_names:
+ obj, _ = Group.objects.get_or_create(name=group_name)
+ groups.append(obj)
+
+ return groups
diff --git a/fars/fars/settings.py b/fars/fars/settings.py
index 81e8deb..2919819 100644
--- a/fars/fars/settings.py
+++ b/fars/fars/settings.py
@@ -131,7 +131,8 @@
 },
 ]
-LOGIN_REDIRECT_URL = 'home'
+LOGIN_REDIRECT_URL = '/'
+LOGOUT_REDIRECT_URL = '/'
 # Internationalization
 # https://docs.djangoproject.com/en/1.10/topics/i18n/
@@ -199,8 +200,8 @@
 # Keep ModelBackend around for per-user permissions and maybe a local
 # superuser.
 AUTHENTICATION_BACKENDS = (
- 'mozilla_django_oidc.auth.OIDCAuthenticationBackend',
- #'django.contrib.auth.backends.ModelBackend',
+ 'fars.oidc.TeknologOIDCAB',
+ 'django.contrib.auth.backends.ModelBackend',
 )
 # Never require cert 
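Review bot: In fars/fars/oidc.py, `get_or_create_groups(claims.get('groups'))` in both `create_user` and `update_user` passes `None` when the OP omits the `groups` claim, and `for group_name in group_names:` then raises `TypeError`, so such users cannot log in at all; iterate `for group_name in group_names or []:` (or default the claim with `claims.get('groups', [])`). `user.groups.set(groups)` also deserves a comment, because it replaces the user's entire local membership on every login: the settings.py hunk keeps ModelBackend "for per-user permissions", yet any group assigned locally is silently dropped at the next OIDC login, and `Group.objects.get_or_create` turns every name the OP sends into a local group, so group names from the OP effectively map onto local permissions and the OP has to be trusted for that. `get_username` keys the account on `preferred_username`; unlike `sub`, that claim is not guaranteed stable or unique by the OIDC spec, so state the assumption next to it, e.g. `# assumes the OP keeps preferred_username unique and immutable; sub is the spec-guaranteed identifier`. The profile-sync bodies of `create_user` and `update_user` are duplicated verbatim; having `create_user` call `self.update_user(user, claims)` after `super().create_user(claims)` would keep the two from drifting.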
@@ -215,3 +216,6 @@
 OIDC_OP_AUTHORIZATION_ENDPOINT = env('OIDC_OP_AUTHORIZATION_ENDPOINT')
 OIDC_OP_TOKEN_ENDPOINT = env('OIDC_OP_TOKEN_ENDPOINT')
 OIDC_OP_USER_ENDPOINT = env('OIDC_OP_USER_ENDPOINT')
+
+OIDC_RP_SIGN_ALGO = 'RS256'
+OIDC_OP_JWKS_ENDPOINT = env('OIDC_OP_JWKS_ENDPOINT')
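Review bot: `OIDC_RP_SIGN_ALGO = 'RS256'` makes `OIDC_OP_JWKS_ENDPOINT` load-bearing for id_token signature verification, but nothing in the hunk records that coupling, and the `.env.example` in this same patch ships the endpoint as `""`; if `env()` is django-environ, an empty string satisfies the required-variable check and the misconfiguration only surfaces at the first login when the key fetch fails. A one-line comment would make the dependency explicit: `# RS256: the OP's public keys are fetched from OIDC_OP_JWKS_ENDPOINT to verify the id_token signature, so it must be set (HS256 would use the client secret instead).` A fail-fast check at settings load that the endpoint is non-empty would turn a runtime login failure into a startup error.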