auth: Map Keycloak user permissions to Django ones
ClosedPublic
Actions

Authored by anlambert on Jun 17 2020, 4:10 PM.

Details

Reviewers

ardumont

Group Reviewers

Reviewers

Maniphest Tasks

T2048: Use OpenID Connect to authenticate and authorize users in Django
T2247: Map Keycloak permissions to Django ones

Commits

rDWAPPS7e7194615881: auth: Map Keycloak user permissions to Django ones

Summary

This was the last task remaining to implement in order to close T2048.

Keycloak user permissions are named Roles in Keycloak semantics.

Extract them from each decoded access token and override methods from
django.contrib.auth.models.PermissionsMixin in order to manipulate them
as Django user permissions.

Closes T2247

Diff Detail

Repository

rDWAPPS Web applications

Branch

auth-map-keycloak-permissions

Lint

No Linters Available

Unit

No Unit Test Coverage

Build Status

Buildable 12916
Build 19668: Phabricator diff pipeline on jenkins	Jenkins console · Jenkins
Build 19667: arc lint + arc unit

Event Timeline

anlambert created this revision.Jun 17 2020, 4:10 PM

Herald added a reviewer: Reviewers. · View Herald TranscriptJun 17 2020, 4:10 PM

Harbormaster completed remote builds in B12916: Diff 11707.Jun 17 2020, 4:24 PM

Build is green

Patch application report for D3304 (id=11707)

Rebasing onto e926cadb92...

Current branch diff-target is up to date.

Changes applied before test

commit 7e719461588132fdaf854e20ccf244b83bc607da
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Jun 17 16:02:08 2020 +0200

    auth: Map Keycloak user permissions to Django ones
    
    Keycloak user permissions are named Roles in Keycloak semantics.
    
    Extract them from each decoded access token and override methods from
    django.contrib.auth.models.PermissionsMixin in order to manipulate them
    as Django user permissions.
    
    Closes T2247

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/188/ for more details.

anlambert added a child revision: D3309: api/throttling: Lift rate limit when user has special permission.Jun 17 2020, 5:42 PM

I gather it's good (but some things may escape me).

I'm missing a bit description what tests are testing, i suggested some docstrings.
Hopefully, that helps.

Cheers,

swh/web/tests/auth/test_backends.py
52	Maybe add docstring to clarify what's the scenario we are testing. "Staff member should be allowed access" (or something better if you have in store ;)
91	"User with app permission should be allowed authentication" (please something better if you have that in store ;)
168	"User with app permission should be allowed api authentication" ?