
django: Add OIDCSessionExpiredMiddleware
Closed, Public

Authored by anlambert on Mar 30 2021, 3:03 PM.

Details

Summary

Last piece of code that can be moved from swh-web to swh-auth.

That middleware detects when a user who previously logged in using
the OpenID Connect authentication backend has had his session expire.

In that case it performs a redirection to a Django view whose
name must be set in the SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW
Django setting (typically a logout view).

Related to T3150

Depends on D5366
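The decision the summary describes (is this an OIDC-backed session, and has it expired; if so, redirect to the configured view), written out as an added example that is not swh-auth's own middleware. It uses small stand-ins for Django's request, session and settings objects so it runs without Django. The session key `_auth_user_backend` is Django's real `BACKEND_SESSION_KEY`; the expiry key `oidc_token_expires_at`, the `ROUTES` table standing in for `django.urls.reverse`, and the loop guard on the redirect path are assumptions of this example, not details taken from the page.

```python
"""Illustrative "OIDC session expired" middleware (added example, not swh-auth code).

Assumptions not taken from the page:
  * the OIDC backend stored the token expiry (UNIX time) in the session
    under EXPIRY_KEY;
  * ROUTES stands in for django.urls.reverse().
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

OIDC_BACKEND = "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend"
EXPIRY_KEY = "oidc_token_expires_at"  # hypothetical session key
BACKEND_SESSION_KEY = "_auth_user_backend"  # Django's real key for the login backend

# Stand-in for the URL resolver: view name -> path (constructed).
ROUTES = {"oidc-logout": "/oidc/logout/"}


def reverse(view_name: str) -> str:
    """Resolve a view name to a path; unknown names fail loudly like Django's reverse()."""
    return ROUTES[view_name]


@dataclass
class Settings:
    SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW: Optional[str] = None


@dataclass
class Request:
    path: str
    session: Dict[str, object] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


class OIDCSessionExpiredMiddleware:
    def __init__(self, get_response: Callable[[Request], Response], settings: Settings,
                 now: Callable[[], float] = time.time):
        view = settings.SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW
        if not view:
            # Fail at startup: a missing setting must not silently disable the check.
            raise ValueError("SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW must be set")
        self.get_response = get_response
        self.redirect_path = reverse(view)
        self.now = now

    def __call__(self, request: Request) -> Response:
        if self.session_expired(request):
            return Response(302, location=self.redirect_path)
        return self.get_response(request)

    def session_expired(self, request: Request) -> bool:
        # Only sessions opened through the OIDC backend are subject to this check.
        if request.session.get(BACKEND_SESSION_KEY) != OIDC_BACKEND:
            return False
        # Let the redirect target itself (typically the logout view) through,
        # otherwise an expired session would loop on it forever.
        if request.path == self.redirect_path:
            return False
        expires_at = request.session.get(EXPIRY_KEY)
        if expires_at is None:
            return False
        return self.now() >= float(expires_at)


if __name__ == "__main__":
    mw = OIDCSessionExpiredMiddleware(
        lambda r: Response(200),
        Settings(SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW="oidc-logout"),
        now=lambda: 1000.0,
    )
    stale = Request("/api/", {BACKEND_SESSION_KEY: OIDC_BACKEND, EXPIRY_KEY: 999})
    print(mw(stale))  # redirected to /oidc/logout/
```

The design choice worth noting is the guard on `self.redirect_path`: when the redirect target is the logout view, the middleware must let that request reach the view, or the expired session is never cleared.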

Diff Detail

Repository
rDAUTH Common authentication libraries
Branch
django-oidc-session-expired-middleware
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 20363
Build 31614: Phabricator diff pipeline on Jenkins
Build 31613: arc lint + arc unit

Event Timeline

Build is green

Patch application report for D5384 (id=19283)

Could not rebase; Attempt merge onto cce5275cc4...

Updating cce5275..72519d8
Fast-forward
 pytest.ini                                         |   1 +
 requirements-django.txt                            |   4 +-
 swh/auth/django/backends.py                        | 200 +++++++++++++++
 swh/auth/django/middlewares.py                     |  68 +++++
 swh/auth/django/utils.py                           |  76 +++++-
 swh/auth/django/views.py                           | 152 +++++++++++
 swh/auth/pytest_plugin.py                          |  13 +-
 swh/auth/tests/conftest.py                         |  25 ++
 swh/auth/tests/django/app/apptest/settings.py      |  44 ++++
 swh/auth/tests/django/app/apptest/urls.py          |  24 +-
 swh/auth/tests/django/django_asserts.py            |  21 ++
 swh/auth/tests/django/test_backends.py             | 270 ++++++++++++++++++++
 .../tests/django/test_drf_bearer_token_auth.py     | 109 ++++++++
 swh/auth/tests/django/test_middlewares.py          |  71 ++++++
 swh/auth/tests/django/test_utils.py                |   9 +-
 swh/auth/tests/django/test_views.py                | 282 +++++++++++++++++++++
 swh/auth/tests/test_utils.py                       |  36 +++
 swh/auth/utils.py                                  |  35 +++
 18 files changed, 1426 insertions(+), 14 deletions(-)
 create mode 100644 swh/auth/django/backends.py
 create mode 100644 swh/auth/django/middlewares.py
 create mode 100644 swh/auth/django/views.py
 create mode 100644 swh/auth/tests/conftest.py
 create mode 100644 swh/auth/tests/django/django_asserts.py
 create mode 100644 swh/auth/tests/django/test_backends.py
 create mode 100644 swh/auth/tests/django/test_drf_bearer_token_auth.py
 create mode 100644 swh/auth/tests/django/test_middlewares.py
 create mode 100644 swh/auth/tests/django/test_views.py
 create mode 100644 swh/auth/tests/test_utils.py
 create mode 100644 swh/auth/utils.py
Changes applied before test
commit 72519d822c2261d23cda25cef85ccf62775193e6
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Tue Mar 30 14:55:33 2021 +0200

    django: Add OIDCSessionExpiredMiddleware
    
    That middleware detects when a user previously logged in using
    the OpenID Connect authentication backend got his session expired.
    
    In that case it will perform a redirection to a django view whose
    name must be set in the SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW
    django setting (typically a logout view).
    
    Related to T3150

commit f3a239111669e4146ddc6776a6fbd8308fd454aa
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Fri Mar 26 15:04:30 2021 +0100

    django: Add OIDC Bearer Token authentication backend for DRF views
    
    Add a generic Django REST Framework authentication backend enabling to
    authenticate a user using Keycloak and OpenID Connect bearer tokens.
    
    The backend can be easily plugged into a DRF application by:
    
      * adding "swh.auth.django.backends.OIDCBearerTokenAuthentication"
        to the REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
        django setting.
    
      * configuring Keycloak URL, realm and client by adding
        SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID
        in django settings
    
    Users will then be able to perform authenticated Web API calls by
    sending their refresh token in HTTP Authorization headers.
    
    Related to T3150

commit 6b6df8f54593715a5986d281bc2835a3c2d70d26
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Mar 24 17:18:18 2021 +0100

    django: Add OIDC Authorization code PKCE authentication backend
    
    Add a generic Django authentication backend and related login / logout
    views enabling to authenticate a user using Keycloak and the OpenID
    Connect authorization code flow with PKCE ("Proof Key for Code Exchange").
    
    The backend can be easily plugged into any django application by:
    
     - adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend"
       to the AUTHENTICATION_BACKENDS django setting
    
     - configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME
       and SWH_AUTH_CLIENT_ID in django settings
    
     - adding swh.auth.django.views.urlpatterns to the django application URLs
    
     - using the dedicated django views: "oidc-login" and "oidc-logout"
    
    Related to T3150

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/63/ for more details.

ardumont added a subscriber: ardumont.

lgtm

I like how the tests are quite readable given the decorators which allow modifying
the settings on the fly ;)

This revision is now accepted and ready to land. Mar 30 2021, 5:04 PM

Build is green

Patch application report for D5384 (id=19295)

Could not rebase; Attempt merge onto cce5275cc4...

Updating cce5275..e5fd97a
Fast-forward
 mypy.ini                                           |   9 +-
 pytest.ini                                         |   1 +
 requirements-django.txt                            |   4 +-
 swh/auth/django/backends.py                        | 201 +++++++++++++++
 swh/auth/django/middlewares.py                     |  68 +++++
 swh/auth/django/utils.py                           |  78 +++++-
 swh/auth/django/views.py                           | 152 +++++++++++
 swh/auth/keycloak.py                               |   7 +-
 swh/auth/pytest_plugin.py                          |  13 +-
 swh/auth/tests/conftest.py                         |  25 ++
 swh/auth/tests/django/app/apptest/settings.py      |  44 ++++
 swh/auth/tests/django/app/apptest/urls.py          |  24 +-
 swh/auth/tests/django/django_asserts.py            |  21 ++
 swh/auth/tests/django/test_backends.py             | 256 +++++++++++++++++++
 .../tests/django/test_drf_bearer_token_auth.py     | 109 ++++++++
 swh/auth/tests/django/test_middlewares.py          |  71 ++++++
 swh/auth/tests/django/test_utils.py                |   9 +-
 swh/auth/tests/django/test_views.py                | 282 +++++++++++++++++++++
 swh/auth/tests/test_utils.py                       |  36 +++
 swh/auth/utils.py                                  |  35 +++
 20 files changed, 1426 insertions(+), 19 deletions(-)
 create mode 100644 swh/auth/django/backends.py
 create mode 100644 swh/auth/django/middlewares.py
 create mode 100644 swh/auth/django/views.py
 create mode 100644 swh/auth/tests/conftest.py
 create mode 100644 swh/auth/tests/django/django_asserts.py
 create mode 100644 swh/auth/tests/django/test_backends.py
 create mode 100644 swh/auth/tests/django/test_drf_bearer_token_auth.py
 create mode 100644 swh/auth/tests/django/test_middlewares.py
 create mode 100644 swh/auth/tests/django/test_views.py
 create mode 100644 swh/auth/tests/test_utils.py
 create mode 100644 swh/auth/utils.py
Changes applied before test
commit e5fd97a75857159effd59b3737d25792781373cd
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Tue Mar 30 14:55:33 2021 +0200

    django: Add OIDCSessionExpiredMiddleware
    
    That middleware detects when a user previously logged in using
    the OpenID Connect authentication backend got his session expired.
    
    In that case it will perform a redirection to a django view whose
    name must be set in the SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW
    django setting (typically a logout view).
    
    Related to T3150

commit 0c8c3ce7b9d02708b977352557e5569e286a2f53
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Fri Mar 26 15:04:30 2021 +0100

    django: Add OIDC Bearer Token authentication backend for DRF views
    
    Add a generic Django REST Framework authentication backend enabling to
    authenticate a user using Keycloak and OpenID Connect bearer tokens.
    
    The backend can be easily plugged into a DRF application by:
    
      * adding "swh.auth.django.backends.OIDCBearerTokenAuthentication"
        to the REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
        django setting.
    
      * configuring Keycloak URL, realm and client by adding
        SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID
        in django settings
    
    Users will then be able to perform authenticated Web API calls by
    sending their refresh token in HTTP Authorization headers.
    
    Related to T3150

commit 367ead11f59ffa7fa8f06e278f3fabc24c254519
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Mar 24 17:18:18 2021 +0100

    django: Add OIDC Authorization code PKCE authentication backend
    
    Add a generic Django authentication backend and related login / logout
    views enabling to authenticate a user using Keycloak and the OpenID
    Connect authorization code flow with PKCE ("Proof Key for Code Exchange").
    
    The backend can be easily plugged into any django application by:
    
     - adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend"
       to the AUTHENTICATION_BACKENDS django setting
    
     - configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME
       and SWH_AUTH_CLIENT_ID in django settings
    
     - adding swh.auth.django.views.urlpatterns to the django application URLs
    
     - using the dedicated django views: "oidc-login" and "oidc-logout"
    
    Related to T3150

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/66/ for more details.