Settings rework: stable status.

Author: regilero

DEVELOPMENT.md

@@ -22,10 +22,11 @@ sphinx-autobuild docs docs/_build/html
 
 ## Running Tests
 
-Check database settings in tests/test_settings.py, target a real PostgreSQL Host (You need a PostgreSQL version 12 or greater).
+Check database settings in `tests/test_settings.py`, target a real PostgreSQL Host (You need a PostgreSQL version 12 or greater), for e2e tests check the `tests/e2e/settings.py` file.
 
 ```
-python3 runtests.py
+python3 run_tests.py  # for unit tests
+python3 run_e2e_tests.py  # for end to end tests
 ```
 
 ## Adding a dependency

README.md

@@ -90,19 +90,22 @@ Now you can pick an identity provider from the [available providers](https://dja
 
 Create a file named `oidc.py` next to your settings file and initialize your provider there :
 
+FIXME: Here config as settings only OR using custom provider
+
 ```python
 from django_pyoidc.providers.keycloak import KeycloakProvider
 
 my_oidc_provider = KeycloakProvider(
     op_name="keycloak",
-    client_secret="s3cret",
-    client_id="my_client_id",
     keycloak_base_uri="http://keycloak.local:8080/auth/", # we use the auth/ path prefix option on Keycloak
     keycloak_realm="Demo",
+    client_secret="s3cret",
+    client_id="my_client_id",
     logout_redirect="http://app.local:8082/",
     failure_redirect="http://app.local:8082/",
     success_redirect="http://app.local:8082/",
     redirect_requires_https=False,
+    login_uris_redirect_allowed_hosts=["app.local:8082"],
 )
 ```
 
@@ -112,7 +115,7 @@ You can then add to your django configuration the following line :
 from .oidc_providers import my_oidc_provider
 
 DJANGO_PYOIDC = {
-    **my_oidc_provider.get_config(allowed_hosts=["app.local:8082"]),
+    **my_oidc_provider.get_config(),
 }
 ```
 

django_pyoidc/client.py

@@ -5,31 +5,39 @@
 from oic.oic.consumer import Consumer
 from oic.utils.authn.client import CLIENT_AUTHN_METHOD
 
+from django_pyoidc.exceptions import (
+    InvalidOIDCConfigurationException,
+    InvalidSIDException,
+)
 from django_pyoidc.session import OIDCCacheSessionBackendForDjango
 from django_pyoidc.settings import OIDCSettingsFactory
-from django_pyoidc.utils import OIDCCacheBackendForDjango, get_setting_for_sso_op
+from django_pyoidc.utils import OIDCCacheBackendForDjango
 
 logger = logging.getLogger(__name__)
 
 
 class OIDCClient:
-    def __init__(self, op_name, session_id=None):
-        self._op_name = op_name
-        self.settings = OIDCSettingsFactory.get(self.op_name)
+    def __init__(self, op_name: str, session_id=None):
+        self.opsettings = OIDCSettingsFactory.get(op_name)
 
-        self.session_cache_backend = OIDCCacheSessionBackendForDjango(self._op_name)
-        self.general_cache_backend = OIDCCacheBackendForDjango(self._op_name)
-
-        consumer_config = {
-            # "debug": True,
-            "response_type": "code"
-        }
+        self.session_cache_backend = OIDCCacheSessionBackendForDjango(self.opsettings)
+        self.general_cache_backend = OIDCCacheBackendForDjango(self.opsettings)
+        client_id = self.opsettings.get("client_id")
+        client_secret = self.opsettings.get("client_secret", None)
+        consumer_config = self.opsettings.get(
+            "client_consumer_config_dict",
+            {
+                # "debug": True,
+                "response_type": "code"
+            },
+        )
 
         client_config = {
-            "client_id": get_setting_for_sso_op(op_name, "OIDC_CLIENT_ID"),
-            "client_authn_method": CLIENT_AUTHN_METHOD,
+            "client_id": client_id,
+            "client_authn_method": self.opsettings.get(
+                "client_authn_method", CLIENT_AUTHN_METHOD
+            ),
         }
-
         self.consumer = Consumer(
             session_db=self.session_cache_backend,
             consumer_config=consumer_config,
@@ -38,24 +46,40 @@ def __init__(self, op_name, session_id=None):
         # used in token introspection
         self.client_extension = ClientExtension(**client_config)
 
-        provider_info_uri = get_setting_for_sso_op(
-            op_name, "OIDC_PROVIDER_DISCOVERY_URI"
-        )
-        client_secret = get_setting_for_sso_op(op_name, "OIDC_CLIENT_SECRET")
+        provider_discovery_uri = self.opsettings.get("provider_discovery_uri", None)
         self.client_extension.client_secret = client_secret
 
         if session_id:
-            self.consumer.restore(session_id)
-        else:
-
-            cache_key = self.general_cache_backend.generate_hashed_cache_key(
-                provider_info_uri
-            )
             try:
-                config = self.general_cache_backend[cache_key]
+                self.consumer.restore(session_id)
             except KeyError:
-                config = self.consumer.provider_config(provider_info_uri)
-                # shared microcache for provider config
-                # FIXME: Setting for duration
-                self.general_cache_backend.set(cache_key, config, 60)
-            self.consumer.client_secret = client_secret
+                # This is an error as for example during the first communication round trips between
+                # the op and the client we'll have to find state elements in the oidc session
+                raise InvalidSIDException(
+                    f"OIDC consumer failed to restore oidc session {session_id}."
+                )
+            return
+
+        if not provider_discovery_uri:
+            raise InvalidOIDCConfigurationException(
+                "No provider discovery uri provided."
+            )
+        else:
+            if self.opsettings.get("oidc_cache_provider_metadata", False):
+                cache_key = self.general_cache_backend.generate_hashed_cache_key(
+                    provider_discovery_uri
+                )
+                try:
+                    config = self.general_cache_backend[cache_key]
+                    # this will for example register endpoints on the consumer object
+                    self.consumer.handle_provider_config(config, provider_discovery_uri)
+                except KeyError:
+                    # This make an HTTP call on provider discovery uri
+                    config = self.consumer.provider_config(provider_discovery_uri)
+                    # shared microcache for provider config
+                    # FIXME: Setting for duration
+                    self.general_cache_backend.set(cache_key, config, 60)
+            else:
+                # This make an HTTP call on provider discovery uri
+                config = self.consumer.provider_config(provider_discovery_uri)
+        self.consumer.client_secret = client_secret

django_pyoidc/drf/authentication.py

@@ -1,18 +1,14 @@
 import functools
 import logging
 
-from django.conf import settings
 from django.core.exceptions import PermissionDenied
 from rest_framework import exceptions
 from rest_framework.authentication import BaseAuthentication
 
 from django_pyoidc.client import OIDCClient
 from django_pyoidc.engine import OIDCEngine
-from django_pyoidc.utils import (
-    OIDCCacheBackendForDjango,
-    check_audience,
-    get_setting_for_sso_op,
-)
+from django_pyoidc.settings import OIDCSettingsFactory
+from django_pyoidc.utils import OIDCCacheBackendForDjango, check_audience
 
 logger = logging.getLogger(__name__)
 
@@ -24,38 +20,13 @@ class OidcAuthException(Exception):
 class OIDCBearerAuthentication(BaseAuthentication):
     def __init__(self, *args, **kwargs):
         super(OIDCBearerAuthentication, self).__init__(*args, **kwargs)
-        self.op_name = self.extract_drf_opname()
-        self.general_cache_backend = OIDCCacheBackendForDjango(self.op_name)
-        self.engine = OIDCEngine(self.op_name)
+        self.opsettings = OIDCSettingsFactory.get("drf")
+        self.general_cache_backend = OIDCCacheBackendForDjango(self.opsettings)
+        self.engine = OIDCEngine(self.opsettings)
 
     @functools.cached_property
     def client(self):
-        return OIDCClient(self.op_name)
-
-    @classmethod
-    def extract_drf_opname(cls):
-        """
-        Given a list of opnames and setting in DJANGO_PYOIDC conf, extract the one having USED_BY_REST_FRAMEWORK=True.
-        """
-        op = None
-        found = False
-        for op_name, configs in settings.DJANGO_PYOIDC.items():
-            if (
-                "USED_BY_REST_FRAMEWORK" in configs
-                and configs["USED_BY_REST_FRAMEWORK"]
-            ):
-                if found:
-                    raise RuntimeError(
-                        "Several DJANGO_PYOIDC sections are declared as USED_BY_REST_FRAMEWORK, only one should be used."
-                    )
-                found = True
-                op = op_name
-        if found:
-            return op
-        else:
-            raise RuntimeError(
-                "No DJANGO_PYOIDC sections are declared with USED_BY_REST_FRAMEWORK configuration option."
-            )
+        return OIDCClient("drf")
 
     def extract_access_token(self, request) -> str:
         val = request.headers.get("Authorization")
@@ -64,11 +35,9 @@ def extract_access_token(self, request) -> str:
             raise OidcAuthException(msg)
         val = val.strip()
         bearer_name, access_token_jwt = val.split(maxsplit=1)
-        requested_bearer_name = get_setting_for_sso_op(
-            self.op_name, "OIDC_API_BEARER_NAME", "Bearer"
-        )
+        requested_bearer_name = self.opsettings.get("oidc_api_bearer_name", "Bearer")
         if not bearer_name.lower() == requested_bearer_name.lower():
-            msg = f"Bad authorization header, invalid Keyword for the bearer, expecting {requested_bearer_name}."
+            msg = f"Bad authorization header, invalid Keyword for the bearer, expecting {requested_bearer_name} (check setting oidc_api_bearer_name)."
             raise OidcAuthException(msg)
         return access_token_jwt
 
@@ -104,7 +73,7 @@ def authenticate(self, request):
                 logger.debug("Request has valid access token.")
 
                 # FIXME: Add a setting to disable
-                client_id = get_setting_for_sso_op(self.op_name, "OIDC_CLIENT_ID")
+                client_id = self.opsettings.get("client_id")
                 if not check_audience(client_id, access_token_claims):
                     raise PermissionDenied(
                         f"Invalid result for acces token audiences check for {client_id}."

django_pyoidc/drf/schema.py

@@ -1,12 +1,11 @@
 import logging
-from urllib.parse import urljoin
 
 logger = logging.getLogger(__name__)
 
 try:
     from drf_spectacular.extensions import OpenApiAuthenticationExtension
 
-    from django_pyoidc.utils import get_setting_for_sso_op
+    from django_pyoidc.settings import OIDCSettingsFactory
 
     class OIDCScheme(OpenApiAuthenticationExtension):
         target_class = "django_pyoidc.drf.authentication.OIDCBearerAuthentication"
@@ -15,21 +14,15 @@ class OIDCScheme(OpenApiAuthenticationExtension):
         priority = -1
 
         def get_security_definition(self, auto_schema):
-            from django_pyoidc.drf.authentication import OIDCBearerAuthentication
-
-            op = OIDCBearerAuthentication.extract_drf_opname()
-            well_known_url = get_setting_for_sso_op(op, "OIDC_PROVIDER_DISCOVERY_URI")
-            if not well_known_url.endswith(".well-known/openid-configuration"):
-                if not well_known_url.endswith("/"):
-                    well_known_url += "/"
-                well_known_url = urljoin(
-                    well_known_url, ".well-known/openid-configuration"
-                )
+            # from django_pyoidc.drf.authentication import OIDCBearerAuthentication
+
+            opsettings = OIDCSettingsFactory.get("drf")
+            well_known_url = opsettings.get("provider_discovery_uri")
 
-            header_name = get_setting_for_sso_op(op, "OIDC_API_BEARER_NAME", "Bearer")
+            header_name = opsettings.get("oidc_api_bearer_name", "Bearer")
             if header_name != "Bearer":
                 logger.warning(
-                    "The configuration for 'OIDC_API_BEARER_NAME' will cause issue with swagger UI :"
+                    "The configuration for 'oidc_api_bearer_name' will cause issue with swagger UI :"
                     "it is not yet possible to change the header name for swagger UI, you should stick to"
                     "'Bearer'."
                 )

django_pyoidc/engine.py

@@ -3,53 +3,50 @@
 
 from django_pyoidc import get_user_by_email
 from django_pyoidc.client import OIDCClient
-from django_pyoidc.utils import (
-    OIDCCacheBackendForDjango,
-    get_setting_for_sso_op,
-    import_object,
-)
+from django_pyoidc.settings import OIDCSettings
+from django_pyoidc.utils import OIDCCacheBackendForDjango, import_object
 
 logger = logging.getLogger(__name__)
 
 
 class OIDCEngine:
-    def __init__(self, op_name: str):
-        self.op_name = op_name
-        self.general_cache_backend = OIDCCacheBackendForDjango(self.op_name)
+    def __init__(self, opsettings: OIDCSettings):
+        self.opsettings = opsettings
+        self.general_cache_backend = OIDCCacheBackendForDjango(opsettings)
 
-    def call_function(self, setting_name, *args, **kwargs):
-        function_path = get_setting_for_sso_op(self.op_name, setting_name)
+    def call_function(self, setting_func_name, *args, **kwargs):
+        function_path = self.opsettings.get(setting_func_name)
         if function_path:
             func = import_object(function_path, "")
             return func(*args, **kwargs)
 
     def call_get_user_function(self, tokens={}):
-        if get_setting_for_sso_op(self.op_name, "HOOK_GET_USER"):
+        if self.opsettings.get("HOOK_GET_USER"):
             logger.debug("OIDC, Calling user hook on get_user")
             return self.call_function("HOOK_GET_USER", tokens)
         else:
             return get_user_by_email(tokens)
 
     def introspect_access_token(self, access_token_jwt: str, client: OIDCClient):
         """
-        Perform a cached intropesction call to extract claims from encoded jwt of the access_token
+        Perform a cached introspection call to extract claims from encoded jwt of the access_token
         """
         # FIXME: allow a non-cached mode by global settings
         access_token_claims = None
 
-        # FIXME: in what case could we not have an access token available?
+        # FIXME: in what case could we do not have an access token available?
         # should we raise an error then?
         if access_token_jwt is not None:
             cache_key = self.general_cache_backend.generate_hashed_cache_key(
                 access_token_jwt
             )
             try:
-                access_token_claims = self.general_cache_backend["cache_key"]
+                access_token_claims = self.general_cache_backend[cache_key]
             except KeyError:
                 # CACHE MISS
 
                 # RFC 7662: token introspection: ask SSO to validate and render the jwt as json
-                # this means a slow web call
+                # this means a slow http call
                 request_args = {
                     "token": access_token_jwt,
                     "token_type_hint": "access_token",

django_pyoidc/providers/__init__.py

@@ -4,3 +4,4 @@
 from .keycloak_18 import Keycloak18Provider  # noqa
 from .lemonldapng import LemonLDAPngProvider  # noqa
 from .lemonldapng2 import LemonLDAPng2Provider  # noqa
+from .provider import Provider  # noqa