ljg.sh/ljg/core/auth.py

from django.conf import settings
from django.contrib.auth.models import Permission
from django.db import transaction
from django.db.models import CharField
from django.db.models import Value as V
from django.db.models.functions import Concat
from mozilla_django_oidc.auth import (
    OIDCAuthenticationBackend as BaseOIDCAuthenticationBackend,
)

from .models import OIDCUser


def get_permissions(claims):
    roles = claims.get("resource_access")
    if roles is None or settings.OIDC_RP_CLIENT_ID not in roles:
        return Permission.objects.none()

    return Permission.objects.annotate(
        fullname=Concat(
            "content_type__app_label", V("."), "codename", output_field=CharField()
        )
    ).filter(
        fullname__in=claims.get("resource_access")[settings.OIDC_RP_CLIENT_ID]["roles"]
    )


class OIDCAuthenticationBackend(BaseOIDCAuthenticationBackend):
    @transaction.atomic
    def create_user(self, claims):
        user = self.UserModel.objects.create_user(
            claims.get("preferred_username"), claims.get("email")
        )
        user.first_name = claims.get("given_name", "")
        user.last_name = claims.get("family_name", "")
        user.user_permissions.set(get_permissions(claims))
        user.save()

        OIDCUser.objects.create(uuid=claims.get("sub"), user=user)

        return user

    def update_user(self, user, claims):
        user.email = claims.get("email") or user.email
        user.user_permissions.set(get_permissions(claims))
        user.save()

        return user

    def filter_users_by_claims(self, claims):
        uuid = claims.get("sub")
        if not uuid:
            return self.UserModel.objects.none()

        try:
            oidc_user = OIDCUser.objects.get(uuid=uuid)
            return [oidc_user.user]
        except OIDCUser.DoesNotExist:
            return self.UserModel.objects.none()

    def verify_claims(self, claims):
        roles = claims.get("resource_access")
        return roles is not None and settings.OIDC_RP_CLIENT_ID in roles
Prepare authentication via OIDC 2023-08-10 21:41:11 +02:00			`from django.conf import settings`
			`from django.contrib.auth.models import Permission`
			`from django.db import transaction`
Implement redirects 2023-10-16 21:42:51 +02:00			`from django.db.models import CharField`
			`from django.db.models import Value as V`
			`from django.db.models.functions import Concat`
Reformat code 2023-10-11 16:15:15 +02:00			`from mozilla_django_oidc.auth import (`
			`OIDCAuthenticationBackend as BaseOIDCAuthenticationBackend,`
			`)`
Prepare authentication via OIDC 2023-08-10 21:41:11 +02:00
			`from .models import OIDCUser`


			`def get_permissions(claims):`
Fix OIDC authentication 2023-10-11 17:48:04 +02:00			`roles = claims.get("resource_access")`
			`if roles is None or settings.OIDC_RP_CLIENT_ID not in roles:`
			`return Permission.objects.none()`

Implement redirects 2023-10-16 21:42:51 +02:00			`return Permission.objects.annotate(`
			`fullname=Concat(`
			`"content_type__app_label", V("."), "codename", output_field=CharField()`
			`)`
			`).filter(`
			`fullname__in=claims.get("resource_access")[settings.OIDC_RP_CLIENT_ID]["roles"]`
Prepare authentication via OIDC 2023-08-10 21:41:11 +02:00			`)`


			`class OIDCAuthenticationBackend(BaseOIDCAuthenticationBackend):`
			`@transaction.atomic`
			`def create_user(self, claims):`
			`user = self.UserModel.objects.create_user(`
			`claims.get("preferred_username"), claims.get("email")`
			`)`
Fix OIDC authentication 2023-10-11 17:48:04 +02:00			`user.first_name = claims.get("given_name", "")`
			`user.last_name = claims.get("family_name", "")`
Prepare authentication via OIDC 2023-08-10 21:41:11 +02:00			`user.user_permissions.set(get_permissions(claims))`
			`user.save()`

			`OIDCUser.objects.create(uuid=claims.get("sub"), user=user)`

			`return user`

			`def update_user(self, user, claims):`
Fix OIDC authentication 2023-10-11 17:48:04 +02:00			`user.email = claims.get("email") or user.email`
Prepare authentication via OIDC 2023-08-10 21:41:11 +02:00			`user.user_permissions.set(get_permissions(claims))`
			`user.save()`

			`return user`

			`def filter_users_by_claims(self, claims):`
			`uuid = claims.get("sub")`
			`if not uuid:`
			`return self.UserModel.objects.none()`

			`try:`
Fix OIDC authentication 2023-10-11 17:48:04 +02:00			`oidc_user = OIDCUser.objects.get(uuid=uuid)`
Prepare authentication via OIDC 2023-08-10 21:41:11 +02:00			`return [oidc_user.user]`
			`except OIDCUser.DoesNotExist:`
			`return self.UserModel.objects.none()`

			`def verify_claims(self, claims):`
Fix OIDC authentication 2023-10-11 17:48:04 +02:00			`roles = claims.get("resource_access")`
			`return roles is not None and settings.OIDC_RP_CLIENT_ID in roles`