Commit 7e5901b6 authored by Nico Vermaas's avatar Nico Vermaas

Merge branch 'esap-gateway-query' into 'master'

Create a userprofile account for authenticated users if one does not yet exist

See merge request !61
parents afa62bc3 ad8064be
Pipeline #13140 passed with stages
in 12 minutes and 44 seconds
......@@ -5,6 +5,8 @@ from rest_framework import permissions
from .serializers import *
from ..models import *
from django.conf import settings
import base64
import json
logger = logging.getLogger(__name__)
......@@ -64,24 +66,19 @@ class EsapUserProfileViewSet(viewsets.ModelViewSet):
try:
try:
id_token = self.request.session["oidc_id_token"]
# a oidc_id_token has a header, payload and signature split by a '.'
token = id_token.split('.')
decoded_payload = base64.urlsafe_b64decode(token[1])
decoded_token = json.loads(decoded_payload.decode("UTF-8"))
except:
id_token = None
#uid = id_token["iss"]+id_token["sub"]
#preferred_username = id_token["preferred_username"]
#name = id_token["name"]
#access_token = self.request.session["oidc_access_token"]
# if settings.IS_DEV:
# try:
# user = auth.get_user(self.request)
# user_email = user.email
#
# except:
# # hardcode, because I don't get FAA to work in dev
# # 401 Client Error: Unauthorized for url: https://iam-escape.cloud.cnaf.infn.it/token
# user_email = "vermaas@astron.nl"
# else:
sub = decoded_token["sub"]
uid = decoded_token["iss"] + decoded_token["sub"]
name = decoded_token["name"]
user = auth.get_user(self.request)
user_email = user.email
......@@ -91,6 +88,3 @@ class EsapUserProfileViewSet(viewsets.ModelViewSet):
print('ERROR: '+str(e))
user_name = self.request.query_params.get("user_name", None)
return EsapUserProfile.objects.filter(user_name=user_name)
# def update(self, request, pk=None):
# self.update()
\ No newline at end of file
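Review bot: `base64.urlsafe_b64decode(token[1])` will raise `binascii.Error` for most ID tokens, because JWT segments are base64url without padding; pad before decoding, e.g. `segment = token[1] + '=' * (-len(token[1]) % 4)` followed by `decoded_payload = base64.urlsafe_b64decode(segment)`. The bare `except:` above then swallows that error and only sets `id_token = None`, so `decoded_token["sub"]` raises NameError, which the outer `try` catches and merely prints. From the visible lines the code then appears to fall through to `EsapUserProfile.objects.filter(user_name=user_name)` with `user_name` taken from the query string, so a decode failure degrades to returning whichever profile the client names; consider returning `EsapUserProfile.objects.none()` when the token cannot be decoded and narrowing the handler to `except (KeyError, ValueError, binascii.Error):`. The payload is read without checking the signature, which is only acceptable because the value comes from the server-side session where mozilla-django-oidc stored it after verification — a one-line comment stating that assumption would help the next reader. The enclosing method starts and ends outside the hunk.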
......@@ -77,7 +77,7 @@ class EsapUserProfile(models.Model):
on_delete=models.SET_NULL,
null=True,
verbose_name="Preferred Query Schema",
default="esap_default",
default=None,
)
software_repositories = models.ManyToManyField(
to=EsapSoftwareRepository, verbose_name="Software Repositories", blank=True
......
from mozilla_django_oidc.auth import OIDCAuthenticationBackend
from .models import EsapUserProfile
def update_userprofile(claims):
# check if a user already has a userprofile (by e-mail)
user_email = claims['email']
try:
user = EsapUserProfile.objects.get(user_email=user_email)
except:
# to get more claims than just email, the 'profile' scope must be enabled in settings
# OIDC_RP_SCOPES = "openid email profile"
#uid = claims['iss'] + claims['sub']
sub = claims['sub']
user_name = claims['preferred_username']
full_name= claims['name']
new_user = EsapUserProfile(user_name=user_name, full_name=full_name, user_email=user_email)
new_user.save()
class MyOIDCAB(OIDCAuthenticationBackend):
# https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#changing-how-django-users-are-created
# this is an example of overriding a part of the Authentication backend
def verify_claims(self, claims):
print('MyOIDCAB.verify_claims('+str(claims)+')')
update_userprofile(claims)
verified = super(MyOIDCAB, self).verify_claims(claims)
is_admin = 'admin' in claims.get('group', [])
return True
return verified
# return verified and is_admin
\ No newline at end of file
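Review bot: `verify_claims` returns `True` unconditionally on the line before `return verified`, so the result of `super(MyOIDCAB, self).verify_claims(claims)` — the check that the required claims are present — is never used; delete the `return True` line. `update_userprofile` runs before that check and indexes `claims['email']`, `claims['sub']`, `claims['preferred_username']` and `claims['name']` directly, so a token missing any of them produces a KeyError rather than a rejected login; call it only once `verified` is true, or read the optional claims with `claims.get(...)`. The bare `except:` around `EsapUserProfile.objects.get(user_email=user_email)` also catches `MultipleObjectsReturned` and then creates yet another profile for that e-mail; it should be `except EsapUserProfile.DoesNotExist:`. The `print` of the full claims dict writes identity data (e-mail, name) to stdout on every login; prefer `logger.debug` without the claim values, and `is_admin` is computed but never used.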
......@@ -221,6 +221,7 @@ OIDC_DRF_AUTH_BACKEND = 'mozilla_django_oidc.auth.OIDCAuthenticationBackend'
OIDC_RP_CLIENT_ID = os.environ['OIDC_RP_CLIENT_ID']
OIDC_RP_CLIENT_SECRET = os.environ['OIDC_RP_CLIENT_SECRET']
OIDC_RP_SCOPES = "openid email profile"
OIDC_RP_SIGN_ALGO = "RS256"
OIDC_OP_JWKS_ENDPOINT = os.environ['OIDC_OP_JWKS_ENDPOINT']
OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ['OIDC_OP_AUTHORIZATION_ENDPOINT']
......
......@@ -70,7 +70,7 @@
</div>
<p class="footer" small>ASTRON - version 20 may 2021 - 15:00</p>
<p class="footer" small>ASTRON - version 21 may 2021 - 10:00</p>
{% endblock %}