Oauth2 to OIDC

apps/api/urls.py

@@ -3,9 +3,5 @@
 from django.conf.urls import url
 
 from apps.shop import views as shop_views
-from apps.sso import views as sso_views
 
-urlpatterns = [
-    url(r"^v1/rfid/$", shop_views.SetRFIDView.as_view(), name="set_rfid"),
-    url(r"^v1/auth/$", sso_views.TokenView.as_view(), name="oauth2_provider_token"),
-]
+urlpatterns = [url(r"^v1/rfid/$", shop_views.SetRFIDView.as_view(), name="set_rfid")]

apps/authentication/migrations/0002_auto_20150304_2211.py

@@ -7,10 +7,7 @@
 
 class Migration(migrations.Migration):
 
-    dependencies = [
-        ("sso", "0002_auto_20171127_1304"),
-        ("authentication", "0001_initial"),
-    ]
+    dependencies = [("authentication", "0001_initial")]
 
     operations = [
         migrations.AlterField(

apps/dashboard/urls.py

@@ -4,4 +4,6 @@
 
 from apps.dashboard import views
 
-urlpatterns = [url(r"^$", views.index, name="dashboard_index")]
+app_name = "dashboard"
+
+urlpatterns = [url(r"^$", views.index, name="index")]

apps/online_oidc_provider/authentication.py

@@ -1,6 +1,9 @@
+from django.core.exceptions import ImproperlyConfigured
 from oidc_provider.lib.utils.oauth2 import extract_access_token
 from oidc_provider.models import Token
 from rest_framework import authentication, exceptions
+from rest_framework.exceptions import PermissionDenied
+from rest_framework.permissions import BasePermission
 
 
 class OidcOauth2Auth(authentication.BaseAuthentication):
@@ -20,3 +23,56 @@ def authenticate(self, request):
             raise exceptions.AuthenticationFailed("The oauth2 token has expired")
 
         return oauth2_token.user, None
+
+
+class TokenHasScope(BasePermission):
+    """
+    The request is authenticated and the token used has the right scope
+    """
+
+    def has_permission(self, request, view):
+
+        try:
+            token = Token.objects.get(
+                access_token=extract_access_token(request)
+            )  # The Token object retrieved from access_token
+
+            if token.has_expired():
+                self.message = {
+                    "detail": PermissionDenied.default_detail,
+                    "error": "Token has expired",
+                }
+                return False
+
+        except Token.DoesNotExist:
+            self.message = {
+                "detail": PermissionDenied.default_detail,
+                "error": "No token provided or token does not exist",
+            }
+
+            return False
+
+        if hasattr(token, "scope"):
+            required_scopes = self.get_scopes(request, view)
+
+            if set(required_scopes).issubset(set(token.scope)):
+                return True
+
+            # Provide information about required scope
+            self.message = {
+                "detail": PermissionDenied.default_detail,
+                "error": "Permission denied, required_scopes: "
+                + str(list(required_scopes)),
+            }
+
+            return False
+
+        return False
+
+    def get_scopes(self, request, view):
+        try:
+            return getattr(view, "required_scopes")
+        except AttributeError:
+            raise ImproperlyConfigured(
+                "TokenHasScope requires the view to define the required_scopes attribute"
+            )

apps/online_oidc_provider/claims.py

@@ -1,7 +1,7 @@
 from django.utils.translation import ugettext as _
 from oidc_provider.lib.claims import ScopeClaims
 
-from apps.sso.userinfo import Onlineweb4Userinfo
+from apps.online_oidc_provider.userinfo import Onlineweb4Userinfo
 
 
 def userinfo(claims, user):
@@ -33,7 +33,7 @@ def userinfo(claims, user):
 class Onlineweb4ScopeClaims(ScopeClaims):
 
     info_onlineweb4 = (
-        _("Onlineweb4"),
+        "Onlineweb4",
         _(
             "Informasjon om brukerprofilen din på online.ntnu.no, "
             "medlemskapet ditt i Online og din studieretning."
@@ -42,3 +42,8 @@ class Onlineweb4ScopeClaims(ScopeClaims):
 
     def scope_onlineweb4(self):
         return Onlineweb4Userinfo(self.user).oidc()
+
+    info_nibble = ("Nibble", _("Informasjon om dine kjøp og saldo på Nibble"))
+
+    def scope_nibble(self):
+        return {"test": "this data was returned"}

apps/shop/tests.py

@@ -5,7 +5,6 @@
 
 from apps.authentication.models import Email, OnlineUser
 from apps.inventory.models import Item
-from apps.oauth2_provider.test import OAuth2TestCase
 from apps.shop.models import MagicToken
 
 
@@ -34,8 +33,8 @@ def test_item_detail(self):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
 
-class ShopSetRFIDTestCase(OAuth2TestCase):
-    scopes = ["shop.readwrite", "read", "write"]
+class ShopSetRFIDTestCase:
+    scopes = ["nibble"]
 
     def setUp(self):
         super().setUp()

apps/shop/views.py

@@ -8,7 +8,6 @@
 from django.urls import reverse, reverse_lazy
 from django.utils.decorators import method_decorator
 from django.views.generic import FormView
-from oauth2_provider.contrib.rest_framework import OAuth2Authentication, TokenHasScope
 from rest_framework import mixins, status, viewsets
 from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.response import Response
@@ -17,6 +16,7 @@
 from apps.authentication.models import Email
 from apps.authentication.models import OnlineUser as User
 from apps.inventory.models import Item
+from apps.online_oidc_provider.authentication import OidcOauth2Auth, TokenHasScope
 from apps.payment.models import PaymentTransaction
 from apps.shop.forms import SetRFIDForm
 from apps.shop.models import MagicToken, OrderLine
@@ -33,9 +33,9 @@
 class OrderLineViewSet(viewsets.GenericViewSet, mixins.CreateModelMixin):
     queryset = OrderLine.objects.all()
     serializer_class = OrderLineSerializer
-    authentication_classes = [OAuth2Authentication]
+    authentication_classes = [OidcOauth2Auth]
     permission_classes = [TokenHasScope]
-    required_scopes = ["shop.readwrite"]
+    required_scopes = ["nibble"]
 
     def create(self, request):
         serializer = OrderLineSerializer(data=request.data)
@@ -51,9 +51,9 @@ def perform_create(self, serializer):
 class TransactionViewSet(viewsets.GenericViewSet, mixins.CreateModelMixin):
     queryset = PaymentTransaction.objects.all()
     serializer_class = TransactionSerializer
-    authentication_classes = [OAuth2Authentication]
+    authentication_classes = [OidcOauth2Auth]
     permission_classes = [TokenHasScope]
-    required_scopes = ["shop.readwrite"]
+    required_scopes = ["nibble"]
 
     def create(self, request):
         serializer = TransactionSerializer(data=request.data)
@@ -80,9 +80,9 @@ class UserViewSet(
 ):
     queryset = User.objects.all()
     serializer_class = UserSerializer
-    authentication_classes = [OAuth2Authentication]
+    authentication_classes = [OidcOauth2Auth]
     permission_classes = [TokenHasScope]
-    required_scopes = ["shop.readwrite"]
+    required_scopes = ["nibble"]
     filterset_fields = ("rfid",)
 
 
@@ -96,9 +96,9 @@ class InventoryViewSet(
 
 
 class SetRFIDView(APIView):
-    authentication_classes = [OAuth2Authentication]
+    authentication_classes = [OidcOauth2Auth]
     permission_classes = [TokenHasScope]
-    required_scopes = ["shop.readwrite"]
+    required_scopes = ["nibble"]
 
     def post(self, request):
         username = request.data.get("username", "").lower()