REDMINE_ISSUE-14535 OpenIDConnect

docker/auth.py

+from django.contrib.auth.models import Group
+from django.db import transaction
+from mozilla_django_oidc import auth
+
+class OIDCAuthenticationBackend(auth.OIDCAuthenticationBackend):
+    def create_user(self, claims):
+        user = super(OIDCAuthenticationBackend, self).create_user(claims)
+
+        user.username = claims.get('email', '')
+        user.first_name = claims.get('given_name', '')
+        user.last_name = claims.get('family_name', '')
+        user.email = claims.get('email', '')
+
+        user.status = 2
+        #user.is_active = True
+        user.save()
+
+        self.update_groups(user, claims)
+
+        return user
+
+    def update_user(self, user, claims):
+        user.username = claims.get('email', '')
+        user.first_name = claims.get('given_name', '')
+        user.last_name = claims.get('family_name', '')
+        user.email = claims.get('email', '')
+        user.save()
+        self.update_groups(user, claims)
+
+        user.status = 2
+        #user.is_active = True
+        return user
+
+    def update_groups(self, user, claims):
+        """
+        Transform roles obtained from keycloak into Django Groups and
+        add them to the user. Note that any role not passed via keycloak
+        will be removed from the user.
+        """
+        with transaction.atomic():
+            user.groups.clear()
+            for role in claims.get('roles', []):
+                group, _ = Group.objects.get_or_create(name=role)
+                group.user_set.add(user)

docker/docker-entrypoint.d/01_install

@@ -39,6 +39,7 @@ else
     cp src/docker/settings.py config/settings.py
     cp src/docker/triggers.py config/triggers.py
     cp src/docker/urls.py config/urls.py
+    cp src/docker/auth.py config/auth.py
 
     # Wait for the postgres server
     echo "Waiting for database..."
@@ -58,7 +59,7 @@ else
     python manage.py migrate
 
     # Build static files
-    python manage.py collectstatic
+    python manage.py collectstatic --no-input
 
     # build i18n *.mo files
     python manage.py compilemessages --locale=fr

docker/settings.py

@@ -417,6 +417,10 @@ ONEGEOSUITE_INDEXER_ELASTIC_REPLICAS = config('INDEXER_ELASTIC_REPLICAS', defaul
 ONEGEOSUITE_INDEXER_ELASTIC_SHARDS = config('INDEXER_ELASTIC_SHARDS', default='1')
 ONEGEOSUITE_INDEXER_EXPORT_DIR = Path(MEDIA_ROOT) / config('INDEXER_EXPORT_DIR', default='indexer_exports')
 
+# Pour ique Django remplisse request.scheme avec https ou http
+
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 # onegeo-login:
 
 ONEGEOSUITE_LOGIN_SIGNUP_CONFIRMATION_PUBLIC_URL = ONEGEOSUITE_PUBLIC_BASE_URL + '/onegeo-login/validateregistration/'
@@ -432,4 +436,34 @@ ONEGEOSUITE_PUBLIC_PORTAL_DATASET_PATTERN_URL = config('PUBLIC_PORTAL_DATASET_PA
 # onegeo-rpoxy-mapstore2
 
 ONEGEOSUITE_MAPSTORE_UPSTREAM = 'https://dev.geofit.onegeo.fr/geoportal/'
-ONEGEOSUITE_MAPSTORE_AUTH_HEADER = 'auth_user'
+ONEGEOSUITE_MAPSTORE_AUTH_HEADER = 'auth_user'
\ No newline at end of file
+
+# OpenIDConnect
+
+ONEGEOSUITE_SSO = config('SSO', default=None)
+if ONEGEOSUITE_SSO == "OpenIDConnect":
+    INSTALLED_APPS += ['mozilla_django_oidc']
+    MIDDLEWARE.remove('onegeo_suite.contrib.onegeo_login.middleware.TermsRequired')
+    MIDDLEWARE += ['mozilla_django_oidc.middleware.SessionRefresh']
+    AUTHENTICATION_BACKENDS += ('config.auth.OIDCAuthenticationBackend',)
+
+    OIDC_RP_CLIENT_ID = config('OIDC_RP_CLIENT_ID')
+    OIDC_RP_CLIENT_SECRET = config('OIDC_RP_CLIENT_SECRET')
+
+    OIDC_OP_AUTHORIZATION_ENDPOINT = config('OIDC_OP_AUTHORIZATION_ENDPOINT', default="http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/auth")
+    OIDC_OP_TOKEN_ENDPOINT = config('OIDC_OP_TOKEN_ENDPOINT', default="http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/token")
+    OIDC_OP_USER_ENDPOINT = config('OIDC_OP_USER_ENDPOINT', default="http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/userinfo")
+    OIDC_OP_JWKS_ENDPOINT = config('OIDC_OP_JWKS_ENDPOINT', default="http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/certs")
+
+    OIDC_RP_SIGN_ALGO = config('OIDC_RP_SIGN_ALGO', default="RS256")
+
+    LOGIN_REDIRECT_URL = config('LOGIN_REDIRECT_URL', default="http://localhost:8000/admin")
+    LOGIN_URL = config('LOGIN_URL', default='oidc_authentication_init')
+    LOGOUT_URL = config('LOGOUT_URL', default='onegeo_login:signout')
+
+    if DEBUG:
+        LOGGING['loggers']['mozilla_django_oidc'] = {
+            'handlers': ['console'],
+            'level': 'DEBUG'
+        }
+

docker/urls.py

@@ -9,6 +9,8 @@ from six.moves.urllib.parse import urlencode
 from django.conf.urls import include
 from django.urls import path
 from django.conf.urls.i18n import i18n_patterns
+from django.conf import settings
+
 from drfreverseproxy.views import ProxyView
 from drfreverseproxy.utilites import encode_items
 
@@ -82,3 +84,8 @@ urlpatterns = [
     path('datapusher/', include('onegeo_suite.contrib.onegeo_datapusher.urls')),
     path('', include('onegeo_suite.urls')),
 )
+
+if settings.ONEGEOSUITE_SSO == 'OpenIDConnect':
+    urlpatterns += [
+        path('oidc/', include('mozilla_django_oidc.urls')),
+    ]

env

@@ -67,3 +67,18 @@ INDEXER_ELASTIC_SHARDS=
 INDEXER_EXPORT_DIR=
 
 C_FORCE_ROOT=1
+
+SSO=
+
+OIDC_RP_CLIENT_ID=
+OIDC_RP_CLIENT_SECRET=
+OIDC_OP_AUTHORIZATION_ENDPOINT=http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/userinfo
+OIDC_OP_JWKS_ENDPOINT=http://localhost:8080/realms/OnegeoSuite/protocol/openid-connect/certs
+
+OIDC_RP_SIGN_ALGO=RS256
+
+LOGIN_REDIRECT_URL=http://localhost:8000/admin
+LOGIN_URL=oidc_authentication_init
+LOGOUT_URL=onegeo_login:signout

requirements.txt

 # IMPORTANT: elasticsearch 7.14 ne marche pas avec un elasticsearch OSS
 elasticsearch==7.13.0
 -e git+https://github.com/neogeo-technologies/OWSLib.git@neogeo/0.25.0#egg=OWSLib
+
 -e git+https://docker-onegeo-suite:D7S9gajfakqgzRwsAxB4@git.neogeo.fr/onegeo-suite/apps/django-onegeo-suite.git@geofit#egg=django_onegeo_suite
 -e git+https://docker-onegeo-suite:D7S9gajfakqgzRwsAxB4@git.neogeo.fr/onegeo-suite/apps/django-onegeo-rproxy-mapstore2.git@1.0.0b0#egg=django_onegeo_rproxy_mapstore2
 -e git+https://github.com/danpoland/drf-reverse-proxy@master#egg=drf-reverse-proxy
 python-decouple
+mozilla-django-oidc==2.0.0