Merge branch 'openid-connect' into 'main'

Openid connect See merge request bde/nk20!293
Typesetting
2025-06-21 09:58:23 +02:00 · 2025-03-10 15:22:42 +01:00 · 2025-03-08 16:08:40 +01:00 · 2025-03-08 16:04:25 +01:00
4 changed files with 51 additions and 135 deletions
--- a/README.md
+++ b/README.md
@ -58,7 +58,13 @@ Bien que cela permette de créer une instance sur toutes les distributions,
    (env)$ ./manage.py createsuperuser  # Création d'un⋅e utilisateur⋅rice initial
    ```

-6.  Enjoy :
+6. (Optionnel) **Création d'une clé privée OpenID Connect**
+
+Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
+
+7.  Enjoy :

    ```bash
    (env)$ ./manage.py runserver 0.0.0.0:8000
@ -228,6 +234,12 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
        (env)$ ./manage.py check # pas de bêtise qui traine
        (env)$ ./manage.py migrate

+7. **Création d'une clé privée OpenID Connect**
+
+Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
+
 7.  *Enjoy \o/*

 ### Installation avec Docker
--- a/apps/permission/fixtures/initial.json
+++ b/apps/permission/fixtures/initial.json
@ -324,7 +324,7 @@
            "mask": 2,
            "field": "",
            "permanent": false,
-            "description": "Créer une transaction de ou vers la note d'un club tant que la source reste au dessus de -20 €"
+            "description": "Créer une transaction de ou vers la note d'un club"
        }
    },
    {
@ -3815,7 +3815,7 @@
            "mask": 2,
            "field": "",
            "permanent": false,
-            "description": "Créer une transaction vers la note d'un club tant que la source reste au dessus de -20 €"
+            "description": "Créer une transaction vers la note d'un club"
        }
    },
    {
@ -4186,86 +4186,6 @@
            "description": "Voir la note d'un club enfant"
        }
    },
-    {
-        "model": "permission.permission",
-        "pk": 266,
-        "fields": {
-            "model": [
-                "note",
-                "transaction"
-            ],
-            "query": "[\"OR\", {\"source_alias\": \"Carte bancaire\"}, {\"source_alias\": \"Espèces\"}, {\"source_alias\": \"Chèque\"}, {\"source_alias\": \"Virement bancaire\"}]",
-            "type": "view",
-            "mask": 2,
-            "field": "",
-            "permanent": false,
-            "description": "Voir les transactions de rechargement"
-        }
-    },
-    {
-        "model": "permission.permission",
-        "pk": 267,
-        "fields": {
-            "model": [
-                "note",
-                "transaction"
-            ],
-            "query": "[\"OR\", {\"source_alias\": \"Carte bancaire\"}, {\"source_alias\": \"Espèces\"}, {\"source_alias\": \"Chèque\"}, {\"source_alias\": \"Virement bancaire\"}]",
-            "type": "change",
-            "mask": 2,
-            "field": "valid",
-            "permanent": false,
-            "description": "Mettre à jour le statut de validation d'une transaction de rechargement"
-        }
-    },
-    {
-        "model": "permission.permission",
-        "pk": 268,
-        "fields": {
-            "model": [
-                "note",
-                "transaction"
-            ],
-            "query": "[\"OR\", {\"source_alias\": \"Carte bancaire\"}, {\"source_alias\": \"Espèces\"}, {\"source_alias\": \"Chèque\"}, {\"source_alias\": \"Virement bancaire\"}]",
-            "type": "change",
-            "mask": 2,
-            "field": "invalidity_reason",
-            "permanent": false,
-            "description": "Modifier la raison d'invalidité d'une transaction de rechargement"
-        }
-    },
-    {
-        "model": "permission.permission",
-        "pk": 269,
-        "fields": {
-            "model": [
-                "note",
-                "transaction"
-            ],
-            "query": "[\"OR\", {\"source_alias\": \"Carte bancaire\"}, {\"source_alias\": \"Espèces\"}, {\"source_alias\": \"Chèque\"}, {\"source_alias\": \"Virement bancaire\"}]",
-            "type": "add",
-            "mask": 2,
-            "field": "",
-            "permanent": false,
-            "description": "Créer une transaction de rechargement"
-        }
-    },
-    {
-        "model": "permission.permission",
-        "pk": 270,
-        "fields": {
-            "model": [
-                "note",
-                "transaction"
-            ],
-            "query": "[\"AND\", [\"OR\", {\"source\": [\"club\", \"note\"]}, {\"destination\": [\"club\", \"note\"]}], [\"OR\", {\"source__balance__gte\": {\"F\": [\"SUB\", [\"MUL\", [\"F\", \"amount\"], [\"F\", \"quantity\"]], 5000]}}, {\"valid\": false}]]",
-            "type": "add",
-            "mask": 2,
-            "field": "",
-            "permanent": false,
-            "description": "Créer une transaction de ou vers la note d'un club tant que la source reste au dessus de -50 €"
-        }
-    },
    {
        "model": "permission.role",
        "pk": 1,
--- a/note_kfet/settings/base.py
+++ b/note_kfet/settings/base.py
@ -268,6 +268,10 @@ OAUTH2_PROVIDER = {
    'OAUTH2_VALIDATOR_CLASS': "permission.scopes.PermissionOAuth2Validator",
    'REFRESH_TOKEN_EXPIRE_SECONDS': timedelta(days=14),
    'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
+    'OIDC_ENABLED': True,
+    'OIDC_RSA_PRIVATE_KEY':
+        os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'),
+    'SCOPES': { 'openid': "OpenID Connect scope" },
 }

 # Take control on how widget templates are sourced
--- a/note_kfet/static/css/custom.css
+++ b/note_kfet/static/css/custom.css
@ -61,11 +61,6 @@ mark {
 /* Make navbar more readable */
 .navbar-dark .navbar-nav .nav-link {
    color: rgba(255, 255, 255, .75);
-    text-shadow: 2px 2px 15px #ffeb40;
-}
-
-.navbar-brand {
-    text-shadow: 2px 2px 15px #ffeb40;
 }

 /* Last BDE colors */
@ -73,8 +68,7 @@ mark {
 /*    background-color: rgb(18, 67, 4) !important; */
 /* MODE VIEUXCON=ON */
 /*    background-color: rgb(166, 0, 2) !important; */
-    background-color: rgb(0, 0, 0);
-    background-image: url('/static/wrapped/img/1/bg.png');
+    background-color: rgb(100, 30, 100) !important;
 }

 html {
@ -89,95 +83,81 @@ body {
 .btn-outline-primary:hover,
 .btn-outline-primary:not(:disabled):not(.disabled).active,
 .btn-outline-primary:not(:disabled):not(.disabled):active {
-    color:  rgb(0, 0, 0);
-    background-color: rgb(255, 0, 101);
-    border-color: rgb(255, 203, 32);
+   color:  rgb(240, 200, 240);
+    background-color: rgb(30, 120, 150);
+    border-color: rgb(190, 150, 190);
 }

 .btn-outline-primary {
-    color: #000;
-    background-color: #ffcb20;
-    border-color: #000;
+    color: #a2a;
+    background-color: #6bc;
+    border-color: #719;
 }

 .turbolinks-progress-bar {
-    background-color: #ffffff;
+    background-color: #12342E;
 }

 .btn-primary:hover,
 .btn-primary:not(:disabled):not(.disabled).active,
 .btn-primary:not(:disabled):not(.disabled):active {
-    color:  rgb(0, 0, 0);
-    background-color: rgb(255, 0, 101);
-    border-color: rgb(255, 203, 32);
+    color:  rgb(150, 200, 240);
+    background-color: rgb(50, 100, 140);
+    border-color: rgb(0, 0, 0);
 }

 .btn-primary {
-    color:  #ffcb20; 
-    background-color: #000000;
-    border-color: #ffcd20;
+    color:  #eae; 
+    background-color: #616;
+    border-color: #000000;
 }

 .border-primary {
-    border-color: rgb(255, 255, 255) !important; 
+    border-color: rgb(222, 180, 222) !important; 
 }

 .btn-secondary {
-    color:  #ff0065;
-    background-color: #000000;
-    border-color: #ff0065;
+    color:  #eae;
+    background-color: #616;
+    border-color: #000000;
 }

 .btn-secondary:hover,
 .btn-secondary:not(:disabled):not(.disabled).active,
 .btn-secondary:not(:disabled):not(.disabled):active {
-    color:  rgb(0, 0, 0);
-    background-color: rgb(255, 203, 32);
-    border-color: rgb(255, 0, 101);
+    color:  rgb(150, 200, 240);
+    background-color: rgb(50, 100, 140);
+    border-color: rgb(0, 0, 0);
 }

-.btn-outline-dark:nth-child(even) {
-    color: rgba(255, 203, 32, 75%);
-}
-
-.btn-outline-dark:nth-child(odd) {
-    color: rgba(255, 0, 101, 75%);
-}

 .btn-outline-dark {
-    background-color: #222;
-    border-color: #61605b;
+    color: #000000;
+    border-color: #000000;
 }

-.btn-outline-dark:hover:nth-child(even),
+.btn-outline-dark:hover,
 .btn-outline-dark:not(:disabled):not(.disabled).active,
 .btn-outline-dark:not(:disabled):not(.disabled):active {
-    color:  rgb(0, 0, 0);
-    background-color: rgb(255, 203, 32);
-    border-color: rgb(255, 0, 101);
+    color:  rgb(50, 100, 160);
+    background-color: rgb(240, 150, 240);
+    border-color: rgb(50, 100, 160);
 }

-.btn-outline-dark:hover:nth-child(odd),
-.btn-outline-dark:not(:disabled):not(.disabled).active,
-.btn-outline-dark:not(:disabled):not(.disabled):active {
-    color: rgb(0, 0, 0);
-    background-color: rgb(255, 203, 32);
-    border-color: rgb(255, 0, 101);
-}

 a {
-    color: rgb(255, 0, 101);
+    color: rgb(0, 150, 150);
 }

 a:hover {
-    color: rgb(255, 203, 32);
+    color: rgb(200, 0, 200);
 }

 .form-control:focus {
-    box-shadow: 0 0 0 0.25rem rgb(255 0 101 / 50%);
-    border-color: rgb(255, 0, 101);
+    box-shadow: 0 0 0 0.25rem rgb(0 150 150 / 50%);
+    border-color: rgb(0, 200, 200);
 }

 .btn-outline-primary.focus {
-  box-shadow: 0 0 0 0.25rem rgb(255 203 32 / 22%);
+  box-shadow: 0 0 0 0.25rem rgb(0 150 150 / 22%);
 }
Author	SHA1	Message	Date
bleizi	95a7ca2150	Merge branch 'openid-connect' into 'main' Openid connect See merge request bde/nk20!293	2025-03-10 15:22:42 +01:00
Nicolas Margulies	6c63c6417c	Typesetting	2025-03-08 16:08:40 +01:00
Nicolas Margulies	4563b2b640	Added configusation for OpenID support, along with installation information	2025-03-08 16:04:25 +01:00