Add test for oauth2 flow, add temporary ROPB for NoteApp #137

Small features

See merge request bde/nk20!355

apps/activity/views.py

@@ -152,11 +152,9 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMix
     def get_tables_data(self):
         return [
             Guest.objects.filter(activity=self.object)
-                         .filter(PermissionBackend.filter_queryset(self.request, Guest, "view"))
-                         .distinct(),
+                         .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")),
             self.object.opener.filter(activity=self.object)
-                              .filter(PermissionBackend.filter_queryset(self.request, Opener, "view"))
-                              .distinct(),
+                              .filter(PermissionBackend.filter_queryset(self.request, Opener, "view")),
         ]
 
     def render_to_response(self, context, **response_kwargs):
@@ -311,7 +309,7 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
     @transaction.atomic
     def form_valid(self, form):
         form.instance.activity = Activity.objects\
-            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().get(pk=self.kwargs["pk"])
+            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).get(pk=self.kwargs["pk"])
         return super().form_valid(form)
 
     def get_success_url(self, **kwargs):

apps/permission/backends.py

@@ -26,7 +26,7 @@ class PermissionBackend(ModelBackend):
 
     @staticmethod
     @memoize
-    def get_raw_permissions(request, t):
+    def get_raw_permissions(request, t):  # noqa: C901
         """
         Query permissions of a certain type for a user, then memoize it.
         :param request: The current request
@@ -39,7 +39,15 @@ class PermissionBackend(ModelBackend):
 
             def permission_filter(membership_obj):
                 query = Q(pk=-1)
+                if 'mask' in request.GET:
+                    try:
+                        rank = int(request.GET['mask'])
+                    except ValueError:
+                        rank = 42
+                    query &= Q(mask__rank__lte=rank)
                 for scope in request.auth.scope.split(' '):
+                    if scope == "openid":
+                        continue
                     permission_id, club_id = scope.split('_')
                     if int(club_id) == membership_obj.club_id:
                         query |= Q(pk=permission_id)

apps/permission/fixtures/initial.json

@@ -927,7 +927,7 @@
                 "note",
                 "transactiontemplate"
             ],
-            "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]",
+            "query": "{\"destination\": [\"club\", \"note\"]}",
             "type": "view",
             "mask": 2,
             "field": "",
@@ -943,7 +943,7 @@
                 "note",
                 "transactiontemplate"
             ],
-            "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]", 
+            "query": "{\"destination\": [\"club\", \"note\"]}",
             "type": "add",
             "mask": 3,
             "field": "",
@@ -959,7 +959,7 @@
                 "note",
                 "transactiontemplate"
             ],
-            "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]",
+            "query": "{\"destination\": [\"club\", \"note\"]}",
             "type": "change",
             "mask": 3,
             "field": "",
@@ -3486,22 +3486,6 @@
 	    "description": "Voir la bouffe servie"
 	}
     },
-    {
-        "model": "permission.permission",
-        "pk": 223,
-        "fields": {
-            "model": [
-                "note",
-                "templatecategory"
-            ],
-            "query": "{\"name\": \"Clubs\"}",
-            "type": "view",
-            "mask": 2,
-            "field": "",
-            "permanent": false,
-            "description": "Voir la catégorie de bouton Clubs"
-        }
-    },
     {
         "model": "permission.permission",
         "pk": 239,
@@ -4912,6 +4896,7 @@
                 19,
                 20,
                 21,
+                27,
                 59,
                 60,
                 61,
@@ -4922,7 +4907,6 @@
                 182,
                 184,
                 185,
-                223,
                 239,
                 240,
                 241
@@ -5287,12 +5271,6 @@
                 176,
                 177,
                 197,
-                211,
-                212,
-                213,
-                214,
-                215,
-                216,
                 311,
                 319
             ]

apps/permission/scopes.py

@@ -10,6 +10,8 @@ from note_kfet.middlewares import get_current_request
 from .backends import PermissionBackend
 from .models import Permission
 
+from django.utils.translation import gettext_lazy as _
+
 
 class PermissionScopes(BaseScopes):
     """
@@ -32,7 +34,7 @@ class PermissionScopes(BaseScopes):
 
         scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
                   for p in Permission.objects.all() for club in Club.objects.all()}
-        scopes['openid'] = "OpenID Connect"
+        scopes['openid'] = _("OpenID Connect (username and email)")
         return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
@@ -82,8 +84,12 @@ class PermissionOAuth2Validator(OAuth2Validator):
 
         valid_scopes = set()
 
+        # simple patch for have functionnal ROPB flow
+        # TODO rewrite
+        r = get_current_request()
+        r.user = request.user
         for t in Permission.PERMISSION_TYPES:
-            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
+            for p in PermissionBackend.get_raw_permissions(r, t[0]):
                 scope = f"{p.id}_{p.membership.club.id}"
                 if scope in scopes:
                     valid_scopes.add(scope)

apps/permission/tests/test_oauth2_access.py

@@ -21,6 +21,7 @@ class OAuth2TestCase(TestCase):
     def setUp(self):
         self.user = User.objects.create(
             username="toto",
+            password="toto1234",
         )
         self.application = Application.objects.create(
             name="Test",
@@ -92,3 +93,39 @@ class OAuth2TestCase(TestCase):
         self.assertEqual(resp.status_code, 200)
         self.assertIn(self.application, resp.context['scopes'])
         self.assertIn('1_1', resp.context['scopes'][self.application])  # Now the user has this permission
+
+    def test_oidc(self):
+        """
+        Ensure OIDC work
+        """
+        # Create access token that has access to our own user detail
+        token = AccessToken.objects.create(
+            user=self.user,
+            application=self.application,
+            scope="openid",
+            token=get_random_string(64),
+            expires=timezone.now() + timedelta(days=365),
+        )
+
+        # No access without token
+        resp = self.client.get('/o/userinfo/')  # userinfo endpoint
+        self.assertEqual(resp.status_code, 401)
+
+        # Valid token
+        resp = self.client.get('/o/userinfo/', **{'Authorization': f'Bearer {token.token}'})
+        self.assertEqual(resp.status_code, 200)
+
+        # Create membership to test api
+        NoteUser.objects.create(user=self.user)
+        membership = Membership.objects.create(user=self.user, club_id=1)
+        membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
+        membership.save()
+
+        # Token can always be use to see yourself
+        resp = self.client.get('/api/me/',
+                               **{'Authorization': f'Bearer {token.token}'})
+
+        # Token is not granted to see other api
+        resp = self.client.get(f'/api/user/{self.user.pk}/',
+                               **{'Authorization': f'Bearer {token.token}'})
+        self.assertEqual(resp.status_code, 404)

apps/permission/tests/test_oauth2_flow.py

@@ -0,0 +1,115 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import base64
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+from member.models import Membership, Club
+from note.models import NoteUser
+from oauth2_provider.models import Application
+
+from ..models import Role, Permission
+
+
+class OAuth2TestCase(TestCase):
+    fixtures = ('initial', )
+
+    def setUp(self):
+        self.user = User.objects.create(
+            username="toto",
+            password="toto1234",
+        )
+
+        NoteUser.objects.create(user=self.user)
+        membership = Membership.objects.create(user=self.user, club_id=1)
+        membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
+        membership.save()
+
+        bde = Club.objects.get(name="BDE")
+        view_user_perm = Permission.objects.get(pk=1)  # View own user detail
+
+        self.base_scope = f'{view_user_perm.pk}_{bde.pk}'
+
+    def test_oauth2_authorization_code_flow(self):
+        """
+        Ensure OAuth2 Authorization Code Flow work
+        """
+        pass
+
+    def test_oauth2_implicit_flow(self):
+        """
+        Ensure OAuth2 Implicit Flow work
+        """
+        pass
+
+    def test_oauth2_resource_owner_password_credentials_flow(self):
+        """
+        Ensure OAuth2 Resource Owner Password Credentials Flow work
+        """
+        pass
+
+    def test_oauth2_client_credentials(self):
+        """
+        Ensure OAuth2 Client Credentials work
+        """
+        app = Application.objects.create(
+            name="Test credentials",
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_CLIENT_CREDENTIALS,
+            user=self.user,
+            hash_client_secret=False,
+            algorithm=Application.NO_ALGORITHM,
+        )
+
+        # No token without credential
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "client_credentials"},
+                                **{"Content-Type": 'application/x-www-form-urlencoded'}
+                                )
+
+        self.assertEqual(resp.status_code, 401)
+
+        # Access with credential
+        credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()
+
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "client_credentials"},
+                                **{'HTTP_Authorization': f'Basic {credential}',
+                                   "Content-Type": 'application/x-www-form-urlencoded'}
+                                )
+
+        self.assertEqual(resp.status_code, 200)
+
+        token = resp.json()['access_token']
+
+        # Token is valid but has no right
+        resp = self.client.get('/api/user/{self.user.pk}',
+                               **{'Authorization': f'Bearer {token}'}
+                               )
+
+        self.assertEqual(resp.status_code, 403)
+
+        # RFC6749 4.4.2 allows use of scope in client credential flow
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "client_credentials",
+                                      "scope": self.base_scope},
+                                **{'http_Authorization': f'Basic {credential}',
+                                   "Content-Type": 'application/x-www-form-urlencoded'}
+                                )
+
+        self.assertEqual(resp.status_code, 200)
+
+        token = resp.json()['access_token']
+
+        # Now app can see his creator
+        resp = self.client.post(f'/api/user/{self.user.pk}/',
+                                **{'Authorization': f'Bearer {token}'})
+
+        self.assertEqual(resp.status_code, 200)
+
+    def test_oidc_flow(self):
+        """
+        Ensure OIDC Flow work
+        """
+        pass

apps/treasury/models.py

@@ -338,13 +338,13 @@ class SogeCredit(models.Model):
                 last_name=self.user.last_name,
                 first_name=self.user.first_name,
                 bank="Société générale",
-                valid=True,
+                valid=False,
             )
             credit_transaction._force_save = True
             credit_transaction.save()
             credit_transaction.refresh_from_db()
             self.credit_transaction = credit_transaction
-        elif not self.valid:
+        elif not self.valid_legacy:
             self.credit_transaction.amount = self.amount
             self.credit_transaction._force_save = True
             self.credit_transaction.save()
@@ -371,7 +371,7 @@ class SogeCredit(models.Model):
         The Sogé credit may be created after the user already paid its memberships.
         We query transactions and update the credit, if it is unvalid.
         """
-        if self.valid or not self.pk:
+        if self.valid_legacy or not self.pk:
             return
 
 # Soge do not pay BDE and kfet memberships since 2022
@@ -403,7 +403,7 @@ class SogeCredit(models.Model):
                         self.transactions.add(m.transaction)
 
         for tr in self.transactions.all():
-            tr.valid = True
+            tr.valid = False
             tr.save()
 
     def invalidate(self):
@@ -411,7 +411,7 @@ class SogeCredit(models.Model):
         Invalidating a Société générale delete the transaction of the bank if it was already created.
         Treasurers must know what they do, With Great Power Comes Great Responsibility...
         """
-        if self.valid:
+        if self.valid_legacy:
             self.credit_transaction.valid = False
             self.credit_transaction.save()
         for tr in self.transactions.all():
@@ -420,7 +420,7 @@ class SogeCredit(models.Model):
             tr.save()
 
     def validate(self, force=False):
-        if self.valid and not force:
+        if self.valid_legacy and not force:
             # The credit is already done
             return
 
@@ -428,7 +428,6 @@ class SogeCredit(models.Model):
         self.invalidate()
         # Refresh credit amount
         self.save()
-        self.valid = True
         self.credit_transaction.valid = True
         self.credit_transaction._force_save = True
         self.credit_transaction.save()

apps/treasury/tables.py

@@ -56,7 +56,6 @@ class InvoiceTable(tables.Table):
         model = Invoice
         template_name = 'django_tables2/bootstrap4.html'
         fields = ('id', 'name', 'object', 'acquitted', 'invoice',)
-        order_by = ('-id',)
 
 
 class RemittanceTable(tables.Table):

apps/treasury/templates/treasury/invoice_sample.tex

@@ -108,7 +108,7 @@
 
 \renewcommand{\headrulewidth}{0pt}
 \cfoot{
-    \small{\MonNom  ~--~ \MonAdresseRue ~ \MonAdresseVille ~--~ Téléphone : +33(0)6 83 55 03 18 \newline
+    \small{\MonNom  ~--~ \MonAdresseRue ~ \MonAdresseVille ~--~ Téléphone : +33(0)7 78 17 22 34\newline
      E-mail : tresorerie.bde@lists.crans.org ~--~ Numéro SIRET : 399 485 838 00029
     }
 }

apps/treasury/tests/test_treasury.py

@@ -359,7 +359,7 @@ class TestSogeCredits(TestCase):
         ))
         self.assertRedirects(response, reverse("treasury:manage_soge_credit", args=(soge_credit.pk,)), 302, 200)
         soge_credit.refresh_from_db()
-        self.assertTrue(soge_credit.valid)
+        self.assertTrue(soge_credit.valid_legacy)
         self.user.note.refresh_from_db()
         self.assertEqual(
             Transaction.objects.filter(Q(source=self.user.note) | Q(destination=self.user.note)).count(), 3)

apps/treasury/views.py

@@ -417,7 +417,7 @@ class SogeCreditListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableVi
                 )
 
         if "valid" not in self.request.GET or not self.request.GET["valid"]:
-            qs = qs.filter(valid=False)
+            qs = qs.filter(credit_transaction__valid=False)
 
         return qs
 

apps/wei/tests/test_wei_registration.py

@@ -680,7 +680,7 @@ class TestWEIRegistration(TestCase):
             self.assertTrue(soge_credit.exists())
             soge_credit = soge_credit.get()
             self.assertTrue(membership.transaction in soge_credit.transactions.all())
-            self.assertTrue(membership.transaction.valid)
+            self.assertFalse(membership.transaction.valid)
 
         # Check that if the WEI is started, we can't update a wei
         self.wei.date_start = date(2000, 1, 1)