oidc support (#1802)

* oidc support part 1

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Added Custom OAuth2Validator

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* make claims discoverable, make oidc config view work for anonymous users

* syntax

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Add scope phonebook:admin to include the non-public phonebook info

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Removed unneeded var

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* return username instead of user pk in the sub claim

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* update scope descriptions a bit

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* remove old .travis.yml

* add CI settings

* make pre-commit happy

* Added groups and permissions claim

* use uuid as username in bootstrap

* add permissions by group view in backoffice

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* add default team slug

* Add tab targets to the url

* add another back button

* add even more back buttons

* rework oidc claims and scopes, add profile fields for phonenumber and location

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Added form extras to profile form template

* Switch to leaflet, add default locaton, add location field allow blank

* add updated_at claim under the profile scope

* add a bit of oidc readme

* Remove default

* add blank=True to Profile.phonenumber

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Rudy (zarya) <git@gigafreak.net>

Author: 3 people

.travis.yml

@@ -160,6 +160,22 @@ Otherwise start uwsgi or similar to serve the application.
 
 Enjoy!
 
+
+## OIDC IDP
+
+The BornHack website can act as an OIDC IDP. You are welcome to use it for your projects.
+
+
+### OIDC User Claims
+
+The supported standard and custom OIDC user claims can be seen in `bornhack/oauth_validators.py` https://github.com/bornhack/bornhack-website/blob/master/src/bornhack/oauth_validators
+
+
+### OIDC Scopes
+
+Supported oauth2 scopes are split between standard OIDC claim scopes, custom OIDC claim scopes, and API scopes. The current list of supported scopes can be seen in the `OAUTH2_PROVIDER["SCOPES"]` dict in `bornhack/settings.py` https://github.com/bornhack/bornhack-website/blob/master/src/bornhack/settings.py
+
+
 ## Notes
 
 ### Running tests

README.md

@@ -4,6 +4,10 @@ <h3>Permissions</h3>
     <h4 class="list-group-item-heading">Show Permissions (by User)</h4>
     <p class="list-group-item-text">Use this view to see permissions in a table with a row per user.</p>
   </a>
+  <a href="{% url 'backoffice:permission_list_by_group' camp_slug=camp.slug %}" class="list-group-item list-group-item-action">
+    <h4 class="list-group-item-heading">Show Permissions (by Group)</h4>
+    <p class="list-group-item-text">Use this view to see a list of groups and their permissions.</p>
+  </a>
   <a href="{% url 'backoffice:permission_list_by_permission' camp_slug=camp.slug %}" class="list-group-item list-group-item-action">
     <h4 class="list-group-item-heading">Show Permissions (by Permission)</h4>
     <p class="list-group-item-text">Use this view to see permissions in a table with a row per permission.</p>

src/backoffice/templates/includes/index_permissions.html

@@ -2,16 +2,19 @@
 <p>
   <dl>
     <dt>lead</dt>
-    <dd>The team lead permission enables a user to manage team memberships and permissions. This permission is granted to and removed from team leads automatically when the team membership is updated. Codename <b>camps.{{ team.slug }}_team_lead</b>.</dd>
+    <dd>The team lead permission enables a user to manage team memberships and permissions. This permission is granted to and removed from team leads automatically when the team membership is updated. Codename <b>camps.{{ team.slug | default:"TEAM" }}_team_lead</b>.</dd>
     <dt>member</dt>
-    <dd>The team member permission grants access to the team area with tasks and the team guide. It also grants access to handle facility feedback in backoffice. Some sections of backoffice and the main site are restricted to users with this permission. Codename <b>camps.{{ team.slug }}_team_member</b>.</dd>
+    <dd>The team member permission grants access to the team area with tasks and the team guide. It also grants access to handle facility feedback in backoffice. Some sections of backoffice and the main site are restricted to users with this permission. Codename <b>camps.{{ team.slug | default:"TEAM" }}_team_member</b>.</dd>
     <dt>mapper</dt>
-    <dd>The team mapper permission grants access to gis/map layer management in backoffice. Codename <b>camps.{{ team.slug }}_team_mapper</b>.</dd>
+    <dd>The team mapper permission grants access to gis/map layer management in backoffice. Codename <b>camps.{{ team.slug | default:"TEAM" }}_team_mapper</b>.</dd>
     <dt>facilitator</dt>
-    <dd>The team facilitator permission grants access to manage facilities in backoffice. Codename <b>camps.{{ team.slug }}_team_facilitator</b>.</dd>
+    <dd>The team facilitator permission grants access to manage facilities in backoffice. Codename <b>camps.{{ team.slug | default:"TEAM" }}_team_facilitator</b>.</dd>
     <dt>infopager</dt>
-    <dd>The team infopager permission grants access to manage infopage sections for the team. Codename <b>camps.{{ team.slug }}_team_infopager</b>.</dd>
+    <dd>The team infopager permission grants access to manage infopage sections for the team. Codename <b>camps.{{ team.slug | default:"TEAM" }}_team_infopager</b>.</dd>
     <dt>pos</dt>
-    <dd>The team pos permission grants access to submit point-of-sale reports on behalf of the team. Codename <b>camps.{{ team.slug }}_team_pos</b>.</dd>
+    <dd>The team pos permission grants access to submit point-of-sale reports on behalf of the team. Codename <b>camps.{{ team.slug | default:"TEAM" }}_team_pos</b>.</dd>
+  </p>
+  <p>
+    <a href="{% url 'backoffice:index' camp_slug=camp.slug %}" class="btn btn-secondary"><i class="fas fa-undo"></i> Backoffice</a>
+    <a href="{% url 'backoffice:index' camp_slug=camp.slug %}#permissions" class="btn btn-secondary"><i class="fas fa-undo"></i> Permissions</a>
   </p>
-  <p><a href="{% url 'backoffice:index' camp_slug=camp.slug %}" class="btn btn-default"><i class="fas fa-undo"></i> Backoffice</a></p>

src/backoffice/templates/includes/permissions_explainer.html

@@ -16,7 +16,7 @@ <h3 class="ms-3">{{ camp.title }} Backoffice</h3>
       <ul class="nav nav-tabs" role="tablist">
         {% for item, value in backoffice_tabs.items %}
           <li class="nav-item" role="presentation" class="active">
-            <a class="nav-link{% if forloop.first %} active{% endif %}" href="#{{ item }}" aria-controls="one" aria-selected="true" role="tab" data-bs-toggle="tab">
+            <a class="nav-link{% if forloop.first %} active{% endif %}" href="#{{ item }}" aria-controls="one" aria-selected="true" role="tab" data-bs-toggle="tab" data-bs-target="#{{ item }}">
               {{ value.name }}{% if value.count %} <span class="badge rounded-pill text-bg-danger">{{ value.count }}</span>{% endif %}
             </a>
           </li>

src/backoffice/templates/index.html

@@ -0,0 +1,40 @@
+{% extends 'base.html' %}
+{% load bornhack %}
+
+{% block title %}
+  Permissions by Group | Backoffice | {{ block.super }}
+{% endblock %}
+
+{% block content %}
+  <div class="panel panel-default">
+    <div class="panel-heading"><h3 class="panel-title">Permissions by Group - BackOffice</h3></div>
+    <div class="panel-body">
+      <p>A list of groups and their assigned custom bornhack permissions. Groups with no permissions are not included in this table. Ask orga to change group permissions if needed.</p>
+      {% include "includes/permissions_explainer.html" %}
+      <table class="table table-striped table-hover datatable">
+        <thead>
+          <tr>
+            <th>Group Name</th>
+            <th>Group Permissions</th>
+          </tr>
+        </thead>
+        <tbody>
+          {% for group in group_list %}
+            <tr>
+              <td>{{ group.name }}</td>
+              <td>
+                <ul>{% for perm in group.permissions.all %}
+                  <li><strong>camps.{{ perm.codename }}</strong> ({{ perm.name }})</li>
+                {% endfor %}</ul>
+              </td>
+            </tr>
+          {% endfor %}
+        </tbody>
+      </table>
+      <p>
+        <a class="btn btn-secondary" href="{% url 'backoffice:index' camp_slug=camp.slug %}"><i class="fas fa-undo"></i> Backoffice</a>
+        <a href="{% url 'backoffice:index' camp_slug=camp.slug %}#permissions" class="btn btn-secondary"><i class="fas fa-undo"></i> Permissions</a>
+      </p>
+    </div>
+  </div>
+{% endblock content %}

src/backoffice/templates/permissions_by_group.html

@@ -45,6 +45,7 @@
       </table>
       <p>
         <a class="btn btn-secondary" href="{% url 'backoffice:index' camp_slug=camp.slug %}"><i class="fas fa-undo"></i> Backoffice</a>
+        <a href="{% url 'backoffice:index' camp_slug=camp.slug %}#permissions" class="btn btn-secondary"><i class="fas fa-undo"></i> Permissions</a>
       </p>
     </div>
   </div>

src/backoffice/templates/permissions_by_permission.html

@@ -39,6 +39,7 @@
       </table>
       <p>
         <a class="btn btn-secondary" href="{% url 'backoffice:index' camp_slug=camp.slug %}"><i class="fas fa-undo"></i> Backoffice</a>
+        <a href="{% url 'backoffice:index' camp_slug=camp.slug %}#permissions" class="btn btn-secondary"><i class="fas fa-undo"></i> Permissions</a>
       </p>
     </div>
   </div>

src/backoffice/templates/permissions_by_user.html

@@ -167,6 +167,7 @@
 from .views import ZettleDataImportView
 from .views import ZettleReceiptListView
 from .views import PermissionByUserView
+from .views import PermissionByGroupView
 from .views import PermissionByPermissionView
 
 app_name = "backoffice"
@@ -1420,6 +1421,11 @@
         "permissions/",
         include(
             [
+                path(
+                    "by_group/",
+                    PermissionByGroupView.as_view(),
+                    name="permission_list_by_group",
+                ),
                 path(
                     "by_user/",
                     PermissionByUserView.as_view(),

src/backoffice/urls.py

@@ -9,7 +9,7 @@
 from teams.models import Team
 from django.views.generic import ListView, FormView
 from ..mixins import OrgaOrTeamLeadViewMixin
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, Group
 from ..forms import ManageTeamPermissionsForm
 from django.shortcuts import get_object_or_404
 from django.conf import settings
@@ -41,7 +41,11 @@ def get_context_data(self, **kwargs):
 
 
 class TeamPermissionManageView(CampViewMixin, FormView):
-    """This view is used to see and update team permissions."""
+    """This view is used to see and update team permissions.
+
+    This view does it's own permission checking in setup(),
+    so it does not need to inherit from OrgaOrTeamLeadViewMixin.
+    """
 
     template_name = "team_permissions_manage.html"
     form_class = ManageTeamPermissionsForm
@@ -185,3 +189,17 @@ def get_queryset(self, *args, **kwargs):
                 ),
             )
         return perms
+
+
+class PermissionByGroupView(OrgaOrTeamLeadViewMixin, ListView):
+    model = Group
+    template_name = "permissions_by_group.html"
+
+    def get_queryset(self, *args, **kwargs):
+        qs = super().get_queryset(*args, **kwargs)
+        permission_content_type = ContentType.objects.get_for_model(CampPermission)
+        groups = qs.filter(
+            permissions__isnull=False,
+            permissions__content_type=permission_content_type,
+        )
+        return groups.distinct()