[#343] Add setupconfig support

backend/requirements/base.in

@@ -14,7 +14,7 @@ django-rosetta
 django-structlog
 maykin-2fa
 mozilla-django-oidc-db
-
+django-setup-configuration
 maykin-common[axes]
 
 # API libraries

backend/requirements/base.txt

@@ -97,8 +97,10 @@ django-rosetta==0.10.2
     # via -r requirements/base.in
 django-sendfile2==0.7.2
     # via django-privates
-django-setup-configuration==0.7.2
-    # via zgw-consumers
+django-setup-configuration==0.11.0
+    # via
+    #   -r requirements/base.in
+    #   zgw-consumers
 django-simple-certmanager==2.4.1
     # via zgw-consumers
 django-solo==2.4.0
@@ -143,7 +145,7 @@ maykin-common==0.4.0
     # via -r requirements/base.in
 mozilla-django-oidc==4.0.1
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.25.0
+mozilla-django-oidc-db==1.0.2
     # via -r requirements/base.in
 msgspec==0.19.0
     # via -r requirements/base.in
@@ -247,5 +249,5 @@ webauthn==2.5.2
     # via django-two-factor-auth
 wrapt==1.17.2
     # via elastic-apm
-zgw-consumers==0.38.0
+zgw-consumers==1.1.0
     # via -r requirements/base.in

backend/requirements/ci.txt

@@ -198,7 +198,7 @@ django-sendfile2==0.7.2
     #   -r requirements/base.txt
     #   -r requirements/type-checking.txt
     #   django-privates
-django-setup-configuration==0.7.2
+django-setup-configuration==0.11.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
@@ -370,7 +370,7 @@ mozilla-django-oidc==4.0.1
     #   -r requirements/base.txt
     #   -r requirements/type-checking.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.25.0
+mozilla-django-oidc-db==1.0.2
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
@@ -742,7 +742,7 @@ yarl==1.20.1
     # via
     #   -r requirements/type-checking.txt
     #   vcrpy
-zgw-consumers==0.38.0
+zgw-consumers==1.1.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt

backend/requirements/dev.txt

@@ -242,7 +242,7 @@ django-sendfile2==0.7.2
     #   -r requirements/ci.txt
     #   -r requirements/type-checking.txt
     #   django-privates
-django-setup-configuration==0.7.2
+django-setup-configuration==0.11.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
@@ -473,7 +473,7 @@ mozilla-django-oidc==4.0.1
     #   -r requirements/ci.txt
     #   -r requirements/type-checking.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.25.0
+mozilla-django-oidc-db==1.0.2
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
@@ -969,7 +969,7 @@ yarl==1.20.1
     #   -r requirements/ci.txt
     #   -r requirements/type-checking.txt
     #   vcrpy
-zgw-consumers==0.38.0
+zgw-consumers==1.1.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt

backend/requirements/type-checking.txt

@@ -131,7 +131,7 @@ django-sendfile2==0.7.2
     # via
     #   -r requirements/base.txt
     #   django-privates
-django-setup-configuration==0.7.2
+django-setup-configuration==0.11.0
     # via -r requirements/base.txt
 django-simple-certmanager==2.4.1
     # via
@@ -226,7 +226,7 @@ mozilla-django-oidc==4.0.1
     # via
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.25.0
+mozilla-django-oidc-db==1.0.2
     # via -r requirements/base.txt
 msgspec==0.19.0
     # via -r requirements/base.txt
@@ -437,5 +437,5 @@ wrapt==1.17.2
     #   vcrpy
 yarl==1.20.1
     # via vcrpy
-zgw-consumers==0.38.0
+zgw-consumers==1.1.0
     # via -r requirements/base.txt

backend/src/openbeheer/conf/base.py

@@ -125,6 +125,7 @@
     "simple_certmanager",
     "maykin_common",
     "django_structlog",
+    "django_setup_configuration",
     # Project applications.
     "openbeheer.accounts",
     "openbeheer.utils",
@@ -584,3 +585,12 @@
         "openbeheer.api.drf_spectacular.schema.post_process_hook",
     ],
 }
+
+#
+# Django Setup Configuration
+#
+SETUP_CONFIGURATION_STEPS = [
+    "zgw_consumers.contrib.setup_configuration.steps.ServiceConfigurationStep",
+    "openbeheer.config.setup_configuration.steps.APIConfigConfigurationStep",
+    "mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep",
+]

backend/src/openbeheer/config/setup_configuration/fixtures/data.yaml

@@ -0,0 +1,76 @@
+#
+# ** Django setup configuration fixture **
+#
+# Can be used FOR DEVELOPMENT to configure the application with the docker services provided 
+# in the folder /backend/docker-services.
+
+oidc_db_config_enable: true
+oidc_db_config_admin_auth:
+  providers:
+  - identifier: admin-oidc-provider
+    oidc_use_nonce: true
+    oidc_nonce_size: 32
+    oidc_state_size: 32
+    endpoint_config:
+      oidc_op_discovery_endpoint: "http://localhost:28080/realms/openbeheer-dev/"
+  items:
+  - identifier: admin-oidc
+    enabled: true
+    oidc_rp_client_id: openbeheer-dev
+    oidc_rp_client_secret: oCwSJtZVdHW6BzCFIxKnIg16nLL0x4zK
+    oidc_rp_scopes_list:
+    - openid
+    - email
+    - profile
+    oidc_rp_sign_algo: RS256
+    oidc_provider_identifier: admin-oidc-provider
+    userinfo_claims_source: id_token
+    options:
+      user_settings:
+        claim_mappings:
+          username:
+            - sub
+          first_name:
+            - given_name
+          last_name:
+            - family_name
+          email:
+            - email
+        username_case_sensitive: true
+      groups_settings:
+        claim_mapping:
+          - roles
+        sync: true
+        sync_pattern: '*'
+        default_groups: []
+        make_users_staff: true
+        superuser_group_names:
+          - Superuser
+
+zgw_consumers_config_enable: true
+zgw_consumers:
+  services:
+  - identifier: objecttypen-service
+    label: Objecttypen API
+    api_root: http://localhost:8004/api/v2/
+    api_type: orc
+    auth_type: api_key
+    header_key: Authorization
+    header_value: Token 18b2b74ef994314b84021d47b9422e82b685d82f
+  - identifier: catalogi-service
+    label: Open Zaak - Catalogi API
+    api_root: http://localhost:8003/catalogi/api/v1/
+    api_type: ztc
+    auth_type: zgw
+    client_id: test-vcr
+    secret: test-vcr
+  - identifier: selectielijst-service
+    label: Open Zaak (public) - Selectielijst API
+    api_root: https://selectielijst.openzaak.nl/api/v1/
+    api_type: orc
+    auth_type: no_auth
+
+api_configuration_enabled: true
+api_configuration:
+  selectielijst_service_identifier: selectielijst-service
+  objecttypen_service_identifier: objecttypen-service

backend/src/openbeheer/config/setup_configuration/models.py

@@ -0,0 +1,13 @@
+from django_setup_configuration import ConfigurationModel
+from django_setup_configuration.fields import DjangoModelRef
+
+from ..models import APIConfig
+
+
+class APIConfigConfigurationModel(ConfigurationModel):
+    selectielijst_service_identifier: str = DjangoModelRef(
+        APIConfig, "selectielijst_api_service"
+    )
+    objecttypen_service_identifier: str = DjangoModelRef(
+        APIConfig, "objecttypen_api_service"
+    )

backend/src/openbeheer/config/setup_configuration/steps.py

@@ -0,0 +1,42 @@
+from django_setup_configuration import BaseConfigurationStep
+from django_setup_configuration.exceptions import ConfigurationRunFailed
+from zgw_consumers.models import Service
+
+from ..models import APIConfig
+from .models import APIConfigConfigurationModel
+
+
+class APIConfigConfigurationStep(BaseConfigurationStep[APIConfigConfigurationModel]):
+    """Configure API settings"""
+
+    config_model = APIConfigConfigurationModel
+    enable_setting = "api_configuration_enabled"
+    namespace = "api_configuration"
+    verbose_name = "API Configuration"
+
+    def execute(self, model: APIConfigConfigurationModel) -> None:
+        config = APIConfig.get_solo()
+
+        try:
+            config.selectielijst_api_service = Service.objects.get(
+                slug=model.selectielijst_service_identifier
+            )
+        except Service.DoesNotExist as exc:
+            raise ConfigurationRunFailed(
+                f"Could not find an existing `selectielijst` service with identifier `{model.selectielijst_service_identifier}`."
+                " Make sure it is already configured, manually or by first running the configuration step of `zgw_consumers`."
+            ) from exc
+
+        try:
+            config.objecttypen_api_service = Service.objects.get(
+                slug=model.objecttypen_service_identifier
+            )
+        except Service.DoesNotExist as exc:
+            raise ConfigurationRunFailed(
+                f"Could not find an existing `objecttypen` service with identifier `{model.objecttypen_service_identifier}`."
+                " Make sure it is already configured, manually or by first running the configuration step of `zgw_consumers`."
+            ) from exc
+
+        config.save(
+            update_fields=["selectielijst_api_service", "objecttypen_api_service"]
+        )

backend/src/openbeheer/config/setup_configuration/tests/files/full_config.yaml

@@ -0,0 +1,74 @@
+oidc_db_config_enable: true
+oidc_db_config_admin_auth:
+  providers:
+  - identifier: admin-oidc-provider
+    oidc_use_nonce: true
+    oidc_nonce_size: 32
+    oidc_state_size: 32
+    endpoint_config:
+      oidc_op_authorization_endpoint: http://localhost:28080/realms/openbeheer-dev/openid-connect/auth
+      oidc_op_token_endpoint: http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/token
+      oidc_op_user_endpoint: http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/userinfo
+      oidc_op_logout_endpoint: http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/logout
+      oidc_op_jwks_endpoint: http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/certs
+  items:
+  - identifier: admin-oidc
+    enabled: true
+    oidc_rp_client_id: openbeheer-dev
+    oidc_rp_client_secret: oCwSJtZVdHW6BzCFIxKnIg16nLL0x4zK
+    oidc_rp_scopes_list:
+    - openid
+    - email
+    - profile
+    oidc_rp_sign_algo: RS256
+    oidc_provider_identifier: admin-oidc-provider
+    userinfo_claims_source: id_token
+    options:
+      user_settings:
+        claim_mappings:
+          username:
+            - sub
+          first_name:
+            - given_name
+          last_name:
+            - family_name
+          email:
+            - email
+        username_case_sensitive: true
+      groups_settings:
+        claim_mapping:
+          - roles
+        sync: true
+        sync_pattern: '*'
+        default_groups: []
+        make_users_staff: true
+        superuser_group_names:
+          - Superuser
+
+zgw_consumers_config_enable: true
+zgw_consumers:
+  services:
+  - identifier: objecttypen-service
+    label: Objecttypen API
+    api_root: http://localhost:8004/api/v2/
+    api_type: orc
+    auth_type: api_key
+    header_key: Authorization
+    header_value: Token 18b2b74ef994314b84021d47b9422e82b685d82f
+  - identifier: catalogi-service
+    label: Open Zaak - Catalogi API
+    api_root: http://localhost:8003/catalogi/api/v1/
+    api_type: ztc
+    auth_type: zgw
+    client_id: test-vcr
+    secret: test-vcr
+  - identifier: selectielijst-service
+    label: Open Zaak (public) - Selectielijst API
+    api_root: https://selectielijst.openzaak.nl/api/v1/
+    api_type: orc
+    auth_type: no_auth
+
+api_configuration_enabled: true
+api_configuration:
+  selectielijst_service_identifier: selectielijst-service
+  objecttypen_service_identifier: objecttypen-service

backend/src/openbeheer/config/setup_configuration/tests/files/vcr_cassettes/APIConfigConfigurationStepTests/test_full_configuration_with_call_to_keycloak.yaml

@@ -0,0 +1,35 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - '*/*'
+      Accept-Encoding:
+      - gzip, deflate
+      Connection:
+      - keep-alive
+    method: GET
+    uri: http://localhost:28080/realms/openbeheer-dev/.well-known/openid-configuration
+  response:
+    body:
+      string: '{"issuer":"http://localhost:28080/realms/openbeheer-dev","authorization_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/auth","token_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/token","introspection_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/userinfo","end_session_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/certs","check_session_iframe":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","client_credentials","implicit","password","refresh_token","urn:ietf:params:oauth:grant-type:device_code","urn:ietf:params:oauth:grant-type:token-exchange","urn:ietf:params:oauth:grant-type:uma-ticket","urn:openid:params:grant-type:ciba"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token
+        token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"prompt_values_supported":["none","login","consent"],"id_token_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["ECDH-ES+A256KW","ECDH-ES+A192KW","ECDH-ES+A128KW","RSA-OAEP","RSA-OAEP-256","RSA1_5","ECDH-ES"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["ECDH-ES+A256KW","ECDH-ES+A192KW","ECDH-ES+A128KW","RSA-OAEP","RSA-OAEP-256","RSA1_5","ECDH-ES"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["ECDH-ES+A256KW","ECDH-ES+A192KW","ECDH-ES+A128KW","RSA-OAEP","RSA-OAEP-256","RSA1_5","ECDH-ES"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"http://localhost:28080/realms/openbeheer-dev/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["ECDH-ES+A256KW","ECDH-ES+A192KW","ECDH-ES+A128KW","RSA-OAEP","RSA-OAEP-256","RSA1_5","ECDH-ES"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","microprofile-jwt","offline_access","roles","profile","email","address","acr","basic","web-origins","phone","service_account"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"revocation_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/revoke","revocation_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"device_authorization_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/auth/device","backchannel_token_delivery_modes_supported":["poll","ping"],"backchannel_authentication_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/ext/ciba/auth","backchannel_authentication_request_signing_alg_values_supported":["PS384","RS384","EdDSA","ES384","ES256","RS256","ES512","PS256","PS512","RS512"],"require_pushed_authorization_requests":false,"pushed_authorization_request_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/ext/par/request","mtls_endpoint_aliases":{"token_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/token","revocation_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/revoke","introspection_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/token/introspect","device_authorization_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/auth/device","registration_endpoint":"http://localhost:28080/realms/openbeheer-dev/clients-registrations/openid-connect","userinfo_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/userinfo","pushed_authorization_request_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/ext/par/request","backchannel_authentication_endpoint":"http://localhost:28080/realms/openbeheer-dev/protocol/openid-connect/ext/ciba/auth"},"authorization_response_iss_parameter_supported":true}'
+    headers:
+      Cache-Control:
+      - no-cache, must-revalidate, no-transform, no-store
+      Content-Type:
+      - application/json;charset=UTF-8
+      Referrer-Policy:
+      - no-referrer
+      Strict-Transport-Security:
+      - max-age=31536000; includeSubDomains
+      X-Content-Type-Options:
+      - nosniff
+      X-Frame-Options:
+      - SAMEORIGIN
+      content-length:
+      - '6549'
+    status:
+      code: 200
+      message: OK
+version: 1