Merge pull request #204 from querti/add-token-oidc

querti · web-flow · commit 9fc731a99c8d · 2023-06-01T09:48:09.000+02:00
Add Client Credentials Flow OIDC authentication
diff --git a/kobo/admin/templates/client/__project_name__.conf b/kobo/admin/templates/client/__project_name__.conf
@@ -3,7 +3,7 @@
 # Hub XML-RPC address.
 HUB_URL = "http://localhost:8000/xmlrpc"
 
-# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc
+# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc, token_oidc
 AUTH_METHOD = ""
 
 # Username and password
diff --git a/kobo/admin/templates/worker/__project_name__.conf b/kobo/admin/templates/worker/__project_name__.conf
@@ -3,7 +3,7 @@
 # Hub XML-RPC address.
 HUB_URL = "http://localhost.localdomain:8000/xmlrpc"
 
-# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc
+# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc, token_oidc
 AUTH_METHOD = ""
 
 # Username and password
diff --git a/kobo/client/__init__.py b/kobo/client/__init__.py
@@ -308,6 +308,48 @@ def _login_krbv(self):
         req_enc = encode_func(req)
 
         self._hub.auth.login_krbv(req_enc)
+    
+    def _login_token_oidc(self):
+        """Login using OIDC endpoint (with Client Credentials Flow - using tokens)"""
+        login_url = urlparse.urljoin(self._hub_url, "auth/tokenoidclogin/")
+        client_id = self._conf.get("OIDC_CLIENT_ID")
+        client_secret = self._conf.get("OIDC_CLIENT_SECRET")
+        auth_server_token_url = self._conf.get("OIDC_AUTH_SERVER_TOKEN_URL")
+        request_args = {}
+
+        import requests
+
+        token_data = {
+            "grant_type": "client_credentials",
+            "client_id": client_id,
+            "client_secret": client_secret,
+            "scope": "openid"
+        }
+        token_response = requests.post(auth_server_token_url, data=token_data, timeout=30)
+        token_response.raise_for_status()
+        headers = {"Authorization": f"Bearer {token_response.json()['access_token']}"}
+
+        # NOTE behavior difference from hub proxy overall:
+        # HubProxy by default DOES NOT verify https connections :(
+        # See the constructor. It could be repeated here by defaulting verify to False,
+        # but let's not do that, instead you must have an unbroken SSL setup to
+        # use this auth method.
+        if self._conf.get("CA_CERT"):
+            request_args["verify"] = self._conf["CA_CERT"]
+
+        with requests.Session() as s:
+            s.cookies = self._transport.cookiejar
+            response = s.get(
+                login_url,
+                headers=headers,
+                **request_args
+            )
+        
+        self._logger and self._logger.debug(
+            "Login response: %s %s", response, response.headers
+        )
+        response.raise_for_status()
+
 
     def _login_gssapi(self):
         """Login using kerberos credentials (uses gssapi)."""
diff --git a/kobo/client/default.conf b/kobo/client/default.conf
@@ -1,7 +1,7 @@
 # Hub xml-rpc address.
 HUB_URL = "https://localhost/hub/xmlrpc"
 
-# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc
+# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc, token_oidc
 AUTH_METHOD = "krbv"
 
 # Username and password
diff --git a/kobo/hub/urls/auth.py b/kobo/hub/urls/auth.py
@@ -14,6 +14,7 @@
         url(r"^login/$", kobo.hub.views.LoginView.as_view(), name="auth/login"),
         url(r"^krb5login/$", kobo.hub.views.krb5login, name="auth/krb5login"),
         url(r"^oidclogin/$", kobo.hub.views.oidclogin, name="auth/oidclogin"),
+        url(r"^tokenoidclogin/$", kobo.hub.views.oidclogin, name="auth/tokenoidclogin"),
         url(r'^logout/$', kobo.hub.views.LogoutView.as_view(), name="auth/logout"),
     ]
 
@@ -22,5 +23,6 @@
         url(r"^login/$", kobo.hub.views.login, name="auth/login"),
         url(r"^krb5login/$", kobo.hub.views.krb5login, name="auth/krb5login"),
         url(r"^oidclogin/$", kobo.hub.views.oidclogin, name="auth/oidclogin"),
+        url(r"^tokenoidclogin/$", kobo.hub.views.oidclogin, name="auth/tokenoidclogin"),
         url(r'^logout/$', kobo.hub.views.logout, name="auth/logout"),
     ]
diff --git a/kobo/worker/default.conf b/kobo/worker/default.conf
@@ -1,7 +1,7 @@
 # Hub xml-rpc address.
 HUB_URL = "https://localhost/hub/xmlrpc"
 
-# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc
+# Hub authentication method. Example: krbv, gssapi, password, worker_key, oidc, token_oidc
 AUTH_METHOD = "krbv"
 
 # Username and password
diff --git a/tests/test_hubproxy.py b/tests/test_hubproxy.py
@@ -40,6 +40,55 @@ def request(self, host, path, request, verbose=False):
         return []
 
 
+def test_login_token_oidc(requests_session):
+    """Login with OIDC client credentials flow."""
+
+    hub_url = "https://example.com/myapp/endpoint"
+    login_url = "https://example.com/myapp/auth/tokenoidclogin/"
+    token_url = "https://sso.example.com/protocol/openid-connect/token"
+
+    conf = PyConfigParser()
+    conf.load_from_dict(
+        {
+            "HUB_URL": hub_url,
+            "AUTH_METHOD": "token_oidc",
+            "OIDC_CLIENT_ID": "test-client",
+            "OIDC_CLIENT_SECRET": "secret-token",
+            "OIDC_AUTH_SERVER_TOKEN_URL": token_url,
+            "CA_CERT": "/path/to/ca-bundle.crt"
+        }
+    )
+
+    transport = FakeTransport()
+    proxy = HubProxy(conf, transport=transport)
+
+    with mock.patch("requests.post") as mock_post:
+        mock_post.return_value.json.return_value = {"access_token": "secret-token"}
+
+        # Force a login
+        proxy._login(force=True)
+
+        mock_post.assert_called_once_with(
+            "https://sso.example.com/protocol/openid-connect/token",
+            data={
+                "grant_type": "client_credentials",
+                "client_id": "test-client",
+                "client_secret": "secret-token",
+                "scope": "openid"
+            },
+            timeout=30
+        )
+
+    # Cookies should have been shared between session and transport
+    assert requests_session.return_value.cookies is transport.cookiejar
+
+    requests_session.return_value.get.assert_called_once_with(
+        "https://example.com/myapp/auth/tokenoidclogin/",
+        headers={"Authorization": "Bearer secret-token"},
+        verify="/path/to/ca-bundle.crt"
+    )
+
+
 def test_login_gssapi(requests_session):
     """Login with gssapi method obtains session cookie via SPNEGO & krb5login."""
 

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`	`url(r"^login/$", kobo.hub.views.LoginView.as_view(), name="auth/login"),`
`15`	`15`	`url(r"^krb5login/$", kobo.hub.views.krb5login, name="auth/krb5login"),`
`16`	`16`	`url(r"^oidclogin/$", kobo.hub.views.oidclogin, name="auth/oidclogin"),`
	`17`	`+ url(r"^tokenoidclogin/$", kobo.hub.views.oidclogin, name="auth/tokenoidclogin"),`
`17`	`18`	`url(r'^logout/$', kobo.hub.views.LogoutView.as_view(), name="auth/logout"),`
`18`	`19`	`]`
`19`	`20`
`@@ -22,5 +23,6 @@`
`22`	`23`	`url(r"^login/$", kobo.hub.views.login, name="auth/login"),`
`23`	`24`	`url(r"^krb5login/$", kobo.hub.views.krb5login, name="auth/krb5login"),`
`24`	`25`	`url(r"^oidclogin/$", kobo.hub.views.oidclogin, name="auth/oidclogin"),`
	`26`	`+ url(r"^tokenoidclogin/$", kobo.hub.views.oidclogin, name="auth/tokenoidclogin"),`
`25`	`27`	`url(r'^logout/$', kobo.hub.views.logout, name="auth/logout"),`
`26`	`28`	`]`