[Review] Quite a lot of minor improvements

.drone.yml

@@ -0,0 +1,46 @@
+pipeline:
+  restore-cache:
+    image: drillster/drone-volume-cache
+    restore: true
+    mount:
+      - cache
+      - .tox
+    volumes:
+      - /tmp/drone-cache:/cache
+
+  build:
+    image: python:3.5
+    commands:
+      - mkdir -p cache/pip
+      - pip -q install --upgrade --cache-dir cache/pip tox flake8
+      - tox -e py35-django110
+      # - flake8 --config=.flake8rc
+      # - "isort -df -c -rc"
+
+  dist:
+    image: python:3.5
+    commands:
+      - '[ "${DRONE_TAG##v}" = "$$(python setup.py -V)" ]'
+      - python setup.py sdist bdist_wheel
+    when:
+      event: tag
+      tag: v*
+
+  pypi:
+    image: thomasf/twine
+    commands:
+      - twine upload dist/*
+    secrets: [ twine_username, twine_password ]
+    when:
+      event: tag
+      tag: v*
+
+
+  rebuild-cache:
+    image: drillster/drone-volume-cache
+    rebuild: true
+    mount:
+      - cache
+      - .tox
+    volumes:
+      - /tmp/drone-cache:/cache

.gitignore

@@ -21,6 +21,7 @@ var/
 *.egg-info/
 .installed.cfg
 *.egg
+.venv
 
 # Installer logs
 pip-log.txt

.isort.cfg

@@ -0,0 +1,2 @@
+[settings]
+skip=.tox

README.rst

@@ -7,18 +7,21 @@ Behind the scenes, it uses Roland Hedberg's great pyoidc library.
 
 Modified by JHUAPL BOSS to support Python3
 
+Modified by Thomas Frössman with fixes and additional modifications.
+
 Quickstart
 ----------
 
 Install djangooidc::
 
     # Latest code - unstable!
-    pip install git+https://github.com/jhuapl-boss/django-oidc.git
-
+    pip install git+https://github.com/{desiredforkname}/django-oidc.git
+
+(replace {desiredforkname} by the github username; find the fork which suit your needs, or just copy the name from your browser location field).
 
 Then to use it in a Django project, add this to your urls.py::
 
-    url(r'openid/', include('djangooidc.urls')),
+    url(r'^openid/', include('djangooidc.urls')),
 
 
 Then add the following items to your settings.py:
@@ -66,6 +69,26 @@ For example, an Azure AD OP would be::
 You may now test the authentication by going to (on the development server) http://localhost:8000/openid/login or to any
 of your views that requires authentication.
 
+Using a private key jwt for client authentication
+-------------------------------------------------
+If you are using private keys for client authentication with the OP, you can specify it like::
+
+    OIDC_PROVIDERS = {
+        "mitreid": {
+            "srv_discovery_url": "https://mitreid.org/",
+            "behaviour": OIDC_DEFAULT_BEHAVIOUR,
+            "client_registration": {
+                "client_id": "your_client_id",
+                "redirect_uris": ["http://localhost:8000/openid/callback/login/"],
+                'token_endpoint_auth_method': ['private_key_jwt'],
+                "enc_kid": "rsa_test",
+                "keyset_jwk_file": "file://keys/keyset.jwk"
+            }
+        }
+    }
+
+In this case keys/keyset.jwk is the full keyset (public and private keys) used when registering the client with the OP
+manually. (I.E. you've provided the OP with the public key.)
 
 Features
 --------

django_rp/settings.py

@@ -1,5 +1,6 @@
 # Django settings for access_web project.
 import os
+import django
 
 DEBUG = True
 TEMPLATE_DEBUG = DEBUG
@@ -36,7 +37,7 @@
 
 # Language code for this installation. All choices can be found here:
 # http://www.i18nguy.com/unicode/language-identifiers.html
-LANGUAGE_CODE = 'en-US'
+LANGUAGE_CODE = 'en-us'
 
 SITE_ID = 1
 
@@ -95,13 +96,25 @@
     'django.template.loaders.app_directories.Loader',
 )
 
-MIDDLEWARE_CLASSES = (
-    'django.middleware.common.CommonMiddleware',
-    'django.contrib.sessions.middleware.SessionMiddleware',
-    'django.middleware.csrf.CsrfViewMiddleware',
-    'django.contrib.auth.middleware.AuthenticationMiddleware',
-    'django.contrib.messages.middleware.MessageMiddleware',
-)
+if django.VERSION >= (2, 1):
+    MIDDLEWARE = [
+        'django.middleware.security.SecurityMiddleware',
+        'django.contrib.sessions.middleware.SessionMiddleware',
+        'django.middleware.common.CommonMiddleware',
+        'django.middleware.csrf.CsrfViewMiddleware',
+        'django.contrib.auth.middleware.AuthenticationMiddleware',
+        'django.contrib.messages.middleware.MessageMiddleware',
+        'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    ]
+else:
+    MIDDLEWARE_CLASSES = (
+        'django.middleware.common.CommonMiddleware',
+        'django.contrib.sessions.middleware.SessionMiddleware',
+        'django.middleware.csrf.CsrfViewMiddleware',
+        'django.contrib.auth.middleware.AuthenticationMiddleware',
+        'django.contrib.messages.middleware.MessageMiddleware',
+    )
+
 
 SESSION_ENGINE = 'django.contrib.sessions.backends.db'
 
@@ -121,9 +134,28 @@
 
 ROOT_URLCONF = 'django_rp.urls'
 
-TEMPLATE_DIRS = (
-    # os.path.join(BASE_DIR, "django_rp/templates"),
-)
+if django.VERSION >= (2, 1):
+    TEMPLATES = [
+        {
+            'BACKEND': 'django.template.backends.django.DjangoTemplates',
+            'DIRS': [
+                os.path.join(BASE_DIR, 'djangooidc/templates'),
+            ],
+            'APP_DIRS': True,
+            'OPTIONS': {
+                'context_processors': [
+                    'django.template.context_processors.debug',
+                    'django.template.context_processors.request',
+                    'django.contrib.auth.context_processors.auth',
+                    'django.contrib.messages.context_processors.messages',
+                ],
+            },
+        },
+    ]
+else:
+    TEMPLATE_DIRS = (
+        # os.path.join(BASE_DIR, "django_rp/templates"),
+    )
 
 INSTALLED_APPS = (
     'django.contrib.auth',
@@ -218,16 +250,16 @@
 # The keys in this dictionary are the OPs (OpenID Providers) short user friendly name not the issuer (iss) name.
 OIDC_PROVIDERS = {
     # Test OP - webfinger supported on non-standard URL, no client self registration.
-    "Azure Active Directory": {
-        "srv_discovery_url": "https://sts.windows.net/9019caa7-f3ba-4261-8b4f-9162bdbe8cd1/",
-        "behaviour": OIDC_DEFAULT_BEHAVIOUR,
-        "client_registration": {
-            "client_id": "0d21f6d8-796f-4879-a2e1-314ddfcfb737",
-            "client_secret": "6hzvhNTsHPvTiUH/GUHVsFDt8b0BajZNox/iFI7iVJ8=",
-            "redirect_uris": ["http://localhost:8000/openid/callback/login/"],
-            "post_logout_redirect_uris": ["http://localhost:8000/openid/callback/logout/"],
-        }
-    },
+    # "Azure Active Directory": {
+    #     "srv_discovery_url": "https://sts.windows.net/9019caa7-f3ba-4261-8b4f-9162bdbe8cd1/",
+    #     "behaviour": OIDC_DEFAULT_BEHAVIOUR,
+    #     "client_registration": {
+    #         "client_id": "0d21f6d8-796f-4879-a2e1-314ddfcfb737",
+    #         "client_secret": "6hzvhNTsHPvTiUH/GUHVsFDt8b0BajZNox/iFI7iVJ8=",
+    #         "redirect_uris": ["http://localhost:8000/openid/callback/login/"],
+    #         "post_logout_redirect_uris": ["http://localhost:8000/openid/callback/logout/"],
+    #     }
+    # },
     # # No webfinger support, but OP information lookup and client registration
     # "xenosmilus": {
     # "srv_discovery_url": "https://xenosmilus2.umdc.umu.se:8091/",
@@ -283,4 +315,4 @@
     # },
 }
 #
-###############################################################################
+###############################################################################

django_rp/urls.py

@@ -1,21 +1,23 @@
-from django.conf.urls import patterns, include, url
+from os import path
+
+from django.conf.urls import include, url
 from django.contrib import admin
 
+from testapp.views import home, unprotected
+
 admin.autodiscover()
 
-from os import path
 
 BASEDIR = path.dirname(path.abspath(__file__))
 
-urlpatterns = patterns('',
-                       # URLS for OpenId authentication
-                       url(r'openid/', include('djangooidc.urls')),
-
-                       # Test URLs
-                       url(r'^$', 'testapp.views.home', name='home'),
-                       url(r'^unprotected$', 'testapp.views.unprotected', name='unprotected'),
+urlpatterns = [
+   # URLS for OpenId authentication
+   url(r'^openid/', include('djangooidc.urls')),
 
-                       # Uncomment the next line to enable the admin:
-                       url(r'^admin/', include(admin.site.urls)),
+   # Test URLs
+   url(r'^$', home, name='home'),
+   url(r'^unprotected$', unprotected, name='unprotected'),
 
-                       )
+   # Uncomment the next line to enable the admin:
+   url(r'^admin/', admin.site.urls),
+]

django_rp/wsgi.py

@@ -16,6 +16,11 @@
 import os
 import sys
 
+# This application object is used by any WSGI server configured to use this
+# file. This includes Django's development server, if the WSGI_APPLICATION
+# setting points here.
+from django.core.wsgi import get_wsgi_application
+
 mage_path = os.path.join(os.path.abspath(os.path.dirname(__file__)), os.path.pardir)
 if mage_path not in sys.path:
     sys.path.append(mage_path)
@@ -28,10 +33,6 @@
 # os.environ["DJANGO_SETTINGS_MODULE"] = "MAGE2.settings"
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "MAGE.settings")
 
-# This application object is used by any WSGI server configured to use this
-# file. This includes Django's development server, if the WSGI_APPLICATION
-# setting points here.
-from django.core.wsgi import get_wsgi_application
 application = get_wsgi_application()
 
 # Apply WSGI middleware here.

djangooidc/__init__.py

@@ -1,3 +1,3 @@
 # coding: utf-8
 
-__version__ = '0.1.3'
+__version__ = '0.0.9'

djangooidc/backends.py

@@ -1,22 +1,22 @@
 # coding: utf-8
-
 from __future__ import unicode_literals
-import datetime
+
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.backends import ModelBackend
+from django.utils import timezone
 
 
 class OpenIdConnectBackend(ModelBackend):
     """
     This backend checks a previously performed OIDC authentication.
     If it is OK and the user already exists in the database, it is returned.
-    If it is OK and user does not exist in the database, it is created and returned unless setting
-        OIDC_CREATE_UNKNOWN_USER is False.
+    If it is OK and user does not exist in the database, it is created and
+        returned unless setting OIDC_CREATE_UNKNOWN_USER is False.
     In all other cases, None is returned.
     """
 
-    def authenticate(self, **kwargs):
+    def authenticate(self, request, **kwargs):
         user = None
         if not kwargs or 'sub' not in kwargs.keys():
             return user
@@ -26,8 +26,9 @@ def authenticate(self, **kwargs):
         if 'upn' in kwargs.keys():
             username = kwargs['upn']
 
-        # Some OP may actually choose to withhold some information, so we must test if it is present
-        openid_data = {'last_login': datetime.datetime.now()}
+        # Some OP may actually choose to withhold some information, so we must
+        # test if it is present
+        openid_data = {'last_login': timezone.now()}
         if 'first_name' in kwargs.keys():
             openid_data['first_name'] = kwargs['first_name']
         if 'given_name' in kwargs.keys():
@@ -45,15 +46,19 @@ def authenticate(self, **kwargs):
         # instead we use get_or_create when creating unknown users since it has
         # built-in safeguards for multiple threads.
         if getattr(settings, 'OIDC_CREATE_UNKNOWN_USER', True):
-            args = {UserModel.USERNAME_FIELD: username, 'defaults': openid_data, }
+            args = {UserModel.USERNAME_FIELD: username,
+                    'defaults': openid_data, }
             user, created = UserModel.objects.update_or_create(**args)
             if created:
-                user = self.configure_user(user)
+                user = self.configure_user(user, **kwargs)
         else:
             try:
                 user = UserModel.objects.get_by_natural_key(username)
             except UserModel.DoesNotExist:
-                return None
+                try:
+                    user = UserModel.objects.get(email=kwargs['email'])
+                except UserModel.DoesNotExist:
+                    return None
         return user
 
     def clean_username(self, username):
@@ -65,10 +70,11 @@ def clean_username(self, username):
         """
         return username
 
-    def configure_user(self, user):
+    def configure_user(self, user, **kwargs):
         """
         Configures a user after creation and returns the updated user.
 
         By default, returns the user unmodified.
         """
-        return user
+        user.set_unusable_password()
+        return user