dj-jwt-auth 1.2.1__py3-none-any.whl → 1.3.1__py3-none-any.whl

{dj_jwt_auth-1.2.1.dist-info → dj_jwt_auth-1.3.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dj-jwt-auth
-Version: 1.2.1
+Version: 1.3.1
 Summary: A Django package for JSON Web Token validation and verification. Using PyJWT.
 Home-page: https://www.example.com/
 Author: Konstantin Seleznev
@@ -31,13 +31,16 @@ Requires-Dist: cryptography >=36.0.2
 This is a package to verify and validate JSON Web Tokens (JWT) in Django.
 
 ### Installation
-1. Install the package using pip.
+1. Install the package using pip:
+```bash
+    pip install dj-jwt-auth
+```
 
 2. Add "django_jwt" to your INSTALLED_APPS setting like this::
 ```
     INSTALLED_APPS = [
         ...
-        'django_jwt',
+        "django_jwt",
     ]
 ```
 
@@ -45,39 +48,39 @@ This is a package to verify and validate JSON Web Tokens (JWT) in Django.
 ```
     MIDDLEWARE = [
         ...
-        'django_jwt.middleware.JWTAuthMiddleware',
+        "django_jwt.middleware.JWTAuthMiddleware",
     ]
 ```
 
 ### Configuration:
 Required variables:
-- OIDC_CONFIG_ROUTES - dict of 'algorithm': 'config_url', by default is empty. If filled will be used instead of OIDC_CERTS_URL
+- OIDC_CONFIG_ROUTES - dict of "algorithm": "config_url". Required for using JWTAuthMiddleware. Example: 
 ```
    OIDC_CONFIG_ROUTES = {
-       'RS256': 'https://keyCloak/realms/h/.well-known/openid-configuration',
-       'HS256': 'https://keyCloak/realms/h/.well-known/openid-configuration',
+       "RS256": "https://keyCloak/realms/h/.well-known/openid-configuration",
+       "HS256": "https://keyCloak/realms/h/.well-known/openid-configuration",
    } 
 ```
-
 Optional variables:
 - OIDC_AUDIENCE - by default ["account", "broker"]
+
 User retated variables:
 - OIDC_USER_UPDATE - if True, user model will be updated from userinfo endpoint if MODIFIED date has changed, by default True
 - OIDC_USER_MODIFIED_FIELD - user model field to store last modified date, by default `modified_timestamp`
 - OIDC_TOKEN_MODIFIED_FIELD - access token field to store last modified date, by default `updated_at`
-- OIDC_USER_UID - User model' unique identifier, by default `kc_id`
+- OIDC_USER_UID - User model" unique identifier, by default `kc_id`
 - OIDC_USER_MAPPING - mapping between JWT claims and user model fields, by default:
 ```
     OIDC_USER_MAPPING = {
-        'first_name': 'first_name',
-        'last_name': 'last_name',
-        'username': 'username',
+        "first_name": "first_name",
+        "last_name": "last_name",
+        "username": "username",
     }
 ```
 - OIDC_USER_DEFAULTS - default values for user model fields, by default:
 ```
     OIDC_USER_DEFAULTS = {
-        'is_active': True,
+        "is_active": True,
     }
 ```
 
@@ -86,8 +89,41 @@ User retated variables:
     OIDC_USER_ON_CREATE = None
     OIDC_USER_ON_UPDATE = None
 ```
-- OIDC_ADMIN_ISSUER - URL of the OIDC provider, by default None
 These functions should accept two arguments: user and request.
 
+### Admin panel integration:
+To integrate admin panel with OIDC, add OIDC_ADMIN_ISSUER and OIDC_ADMIN_CLIENT_ID to settings.
+- OIDC_ADMIN_ISSUER - required for admin-panel access through OIDC. Example: 
+```
+    OIDC_ADMIN_ISSUER = "https://keyCloak/realms/h/.well-known/openid-configuration"
+```
+- OIDC_ADMIN_CLIENT_ID - by default "complete-anatomy"
+To mapping roles to admin panel permissions, use OIDC_ADMIN_ROLES. Example:
+
+```python
+
+from django_jwt.roles import ROLE
+
+OIDC_ADMIN_ROLES = [
+    ROLE(
+        name="admin",  # name from token
+        is_superuser=True,
+    ),
+    ROLE(
+        name="staff",
+        groups=["LMS (Full)", "Organizations (Full)", "Customer Support (Full)"],
+        permissions=["Can add user"],
+    ),
+]
+```
+And add login view to urls.py:
+```python
+urlpatterns = [
+    path("admin/", include("django_jwt.urls")),
+    ...
+]
+```
+Login URL will be available at `/admin/oidc/`.
+
 ### Testing:
 Run command `python runtests.py` to run tests.

{dj_jwt_auth-1.2.1.dist-info → dj_jwt_auth-1.3.1.dist-info}/RECORD

@@ -3,16 +3,17 @@ django_jwt/config.py,sha256=BM_JeyJRB9qms9W5jcykkAJ5Cq3JqyAgvNE6dRrXSYw,1301
 django_jwt/exceptions.py,sha256=vFJcGOCSZvxJRbSeMgWgPUM9wcXu6CSHblpwMzhV-Ic,198
 django_jwt/middleware.py,sha256=4PiF0-v13aLjvTyeyumQqYFimb6gCDHBgm6KooPGZdM,1176
 django_jwt/pkce.py,sha256=HYIQI0vKSmQkYIqTj3cciIT01ldkjhqlYiXkYcnNSGc,711
-django_jwt/settings.py,sha256=qfrKNbfLVEB9vpCRJKXfWr01OrkLaEWvgoUAoiByxR8,1266
+django_jwt/roles.py,sha256=SaHK3o8T8USS4ZhG4SrHPlZQV2lMb2t1UZHT6IQtBvA,143
+django_jwt/settings.py,sha256=HnuHNoM3H5sGfDRc9hvXZDa9iTyleMNrN9Ted5KmFRk,1474
 django_jwt/urls.py,sha256=OoKbJ2kf41tuDBnVjK5TTW4aVt9bhRaz59HFlUOAins,251
-django_jwt/user.py,sha256=NiGMnBQ2mYvjt6hc780kg9di3oHQTCYaKna9FTHf7iM,3601
+django_jwt/user.py,sha256=_ZZdfAFdQeScMmWwkrzo-5XjTKMVCbmfK4FPpiCbaQQ,5021
 django_jwt/utils.py,sha256=Gz8cH0cD3y_cvW8FwRoCFgShBrYvcB7XBF0GWx0n2qQ,1485
-django_jwt/views.py,sha256=c6PbLakjLifb80EcZsdqIg98ulTw7tyuNe8JXezzE-c,3648
+django_jwt/views.py,sha256=Mwcd70Qrp5aeZYgXWBMzkm8DD01Tf1nAVlfq6wIlhQY,3705
 tests/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/models.py,sha256=K5e0QCgyZeLLHS6i3KRMQHooql47g7qqni7f9tKQrIY,251
-tests/test.py,sha256=R2TtHRgsJe6p3hOHvGS8ZnZ48AjFn7RNFwSjYRhLHoY,5572
+tests/test.py,sha256=uZz9eG1nC1CljITD6K79Ruodtr8SDPEnBSt_5GOLVSc,7460
 tests/urls.py,sha256=D5FhDSVAudurkrpkCZZPnDvgXSgifwFVB3nAlYBg7uQ,212
-dj_jwt_auth-1.2.1.dist-info/METADATA,sha256=X8726z0gEDLWVzrRCe49invokaFxj_ItuzS6w8crT2A,3128
-dj_jwt_auth-1.2.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-dj_jwt_auth-1.2.1.dist-info/top_level.txt,sha256=58O7TdK-yECZcbmPc52KNlBFpjIUlENuZubCxaSOxus,17
-dj_jwt_auth-1.2.1.dist-info/RECORD,,
+dj_jwt_auth-1.3.1.dist-info/METADATA,sha256=EurjeCr-WQKFOZcAmjOs2p7Q7afp0KTWXfGQUK_0U04,3994
+dj_jwt_auth-1.3.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+dj_jwt_auth-1.3.1.dist-info/top_level.txt,sha256=58O7TdK-yECZcbmPc52KNlBFpjIUlENuZubCxaSOxus,17
+dj_jwt_auth-1.3.1.dist-info/RECORD,,

django_jwt/roles.py

@@ -0,0 +1,3 @@
+from collections import namedtuple
+
+ROLE = namedtuple("Role", ["name", "is_superuser", "groups", "permissions"], defaults=["", False, [], []])

django_jwt/settings.py

@@ -1,4 +1,5 @@
 from django.conf import settings
+from django_jwt.roles import ROLE
 
 OIDC_AUDIENCE = getattr(settings, "OIDC_AUDIENCE", ["account", "broker"])
 OIDC_CONFIG_URL = getattr(settings, "OIDC_CONFIG_URL", None)
@@ -39,3 +40,7 @@ OIDC_CONFIG_ROUTES = getattr(settings, "OIDC_CONFIG_ROUTES", None)
 OIDC_ADMIN_ISSUER = getattr(settings, "OIDC_ADMIN_ISSUER", None)
 OIDC_ADMIN_CLIENT_ID = getattr(settings, "OIDC_ADMIN_CLIENT_ID", "complete-anatomy")
 OIDC_ADMIN_SCOPE = getattr(settings, "OIDC_ADMIN_SCOPE", "openid")
+OIDC_ADMIN_ROLES = getattr(settings, "OIDC_ADMIN_ROLES", [])
+
+for role in OIDC_ADMIN_ROLES:
+    assert isinstance(role, ROLE), f"Role must be a namedtuple, got {type(role)}"

django_jwt/user.py

@@ -1,8 +1,10 @@
 from datetime import datetime
+from functools import cache
 from logging import getLogger
 
 import pytz
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group, Permission
 from django.http.request import HttpRequest
 
 from django_jwt import settings
@@ -100,3 +102,45 @@ class UserHandler:
                 return self._get_by_email()
             except model.DoesNotExist:
                 return self._create_new_user()
+
+
+class RoleHandler:
+    """
+    Process user roles and permissions from access token.
+    Token be like:
+    ...
+    "resource_access": {
+        "complete_anatomy": {
+            "roles": [
+                "admin"
+            ]
+        }
+    },
+    """
+
+    @property
+    def roles(self) -> dict:
+        return {role.name: role for role in settings.OIDC_ADMIN_ROLES}
+
+    @cache
+    def get_permissions(self, role_name: str) -> Permission:
+        return Permission.objects.filter(codename__in=self.roles[role_name].permissions)
+
+    @cache
+    def get_groups(self, role_name: str) -> Group:
+        return Group.objects.filter(name__in=self.roles[role_name].groups)
+
+    def apply(self, user: model, access_token: dict):
+        token_roles = access_token.get("resource_access", {}).get(settings.OIDC_ADMIN_CLIENT_ID, {}).get("roles", [])
+        for role_name in token_roles:
+            if role_name in self.roles:
+                role = self.roles[role_name]
+                user.groups.add(*self.get_groups(role_name))
+                user.user_permissions.add(*self.get_permissions(role_name))
+                if role.is_superuser != user.is_superuser:
+                    user.is_superuser = role.is_superuser
+                    user.save(update_fields=["is_superuser"])
+                break
+
+
+role_handler = RoleHandler()

django_jwt/views.py

@@ -17,7 +17,7 @@ from django_jwt import settings as jwt_settings
 from django_jwt.config import config
 from django_jwt.exceptions import BadRequestException, ConfigException
 from django_jwt.pkce import PKCESecret
-from django_jwt.user import UserHandler
+from django_jwt.user import UserHandler, role_handler
 from django_jwt.utils import get_access_token, oidc_handler
 
 log = getLogger(__name__)
@@ -81,6 +81,7 @@ class ReceiveRedirectView(AbsView):
             data = oidc_handler.decode_token(token)
             user = UserHandler(data, request, token).get_user()
             log.info(f"OIDC Admin login: {user}", extra={"data": data})
+            role_handler.apply(user, data)
             if not user.is_staff:
                 raise BadRequestException("User is not staff")
             login(request, user, backend=settings.DEFAULT_AUTHENTICATION_BACKEND)

tests/test.py

@@ -2,12 +2,15 @@ from http import HTTPStatus
 from unittest.mock import Mock, patch
 
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group, Permission
 from django.test import TestCase
 from django.urls import reverse
 from jwt.api_jwt import ExpiredSignatureError
 
 from django_jwt import settings
 from django_jwt.middleware import JWTAuthMiddleware
+from django_jwt.user import role_handler
+from django_jwt.roles import ROLE
 
 access_token_payload = {
     "sub": "12345",
@@ -102,13 +105,6 @@ class OIDCHandlerTest(TestCase):
         # fields are updated if they are changed in KeyCloak
         self.assertUserWithPayload()
 
-    # def test_roles(self, decode_token):
-    #     """User has admin and staff roles"""
-    #     decode_token.return_value["realm_access"]["roles"] = ["admin", "staff"]
-    #     self.middleware.process_request(self.request)
-    #     self.assertTrue(self.request.user.is_staff)
-    #     self.assertTrue(self.request.user.is_superuser)
-
     def test_profile_info(self, *_):
         """User has profile info"""
 
@@ -140,3 +136,47 @@ class OIDCHandlerTest(TestCase):
         User.objects.create(kc_id="1234", first_name="", last_name="", username="")
         self.middleware.process_request(self.request)
         self.assertEqual(self.request.user.username, "on_update")
+
+
+class RolesTest(TestCase):
+    def setUp(self) -> None:
+        self.user = User.objects.create(username="user")
+        settings.OIDC_ADMIN_ROLES = [
+            ROLE(
+                name="admin",
+                is_superuser=True,
+            ),
+            ROLE(
+                name="staff",
+                groups=["staff group"],
+                permissions=["add_user", "change_user", "delete_user"],
+            ),
+        ]
+        self.group = Group.objects.create(name="staff group")
+        self.permission = Permission.objects.get(name="Can add user")
+        self.access_token = {"resource_access": {settings.OIDC_ADMIN_CLIENT_ID: {"roles": ["staff"]}}}
+
+    def test_staff_role(self):
+        self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["staff"]
+        role_handler.apply(self.user, self.access_token)
+        self.assertTrue(self.user.groups.filter(name="staff group").exists())
+        self.assertTrue(self.user.user_permissions.filter(codename="add_user").exists())
+        self.assertFalse(self.user.is_superuser)
+
+    def test_admin_role(self):
+        self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["admin"]
+        role_handler.apply(self.user, self.access_token)
+        self.assertTrue(self.user.is_superuser)
+
+    def test_apply_staff_then_admin_role(self):
+        self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["staff"]
+        role_handler.apply(self.user, self.access_token)
+        self.assertFalse(self.user.is_superuser)
+        self.assertTrue(self.user.groups.filter(name="staff group").exists())
+        self.assertTrue(self.user.user_permissions.filter(codename="add_user").exists())
+
+        self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["admin"]
+        role_handler.apply(self.user, self.access_token)
+        self.assertTrue(self.user.is_superuser)
+        self.assertTrue(self.user.groups.filter(name="staff group").exists())
+        self.assertTrue(self.user.user_permissions.filter(codename="add_user").exists())