PyPI - dj-jwt-auth - Versions diffs - 1.4.1__py3-none-any.whl → 1.5.1__py3-none-any.whl - Mend

dj-jwt-auth 1.4.1py3-none-any.whl → 1.5.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/METADATA +14 -6
{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/RECORD +10 -10
django_jwt/config.py +9 -2
django_jwt/settings.py +9 -2
django_jwt/urls.py +1 -0
django_jwt/user.py +13 -6
django_jwt/views.py +27 -7
tests/test.py +37 -2
{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/WHEEL +0 -0
{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/top_level.txt +0 -0

{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dj-jwt-auth
-Version: 1.4.1
+Version: 1.5.1
 Summary: A Django package for JSON Web Token validation and verification. Using PyJWT.
 Home-page: https://www.example.com/
 Author: Konstantin Seleznev
@@ -70,14 +70,22 @@ User retated variables:
 - OIDC_TOKEN_MODIFIED_FIELD - access token field to store last modified date, by default `updated_at`
 - OIDC_USER_UID - User model" unique identifier, by default `kc_id`
 - OIDC_TOKEN_USER_UID - access token field to store user UID, by default `sub`
-- OIDC_USER_MAPPING - mapping between JWT claims and user model fields, by default:
+- OIDC_USER_MAPPING - mapping between JWT claims and user model fields. Can be dict or function. By default:
 ```
     OIDC_USER_MAPPING = {
-        "first_name": "first_name",
-        "last_name": "last_name",
-        "username": "username",
+        "given_name": "first_name",
+        "family_name": "last_name",
+        "name": "username",
     }
 ```
+OR
+```
+    def OIDC_USER_MAPPING(userinfo):
+        return {
+            "first_name": userinfo.get("given_name"),
+            "last_name": userinfo.get("family_name"),
+            "username": userinfo.get("name"),
+        }
 - OIDC_USER_DEFAULTS - default values for user model fields, by default:
 ```
     OIDC_USER_DEFAULTS = {
@@ -94,7 +102,7 @@ These functions should accept two arguments: user and request.
 ### Admin panel integration:
 To integrate admin panel with OIDC, add OIDC_ADMIN_ISSUER and OIDC_ADMIN_CLIENT_ID to settings.
-- OIDC_ADMIN_ISSUER - required for admin-panel access through OIDC. Example:
+- OIDC_ADMIN_ISSUER - for admin-panel access through OIDC. By default will be used 'ES256' from OIDC_CONFIG_ROUTES. Example:
 ```
     OIDC_ADMIN_ISSUER = "https://keyCloak/realms/h/.well-known/openid-configuration"
 ```

{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/RECORD RENAMED Viewed

@@ -1,19 +1,19 @@
 django_jwt/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-django_jwt/config.py,sha256=BM_JeyJRB9qms9W5jcykkAJ5Cq3JqyAgvNE6dRrXSYw,1301
+django_jwt/config.py,sha256=-9JkGjMXRVNmQYPvrEwaoJacu068nySNfjMyo5DtXcw,1550
 django_jwt/exceptions.py,sha256=vFJcGOCSZvxJRbSeMgWgPUM9wcXu6CSHblpwMzhV-Ic,198
 django_jwt/middleware.py,sha256=4PiF0-v13aLjvTyeyumQqYFimb6gCDHBgm6KooPGZdM,1176
 django_jwt/pkce.py,sha256=HYIQI0vKSmQkYIqTj3cciIT01ldkjhqlYiXkYcnNSGc,711
 django_jwt/roles.py,sha256=SaHK3o8T8USS4ZhG4SrHPlZQV2lMb2t1UZHT6IQtBvA,143
-django_jwt/settings.py,sha256=NhA0froKOtkAD4QeO1TpEHdEPY-7z85wue9ceA8-sJ4,1552
-django_jwt/urls.py,sha256=OoKbJ2kf41tuDBnVjK5TTW4aVt9bhRaz59HFlUOAins,251
-django_jwt/user.py,sha256=DW87Vt22rt-DOFH6wmgHSbcoHPa19yuAkGijhhu0uxA,5011
+django_jwt/settings.py,sha256=gJePa3ER0vY6k5sDk-L1VagjbF4_dYrP0zrRJkGNY6Y,1708
+django_jwt/urls.py,sha256=PmNoMxcVg_1oCDHHQJFAcPxhPAOkiMhd4PFnS-Q3JLA,326
+django_jwt/user.py,sha256=DrUpsaGEv7P9Qi7GxcabPKH76mv8rSWpsnvxUMlmjGQ,5241
 django_jwt/utils.py,sha256=Gz8cH0cD3y_cvW8FwRoCFgShBrYvcB7XBF0GWx0n2qQ,1485
-django_jwt/views.py,sha256=Mwcd70Qrp5aeZYgXWBMzkm8DD01Tf1nAVlfq6wIlhQY,3705
+django_jwt/views.py,sha256=LweS9G_NBeiuVDLhtm_GtOi_Ok6Sz5KJVTU62k91Jcg,4352
 tests/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/models.py,sha256=K5e0QCgyZeLLHS6i3KRMQHooql47g7qqni7f9tKQrIY,251
-tests/test.py,sha256=OzfDEIgbDZvCinV_terIYEYjq7vPvhQQIqa0qgQNtxo,7405
+tests/test.py,sha256=g1Itea87V6hqnK3FGX_nSq0znLRFxPW6WDNTuxYPf3M,8785
 tests/urls.py,sha256=D5FhDSVAudurkrpkCZZPnDvgXSgifwFVB3nAlYBg7uQ,212
-dj_jwt_auth-1.4.1.dist-info/METADATA,sha256=-9vahYCqTZgczLROxpUTROC5citx4QCQzJkN5fg5CME,4073
-dj_jwt_auth-1.4.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-dj_jwt_auth-1.4.1.dist-info/top_level.txt,sha256=58O7TdK-yECZcbmPc52KNlBFpjIUlENuZubCxaSOxus,17
-dj_jwt_auth-1.4.1.dist-info/RECORD,,
+dj_jwt_auth-1.5.1.dist-info/METADATA,sha256=4SsXuxjNUEW3lKT0ekPnpSnEthQ7Qdh14Umb8MKVcLw,4369
+dj_jwt_auth-1.5.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+dj_jwt_auth-1.5.1.dist-info/top_level.txt,sha256=58O7TdK-yECZcbmPc52KNlBFpjIUlENuZubCxaSOxus,17
+dj_jwt_auth-1.5.1.dist-info/RECORD,,

django_jwt/config.py CHANGED Viewed

@@ -1,5 +1,6 @@
 import json
 from functools import cache
+from urllib.parse import urljoin
 import requests
 from jwt.algorithms import ECAlgorithm, RSAAlgorithm
@@ -8,6 +9,12 @@ from django_jwt import settings
 from django_jwt.exceptions import ConfigException
+def ensure_well_known(url: str) -> str:
+    if url.endswith(".well-known/openid-configuration"):
+        return url
+    return urljoin(url, ".well-known/openid-configuration")
 class Config:
     def __init__(self):
         self.route = settings.OIDC_CONFIG_ROUTES
@@ -17,7 +24,7 @@ class Config:
         if not self.route:
             raise ConfigException("OIDC_CONFIG_ROUTES is not set")
-        response = requests.get(self.route[alg])
+        response = requests.get(ensure_well_known(self.route[alg]))
         response.raise_for_status()
         return response.json()
@@ -35,7 +42,7 @@ class Config:
     @cache
     def admin(self) -> dict:
         if settings.OIDC_ADMIN_ISSUER:
-            response = requests.get(settings.OIDC_ADMIN_ISSUER)
+            response = requests.get(ensure_well_known(settings.OIDC_ADMIN_ISSUER))
             response.raise_for_status()
             return response.json()
         raise ConfigException("OIDC_ADMIN_ISSUER is not set")

django_jwt/settings.py CHANGED Viewed

@@ -1,8 +1,8 @@
 from django.conf import settings
 from django_jwt.roles import ROLE
 OIDC_AUDIENCE = getattr(settings, "OIDC_AUDIENCE", ["account", "broker"])
-OIDC_CONFIG_URL = getattr(settings, "OIDC_CONFIG_URL", None)
 # key from KeyCloak; value is user model
 OIDC_USER_UPDATE = getattr(settings, "OIDC_USER_UPDATE", True)
@@ -37,11 +37,18 @@ OIDC_USER_ON_UPDATE = getattr(
     None,
 )
-OIDC_CONFIG_ROUTES = getattr(settings, "OIDC_CONFIG_ROUTES", None)
+OIDC_CONFIG_ROUTES = getattr(settings, "OIDC_CONFIG_ROUTES", {})
 OIDC_ADMIN_ISSUER = getattr(settings, "OIDC_ADMIN_ISSUER", None)
 OIDC_ADMIN_CLIENT_ID = getattr(settings, "OIDC_ADMIN_CLIENT_ID", "cs-completeanatomy-admin")
 OIDC_ADMIN_SCOPE = getattr(settings, "OIDC_ADMIN_SCOPE", "openid")
 OIDC_ADMIN_ROLES = getattr(settings, "OIDC_ADMIN_ROLES", [])
+if not OIDC_ADMIN_ISSUER:
+    OIDC_ADMIN_ISSUER = OIDC_CONFIG_ROUTES.get("ES256", None)
 for role in OIDC_ADMIN_ROLES:
     assert isinstance(role, ROLE), f"Role must be a namedtuple, got {type(role)}"
+assert isinstance(OIDC_USER_MAPPING, dict) or callable(
+    OIDC_USER_MAPPING
+), "OIDC_USER_MAPPING must be a dict or function"

django_jwt/urls.py CHANGED Viewed

@@ -4,5 +4,6 @@ from django_jwt import views
 urlpatterns = [
     path("oidc/callback/", views.ReceiveRedirectView.as_view(), name="receive_redirect_view"),
+    path("oidc/logout/", views.silent_sso_check, name="silent_sso_check"),
     path("oidc/", views.StartOIDCAuthView.as_view(), name="start_oidc_auth"),
 ]

django_jwt/user.py CHANGED Viewed

@@ -16,6 +16,12 @@ log = getLogger(__name__)
 model = get_user_model()
+def mapper(user_data: dict) -> dict:
+    if callable(settings.OIDC_USER_MAPPING):
+        return settings.OIDC_USER_MAPPING(user_data)
+    return {ca_key: user_data[kc_key] for kc_key, ca_key in settings.OIDC_USER_MAPPING.items() if kc_key in user_data}
 class UserHandler:
     modified_at = None
@@ -37,11 +43,9 @@ class UserHandler:
         """Collect user data from KeyCloak"""
         user_data = oidc_handler.get_user_info(self.access_token)
-        self.kwargs["email"] = user_data["email"].lower()
-        self.kwargs.update(
-            {ca_key: user_data[kc_key] for kc_key, ca_key in settings.OIDC_USER_MAPPING.items() if kc_key in user_data}
-        )
         log.info(f"User data: {self.kwargs}, access_token: {self.access_token}")
+        self.kwargs["email"] = user_data["email"].lower()
+        self.kwargs.update(mapper(user_data))
     def _update_user(self, user):
         """Update user fields if they are changed"""
@@ -130,17 +134,20 @@ class RoleHandler:
     def get_groups(self, role_name: str) -> Group:
         return Group.objects.filter(name__in=self.roles[role_name].groups)
-    def apply(self, user: model, access_token: dict):
+    def apply(self, user: model, access_token: dict) -> list[str]:
         token_roles = access_token.get("resource_access", {}).get(settings.OIDC_ADMIN_CLIENT_ID, {}).get("roles", [])
         for role_name in token_roles:
             if role_name in self.roles:
                 role = self.roles[role_name]
                 user.groups.add(*self.get_groups(role_name))
                 user.user_permissions.add(*self.get_permissions(role_name))
+                user.is_staff = True
                 if role.is_superuser != user.is_superuser:
                     user.is_superuser = role.is_superuser
-                    user.save(update_fields=["is_superuser"])
+                user.save(update_fields=["is_superuser", "is_staff"])
                 break
+        return token_roles
 role_handler = RoleHandler()

django_jwt/views.py CHANGED Viewed

@@ -8,7 +8,7 @@ from django.conf import settings
 from django.contrib.auth import login
 from django.core.cache import cache
 from django.http.response import HttpResponse
-from django.shortcuts import redirect
+from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.views import View
 from requests.exceptions import HTTPError
@@ -27,19 +27,34 @@ def silent_sso_check(request):
     return HttpResponse("<html><body><script>parent.postMessage(location.href, location.origin)</script></body></html>")
+def index_response(request, msg, status=400):
+    logout_url = config.admin().get("end_session_endpoint")
+    return render(
+        request,
+        "django-jwt-index.html",
+        {
+            "error_message": msg,
+            "login_url": reverse("start_oidc_auth"),
+            "logout_url": logout_url,
+            "redirect_uri": request.build_absolute_uri(reverse("start_oidc_auth")),
+        },
+        status=status,
+    )
 class AbsView(View):
     def dispatch(self, request, *args, **kwargs):
         try:
             return super().dispatch(request, *args, **kwargs)
         except HTTPError as exc:
             log.warning(f"OIDC Admin HTTPError: {exc}")
-            return HttpResponse(status=exc.response.status_code, content=exc.response.text)
+            return index_response(request=request, msg=exc.response.text, status=exc.response.status_code)
         except ConfigException as exc:
             return HttpResponse(content=str(exc), status=500)
         except BadRequestException as exc:
-            return HttpResponse(content=str(exc), status=400)
-        except Exception:
-            return redirect("start_oidc_auth")
+            return index_response(request=request, msg=str(exc))
+        except Exception as exc:
+            return index_response(request=request, msg=str(exc))
 class StartOIDCAuthView(AbsView):
@@ -81,10 +96,15 @@ class ReceiveRedirectView(AbsView):
             data = oidc_handler.decode_token(token)
             user = UserHandler(data, request, token).get_user()
             log.info(f"OIDC Admin login: {user}", extra={"data": data})
-            role_handler.apply(user, data)
+            roles = role_handler.apply(user, data)
             if not user.is_staff:
-                raise BadRequestException("User is not staff")
+                raise BadRequestException(f"User {user.email} is not staff\nRoles: {roles}")
             login(request, user, backend=settings.DEFAULT_AUTHENTICATION_BACKEND)
             return redirect("admin:index")
         raise BadRequestException("No PKCE secret found in cache")
+class LogoutView(AbsView):
+    def get(self, request):
+        return index_response(request, "Logged out", status=401)

tests/test.py CHANGED Viewed

@@ -3,14 +3,14 @@ from unittest.mock import Mock, patch
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group, Permission
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.urls import reverse
 from jwt.api_jwt import ExpiredSignatureError
 from django_jwt import settings
 from django_jwt.middleware import JWTAuthMiddleware
-from django_jwt.user import role_handler
 from django_jwt.roles import ROLE
+from django_jwt.user import role_handler
 access_token_payload = {
     "sub": "1234",
@@ -36,6 +36,16 @@ def _on_update(user, request):
     user.save()
+def test_mapper(user_data: dict) -> dict:
+    """Override user data - set username to 'override'"""
+    return {
+        "username": "override",
+        "first_name": user_data["given_name"],
+        "last_name": user_data["family_name"],
+    }
 @patch("django_jwt.utils.OIDCHandler.decode_token", return_value=access_token_payload)
 @patch("django_jwt.utils.OIDCHandler.get_user_info", return_value=user_info_payload)
 class OIDCHandlerTest(TestCase):
@@ -43,6 +53,11 @@ class OIDCHandlerTest(TestCase):
         self.middleware = JWTAuthMiddleware(get_response=lambda x: x)
         self.request = Mock()
         self.request.META = {"HTTP_AUTHORIZATION": "Bearer 1234"}
+        settings.OIDC_USER_MAPPING = {  # default mapping
+            "given_name": "first_name",
+            "family_name": "last_name",
+            "name": "username",
+        }
     def assertUserWithPayload(self):
         self.assertEqual(self.request.user.first_name, user_info_payload["given_name"])
@@ -135,6 +150,22 @@ class OIDCHandlerTest(TestCase):
         self.middleware.process_request(self.request)
         self.assertEqual(self.request.user.username, "on_update")
+    def test_user_data_mapping(self, *_):
+        """User data is mapped"""
+        settings.OIDC_USER_MAPPING = {"name": "username", "given_name": "last_name", "family_name": "first_name"}
+        self.middleware.process_request(self.request)
+        self.assertEqual(self.request.user.username, user_info_payload["name"])
+        self.assertEqual(self.request.user.first_name, user_info_payload["family_name"])
+        self.assertEqual(self.request.user.last_name, user_info_payload["given_name"])
+    def test_user_data_mapping_callable(self, *_):
+        """User data is mapped"""
+        settings.OIDC_USER_MAPPING = test_mapper
+        self.middleware.process_request(self.request)
+        self.assertEqual(self.request.user.username, "override")
 class RolesTest(TestCase):
     def setUp(self) -> None:
@@ -160,21 +191,25 @@ class RolesTest(TestCase):
         self.assertTrue(self.user.groups.filter(name="staff group").exists())
         self.assertTrue(self.user.user_permissions.filter(codename="add_user").exists())
         self.assertFalse(self.user.is_superuser)
+        self.assertTrue(self.user.is_staff)
     def test_admin_role(self):
         self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["admin"]
         role_handler.apply(self.user, self.access_token)
         self.assertTrue(self.user.is_superuser)
+        self.assertTrue(self.user.is_staff)
     def test_apply_staff_then_admin_role(self):
         self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["staff"]
         role_handler.apply(self.user, self.access_token)
         self.assertFalse(self.user.is_superuser)
+        self.assertTrue(self.user.is_staff)
         self.assertTrue(self.user.groups.filter(name="staff group").exists())
         self.assertTrue(self.user.user_permissions.filter(codename="add_user").exists())
         self.access_token["resource_access"][settings.OIDC_ADMIN_CLIENT_ID]["roles"] = ["admin"]
         role_handler.apply(self.user, self.access_token)
         self.assertTrue(self.user.is_superuser)
+        self.assertTrue(self.user.is_staff)
         self.assertTrue(self.user.groups.filter(name="staff group").exists())
         self.assertTrue(self.user.user_permissions.filter(codename="add_user").exists())

{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/WHEEL RENAMED Viewed

File without changes

{dj_jwt_auth-1.4.1.dist-info → dj_jwt_auth-1.5.1.dist-info}/top_level.txt RENAMED Viewed

File without changes

dj-jwt-auth 1.4.1__py3-none-any.whl → 1.5.1__py3-none-any.whl

dj-jwt-auth 1.4.1py3-none-any.whl → 1.5.1py3-none-any.whl