From f69c69e73e023d230cff9db3a9158dd5a83f8204 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Date: Tue, 28 May 2024 08:36:14 +0200
Subject: [PATCH] feat(auth): Use allauth and setup dev login

---
 .credentials/KANIDM_SECRET                    |  1 +
 default.nix                                   |  1 +
 src/app/settings.py                           | 30 ++++++++
 src/app/urls.py                               |  2 +
 src/dgsi/auth.py                              |  0
 src/shared/templates/_footer.html             |  6 ++
 src/shared/templates/_hero.html               | 26 +++++++
 src/shared/templates/_links.html              | 12 +++
 .../templates/allauth/elements/button.html    | 13 ++++
 .../templates/allauth/elements/fields.html    |  1 +
 .../templates/allauth/elements/provider.html  |  1 +
 .../allauth/elements/provider_list.html       |  6 ++
 .../templates/allauth/layouts/base.html       | 77 +++++++++++++++++++
 src/shared/templates/base.html                | 39 +---------
 src/shared/templates/login.html               | 29 +++++++
 15 files changed, 208 insertions(+), 36 deletions(-)
 create mode 100644 .credentials/KANIDM_SECRET
 delete mode 100644 src/dgsi/auth.py
 create mode 100644 src/shared/templates/_footer.html
 create mode 100644 src/shared/templates/_hero.html
 create mode 100644 src/shared/templates/_links.html
 create mode 100644 src/shared/templates/allauth/elements/button.html
 create mode 100644 src/shared/templates/allauth/elements/fields.html
 create mode 100644 src/shared/templates/allauth/elements/provider.html
 create mode 100644 src/shared/templates/allauth/elements/provider_list.html
 create mode 100644 src/shared/templates/allauth/layouts/base.html

diff --git a/.credentials/KANIDM_SECRET b/.credentials/KANIDM_SECRET
new file mode 100644
index 0000000..ccedbb7
--- /dev/null
+++ b/.credentials/KANIDM_SECRET
@@ -0,0 +1 @@
+MpWq4pgWKhVZDFve1Acy4DvjBrCSBe1Q4y2VUfYUSFXBfP9G
diff --git a/default.nix b/default.nix
index 78c35f9..a339fb9 100644
--- a/default.nix
+++ b/default.nix
@@ -60,6 +60,7 @@ in
       CREDENTIALS_DIRECTORY = builtins.toString ./.credentials;
       DGSI_DEBUG = "true";
       DGSI_STATIC_ROOT = builtins.toString ./.static;
+      DGSI_KANIDM_CLIENT = "dgsi_test";
     };
 
     shellHook = ''
diff --git a/src/app/settings.py b/src/app/settings.py
index 8982aa3..af2393f 100644
--- a/src/app/settings.py
+++ b/src/app/settings.py
@@ -33,6 +33,12 @@ INSTALLED_APPS = [
     "shared.staticfiles.StaticFilesApp",  # Overrides the default staticfiles app to filter out the sccs sources
     "sass_processor",
     "bulma",
+    # Authentication
+    "allauth",
+    "allauth.account",
+    "allauth.socialaccount",
+    "allauth.socialaccount.providers.openid_connect",
+    # Main app
     "dgsi",
 ]
 
@@ -47,6 +53,7 @@ MIDDLEWARE = [
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "allauth.account.middleware.AccountMiddleware",
 ]
 
 ###
@@ -96,8 +103,31 @@ DATABASES = {
 
 
 ###
+# Authentication configuration
 # Disable password validation, no authentication should use local passwords
 
+AUTHENTICATION_BACKENDS = [
+    "allauth.account.auth_backends.AuthenticationBackend",
+]
+
+SOCIALACCOUNT_ONLY = True
+SOCIALACCOUNT_PROVIDERS = {
+    "openid_connect": {
+        "OAUTH_PKCE_ENABLED": True,
+        "APPS": [
+            {
+                "provider_id": "kanidm",
+                "name": "DGNum",
+                "client_id": credentials["KANIDM_CLIENT"],
+                "secret": credentials["KANIDM_SECRET"],
+                "settings": {
+                    "server_url": f"https://sso.dgnum.eu/oauth2/openid/{credentials['KANIDM_CLIENT']}",
+                },
+            }
+        ],
+    },
+}
+
 AUTH_PASSWORD_VALIDATORS = []
 
 
diff --git a/src/app/urls.py b/src/app/urls.py
index 97fcd2c..19fb416 100644
--- a/src/app/urls.py
+++ b/src/app/urls.py
@@ -22,7 +22,9 @@ from django.views.generic import TemplateView
 
 urlpatterns = [
     path("", TemplateView.as_view(template_name="home.html"), name="index"),
+    path("login", TemplateView.as_view(template_name="login.html"), name="login"),
     path("", include("dgsi.urls")),
+    path("accounts/", include("allauth.urls")),
 ]
 
 if settings.DEBUG:
diff --git a/src/dgsi/auth.py b/src/dgsi/auth.py
deleted file mode 100644
index e69de29..0000000
diff --git a/src/shared/templates/_footer.html b/src/shared/templates/_footer.html
new file mode 100644
index 0000000..f58de5e
--- /dev/null
+++ b/src/shared/templates/_footer.html
@@ -0,0 +1,6 @@
+{% load  django_browser_reload %}
+
+<footer class="footer has-text-centered">
+  <b>Logiciel développé pour et par la <a href="https://dgnum.eu">DGNum</a>.</b>
+  {% django_browser_reload_script %}
+</footer>
diff --git a/src/shared/templates/_hero.html b/src/shared/templates/_hero.html
new file mode 100644
index 0000000..a791240
--- /dev/null
+++ b/src/shared/templates/_hero.html
@@ -0,0 +1,26 @@
+{% load i18n %}
+
+<section class="hero is-dark is-primary">
+  <div class="hero-body">
+    <div class="container">
+      <div class="grid">
+        <div class="cell">
+          <h1 class="title">
+            <a href="{% url 'index' %}" class="has-text-dark">Dossier Général des Services Informagiques</a>
+          </h1>
+          <h2 class="subtitle">Système d'information de la DGNum</h2>
+        </div>
+        <div class="cell">
+          <a href="{% url 'login' %}" class="button is-light is-pulled-right">
+            <span>
+              <span>{% trans "Connexion" %}</span>
+              <span class="icon">
+                <i class="ti ti-login"></i>
+              </span>
+            </span>
+          </a>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
diff --git a/src/shared/templates/_links.html b/src/shared/templates/_links.html
new file mode 100644
index 0000000..14ee324
--- /dev/null
+++ b/src/shared/templates/_links.html
@@ -0,0 +1,12 @@
+{% load sass_tags static %}
+
+<!-- Icons -->
+<link href="{% static 'favicon.ico' %}" rel="icon" />
+<link href="{% static 'apple-touch-icon.png' %}" rel="apple-touch-icon" />
+<link rel="icon" type="image/png" href="{% static 'favicon-16x16.png' %}" sizes="16x16" />
+<link rel="icon" type="image/png" href="{% static 'favicon-32x32.png' %}" sizes="32x32" />
+<link rel="icon" type="image/png" href="{% static 'android-chrome-192x192.png' %}" sizes="192x192" />
+
+<!-- CSS -->
+<link href="{% sass_src 'bulma/bulma.scss' %}" rel="stylesheet" type="text/css" />
+<link href="{% static 'tabler-icons/tabler-icons.min.css' %}" rel="stylesheet" type="text/css" />
diff --git a/src/shared/templates/allauth/elements/button.html b/src/shared/templates/allauth/elements/button.html
new file mode 100644
index 0000000..e168e8e
--- /dev/null
+++ b/src/shared/templates/allauth/elements/button.html
@@ -0,0 +1,13 @@
+{% load allauth %}
+{% comment %} djlint:off {% endcomment %}
+<{% if attrs.href %}a href="{{ attrs.href }}"{% else %}button{% endif %}
+{% if attrs.form %}form="{{ attrs.form }}"{% endif %}
+{% if attrs.id %}id="{{ attrs.id }}"{% endif %}
+{% if attrs.name %}name="{{ attrs.name }}"{% endif %}
+{% if attrs.value %}value="{{ attrs.value }}"{% endif %}
+{% if attrs.type %}type="{{ attrs.type }}"{% endif %}
+class="button is-fullwidth"
+>
+{% slot %}
+{% endslot %}
+</{% if attrs.href %}a{% else %}button{% endif %}>
diff --git a/src/shared/templates/allauth/elements/fields.html b/src/shared/templates/allauth/elements/fields.html
new file mode 100644
index 0000000..e291ba1
--- /dev/null
+++ b/src/shared/templates/allauth/elements/fields.html
@@ -0,0 +1 @@
+{% include "bulma/form.html" with form=attrs.form %}
diff --git a/src/shared/templates/allauth/elements/provider.html b/src/shared/templates/allauth/elements/provider.html
new file mode 100644
index 0000000..36bc3f7
--- /dev/null
+++ b/src/shared/templates/allauth/elements/provider.html
@@ -0,0 +1 @@
+<a class="cell button is-primary is-light" title="{{ attrs.name }}" href="{{ attrs.href }}">{{ attrs.name }}</a>
diff --git a/src/shared/templates/allauth/elements/provider_list.html b/src/shared/templates/allauth/elements/provider_list.html
new file mode 100644
index 0000000..8430750
--- /dev/null
+++ b/src/shared/templates/allauth/elements/provider_list.html
@@ -0,0 +1,6 @@
+{% load allauth %}
+
+<div class="grid mt-5">
+  {% slot default %}
+  {% endslot %}
+</div>
diff --git a/src/shared/templates/allauth/layouts/base.html b/src/shared/templates/allauth/layouts/base.html
new file mode 100644
index 0000000..3746ddc
--- /dev/null
+++ b/src/shared/templates/allauth/layouts/base.html
@@ -0,0 +1,77 @@
+{% load django_browser_reload i18n sass_tags static %}
+
+<!DOCTYPE html>
+<html lang="fr">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="keywords" content="dgnum,dgsi,ens" />
+    <meta name="description" content="Système d'information de la DGNum" />
+    <title>DGNum</title>
+
+    {% include "_links.html" %}
+  </head>
+
+  <body>
+    {% include "_hero.html" %}
+
+    <section class="section container">
+      <nav class="level">
+        {% if user.is_authenticated %}
+          {% url 'account_email' as email_url %}
+          {% if email_url %}
+            <li class="level-item button is-light">
+              <a href="{{ email_url }}">{% trans "Change Email" %}</a>
+            </li>
+          {% endif %}
+          {% url 'account_change_password' as change_password_url %}
+          {% if change_password_url %}
+            <li class="level-item button is-light">
+              <a href="{{ change_password_url }}">{% trans "Change Password" %}</a>
+            </li>
+          {% endif %}
+          {% url 'mfa_index' as mfa_url %}
+          {% if mfa_url %}
+            <li class="level-item button is-light">
+              <a href="{{ mfa_url }}">{% trans "Two-Factor Authentication" %}</a>
+            </li>
+          {% endif %}
+          {% url 'usersessions_list' as usersessions_list_url %}
+          {% if usersessions_list_url %}
+            <li class="level-item button is-light">
+              <a href="{{ usersessions_list_url }}">{% trans "Sessions" %}</a>
+            </li>
+          {% endif %}
+          {% url 'account_logout' as logout_url %}
+          {% if logout_url %}
+            <li class="level-item button is-light">
+              <a href="{{ logout_url }}">{% trans "Sign Out" %}</a>
+            </li>
+          {% endif %}
+        {% else %}
+          {% url 'account_login' as login_url %}
+          {% if login_url %}
+            <li class="level-item button is-light has-text-weight-bold">
+              <a href="{{ login_url }}">{% trans "Sign In" %}</a>
+            </li>
+          {% endif %}
+          {% url 'account_signup' as signup_url %}
+          {% if signup_url %}
+            <li class="level-item button is-light has-text-weight-bold">
+              <a href="{{ signup_url }}">{% trans "Sign Up" %}</a>
+            </li>
+          {% endif %}
+        {% endif %}
+      </nav>
+
+      <hr>
+
+      <div class="content">
+        {% block content %}
+        {% endblock content %}
+      </div>
+    </section>
+
+    {% include "_footer.html" %}
+  </body>
+</html>
diff --git a/src/shared/templates/base.html b/src/shared/templates/base.html
index 18ce3f7..3432ddc 100644
--- a/src/shared/templates/base.html
+++ b/src/shared/templates/base.html
@@ -1,5 +1,3 @@
-{% load django_browser_reload sass_tags static %}
-
 <!DOCTYPE html>
 <html lang="fr">
   <head>
@@ -9,48 +7,17 @@
     <meta name="description" content="Système d'information de la DGNum" />
     <title>DGNum</title>
 
-    <!-- Icons -->
-    <link href="{% static 'favicon.ico' %}" rel="icon" />
-    <link href="{% static 'apple-touch-icon.png' %}" rel="apple-touch-icon" />
-    <link rel="icon"
-          type="image/png"
-          href="{% static 'favicon-16x16.png' %}"
-          sizes="16x16" />
-    <link rel="icon"
-          type="image/png"
-          href="{% static 'favicon-32x32.png' %}"
-          sizes="32x32" />
-    <link rel="icon"
-          type="image/png"
-          href="{% static 'android-chrome-192x192.png' %}"
-          sizes="192x192" />
-
-    <!-- CSS -->
-    <link href="{% sass_src 'bulma/bulma.scss' %}"
-          rel="stylesheet"
-          type="text/css" />
+    {% include "_links.html" %}
   </head>
 
   <body>
-    <section class="hero is-dark is-primary">
-      <div class="hero-body">
-        <div class="container">
-          <h1 class="title">
-            <a href="{% url 'index' %}" class="has-text-dark">Dossier Général des Services Informagiques</a>
-          </h1>
-          <h2 class="subtitle">Système d'information de la DGNum</h2>
-        </div>
-      </div>
-    </section>
+    {% include "_hero.html" %}
 
     <section class="section">
       {% block content %}
       {% endblock content %}
     </section>
 
-    <footer class="footer has-text-centered">
-      <b>Logiciel développé pour et par la <a href="https://dgnum.eu">DGNum</a>.</b>
-      {% django_browser_reload_script %}
-    </footer>
+    {% include "_footer.html" %}
   </body>
 </html>
diff --git a/src/shared/templates/login.html b/src/shared/templates/login.html
index e69de29..03e6ca0 100644
--- a/src/shared/templates/login.html
+++ b/src/shared/templates/login.html
@@ -0,0 +1,29 @@
+{% extends "base.html" %}
+
+{% load i18n socialaccount %}
+
+{% block content %}
+  <div class="fixed-grid">
+    <div class="grid">
+      <a href="{% provider_login_url 'kanidm' %}"
+         class="cell has-background-primary-dark p-6 has-radius-normal has-text-centered has-text-white">
+        <span class="icon-text">
+          <span class="icon">
+            <i class="ti ti-login"></i>
+          </span>
+          <span><b>{% trans "Connexion via la DGNum" %}</b></span>
+        </span>
+      </a>
+
+      <a href="{% provider_login_url 'kanidm' %}"
+         class="cell has-background-primary p-6 has-radius-normal has-text-centered has-text-white">
+        <span class="icon-text">
+          <span class="icon">
+            <i class="ti ti-login"></i>
+          </span>
+          <span><b>{% trans "Connexion via l'ENS" %}</b></span>
+        </span>
+      </a>
+    </div>
+  </div>
+{% endblock content %}