OAuth Browsable API Login

.travis.yml

@@ -28,4 +28,5 @@ before_script:
 script:
   - black --check ./src
   - tox -c ./src/tox.ini -e coverage
+  - tox -c ./src/tox.ini -e oauth
   - docker ps | grep api | grep -q healthy

docker-compose.yml

@@ -48,6 +48,7 @@ services:
       - CALLBACK_AUTHENTICATION
       - CLIENT_ID
       - CLIENT_SECRET
+      - OAUTH_AUTHORIZATION_URL
       - OAUTH_TOKEN_URL
       - PATH_TO_CLIENT_CERT
       - PATH_TO_VERIFY_CERT

env.template

@@ -60,15 +60,16 @@ MANAGER_IP="$(hostname -I | cut -d' ' -f1)"
 # Set to OAUTH if using OAuth Password Flow Authentication, callback url needs to be api/v2/results
 CALLBACK_AUTHENTICATION=TOKEN
 
-CLIENT_ID=sensor01.sms.internal
+CLIENT_ID=sensor01.sms.internal # must match FQDN
 CLIENT_SECRET=sensor-secret
 
 OAUTH_TOKEN_URL=https://scosmgrqa01.sms.internal:443/authserver/oauth/token
+OAUTH_AUTHORIZATION_URL=https://scosmgrqa01.sms.internal:443/authserver/oauth/authorize
 # Sensor certificate with private key used as client cert
 PATH_TO_CLIENT_CERT=test/sensor01.pem
 # Trusted Certificate Authority certificate to verify authserver and callback URL server certificate
 PATH_TO_VERIFY_CERT=test/scos_test_ca.crt
 # Path relative to configs/certs
 PATH_TO_JWT_PUBLIC_KEY=test/jwt_pubkey.pem
-# set to JWT to enable JWT authentication
+# set to OAUTH to enable OAUTH authentication
 AUTHENTICATION=TOKEN

nginx/conf.template

@@ -23,6 +23,9 @@ server {
     listen [::]:443 ssl;
     server_name ${DOMAINS};
 
+    # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
     # reduce "upstream response is buffered to a temporary file" warnings
     proxy_buffers 16 16k;
     proxy_buffer_size 16k;
@@ -50,6 +53,8 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-Host  $host;
+        proxy_set_header X-Forwarded-Port  $server_port;
         proxy_redirect off;
         proxy_pass   http://wsgi-server;
     }

src/authentication/auth.py

@@ -1,3 +1,4 @@
+import json
 import logging
 
 import jwt
@@ -14,7 +15,12 @@
     in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
 )
 oauth_jwt_authentication_enabled = (
-    "authentication.auth.OAuthJWTAuthentication"
+    "authentication.auth.OAuthAPIJWTAuthentication"
+    in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+)
+
+oauth_session_authentication_enabled = (
+    "authentication.auth.OAuthSessionAuthentication"
     in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
 )
 
@@ -28,7 +34,64 @@ def jwt_request_has_required_role(request):
     return False
 
 
-class OAuthJWTAuthentication(authentication.BaseAuthentication):
+def decode_token(token):
+    public_key = ""
+    try:
+        with open(settings.PATH_TO_JWT_PUBLIC_KEY) as public_key_file:
+            public_key = public_key_file.read()
+    except Exception as e:
+        logger.error(e)
+    if not public_key:
+        error = exceptions.AuthenticationFailed(
+            "Unable to get public key to decode jwt"
+        )
+        logger.error(error)
+        raise error
+    try:
+        # decode JWT token
+        # verifies jwt signature using RS256 algorithm and public key
+        # requires exp claim to verify token is not expired
+        # decodes and returns base64 encoded payload
+        return jwt.decode(
+            token,
+            public_key,
+            verify=True,
+            algorithms="RS256",
+            options={"require": ["exp"], "verify_exp": True},
+        )
+    except ExpiredSignatureError as e:
+        logger.error(e)
+        raise exceptions.AuthenticationFailed("Token is expired!")
+    except InvalidSignatureError as e:
+        logger.error(e)
+        raise exceptions.AuthenticationFailed("Unable to verify token!")
+    except Exception as e:
+        logger.error(e)
+        raise exceptions.AuthenticationFailed(f"Unable to decode token! {e}")
+
+
+def get_or_create_user_from_token(decoded_token):
+    jwt_username = decoded_token["user_name"]
+    user_model = get_user_model()
+    user = None
+    try:
+        user = user_model.objects.get(username=jwt_username)
+    except user_model.DoesNotExist:
+        user = user_model.objects.create_user(username=jwt_username)
+        user.email = decoded_token["userDetails"]["email"]
+        user.save()
+    if decoded_token["authorities"]:
+        authorities = decoded_token["authorities"]
+        if settings.REQUIRED_ROLE.upper() in authorities:
+            user.is_staff = True
+            # user.is_superuser = True
+        else:
+            user.is_staff = False
+        user.save()
+    return user
+
+
+class OAuthAPIJWTAuthentication(authentication.BaseAuthentication):
     def authenticate(self, request):
         auth_header = get_authorization_header(request)
         if not auth_header:
@@ -42,45 +105,33 @@ def authenticate(self, request):
             return None  # attempt other configured authentication methods
         token = auth_header[1]
         # get JWT public key
-        public_key = ""
+        decoded_token = decode_token(token)
+        user = get_or_create_user_from_token(decoded_token)
+        logger.info("user from token: " + str(user.email))
+        return (user, decoded_token)
+
+
+class OAuthSessionAuthentication(authentication.BaseAuthentication):
+    """
+    Use OAuth session for authentication.
+    """
+
+    def authenticate(self, request):
+        """
+        Returns a `User` if the request session currently has a logged in user.
+        Otherwise returns `None`.
+        """
+
+        if not "oauth_token" in request.session:
+            return None
+
+        token = request.session["oauth_token"]
+        access_token = token["access_token"].encode("utf-8")
         try:
-            with open(settings.PATH_TO_JWT_PUBLIC_KEY) as public_key_file:
-                public_key = public_key_file.read()
-        except Exception as e:
-            logger.error(e)
-        if not public_key:
-            error = exceptions.AuthenticationFailed(
-                "Unable to get public key to decode jwt"
-            )
-            logger.error(error)
+            decoded_token = decode_token(access_token)
+        except exceptions.AuthenticationFailed as error:
+            del request.session["oauth_token"]
             raise error
-        try:
-            # decode JWT token
-            # verifies jwt signature using RS256 algorithm and public key
-            # requires exp claim to verify token is not expired
-            # decodes and returns base64 encoded payload
-            decoded_key = jwt.decode(
-                token,
-                public_key,
-                verify=True,
-                algorithms="RS256",
-                options={"require": ["exp"], "verify_exp": True},
-            )
-        except ExpiredSignatureError as e:
-            logger.error(e)
-            raise exceptions.AuthenticationFailed("Token is expired!")
-        except InvalidSignatureError as e:
-            logger.error(e)
-            raise exceptions.AuthenticationFailed("Unable to verify token!")
-        except Exception as e:
-            logger.error(e)
-            raise exceptions.AuthenticationFailed(f"Unable to decode token! {e}")
-        jwt_username = decoded_key["user_name"]
-        user_model = get_user_model()
-        user = None
-        try:
-            user = user_model.objects.get(username=jwt_username)
-        except user_model.DoesNotExist:
-            user = user_model.objects.create_user(username=jwt_username)
-            user.save()
-        return (user, decoded_key)
+        user = get_or_create_user_from_token(decoded_token)
+        logger.info("user from token: " + str(user.email))
+        return (user, decoded_token)

src/authentication/oauth.py

@@ -37,7 +37,6 @@ def get_oauth_token():
             verify=verify_ssl,
         )
         oauth.close()
-        logger.debug("Response from oauth.fetch_token: " + str(token))
         return token
     except Exception:
         raise

src/authentication/oauth_urls.py

@@ -0,0 +1,12 @@
+from django.conf import settings
+from django.contrib.auth import views
+from django.urls import path
+
+from authentication.views import oauth_login_callback, oauth_login_view
+
+urlpatterns = (
+    path("oauth2/", oauth_login_view, name="oauth-login"),
+    path(f"oauth2/code/{settings.FQDN}", oauth_login_callback, name="oauth-callback"),
+    # https://github.com/encode/django-rest-framework/blob/master/rest_framework/urls.py
+    path("oauth2/logout/", views.LogoutView.as_view(), name="oauth-logout"),
+)

src/authentication/permissions.py

@@ -1,13 +1,23 @@
+import logging
+
 from rest_framework import permissions
 
-from .auth import jwt_request_has_required_role, oauth_jwt_authentication_enabled
+from .auth import (
+    jwt_request_has_required_role,
+    oauth_jwt_authentication_enabled,
+    oauth_session_authentication_enabled,
+)
+
+logger = logging.getLogger(__name__)
 
 
-class RequiredJWTRolePermissionOrIsSuperuser(permissions.BasePermission):
+class JWTRoleOrIsSuperuser(permissions.BasePermission):
     message = "User missing required role"
 
     def has_permission(self, request, view):
-        if oauth_jwt_authentication_enabled and jwt_request_has_required_role(request):
+        if (
+            oauth_jwt_authentication_enabled or oauth_session_authentication_enabled
+        ) and jwt_request_has_required_role(request):
             return True
         if request.user.is_superuser:
             return True

src/authentication/tests/jwt_content_example.json

@@ -9,7 +9,7 @@
         "id": null,
         "uid": "",
         "altSecurityIdenties": null,
-        "email": "sensor01",
+        "email": "sensor01@example.com",
         "firstname": "sensor01",
         "lastname": "",
         "cn": "sensor01",

src/authentication/tests/test_jwt_auth.py

@@ -231,7 +231,7 @@ def test_token_role_user_required_role_accepted(settings, live_server):
 
 
 @pytest.mark.django_db
-def test_token_mulitple_roles_accepted(settings, live_server):
+def test_token_multiple_roles_accepted(settings, live_server):
     settings.PATH_TO_JWT_PUBLIC_KEY = TEST_JWT_PUBLIC_KEY_FILE
     token_payload = get_token_payload(
         authorities=["ROLE_MANAGER", "ROLE_USER", "ROLE_ITS"]
@@ -381,7 +381,6 @@ def test_user_cannot_view_user_detail(settings, live_server):
     encoded = jwt.encode(sensor01_token_payload, str(PRIVATE_KEY), algorithm="RS256")
     utf8_bytes = encoded.decode("utf-8")
     client = RequestsClient()
-    # authenticating with "ROLE_MANAGER" creates user if does not already exist
     response = client.get(
         f"{live_server.url}", headers={"Authorization": f"Bearer {utf8_bytes}"}
     )
@@ -411,7 +410,6 @@ def test_user_cannot_view_user_detail_role_change(settings, live_server):
     encoded = jwt.encode(sensor01_token_payload, str(PRIVATE_KEY), algorithm="RS256")
     utf8_bytes = encoded.decode("utf-8")
     client = RequestsClient()
-    # authenticating with "ROLE_MANAGER" creates user if does not already exist
     response = client.get(
         f"{live_server.url}", headers={"Authorization": f"Bearer {utf8_bytes}"}
     )
@@ -440,7 +438,6 @@ def test_admin_can_view_user_detail(settings, live_server):
     encoded = jwt.encode(token_payload, str(PRIVATE_KEY), algorithm="RS256")
     utf8_bytes = encoded.decode("utf-8")
     client = RequestsClient()
-    # authenticating with "ROLE_MANAGER" creates user if does not already exist
     response = client.get(
         f"{live_server.url}", headers={"Authorization": f"Bearer {utf8_bytes}"}
     )
@@ -464,7 +461,6 @@ def test_admin_can_view_other_user_detail(settings, live_server):
     encoded = jwt.encode(sensor01_token_payload, str(PRIVATE_KEY), algorithm="RS256")
     utf8_bytes = encoded.decode("utf-8")
     client = RequestsClient()
-    # authenticating with "ROLE_MANAGER" creates user if does not already exist
     response = client.get(
         f"{live_server.url}", headers={"Authorization": f"Bearer {utf8_bytes}"}
     )
@@ -494,7 +490,6 @@ def test_token_hidden(settings, live_server):
     encoded = jwt.encode(token_payload, str(PRIVATE_KEY), algorithm="RS256")
     utf8_bytes = encoded.decode("utf-8")
     client = RequestsClient()
-    # authenticating with "ROLE_MANAGER" creates user if does not already exist
     response = client.get(
         f"{live_server.url}", headers={"Authorization": f"Bearer {utf8_bytes}"}
     )