From 99dfb2c0e97bce2f8827a6e8eef79b4abb60297a Mon Sep 17 00:00:00 2001
From: Sean Smith <ssmith@iol.unh.edu>
Date: Wed, 19 Aug 2020 11:00:50 -0400
Subject: [PATCH] LFID login for both projects

Signed-off-by: Sean Smith <ssmith@iol.unh.edu>
Change-Id: I4a14dc75d7890a6d395b3f52177a7000ae1a2150
---
 config.env.sample                            | 11 +++++++
 src/account/views.py                         | 43 +++++++++++++++++++++-----
 src/dashboard/views.py                       |  6 +++-
 src/laas_dashboard/settings.py               | 28 +++++++++++------
 src/templates/akraino/base.html              | 20 -------------
 src/templates/akraino/dashboard/landing.html |  6 ----
 src/templates/base/base.html                 | 45 ++++++++++++++++++++++------
 src/templates/base/dashboard/landing.html    |  8 +++--
 src/templates/base/dashboard/login.html      |  5 ++--
 9 files changed, 115 insertions(+), 57 deletions(-)

diff --git a/config.env.sample b/config.env.sample
index 137ecb0..5b34217 100644
--- a/config.env.sample
+++ b/config.env.sample
@@ -22,6 +22,12 @@ DB_PASS=sample_pass
 DB_SERVICE=postgres
 DB_PORT=5432
 
+# tells the dashboard to expect host forwarding from proxy (if using LFID, needs to be True)
+EXPECT_HOST_FORWARDING=False
+
+# string indicating what authorization to deploy with
+AUTH_SETTING=choose_auth # LFID or OAUTH
+
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY=http://www.miniwebtool.com/django-secret-key-generator/
 
@@ -43,6 +49,11 @@ OIDC_AUTHORIZATION_ENDPOINT=https://linuxfoundation-test.auth0.com/authorize
 OIDC_TOKEN_ENDPOINT=https://linuxfoundation-test.auth0.com/oauth/token
 OIDC_USER_ENDPOINT=https://linuxfoundation-test.auth0.com/userinfo
 
+CLAIMS_ENDPOINT=https://sso.linuxfoundation.org/claims/
+
+OIDC_RP_SIGN_ALGO=RS256
+OIDC_OP_JWKS_ENDPOINT=https://sso.linuxfoundation.org/.well-known/jwks.json
+
 # Rabbitmq
 RABBITMQ_DEFAULT_USER=opnfv
 RABBITMQ_DEFAULT_PASS=opnfvopnfv
diff --git a/src/account/views.py b/src/account/views.py
index f282369..08da918 100644
--- a/src/account/views.py
+++ b/src/account/views.py
@@ -61,15 +61,44 @@ class AccountSettingsView(UpdateView):
 
 class MyOIDCAB(OIDCAuthenticationBackend):
     def filter_users_by_claims(self, claims):
-        email = claims.get('email')
-        if not email:
-            return self.User.objects.none()
+        """
+        Checks to see if user exists and create user if not
+
+        Linux foundation does not allow users to change their
+        username, so chose to match users based on their username.
+        If this changes we will need to match users based on some
+        other criterea.
+        """
+        username = claims.get(os.environ['CLAIMS_ENDPOINT'] + 'username')
+
+        if not username:
+            return HttpResponse('No username provided, contact support.')
 
         try:
-            profile = UserProfile.objects.get('email')
-            return profile
-        except UserProfile.DoesNotExist:
-            return self.User.objects.none()
+            # For literally no (good) reason user needs to be a queryset
+            user = User.objects.filter(username=username)
+            return user
+        except User.DoesNotExist:
+            return self.UserModel.objects.none()
+
+    def create_user(self, claims):
+        """ This creates a user and user profile"""
+        user = super(MyOIDCAB, self).create_user(claims)
+        user.username = claims.get(os.environ['CLAIMS_ENDPOINT'] + 'username')
+        user.save()
+
+        up = UserProfile()
+        up.user = user
+        up.email_addr = claims.get('email')
+        up.save()
+        return user
+
+    def update_user(self, user, claims):
+        """ If their account has different email, change the email """
+        up = UserProfile.objects.get(user=user)
+        up.email_addr = claims.get('email')
+        up.save()
+        return user
 
 
 class JiraLoginView(RedirectView):
diff --git a/src/dashboard/views.py b/src/dashboard/views.py
index f9a908c..7c85250 100644
--- a/src/dashboard/views.py
+++ b/src/dashboard/views.py
@@ -22,6 +22,8 @@ from booking.models import Booking
 from resource_inventory.models import Image, ResourceProfile, ResourceQuery
 from workflow.workflow_manager import ManagerTracker
 
+import os
+
 
 def lab_list_view(request):
     labs = Lab.objects.all()
@@ -78,13 +80,15 @@ def landing_view(request):
     else:
         bookings = None
 
+    LFID = True if os.environ['AUTH_SETTING'] == 'LFID' else False
     return render(
         request,
         'dashboard/landing.html',
         {
             'manager': manager is not None,
             'title': "Welcome to the Lab as a Service Dashboard",
-            'bookings': bookings
+            'bookings': bookings,
+            'LFID': LFID
         }
     )
 
diff --git a/src/laas_dashboard/settings.py b/src/laas_dashboard/settings.py
index 92f763f..a32b1c5 100644
--- a/src/laas_dashboard/settings.py
+++ b/src/laas_dashboard/settings.py
@@ -53,19 +53,29 @@ MIDDLEWARE = [
     'account.middleware.TimezoneMiddleware',
 ]
 
-AUTHENTICATION_BACKENDS = ['account.views.MyOIDCAB']
+if os.environ['AUTH_SETTING'] == 'LFID':
+    AUTHENTICATION_BACKENDS = ['account.views.MyOIDCAB']
 
+    # OpenID Authentications
+    OIDC_RP_CLIENT_ID = os.environ['OIDC_CLIENT_ID']
+    OIDC_RP_CLIENT_SECRET = os.environ['OIDC_CLIENT_SECRET']
 
-# OpenID Authentications
-OIDC_RP_CLIENT_ID = os.environ['OIDC_CLIENT_ID']
-OIDC_RP_CLIENT_SECRET = os.environ['OIDC_CLIENT_SECRET']
+    OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ['OIDC_AUTHORIZATION_ENDPOINT']
+    OIDC_OP_TOKEN_ENDPOINT = os.environ['OIDC_TOKEN_ENDPOINT']
+    OIDC_OP_USER_ENDPOINT = os.environ['OIDC_USER_ENDPOINT']
 
-OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ['OIDC_AUTHORIZATION_ENDPOINT']
-OIDC_OP_TOKEN_ENDPOINT = os.environ['OIDC_TOKEN_ENDPOINT']
-OIDC_OP_USER_ENDPOINT = os.environ['OIDC_USER_ENDPOINT']
+    LOGIN_REDIRECT_URL = os.environ['DASHBOARD_URL']
+    LOGOUT_REDIRECT_URL = os.environ['DASHBOARD_URL']
 
-LOGIN_REDIRECT_URL = os.environ['DASHBOARD_URL']
-LOGOUT_REDIRECT_URL = os.environ['DASHBOARD_URL']
+    OIDC_RP_SIGN_ALGO = os.environ["OIDC_RP_SIGN_ALGO"]
+
+    if OIDC_RP_SIGN_ALGO == "RS256":
+        OIDC_OP_JWKS_ENDPOINT = os.environ["OIDC_OP_JWKS_ENDPOINT"]
+
+# This is for LFID auth setups w/ an HTTPS proxy
+if os.environ['EXPECT_HOST_FORWARDING'] == 'True':
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', "https")
+    USE_X_FORWARDED_HOST = True
 
 ROOT_URLCONF = 'laas_dashboard.urls'
 
diff --git a/src/templates/akraino/base.html b/src/templates/akraino/base.html
index b93dcd2..1368476 100644
--- a/src/templates/akraino/base.html
+++ b/src/templates/akraino/base.html
@@ -22,23 +22,3 @@
 {% endblock logo %}
 {% block dropDown %}
 {% endblock dropDown %}
-
-{% block login %}
-    <div class="dropdown-menu dropdown-menu-right">
-        {% if user.is_authenticated %}
-        <a href="{% url 'account:settings' %}" class="text-dark dropdown-item">
-            <i class="fas fa-cog"></i>
-                Settings
-        </a>
-        <a href="{% url 'oidc_logout' %}" class="text-dark dropdown-item">
-            <i class="fas fa-sign-out-alt"></i>
-                Logout
-        </a>
-        {% else %}
-        <a href="{% url 'oidc_authentication_init' %}" class="text-dark dropdown-item">
-            <i class="fas fa-sign-in-alt"></i>
-                Login with LFID
-        </a>
-        {% endif %}
-    </div>
-{% endblock login %}
\ No newline at end of file
diff --git a/src/templates/akraino/dashboard/landing.html b/src/templates/akraino/dashboard/landing.html
index 39eebb6..5533469 100644
--- a/src/templates/akraino/dashboard/landing.html
+++ b/src/templates/akraino/dashboard/landing.html
@@ -19,11 +19,5 @@
 <a class="btn btnAkr btn-lg d-flex flex-column justify-content-center align-content-center border text-white p-4" href="/booking/quick/">Book a Pod</a>
 {% endblock btnGrp %}
 
-{% block biglogin %}
-<h4 class="text-center">
-    To get started, please log in with <a href="{% url 'oidc_authentication_init' %}"> Linux Foundation ID</a>
-</h4>
-{% endblock biglogin %}
-
 {% block returningUsers %}
 {% endblock returningUsers %}
diff --git a/src/templates/base/base.html b/src/templates/base/base.html
index f86cff8..3ecad1a 100644
--- a/src/templates/base/base.html
+++ b/src/templates/base/base.html
@@ -44,25 +44,52 @@
                             {% endif %}
                             <i class="fas fa-caret-down rotate"></i>
                         </a>
-                        {% block login %}
                         <div class="dropdown-menu dropdown-menu-right">
-                            {% if user.is_authenticated %}
+                            {% if LFID %}
+                                {% if user.is_authenticated %}
                                 <a href="{% url 'account:settings' %}" class="text-dark dropdown-item">
                                     <i class="fas fa-cog"></i>
-                                    Settings
+                                        Settings
                                 </a>
-                                <a href="{% url 'account:logout' %}?next={{ request.path }}" class="text-dark dropdown-item">
+                                <a id="logout_btn" href="#" method="post" class="text-dark dropdown-item">
                                     <i class="fas fa-sign-out-alt"></i>
-                                    Logout
+                                        Logout
                                 </a>
-                            {% else %}
-                                <a href="{% url 'account:login' %}" class="text-dark dropdown-item">
+                                <form id="logout_form" action="{% url 'oidc_logout' %}" method="post" style="visibility: hidden;">
+                                    {% csrf_token %}
+                                    <input type="submit" value="logout">
+                                </form>
+                                <script>
+                                    const logout_btn = document.getElementById("logout_btn");
+
+                                    const logout_form = document.getElementById("logout_form");
+
+                                    logout_btn.onclick = function() { logout_form.submit(); };
+                                </script>
+                                {% else %}
+                                <a href="{% url 'oidc_authentication_init' %}" class="text-dark dropdown-item">
                                     <i class="fas fa-sign-in-alt"></i>
-                                    Login with Jira
+                                        Login with LFID
                                 </a>
+                                {% endif %}
+                            {% else %}
+                                {% if user.is_authenticated %}
+                                    <a href="{% url 'account:settings' %}" class="text-dark dropdown-item">
+                                        <i class="fas fa-cog"></i>
+                                        Settings
+                                    </a>
+                                    <a href="{% url 'account:logout' %}?next={{ request.path }}" class="text-dark dropdown-item">
+                                        <i class="fas fa-sign-out-alt"></i>
+                                        Logout
+                                    </a>
+                                {% else %}
+                                    <a href="{% url 'account:login' %}" class="text-dark dropdown-item">
+                                        <i class="fas fa-sign-in-alt"></i>
+                                        Login with Jira
+                                    </a>
+                                {% endif %}
                             {% endif %}
                         </div>
-                        {% endblock login %}
                     </li>
                 </ul>
             </div>
diff --git a/src/templates/base/dashboard/landing.html b/src/templates/base/dashboard/landing.html
index 3291606..4ed2ec1 100644
--- a/src/templates/base/dashboard/landing.html
+++ b/src/templates/base/dashboard/landing.html
@@ -43,11 +43,15 @@
     <div class="col-12 col-lg-6 mb-4">
         <h2 class="border-bottom">Get Started</h2>
         {% if request.user.is_anonymous %}
-        {% block biglogin %}
+        {% if LFID %}
+        <h4 class="text-center">
+            To get started, please log in with <a href="{% url 'oidc_authentication_init' %}">Linux Foundation ID</a>
+        </h4>
+        {% else %}
         <h4 class="text-center">
             To get started, please log in with your <a href="/accounts/login">Linux Foundation Jira account</a>
         </h4>
-        {% endblock biglogin %}
+        {% endif %}
         {% else %}
         {% block btnGrp %}
         <p>To get started, book a server below:</p>
diff --git a/src/templates/base/dashboard/login.html b/src/templates/base/dashboard/login.html
index d3aa4ad..5af201a 100644
--- a/src/templates/base/dashboard/login.html
+++ b/src/templates/base/dashboard/login.html
@@ -1,8 +1,7 @@
 {% extends "base.html" %}
 
 {% block content %}
-<h3>You Must Login To Do That</h3>
-
-<a href="/accounts/login">Login Here</a>
+<h3> You Must Login To Do That<h3>
 
+<a href="{% url 'oidc_authentication_init' %}"> Login Here </a>
 {% endblock %}
-- 
2.16.6