Add pipeline fetch functions

4 years ago · 6b65247629
3 changed files with 66 additions and 2 deletions
--- a/app/app/settings.py
+++ b/app/app/settings.py
@ -178,10 +178,18 @@ if AZUREAD_ADMIN_GROUP_ID:
 SOCIAL_AUTH_OKTA_OAUTH2_KEY = env('OAUTH_OKTA_OAUTH2_KEY', None)
 SOCIAL_AUTH_OKTA_OAUTH2_SECRET = env('OAUTH_OKTA_OAUTH2_SECRET', None)
 SOCIAL_AUTH_OKTA_OAUTH2_API_URL = env('OAUTH_OKTA_OAUTH2_API_URL', None)
+OKTA_OAUTH2_ADMIN_GROUP_NAME = env('OKTA_OAUTH2_ADMIN_GROUP_NAME', None)
+
+if SOCIAL_AUTH_OKTA_OAUTH2_API_URL:
+    SOCIAL_AUTH_OKTA_OAUTH2_SCOPE = ["groups"]

 SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = env('OAUTH_OKTA_OPENIDCONNECT_KEY', None)
 SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = env('OAUTH_OKTA_OPENIDCONNECT_SECRET', None)
 SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = env('OAUTH_OKTA_OPENIDCONNECT_API_URL', None)
+OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME = env('OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME', None)
+
+if SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL:
+    SOCIAL_AUTH_OKTA_OPENIDCONNECT_SCOPE = ["groups"]

 SOCIAL_AUTH_PIPELINE = [
    'social_core.pipeline.social_auth.social_details',
@ -195,6 +203,8 @@ SOCIAL_AUTH_PIPELINE = [
    'social_core.pipeline.user.user_details',
    'server.social_auth.fetch_github_permissions',
    'server.social_auth.fetch_azuread_permissions',
+    'server.social_auth.fetch_okta_oauth2_permissions',
+    'server.social_auth.fetch_okta_openidconnect_permissions',
 ]

 ROLE_PROJECT_ADMIN = env('ROLE_PROJECT_ADMIN', 'project_admin')
--- a/app/server/social_auth.py
+++ b/app/server/social_auth.py
@ -2,6 +2,8 @@ import requests
 from django.conf import settings
 from social_core.backends.azuread_tenant import AzureADTenantOAuth2
 from social_core.backends.github import GithubOAuth2
+from social_core.backends.okta import OktaOAuth2
+from social_core.backends.okta_openidconnect import OktaOpenIdConnect


 # noinspection PyUnusedLocal
@ -68,3 +70,49 @@ def fetch_azuread_permissions(strategy, details, user=None, is_new=False, *args,
    if user.is_superuser != is_superuser:
        user.is_superuser = is_superuser
        user.save()
+
+
+# noinspection PyUnusedLocal
+def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
+    org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', '')
+    group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
+    if not user or not isinstance(kwargs['backend'], OktaOAuth2):
+        return
+
+    response = requests.post(
+        url=f"{org_url}/v1/userinfo",
+        headers={
+            'Authorization': 'Bearer {}'.format(kwargs['response']['access_token']),
+        },
+    )
+    response.raise_for_status()
+    response = response.json()
+
+    is_superuser = group_name in response.get("groups", [])
+
+    if user.is_superuser != is_superuser:
+        user.is_superuser = is_superuser
+        user.save()
+
+
+# noinspection PyUnusedLocal
+def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
+    org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', '')
+    group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
+    if not user or not isinstance(kwargs['backend'], OktaOpenIdConnect):
+        return
+
+    response = requests.post(
+        url=f"{org_url}/v1/userinfo",
+        headers={
+            'Authorization': 'Bearer {}'.format(kwargs['response']['access_token']),
+        },
+    )
+    response.raise_for_status()
+    response = response.json()
+
+    is_superuser = group_name in response.get("groups", [])
+
+    if user.is_superuser != is_superuser:
+        user.is_superuser = is_superuser
+        user.save()
--- a/app/server/templates/login.html
+++ b/app/server/templates/login.html
@ -71,8 +71,14 @@
          <span>Login with Active Directory</span>
        </a>
        {% endif %}
-        {% if (okta_oauth_login or okta_openidconnect_login) %}
-        <a href="{% url 'social:begin' 'okta' %}" class="button is-fullwidth mb10">
+        {% if okta_oauth_login %}
+        <a href="{% url 'social:begin' 'okta-oauth2' %}" class="button is-fullwidth mb10">
+          <span class="icon"><i class="fab fa-openid"></i></span>
+          <span>Login with Okta</span>
+        </a>
+        {% endif %}
+        {% if okta_openidconnect_login %}
+        <a href="{% url 'social:begin' 'okta-openidconnect' %}" class="button is-fullwidth mb10">
          <span class="icon"><i class="fab fa-openid"></i></span>
          <span>Login with Okta</span>
        </a>