From 6b65247629e718bd0dc2e09456f947c846fd20a4 Mon Sep 17 00:00:00 2001
From: Setu Shah
Date: Thu, 23 Apr 2020 19:08:48 -0700
Subject: [PATCH] Add pipeline fetch functions

---
 app/app/settings.py | 10 +++++++
 app/server/social_auth.py | 48 +++++++++++++++++++++++++++++++++
 app/server/templates/login.html | 10 +++++-
 3 files changed, 66 insertions(+), 2 deletions(-)

diff --git a/app/app/settings.py b/app/app/settings.py
index 1fa81b2a..a204a563 100644
--- a/app/app/settings.py
+++ b/app/app/settings.py
@@ -178,10 +178,18 @@ if AZUREAD_ADMIN_GROUP_ID:
 SOCIAL_AUTH_OKTA_OAUTH2_KEY = env('OAUTH_OKTA_OAUTH2_KEY', None)
 SOCIAL_AUTH_OKTA_OAUTH2_SECRET = env('OAUTH_OKTA_OAUTH2_SECRET', None)
 SOCIAL_AUTH_OKTA_OAUTH2_API_URL = env('OAUTH_OKTA_OAUTH2_API_URL', None)
+OKTA_OAUTH2_ADMIN_GROUP_NAME = env('OKTA_OAUTH2_ADMIN_GROUP_NAME', None)
+
+if SOCIAL_AUTH_OKTA_OAUTH2_API_URL:
+    SOCIAL_AUTH_OKTA_OAUTH2_SCOPE = ["groups"]
 
 SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = env('OAUTH_OKTA_OPENIDCONNECT_KEY', None)
 SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = env('OAUTH_OKTA_OPENIDCONNECT_SECRET', None)
 SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = env('OAUTH_OKTA_OPENIDCONNECT_API_URL', None)
+OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME = env('OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME', None)
+
+if SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL:
+    SOCIAL_AUTH_OKTA_OPENIDCONNECT_SCOPE = ["groups"]
 
 SOCIAL_AUTH_PIPELINE = [
     'social_core.pipeline.social_auth.social_details',
@@ -195,6 +203,8 @@ SOCIAL_AUTH_PIPELINE = [
     'social_core.pipeline.user.user_details',
     'server.social_auth.fetch_github_permissions',
     'server.social_auth.fetch_azuread_permissions',
+    'server.social_auth.fetch_okta_oauth2_permissions',
+    'server.social_auth.fetch_okta_openidconnect_permissions',
 ]
 
 ROLE_PROJECT_ADMIN = env('ROLE_PROJECT_ADMIN', 'project_admin')
diff --git a/app/server/social_auth.py b/app/server/social_auth.py
index 35adf722..6be612c1 100644
--- a/app/server/social_auth.py
+++ b/app/server/social_auth.py
@@ -2,6 +2,8 @@ import requests
 from django.conf import settings
 from social_core.backends.azuread_tenant import AzureADTenantOAuth2
 from social_core.backends.github import GithubOAuth2
+from social_core.backends.okta import OktaOAuth2
+from social_core.backends.okta_openidconnect import OktaOpenIdConnect
 
 
 # noinspection PyUnusedLocal
@@ -68,3 +70,49 @@ def fetch_azuread_permissions(strategy, details, user=None, is_new=False, *args,
     if user.is_superuser != is_superuser:
         user.is_superuser = is_superuser
         user.save()
+
+
+# noinspection PyUnusedLocal
+def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
+    org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', '')
+    group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
+    if not user or not isinstance(kwargs['backend'], OktaOAuth2):
+        return
+
+    response = requests.post(
+        url=f"{org_url}/v1/userinfo",
+        headers={
+            'Authorization': 'Bearer {}'.format(kwargs['response']['access_token']),
+        },
+    )
+    response.raise_for_status()
+    response = response.json()
+
+    is_superuser = group_name in response.get("groups", [])
+
+    if user.is_superuser != is_superuser:
+        user.is_superuser = is_superuser
+        user.save()
+
+
+# noinspection PyUnusedLocal
+def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
+    org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', '')
+    group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
+    if not user or not isinstance(kwargs['backend'], OktaOpenIdConnect):
+        return
+
+    response = requests.post(
+        url=f"{org_url}/v1/userinfo",
+        headers={
+            'Authorization': 'Bearer {}'.format(kwargs['response']['access_token']),
+        },
+    )
+    response.raise_for_status()
+    response = response.json()
+
+    is_superuser = group_name in response.get("groups", [])
+
+    if user.is_superuser != is_superuser:
+        user.is_superuser = is_superuser
+        user.save()
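Review bot: Both `requests.post(url=f"{org_url}/v1/userinfo", ...)` calls in fetch_okta_oauth2_permissions and fetch_okta_openidconnect_permissions run inside the login pipeline with no `timeout=`, so a slow or unreachable userinfo endpoint pins the request worker for as long as the socket stays open; pass an explicit timeout (the fetch_github/fetch_azuread steps above this hunk are worth checking for the same gap). The two functions differ only in the backend class and the two setting names, so the shared body belongs in one private helper, as sketched below. If social_core's BaseOAuth2.do_auth merges the userinfo payload into kwargs['response'] before the pipeline runs — which it appears to — the groups claim may already be available as `kwargs['response'].get('groups')` and the second token-bearing request could be dropped entirely; confirm against the installed social_core version. When the authorization server does not include a groups claim, `response.get("groups", [])` demotes every existing superuser on their next login; that is the safe direction, but a log line on demotion would make a misconfigured claim visible instead of silent.
```python
def _sync_okta_superuser(user, kwargs, backend_cls, url_setting, group_setting):
    """Set user.is_superuser from the Okta userinfo 'groups' claim; no-op for other backends."""
    if not user or not isinstance(kwargs['backend'], backend_cls):
        return
    org_url = getattr(settings, url_setting, '')
    group_name = getattr(settings, group_setting, "")
    response = requests.post(
        url=f"{org_url}/v1/userinfo",
        headers={'Authorization': 'Bearer {}'.format(kwargs['response']['access_token'])},
        timeout=10,  # constructed value; bound the call so a stalled IdP cannot hang the login worker
    )
    response.raise_for_status()
    is_superuser = group_name in response.json().get("groups", [])
    if user.is_superuser != is_superuser:
        user.is_superuser = is_superuser
        user.save()


# noinspection PyUnusedLocal
def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
    _sync_okta_superuser(user, kwargs, OktaOAuth2,
                         'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', 'OKTA_OAUTH2_ADMIN_GROUP_NAME')


# noinspection PyUnusedLocal
def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
    _sync_okta_superuser(user, kwargs, OktaOpenIdConnect,
                         'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', 'OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME')
```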
diff --git a/app/server/templates/login.html b/app/server/templates/login.html
index 34c9d576..1917ffbe 100644
--- a/app/server/templates/login.html
+++ b/app/server/templates/login.html
@@ -71,8 +71,14 @@ Login with Active Directory {% endif %} - {% if (okta_oauth_login or okta_openidconnect_login) %} - + {% if okta_oauth_login %} + + Login with Okta + + {% endif %} + {% if okta_openidconnect_login %} + Login with Okta