-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow users to authenticate with Azure in order to capture their Just…
…ice email address (#1280) * Add authlib and register oauth azure client * Implement a basic auth flow, that allows the user email to be retrieved via an auth token * Add field to capture justice email and store after authenticating * Add feature flag for justice identity authentication flow, so it can be tested in dev first
- Loading branch information
1 parent
d4ca7c2
commit 8292e21
Showing
13 changed files
with
343 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# Generated by Django 4.2.7 on 2024-03-26 12:21 | ||
|
||
from django.db import migrations, models | ||
|
||
|
||
class Migration(migrations.Migration): | ||
dependencies = [ | ||
("api", "0035_user_is_bedrock_enabled"), | ||
] | ||
|
||
operations = [ | ||
migrations.AddField( | ||
model_name="user", | ||
name="justice_email", | ||
field=models.EmailField(blank=True, max_length=254, null=True, unique=True), | ||
), | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
{% extends "base.html" %} | ||
|
||
{% set page_name = "home" %} | ||
{% set hide_nav = True %} | ||
{% set page_title = "Hello " ~ ( request.user.name if request.user ) %} | ||
|
||
{% block content %} | ||
|
||
<div class="govuk-grid-row"> | ||
<div class="govuk-grid-column-two-thirds"> | ||
<h1 class="govuk-heading-xl">Authenticate with your Justice identity</h1> | ||
<p class="govuk-body-l">As part of upcoming work to offer new tools and services, all Analytical Platform will need to authenticate with their Justice identity so that we can store your @justice.gov.uk email address.</p> | ||
<p class="govuk-body">You will need to complete authentication by 30th April 2024. If you do not currently have a @justice.gov.uk email address, <a href="#" class="govuk-link">see our guidance on requesting one.</a></p> | ||
<div class="govuk-button-group"> | ||
<form method="POST" action="."> | ||
{{ csrf_input }} | ||
<button type="submit" class="govuk-button" data-module="govuk-button"> | ||
Authenticate with Justice identity | ||
</button> | ||
<a class="govuk-button govuk-button--secondary" href="{{ url('list-tools') }}"> | ||
Skip for now | ||
</a> | ||
</form> | ||
</div> | ||
</div> | ||
</div> | ||
|
||
{% endblock %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
# Standard library | ||
|
||
# Third-party | ||
import sentry_sdk | ||
from authlib.integrations.django_client import OAuthError | ||
from django.conf import settings | ||
from django.contrib import messages | ||
from django.http import HttpResponseRedirect, Http404 | ||
from django.urls import reverse | ||
from django.views import View | ||
|
||
# First-party/Local | ||
from controlpanel.oidc import OIDCLoginRequiredMixin, oauth | ||
|
||
|
||
class EntraIdAuthView(OIDCLoginRequiredMixin, View): | ||
""" | ||
This view is used as the callback after a user authenticates with their Justice | ||
identity via Azure EntraID, in order to capture a users Justice email address. | ||
""" | ||
http_method_names = ["get"] | ||
|
||
def _get_access_token(self): | ||
""" | ||
Attempts to valiate and return the access token | ||
""" | ||
try: | ||
token = oauth.azure.authorize_access_token(self.request) | ||
except OAuthError as error: | ||
sentry_sdk.capture_exception(error) | ||
token = None | ||
return token | ||
|
||
def get(self, request, *args, **kwargs): | ||
""" | ||
Attempts to retrieve the auth token, and update the user. | ||
""" | ||
if not settings.features.justice_auth.enabled and not request.user.is_superuser: | ||
raise Http404() | ||
|
||
token = self._get_access_token() | ||
if not token: | ||
messages.error(request, "Something went wrong, please try again") | ||
return HttpResponseRedirect(reverse("index")) | ||
|
||
self.update_user(token=token) | ||
messages.success( | ||
request=request, | ||
message=f"Successfully authenticated with your email {request.user.justice_email}", | ||
) | ||
return HttpResponseRedirect(reverse("index")) | ||
|
||
def update_user(self, token): | ||
""" | ||
Update user with details from the ID token returned by the provided EntraID | ||
access token | ||
""" | ||
email = token["userinfo"]["email"] | ||
self.request.user.justice_email = email | ||
self.request.user.save() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,6 @@ | ||
asgiref==3.7.2 | ||
auth0-python==4.5.0 | ||
authlib==1.3.0 | ||
beautifulsoup4==4.12.2 | ||
boto3==1.34.64 | ||
celery[sqs]==5.3.1 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
# Third-party | ||
import pytest | ||
from authlib.integrations.base_client import OAuthError | ||
from django.urls import reverse, reverse_lazy | ||
from mock import patch | ||
from pytest_django.asserts import assertContains | ||
|
||
|
||
class TestEntraIdAuthView: | ||
url = reverse_lazy("entraid-auth") | ||
|
||
def test_unauthorised(self, client): | ||
response = client.get(self.url) | ||
|
||
assert response.status_code == 302 | ||
|
||
@patch("django.conf.settings.features.justice_auth.enabled", False) | ||
def test_justice_auth_feature_flag_disabled_for_normal_user(self, users, client): | ||
user = users["normal_user"] | ||
|
||
client.force_login(user) | ||
response = client.get(self.url) | ||
|
||
assert response.status_code == 404 | ||
|
||
@patch("controlpanel.frontend.views.auth.oauth") | ||
def test_success(self, oauth, client, users): | ||
oauth.azure.authorize_access_token.return_value = { | ||
"userinfo": {"email": "[email protected]"}, | ||
} | ||
user = users["normal_user"] | ||
assert user.justice_email is None | ||
|
||
client.force_login(user) | ||
response = client.get(self.url, follow=True) | ||
|
||
user.refresh_from_db() | ||
assert user.justice_email == "[email protected]" | ||
assertContains(response, "Successfully authenticated with your email [email protected]") | ||
|
||
@patch("controlpanel.frontend.views.auth.oauth") | ||
def test_failure(self, oauth, client, users): | ||
oauth.azure.authorize_access_token.side_effect = OAuthError() | ||
user = users["normal_user"] | ||
assert user.justice_email is None | ||
|
||
client.force_login(user) | ||
response = client.get(self.url, follow=True) | ||
|
||
user.refresh_from_db() | ||
assert user.justice_email is None | ||
assertContains(response, "Something went wrong, please try again") |
Oops, something went wrong.