auth_oidc: disable local webkey json edition when fetched remotely (#83841)

2023-11-23 15:12:50 +01:00 · 2023-11-23 15:12:50 +01:00 · 5468f61029
parent 57dd6b1a08
commit 5468f61029
2 changed files with 40 additions and 0 deletions
--- a/src/authentic2_auth_oidc/forms.py
+++ b/src/authentic2_auth_oidc/forms.py
@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 from django import forms
+from django.utils.translation import gettext_lazy as _

 from authentic2.forms.widgets import DatalistTextInput, SelectAttributeWidget
 from authentic2.manager import fields as manager_fields
@ -35,6 +36,9 @@ class OIDCProviderEditForm(forms.ModelForm):
        super().__init__(*args, **kwargs)
        self.fields['ou'].required = True
        self.fields['ou'].empty_label = None
+        if self.instance.jwkset_url:
+            self.fields['jwkset_json'].disabled = True
+            self.fields['jwkset_json'].help_text = _('JSON is fetched from the WebKey Set URL')


 class OIDCProviderAdvancedForm(forms.ModelForm):
--- a/tests/test_manager_authenticators.py
+++ b/tests/test_manager_authenticators.py
@ -17,8 +17,10 @@
 import json

 import pytest
+import responses
 from django import VERSION as DJ_VERSION
 from django.utils.html import escape
+from jwcrypto.jwk import JWK, JWKSet
 from webtest import Upload

 from authentic2.a2_rbac.models import Role
@ -219,6 +221,7 @@ def test_authenticators_password_export(app, superuser):


@pytest.mark.freeze_time('2022-04-19 14:00')
+@responses.activate
 def test_authenticators_oidc(app, superuser, ou1, ou2):
    resp = login(app, superuser, path='/manage/authenticators/')

@ -282,6 +285,39 @@ def test_authenticators_oidc(app, superuser, ou1, ou2):
    )
    assert 'creation' in resp.text

+    jwkset_url = 'https://www.example.com/common/discovery/v3.0/keys'
+    kid_rsa = '123'
+
+    def generate_remote_jwkset_json():
+        key_rsa = JWK.generate(kty='RSA', size=512, kid=kid_rsa)
+        jwkset = JWKSet()
+        jwkset.add(key_rsa)
+        return jwkset.export(as_dict=True)
+
+    responses.get(
+        jwkset_url,
+        json={
+            'headers': {
+                'content-type': 'application/json',
+            },
+            'status_code': 200,
+            **generate_remote_jwkset_json(),
+        },
+    )
+
+    provider.refresh_from_db()
+    provider.jwkset_url = jwkset_url
+    provider.save()
+
+    resp = app.get('/manage/authenticators/%s/edit/' % provider.pk)
+    assert resp.pyquery('input#id_jwkset_url')[0].value == jwkset_url
+    assert 'disabled' in resp.pyquery('textarea#id_jwkset_json')[0].keys()
+    assert '"kid": "123"' in resp.pyquery('textarea#id_jwkset_json')[0].text
+    assert (
+        resp.pyquery('div[aria-labelledby="id_jwkset_json_title"] div.hint')[0].text
+        == 'JSON is fetched from the WebKey Set URL'
+    )
+
    resp = app.get('/manage/authenticators/')
    assert 'class="section disabled"' not in resp.text
    assert 'OIDC provider linked to https://oidc.example.com with scopes profile, email.' not in resp.text