Add siret attribute and mapper to Keycloak #577
merged 2 commits into from
Dec 23, 2024
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,10 @@ and this project adheres to

## [Unreleased]

### Added

- 🧑‍💻(oidc) add ability to pull registration ID (e.g. SIRET) from OIDC #577

### Fixed

- 🧑‍💻(user) fix the User.language infinite migration #611
60 changes: 58 additions & 2 deletions docker/auth/realm.json
Expand Up @@ -58,6 +58,23 @@
],
"realmRoles": ["user"]
},
{
"username": "e2e.marie",
"email": "[email protected]",
"firstName": "Marie",
"lastName": "Devarzy",
"enabled": true,
"attributes": {
"siret": "21580304000017"
},
"credentials": [
{
"type": "password",
"value": "password-e2e.marie"
}
],
"realmRoles": ["user"]
},
{
"username": "user-e2e-chromium",
"email": "[email protected]",
Expand Down Expand Up @@ -695,9 +712,17 @@
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
"scopeMappings": [
{
"clientScope": "siret",
"roles": [
"user"
]
},
{
"clientScope": "offline_access",
"roles": ["offline_access"]
"roles": [
"offline_access"
]
}
],
"clientScopeMappings": {
Expand Down Expand Up @@ -947,6 +972,7 @@
"acr",
"roles",
"profile",
"siret",
"email"
],
"optionalClientScopes": [
Expand Down Expand Up @@ -1107,6 +1133,35 @@
}
]
},
{
"id": "eb220fbb-02ac-4105-95a3-727954f6565d",
"name": "siret",
"description": "siret",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "false",
"gui.order": ""
},
"protocolMappers": [
{
"id": "333a4e89-9363-4c36-b56f-79c6b019c6c6",
"name": "siret",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"userinfo.token.claim": "true",
"multivalued": "false",
"user.attribute": "siret",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "siret"
}
}
]
},
{
"id": "af52ccc3-4ecb-49b4-9a67-5d4172f16070",
"name": "role_list",
Expand Down Expand Up @@ -1573,7 +1628,8 @@
"email",
"roles",
"web-origins",
"acr"
"acr",
"siret"
],
"defaultOptionalClientScopes": [
"offline_access",
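Review bot: The new `siret` client scope is also appended to `defaultDefaultClientScopes` (the `"acr",` / `"siret"` lines at the end of the section), and its mapper sets `id.token.claim`, `access.token.claim` and `userinfo.token.claim` to `"true"`, so every client created in this realm from now on receives the SIRET claim in all three places, not only the desk client that already gets it through its own `defaultClientScopes` (`"profile", "siret", "email"`). For a dev/e2e realm that is harmless, but the backend surfaces this claim as the organization's `registration_id_list`, so it is worth stating in the PR description that whoever can edit the `siret` user attribute in this realm decides which registration ID a user carries, whereas with the real provider (the AgentConnect endpoints in the Helm values) the claim is asserted by the IdP. If the realm-wide default is not needed, dropping `"siret"` from `defaultDefaultClientScopes` keeps the change scoped to the desk client.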
4 changes: 2 additions & 2 deletions src/backend/core/api/client/serializers.py
Expand Up @@ -88,8 +88,8 @@ class UserOrganizationSerializer(serializers.ModelSerializer):

class Meta:
model = models.Organization
fields = ["id", "name"]
read_only_fields = ["id", "name"]
fields = ["id", "name", "registration_id_list"]
read_only_fields = ["id", "name", "registration_id_list"]


class UserSerializer(DynamicFieldsModelSerializer):
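Review bot: `registration_id_list` is now serialized for every organization embedded in a user, and the test changes in this PR show that includes the user list and search endpoints (`/api/v1.0/users/?q=...`), so any authenticated caller who can search users also reads the registration IDs (SIRET) of other users' organizations. That looks intended given the retrieve test, but it widens what the list endpoint discloses compared with `["id", "name"]`, and nothing in the serializer records that choice; a one-line comment on `Meta` such as `# registration_id_list (e.g. SIRET) is deliberately exposed read-only to any authenticated user` would make it explicit. The enclosing `UserOrganizationSerializer` class starts above the hunk.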
25 changes: 22 additions & 3 deletions src/backend/core/tests/users/test_api_users_list.py
Expand Up @@ -4,6 +4,7 @@

from unittest import mock

import jq
import pytest
from rest_framework.status import (
HTTP_200_OK,
Expand Down Expand Up @@ -77,7 +78,13 @@ def test_api_users_list_authenticated_response_content(
response = client.get("/api/v1.0/users/")

assert response.status_code == HTTP_200_OK
assert response.json() == {
json = response.json()
edited_json = (
jq.compile(".results[] |= (.organization |= del(.registration_id_list))")
.input(json)
.first()
)
assert edited_json == {
"count": 2,
"next": None,
"previous": None,
Expand Down Expand Up @@ -155,7 +162,13 @@ def test_api_users_authenticated_list_by_email():
response = client.get("/api/v1.0/users/?q=ool")

assert response.status_code == HTTP_200_OK
assert response.json()["results"] == [
json = response.json()
edited_json = (
jq.compile(".results[] |= (.organization |= del(.registration_id_list))")
.input(json)
.first()
)
assert edited_json["results"] == [
{
"id": str(frank.id),
"email": frank.email,
Expand Down Expand Up @@ -228,7 +241,13 @@ def test_api_users_authenticated_list_by_name():
response = client.get("/api/v1.0/users/?q=oole")

assert response.status_code == HTTP_200_OK
assert response.json()["results"] == [
json = response.json()
edited_json = (
jq.compile(".results[] |= (.organization |= del(.registration_id_list))")
.input(json)
.first()
)
assert edited_json["results"] == [
{
"id": str(frank.id),
"email": frank.email,
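Review bot: The three list tests strip `registration_id_list` with a `jq` program (`edited_json = (` right after `json = response.json()` in the `/api/v1.0/users/` hunk, and again in the `?q=ool` and `?q=oole` hunks) instead of asserting it, so the new field is never checked on list responses, only on the retrieve endpoint; it also pulls `jq` (a binding to libjq added to the dev group in pyproject.toml) into the test suite for a one-line job. Asserting the value is both stronger and dependency-free: add `"registration_id_list": <expected organization>.registration_id_list` to each expected organization dict, or, if stripping is really wanted, `for result in payload["results"]: result["organization"].pop("registration_id_list")`. The local name `json` also shadows the stdlib module; `payload` or `body` reads better and avoids a surprise if `json` is ever imported in this file. The enclosing test functions start above each hunk.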
1 change: 1 addition & 0 deletions src/backend/core/tests/users/test_api_users_retrieve.py
Expand Up @@ -61,6 +61,7 @@ def test_api_users_retrieve_me_authenticated():
"organization": {
"id": str(user.organization.pk),
"name": user.organization.name,
"registration_id_list": user.organization.registration_id_list,
},
}

2 changes: 2 additions & 0 deletions src/backend/people/settings.py
Expand Up @@ -639,6 +639,8 @@ class Development(Base):
# this is a dev credentials for mail provisioning API
MAIL_PROVISIONING_API_CREDENTIALS = "bGFfcmVnaWU6cGFzc3dvcmQ="

OIDC_ORGANIZATION_REGISTRATION_ID_FIELD = "siret"

def __init__(self):
"""In dev, force installs needed for Swagger API."""
# pylint: disable=invalid-name
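Review bot: `OIDC_ORGANIZATION_REGISTRATION_ID_FIELD = "siret"` is a bare class attribute with nothing tying it to the claim name configured in `docker/auth/realm.json`; a comment such as `# Name of the OIDC claim carrying the organization registration ID; "siret" matches the mapper in docker/auth/realm.json` would keep the two in step. If `Base` reads this setting from the environment (the Helm values in this PR set it via an env var, which suggests so), the hardcoded value here silently overrides any `OIDC_ORGANIZATION_REGISTRATION_ID_FIELD` supplied to a development container; fine if intentional, but worth saying in the comment. The enclosing `Development` class starts above the hunk.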
1 change: 1 addition & 0 deletions src/backend/pyproject.toml
Expand Up @@ -66,6 +66,7 @@ dev = [
"drf-spectacular-sidecar==2024.12.1",
"ipdb==0.13.13",
"ipython==8.31.0",
"jq==1.8.0",
"pyfakefs==5.7.3",
"pylint-django==2.6.1",
"pylint==3.3.2",
23 changes: 23 additions & 0 deletions src/frontend/apps/e2e/__tests__/app-desk/siret.spec.ts
@@ -0,0 +1,23 @@
import { expect, test } from '@playwright/test';

import { keyCloakSignIn } from './common';

test.beforeEach(async ({ page, browserName }) => {
await page.goto('/');
await keyCloakSignIn(page, browserName, 'marie');
});

test.describe('OIDC interop with SIRET', () => {
test('it checks the SIRET is displayed in /me endpoint', async ({ page }) => {
const header = page.locator('header').first();
await expect(header.getByAltText('Marianne Logo')).toBeVisible();

const response = await page.request.get(
'http://localhost:8071/api/v1.0/users/me/',
);
expect(response.ok()).toBeTruthy();
expect(await response.json()).toMatchObject({
organization: { registration_id_list: ['21580304000017'] },
});
});
});
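Review bot: The request to `http://localhost:8071/api/v1.0/users/me/` hardcodes the backend origin while the page itself is reached through Playwright's configured base URL (`page.goto('/')`), so the test breaks silently as soon as the API is served from another host or port; if `common.ts` or the Playwright config already knows the API origin, read it from there instead of the literal. A short comment would also help a reader see why the call is authenticated and where the expected value comes from: `// page.request shares the browser context's cookies, so this call runs as marie; 21580304000017 is the siret attribute seeded for e2e.marie in docker/auth/realm.json`.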
1 change: 1 addition & 0 deletions src/helm/env.d/dev/values.desk.yaml.gotmpl
Expand Up @@ -26,6 +26,7 @@ backend:
OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret"
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: backend