feat: allow using client id as user for client-secret auth

When authentication happens with a "service user" instead of a regular user, we may not get a username. However, we can now configure Caluma to use the client ID as username instead. This is optional to ensure that the behaviour is intended, and no "wrong" fallback happens in case the username claim was just configured incorrectly.
projectcaluma · Nov 25, 2022 · 3e45c61 · 3e45c61
1 parent 8baa6d0
commit 3e45c61
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/caluma/caluma_user/models.py b/caluma/caluma_user/models.py
@@ -24,7 +24,16 @@ def __init__(self, token: str, userinfo: dict = None, introspection: dict = None
         super().__init__()
 
         self.claims, self.claims_source = self._get_claims(userinfo, introspection)
-        self.username = self.claims[settings.OIDC_USERNAME_CLAIM]
+
+        if (
+            self.claims_source == "introspection"
+            and settings.OIDC_CLIENT_AS_USERNAME
+            and settings.OIDC_USERNAME_CLAIM not in self.claims
+        ):
+            self.username = self.claims[settings.OIDC_CLIENT_CLAIM]
+        else:
+            self.username = self.claims[settings.OIDC_USERNAME_CLAIM]
+
         self.groups = self.claims.get(settings.OIDC_GROUPS_CLAIM)
         self.group = self.groups[0] if self.groups else None
         self.token = token

diff --git a/caluma/caluma_user/tests/test_views.py b/caluma/caluma_user/tests/test_views.py
@@ -92,3 +92,33 @@ def test_no_client_id(rf, requests_mock, settings):
     request = rf.get("/graphql", HTTP_AUTHORIZATION=authentication_header)
     response = views.AuthenticationGraphQLView.as_view()(request)
     assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+@pytest.mark.parametrize(
+    "client_as_username, client_claim, expect_success",
+    [
+        (True, "client_id", True),
+        (True, "other_key", False),
+        (False, "client_id", False),
+    ],
+)
+def test_introspection_no_username(
+    rf, requests_mock, settings, client_as_username, client_claim, expect_success
+):
+
+    settings.OIDC_CLIENT_CLAIM = client_claim
+    if client_as_username:
+        settings.OIDC_CLIENT_AS_USERNAME = True
+
+    requests_mock.get(settings.OIDC_USERINFO_ENDPOINT, status_code=401)
+    requests_mock.post(
+        settings.OIDC_INTROSPECT_ENDPOINT, text=json.dumps({"client_id": "test_client"})
+    )
+
+    request = rf.get("/graphql", HTTP_AUTHORIZATION="Bearer foo")
+    if expect_success:
+        views.AuthenticationGraphQLView.as_view()(request)
+        assert request.user.is_authenticated == expect_success
+    else:
+        with pytest.raises(KeyError):
+            views.AuthenticationGraphQLView.as_view()(request)
diff --git a/caluma/settings/caluma.py b/caluma/settings/caluma.py
@@ -58,6 +58,12 @@ def default(default_dev=env.NOTSET, default_prod=env.NOTSET):
 OIDC_VERIFY_SSL = env.bool("OIDC_VERIFY_SSL", default=True)
 OIDC_GROUPS_CLAIM = env.str("OIDC_GROUPS_CLAIM", default="caluma_groups")
 OIDC_USERNAME_CLAIM = env.str("OIDC_USERNAME_CLAIM", default="sub")
+# Claim to use for the "client" claim. Should normally be left to the default value
+OIDC_CLIENT_CLAIM = env.str("OIDC_CLIENT_CLAIM", default="client_id")
+
+# When service clients are used, should we pretend they're users?
+OIDC_CLIENT_AS_USERNAME = env.bool("OIDC_CLIENT_AS_USERNAME", default=False)
+
 OIDC_BEARER_TOKEN_REVALIDATION_TIME = env.int(
     "OIDC_BEARER_TOKEN_REVALIDATION_TIME", default=0
 )