Refactor FxA authentication configuration and fake auth handling

Makefile-os

@@ -17,6 +17,9 @@ export DOCKER_VERSION ?=
 export DATA_BACKUP_SKIP ?=
 override DOCKER_MYSQLD_VOLUME = addons-server_data_mysqld
 
+export FXA_CLIENT_ID ?=
+export FXA_CLIENT_SECRET ?=
+
 INITIALIZE_ARGS ?=
 INIT_CLEAN ?=
 INIT_LOAD ?=

docker-compose.yml

@@ -22,6 +22,8 @@ x-env-mapping: &env
     - ENV=local
     - CIRCLECI
     - DATA_BACKUP_SKIP
+    - FXA_CLIENT_ID
+    - FXA_CLIENT_SECRET
 
 x-olympia: &olympia
   <<: *env

docs/topics/development/authentication.md

@@ -0,0 +1,42 @@
+# Authentication
+
+## Firefox Accounts
+
+Firefox Accounts (FXA) is the authentication system used by addons-server.
+In local development and in testing, we default to fake credentials which redirect
+to a local fake auth page. If you define real credentials, you will be redirected
+to fxa using the specified client id and secret.
+
+### Local development
+
+In local development, we default to fake credentials which redirect to a local
+fake auth page. Fake credentials of '' are defined by default on the environment and read
+into the FXA_CONFIG settings.
+
+### Production environments
+
+In production environments, we defined real FXA_CLIENT_ID and FXA_CLIENT_SECRET values
+to be used on the corrresponding FXA servers.
+
+### use_fake_fxa
+
+A utility method is used to determine if we should use the fake or real fxa redirect.
+This function only returns true if the environment is local/test and if the fake fxa client
+id and secret are defined. This forces us to use real auth redirection in production environments.
+
+### Getting real credentials for local development
+
+You must contact the FxA team to get your own credentials for FxA stage.
+
+To use these credentials, you can pass them to make up:
+
+```bash
+make up FXA_CLIENT_ID=<your-client-id> FXA_CLIENT_SECRET=<your-client-secret>
+```
+
+or set them in your environment (on the host machine, not inside the container):
+
+```bash
+export FXA_CLIENT_ID=<your-client-id>
+export FXA_CLIENT_SECRET=<your-client-secret>
+

docs/topics/development/index.md

@@ -28,4 +28,5 @@ docs
 waffle
 remote_settings
 ../../../README.rst
+authentication
 ```

settings.py

@@ -115,14 +115,6 @@ def insert_debug_toolbar_middleware(middlewares):
 FXA_OAUTH_HOST = 'https://oauth.stage.mozaws.net/v1'
 FXA_PROFILE_HOST = 'https://profile.stage.mozaws.net/v1'
 
-# When USE_FAKE_FXA_AUTH and settings.DEV_MODE are both True, we serve a fake
-# authentication page, bypassing FxA. To disable this behavior, set
-# USE_FAKE_FXA = False in your local settings.
-# You will also need to specify `client_id` and `client_secret` in your
-# local_settings.py or environment variables - you must contact the FxA team to get your
-# own credentials for FxA stage.
-USE_FAKE_FXA_AUTH = True
-
 # CSP report endpoint which returns a 204 from addons-nginx in local dev.
 CSP_REPORT_URI = '/csp-report'
 RESTRICTED_DOWNLOAD_CSP['REPORT_URI'] = CSP_REPORT_URI

settings_test.py

@@ -113,3 +113,11 @@
 
 # This is a testing environment
 TESTING_ENV = True
+
+FXA_CONFIG = {
+    # Default FxA config should simulate a real FxA config with redirection
+    'default': {
+        'client_id': 'amodefault',
+        'client_secret': 'amodefault',
+    },
+}

src/olympia/accounts/tests/test_utils.py

@@ -1,6 +1,7 @@
 from base64 import urlsafe_b64decode, urlsafe_b64encode
 from urllib.parse import parse_qs, urlparse
 
+from django.conf import settings
 from django.test import RequestFactory
 from django.test.utils import override_settings
 from django.urls import reverse
@@ -10,24 +11,14 @@
 from olympia.amo.tests import TestCase
 
 
-FXA_CONFIG = {
-    'default': {
-        'client_id': 'foo',
-        'client_secret': 'bar',
-    },
-    'other': {'client_id': 'foo_other', 'client_secret': 'bar_other'},
-}
-
-
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 @override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
 def test_fxa_login_url_without_requiring_two_factor_auth():
     path = '/en-US/addons/abp/?source=ddg'
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'myfxastate'}
 
     raw_url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=path,
         enforce_2fa=False,
@@ -41,22 +32,21 @@ def test_fxa_login_url_without_requiring_two_factor_auth():
     query = parse_qs(url.query)
     next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
     assert query == {
-        'client_id': ['foo'],
+        'client_id': ['amodefault'],
         'scope': ['profile openid'],
         'state': [f'myfxastate:{force_str(next_path)}'],
         'access_type': ['offline'],
     }
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 @override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
 def test_fxa_login_url_requiring_two_factor_auth():
     path = '/en-US/addons/abp/?source=ddg'
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'myfxastate'}
 
     raw_url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=path,
         enforce_2fa=True,
@@ -71,22 +61,21 @@ def test_fxa_login_url_requiring_two_factor_auth():
     next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
     assert query == {
         'acr_values': ['AAL2'],
-        'client_id': ['foo'],
+        'client_id': ['amodefault'],
         'scope': ['profile openid'],
         'state': [f'myfxastate:{force_str(next_path)}'],
         'access_type': ['offline'],
     }
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 @override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
 def test_fxa_login_url_requiring_two_factor_auth_passing_token():
     path = '/en-US/addons/abp/?source=ddg'
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'myfxastate'}
 
     raw_url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=path,
         enforce_2fa=True,
@@ -102,7 +91,7 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_token():
     next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
     assert query == {
         'acr_values': ['AAL2'],
-        'client_id': ['foo'],
+        'client_id': ['amodefault'],
         'id_token_hint': ['YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo='],
         'prompt': ['none'],
         'scope': ['profile openid'],
@@ -111,15 +100,14 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_token():
     }
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 @override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
 def test_fxa_login_url_requiring_two_factor_auth_passing_request():
     path = '/en-US/addons/abp/?source=ddg'
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'myfxastate'}
 
     raw_url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=path,
         enforce_2fa=True,
@@ -135,22 +123,21 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_request():
     next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
     assert query == {
         'acr_values': ['AAL2'],
-        'client_id': ['foo'],
+        'client_id': ['amodefault'],
         'scope': ['profile openid'],
         'state': [f'myfxastate:{force_str(next_path)}'],
         'access_type': ['offline'],
     }
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 @override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
 def test_fxa_login_url_requiring_two_factor_auth_passing_login_hint():
     path = '/en-US/addons/abp/?source=ddg'
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'myfxastate'}
 
     raw_url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=path,
         enforce_2fa=True,
@@ -167,7 +154,7 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_login_hint():
     next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
     assert query == {
         'acr_values': ['AAL2'],
-        'client_id': ['foo'],
+        'client_id': ['amodefault'],
         'login_hint': ['[email protected]'],
         'prompt': ['none'],
         'scope': ['profile openid'],
@@ -181,7 +168,7 @@ def test_unicode_next_path():
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'fake-state'}
     url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=utils.path_with_query(request),
     )
@@ -190,68 +177,51 @@ def test_unicode_next_path():
     assert next_path.decode('utf-8') == path
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 def test_redirect_for_login():
     request = RequestFactory().get('/somewhere')
     request.session = {'fxa_state': 'fake-state'}
     response = utils.redirect_for_login(request)
     assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path='/somewhere',
     )
     assert request.session['enforce_2fa'] is False
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 def test_redirect_for_login_with_next_path():
     request = RequestFactory().get('/somewhere')
     request.session = {'fxa_state': 'fake-state'}
     response = utils.redirect_for_login(request, next_path='/over/the/rainbow')
     assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path='/over/the/rainbow',
     )
     assert request.session['enforce_2fa'] is False
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
-def test_redirect_for_login_with_config():
-    request = RequestFactory().get('/somewhere')
-    request.session = {'fxa_state': 'fake-state'}
-    response = utils.redirect_for_login(request, config=FXA_CONFIG['other'])
-    assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['other'],
-        state=request.session['fxa_state'],
-        next_path='/somewhere',
-    )
-    assert request.session['enforce_2fa'] is False
-
-
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 def test_redirect_for_login_with_2fa_enforced():
     request = RequestFactory().get('/somewhere')
     request.session = {'fxa_state': 'fake-state'}
     response = utils.redirect_for_login_with_2fa_enforced(request)
     assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path='/somewhere',
         enforce_2fa=True,
     )
     assert request.session['enforce_2fa'] is True
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 def test_redirect_for_login_with_2fa_enforced_id_token_hint():
     request = RequestFactory().get('/somewhere')
     request.session = {'fxa_state': 'fake-state'}
     response = utils.redirect_for_login_with_2fa_enforced(
         request, id_token_hint='some_token_hint'
     )
     assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path='/somewhere',
         enforce_2fa=True,
@@ -260,56 +230,56 @@ def test_redirect_for_login_with_2fa_enforced_id_token_hint():
     assert request.session['enforce_2fa'] is True
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 def test_redirect_for_login_with_2fa_enforced_and_next_path():
     request = RequestFactory().get('/somewhere')
     request.session = {'fxa_state': 'fake-state'}
     response = utils.redirect_for_login_with_2fa_enforced(
         request, next_path='/over/the/rainbow'
     )
     assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path='/over/the/rainbow',
         enforce_2fa=True,
     )
     assert request.session['enforce_2fa'] is True
 
 
-@override_settings(FXA_CONFIG=FXA_CONFIG)
 def test_redirect_for_login_with_2fa_enforced_and_config():
     request = RequestFactory().get('/somewhere')
     request.session = {'fxa_state': 'fake-state'}
     response = utils.redirect_for_login_with_2fa_enforced(
-        request, config=FXA_CONFIG['other']
+        request,
+        config={'client_id': 'foo_other', 'client_secret': 'bar_other'},
     )
     assert response['location'] == utils.fxa_login_url(
-        config=FXA_CONFIG['other'],
+        config={'client_id': 'foo_other', 'client_secret': 'bar_other'},
         state=request.session['fxa_state'],
         next_path='/somewhere',
         enforce_2fa=True,
     )
     assert request.session['enforce_2fa'] is True
 
 
-@override_settings(DEV_MODE=True, USE_FAKE_FXA_AUTH=True)
+@override_settings(FXA_CONFIG={'default': {'client_id': ''}})
 def test_fxa_login_url_when_faking_fxa_auth():
     path = '/en-US/addons/abp/?source=ddg'
     request = RequestFactory().get(path)
     request.session = {'fxa_state': 'myfxastate'}
     raw_url = utils.fxa_login_url(
-        config=FXA_CONFIG['default'],
+        config=settings.FXA_CONFIG['default'],
         state=request.session['fxa_state'],
         next_path=path,
     )
     url = urlparse(raw_url)
     assert url.scheme == ''
     assert url.netloc == ''
     assert url.path == reverse('fake-fxa-authorization')
-    query = parse_qs(url.query)
+    # client_id has a blank value, so we should inspect blank values
+    query = parse_qs(url.query, keep_blank_values=True)
     next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
     assert query == {
-        'client_id': ['foo'],
+        'client_id': [''],
         'scope': ['profile openid'],
         'state': [f'myfxastate:{force_str(next_path)}'],
         'access_type': ['offline'],