Fixed OIDC authentication for SCIM endpoints

QuanMPhm · QuanMPhm · commit c54ac1bf88e1 · 2024-08-16T15:33:55.000-04:00
Previously, the Coldfront SCIM endpoints could not perform OIDC authentication,
preventing usage of the client credentials and device authorization flows.

A authentication middleware which subclasses from the one provided by
`django_scim` has been added, which will perform OIDC authentication
given an access token in the "Authorization" HTTP request header.

The SCIM endpoint is now available to Coldfront users with
"staff" or "superuser" status. It will perform OIDC authentication
if the `PLUGIN_AUTH_OIDC` env var is set to True.
diff --git a/src/coldfront_plugin_api/config.py b/src/coldfront_plugin_api/config.py
@@ -14,4 +14,5 @@
     "GROUP_ADAPTER": "coldfront_plugin_api.scim_v2.adapter_group.SCIMColdfrontGroup",
     "GROUP_FILTER_PARSER": "coldfront_plugin_api.scim_v2.filters.ColdfrontGroupFilterQuery",
     "GET_IS_AUTHENTICATED_PREDICATE": "coldfront_plugin_api.utils.is_user_superuser",
+    "AUTH_CHECK_MIDDLEWARE": "coldfront_plugin_api.scim_v2.auth_middleware.SCIMColdfrontAuthCheckMiddleware",
 }
diff --git a/src/coldfront_plugin_api/scim_v2/auth_middleware.py b/src/coldfront_plugin_api/scim_v2/auth_middleware.py
@@ -0,0 +1,17 @@
+import os
+import logging
+
+from django_scim.middleware import SCIMAuthCheckMiddleware
+from mozilla_django_oidc.contrib.drf import OIDCAuthentication
+
+logger = logging.getLogger(__name__)
+
+
+class SCIMColdfrontAuthCheckMiddleware(SCIMAuthCheckMiddleware):
+    def process_request(self, request):
+        if not request.user or not request.user.is_staff:
+            # PLUGIN_AUTH_OIDC implies DRF OIDC backend is configured
+            if os.getenv("PLUGIN_AUTH_OIDC") == "True":
+                oidc_auth_obj = OIDCAuthentication()
+                request.user = oidc_auth_obj.authenticate(request)
+            return super().process_request(request)
diff --git a/src/coldfront_plugin_api/utils.py b/src/coldfront_plugin_api/utils.py
@@ -59,7 +59,7 @@ def is_user_superuser(user: User):
     As a temporary hack, this function will handle raising the appropriate 403 error if
     user is authenticated, but not superuser
     """
-    if user.is_authenticated and not user.is_superuser:
+    if user.is_authenticated and not user.is_staff:
         raise PermissionDenied
     else:
         return user.is_authenticated

Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,5 @@`
`14`	`14`	`"GROUP_ADAPTER": "coldfront_plugin_api.scim_v2.adapter_group.SCIMColdfrontGroup",`
`15`	`15`	`"GROUP_FILTER_PARSER": "coldfront_plugin_api.scim_v2.filters.ColdfrontGroupFilterQuery",`
`16`	`16`	`"GET_IS_AUTHENTICATED_PREDICATE": "coldfront_plugin_api.utils.is_user_superuser",`
	`17`	`+ "AUTH_CHECK_MIDDLEWARE": "coldfront_plugin_api.scim_v2.auth_middleware.SCIMColdfrontAuthCheckMiddleware",`
`17`	`18`	`}`