Fixed OIDC authentication for SCIM endpoints

QuanMPhm · QuanMPhm · commit f6f1f6089e4a · 2024-08-15T15:02:27.000-04:00
Previously, the Coldfront SCIM endpoints could not perform OIDC authentication,
preventing usage of the client credentials and device authorization flows.

A authentication middleware which subclasses from the one provided by
`django_scim` has been added, which will perform OIDC authentication
given an access token in the "Authorization" HTTP request header.

The SCIM endpoint is now available to Coldfront users with
"staff" or "superuser" status.
diff --git a/src/coldfront_plugin_api/config.py b/src/coldfront_plugin_api/config.py
@@ -14,4 +14,5 @@
     "GROUP_ADAPTER": "coldfront_plugin_api.scim_v2.adapter_group.SCIMColdfrontGroup",
     "GROUP_FILTER_PARSER": "coldfront_plugin_api.scim_v2.filters.ColdfrontGroupFilterQuery",
     "GET_IS_AUTHENTICATED_PREDICATE": "coldfront_plugin_api.utils.is_user_superuser",
+    "AUTH_CHECK_MIDDLEWARE": "coldfront_plugin_api.scim_v2.auth_middleware.SCIMColdfrontAuthCheckMiddleware",
 }
diff --git a/src/coldfront_plugin_api/scim_v2/auth_middleware.py b/src/coldfront_plugin_api/scim_v2/auth_middleware.py
@@ -0,0 +1,30 @@
+import logging
+
+from django.http.response import HttpResponse
+from django.urls import reverse
+from django_scim.middleware import SCIMAuthCheckMiddleware
+from mozilla_django_oidc.contrib.drf import OIDCAuthentication
+
+logger = logging.getLogger(__name__)
+
+
+class SCIMColdfrontAuthCheckMiddleware(SCIMAuthCheckMiddleware):
+    def __call__(self, request, *args, **kwargs):
+        response = None
+        if hasattr(self, 'process_request'):
+            response = self.process_request(request)
+        if not response:
+            response = self.get_response(request, *args, **kwargs)
+        if hasattr(self, 'process_response'):
+            response = self.process_response(request, response)
+        return response
+    
+    def process_request(self, request):
+        oidc_auth_obj = OIDCAuthentication()
+        user = oidc_auth_obj.authenticate(request)
+
+        if not user or not user[0].is_staff:
+            return super().process_request(request)
+
+    def process_response(self, request, response):
+        return response
diff --git a/src/coldfront_plugin_api/utils.py b/src/coldfront_plugin_api/utils.py
@@ -59,7 +59,7 @@ def is_user_superuser(user: User):
     As a temporary hack, this function will handle raising the appropriate 403 error if
     user is authenticated, but not superuser
     """
-    if user.is_authenticated and not user.is_superuser:
+    if user.is_authenticated and not user.is_staff:
         raise PermissionDenied
     else:
         return user.is_authenticated

Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,5 @@`
`14`	`14`	`"GROUP_ADAPTER": "coldfront_plugin_api.scim_v2.adapter_group.SCIMColdfrontGroup",`
`15`	`15`	`"GROUP_FILTER_PARSER": "coldfront_plugin_api.scim_v2.filters.ColdfrontGroupFilterQuery",`
`16`	`16`	`"GET_IS_AUTHENTICATED_PREDICATE": "coldfront_plugin_api.utils.is_user_superuser",`
	`17`	`+ "AUTH_CHECK_MIDDLEWARE": "coldfront_plugin_api.scim_v2.auth_middleware.SCIMColdfrontAuthCheckMiddleware",`
`17`	`18`	`}`