Add a simple oauth implementation via django-oauth-toolkit (#447)

* Add a simple oauth implementation via django-oauth-toolkit.

* Refactor settings

* Skip TestMigrations when --migrations flag is omitted

* Add simple unit tests

* Remove redundant imports, modify the default REST_FRAMEWORK object when adding OAuth2 classes instead, refactor two constants

Author: gkju

conftest.py

@@ -47,3 +47,11 @@ def pytest_html_results_table_header(cells):
 @pytest.hookimpl(optionalhook=True)
 def pytest_html_results_table_row(report, cells):
     cells.pop()
+
+@pytest.fixture()
+def require_migrations_flag(request):
+    config = request.config
+    nomigrations_enabled_flag = config.getoption("nomigrations")
+
+    if nomigrations_enabled_flag:
+        pytest.skip("Test requires the --migrations flag to run.")

oioioi/base/tests/tests.py

@@ -8,6 +8,7 @@
 import subprocess
 import sys
 import tempfile
+import pytest
 from importlib import import_module, reload
 
 from captcha.models import CaptchaStore
@@ -79,7 +80,7 @@
 
 basedir = os.path.dirname(__file__)
 
-
+@pytest.mark.usefixtures("require_migrations_flag")
 class TestMigrations(TestCase):
     # This only works if pytest is ran with `--migrations`, which is the case
     # in github workflow files. Otherwise the test seemingly always passes.

oioioi/deployment/settings.py.template

@@ -598,3 +598,14 @@ CONTEST_ADMINS_CAN_SU = False
 
 # If set to False, contest admins switched to a participant will be able to make any type of request.
 ALLOW_ONLY_GET_FOR_SU_CONTEST_ADMINS = True
+
+# OAuth2 support
+#
+# INSTALLED_APPS = (
+#    'oauth2_provider',
+#    'oioioi.oauth',
+# ) + INSTALLED_APPS
+#
+# REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] += (
+#    'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
+# )

oioioi/oauth/__init__.py

@@ -0,0 +1,31 @@
+from django.contrib.auth.mixins import UserPassesTestMixin
+from oauth2_provider.views import (
+    ApplicationRegistration,
+    ApplicationUpdate,
+    ApplicationDelete,
+    ApplicationList,
+    ApplicationDetail,
+)
+from oauth2_provider.models import Application
+
+class AdminRequiredMixin(UserPassesTestMixin):
+    def test_func(self):
+        return self.request.user.is_superuser or self.request.user.is_staff
+
+class AdminApplicationList(AdminRequiredMixin, ApplicationList):
+    def get_queryset(self):
+        return Application.objects.all()
+
+class AdminApplicationRegistration(AdminRequiredMixin, ApplicationRegistration):
+    pass
+
+class AdminApplicationUpdate(AdminRequiredMixin, ApplicationUpdate):
+    pass
+
+class AdminApplicationDelete(AdminRequiredMixin, ApplicationDelete):
+    pass
+
+class AdminApplicationDetail(AdminRequiredMixin, ApplicationDetail):
+    def get_object(self, queryset=None):
+        obj = super().get_object(queryset)
+        return obj

oioioi/oauth/middleware.py

@@ -0,0 +1,88 @@
+from datetime import timedelta
+
+import pytest
+
+from django.conf import settings
+from django.test.utils import override_settings
+from django.urls import reverse
+from django.contrib.auth import get_user_model
+from oauth2_provider.models import Application, AccessToken
+from django.utils import timezone
+from rest_framework.test import APIClient
+import json
+
+from oioioi.base.tests import TestCase
+
+User = get_user_model()
+
+@override_settings(
+    OAUTH2_PROVIDER={
+        'SCOPES': {'read': 'Read access', 'write': 'Write access'},
+        'ALLOWED_GRANT_TYPES': ['password', 'authorization_code', 'client_credentials', 'refresh_token'],
+    }
+)
+class PasswordGrantTestCase(TestCase):
+    fixtures = ['test_users']
+
+    def setUp(self):
+        # For this test, we need to explicitly create a password-grant-based app
+        # Since secrets are hashed we will store their plaintext as members
+        self.user_pwd = 'password'
+        self.user = User.objects.create_user('oauth_test_user', '[email protected]', self.user_pwd)
+
+        self.app_secret = 'test-client-secret'
+        self.application = Application.objects.create(
+            name='Password Grant Test App',
+            user=self.user,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_PASSWORD,
+            client_id='test-client-id',
+            client_secret=self.app_secret,
+            redirect_uris=''
+        )
+
+        # Create an access token for reference
+        self.access_token = AccessToken.objects.create(
+            user=self.user,
+            application=self.application,
+            token='test_token',
+            expires=timezone.now() + timedelta(days=1),
+            scope='read write'
+        )
+
+        self.api_client = APIClient()
+
+    # Test a token created without a grant for reference
+    def test_protected_endpoint_with_token(self):
+        self.api_client.credentials(HTTP_AUTHORIZATION=f'Bearer {self.access_token.token}')
+        response = self.api_client.get('/api/auth_ping')
+        self.assertEqual(response.status_code, 200)
+
+        self.api_client.credentials()
+        response = self.api_client.get('/api/auth_ping')
+        self.assertEqual(response.status_code, 403)
+
+    def test_token_flow(self):
+        token_url = reverse('oauth2_provider:token')
+
+        response = self.client.post(token_url, {
+            'grant_type': Application.GRANT_PASSWORD,
+            'username': self.user.username,
+            'password': self.user_pwd,
+            'client_id': self.application.client_id,
+            'client_secret': self.app_secret,
+        })
+
+        self.assertEqual(response.status_code, 200)
+        content = json.loads(response.content.decode('utf-8'))
+        self.assertIn('access_token', content)
+        self.assertIn('token_type', content)
+        self.assertEqual(content['token_type'], 'Bearer')
+
+        self.api_client.credentials(HTTP_AUTHORIZATION=f'Bearer {content["access_token"]}')
+        response = self.api_client.get('/api/auth_ping')
+        self.assertEqual(response.status_code, 200)
+
+        self.api_client.credentials()
+        response = self.api_client.get('/api/auth_ping')
+        self.assertEqual(response.status_code, 403)

oioioi/oauth/tests/__init__.py

@@ -0,0 +1,40 @@
+import oauth2_provider.views as oauth2_views
+from django.conf import settings
+from django.contrib import admin as django_admin
+from django.views import i18n
+from django.urls import include, re_path
+from .middleware import (
+    AdminApplicationList,
+    AdminApplicationRegistration,
+    AdminApplicationUpdate,
+    AdminApplicationDelete,
+    AdminApplicationDetail,
+)
+
+app_name = 'oauth'
+
+oauth2_endpoint_views = [
+    re_path(r'^authorize/', oauth2_views.AuthorizationView.as_view(), name="authorize"),
+    re_path(r'^token/', oauth2_views.TokenView.as_view(), name="token"),
+    re_path(r'^revoke-token/', oauth2_views.RevokeTokenView.as_view(), name="revoke-token"),
+]
+
+if settings.DEBUG:
+    # OAuth2 Application Management endpoints
+    oauth2_endpoint_views += [
+        re_path(r'^applications/register/', AdminApplicationRegistration.as_view(), name="register"),
+        re_path(r'^applications/(?P<pk>\d+)/', AdminApplicationDetail.as_view(), name="detail"),
+        re_path(r'^applications/(?P<pk>\d+)/delete/', AdminApplicationDelete.as_view(), name="delete"),
+        re_path(r'^applications/(?P<pk>\d+)/update/', AdminApplicationUpdate.as_view(), name="update"),
+        re_path(r'^applications/', AdminApplicationList.as_view(), name="list"),
+    ]
+
+    oauth2_endpoint_views += [
+        re_path(r'^authorized-tokens/', oauth2_views.AuthorizedTokensListView.as_view(), name="authorized-token-list"),
+        re_path(r'^authorized-tokens/<pk>/delete/', oauth2_views.AuthorizedTokenDeleteView.as_view(),
+            name="authorized-token-delete"),
+    ]
+
+urlpatterns = [
+    re_path(r'^o/', include((oauth2_endpoint_views, 'oauth2_provider'), namespace="oauth2_provider")),
+]

oioioi/oauth/tests/tests.py

@@ -62,6 +62,8 @@
     'oioioi.usercontests',
     'oioioi.mp',
     'oioioi.welcomepage',
+    'oauth2_provider',
+    'oioioi.oauth',
 ) + INSTALLED_APPS
 
 TEMPLATES[0]['OPTIONS']['context_processors'] += [
@@ -125,3 +127,7 @@
     'handlers': ['console'],
     'level': 'INFO',
 }
+
+REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] += (
+    'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
+)

oioioi/oauth/urls.py

@@ -38,6 +38,7 @@
     "django-debug-toolbar",
     "django-extensions>=3.2,<3.3",
     "djangorestframework>=3.14,<3.15",
+    "django-oauth-toolkit>=3.0,<3.1",
     "Werkzeug",
     "pytest>=7.2,<8.0",
     "pytest-cov>=4.0,<5.0",