From 244f093fe5d0d44ab622fcff0a373a70187c20b2 Mon Sep 17 00:00:00 2001
From: Dimitris Papagiannis <d.papag.a@gmail.com>
Date: Tue, 8 Aug 2023 12:26:56 +0200
Subject: [PATCH 1/2] Update to use OIDC

---
 .env_sample                    | 13 +++++++++
 .gitignore                     |  5 ++++
 home/templates/home/login.html | 48 ++++++++++++++--------------------
 mlp/settings.py                | 35 ++++++++++++++++++++++---
 4 files changed, 68 insertions(+), 33 deletions(-)
 create mode 100644 .env_sample

diff --git a/.env_sample b/.env_sample
new file mode 100644
index 0000000..df81708
--- /dev/null
+++ b/.env_sample
@@ -0,0 +1,13 @@
+DJANGO_SECRET_KEY=
+DIR_PATH_DQMIO_STORAGE=
+DJANGO_DATABASE_ENGINE=django.db.backends.postgresql
+DJANGO_DATABASE_NAME=testmlp
+DJANGO_DATABASE_USER=postgres
+DJANGO_DATABASE_PASSWORD=postgres
+DJANGO_DATABASE_PORT=5432
+DJANGO_DATABASE_HOST=127.0.0.1
+DJANGO_ALLOWED_HOSTS=*
+DJANGO_DEBUG=True
+SITE_ID=1
+CERN_SSO_REGISTRATION_CLIENT_ID=
+CERN_SSO_REGISTRATION_CLIENT_SECRET=
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 54649af..43bca51 100644
--- a/.gitignore
+++ b/.gitignore
@@ -103,3 +103,8 @@ venv/
 node_modules/
 package.json
 package-lock.json
+
+
+*.crt
+*.key
+.env_*
diff --git a/home/templates/home/login.html b/home/templates/home/login.html
index a90eeec..524533a 100644
--- a/home/templates/home/login.html
+++ b/home/templates/home/login.html
@@ -19,7 +19,9 @@
 		border-color: #0033a0;
 	}
 
-	.btn-cern:hover, .btn-cern:active, .btn-cern:focus {
+	.btn-cern:hover,
+	.btn-cern:active,
+	.btn-cern:focus {
 		background-color: #0033a0;
 		border-color: #0033a0;
 	}
@@ -38,6 +40,7 @@
 		border-bottom-right-radius: 0;
 		border-bottom-left-radius: 0;
 	}
+
 	.form-signin input[type="password"] {
 		margin-bottom: 10px;
 		border-top-left-radius: 0;
@@ -51,8 +54,9 @@
 <div class="container-fluid">
 	{% if user.is_authenticated %}
 	<div class="alert-signed-in alert alert-primary col-4 mx-auto" role="alert">
-		<h3><i class="bi bi-emoji-smile mr-3"></i> You are already logged in, {% if user.first_name %}{{ user.first_name }}{% else %}{{user.username}}{% endif %}.</h3>
-		Click on any button above to continue. 
+		<h3><i class="bi bi-emoji-smile mr-3"></i> You are already logged in, {% if user.first_name %}{{ user.first_name
+			}}{% else %}{{user.username}}{% endif %}.</h3>
+		Click on any button above to continue.
 	</div>
 	{% else %}
 
@@ -64,7 +68,7 @@ <h4>Log in</h4>
 			{% if form.non_field_errors %}
 			<div class="alert alert-danger container-fluid">
 				{% for error in form.non_field_errors %}
-					<strong>{{ error|escape }}</strong>
+				<strong>{{ error|escape }}</strong>
 				{% endfor %}
 			</div>
 			{% endif %}
@@ -72,19 +76,21 @@ <h4>Log in</h4>
 			<!--{{ form.as_p }}-->
 
 			<div class="form-floating mt-1">
-				<input type="username" name="username" autofocus autocapitalize="none" autocomplete="username" required class="form-control" id="{{ form.username.id_for_label }}" placeholder="username">
+				<input type="username" name="username" autofocus autocapitalize="none" autocomplete="username" required
+					class="form-control" id="{{ form.username.id_for_label }}" placeholder="username">
 				<label for="{{ form.username.id_for_label }}">Username</label>
 			</div>
 			<div class="form-floating mb-3">
-				<input type="password" name="password" autocomplete="current-password" required class="form-control" id="{{ form.password.id_for_label }}" placeholder="password">
+				<input type="password" name="password" autocomplete="current-password" required class="form-control"
+					id="{{ form.password.id_for_label }}" placeholder="password">
 				<label for="{{ form.password.id_for_label }}">Password</label>
 			</div>
-			
+
 			<div class="d-grid gap-2">
-				<button class ="btn btn-primary" type="submit" name="submit">Log in</button>
+				<button class="btn btn-primary" type="submit" name="submit">Log in</button>
 			</div>
 		</form>
-		
+
 		<hr>
 
 		<form action="{% provider_login_url 'cern' %}" method="post">
@@ -92,7 +98,8 @@ <h4>Log in</h4>
 			<div class="d-grid">
 				<button class="btn btn-primary btn-cern" type="submit">
 					<div class="d-flex gap-2">
-						<img class="cern-svg" src="{% static 'img/LogoOutline-White.svg' %}" alt="CERN logo" style="height:3em;"/>
+						<img class="cern-svg" src="{% static 'img/LogoOutline-White.svg' %}" alt="CERN logo"
+							style="height:3em;" />
 						<div class="align-self-center">
 							<h6>Log in with CERN</h6>
 						</div>
@@ -100,27 +107,10 @@ <h6>Log in with CERN</h6>
 				</button>
 			</div>
 		</form>
-		<!-- Just in case we want to implement GitHub sign-in later. -->
-		<!--
-		<form action="{% provider_login_url 'github' %}" method="post">
-			{% csrf_token %}
-			<div class="d-grid">
-				<button class="btn btn-primary btn-dark" type="submit">
-					<div class="d-flex gap-2">
-						<svg xmlns="http://www.w3.org/2000/svg" width="3em" height="3em" fill="white" class="bi bi-github" viewBox="0 0 16 16">
-							<path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.012 8.012 0 0 0 16 8c0-4.42-3.58-8-8-8z"/>
-						</svg>
-						<div class="align-self-center">
-							<h6>Log in with GitHub</h6>
-						</div>
-					</div>
-				</button>
-			</div>
-		</form>
-		-->
+
 	</div>
 
 	{% endif %}
 </div>
 
-{% endblock content %}
+{% endblock content %}
\ No newline at end of file
diff --git a/mlp/settings.py b/mlp/settings.py
index 3bd46db..934c1fc 100644
--- a/mlp/settings.py
+++ b/mlp/settings.py
@@ -69,12 +69,9 @@
     "allauth",
     "allauth.account",
     "allauth.socialaccount",
-    "allauth.socialaccount.providers.cern",
-    "allauth.socialaccount.providers.github",
+    "allauth.socialaccount.providers.openid_connect",
 ]
 
-SITE_ID = 1
-
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
@@ -249,3 +246,33 @@
 SITE_ID = config("SITE_ID", default=1, cast=int)
 
 ACCOUNT_EMAIL_VERIFICATION = "none"
+
+SOCIALACCOUNT_PROVIDERS = {
+    "openid_connect": {
+        "SERVERS": [
+            {
+                "id": "cern",  # 30 characters or less
+                "name": "CERN",
+                "server_url": "https://auth.cern.ch/auth/realms/cern",
+                # Optional token endpoint authentication method.
+                # May be one of "client_secret_basic", "client_secret_post"
+                # If omitted, a method from the the server's
+                # token auth methods list is used
+                "token_auth_method": "client_secret_post",
+                "APP": {
+                    "client_id": config("CERN_SSO_REGISTRATION_CLIENT_ID"),
+                    "secret": config("CERN_SSO_REGISTRATION_CLIENT_SECRET"),
+                },
+            },
+        ]
+    }
+}
+
+# This is used to get the public key and decode access tokens
+# for users when they login. The URL can be found under the
+# jwks_uri key of the JSON pointed to by the server_url of
+# CERN's well-known config URL:
+# https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration
+CERN_SSO_JWKS_URI = (
+    "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs"
+)

From 224fa2c29d5cfc06320be45cf53ac5c3097b050e Mon Sep 17 00:00:00 2001
From: Dimitris Papagiannis <d.papag.a@gmail.com>
Date: Tue, 8 Aug 2023 12:40:01 +0200
Subject: [PATCH 2/2] Fix for HTTPS redirection

---
 mlp/settings.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mlp/settings.py b/mlp/settings.py
index 934c1fc..dcd0a66 100644
--- a/mlp/settings.py
+++ b/mlp/settings.py
@@ -276,3 +276,6 @@
 CERN_SSO_JWKS_URI = (
     "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs"
 )
+
+# Needed for redirections after logging in
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")