OpenID Connect SSO using Pirates app

majak/settings/base.py

@@ -15,6 +15,7 @@ INSTALLED_APPS = [
     "search",
     "senator",
     "pirates",
+    "users",
     "wagtail.contrib.forms",
     "wagtail.contrib.redirects",
     "wagtail.contrib.modeladmin",
@@ -139,6 +140,15 @@ WAGTAIL_ALLOW_UNICODE_SLUGS = False
 
 TAGGIT_CASE_INSENSITIVE = True
 
+AUTH_USER_MODEL = "users.User"
+
+WAGTAIL_USER_EDIT_FORM = "users.forms.UserEditForm"
+WAGTAIL_USER_CREATION_FORM = "users.forms.UserCreationForm"
+WAGTAIL_PASSWORD_MANAGEMENT_ENABLED = False
+WAGTAIL_PASSWORD_RESET_ENABLED = False
+WAGTAILUSERS_PASSWORD_ENABLED = False
+WAGTAILUSERS_PASSWORD_REQUIRED = False
+WAGTAIL_EMAIL_MANAGEMENT_ENABLED = False
 
 AUTHENTICATION_BACKENDS = ["pirates.auth.PiratesOIDCAuthenticationBackend"]
 
@@ -150,3 +160,7 @@ OIDC_OP_JWKS_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/certs")
 OIDC_OP_AUTHORIZATION_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/auth")
 OIDC_OP_TOKEN_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/token")
 OIDC_OP_USER_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/userinfo")
+
+LOGIN_REDIRECT_URL = "/admin"
+LOGOUT_REDIRECT_URL = "/admin"
+LOGIN_URL = "/admin"

requirements/base.in

@@ -3,4 +3,4 @@ wagtailmenus
 django-environ
 django-extensions
 psycopg2-binary
-git+https://gitlab.pirati.cz/to/pirates@v0.2.0
+git+https://gitlab.pirati.cz/to/pirates@v0.2.1

requirements/base.txt

@@ -25,7 +25,7 @@ josepy==1.3.0             # via mozilla-django-oidc
 l18n==2018.5              # via wagtail
 mozilla-django-oidc==1.2.3  # via pirates
 pillow==6.2.2             # via wagtail
-git+https://gitlab.pirati.cz/to/pirates@v0.2.0  # via -r base.in
+git+https://gitlab.pirati.cz/to/pirates@v0.2.1  # via -r base.in
 psycopg2-binary==2.8.5    # via -r base.in
 pyasn1-modules==0.2.8     # via python-ldap
 pyasn1==0.4.8             # via pyasn1-modules, python-ldap

users/apps.py

+from django.apps import AppConfig
+
+
+class UsersConfig(AppConfig):
+    name = "users"

users/forms.py

+from django import forms
+from django.contrib.auth import get_user_model
+
+
+class UserCreationForm(forms.ModelForm):
+    class Meta:
+        model = get_user_model()
+
+
+class UserEditForm(forms.ModelForm):
+    class Meta:
+        model = get_user_model()

users/migrations/0001_initial.py

+# Generated by Django 3.0.5 on 2020-05-04 16:02
+
+import django.utils.timezone
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("auth", "0011_update_proxy_permissions"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="User",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "is_superuser",
+                    models.BooleanField(
+                        default=False,
+                        help_text="Designates that this user has all permissions without explicitly assigning them.",
+                        verbose_name="superuser status",
+                    ),
+                ),
+                (
+                    "sso_id",
+                    models.CharField(
+                        error_messages={
+                            "unique": "A user with that SSO ID already exists."
+                        },
+                        max_length=150,
+                        unique=True,
+                        verbose_name="SSO ID",
+                    ),
+                ),
+                (
+                    "first_name",
+                    models.CharField(
+                        blank=True, max_length=150, verbose_name="first name"
+                    ),
+                ),
+                (
+                    "last_name",
+                    models.CharField(
+                        blank=True, max_length=150, verbose_name="last name"
+                    ),
+                ),
+                (
+                    "email",
+                    models.EmailField(
+                        blank=True, max_length=254, verbose_name="email address"
+                    ),
+                ),
+                (
+                    "is_staff",
+                    models.BooleanField(
+                        default=False,
+                        help_text="Designates whether the user can log into this admin site.",
+                        verbose_name="staff status",
+                    ),
+                ),
+                (
+                    "is_active",
+                    models.BooleanField(
+                        default=True,
+                        help_text="Designates whether this user should be treated as active. Unselect this instead of deleting accounts.",
+                        verbose_name="active",
+                    ),
+                ),
+                (
+                    "date_joined",
+                    models.DateTimeField(
+                        default=django.utils.timezone.now, verbose_name="date joined"
+                    ),
+                ),
+                (
+                    "groups",
+                    models.ManyToManyField(
+                        blank=True,
+                        help_text="The groups this user belongs to. A user will get all permissions granted to each of their groups.",
+                        related_name="user_set",
+                        related_query_name="user",
+                        to="auth.Group",
+                        verbose_name="groups",
+                    ),
+                ),
+                (
+                    "user_permissions",
+                    models.ManyToManyField(
+                        blank=True,
+                        help_text="Specific permissions for this user.",
+                        related_name="user_set",
+                        related_query_name="user",
+                        to="auth.Permission",
+                        verbose_name="user permissions",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "user",
+                "verbose_name_plural": "users",
+                "abstract": False,
+            },
+        ),
+    ]

users/models.py

+from pirates.models import AbstractUser
+
+
+class User(AbstractUser):
+    def get_username(self):
+        """Used in wagtail templates"""
+        return self.email or self.sso_id

users/templates/wagtailadmin/login.html

+{% extends "wagtailadmin/login.html" %}
+
+{% block login_form %}
+    <h1>Redakční systém Maják</h1>
+    <a class="button" href="{% url 'oidc_authentication_init' %}">Přihlásit se Pirátskou identitou</a>
+{% endblock %}