✨[maykinmedia/open-api-framework#23] OIDC setup configuration

requirements/base.in

@@ -27,3 +27,5 @@ drf-writable-nested
 notifications-api-common
 humanize
 drc-cmis
+
+mozilla-django-oidc-db[setupconfig]@git+https://github.com/maykinmedia/mozilla-django-oidc-db.git@9e2250fec6e87e510312bb6283f1aeb99db8196b

requirements/base.txt

@@ -181,8 +181,10 @@ django-rest-framework-condition==0.1.1
     # via commonground-api-common
 django-sendfile2==0.7.0
     # via django-privates
-django-setup-configuration==0.1.0
-    # via open-api-framework
+django-setup-configuration==0.3.0
+    # via
+    #   mozilla-django-oidc-db
+    #   open-api-framework
 django-simple-certmanager==1.3.0
     # via zgw-consumers
 django-sniplates==0.7.2
@@ -292,13 +294,15 @@ maykin-2fa==1.0.1
     # via open-api-framework
 mozilla-django-oidc==4.0.1
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.16.0
-    # via open-api-framework
+mozilla-django-oidc-db[setupconfig] @ git+https://github.com/maykinmedia/mozilla-django-oidc-db.git@9e2250fec6e87e510312bb6283f1aeb99db8196b
+    # via
+    #   -r requirements/base.in
+    #   open-api-framework
 notifications-api-common==0.2.2
     # via
     #   -r requirements/base.in
     #   commonground-api-common
-open-api-framework==0.5.0
+open-api-framework==0.6.0
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl
@@ -405,6 +409,7 @@ tornado==6.4
     # via flower
 typing-extensions==4.11.0
     # via
+    #   mozilla-django-oidc-db
     #   pydantic
     #   qrcode
 tzdata==2024.1

requirements/ci.txt

@@ -259,9 +259,10 @@ django-sendfile2==0.7.0
     # via
     #   -r requirements/base.txt
     #   django-privates
-django-setup-configuration==0.1.0
+django-setup-configuration==0.3.0
     # via
     #   -r requirements/base.txt
+    #   mozilla-django-oidc-db
     #   open-api-framework
 django-simple-certmanager==1.3.0
     # via
@@ -443,7 +444,7 @@ mozilla-django-oidc==4.0.1
     # via
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.16.0
+mozilla-django-oidc-db[setupconfig] @ git+https://github.com/maykinmedia/mozilla-django-oidc-db.git@9e2250fec6e87e510312bb6283f1aeb99db8196b
     # via
     #   -r requirements/base.txt
     #   open-api-framework
@@ -453,7 +454,7 @@ notifications-api-common==0.2.2
     # via
     #   -r requirements/base.txt
     #   commonground-api-common
-open-api-framework==0.5.0
+open-api-framework==0.6.0
     # via -r requirements/base.txt
 orderedmultidict==1.0.1
     # via
@@ -621,6 +622,7 @@ tornado==6.4
 typing-extensions==4.11.0
     # via
     #   -r requirements/base.txt
+    #   mozilla-django-oidc-db
     #   pydantic
     #   qrcode
 tzdata==2024.1

requirements/dev.txt

@@ -288,9 +288,10 @@ django-sendfile2==0.7.0
     # via
     #   -r requirements/ci.txt
     #   django-privates
-django-setup-configuration==0.1.0
+django-setup-configuration==0.3.0
     # via
     #   -r requirements/ci.txt
+    #   mozilla-django-oidc-db
     #   open-api-framework
 django-silk==4.3.0
     # via -r requirements/dev.in
@@ -503,7 +504,7 @@ mozilla-django-oidc==4.0.1
     # via
     #   -r requirements/ci.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.16.0
+mozilla-django-oidc-db[setupconfig] @ git+https://github.com/maykinmedia/mozilla-django-oidc-db.git@9e2250fec6e87e510312bb6283f1aeb99db8196b
     # via
     #   -r requirements/ci.txt
     #   open-api-framework
@@ -517,7 +518,7 @@ notifications-api-common==0.2.2
     #   commonground-api-common
 oauthlib==3.1.0
     # via requests-oauthlib
-open-api-framework==0.5.0
+open-api-framework==0.6.0
     # via -r requirements/ci.txt
 openshift==0.11.2
     # via -r requirements/../deployment/requirements.in
@@ -776,6 +777,7 @@ tornado==6.4
 typing-extensions==4.11.0
     # via
     #   -r requirements/ci.txt
+    #   mozilla-django-oidc-db
     #   pydantic
     #   qrcode
 tzdata==2024.1

src/openzaak/accounts/tests/test_oidc.py

@@ -53,7 +53,7 @@ def test_oidc_button_enabled(self):
 
 class AdminSessionRefreshMiddlewareTests(WebTest):
     @patch(
-        "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
+        "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
         return_value=OpenIDConnectConfig(
             enabled=True,
             oidc_op_authorization_endpoint="https://example.com/auth/",

src/openzaak/components/zaken/tests/test_auth.py

@@ -495,7 +495,7 @@ def setUpTestData(cls):
         cls.autorisatie.delete()
         # strip out some queries that we don't normally have to run
         cls.patcher = patch(
-            "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",
+            "mozilla_django_oidc_db.models.OpenIDConnectConfig.get_solo",
             return_value=OpenIDConnectConfig(enabled=False),
         )
 

src/openzaak/conf/includes/base.py

@@ -221,7 +221,9 @@
     "openzaak.config.bootstrap.notifications.NotificationsAPIConfigurationStep",
     "openzaak.config.bootstrap.selectielijst.SelectielijstAPIConfigurationStep",
     "openzaak.config.bootstrap.demo.DemoUserStep",
+    "mozilla_django_oidc_db.setupconfig.bootstrap.AdminOIDCConfigurationStep",
 ]
+OIDC_CALLBACK_CLASS = "mozilla_django_oidc_db.views.OIDCCallbackView"
 
 CELERY_BEAT_SCHEDULER = "django_celery_beat.schedulers:DatabaseScheduler"
 # Note that by default UTC times are used here (see `nowfun` kwarg)

src/openzaak/config/bootstrap/demo.py

@@ -4,7 +4,10 @@
 from django.urls import reverse
 
 import requests
-from django_setup_configuration.configuration import BaseConfigurationStep
+from django_setup_configuration.configuration import (
+    BaseConfigurationStep,
+    ConfigSettings,
+)
 from django_setup_configuration.exceptions import SelfTestFailed
 from vng_api_common.authorizations.models import Applicatie
 from vng_api_common.models import JWTSecret
@@ -26,8 +29,13 @@ class DemoUserStep(BaseConfigurationStep):
     # todo load permissions with yaml file and env var?
 
     verbose_name = "Demo User Configuration"
-    required_settings = ["DEMO_CLIENT_ID", "DEMO_SECRET", "OPENZAAK_DOMAIN"]
-    enable_setting = "DEMO_CONFIG_ENABLE"
+    config_settings = ConfigSettings(
+        enable_setting="DEMO_CONFIG_ENABLE",
+        display_name="Demo User Configuration",
+        namespace="DEMO",
+        update_fields=True,
+        required_settings=["DEMO_CLIENT_ID", "DEMO_SECRET", "OPENZAAK_DOMAIN"],
+    )
 
     def is_configured(self) -> bool:
         return (

src/openzaak/config/bootstrap/notifications.py

@@ -4,6 +4,7 @@
 from django.urls import reverse
 
 import requests
+from django_setup_configuration.config_settings import ConfigSettings
 from django_setup_configuration.configuration import BaseConfigurationStep
 from django_setup_configuration.exceptions import SelfTestFailed
 from notifications_api_common.constants import (
@@ -35,8 +36,14 @@ class AuthNotificationStep(BaseConfigurationStep):
     """
 
     verbose_name = "Notification Autorisaties API Configuration"
-    required_settings = ["NOTIF_OPENZAAK_CLIENT_ID", "NOTIF_OPENZAAK_SECRET"]
-    enable_setting = "NOTIF_OPENZAAK_CONFIG_ENABLE"
+
+    config_settings = ConfigSettings(
+        enable_setting="NOTIF_OPENZAAK_CONFIG_ENABLE",
+        display_name="Notification Autorisaties API Configuration",
+        namespace="NOTIF_OPENZAAK",
+        update_fields=True,
+        required_settings=["NOTIF_OPENZAAK_CLIENT_ID", "NOTIF_OPENZAAK_SECRET"],
+    )
 
     def is_configured(self) -> bool:
         return (
@@ -133,12 +140,17 @@ class NotificationsAPIConfigurationStep(BaseConfigurationStep):
     """
 
     verbose_name = "Notification API Configuration"
-    required_settings = [
-        "NOTIF_API_ROOT",
-        "OPENZAAK_NOTIF_CLIENT_ID",
-        "OPENZAAK_NOTIF_SECRET",
-    ]
-    enable_setting = "OPENZAAK_NOTIF_CONFIG_ENABLE"
+    config_settings = ConfigSettings(
+        enable_setting="OPENZAAK_NOTIF_CONFIG_ENABLE",
+        display_name="Notification API Configuration",
+        namespace="OPENZAAK_NOTIF",
+        update_fields=True,
+        required_settings=[
+            "NOTIF_API_ROOT",
+            "OPENZAAK_NOTIF_CLIENT_ID",
+            "OPENZAAK_NOTIF_SECRET",
+        ],
+    )
 
     def is_enabled(self) -> bool:
         result = super().is_enabled()

src/openzaak/config/bootstrap/selectielijst.py

@@ -3,6 +3,7 @@
 from django.conf import settings
 
 import requests
+from django_setup_configuration.config_settings import ConfigSettings
 from django_setup_configuration.configuration import BaseConfigurationStep
 from django_setup_configuration.exceptions import SelfTestFailed
 from zds_client import ClientError
@@ -25,7 +26,14 @@ class SelectielijstAPIConfigurationStep(BaseConfigurationStep):
     """
 
     verbose_name = "Selectielijst API Configuration"
-    enable_setting = "OPENZAAK_SELECTIELIJST_CONFIG_ENABLE"
+
+    config_settings = ConfigSettings(
+        enable_setting="OPENZAAK_SELECTIELIJST_CONFIG_ENABLE",
+        display_name="Selectielijst API Configuration",
+        namespace="OPENZAAK_SELECTIELIJST",
+        update_fields=True,
+        required_settings=[],
+    )
 
     def is_configured(self) -> bool:
         service = Service.objects.filter(api_root=settings.SELECTIELIJST_API_ROOT)

src/openzaak/config/bootstrap/site.py

@@ -5,6 +5,7 @@
 from django.urls import reverse
 
 import requests
+from django_setup_configuration.config_settings import ConfigSettings
 from django_setup_configuration.configuration import BaseConfigurationStep
 from django_setup_configuration.exceptions import SelfTestFailed
 
@@ -21,8 +22,13 @@ class SiteConfigurationStep(BaseConfigurationStep):
     """
 
     verbose_name = "Site Configuration"
-    required_settings = ["OPENZAAK_DOMAIN", "OPENZAAK_ORGANIZATION"]
-    enable_setting = "SITES_CONFIG_ENABLE"
+    config_settings = ConfigSettings(
+        enable_setting="SITES_CONFIG_ENABLE",
+        display_name="Site Configuration",
+        namespace="SITES_CONFIG",
+        update_fields=True,
+        required_settings=["OPENZAAK_DOMAIN", "OPENZAAK_ORGANIZATION"],
+    )
 
     def is_configured(self) -> bool:
         site = Site.objects.get_current()

src/openzaak/tests/management/test_setup_configuration.py

@@ -9,6 +9,8 @@
 import requests
 import requests_mock
 from jwt import decode
+from mozilla_django_oidc_db.models import OpenIDConnectConfig
+from mozilla_django_oidc_db.setupconfig.bootstrap import AdminOIDCConfigurationStep
 from notifications_api_common.models import NotificationsConfig
 from rest_framework import status
 from rest_framework.reverse import reverse
@@ -39,6 +41,13 @@
     DEMO_CONFIG_ENABLE=True,
     DEMO_CLIENT_ID="demo-client-id",
     DEMO_SECRET="demo-secret",
+    OIDC_DB_SETUP_CONFIG_ADMIN_AUTH={
+        "oidc_rp_client_id": "client-id",
+        "oidc_rp_client_secret": "secret",
+        "oidc_op_authorization_endpoint": f"https://oidc.example.com/protocol/openid-connect/auth",
+        "oidc_op_token_endpoint": f"https://oidc.example.com/protocol/openid-connect/token",
+        "oidc_op_user_endpoint": f"https://oidc.example.com/protocol/openid-connect/userinfo",
+    },
 )
 class SetupConfigurationTests(APITestCase):
     def setUp(self):
@@ -69,7 +78,7 @@ def test_setup_configuration_success(self, m):
                 "Configuration will be set up with following steps: "
                 f"[{SiteConfigurationStep()}, {AuthNotificationStep()}, "
                 f"{NotificationsAPIConfigurationStep()}, {SelectielijstAPIConfigurationStep()}, "
-                f"{DemoUserStep()}]",
+                f"{DemoUserStep()}, {AdminOIDCConfigurationStep()}]",
                 f"Configuring {SiteConfigurationStep()}...",
                 f"{SiteConfigurationStep()} is successfully configured",
                 f"Configuring {AuthNotificationStep()}...",
@@ -79,6 +88,8 @@ def test_setup_configuration_success(self, m):
                 f"Step {SelectielijstAPIConfigurationStep()} is skipped, because the configuration already exists.",
                 f"Configuring {DemoUserStep()}...",
                 f"{DemoUserStep()} is successfully configured",
+                f"Configuring {AdminOIDCConfigurationStep()}...",
+                f"{AdminOIDCConfigurationStep()} is successfully configured",
                 "Instance configuration completed.",
             ]
             self.assertEqual(command_output, expected_output)
@@ -124,6 +135,21 @@ def test_setup_configuration_success(self, m):
 
             self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+        with self.subTest("OpenID Connect configured correctly"):
+            config = OpenIDConnectConfig.get_solo()
+
+            self.assertEqual(config.oidc_rp_client_id, "client-id")
+            self.assertEqual(config.oidc_rp_client_secret, "secret")
+            self.assertEqual(
+                config.oidc_op_authorization_endpoint, "https://oidc.example.com/auth"
+            )
+            self.assertEqual(
+                config.oidc_op_user_endpoint, "https://oidc.example.com/user"
+            )
+            self.assertEqual(
+                config.oidc_op_token_endpoint, "https://oidc.example.com/token"
+            )
+
     @requests_mock.Mocker()
     def test_setup_configuration_selftest_fails(self, m):
         m.get("http://open-zaak.example.com/", exc=requests.ConnectionError)