✨(project) Django boilerplate

This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress.
The code has been cleaned to remove unnecessary Impress logic and dependencies.

Changes made:
- Removed Minio, WebRTC, and create bucket from the stack.
- Removed the Next.js frontend (it will be replaced by Vite).
- Cleaned up impress-specific backend logics.

The whole stack remains functional:
- All tests pass.
- Linter checks pass.
- Agent Connexion sources are already set-up.

Why clear out the code?

To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress
allowed us to quickly inherit its code quality tools and deployment configurations for staging,
pre-production, and production environments.

What’s broken?
- The tsclient is not functional anymore.
- Some make commands need to be fixed.
- Helm sources are outdated.
- Naming across the project sources are inconsistent (impress, visio, etc.)
- CI is not configured properly.

This list might be incomplete. Let's grind it.

src/backend/core/tests/authentication/test_backends.py

@@ -0,0 +1,101 @@
+"""Unit tests for the Authentication Backends."""
+
+from django.core.exceptions import SuspiciousOperation
+
+import pytest
+
+from core import models
+from core.authentication.backends import OIDCAuthenticationBackend
+from core.factories import UserFactory
+
+pytestmark = pytest.mark.django_db
+
+
+def test_authentication_getter_existing_user_no_email(
+    django_assert_num_queries, monkeypatch
+):
+    """
+    If an existing user matches the user's info sub, the user should be returned.
+    """
+
+    klass = OIDCAuthenticationBackend()
+    db_user = UserFactory()
+
+    def get_userinfo_mocked(*args):
+        return {"sub": db_user.sub}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    with django_assert_num_queries(1):
+        user = klass.get_or_create_user(
+            access_token="test-token", id_token=None, payload=None
+        )
+
+    assert user == db_user
+
+
+def test_authentication_getter_new_user_no_email(monkeypatch):
+    """
+    If no user matches the user's info sub, a user should be created.
+    User's info doesn't contain an email, created user's email should be empty.
+    """
+    klass = OIDCAuthenticationBackend()
+
+    def get_userinfo_mocked(*args):
+        return {"sub": "123"}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    user = klass.get_or_create_user(
+        access_token="test-token", id_token=None, payload=None
+    )
+
+    assert user.sub == "123"
+    assert user.email is None
+    assert user.password == "!"
+    assert models.User.objects.count() == 1
+
+
+def test_authentication_getter_new_user_with_email(monkeypatch):
+    """
+    If no user matches the user's info sub, a user should be created.
+    User's email and name should be set on the identity.
+    The "email" field on the User model should not be set as it is reserved for staff users.
+    """
+    klass = OIDCAuthenticationBackend()
+
+    email = "impress@example.com"
+
+    def get_userinfo_mocked(*args):
+        return {"sub": "123", "email": email, "first_name": "John", "last_name": "Doe"}
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    user = klass.get_or_create_user(
+        access_token="test-token", id_token=None, payload=None
+    )
+
+    assert user.sub == "123"
+    assert user.email == email
+    assert user.password == "!"
+    assert models.User.objects.count() == 1
+
+
+def test_models_oidc_user_getter_invalid_token(django_assert_num_queries, monkeypatch):
+    """The user's info doesn't contain a sub."""
+    klass = OIDCAuthenticationBackend()
+
+    def get_userinfo_mocked(*args):
+        return {
+            "test": "123",
+        }
+
+    monkeypatch.setattr(OIDCAuthenticationBackend, "get_userinfo", get_userinfo_mocked)
+
+    with django_assert_num_queries(0), pytest.raises(
+        SuspiciousOperation,
+        match="User info contained no recognizable user identification",
+    ):
+        klass.get_or_create_user(access_token="test-token", id_token=None, payload=None)
+
+    assert models.User.objects.exists() is False

src/backend/core/tests/authentication/test_urls.py

@@ -0,0 +1,10 @@
+"""Unit tests for the Authentication URLs."""
+
+from core.authentication.urls import urlpatterns
+
+
+def test_urls_override_default_mozilla_django_oidc():
+    """Custom URL patterns should override default ones from Mozilla Django OIDC."""
+
+    url_names = [u.name for u in urlpatterns]
+    assert url_names.index("oidc_logout_custom") < url_names.index("oidc_logout")

src/backend/core/tests/authentication/test_views.py

@@ -0,0 +1,231 @@
+"""Unit tests for the Authentication Views."""
+
+from unittest import mock
+from urllib.parse import parse_qs, urlparse
+
+from django.contrib.auth.models import AnonymousUser
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.core.exceptions import SuspiciousOperation
+from django.test import RequestFactory
+from django.test.utils import override_settings
+from django.urls import reverse
+from django.utils import crypto
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+from core.authentication.views import OIDCLogoutCallbackView, OIDCLogoutView
+
+pytestmark = pytest.mark.django_db
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
+def test_view_logout_anonymous():
+    """Anonymous users calling the logout url,
+    should be redirected to the specified LOGOUT_REDIRECT_URL."""
+
+    url = reverse("oidc_logout_custom")
+    response = APIClient().get(url)
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"
+
+
+@mock.patch.object(
+    OIDCLogoutView, "construct_oidc_logout_url", return_value="/example-logout"
+)
+def test_view_logout(mocked_oidc_logout_url):
+    """Authenticated users should be redirected to OIDC provider for logout."""
+
+    user = factories.UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    url = reverse("oidc_logout_custom")
+    response = client.get(url)
+
+    mocked_oidc_logout_url.assert_called_once()
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/default-redirect-logout")
+@mock.patch.object(
+    OIDCLogoutView, "construct_oidc_logout_url", return_value="/default-redirect-logout"
+)
+def test_view_logout_no_oidc_provider(mocked_oidc_logout_url):
+    """Authenticated users should be logged out when no OIDC provider is available."""
+
+    user = factories.UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    url = reverse("oidc_logout_custom")
+
+    with mock.patch("mozilla_django_oidc.views.auth.logout") as mock_logout:
+        response = client.get(url)
+        mocked_oidc_logout_url.assert_called_once()
+        mock_logout.assert_called_once()
+
+    assert response.status_code == 302
+    assert response.url == "/default-redirect-logout"
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
+def test_view_logout_callback_anonymous():
+    """Anonymous users calling the logout callback url,
+    should be redirected to the specified LOGOUT_REDIRECT_URL."""
+
+    url = reverse("oidc_logout_callback")
+    response = APIClient().get(url)
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"
+
+
+@pytest.mark.parametrize(
+    "initial_oidc_states",
+    [{}, {"other_state": "foo"}],
+)
+def test_view_logout_persist_state(initial_oidc_states):
+    """State value should be persisted in session's data."""
+
+    user = factories.UserFactory()
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    if initial_oidc_states:
+        request.session["oidc_states"] = initial_oidc_states
+        request.session.save()
+
+    mocked_state = "mock_state"
+
+    OIDCLogoutView().persist_state(request, mocked_state)
+
+    assert "oidc_states" in request.session
+    assert request.session["oidc_states"] == {
+        "mock_state": {},
+        **initial_oidc_states,
+    }
+
+
+@override_settings(OIDC_OP_LOGOUT_ENDPOINT="/example-logout")
+@mock.patch.object(OIDCLogoutView, "persist_state")
+@mock.patch.object(crypto, "get_random_string", return_value="mocked_state")
+def test_view_logout_construct_oidc_logout_url(
+    mocked_get_random_string, mocked_persist_state
+):
+    """Should construct the logout URL to initiate the logout flow with the OIDC provider."""
+
+    user = factories.UserFactory()
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    request.session["oidc_id_token"] = "mocked_oidc_id_token"
+    request.session.save()
+
+    redirect_url = OIDCLogoutView().construct_oidc_logout_url(request)
+
+    mocked_persist_state.assert_called_once()
+    mocked_get_random_string.assert_called_once()
+
+    params = parse_qs(urlparse(redirect_url).query)
+
+    assert params["id_token_hint"][0] == "mocked_oidc_id_token"
+    assert params["state"][0] == "mocked_state"
+
+    url = reverse("oidc_logout_callback")
+    assert url in params["post_logout_redirect_uri"][0]
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/")
+def test_view_logout_construct_oidc_logout_url_none_id_token():
+    """If no ID token is available in the session,
+    the user should be redirected to the final URL."""
+
+    user = factories.UserFactory()
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    redirect_url = OIDCLogoutView().construct_oidc_logout_url(request)
+
+    assert redirect_url == "/"
+
+
+@pytest.mark.parametrize(
+    "initial_state",
+    [None, {"other_state": "foo"}],
+)
+def test_view_logout_callback_wrong_state(initial_state):
+    """Should raise an error if OIDC state doesn't match session data."""
+
+    user = factories.UserFactory()
+
+    request = RequestFactory().request()
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    if initial_state:
+        request.session["oidc_states"] = initial_state
+        request.session.save()
+
+    callback_view = OIDCLogoutCallbackView.as_view()
+
+    with pytest.raises(SuspiciousOperation) as excinfo:
+        callback_view(request)
+
+    assert (
+        str(excinfo.value) == "OIDC callback state not found in session `oidc_states`!"
+    )
+
+
+@override_settings(LOGOUT_REDIRECT_URL="/example-logout")
+def test_view_logout_callback():
+    """If state matches, callback should clear OIDC state and redirects."""
+
+    user = factories.UserFactory()
+
+    request = RequestFactory().get("/logout-callback/", data={"state": "mocked_state"})
+    request.user = user
+
+    middleware = SessionMiddleware(get_response=lambda x: x)
+    middleware.process_request(request)
+
+    mocked_state = "mocked_state"
+
+    request.session["oidc_states"] = {mocked_state: {}}
+    request.session.save()
+
+    callback_view = OIDCLogoutCallbackView.as_view()
+
+    with mock.patch("mozilla_django_oidc.views.auth.logout") as mock_logout:
+
+        def clear_user(request):
+            # Assert state is cleared prior to logout
+            assert request.session["oidc_states"] == {}
+            request.user = AnonymousUser()
+
+        mock_logout.side_effect = clear_user
+        response = callback_view(request)
+        mock_logout.assert_called_once()
+
+    assert response.status_code == 302
+    assert response.url == "/example-logout"