✨(oidc) add django-oauth-toolkit w/ configuration

This allows to use `people` as an identity provider using OIDC and local users. This commit is partial, because it does not manage a way to create "local" users and the login page is the admin one, which can't be used for non staff users or login with email.
2025-01-14 11:43:42 +01:00
parent 8faa049046
commit db6cdadd72
30 changed files with 1505 additions and 38 deletions
--- a/src/backend/mailbox_manager/models.py
+++ b/src/backend/mailbox_manager/models.py
@@ -3,6 +3,7 @@ Declare and configure the models for the People additional application : mailbox
 """

 from django.conf import settings
+from django.contrib.auth.base_user import AbstractBaseUser
 from django.core import exceptions, validators
 from django.db import models
 from django.utils.text import slugify
@@ -94,6 +95,14 @@ class MailDomain(BaseModel):
            "manage_accesses": is_owner_or_admin,
        }

+    def is_identity_provider_ready(self) -> bool:
+        """
+        Check if the identity provider is ready to manage the domain.
+        """
+        return (
+            bool(self.organization) and self.status == MailDomainStatusChoices.ENABLED
+        )
+

 class MailDomainAccess(BaseModel):
    """Allow to manage users' accesses to mail domains."""
@@ -188,7 +197,7 @@ class MailDomainAccess(BaseModel):
        }


-class Mailbox(BaseModel):
+class Mailbox(AbstractBaseUser, BaseModel):
    """Mailboxes for users from mail domain."""

    first_name = models.CharField(max_length=200, blank=False)
@@ -216,6 +225,13 @@ class Mailbox(BaseModel):
        default=MailboxStatusChoices.PENDING,
    )

+    # Store the denormalized email address to allow Django admin to work (USERNAME_FIELD)
+    # This field *must* not be used for authentication (or anything sensitive),
+    # use the `local_part` and `domain__name` fields
+    dn_email = models.EmailField(_("email"), blank=True, unique=True, editable=False)
+
+    USERNAME_FIELD = "dn_email"
+
    class Meta:
        db_table = "people_mail_box"
        verbose_name = _("Mailbox")
@@ -241,9 +257,19 @@ class Mailbox(BaseModel):
        Override save function to not allow to create or update mailbox of a disabled domain.
        """
        self.full_clean()
+        self.dn_email = self.get_email()

        if self.domain.status == MailDomainStatusChoices.DISABLED:
            raise exceptions.ValidationError(
                _("You can't create or update a mailbox for a disabled domain.")
            )
        return super().save(*args, **kwargs)
+
+    @property
+    def is_active(self):
+        """Return True if the mailbox is enabled."""
+        return self.status == MailboxStatusChoices.ENABLED
+
+    def get_email(self):
+        """Return the email address of the mailbox."""
+        return f"{self.local_part}@{self.domain.name}"