EREGCSC-2448-End-EUA-Session (#1117)

* EREGCSC-2448-End-EUA-Session
Enterprise-CMCS · Jan 5, 2024 · a925bdf · a925bdf
1 parent ead0d40
commit a925bdf
Show file tree

Hide file tree

Showing 12 changed files with 120 additions and 13 deletions.
diff --git a/solution/backend/cmcs_regulations/settings/deploy.py b/solution/backend/cmcs_regulations/settings/deploy.py
@@ -51,10 +51,13 @@
 OIDC_OP_JWKS_ENDPOINT = os.environ.get("OIDC_OP_JWKS_ENDPOINT", None)
 OIDC_REDIRECT_URL = "/admin/oidc/callback/"
 OIDC_RP_SIGN_ALGO = 'RS256'
+OIDC_END_EUA_SESSION = os.environ.get("OIDC_END_EUA_SESSION", None)
+OIDC_OP_LOGOUT_URL_METHOD = 'regulations.logout.eua_logout'
+OIDC_STORE_ID_TOKEN = True
 LOGIN_REDIRECT_URL = '/admin/'
-LOGOUT_REDIRECT_URL = '/'
+LOGOUT_REDIRECT_URL = 'localhost:8000/admin'
 EUA_FEATUREFLAG = os.getenv('EUA_FEATUREFLAG', 'False').lower() == 'true'
 
 if re.match(r'^dev\d*$', STAGE_ENV) or STAGE_ENV == 'dev' or STAGE_ENV == 'val':
     LOGIN_REDIRECT_URL = f"/{STAGE_ENV}/admin/"
-    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/"
+    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/admin"
diff --git a/solution/backend/cmcs_regulations/settings/local.py b/solution/backend/cmcs_regulations/settings/local.py
@@ -63,9 +63,13 @@
 OIDC_REDIRECT_URL = "/admin/oidc/callback/"
 OIDC_RP_SIGN_ALGO = 'RS256'
 LOGIN_REDIRECT_URL = '/admin/'
-LOGOUT_REDIRECT_URL = '/'
+
+LOGOUT_REDIRECT_URL = 'http://localhost:8000/admin'
 EUA_FEATUREFLAG = os.getenv('EUA_FEATUREFLAG', 'False').lower() == 'true'
+OIDC_END_EUA_SESSION = os.environ.get("OIDC_END_EUA_SESSION", None)
+OIDC_OP_LOGOUT_URL_METHOD = 'regulations.logout.eua_logout'
+OIDC_STORE_ID_TOKEN = True
 
 if re.match(r'^dev\d*$', STAGE_ENV) or STAGE_ENV == 'dev' or STAGE_ENV == 'val':
     LOGIN_REDIRECT_URL = f"/{STAGE_ENV}/admin/"
-    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/"
+    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/admin/"
diff --git a/solution/backend/cmcs_regulations/settings/test_settings.py b/solution/backend/cmcs_regulations/settings/test_settings.py
@@ -29,15 +29,13 @@
 OIDC_REDIRECT_URL = "/admin/oidc/callback/"
 OIDC_RP_SIGN_ALGO = 'RS256'
 LOGIN_REDIRECT_URL = '/admin/'
-LOGOUT_REDIRECT_URL = '/'
+LOGOUT_REDIRECT_URL = '/logout'
+
 EUA_FEATUREFLAG = bool(os.getenv('EUA_FEATUREFLAG', 'False').lower() == 'true')
 
-if re.match(r'^dev\d*$', STAGE_ENV):
-    LOGIN_REDIRECT_URL = f"/{STAGE_ENV}/admin/"
-    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/"
-elif STAGE_ENV == 'dev' or STAGE_ENV == 'val':
+if re.match(r'^dev\d*$', STAGE_ENV) or STAGE_ENV == 'dev' or STAGE_ENV == 'val':
     LOGIN_REDIRECT_URL = f"/{STAGE_ENV}/admin/"
-    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/"
+    LOGOUT_REDIRECT_URL = f"/{STAGE_ENV}/logout"
 
 DATABASES = {
     'default': {

diff --git a/solution/backend/cmcs_regulations/templates/admin/base_site.html b/solution/backend/cmcs_regulations/templates/admin/base_site.html
@@ -0,0 +1,42 @@
+{% extends "admin/base_site.html" %}
+
+{% block extrahead %}
+    <style>
+    form#oidc_logout {
+        display: inline;
+        margin: 0;
+        padding: 0;
+        border: none;
+        background: none;
+        border-bottom: 1px solid rgba(255, 255, 255, 0.25);
+    }
+
+    /* Style the submit button to look like a link */
+    form#oidc_logout input[type="submit"] {
+      cursor: pointer;
+      border: none;
+      padding: 0;
+      font: inherit;
+      background: none;
+    }
+    </style>
+{% endblock %}
+{% block userlinks %}
+  <div id="user-tools">
+    {% if user.is_active and user.is_staff %}
+      <a href="/">View site</a> /
+     {%  if request.session.oidc_id_token  %}
+        <!-- OIDC Logout Form -->
+        <form id="oidc_logout" action="{% url 'oidc_logout' %}" method="post">
+          {% csrf_token %}
+          <input type="submit" value="LOGOUT">
+        </form>
+      {% else %}
+        <!-- Django Logout Link -->
+        <a href="{% url 'admin:logout' %}">Logout</a>
+      {% endif %}
+    {% else %}
+      <a href="{% url 'oidc_authentication_init' %}?next={{ request.path }}">Log in</a>
+    {% endif %}
+  </div>
+{% endblock %}
diff --git a/solution/backend/regulations/admin.py b/solution/backend/regulations/admin.py
@@ -7,7 +7,7 @@
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
 from django.db import transaction
-from django.http import HttpResponseRedirect
+from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import render
 from django.urls import path, reverse
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
@@ -20,6 +20,8 @@
     StatuteLinkConverter,
 )
 
+admin.site.logout_template = 'admin/logged_out.html'
+
 # Finds all HTML/XML tags for removal, e.g. "<a href="#">abc</a>" becomes "abc".
 MARKUP_PATTERN = r"</?[^>]+>"
 
@@ -82,6 +84,13 @@ def create_user(self, claims) -> User:
         jobcodes = claims.get("jobcodes")
 
         if jobcodes:
+            # Extract the id_token from the claims
+            id_token = claims.get("id_token")
+
+            # Set the id_token as a cookie
+            response = HttpResponse()
+            response.set_cookie('id_token', id_token)
+
             with transaction.atomic():
                 try:
                     user = User.objects.get(email=email)

diff --git a/solution/backend/regulations/logout.py b/solution/backend/regulations/logout.py
@@ -0,0 +1,19 @@
+from django.conf import settings
+
+
+def eua_logout(request):
+    id_token = request.session.get('oidc_id_token')
+    # get the domain url from the request and add /login to the end
+    logout_redirect_url = request.build_absolute_uri('/') + settings.STAGE_ENV + '/logout'
+
+    # In the local environment where there is no STAGE_ENV, handle the possibility of //logout
+    logout_redirect_url = logout_redirect_url.replace('//logout', '/logout')
+
+    if id_token is not None:
+        # Use the id_token as needed in the logout request...
+        logout_request = f'{settings.OIDC_END_EUA_SESSION}?' \
+                         f'id_token_hint={id_token}&post_logout_redirect_uri={logout_redirect_url}'
+        return logout_request
+    else:
+        # Handle the case where id_token is not available
+        return "id_token is not available in the user session."
diff --git a/solution/backend/regulations/templates/admin/registration/logged_out.html b/solution/backend/regulations/templates/admin/registration/logged_out.html
@@ -0,0 +1,12 @@
+{% extends 'admin/base_site.html' %}
+
+{% block content %}
+<div id="content" class="logout">
+    <h2>{% trans 'Logged out' %}</h2>
+    <p>{% trans "You have successfully logged out." %}</p>
+    <form action="{% url 'oidc_logout' %}" method="post">
+        {% csrf_token %}
+        <button type="submit">{% trans 'Log Out' %}</button>
+    </form>
+</div>
+{% endblock %}
diff --git a/solution/backend/regulations/templates/regulations/partials/login_indicator.html b/solution/backend/regulations/templates/regulations/partials/login_indicator.html
@@ -2,11 +2,19 @@
 <div id="loginIndicator">
     <span class="span__login-lamp span__login-lamp--success"></span>
     <span class="span__login-greeting">Hello, <b>{{ user.username }}</b>!</span>
-    <a id="logout" href="{% url 'logout' %}?next={{ request.path }}">Log Out</a>
+    {%  if request.session.oidc_id_token  %}
+        <!-- OIDC Logout Form -->
+        <form id="oidc_logout" action="{% url 'oidc_logout' %}" method="post">
+            {% csrf_token %}
+            <input type="submit" value="Log Out">
+        </form>
+    {% else %}
+        <a id="logout" href="{% url 'logout' %}?next={{ request.path }}">Log Out</a>
+    {% endif %}
 {% else %}
 <div id="loginIndicator" class="display-none">
     <span class="span__login-lamp span__login-lamp--error"></span>
     <span class="span__login-greeting">Hello, <b>Guest</b>!</span>
-    <a id="login" href="{% url 'login' %}?next={{ request.path }}">Log In</a>
+    <a id="login" href="{% url 'oidc_authentication_init' %}">Log In</a>
 {% endif %}
 </div>
diff --git a/solution/backend/regulations/urls.py b/solution/backend/regulations/urls.py
@@ -60,4 +60,5 @@
         })),
     ])),
     path('logout/', auth_views.LogoutView.as_view(), name='logout'),
+
 ]
diff --git a/solution/backend/serverless-experimental.yml b/solution/backend/serverless-experimental.yml
@@ -45,6 +45,7 @@ provider:
     OIDC_OP_AUTHORIZATION_ENDPOINT: ${ssm:/eregulations/oidc/authorization_endpoint}
     OIDC_OP_TOKEN_ENDPOINT: ${ssm:/eregulations/oidc/token_endpoint}
     OIDC_OP_USER_ENDPOINT: ${ssm:/eregulations/oidc/user_endpoint}
+    OIDC_END_EUA_SESSION: ${ssm:/eregulations/oidc/end_eua_session}
     DEPLOY_NUMBER: ${env:RUN_ID}
     EUA_FEATUREFLAG: ${ssm:/eregulations/eua/featureflag}
     BASIC_SEARCH_FILTER: ${ssm:/eregulations/basic_search_filter}

diff --git a/solution/backend/serverless.yml b/solution/backend/serverless.yml
@@ -46,6 +46,7 @@ provider:
     OIDC_OP_TOKEN_ENDPOINT: ${ssm:/eregulations/oidc/token_endpoint}
     OIDC_OP_JWKS_ENDPOINT: ${ssm:/eregulations/oidc/jwks_endpoint}
     OIDC_OP_USER_ENDPOINT: ${ssm:/eregulations/oidc/user_endpoint}
+    OIDC_END_EUA_SESSION: ${ssm:/eregulations/oidc/end_eua_session}
     BASIC_SEARCH_FILTER: ${ssm:/eregulations/basic_search_filter}
     QUOTED_SEARCH_FILTER: ${ssm:/eregulations/quoted_search_filter}
     EUA_FEATUREFLAG: ${ssm:/eregulations/eua/featureflag}

diff --git a/solution/ui/regulations/css/scss/_layout.scss b/solution/ui/regulations/css/scss/_layout.scss
@@ -179,6 +179,15 @@ footer {
             background-color: $mid_gray_3;
         }
     }
+
+    form#oidc_logout {
+        display: inline-block;
+        input[type="submit"] {
+            background-color: transparent !important;
+            text-decoration: underline;
+            color: #046791;
+        }
+    }
 }
 
 .invisible {
-Original file line number
+Diff line change
@@ Expand Up / @@ -60,4 +60,5 @@ @@
             })),
         ])),
         path('logout/', auth_views.LogoutView.as_view(), name='logout'),
     ]