🚧 [#1471] Splitting DigiD/DigiD machtigen config models

src/digid_eherkenning_oidc_generics/admin.py

@@ -4,8 +4,16 @@
 from django_better_admin_arrayfield.admin.mixins import DynamicArrayMixin
 from solo.admin import SingletonModelAdmin
 
-from .forms import OpenIDConnectEHerkenningConfigForm, OpenIDConnectPublicConfigForm
-from .models import OpenIDConnectEHerkenningConfig, OpenIDConnectPublicConfig
+from .forms import (
+    OpenIDConnectDigiDMachtigenConfigForm,
+    OpenIDConnectEHerkenningConfigForm,
+    OpenIDConnectPublicConfigForm,
+)
+from .models import (
+    OpenIDConnectDigiDMachtigenConfig,
+    OpenIDConnectEHerkenningConfig,
+    OpenIDConnectPublicConfig,
+)
 
 
 class OpenIDConnectConfigBaseAdmin(DynamicArrayMixin, SingletonModelAdmin):
@@ -52,3 +60,50 @@ class OpenIDConnectConfigDigiDAdmin(OpenIDConnectConfigBaseAdmin):
 @admin.register(OpenIDConnectEHerkenningConfig)
 class OpenIDConnectConfigEHerkenningAdmin(OpenIDConnectConfigBaseAdmin):
     form = OpenIDConnectEHerkenningConfigForm
+
+
+@admin.register(OpenIDConnectDigiDMachtigenConfig)
+class OpenIDConnectConfigDigiDMachtigenAdmin(DynamicArrayMixin, SingletonModelAdmin):
+    form = OpenIDConnectDigiDMachtigenConfigForm
+
+    fieldsets = (
+        (
+            _("Activation"),
+            {"fields": ("enabled",)},
+        ),
+        (
+            _("Common settings"),
+            {
+                "fields": (
+                    "oidc_rp_client_id",
+                    "oidc_rp_client_secret",
+                    "oidc_rp_scopes_list",
+                    "oidc_rp_sign_algo",
+                    "oidc_rp_idp_sign_key",
+                )
+            },
+        ),
+        (
+            _("Attributes to extract from claim"),
+            {
+                "fields": (
+                    "vertegenwoordigde_claim_name",
+                    "gemachtigde_claim_name",
+                )
+            },
+        ),
+        (
+            _("Endpoints"),
+            {
+                "fields": (
+                    "oidc_op_discovery_endpoint",
+                    "oidc_op_jwks_endpoint",
+                    "oidc_op_authorization_endpoint",
+                    "oidc_op_token_endpoint",
+                    "oidc_op_user_endpoint",
+                    "oidc_op_logout_endpoint",
+                )
+            },
+        ),
+        (_("Keycloak specific settings"), {"fields": ("oidc_keycloak_idp_hint",)}),
+    )

src/digid_eherkenning_oidc_generics/digid_machtigen_settings.py

@@ -0,0 +1,2 @@
+DIGID_MACHTIGEN_CUSTOM_OIDC_DB_PREFIX = "digid_machtigen_oidc"
+OIDC_AUTHENTICATION_CALLBACK_URL = "digid_machtigen_oidc:callback"

src/digid_eherkenning_oidc_generics/forms.py

@@ -8,7 +8,11 @@
 
 from openforms.forms.models import Form
 
-from .models import OpenIDConnectEHerkenningConfig, OpenIDConnectPublicConfig
+from .models import (
+    OpenIDConnectDigiDMachtigenConfig,
+    OpenIDConnectEHerkenningConfig,
+    OpenIDConnectPublicConfig,
+)
 
 OIDC_MAPPING = deepcopy(_OIDC_MAPPING)
 
@@ -58,3 +62,11 @@ class OpenIDConnectEHerkenningConfigForm(OpenIDConnectBaseConfigForm):
     class Meta:
         model = OpenIDConnectEHerkenningConfig
         fields = "__all__"
+
+
+class OpenIDConnectDigiDMachtigenConfigForm(OpenIDConnectBaseConfigForm):
+    plugin_identifier = "digid_machtigen_oidc"
+
+    class Meta:
+        model = OpenIDConnectDigiDMachtigenConfig
+        fields = "__all__"

src/digid_eherkenning_oidc_generics/migrations/0002_openidconnectdigidmachtigenconfig.py

@@ -0,0 +1,167 @@
+# Generated by Django 3.2.12 on 2022-03-31 12:45
+
+import digid_eherkenning_oidc_generics.models
+from django.db import migrations, models
+import django_better_admin_arrayfield.models.fields
+import mozilla_django_oidc_db.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("digid_eherkenning_oidc_generics", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="OpenIDConnectDigiDMachtigenConfig",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "enabled",
+                    models.BooleanField(
+                        default=False,
+                        help_text="Indicates whether OpenID Connect for authentication/authorization is enabled",
+                        verbose_name="enable",
+                    ),
+                ),
+                (
+                    "oidc_rp_client_id",
+                    models.CharField(
+                        help_text="OpenID Connect client ID provided by the OIDC Provider",
+                        max_length=1000,
+                        verbose_name="OpenID Connect client ID",
+                    ),
+                ),
+                (
+                    "oidc_rp_client_secret",
+                    models.CharField(
+                        help_text="OpenID Connect secret provided by the OIDC Provider",
+                        max_length=1000,
+                        verbose_name="OpenID Connect secret",
+                    ),
+                ),
+                (
+                    "oidc_rp_sign_algo",
+                    models.CharField(
+                        default="HS256",
+                        help_text="Algorithm the Identity Provider uses to sign ID tokens",
+                        max_length=50,
+                        verbose_name="OpenID sign algorithm",
+                    ),
+                ),
+                (
+                    "oidc_op_discovery_endpoint",
+                    models.URLField(
+                        blank=True,
+                        help_text="URL of your OpenID Connect provider discovery endpoint ending with a slash (`.well-known/...` will be added automatically). If this is provided, the remaining endpoints can be omitted, as they will be derived from this endpoint.",
+                        max_length=1000,
+                        verbose_name="Discovery endpoint",
+                    ),
+                ),
+                (
+                    "oidc_op_jwks_endpoint",
+                    models.URLField(
+                        blank=True,
+                        help_text="URL of your OpenID Connect provider JSON Web Key Set endpoint. Required if `RS256` is used as signing algorithm",
+                        max_length=1000,
+                        verbose_name="JSON Web Key Set endpoint",
+                    ),
+                ),
+                (
+                    "oidc_op_authorization_endpoint",
+                    models.URLField(
+                        help_text="URL of your OpenID Connect provider authorization endpoint",
+                        max_length=1000,
+                        verbose_name="Authorization endpoint",
+                    ),
+                ),
+                (
+                    "oidc_op_token_endpoint",
+                    models.URLField(
+                        help_text="URL of your OpenID Connect provider token endpoint",
+                        max_length=1000,
+                        verbose_name="Token endpoint",
+                    ),
+                ),
+                (
+                    "oidc_op_user_endpoint",
+                    models.URLField(
+                        help_text="URL of your OpenID Connect provider userinfo endpoint",
+                        max_length=1000,
+                        verbose_name="User endpoint",
+                    ),
+                ),
+                (
+                    "oidc_rp_idp_sign_key",
+                    models.CharField(
+                        blank=True,
+                        help_text="Key the Identity Provider uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format",
+                        max_length=1000,
+                        verbose_name="Sign key",
+                    ),
+                ),
+                (
+                    "oidc_op_logout_endpoint",
+                    models.URLField(
+                        blank=True,
+                        help_text="URL of your OpenID Connect provider logout endpoint",
+                        max_length=1000,
+                        verbose_name="Logout endpoint",
+                    ),
+                ),
+                (
+                    "oidc_keycloak_idp_hint",
+                    models.CharField(
+                        blank=True,
+                        help_text="Specific for Keycloak: parameter that indicates which identity provider should be used (therefore skipping the Keycloak login screen).",
+                        max_length=1000,
+                        verbose_name="Keycloak Identity Provider hint",
+                    ),
+                ),
+                (
+                    "vertegenwoordigde_claim_name",
+                    models.CharField(
+                        default="aanvrager.bsn",
+                        help_text="Name of the claim in which the BSN of the person being represented is stored",
+                        max_length=50,
+                        verbose_name="vertegenwoordigde claim name",
+                    ),
+                ),
+                (
+                    "gemachtigde_claim_name",
+                    models.CharField(
+                        default="gemachtigde.bsn",
+                        help_text="Name of the claim in which the BSN of the person representing someone else is stored",
+                        max_length=50,
+                        verbose_name="gemachtigde claim name",
+                    ),
+                ),
+                (
+                    "oidc_rp_scopes_list",
+                    django_better_admin_arrayfield.models.fields.ArrayField(
+                        base_field=models.CharField(
+                            max_length=50, verbose_name="OpenID Connect scope"
+                        ),
+                        blank=True,
+                        default=digid_eherkenning_oidc_generics.models.get_default_scopes_bsn,
+                        help_text="OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider",
+                        size=None,
+                        verbose_name="OpenID Connect scopes",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "OpenID Connect configuration for DigiD Machtigen",
+            },
+            bases=(mozilla_django_oidc_db.models.CachingMixin, models.Model),
+        ),
+    ]

src/digid_eherkenning_oidc_generics/mixins.py

@@ -1,24 +1,36 @@
-from mozilla_django_oidc_db.mixins import SoloConfigMixin
+from mozilla_django_oidc_db.mixins import SoloConfigMixin as _SoloConfigMixin
 
+import digid_eherkenning_oidc_generics.digid_machtigen_settings as digid_machtigen_settings
 import digid_eherkenning_oidc_generics.digid_settings as digid_settings
 import digid_eherkenning_oidc_generics.eherkenning_settings as eherkenning_settings
 
-from .models import OpenIDConnectEHerkenningConfig, OpenIDConnectPublicConfig
+from .models import (
+    OpenIDConnectDigiDMachtigenConfig,
+    OpenIDConnectEHerkenningConfig,
+    OpenIDConnectPublicConfig,
+)
 
 
-class SoloConfigDigiDMixin(SoloConfigMixin):
-    config_class = OpenIDConnectPublicConfig
+class SoloConfigMixin(_SoloConfigMixin):
+    config_class = ""
+    settings_attribute = None
 
     def get_settings(self, attr, *args):
-        if hasattr(digid_settings, attr):
-            return getattr(digid_settings, attr)
+        if hasattr(self.settings_attribute, attr):
+            return getattr(self.settings_attribute, attr)
         return super().get_settings(attr, *args)
 
 
+class SoloConfigDigiDMixin(SoloConfigMixin):
+    config_class = OpenIDConnectPublicConfig
+    settings_attribute = digid_settings
+
+
 class SoloConfigEHerkenningMixin(SoloConfigMixin):
     config_class = OpenIDConnectEHerkenningConfig
+    settings_attribute = eherkenning_settings
 
-    def get_settings(self, attr, *args):
-        if hasattr(eherkenning_settings, attr):
-            return getattr(eherkenning_settings, attr)
-        return super().get_settings(attr, *args)
+
+class SoloConfigDigiDMachtigenMixin(SoloConfigMixin):
+    config_class = OpenIDConnectDigiDMachtigenConfig
+    settings_attribute = digid_machtigen_settings

src/digid_eherkenning_oidc_generics/models.py

@@ -7,6 +7,7 @@
 
 from openforms.authentication.constants import AuthAttribute
 
+from .digid_machtigen_settings import DIGID_MACHTIGEN_CUSTOM_OIDC_DB_PREFIX
 from .digid_settings import DIGID_CUSTOM_OIDC_DB_PREFIX
 from .eherkenning_settings import EHERKENNING_CUSTOM_OIDC_DB_PREFIX
 
@@ -74,6 +75,16 @@ class OpenIDConnectPublicConfig(OpenIDConnectBaseConfig):
             "These scopes are hardcoded and must be supported by the identity provider"
         ),
     )
+
+    @classproperty
+    def custom_oidc_db_prefix(cls):
+        return DIGID_CUSTOM_OIDC_DB_PREFIX
+
+    class Meta:
+        verbose_name = _("OpenID Connect configuration for DigiD")
+
+
+class OpenIDConnectDigiDMachtigenConfig(OpenIDConnectBaseConfig):
     vertegenwoordigde_claim_name = models.CharField(
         verbose_name=_("vertegenwoordigde claim name"),
         default="aanvrager.bsn",
@@ -90,13 +101,23 @@ class OpenIDConnectPublicConfig(OpenIDConnectBaseConfig):
             "Name of the claim in which the BSN of the person representing someone else is stored"
         ),
     )
+    oidc_rp_scopes_list = ArrayField(
+        verbose_name=_("OpenID Connect scopes"),
+        base_field=models.CharField(_("OpenID Connect scope"), max_length=50),
+        default=get_default_scopes_bsn,
+        blank=True,
+        help_text=_(
+            "OpenID Connect scopes that are requested during login. "
+            "These scopes are hardcoded and must be supported by the identity provider"
+        ),
+    )
 
     @classproperty
     def custom_oidc_db_prefix(cls):
-        return DIGID_CUSTOM_OIDC_DB_PREFIX
+        return DIGID_MACHTIGEN_CUSTOM_OIDC_DB_PREFIX
 
     class Meta:
-        verbose_name = _("OpenID Connect configuration for DigiD")
+        verbose_name = _("OpenID Connect configuration for DigiD Machtigen")
 
 
 class OpenIDConnectEHerkenningConfig(OpenIDConnectBaseConfig):