Merge pull request #23154 from edx/diana/move-trusted-applications

Use DOT for creating new sites instead of DOP.

openedx/core/djangoapps/theming/management/commands/create_sites_and_configurations.py

@@ -12,11 +12,10 @@ from textwrap import dedent
 from django.contrib.auth.models import User
 from django.contrib.sites.models import Site
 from django.core.management.base import BaseCommand
-from edx_oauth2_provider.models import TrustedClient
-from provider.constants import CONFIDENTIAL
-from provider.oauth2.models import Client
+from oauth2_provider.models import Application
 
 from lms.djangoapps.commerce.models import CommerceConfiguration
+from openedx.core.djangoapps.oauth_dispatch.models import ApplicationAccess
 from openedx.core.djangoapps.site_configuration.models import SiteConfiguration
 from openedx.core.djangoapps.theming.models import SiteTheme
 from student.models import UserProfile
@@ -36,10 +35,10 @@ class Command(BaseCommand):
     theme_path = None
     ecommerce_user = None
     ecommerce_base_url_fmt = None
-    ecommerce_oidc_url = None
+    ecommerce_oauth_complete_url = None
     discovery_user = None
     discovery_base_url_fmt = None
-    discovery_oidc_url = None
+    discovery_oauth_complete_url = None
 
     configuration_filename = None
 
@@ -75,26 +74,31 @@ class Command(BaseCommand):
             service_name=service_name,
             site_name="" if site_name == "edx" else "-{}".format(site_name)
         )
-        client, created = Client.objects.update_or_create(
+        app, _ = Application.objects.update_or_create(
             client_id=client_id,
             defaults={
                 "user": service_user,
-                "name": "{site_name}_{service_name}_client".format(
+                "name": "{service_name}-sso-{site_name}".format(
                     site_name=site_name,
                     service_name=service_name,
                 ),
-                "url": url,
                 "client_secret": "{service_name}-secret".format(
                     service_name=service_name
                 ),
-                "client_type": CONFIDENTIAL,
-                "redirect_uri": "{url}complete/edx-oidc/".format(url=url),
-                "logout_uri": "{url}logout/".format(url=url)
+                "client_type": Application.CLIENT_CONFIDENTIAL,
+                "authorization_grant_type": Application.GRANT_AUTHORIZATION_CODE,
+                "redirect_uris": "{url}complete/edx-oauth2/".format(url=url),
+                "skip_authorization": True,
             }
         )
-        if created:
-            LOG.info(u"Adding {client} oauth2 client as trusted client".format(client=client.name))
-            TrustedClient.objects.get_or_create(client=client)
+
+        access = ApplicationAccess.objects.filter(application_id=app.id).first()
+        default_scopes = 'user_id'
+        if access:
+            access.scopes = default_scopes
+            access.save()
+        else:
+            ApplicationAccess.objects.create(application_id=app.id, scopes=default_scopes)
 
     def _create_sites(self, site_domain, theme_dir_name, site_configuration):
         """
@@ -143,14 +147,14 @@ class Command(BaseCommand):
         These two clients are being created by default without service
         users so we have to associate the service users to them.
         """
-        ecommerce_queryset = Client.objects.filter(redirect_uri=self.ecommerce_oidc_url)
+        ecommerce_queryset = Application.objects.filter(redirect_uris=self.ecommerce_oauth_complete_url)
 
         if ecommerce_queryset:
             ecommerce_client = ecommerce_queryset[0]
             ecommerce_client.user = self.ecommerce_user
             ecommerce_client.save()
 
-        discovery_queryset = Client.objects.filter(redirect_uri=self.discovery_oidc_url)
+        discovery_queryset = Application.objects.filter(redirect_uris=self.discovery_oauth_complete_url)
         if discovery_queryset:
             discovery_client = discovery_queryset[0]
             discovery_client.user = self.discovery_user
@@ -210,15 +214,23 @@ class Command(BaseCommand):
 
         if options['devstack']:
             configuration_prefix = "devstack"
-            self.discovery_oidc_url = "http://discovery-{}.e2e.devstack:18381/complete/edx-oidc/".format(self.dns_name)
+            self.discovery_oauth_complete_url = "http://discovery-{}.e2e.devstack:18381/complete/edx-oauth2/".format(
+                self.dns_name
+            )
             self.discovery_base_url_fmt = "http://discovery-{site_domain}:18381/"
-            self.ecommerce_oidc_url = "http://ecommerce-{}.e2e.devstack:18130/complete/edx-oidc/".format(self.dns_name)
+            self.ecommerce_oauth_complete_url = "http://ecommerce-{}.e2e.devstack:18130/complete/edx-oauth2/".format(
+                self.dns_name
+            )
             self.ecommerce_base_url_fmt = "http://ecommerce-{site_domain}:18130/"
         else:
             configuration_prefix = "sandbox"
-            self.discovery_oidc_url = "https://discovery-{}.sandbox.edx.org/complete/edx-oidc/".format(self.dns_name)
+            self.discovery_oauth_complete_url = "https://discovery-{}.sandbox.edx.org/complete/edx-oauth2/".format(
+                self.dns_name
+            )
             self.discovery_base_url_fmt = "https://discovery-{site_domain}/"
-            self.ecommerce_oidc_url = "https://ecommerce-{}.sandbox.edx.org/complete/edx-oidc/".format(self.dns_name)
+            self.ecommerce_oauth_complete_url = "https://ecommerce-{}.sandbox.edx.org/complete/edx-oauth2/".format(
+                self.dns_name
+            )
             self.ecommerce_base_url_fmt = "https://ecommerce-{site_domain}/"
 
         self.configuration_filename = '{}_configuration.json'.format(configuration_prefix)

openedx/core/djangoapps/theming/management/commands/tests/test_create_sites_and_configurations.py

@@ -8,9 +8,9 @@ from django.contrib.auth.models import User
 from django.contrib.sites.models import Site
 from django.core.management import CommandError, call_command
 from django.test import TestCase
-from edx_oauth2_provider.models import TrustedClient
-from provider.oauth2.models import Client
 
+from oauth2_provider.models import Application
+from openedx.core.djangoapps.oauth_dispatch.models import ApplicationAccess
 from openedx.core.djangoapps.theming.models import SiteTheme
 from student.models import UserProfile
 
@@ -96,7 +96,8 @@ class TestCreateSiteAndConfiguration(TestCase):
         """
         service_user = self._assert_service_user_is_valid("ecommerce_worker")
 
-        clients = Client.objects.filter(user=service_user)
+        clients = Application.objects.filter(user=service_user)
+
         self.assertEqual(len(clients), len(SITES))
 
         if devstack:
@@ -106,27 +107,23 @@ class TestCreateSiteAndConfiguration(TestCase):
 
         for client in clients:
             self.assertEqual(client.user.username, service_user[0].username)
-            site_name = client.name[:6]
+            site_name = [name for name in SITES if name in client.name][0]
             ecommerce_url = ecommerce_url_fmt.format(
                 site_name=site_name,
                 dns_name=self.dns_name
             )
-            self.assertEqual(client.url, ecommerce_url)
             self.assertEqual(
-                client.redirect_uri,
-                "{ecommerce_url}complete/edx-oidc/".format(ecommerce_url=ecommerce_url)
+                client.redirect_uris,
+                "{ecommerce_url}complete/edx-oauth2/".format(ecommerce_url=ecommerce_url)
             )
             self.assertEqual(
                 client.client_id,
                 "ecommerce-key-{site_name}".format(site_name=site_name)
             )
+            access = ApplicationAccess.objects.filter(application_id=client.id).first()
             self.assertEqual(
-                client.client_secret,
-                "ecommerce-secret"
-            )
-            self.assertEqual(
-                len(TrustedClient.objects.filter(client=client)),
-                1
+                access.scopes,
+                ["user_id"]
             )
 
     def _assert_discovery_clients_are_valid(self, devstack=False):
@@ -135,7 +132,7 @@ class TestCreateSiteAndConfiguration(TestCase):
         """
         service_user = self._assert_service_user_is_valid("lms_catalog_service_user")
 
-        clients = Client.objects.filter(user=service_user)
+        clients = Application.objects.filter(user=service_user)
 
         self.assertEqual(len(clients), len(SITES))
 
@@ -146,28 +143,24 @@ class TestCreateSiteAndConfiguration(TestCase):
 
         for client in clients:
             self.assertEqual(client.user.username, service_user[0].username)
-            site_name = client.name[:6]
+            site_name = [name for name in SITES if name in client.name][0]
             discovery_url = discovery_url_fmt.format(
                 site_name=site_name,
                 dns_name=self.dns_name
             )
 
-            self.assertEqual(client.url, discovery_url)
             self.assertEqual(
-                client.redirect_uri,
-                "{discovery_url}complete/edx-oidc/".format(discovery_url=discovery_url)
+                client.redirect_uris,
+                "{discovery_url}complete/edx-oauth2/".format(discovery_url=discovery_url)
             )
             self.assertEqual(
                 client.client_id,
                 "discovery-key-{site_name}".format(site_name=site_name)
             )
+            access = ApplicationAccess.objects.filter(application_id=client.id).first()
             self.assertEqual(
-                client.client_secret,
-                "discovery-secret"
-            )
-            self.assertEqual(
-                len(TrustedClient.objects.filter(client=client)),
-                1
+                access.scopes,
+                ["user_id"]
             )
 
     def test_without_dns(self):