ФУНКЦИИ - МЕЖПРОЕКТНАЯ КОММУНИКАЦИЯ: Tasker OIDC handoff и автопровижининг

2026-05-06 08:59:01 +03:00 · 2026-05-06 08:59:01 +03:00 · 73f0e41e79
parent a111574039
commit 73f0e41e79
5 changed files with 223 additions and 5 deletions
--- a/plane-app/docker-compose.yaml
+++ b/plane-app/docker-compose.yaml
@ -61,7 +61,9 @@ x-app-env: &app-env
  PLANE_OIDC_SCOPE: ${PLANE_OIDC_SCOPE:-openid email profile groups}
  PLANE_OIDC_REQUIRED_GROUPS: ${PLANE_OIDC_REQUIRED_GROUPS:-nodedc:superadmin,nodedc:taskmanager:admin,nodedc:taskmanager:user}
  PLANE_OIDC_AUTO_LINK_EMAIL: ${PLANE_OIDC_AUTO_LINK_EMAIL:-0}
  PLANE_OIDC_AUTO_CREATE_USER: ${PLANE_OIDC_AUTO_CREATE_USER:-0}
  PLANE_OIDC_SYNC_PROFILE: ${PLANE_OIDC_SYNC_PROFILE:-1}
  PLANE_NODEDC_SKIP_PROFILE_ONBOARDING: ${PLANE_NODEDC_SKIP_PROFILE_ONBOARDING:-0}
  PLANE_NODEDC_ACCESS_ENFORCEMENT: ${PLANE_NODEDC_ACCESS_ENFORCEMENT:-0}
  PLANE_NODEDC_ACCESS_CHECK_URL: ${PLANE_NODEDC_ACCESS_CHECK_URL:-}
  PLANE_NODEDC_ACCESS_TOKEN: ${PLANE_NODEDC_ACCESS_TOKEN:-}
@ -70,6 +72,8 @@ x-app-env: &app-env
  PLANE_NODEDC_ACCESS_CACHE_SECONDS: ${PLANE_NODEDC_ACCESS_CACHE_SECONDS:-0}
  PLANE_NODEDC_ACCESS_DENIED_REDIRECT_URL: ${PLANE_NODEDC_ACCESS_DENIED_REDIRECT_URL:-http://launcher.local.nodedc/}
  PLANE_NODEDC_GLOBAL_LOGOUT_URL: ${PLANE_NODEDC_GLOBAL_LOGOUT_URL:-http://launcher.local.nodedc/auth/logout?global=1&returnTo=/}
  PLANE_NODEDC_HANDOFF_URL: ${PLANE_NODEDC_HANDOFF_URL:-http://launcher.local.nodedc/api/internal/handoff/consume}
  PLANE_NODEDC_HANDOFF_TIMEOUT_SECONDS: ${PLANE_NODEDC_HANDOFF_TIMEOUT_SECONDS:-3}
  GUNICORN_WORKERS: 1
  POSTHOG_API_KEY: ${POSTHOG_API_KEY:-}
  POSTHOG_HOST: ${POSTHOG_HOST:-}
--- a/plane-app/plane.env
+++ b/plane-app/plane.env
@ -101,6 +101,8 @@ PLANE_OIDC_REDIRECT_URI=http://task.local.nodedc/auth/oidc/callback
 PLANE_OIDC_SCOPE=openid email profile groups
 PLANE_OIDC_REQUIRED_GROUPS=nodedc:superadmin,nodedc:taskmanager:admin,nodedc:taskmanager:user
 PLANE_OIDC_AUTO_LINK_EMAIL=1
 PLANE_OIDC_AUTO_CREATE_USER=1
 PLANE_NODEDC_SKIP_PROFILE_ONBOARDING=1
 PLANE_NODEDC_ACCESS_ENFORCEMENT=1
 PLANE_NODEDC_ACCESS_CHECK_URL=http://launcher.local.nodedc/api/internal/access/check
 PLANE_NODEDC_ACCESS_TOKEN=
@ -109,3 +111,5 @@ PLANE_NODEDC_ACCESS_TIMEOUT_SECONDS=3
 PLANE_NODEDC_ACCESS_CACHE_SECONDS=0
 PLANE_NODEDC_ACCESS_DENIED_REDIRECT_URL=http://launcher.local.nodedc/
 PLANE_NODEDC_GLOBAL_LOGOUT_URL=http://launcher.local.nodedc/auth/logout?global=1&returnTo=/
 PLANE_NODEDC_HANDOFF_URL=http://launcher.local.nodedc/api/internal/handoff/consume
 PLANE_NODEDC_HANDOFF_TIMEOUT_SECONDS=3
--- a/plane-src/apps/api/plane/authentication/urls.py
+++ b/plane-src/apps/api/plane/authentication/urls.py
@ -21,6 +21,7 @@ from .views import (
    MagicGenerateEndpoint,
    MagicSignInEndpoint,
    MagicSignUpEndpoint,
    NodeDCHandoffEndpoint,
    NodeDCOIDCCallbackEndpoint,
    NodeDCOIDCInitiateEndpoint,
    SignInAuthEndpoint,
@ -56,6 +57,7 @@ urlpatterns = [
    path("oidc/login/", NodeDCOIDCInitiateEndpoint.as_view(), name="nodedc-oidc-login"),
    path("oidc/callback/", NodeDCOIDCCallbackEndpoint.as_view(), name="nodedc-oidc-callback"),
    path("oidc/callback", NodeDCOIDCCallbackEndpoint.as_view(), name="nodedc-oidc-callback-no-slash"),
    path("nodedc/handoff/", NodeDCHandoffEndpoint.as_view(), name="nodedc-handoff"),
    path("spaces/sign-in/", SignInAuthSpaceEndpoint.as_view(), name="space-sign-in"),
    path("spaces/sign-up/", SignUpAuthSpaceEndpoint.as_view(), name="space-sign-up"),
    # signout
--- a/plane-src/apps/api/plane/authentication/views/init.py
+++ b/plane-src/apps/api/plane/authentication/views/init.py
@ -12,7 +12,7 @@ from .app.gitlab import GitLabCallbackEndpoint, GitLabOauthInitiateEndpoint
 from .app.gitea import GiteaCallbackEndpoint, GiteaOauthInitiateEndpoint
 from .app.google import GoogleCallbackEndpoint, GoogleOauthInitiateEndpoint
 from .app.magic import MagicGenerateEndpoint, MagicSignInEndpoint, MagicSignUpEndpoint
-from .app.oidc import NodeDCOIDCCallbackEndpoint, NodeDCOIDCInitiateEndpoint
+from .app.oidc import NodeDCHandoffEndpoint, NodeDCOIDCCallbackEndpoint, NodeDCOIDCInitiateEndpoint
 from .app.signout import SignOutAuthEndpoint
--- a/plane-src/apps/api/plane/authentication/views/app/oidc.py
+++ b/plane-src/apps/api/plane/authentication/views/app/oidc.py
@ -1,5 +1,6 @@
 import base64
 import hashlib
 import logging
 import os
 import secrets
 from urllib.parse import urlencode
@ -8,19 +9,22 @@ import jwt
 import requests
 from django.core.cache import cache
 from django.http import HttpResponseRedirect
 from django.utils.crypto import get_random_string
 from django.utils import timezone
 from django.views import View
 from plane.authentication.utils.host import base_host
 from plane.authentication.utils.login import user_login
 from plane.authentication.utils.redirection_path import get_redirection_path
-from plane.db.models import ExternalIdentityLink, User
+from plane.authentication.views.nodedc_logout import get_nodedc_internal_token
 from plane.db.models import ExternalIdentityLink, Profile, User
 from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
 OIDC_SESSION_KEY = "nodedc_oidc"
 OIDC_PROVIDER = "authentik"
 DEFAULT_REQUIRED_GROUPS = "nodedc:superadmin,nodedc:taskmanager:admin,nodedc:taskmanager:user"
 logger = logging.getLogger(__name__)
 class NodeDCOIDCInitiateEndpoint(View):
@ -98,7 +102,9 @@ class NodeDCOIDCCallbackEndpoint(View):
            claims=claims,
            groups=groups,
            auto_link=config["auto_link_email"],
            auto_create=config["auto_create_user"],
            sync_profile=config["sync_profile"],
            skip_profile_onboarding=config["skip_profile_onboarding"],
        )
        if user is None or not user.is_active:
@ -111,6 +117,53 @@ class NodeDCOIDCCallbackEndpoint(View):
        return HttpResponseRedirect(get_safe_redirect_url(base_url=base_url, next_path=path, params={}))
 class NodeDCHandoffEndpoint(View):
    def get(self, request):
        config = get_oidc_config()
        base_url = base_host(request=request, is_app=True)
        next_path = validate_next_path(request.GET.get("next_path", ""))
        token = request.GET.get("token", "")
        try:
            handoff = consume_launcher_handoff(token)
        except (RuntimeError, requests.RequestException, ValueError):
            logger.warning("NODEDC handoff failed", exc_info=True)
            return oidc_login_redirect(base_url, next_path)
        handoff_user = handoff.get("user") or {}
        groups = normalize_groups(handoff_user.get("groups"))
        if not has_required_group(groups):
            return oidc_error_redirect(base_url, next_path, "handoff_access_denied")
        claims = {
            "sub": str(handoff_user.get("subject") or handoff_user.get("authentikUserId") or handoff_user.get("id") or ""),
            "email": str(handoff_user.get("email") or "").strip().lower(),
            "name": handoff_user.get("name"),
            "preferred_username": handoff_user.get("email"),
            "picture": handoff_user.get("avatarUrl"),
            "groups": groups,
            "email_verified": True,
        }
        user = resolve_linked_user(
            claims=claims,
            groups=groups,
            auto_link=config["auto_link_email"],
            auto_create=config["auto_create_user"],
            sync_profile=config["sync_profile"],
            skip_profile_onboarding=config["skip_profile_onboarding"],
        )
        if user is None or not user.is_active:
            return oidc_error_redirect(base_url, next_path, "handoff_user_not_linked")
        user_login(request=request, user=user, is_app=True)
        path = next_path or get_redirection_path(user=user)
        return HttpResponseRedirect(get_safe_redirect_url(base_url=base_url, next_path=path, params={}))
 def get_oidc_config():
    issuer = os.environ.get("PLANE_OIDC_ISSUER", "").strip()
    client_id = os.environ.get("PLANE_OIDC_CLIENT_ID", "").strip()
@ -127,10 +180,44 @@ def get_oidc_config():
        "redirect_uri": redirect_uri,
        "scope": os.environ.get("PLANE_OIDC_SCOPE", "openid email profile groups"),
        "auto_link_email": os.environ.get("PLANE_OIDC_AUTO_LINK_EMAIL", "0") == "1",
        "auto_create_user": os.environ.get("PLANE_OIDC_AUTO_CREATE_USER", "0") == "1",
        "sync_profile": os.environ.get("PLANE_OIDC_SYNC_PROFILE", "1") == "1",
        "skip_profile_onboarding": os.environ.get("PLANE_NODEDC_SKIP_PROFILE_ONBOARDING", "0") == "1",
        "handoff_url": os.environ.get(
            "PLANE_NODEDC_HANDOFF_URL",
            "http://launcher.local.nodedc/api/internal/handoff/consume",
        ).strip(),
    }
 def consume_launcher_handoff(token):
    if not token:
        raise RuntimeError("NODEDC handoff token is missing")
    config = get_oidc_config()
    internal_token = get_nodedc_internal_token()
    if not config["handoff_url"] or not internal_token:
        raise RuntimeError("NODEDC handoff is not configured")
    response = requests.post(
        config["handoff_url"],
        json={
            "token": token,
            "serviceSlug": os.environ.get("PLANE_NODEDC_ACCESS_SERVICE_SLUG", "task-manager"),
        },
        headers={"Authorization": f"Bearer {internal_token}"},
        timeout=float(os.environ.get("PLANE_NODEDC_HANDOFF_TIMEOUT_SECONDS", "3")),
    )
    response.raise_for_status()
    payload = response.json()
    if not payload.get("ok"):
        raise RuntimeError("NODEDC handoff was rejected")
    return payload
 def load_discovery(issuer):
    response = requests.get(f"{issuer}.well-known/openid-configuration", timeout=10)
    response.raise_for_status()
@ -192,19 +279,26 @@ def has_required_group(groups):
    return bool(required_groups.intersection(set(groups)))
-def resolve_linked_user(claims, groups, auto_link, sync_profile):
+def resolve_linked_user(claims, groups, auto_link, auto_create, sync_profile, skip_profile_onboarding):
    subject = str(claims.get("sub") or "")
    email = str(claims.get("email") or "").strip().lower()
-    if not subject:
+    if not subject or not email:
        return None
    link = ExternalIdentityLink.objects.select_related("user").filter(
        provider=OIDC_PROVIDER,
        subject=subject,
        status=ExternalIdentityLink.Status.ACTIVE,
    ).first()
    if link and link.status != ExternalIdentityLink.Status.ACTIVE:
        logger.warning(
            "NODEDC OIDC denied disabled external identity link: provider=%s subject_hash=%s",
            OIDC_PROVIDER,
            hash_subject(subject),
        )
        return None
    if link is None and auto_link and email:
        user = User.objects.filter(email__iexact=email, is_active=True).first()
        if user:
@ -214,7 +308,28 @@ def resolve_linked_user(claims, groups, auto_link, sync_profile):
                defaults={"user": user, "email": email, "groups": groups},
            )
    if link is None and auto_create and email:
        user, user_created = get_or_create_oidc_user(email=email, claims=claims)
        link, _ = ExternalIdentityLink.objects.get_or_create(
            provider=OIDC_PROVIDER,
            subject=subject,
            defaults={"user": user, "email": email, "groups": groups},
        )
        if user_created:
            logger.info(
                "NODEDC OIDC provisioned Tasker user: user_id=%s email_hash=%s subject_hash=%s",
                user.id,
                hash_email(email),
                hash_subject(subject),
            )
    if link is None:
        logger.warning(
            "NODEDC OIDC user is not linked: provider=%s email_hash=%s subject_hash=%s",
            OIDC_PROVIDER,
            hash_email(email),
            hash_subject(subject),
        )
        return None
    link.email = email or link.email
@ -231,9 +346,92 @@ def resolve_linked_user(claims, groups, auto_link, sync_profile):
        update_fields.extend(sync_user_profile_from_claims(user, claims))
    user.save(update_fields=list(dict.fromkeys(update_fields)))
    if skip_profile_onboarding:
        ensure_nodedc_profile_onboarded(user)
    return user
 def get_or_create_oidc_user(email, claims):
    user = User.objects.filter(email__iexact=email).first()
    if user:
        return user, False
    username = build_unique_username(email)
    display_name = first_string_claim(claims, "name", "preferred_username") or User.get_display_name(email)
    given_name = first_string_claim(claims, "given_name") or ""
    family_name = first_string_claim(claims, "family_name") or ""
    avatar_url = first_string_claim(claims, "picture", "avatar_url", "avatar") or ""
    user = User.objects.create_user(
        email=email,
        username=username,
        display_name=display_name,
        first_name=given_name,
        last_name=family_name,
        avatar=avatar_url,
        is_active=True,
        is_managed=True,
        is_password_autoset=True,
        is_email_verified=bool(claims.get("email_verified", False)),
        last_login_medium=OIDC_PROVIDER,
        last_login_time=timezone.now(),
    )
    return user, True
 def ensure_nodedc_profile_onboarded(user):
    profile, _ = Profile.objects.get_or_create(user=user)
    onboarding_step = dict(profile.onboarding_step or {})
    required_onboarding_step = {
        "profile_complete": True,
        "workspace_create": True,
        "workspace_invite": True,
        "workspace_join": True,
    }
    next_onboarding_step = {**onboarding_step, **required_onboarding_step}
    update_fields = []
    if not profile.is_onboarded:
        profile.is_onboarded = True
        update_fields.append("is_onboarded")
    if not profile.is_tour_completed:
        profile.is_tour_completed = True
        update_fields.append("is_tour_completed")
    if profile.onboarding_step != next_onboarding_step:
        profile.onboarding_step = next_onboarding_step
        update_fields.append("onboarding_step")
    if update_fields:
        update_fields.append("updated_at")
        profile.save(update_fields=list(dict.fromkeys(update_fields)))
 def build_unique_username(email):
    base_username = email.split("@", 1)[0].strip().lower() or "nodedc-user"
    username = normalize_username(base_username)
    if not User.objects.filter(username=username).exists():
        return username
    for _ in range(10):
        candidate = f"{username}-{get_random_string(6).lower()}"
        if not User.objects.filter(username=candidate).exists():
            return candidate
    return f"{username}-{get_random_string(12).lower()}"
 def normalize_username(value):
    normalized = "".join(char if char.isalnum() or char in {"_", "-", "."} else "-" for char in value)
    normalized = normalized.strip("-._")
    return normalized[:96] or "nodedc-user"
 def sync_user_profile_from_claims(user, claims):
    updated_fields = []
    display_name = first_string_claim(claims, "name", "preferred_username")
@ -273,6 +471,16 @@ def first_string_claim(claims, *keys):
    return None
 def hash_email(email):
    normalized_email = str(email or "").strip().lower()
    return hashlib.sha256(normalized_email.encode()).hexdigest()[:12] if normalized_email else ""
 def hash_subject(subject):
    normalized_subject = str(subject or "").strip()
    return hashlib.sha256(normalized_subject.encode()).hexdigest()[:12] if normalized_subject else ""
 def normalize_logout_guard_value(value):
    return value.strip().lower() if isinstance(value, str) else ""