Merge branch '223-trusted-clients' into 'main'

rename Client.preconsent in Client.trusted

Closes #223

See merge request yaal/canaille!243

Author: azmeuk

CHANGES.rst

@@ -599,7 +599,7 @@ Added
 - Display TOS and policy URI on the consent list page. :pr:`102`
 - Admin token deletion. :pr:`100` :pr:`101`
 - Revoked consents can be restored. :pr:`103`
-- Pre-consented clients are displayed in the user consent list,
+- Trusted clients are displayed in the user consent list,
   and their consents can be revoked. :issue:`69` :pr:`103`
 - A ``populate`` command can be used to fill the database with
   random users generated with faker. :pr:`105`

canaille/backends/ldap/models.py

@@ -140,7 +140,7 @@ class Client(canaille.oidc.models.Client, LDAPObject):
         "id": "entryUUID",
         "created": "createTimestamp",
         "last_modified": "modifyTimestamp",
-        "preconsent": "oauthPreconsent",
+        "trusted": "oauthPreconsent",
         # post_logout_redirect_uris is not yet supported by authlib
         "post_logout_redirect_uris": "oauthPostLogoutRedirectURI",
         "audience": "oauthAudience",

canaille/backends/sql/migrations/1740765703_rename_client_preconsent_in_client_.py

@@ -0,0 +1,32 @@
+"""Rename client.preconsent in client.trusted.
+
+Revision ID: 1740765703
+Revises: 1738929510
+Create Date: 2025-02-28 19:01:43.485715
+
+"""
+
+from collections.abc import Sequence
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "1740765703"
+down_revision: str | None = "1738929510"
+branch_labels: str | Sequence[str] | None = ()
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+
+    with op.batch_alter_table("client") as batch_op:
+        batch_op.alter_column("preconsent", new_column_name="trusted")
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("client") as batch_op:
+        batch_op.alter_column("trusted", new_column_name="preconsent")
+    # ### end Alembic commands ###

canaille/backends/sql/models.py

@@ -185,7 +185,7 @@ class Client(canaille.oidc.models.Client, Base, SqlAlchemyModel):
     )
 
     description: Mapped[str] = mapped_column(String, nullable=True)
-    preconsent: Mapped[bool] = mapped_column(Boolean, nullable=True)
+    trusted: Mapped[bool] = mapped_column(Boolean, nullable=True)
     post_logout_redirect_uris: Mapped[list[str]] = mapped_column(
         MutableJson, nullable=True
     )

canaille/oidc/basemodels.py

@@ -18,7 +18,7 @@ class Client(Model):
     identifier_attribute: ClassVar[str] = "client_id"
 
     description: str | None = None
-    preconsent: bool | None = False
+    trusted: bool | None = False
     # keep 'List' instead of 'list' do not break py310 with the memory backend
     audience: List["Client"] = []  # noqa: UP006
 

canaille/oidc/endpoints/clients.py

@@ -70,7 +70,7 @@ def add(user):
         software_version=form["software_version"].data,
         jwks=form["jwks"].data,
         jwks_uri=form["jwks_uri"].data,
-        preconsent=form["preconsent"].data,
+        trusted=form["trusted"].data,
         client_secret=""
         if form["token_endpoint_auth_method"].data == "none"
         else gen_salt(48),
@@ -105,7 +105,7 @@ def client_edit(client):
     data = {attribute: getattr(client, attribute) for attribute in client.attributes}
     if data["scope"]:
         data["scope"] = " ".join(data["scope"])
-    data["preconsent"] = client.preconsent
+    data["trusted"] = client.trusted
     form = ClientAddForm(request.form or None, data=data, client=client)
 
     if not request.form or form.form_control():
@@ -141,7 +141,7 @@ def client_edit(client):
         jwks=form["jwks"].data,
         jwks_uri=form["jwks_uri"].data,
         audience=form["audience"].data,
-        preconsent=form["preconsent"].data,
+        trusted=form["trusted"].data,
     )
     Backend.instance.save(client)
     flash(

canaille/oidc/endpoints/consents.py

@@ -25,10 +25,10 @@ def consents(user):
     clients = {t.client for t in consents}
 
     nb_consents = len(consents)
-    nb_preconsents = sum(
+    nb_trusted = sum(
         1
         for client in Backend.instance.query(models.Client)
-        if client.preconsent and client not in clients
+        if client.trusted and client not in clients
     )
 
     return render_template(
@@ -38,33 +38,33 @@ def consents(user):
         scope_details=SCOPE_DETAILS,
         ignored_scopes=["openid"],
         nb_consents=nb_consents,
-        nb_preconsents=nb_preconsents,
+        nb_trusted=nb_trusted,
     )
 
 
-@bp.route("/pre-consents")
+@bp.route("/trusted-applications")
 @user_needed()
 def pre_consents(user):
     consents = Backend.instance.query(models.Consent, subject=user)
     clients = {t.client for t in consents}
-    preconsented = [
+    trusted = [
         client
         for client in Backend.instance.query(models.Client)
-        if client.preconsent and client not in clients
+        if client.trusted and client not in clients
     ]
 
     nb_consents = len(consents)
-    nb_preconsents = len(preconsented)
+    nb_trusted = len(trusted)
 
     return render_template(
-        "oidc/preconsent_list.html",
+        "oidc/trusted_list.html",
         menuitem="consents",
         scope_details=SCOPE_DETAILS,
         # TODO: do not delegate this var to the templates, or set this explicitly in the templates.
         ignored_scopes=["openid"],
-        preconsented=preconsented,
+        trusted=trusted,
         nb_consents=nb_consents,
-        nb_preconsents=nb_preconsents,
+        nb_trusted=nb_trusted,
     )
 
 
@@ -106,10 +106,10 @@ def restore(user, consent):
     return redirect(url_for("oidc.consents.consents"))
 
 
-@bp.route("/revoke-preconsent/<client(required=False):client>")
+@bp.route("/revoke-trusted/<client(required=False):client>")
 @user_needed()
-def revoke_preconsent(user, client):
-    if not client or not client.preconsent:
+def revoke_trusted(user, client):
+    if not client or not client.trusted:
         flash(_("Could not revoke this access"), "error")
         return redirect(url_for("oidc.consents.consents"))
 

canaille/oidc/endpoints/forms.py

@@ -182,8 +182,8 @@ class ClientAddForm(Form):
         ],
         render_kw={"placeholder": ""},
     )
-    preconsent = wtforms.BooleanField(
-        _("Pre-consent"),
+    trusted = wtforms.BooleanField(
+        _("Trusted"),
         validators=[wtforms.validators.Optional()],
         default=False,
     )

canaille/oidc/endpoints/oauth.py

@@ -142,7 +142,7 @@ def authorize_consent(client, user):
     # Get the authorization code, or display the user consent form
     if request.method == "GET":
         client_has_user_consent = (
-            (client.preconsent and (not consent or not consent.revoked))
+            (client.trusted and (not consent or not consent.revoked))
             or (
                 consent and all(scope in set(consent.scope) for scope in allowed_scopes)
             )

canaille/oidc/oauth.py

@@ -410,9 +410,7 @@ def authenticate_user(self, subject: str):
 
     def has_granted_permission(self, client, user):
         grant = Backend.instance.get(models.Consent, client=client, subject=user)
-        has_permission = (grant and not grant.revoked) or (
-            not grant and client.preconsent
-        )
+        has_permission = (grant and not grant.revoked) or (not grant and client.trusted)
         return has_permission
 
 

canaille/scim/client.py

@@ -189,12 +189,12 @@ def get_clients_to_notify(user):
     """Return a list of clients that should be notified of updates on 'user'."""
     consents = Backend.instance.query(models.Consent, subject=user)
     consented_clients = {t.client for t in consents}
-    preconsented_clients = [
+    trusted_clients = [
         client
         for client in Backend.instance.query(models.Client)
-        if client.preconsent and client not in consented_clients
+        if client.trusted and client not in consented_clients
     ]
-    return list(consented_clients) + list(preconsented_clients)
+    return list(consented_clients) + list(trusted_clients)
 
 
 def after_user_query(user):

canaille/templates/oidc/consent_list.html

@@ -16,8 +16,8 @@
 :type ignored_scopes: :class:`list`
 :param nb_consents: The number of consents.
 :type nb_consents: :class:`int`
-:param nb_preconsents: The number of preconsented clients.
-:type nb_preconsents: :class:`int`
+:param nb_trusted: The number of trusted clients.
+:type nb_trusted: :class:`int`
 #}
 {% extends theme('base.html') %}
 
@@ -34,7 +34,7 @@
     <a class="item" href="{{ url_for('oidc.consents.pre_consents') }}">
         <i class="stamp icon"></i>
         {% trans %}Pre-authorized applications{% endtrans %}
-        {% if nb_preconsents %}<div class="ui mini label">{{ nb_preconsents|numberformat }}</div>{% endif %}
+        {% if nb_trusted %}<div class="ui mini label">{{ nb_trusted|numberformat }}</div>{% endif %}
     </a>
 {% endblock %}
 

canaille/templates/oidc/preconsent_list.html canaille/templates/oidc/trusted_list.html

@@ -1,25 +1,25 @@
 {#
-.. screenshot:: |canaille|/consent/pre-consents
+.. screenshot:: |canaille|/consent/trusted-applications
    :context: user
    :align: right
    :width: 275px
 
-   The preconsented applications list.
+   The trusted applications list.
 
-The preconsented applications list.
+The trusted applications list.
 
 Display a list of trusted clients for which it is implied that users don't need to explicitly give their consent.
 
 :param scope_details: Description of the OIDC scopes.
 :type scope_details: :class:`dict`
 :param ignored_scopes: The scopes to hide.
 :type ignored_scopes: :class:`list`
-:param preconsented: The list of implicitly consented clients.
-:type preconsented: :class:`list` [ :class:`~canaille.oidc.basemodels.Client` ]
+:param trusted: The list of implicitly consented clients.
+:type trusted: :class:`list` [ :class:`~canaille.oidc.basemodels.Client` ]
 :param nb_consents: The number of consents.
 :type nb_consents: :class:`int`
-:param nb_preconsents: The number of preconsented clients.
-:type nb_preconsents: :class:`int`
+:param nb_trusted: The number of trusted clients.
+:type nb_trusted: :class:`int`
 #}
 {% extends theme('base.html') %}
 
@@ -36,7 +36,7 @@
     <a class="active item" href="{{ url_for('oidc.consents.pre_consents') }}">
         <i class="stamp icon"></i>
         {% trans %}Pre-authorized applications{% endtrans %}
-        {% if nb_preconsents %}<div class="ui mini label">{{ nb_preconsents|numberformat }}</div>{% endif %}
+        {% if nb_trusted %}<div class="ui mini label">{{ nb_trusted|numberformat }}</div>{% endif %}
     </a>
 {% endblock %}
 
@@ -51,9 +51,9 @@ <h2 class="ui center aligned header">
             </div>
         </h2>
 
-        {% if preconsented %}
+        {% if trusted %}
             <div class="ui centered cards">
-                {% for client in preconsented %}
+                {% for client in trusted %}
                     <div class="ui card">
                         <div class="content">
                             {% if client.logo_uri %}
@@ -100,7 +100,7 @@ <h2 class="ui center aligned header">
                                 </span>
                             </div>
                         {% endif %}
-                        <a class="ui bottom attached button" href="{{ url_for('oidc.consents.revoke_preconsent', client=client ) }}">
+                        <a class="ui bottom attached button" href="{{ url_for('oidc.consents.revoke_trusted', client=client ) }}">
                             <i class="remove icon"></i>
                             {% trans %}Revoke access{% endtrans %}
                         </a>

canaille/translations/messages.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2025-02-27 14:14+0100\n"
+"POT-Creation-Date: 2025-02-28 19:18+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -803,14 +803,14 @@ msgid "JKWS URI"
 msgstr ""
 
 #: canaille/oidc/endpoints/forms.py:186
-msgid "Pre-consent"
+msgid "Trusted"
 msgstr ""
 
-#: canaille/oidc/endpoints/oauth.py:416
+#: canaille/oidc/endpoints/oauth.py:409
 msgid "You have been disconnected"
 msgstr ""
 
-#: canaille/oidc/endpoints/oauth.py:433
+#: canaille/oidc/endpoints/oauth.py:426
 msgid "You have not been disconnected"
 msgstr ""
 

demo/demoapp.py

@@ -161,7 +161,7 @@ def populate(app):
                 scope=["openid", "profile", "email", "groups", "address", "phone"],
                 response_types=["code", "id_token"],
                 token_endpoint_auth_method="client_secret_basic",
-                preconsent=True,
+                trusted=True,
             )
             app.backend.save(client2)
             client2.audience = [client2]