From caa0adad480cb86a644f292c6d3bc861f106c0f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?= <eloi@yaal.coop>
Date: Fri, 28 Jul 2023 11:46:23 +0200
Subject: [PATCH] feat: attendee authentication can be disabled

If OIDC_ATTENDEE_ENABLED configuration option is set to False,
attendee authentication step will be skipped.
---
 web.env.example                |  1 +
 web/flaskr/models.py           |  6 +++++-
 web/instance/config.py         |  9 +++++++++
 web/tests/meeting/test_join.py | 24 ++++++++++++++++++++++++
 4 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/web.env.example b/web.env.example
index 0b33569b..46584c25 100644
--- a/web.env.example
+++ b/web.env.example
@@ -42,6 +42,7 @@ OIDC_USERINFO_HTTP_METHOD=POST
 OIDC_REDIRECT_URI=http://localhost:5000/oidc_callback
 
 # Attendee OIDC Configuration (back to default if empty)
+OIDC_ATTENDEE_ENABLED=
 OIDC_ATTENDEE_ISSUER=
 OIDC_ATTENDEE_CLIENT_ID=
 OIDC_ATTENDEE_CLIENT_SECRET=
diff --git a/web/flaskr/models.py b/web/flaskr/models.py
index 6f78fc73..df46c40a 100755
--- a/web/flaskr/models.py
+++ b/web/flaskr/models.py
@@ -773,7 +773,11 @@ def get_role(self, hashed_role):
         elif self.get_hash("moderator") == hashed_role:
             role = "moderator"
         elif self.get_hash("authenticated") == hashed_role:
-            role = "authenticated"
+            role = (
+                "authenticated"
+                if current_app.config["OIDC_ATTENDEE_ENABLED"]
+                else "attendee"
+            )
         else:
             role = None
         return role
diff --git a/web/instance/config.py b/web/instance/config.py
index 886f9b46..d069a41b 100755
--- a/web/instance/config.py
+++ b/web/instance/config.py
@@ -47,6 +47,15 @@
 OIDC_SERVICE_NAME = os.environ.get("OIDC_SERVICE_NAME")
 
 # Attendee OIDC Configuration (back to default if empty)
+OIDC_ATTENDEE_ENABLED = os.environ.get("OIDC_ATTENDEE_ENABLED") not in [
+    0,
+    False,
+    "0",
+    "false",
+    "False",
+    "off",
+    "OFF",
+]
 OIDC_ATTENDEE_ISSUER = os.environ.get("OIDC_ATTENDEE_ISSUER") or OIDC_ISSUER
 OIDC_ATTENDEE_CLIENT_ID = os.environ.get("OIDC_ATTENDEE_CLIENT_ID") or OIDC_CLIENT_ID
 OIDC_ATTENDEE_CLIENT_SECRET = (
diff --git a/web/tests/meeting/test_join.py b/web/tests/meeting/test_join.py
index fd0f7f63..3ea0d125 100644
--- a/web/tests/meeting/test_join.py
+++ b/web/tests/meeting/test_join.py
@@ -54,6 +54,30 @@ def test_signin_meeting_with_authenticated_attendee(client_app, app, meeting):
     assert response.location.endswith("/meeting/join/1/authenticated")
 
 
+def test_auth_attendee_disabled(client_app, app, meeting):
+    """
+    If attendee authentication service is temporarily disabled, we should skip
+    the attendee authentication step.
+    https://github.com/numerique-gouv/b3desk/issues/9
+    """
+    # TODO: refactor this test with modern test conventions when #6 is merged
+
+    app.config["OIDC_ATTENDEE_ENABLED"] = False
+
+    with app.app_context():
+        user_id = 1
+        meeting = Meeting.query.get(1)
+        meeting_id = meeting.id
+        meeting_hash = meeting.get_hash("authenticated")
+
+    url = f"/meeting/signin/{meeting_id}/creator/{user_id}/hash/{meeting_hash}"
+    response = client_app.get(url)
+
+    assert response.status_code == 200
+    form_action_url = "/meeting/join"
+    assert form_action_url in response.data.decode()
+
+
 def test_join_meeting_as_authenticated_attendee(
     client_app, app, meeting, authenticated_attendee
 ):