From c9f6d049ed485c424e2fa3a633d8c0135ab51d67 Mon Sep 17 00:00:00 2001
From: OllieJC <5426038+OllieJC@users.noreply.github.com>
Date: Fri, 16 Feb 2024 15:35:04 +0000
Subject: [PATCH] Add client viewers and view config page

---
 templates/dashboard.html |  10 +--
 templates/manage.html    |   2 +-
 templates/view.html      | 127 +++++++++++++++++++++++++++++++++++++++
 wsgi.py                  |  35 ++++++++++-
 4 files changed, 168 insertions(+), 6 deletions(-)
 create mode 100644 templates/view.html

diff --git a/templates/dashboard.html b/templates/dashboard.html
index 68aa654..0ff00b4 100644
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -42,12 +42,14 @@ <h3 class="govuk-heading-m" id="{{ a }}">
           {%- if app["sign_in_url"] %}
             <a href="{{ app['sign_in_url'] }}" role="button" draggable="false" class="govuk-button" data-module="govuk-button">{{ app["button_text"] }}</a>
           {%- endif %}
-
-          {%- if app["sign_in_url"] and app["can_manage"] %}
-          &nbsp;
-          {%- endif %}
           
+          {%- if app["can_view"] %}
+            &nbsp;
+            <a href="/view?client_id={{ a }}" role="button" draggable="false" class="govuk-button govuk-button--secondary" data-module="govuk-button">View configuration</a>
+          {%- endif %}
+
           {%- if app["can_manage"] %}
+            &nbsp;
             <a href="/manage?client_id={{ a }}" role="button" draggable="false" class="govuk-button govuk-button--secondary" data-module="govuk-button">Manage</a>
           {%- endif %}
         </p>
diff --git a/templates/manage.html b/templates/manage.html
index 03fc43d..517f163 100644
--- a/templates/manage.html
+++ b/templates/manage.html
@@ -51,7 +51,7 @@ <h3 class="govuk-label-wrapper">
     </a>
     {%- endif %}
   </div>
-  {%- elif manager_type %}
+  {%- elif manager_type and manager_type in ["owner", "manager"] %}
   <form method="post">
     <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
     <div>
diff --git a/templates/view.html b/templates/view.html
new file mode 100644
index 0000000..22ed400
--- /dev/null
+++ b/templates/view.html
@@ -0,0 +1,127 @@
+{% extends "_primary.html" %}
+
+{% block content %}
+<div class="govuk-breadcrumbs">
+  <ol class="govuk-breadcrumbs__list">
+    <li class="govuk-breadcrumbs__list-item">
+      <a class="govuk-breadcrumbs__link" href="/">Single Sign-On</a>
+    </li>
+    <li class="govuk-breadcrumbs__list-item" aria-current="page">View {{ client.get("name") }} configuration</li>
+  </ol>
+</div>
+
+<main class="govuk-main-wrapper govuk-body " id="main-content" role="main">
+  <h2 class="govuk-heading-l">View {{ client.get("name") }} configuration</h2>
+
+  {%- if manager_type and manager_type in ["owner", "manager", "viewer"] %}
+  <div>
+    <h3 class="govuk-heading-m">Client ID</h3>
+    <p>{{ client_id }}</p>
+
+    {%- if client.get("description", None) %}
+    <h3 class="govuk-heading-m">Client Description</h3>
+    <p>{{ client.get("description") }}</p>
+    {%- endif %}
+
+    {%- if client.get("owners", []) %}
+    <h3 class="govuk-heading-m">Client Owners</h3>
+    <div id="owners_hint" class="govuk-hint">
+      Owners can manage all aspects of this application, including resetting the client secret
+    </div>
+    <ul aria-describedby="owners_hint">
+      {%- for em in client.get("owners", []) | sort %}
+      <li>{{ em }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+
+    {%- if client.get("managers", []) %}
+    <h3 class="govuk-heading-m">Client Managers</h3>
+    <div id="managers_hint" class="govuk-hint">
+      Managers can manage this application's allowed/blocked list and some other settings
+    </div>
+    <ul aria-describedby="managers_hint">
+      {%- for em in client.get("managers", []) | sort %}
+      <li>{{ em }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+
+    {%- if client.get("viewers", []) %}
+    <h3 class="govuk-heading-m">Client Viewers</h3>
+    <div id="viewers_hint" class="govuk-hint">
+      Viewers can view some settings via this current page
+    </div>
+    <ul aria-describedby="viewers_hint">
+      {%- for em in client.get("viewers", []) | sort %}
+      <li>{{ em }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+
+    {%- if client.get("blocked_domains", []) %}
+    <h3 class="govuk-heading-m">Blocked domains</h3>
+    <div id="blocked_domains_hint" class="govuk-hint">
+      Blocked domains take precedence over any allowed domains or emails
+    </div>
+    <ul aria-describedby="blocked_domains_hint">
+      {%- for d in client.get("blocked_domains", []) | sort %}
+      <li>{{ d }}</li>
+      <li>*.{{ d }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+
+    {%- if client.get("blocked_emails", []) %}
+    <h3 class="govuk-heading-m">Blocked emails</h3>
+    <div id="blocked_emails_hint" class="govuk-hint">
+      Blocked emails take precedence over any allowed domains or emails
+    </div>
+    <ul aria-describedby="blocked_emails_hint">
+      {%- for em in client.get("blocked_emails", []) | sort %}
+      <li>{{ em }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+
+    {%- if client.get("allowed_emails", []) %}
+    <h3 class="govuk-heading-m">Allowed emails</h3>
+    <div id="allowed_emails_hint" class="govuk-hint">
+      The below emails can authenticate using this client. Note that the client may include additional authorisation steps that prevents user access.
+    </div>
+    <ul aria-describedby="allowed_emails_hint">
+      {%- for em in client.get("allowed_emails", []) | sort %}
+      <li>{{ em }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+
+    {%- if client.get("allowed_domains", []) %}
+    <h3 class="govuk-heading-m">Allowed domains</h3>
+    <div id="allowed_domains_hint" class="govuk-hint">
+      Users with email addresses ending in the below domains can authenticate using this client. Note that the client may include additional authorisation steps that prevents user access.
+    </div>
+    <ul aria-describedby="allowed_domains_hint">
+      {%- for d in client.get("allowed_domains", []) | sort %}
+      <li>{{ d }}</li>
+      <li>*.{{ d }}</li>
+      {%- endfor %}
+    </ul>
+    {%- endif %}
+    
+    <div>
+      <a href="/dashboard#{{ client_id }}" class="govuk-button govuk-button--secondary" data-module="govuk-button">
+        Return to dashboard
+      </a>
+      {%- if manager_type and manager_type in ["owner", "manager"] %}
+      &nbsp;
+      <a href="/manage?client_id={{ client_id }}" class="govuk-button govuk-button--secondary" data-module="govuk-button">
+        Manage
+      </a>
+      {%- endif %}
+    </div>
+  </div>
+  {%- endif %}
+
+</main>
+{% endblock %}
diff --git a/wsgi.py b/wsgi.py
index f3c992b..783ef17 100644
--- a/wsgi.py
+++ b/wsgi.py
@@ -1246,6 +1246,7 @@ def signout(country_missmatch: bool = False):
     return redirect(redirect_url)
 
 
+@app.route("/view", methods=["GET"])
 @app.route("/manage", methods=["GET", "POST"])
 @UserShouldBeSignedIn
 @SetBrowserCookie
@@ -1294,6 +1295,7 @@ def route_manage():
 
     owners = client.get("owners", [])
     managers = client.get("managers", [])
+    viewers = client.get("viewers", [])
 
     manager_type = None
 
@@ -1305,6 +1307,8 @@ def route_manage():
         manager_type = "owner"
     elif users_email and users_email in managers:
         manager_type = "manager"
+    elif users_email and users_email in viewers:
+        manager_type = "viewer"
 
     if not manager_type:
         jprint(
@@ -1317,6 +1321,19 @@ def route_manage():
         )
         return redirect("/dashboard?error=management-no-access")
 
+    if "view" in request.path or manager_type == "viewer":
+        return renderTemplate(
+            "view.html",
+            {
+                "session": session,
+                "client_id": client_id,
+                "manager_type": manager_type,
+                "client": client,
+                "title": "View",
+                "nav_item": "view",
+            },
+        )
+
     client_json = None
     client_json_lines = 0
 
@@ -1347,9 +1364,10 @@ def route_manage():
                 else:
                     new_config["secret"] = client["secret"]
 
-                if manager_type == "manager":
+                if manager_type != "owner":
                     new_config["owners"] = client.get("owners", [])
                     new_config["managers"] = client.get("managers", [])
+                    new_config["viewers"] = client.get("viewers", [])
 
                 save_success = sso_oidc.save_client(
                     filename=client.get("_filename", None),
@@ -1409,6 +1427,20 @@ def dashboard():
                 else f"Open {name}"
             )
 
+            can_view = (
+                True
+                if (
+                    users_email
+                    in (
+                        client.get("owners", [])
+                        + client.get("managers", [])
+                        + client.get("viewers", [])
+                    )
+                    or users_email in SUPERUSERS
+                )
+                else False
+            )
+
             can_manage = (
                 True
                 if (
@@ -1435,6 +1467,7 @@ def dashboard():
                 "sign_in_url": sign_in_url,
                 "button_text": button_text,
                 "dashboard_display": dashboard_display,
+                "can_view": can_view,
                 "can_manage": can_manage,
             }