Support toml config and config social auth

[hmpf]

Scope and purpose

Fixes #3814

Depends on #3924

Setting up social providers (like saml, oidc, github, google, facebook..) with NAV-config isn't supported very well with today's nav config infrastructure, so here's an attempt at using toml instead.

The new TOMLConfigParser-class does not support everything the old class does. It does not support writing out toml-files, because we'd need an additional library for that if we don't want to roll our own.

It does not support multiple files per config section, as I couldn't find that this feature was used anywhere in the existing code.

It does support predefining a default-config section, and we need that for any None-value since toml does not support None as a value on principle. We can have 'em in default config anyway.

This pull request

• adds/changes/removes a dependency
  tomli, so that tests pass on Python < 3.11

How to test

This involves a new config file, "/etc/nav/webfront/authentication.toml". Make sure a copy is in the right location when testing. If using "docker compose" it might be easiest to copy the new file manually to the correct location, the container "config" should always be up and running.

It is necessary to have a client id and secret from "some" provider for a full manual test.

Contributor Checklist

Every pull request should have this checklist filled out, no matter how small it is.
More information about contributing to NAV can be found in the
Hacker's guide to NAV.

• Added a changelog fragment for towncrier
• Added/amended tests for new/changed code
• Added/changed documentation
• Linted/formatted the code with ruff, easiest by using pre-commit
• Wrote the commit message so that the first line continues the sentence "If applied, this commit will ...", starts with a capital letter, does not end with punctuation and is 50 characters or less long. See https://cbea.ms/git-commit/
• Based this pull request on the correct upstream branch: For a patch/bugfix affecting the latest stable version, it should be based on that version's branch (<major>.<minor>.x). For a new feature or other additions, it should be based on master.
• If applicable: Created new issues if this PR does not fix the issue completely/there is further work to be done
• If it's not obvious from a linked issue, described how to interact with NAV in order for a reviewer to observe the effects of this change first-hand (commands, URLs, UI interactions)
• If this results in changes in the UI: Added screenshots of the before and after
• If this adds a new Python source code file: Added the boilerplate header to that file

[github-actions]

Test results

    7 files      7 suites   13m 28s ⏱️
2 980 tests 2 980 ✅ 0 💤 0 ❌
8 757 runs  8 757 ✅ 0 💤 0 ❌

Results for commit 240a4c2.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

❌ Patch coverage is 87.35632% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.13%. Comparing base (234c86d) to head (3f86990).
⚠️ Report is 109 commits behind head on master.

Files with missing lines	Patch %	Lines
python/nav/web/auth/allauth/__init__.py	80.85%	18 Missing ⚠️
python/nav/config/toml.py	93.93%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3889      +/-   ##
==========================================
+ Coverage   63.83%   64.13%   +0.29%     
==========================================
  Files         624      625       +1     
  Lines       46174    46530     +356     
  Branches       43       43              
==========================================
+ Hits        29476    29840     +364     
+ Misses      16688    16680       -8     
  Partials       10       10              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lunkwill42]

The new TOMLConfigParser-class does not support everything the old class does. It does not support writing out toml-files, because we'd need an additional library for that if we don't want to roll our own.

That may be built-in to Python's ConfigParser (which NAV's is based on), but I don't think we use it to write config files anywhere in the codebase - we only care about reading.

[lunkwill42]

The new TOMLConfigParser-class does not support everything the old class does. It does not support writing out toml-files, because we'd need an additional library for that if we don't want to roll our own.

That may be built-in to Python's ConfigParser (which NAV's is based on), but I don't think we use it to write config files anywhere in the codebase - we only care about reading.

If we, at some point, want to migrate existing config files from .ini to .toml, however, we may need write functionality.

[hmpf]

If we, at some point, want to migrate existing config files from .ini to .toml, however, we may need write functionality.

Sounds like a future problem.

There is one feature missing: SAML-support (out of scope, will take some effort), and there should probably be docs.

[hmpf]

The provider "openid" need extra models (tables!) That seems to be the only one among the ones bundled with allauth.

[lunkwill42]

I find this PR a bit hard to follow at first - I wanted to play around with it, but we should probably get my questions out of the way first :)

[hmpf]

I'm thinking self.data is a good candidate for frozendict when Python 3.15 is out.

[github-actions]

Warning

5 of 12 new test names are missing convention keywords (given/when/then/it_should)

File	Test name
tests/unittests/config_toml_test.py	test_merge_with_default_returns_the_combined_output
tests/unittests/config_toml_test.py	test_if_section_is_set_and_no_default_config_get_item_fetches_from_inputted_subdict
tests/unittests/config_toml_test.py	test_if_section_is_set_and_no_input_get_item_fetches_from_default_subdict
tests/unittests/config_toml_test.py	test_golden_path
tests/unittests/config_toml_test.py	test_deeper_recursion

Why am I seeing this?

Test names should follow a loose given/when/then pattern with keywords like given, when, then, or it_should. This is a suggestion, not a blocker. The check runs on new test methods added in this PR.

Examples:

• test_when_no_incidents_then_returns_empty_list
• test_it_should_create_incident_with_set_description
• test_given_expired_token_when_refreshing_then_raises_error

[lunkwill42]

The functionality works for me now; I am able to configure both MFA and OIDC for Feide quite easily.

However, I found the tests are broken. In fact, all the test files in the tests/unittests/web/auth/ (including the pre-existing ones) are named incorrectly, so they are not collected by a full test run, only if run explicitly as arguments to pytest.

Test files should end in _test.py, not _tests.py (or they should start with test_).

[lunkwill42]

Added #3944 to fix the pre-existing test files

[lunkwill42]

Pushed fixups for the incorrectly named test file, and also for fixing the failing tests in it.

[lunkwill42]

Since @hmpf is busy with other things, I've fixed all my issues and nitpicks and pushed fixups myself.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
3 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud