Credential handling for password-less learner certificate generation

kolibri/core/auth/backends.py

@@ -3,26 +3,33 @@
 The appropriate classes should be listed in the AUTHENTICATION_BACKENDS. Note that authentication
 backends are checked in the order they're listed.
 """
+from kolibri.core.auth.models import Facility
 from kolibri.core.auth.models import FacilityUser
 
 
+FACILITY_CREDENTIAL_NAME = "facility"
+
+
 class FacilityUserBackend(object):
     """
     A class that implements authentication for FacilityUsers.
     """
 
-    def authenticate(self, username=None, password=None, facility=None):
+    def authenticate(self, request, username=None, password=None, **kwargs):
         """
         Authenticates the user if the credentials correspond to a FacilityUser for the specified Facility.
 
         :param username: a string
         :param password: a string
-        :param facility: a Facility
+        :param kwargs: a dict of additional credentials (see `keyword`s)
+        :keyword facility: a Facility object or facility ID
         :return: A FacilityUser instance if successful, or None if authentication failed.
         """
+        facility = kwargs.get(FACILITY_CREDENTIAL_NAME, None)
         users = FacilityUser.objects.filter(username__iexact=username)
         if facility:
-            users = users.filter(facility=facility)
+            facility_id = facility.pk if isinstance(facility, Facility) else facility
+            users = users.filter(facility_id=facility_id)
         for user in users:
             if user.check_password(password):
                 return user

kolibri/core/auth/management/utils.py

@@ -15,6 +15,7 @@
 from morango.models import ScopeDefinition
 from six.moves.urllib.parse import urljoin
 
+from kolibri.core.auth.backends import FACILITY_CREDENTIAL_NAME
 from kolibri.core.auth.constants.morango_sync import ScopeDefinitions
 from kolibri.core.auth.models import Facility
 from kolibri.core.auth.models import FacilityUser
@@ -227,11 +228,16 @@ def get_client_and_server_certs(
                 username = input("Please enter username: ")
                 password = getpass.getpass("Please enter password: ")
 
+        # add facility so `FacilityUserBackend` can validate
+        userargs = {
+            FacilityUser.USERNAME_FIELD: username,
+            FACILITY_CREDENTIAL_NAME: dataset_id,
+        }
         client_cert = nc.certificate_signing_request(
             server_cert,
             client_scope,
             csr_scope_params,
-            userargs=username,
+            userargs=userargs,
             password=password,
         )
     else: