canaille-globuzma/canaille/oidc/models.py

import datetime
from typing import ClassVar
from typing import List

from authlib.oauth2.rfc6749 import AuthorizationCodeMixin
from authlib.oauth2.rfc6749 import ClientMixin
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6749 import util

from canaille.app import models
from canaille.backends import BaseBackend

from .basemodels import AuthorizationCode as BaseAuthorizationCode
from .basemodels import Client as BaseClient
from .basemodels import Consent as BaseConsent
from .basemodels import Token as BaseToken


class Client(BaseClient, ClientMixin):
    client_info_attributes: ClassVar[List[str]] = [
        "client_id",
        "client_secret",
        "client_id_issued_at",
        "client_secret_expires_at",
    ]

    client_metadata_attributes: ClassVar[List[str]] = [
        "client_name",
        "contacts",
        "client_uri",
        "redirect_uris",
        "logo_uri",
        "grant_types",
        "response_types",
        "scope",
        "tos_uri",
        "policy_uri",
        "jwks_uri",
        "jwk",
        "token_endpoint_auth_method",
        "software_id",
        "software_version",
    ]

    def get_client_id(self):
        return self.client_id

    def get_default_redirect_uri(self):
        return self.redirect_uris[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(
            [scope_piece for scope_piece in self.scope if scope_piece in scope]
        )

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.redirect_uris

    def check_client_secret(self, client_secret):
        return client_secret == self.client_secret

    def check_endpoint_auth_method(self, method, endpoint):
        if endpoint == "token":
            return method == self.token_endpoint_auth_method
        return True

    def check_response_type(self, response_type):
        return all(r in self.response_types for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.grant_types

    @property
    def client_info(self):
        result = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_info_attributes
        }
        result["client_id_issued_at"] = int(
            datetime.datetime.timestamp(result["client_id_issued_at"])
        )
        result["client_secret_expires_at"] = (
            int(datetime.datetime.timestamp(result["client_secret_expires_at"]))
            if result["client_secret_expires_at"]
            else 0
        )
        return result

    @property
    def client_metadata(self):
        metadata = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_metadata_attributes
        }
        metadata["scope"] = " ".join(metadata["scope"])
        return metadata

    def delete(self):
        for consent in BaseBackend.instance.query(models.Consent, client=self):
            consent.delete()

        for code in BaseBackend.instance.query(models.AuthorizationCode, client=self):
            code.delete()

        for token in BaseBackend.instance.query(models.Token, client=self):
            token.delete()

        super().delete()


class AuthorizationCode(BaseAuthorizationCode, AuthorizationCodeMixin):
    def get_redirect_uri(self):
        return self.redirect_uri

    def get_scope(self):
        return self.scope

    def get_nonce(self):
        return self.nonce

    def is_expired(self):
        return self.issue_date + datetime.timedelta(
            seconds=int(self.lifetime)
        ) < datetime.datetime.now(datetime.timezone.utc)

    def get_auth_time(self):
        return int(
            (
                self.issue_date
                - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
            ).total_seconds()
        )


class Token(BaseToken, TokenMixin):
    @property
    def expire_date(self):
        return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def get_scope(self):
        return " ".join(self.scope)

    def get_issued_at(self):
        return int(
            (
                self.issue_date
                - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
            ).total_seconds()
        )

    def get_expires_at(self):
        issue_timestamp = (
            self.issue_date
            - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
        ).total_seconds()
        return int(issue_timestamp) + int(self.lifetime)

    def is_refresh_token_active(self):
        if self.revokation_date:
            return False

        return self.expire_date >= datetime.datetime.now(datetime.timezone.utc)

    def is_expired(self):
        return self.issue_date + datetime.timedelta(
            seconds=int(self.lifetime)
        ) < datetime.datetime.now(datetime.timezone.utc)

    def is_revoked(self):
        return bool(self.revokation_date)

    def check_client(self, client):
        return client.client_id == self.client.client_id


class Consent(BaseConsent):
    @property
    def revoked(self):
        return bool(self.revokation_date)

    def revoke(self):
        self.revokation_date = datetime.datetime.now(datetime.timezone.utc)
        BaseBackend.instance.save(self)

        tokens = BaseBackend.instance.query(
            models.Token,
            client=self.client,
            subject=self.subject,
        )
        tokens = [token for token in tokens if not token.revoked]
        for t in tokens:
            t.revokation_date = self.revokation_date
            BaseBackend.instance.save(t)

    def restore(self):
        self.revokation_date = None
        BaseBackend.instance.save(self)
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`import datetime`
refactor: add some typing to models 2024-04-07 14:39:05 +00:00			`from typing import ClassVar`
			`from typing import List`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`from authlib.oauth2.rfc6749 import AuthorizationCodeMixin`
			`from authlib.oauth2.rfc6749 import ClientMixin`
			`from authlib.oauth2.rfc6749 import TokenMixin`
			`from authlib.oauth2.rfc6749 import util`
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
refactor: move BackendModel.query to Backend.query 2024-04-10 13:44:11 +00:00			`from canaille.backends import BaseBackend`
doc: models types draft 2023-08-23 13:18:43 +00:00
doc: better model inheritance to generate a clearer documentation 2023-08-23 14:41:41 +00:00			`from .basemodels import AuthorizationCode as BaseAuthorizationCode`
			`from .basemodels import Client as BaseClient`
			`from .basemodels import Consent as BaseConsent`
			`from .basemodels import Token as BaseToken`


			`class Client(BaseClient, ClientMixin):`
refactor: add some typing to models 2024-04-07 14:39:05 +00:00			`client_info_attributes: ClassVar[List[str]] = [`
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`"client_id",`
			`"client_secret",`
			`"client_id_issued_at",`
			`"client_secret_expires_at",`
			`]`

refactor: add some typing to models 2024-04-07 14:39:05 +00:00			`client_metadata_attributes: ClassVar[List[str]] = [`
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`"client_name",`
			`"contacts",`
			`"client_uri",`
			`"redirect_uris",`
			`"logo_uri",`
			`"grant_types",`
			`"response_types",`
			`"scope",`
			`"tos_uri",`
			`"policy_uri",`
			`"jwks_uri",`
			`"jwk",`
			`"token_endpoint_auth_method",`
			`"software_id",`
			`"software_version",`
			`]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`def get_client_id(self):`
			`return self.client_id`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def get_default_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uris[0]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_allowed_scope(self, scope):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return util.list_to_scope(`
			`[scope_piece for scope_piece in self.scope if scope_piece in scope]`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_redirect_uri(self, redirect_uri):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return redirect_uri in self.redirect_uris`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_client_secret(self, client_secret):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return client_secret == self.client_secret`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def check_endpoint_auth_method(self, method, endpoint):`
			`if endpoint == "token":`
			`return method == self.token_endpoint_auth_method`
			`return True`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_response_type(self, response_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return all(r in self.response_types for r in response_type.split(" "))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_grant_type(self, grant_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return grant_type in self.grant_types`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def client_info(self):`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`result = {`
			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_info_attributes`
			`}`
			`result["client_id_issued_at"] = int(`
			`datetime.datetime.timestamp(result["client_id_issued_at"])`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
fix: OIDC client 'client_secret_expires_at' claim must be 0, not None 2023-11-23 08:15:40 +00:00			`result["client_secret_expires_at"] = (`
			`int(datetime.datetime.timestamp(result["client_secret_expires_at"]))`
			`if result["client_secret_expires_at"]`
			`else 0`
			`)`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`return result`

			`@property`
			`def client_metadata(self):`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`metadata = {`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_metadata_attributes`
			`}`
Fix coverage 2023-01-28 17:35:39 +00:00			`metadata["scope"] = " ".join(metadata["scope"])`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`return metadata`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`def delete(self):`
refactor: BackendModel.get() is now Backend.instance 2024-04-10 13:59:25 +00:00			`for consent in BaseBackend.instance.query(models.Consent, client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`consent.delete()`

refactor: BackendModel.get() is now Backend.instance 2024-04-10 13:59:25 +00:00			`for code in BaseBackend.instance.query(models.AuthorizationCode, client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`code.delete()`

refactor: BackendModel.get() is now Backend.instance 2024-04-10 13:59:25 +00:00			`for token in BaseBackend.instance.query(models.Token, client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`token.delete()`

			`super().delete()`

split oidc code from the rest 2022-01-11 18:49:06 +00:00
doc: better model inheritance to generate a clearer documentation 2023-08-23 14:41:41 +00:00			`class AuthorizationCode(BaseAuthorizationCode, AuthorizationCodeMixin):`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def get_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uri`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
refactor: OIDC authorization codes scopes are stored as lists 2023-11-22 15:30:38 +00:00			`return self.scope`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_nonce(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.nonce`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.issue_date + datetime.timedelta(`
			`seconds=int(self.lifetime)`
			`) < datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_auth_time(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return int(`
			`(`
			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
			`).total_seconds()`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

doc: better model inheritance to generate a clearer documentation 2023-08-23 14:41:41 +00:00			`class Token(BaseToken, TokenMixin):`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`@property`
			`def expire_date(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def revoked(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return bool(self.revokation_date)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return " ".join(self.scope)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_issued_at(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return int(`
			`(`
			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
			`).total_seconds()`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_at(self):`
			`issue_timestamp = (`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`).total_seconds()`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(issue_timestamp) + int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_refresh_token_active(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if self.revokation_date:`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`return False`

Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.expire_date >= datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.issue_date + datetime.timedelta(`
			`seconds=int(self.lifetime)`
			`) < datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def is_revoked(self):`
			`return bool(self.revokation_date)`

			`def check_client(self, client):`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`return client.client_id == self.client.client_id`
Bumped to authlib 1 2022-04-10 14:00:51 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00
doc: better model inheritance to generate a clearer documentation 2023-08-23 14:41:41 +00:00			`class Consent(BaseConsent):`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`@property`
			`def revoked(self):`
			`return bool(self.revokation_date)`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def revoke(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`self.revokation_date = datetime.datetime.now(datetime.timezone.utc)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`BaseBackend.instance.save(self)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
refactor: BackendModel.get() is now Backend.instance 2024-04-10 13:59:25 +00:00			`tokens = BaseBackend.instance.query(`
refactor: move BackendModel.query to Backend.query 2024-04-10 13:44:11 +00:00			`models.Token,`
Fixes calls to the Consent.oauthClient and Consent.oauthSubject attributes 2023-05-17 10:07:52 +00:00			`client=self.client,`
			`subject=self.subject,`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`tokens = [token for token in tokens if not token.revoked]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`for t in tokens:`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`t.revokation_date = self.revokation_date`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`BaseBackend.instance.save(t)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00
			`def restore(self):`
			`self.revokation_date = None`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`BaseBackend.instance.save(self)`