canaille-globuzma/canaille/models.py

import datetime
import uuid

import ldap.filter
from authlib.oauth2.rfc6749 import AuthorizationCodeMixin
from authlib.oauth2.rfc6749 import ClientMixin
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6749 import util
from flask import current_app
from flask import session

from .ldaputils import LDAPObject


class User(LDAPObject):
    DEFAULT_OBJECT_CLASS = "inetOrgPerson"
    DEFAULT_FILTER = "(|(uid={login})(mail={login}))"
    DEFAULT_ID_ATTRIBUTE = "cn"

    def __init__(self, *args, **kwargs):
        self.read = set()
        self.write = set()
        self.permissions = set()
        self._groups = None
        super().__init__(*args, **kwargs)

    @classmethod
    def get(cls, login=None, dn=None, filter=None, conn=None):
        conn = conn or cls.ldap()

        if login:
            filter = (
                current_app.config["LDAP"]
                .get("USER_FILTER", User.DEFAULT_FILTER)
                .format(login=ldap.filter.escape_filter_chars(login))
            )

        user = super().get(dn, filter, conn)
        if user:
            user.load_permissions(conn)

        return user

    def load_groups(self, conn=None):
        try:
            group_filter = (
                current_app.config["LDAP"]
                .get("GROUP_USER_FILTER", Group.DEFAULT_USER_FILTER)
                .format(user=self)
            )
            escaped_group_filter = ldap.filter.escape_filter_chars(group_filter)
            self._groups = Group.filter(filter=escaped_group_filter, conn=conn)
        except KeyError:
            pass

    @classmethod
    def authenticate(cls, login, password, signin=False):
        user = User.get(login)
        if not user or not user.check_password(password):
            return None

        if signin:
            user.login()

        return user

    def login(self):
        try:
            previous = (
                session["user_dn"]
                if isinstance(session["user_dn"], list)
                else [session["user_dn"]]
            )
            session["user_dn"] = previous + [self.dn]
        except KeyError:
            session["user_dn"] = [self.dn]

    @classmethod
    def logout(self):
        try:
            if isinstance(session["user_dn"], list):
                session["user_dn"].pop()
            else:
                del session["user_dn"]
        except (IndexError, KeyError):
            pass

    def has_password(self):
        return bool(self.userPassword)

    def check_password(self, password):
        conn = ldap.initialize(current_app.config["LDAP"]["URI"])

        if current_app.config["LDAP"].get("TIMEOUT"):
            conn.set_option(
                ldap.OPT_NETWORK_TIMEOUT, current_app.config["LDAP"]["TIMEOUT"]
            )

        try:
            conn.simple_bind_s(self.dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    def set_password(self, password, conn=None):
        conn = conn or self.ldap()

        try:
            conn.passwd_s(
                self.dn,
                None,
                password.encode("utf-8"),
            )

        except ldap.LDAPError:
            return False

        return True

    @property
    def name(self):
        return self.cn[0]

    @property
    def groups(self):
        if self._groups is None:
            self.load_groups()
        return self._groups

    def set_groups(self, values, conn=None):
        before = self._groups
        after = [
            v if isinstance(v, Group) else Group.get(dn=v, conn=conn) for v in values
        ]
        to_add = set(after) - set(before)
        to_del = set(before) - set(after)
        for group in to_add:
            group.add_member(self, conn=conn)
        for group in to_del:
            group.remove_member(self, conn=conn)
        self._groups = after

    def load_permissions(self, conn=None):
        conn = conn or self.ldap()

        for access_group_name, details in current_app.config["ACL"].items():
            if not details.get("FILTER") or (
                self.dn
                and conn.search_s(self.dn, ldap.SCOPE_SUBTREE, details["FILTER"])
            ):
                self.permissions |= set(details.get("PERMISSIONS", []))
                self.read |= set(details.get("READ", []))
                self.write |= set(details.get("WRITE", []))

    def can_read(self, field):
        return field in self.read | self.write

    def can_writec(self, field):
        return field in self.write

    @property
    def can_use_oidc(self):
        return "use_oidc" in self.permissions

    @property
    def can_manage_users(self):
        return "manage_users" in self.permissions

    @property
    def can_manage_groups(self):
        return "manage_groups" in self.permissions

    @property
    def can_manage_oidc(self):
        return "manage_oidc" in self.permissions

    @property
    def can_delete_account(self):
        return "delete_account" in self.permissions

    @property
    def can_impersonate_users(self):
        return "impersonate_users" in self.permissions


class Group(LDAPObject):
    DEFAULT_OBJECT_CLASS = "groupOfNames"
    DEFAULT_ID_ATTRIBUTE = "cn"
    DEFAULT_NAME_ATTRIBUTE = "cn"
    DEFAULT_USER_FILTER = "member={user.dn}"

    @classmethod
    def available_groups(cls, conn=None):
        conn = conn or cls.ldap()
        try:
            attribute = current_app.config["LDAP"].get(
                "GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE
            )
            object_class = current_app.config["LDAP"].get(
                "GROUP_CLASS", Group.DEFAULT_OBJECT_CLASS
            )
        except KeyError:
            return []

        groups = cls.filter(objectClass=object_class, conn=conn)
        Group.ldap_object_attributes(conn=conn)
        return [(group[attribute][0], group.dn) for group in groups]

    @property
    def name(self):
        attribute = current_app.config["LDAP"].get(
            "GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE
        )
        return self[attribute][0]

    def get_members(self, conn=None):
        return [
            User.get(dn=user_dn, conn=conn)
            for user_dn in self.member
            if User.get(dn=user_dn, conn=conn)
        ]

    def add_member(self, user, conn=None):
        self.member = self.member + [user.dn]
        self.save(conn=conn)

    def remove_member(self, user, conn=None):
        self.member = [m for m in self.member if m != user.dn]
        self.save(conn=conn)


class Client(LDAPObject, ClientMixin):
    object_class = ["oauthClient"]
    base = "ou=clients,ou=oauth"
    id = "oauthClientID"

    @property
    def issue_date(self):
        return self.oauthIssueDate

    @property
    def preconsent(self):
        return self.oauthPreconsent

    def get_client_id(self):
        return self.oauthClientID

    def get_default_redirect_uri(self):
        return self.oauthRedirectURIs[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(self.oauthScope)

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.oauthRedirectURIs

    def has_client_secret(self):
        return bool(self.oauthClientSecret)

    def check_client_secret(self, client_secret):
        return client_secret == self.oauthClientSecret

    def check_token_endpoint_auth_method(self, method):
        return method == self.oauthTokenEndpointAuthMethod

    def check_response_type(self, response_type):
        return all(r in self.oauthResponseType for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.oauthGrantType

    @property
    def client_info(self):
        return dict(
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_id_issued_at=self.client_id_issued_at,
            client_secret_expires_at=self.client_secret_expires_at,
        )


class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):
    object_class = ["oauthAuthorizationCode"]
    base = "ou=authorizations,ou=oauth"
    id = "oauthCode"

    @property
    def issue_date(self):
        return self.oauthIssueDate

    def get_redirect_uri(self):
        return self.oauthRedirectURI

    def get_scope(self):
        return self.oauthScope

    def get_nonce(self):
        return self.oauthNonce

    def is_expired(self):
        return (
            self.oauthAuthorizationDate
            + datetime.timedelta(seconds=int(self.oauthAuthorizationLifetime))
            < datetime.datetime.now()
        )

    def get_auth_time(self):
        return int(
            (
                self.oauthAuthorizationDate - datetime.datetime(1970, 1, 1)
            ).total_seconds()
        )


class Token(LDAPObject, TokenMixin):
    object_class = ["oauthToken"]
    base = "ou=tokens,ou=oauth"
    id = "oauthAccessToken"

    @property
    def issue_date(self):
        return self.oauthIssueDate

    @property
    def expire_date(self):
        return self.oauthIssueDate + datetime.timedelta(
            seconds=int(self.oauthTokenLifetime)
        )

    @property
    def revoked(self):
        return bool(self.oauthRevokationDate)

    def get_client_id(self):
        return Client.get(self.oauthClient).oauthClientID

    def get_scope(self):
        return " ".join(self.oauthScope)

    def get_expires_in(self):
        return int(self.oauthTokenLifetime)

    def get_issued_at(self):
        return int(
            (self.oauthIssueDate - datetime.datetime(1970, 1, 1)).total_seconds()
        )

    def get_expires_at(self):
        issue_timestamp = (
            self.oauthIssueDate - datetime.datetime(1970, 1, 1)
        ).total_seconds()
        return int(issue_timestamp) + int(self.oauthTokenLifetime)

    def is_refresh_token_active(self):
        if self.oauthRevokationDate:
            return False

        return self.expire_date >= datetime.datetime.now()

    def is_expired(self):
        return (
            self.oauthIssueDate
            + datetime.timedelta(seconds=int(self.oauthTokenLifetime))
            < datetime.datetime.now()
        )


class Consent(LDAPObject):
    object_class = ["oauthConsent"]
    base = "ou=consents,ou=oauth"
    id = "cn"

    def __init__(self, *args, **kwargs):
        if "cn" not in kwargs:
            kwargs["cn"] = str(uuid.uuid4())

        super().__init__(*args, **kwargs)

    @property
    def issue_date(self):
        return self.oauthIssueDate

    @property
    def revokation_date(self):
        return self.oauthRevokationDate

    def revoke(self):
        self.oauthRevokationDate = datetime.datetime.now()
        self.save()

        tokens = Token.filter(
            oauthClient=self.oauthClient,
            oauthSubject=self.oauthSubject,
        )
        for t in tokens:
            if t.revoked or any(
                scope not in t.oauthScope[0] for scope in self.oauthScope
            ):
                continue

            t.oauthRevokationDate = self.oauthRevokationDate
            t.save()
draft 2020-08-14 11:18:08 +00:00			`import datetime`
Remember consents 2020-09-17 08:00:39 +00:00			`import uuid`
pre-commit tox test 2021-12-20 22:57:27 +00:00
			`import ldap.filter`
			`from authlib.oauth2.rfc6749 import AuthorizationCodeMixin`
			`from authlib.oauth2.rfc6749 import ClientMixin`
			`from authlib.oauth2.rfc6749 import TokenMixin`
			`from authlib.oauth2.rfc6749 import util`
			`from flask import current_app`
			`from flask import session`

Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`from .ldaputils import LDAPObject`
draft 2020-08-14 11:18:08 +00:00

Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class User(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "inetOrgPerson"`
			`DEFAULT_FILTER = "(\|(uid={login})(mail={login}))"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def __init__(self, args, *kwargs):`
			`self.read = set()`
			`self.write = set()`
			`self.permissions = set()`
display groups on user list page 2021-12-03 15:49:19 +00:00			`self._groups = None`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`super().__init__(args, *kwargs)`

Admin login 2020-08-19 14:20:57 +00:00			`@classmethod`
User model utility 2020-10-21 15:15:33 +00:00			`def get(cls, login=None, dn=None, filter=None, conn=None):`
Admin login 2020-08-19 14:20:57 +00:00			`conn = conn or cls.ldap()`

User model utility 2020-10-21 15:15:33 +00:00			`if login:`
Escape filters 2021-12-06 14:40:30 +00:00			`filter = (`
			`current_app.config["LDAP"]`
Documentation improvements 2021-12-03 17:37:25 +00:00			`.get("USER_FILTER", User.DEFAULT_FILTER)`
Escape filters 2021-12-06 14:40:30 +00:00			`.format(login=ldap.filter.escape_filter_chars(login))`
			`)`
User model utility 2020-10-21 15:15:33 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`user = super().get(dn, filter, conn)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`if user:`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`user.load_permissions(conn)`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`return user`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`def load_groups(self, conn=None):`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`try:`
Documentation improvements 2021-12-03 17:37:25 +00:00			`group_filter = (`
			`current_app.config["LDAP"]`
			`.get("GROUP_USER_FILTER", Group.DEFAULT_USER_FILTER)`
			`.format(user=self)`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`)`
Escape filters 2021-12-06 14:40:30 +00:00			`escaped_group_filter = ldap.filter.escape_filter_chars(group_filter)`
			`self._groups = Group.filter(filter=escaped_group_filter, conn=conn)`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`except KeyError:`
			`pass`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Alternate login filters 2020-08-20 08:45:33 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def authenticate(cls, login, password, signin=False):`
User model utility 2020-10-21 15:15:33 +00:00			`user = User.get(login)`
Alternate login filters 2020-08-20 08:45:33 +00:00			`if not user or not user.check_password(password):`
			`return None`
Admin login 2020-08-19 14:20:57 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if signin:`
			`user.login()`

Alternate login filters 2020-08-20 08:45:33 +00:00			`return user`
draft 2020-08-14 11:18:08 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`previous = (`
			`session["user_dn"]`
			`if isinstance(session["user_dn"], list)`
			`else [session["user_dn"]]`
			`)`
			`session["user_dn"] = previous + [self.dn]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except KeyError:`
			`session["user_dn"] = [self.dn]`
User refactoring 2020-08-21 08:23:39 +00:00
Session compatibility fix 2020-12-29 08:31:46 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def logout(self):`
			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`if isinstance(session["user_dn"], list):`
			`session["user_dn"].pop()`
			`else:`
			`del session["user_dn"]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except (IndexError, KeyError):`
User refactoring 2020-08-21 08:23:39 +00:00			`pass`

Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00			`def has_password(self):`
			`return bool(self.userPassword)`

draft 2020-08-14 11:18:08 +00:00			`def check_password(self, password):`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`conn = ldap.initialize(current_app.config["LDAP"]["URI"])`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00
			`if current_app.config["LDAP"].get("TIMEOUT"):`
			`conn.set_option(`
			`ldap.OPT_NETWORK_TIMEOUT, current_app.config["LDAP"]["TIMEOUT"]`
			`)`

Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`try:`
			`conn.simple_bind_s(self.dn, password)`
			`return True`
			`except ldap.INVALID_CREDENTIALS:`
			`return False`
			`finally:`
			`conn.unbind_s()`
draft 2020-08-14 11:18:08 +00:00
Password edition in user profile 2020-10-21 08:26:31 +00:00			`def set_password(self, password, conn=None):`
			`conn = conn or self.ldap()`

			`try:`
			`conn.passwd_s(`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00			`self.dn,`
			`None,`
			`password.encode("utf-8"),`
Password edition in user profile 2020-10-21 08:26:31 +00:00			`)`

			`except ldap.LDAPError:`
			`return False`

			`return True`

Some authorization_code work 2020-08-17 15:49:49 +00:00			`@property`
			`def name(self):`
			`return self.cn[0]`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`@property`
			`def groups(self):`
display groups on user list page 2021-12-03 15:49:19 +00:00			`if self._groups is None:`
			`self.load_groups()`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`return self._groups`

			`def set_groups(self, values, conn=None):`
			`before = self._groups`
			`after = [`
			`v if isinstance(v, Group) else Group.get(dn=v, conn=conn) for v in values`
			`]`
			`to_add = set(after) - set(before)`
			`to_del = set(before) - set(after)`
			`for group in to_add:`
			`group.add_member(self, conn=conn)`
			`for group in to_del:`
			`group.remove_member(self, conn=conn)`
			`self._groups = after`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def load_permissions(self, conn=None):`
			`conn = conn or self.ldap()`

			`for access_group_name, details in current_app.config["ACL"].items():`
			`if not details.get("FILTER") or (`
			`self.dn`
			`and conn.search_s(self.dn, ldap.SCOPE_SUBTREE, details["FILTER"])`
			`):`
			`self.permissions \|= set(details.get("PERMISSIONS", []))`
			`self.read \|= set(details.get("READ", []))`
			`self.write \|= set(details.get("WRITE", []))`

jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`def can_read(self, field):`
			`return field in self.read \| self.write`

			`def can_writec(self, field):`
			`return field in self.write`

Option to not use OIDC 2021-12-06 23:07:32 +00:00			`@property`
			`def can_use_oidc(self):`
			`return "use_oidc" in self.permissions`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`@property`
			`def can_manage_users(self):`
			`return "manage_users" in self.permissions`

			`@property`
			`def can_manage_groups(self):`
			`return "manage_groups" in self.permissions`

			`@property`
			`def can_manage_oidc(self):`
			`return "manage_oidc" in self.permissions`

			`@property`
			`def can_delete_account(self):`
			`return "delete_account" in self.permissions`

			`@property`
			`def can_impersonate_users(self):`
			`return "impersonate_users" in self.permissions`

Issue 12 groups 2021-06-03 13:00:11 +00:00
			`class Group(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "groupOfNames"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`
			`DEFAULT_NAME_ATTRIBUTE = "cn"`
			`DEFAULT_USER_FILTER = "member={user.dn}"`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`@classmethod`
			`def available_groups(cls, conn=None):`
			`conn = conn or cls.ldap()`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`try:`
Documentation improvements 2021-12-03 17:37:25 +00:00			`attribute = current_app.config["LDAP"].get(`
			`"GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE`
			`)`
			`object_class = current_app.config["LDAP"].get(`
			`"GROUP_CLASS", Group.DEFAULT_OBJECT_CLASS`
			`)`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`except KeyError:`
			`return []`

			`groups = cls.filter(objectClass=object_class, conn=conn)`
ldaputils variable renaming 2021-12-08 14:01:35 +00:00			`Group.ldap_object_attributes(conn=conn)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`return [(group[attribute][0], group.dn) for group in groups]`

Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`@property`
			`def name(self):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`attribute = current_app.config["LDAP"].get(`
			`"GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE`
			`)`
Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`return self[attribute][0]`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`def get_members(self, conn=None):`
Fix bug on groups with non-existent members 2021-10-29 12:19:46 +00:00			`return [`
			`User.get(dn=user_dn, conn=conn)`
			`for user_dn in self.member`
			`if User.get(dn=user_dn, conn=conn)`
			`]`
Issue 12 groups 2021-06-03 13:00:11 +00:00
			`def add_member(self, user, conn=None):`
			`self.member = self.member + [user.dn]`
			`self.save(conn=conn)`

			`def remove_member(self, user, conn=None):`
			`self.member = [m for m in self.member if m != user.dn]`
			`self.save(conn=conn)`

draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class Client(LDAPObject, ClientMixin):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthClient"]`
LDAP tree refactoring 2020-09-03 15:19:41 +00:00			`base = "ou=clients,ou=oauth"`
draft 2020-08-14 11:18:08 +00:00			`id = "oauthClientID"`

Client forms 2020-08-17 13:49:48 +00:00			`@property`
			`def issue_date(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthIssueDate`
Client forms 2020-08-17 13:49:48 +00:00
Implemented client pre-authorization 2021-10-20 10:05:08 +00:00			`@property`
			`def preconsent(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthPreconsent`
Implemented client pre-authorization 2021-10-20 10:05:08 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_client_id(self):`
wip 2020-08-16 18:16:57 +00:00			`return self.oauthClientID`
draft 2020-08-14 11:18:08 +00:00
			`def get_default_redirect_uri(self):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return self.oauthRedirectURIs[0]`
draft 2020-08-14 11:18:08 +00:00
			`def get_allowed_scope(self, scope):`
Implicit flow test 2020-08-20 12:30:42 +00:00			`return util.list_to_scope(self.oauthScope)`
draft 2020-08-14 11:18:08 +00:00
			`def check_redirect_uri(self, redirect_uri):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return redirect_uri in self.oauthRedirectURIs`
draft 2020-08-14 11:18:08 +00:00
			`def has_client_secret(self):`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00			`return bool(self.oauthClientSecret)`
draft 2020-08-14 11:18:08 +00:00
			`def check_client_secret(self, client_secret):`
wip 2020-08-16 18:16:57 +00:00			`return client_secret == self.oauthClientSecret`
draft 2020-08-14 11:18:08 +00:00
			`def check_token_endpoint_auth_method(self, method):`
wip 2020-08-16 18:16:57 +00:00			`return method == self.oauthTokenEndpointAuthMethod`
draft 2020-08-14 11:18:08 +00:00
			`def check_response_type(self, response_type):`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`return all(r in self.oauthResponseType for r in response_type.split(" "))`
draft 2020-08-14 11:18:08 +00:00
			`def check_grant_type(self, grant_type):`
			`return grant_type in self.oauthGrantType`

wip 2020-08-14 13:26:14 +00:00			`@property`
			`def client_info(self):`
			`return dict(`
			`client_id=self.client_id,`
			`client_secret=self.client_secret,`
			`client_id_issued_at=self.client_id_issued_at,`
			`client_secret_expires_at=self.client_secret_expires_at,`
			`)`

draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthAuthorizationCode"]`
LDAP tree refactoring 2020-09-03 15:19:41 +00:00			`base = "ou=authorizations,ou=oauth"`
wip 2020-08-14 13:26:14 +00:00			`id = "oauthCode"`
draft 2020-08-14 11:18:08 +00:00
Token list and auth code list views 2020-08-26 14:27:08 +00:00			`@property`
			`def issue_date(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthIssueDate`
Token list and auth code list views 2020-08-26 14:27:08 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_redirect_uri(self):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return self.oauthRedirectURI`
draft 2020-08-14 11:18:08 +00:00
			`def get_scope(self):`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`return self.oauthScope`
draft 2020-08-14 11:18:08 +00:00
Some authorization_code work 2020-08-17 16:02:38 +00:00			`def get_nonce(self):`
			`return self.oauthNonce`
wip 2020-08-14 13:26:14 +00:00
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`def is_expired(self):`
			`return (`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`self.oauthAuthorizationDate`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`+ datetime.timedelta(seconds=int(self.oauthAuthorizationLifetime))`
			`< datetime.datetime.now()`
			`)`
wip 2020-08-14 13:26:14 +00:00
Some authorization_code work 2020-08-17 16:02:38 +00:00			`def get_auth_time(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return int(`
			`(`
			`self.oauthAuthorizationDate - datetime.datetime(1970, 1, 1)`
			`).total_seconds()`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`)`
Some authorization_code work 2020-08-17 16:02:38 +00:00
draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class Token(LDAPObject, TokenMixin):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthToken"]`
LDAP tree refactoring 2020-09-03 15:19:41 +00:00			`base = "ou=tokens,ou=oauth"`
Fixed password flow 2020-08-16 17:39:14 +00:00			`id = "oauthAccessToken"`
draft 2020-08-14 11:18:08 +00:00
Token list and auth code list views 2020-08-26 14:27:08 +00:00			`@property`
			`def issue_date(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthIssueDate`
Token list and auth code list views 2020-08-26 14:27:08 +00:00
User token list view 2020-08-27 08:50:50 +00:00			`@property`
			`def expire_date(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthIssueDate + datetime.timedelta(`
			`seconds=int(self.oauthTokenLifetime)`
			`)`
User token list view 2020-08-27 08:50:50 +00:00
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`@property`
			`def revoked(self):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`return bool(self.oauthRevokationDate)`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_client_id(self):`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`return Client.get(self.oauthClient).oauthClientID`
draft 2020-08-14 11:18:08 +00:00
			`def get_scope(self):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`return " ".join(self.oauthScope)`
draft 2020-08-14 11:18:08 +00:00
			`def get_expires_in(self):`
wip 2020-08-16 18:16:57 +00:00			`return int(self.oauthTokenLifetime)`
draft 2020-08-14 11:18:08 +00:00
Token introspection 2020-08-24 12:44:32 +00:00			`def get_issued_at(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return int(`
			`(self.oauthIssueDate - datetime.datetime(1970, 1, 1)).total_seconds()`
			`)`
Token introspection 2020-08-24 12:44:32 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_expires_at(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`issue_timestamp = (`
			`self.oauthIssueDate - datetime.datetime(1970, 1, 1)`
			`).total_seconds()`
Integer values for model times 2020-08-26 09:03:26 +00:00			`return int(issue_timestamp) + int(self.oauthTokenLifetime)`
wip 2020-08-14 13:26:14 +00:00
			`def is_refresh_token_active(self):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`if self.oauthRevokationDate:`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`return False`

User token list view 2020-08-27 08:50:50 +00:00			`return self.expire_date >= datetime.datetime.now()`
Remember consents 2020-09-17 08:00:39 +00:00
Added a command to clean tokens and codes. Fixes #17 2020-10-23 09:31:16 +00:00			`def is_expired(self):`
			`return (`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`self.oauthIssueDate`
Added a command to clean tokens and codes. Fixes #17 2020-10-23 09:31:16 +00:00			`+ datetime.timedelta(seconds=int(self.oauthTokenLifetime))`
			`< datetime.datetime.now()`
			`)`

Remember consents 2020-09-17 08:00:39 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class Consent(LDAPObject):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthConsent"]`
Remember consents 2020-09-17 08:00:39 +00:00			`base = "ou=consents,ou=oauth"`
			`id = "cn"`

			`def __init__(self, args, *kwargs):`
			`if "cn" not in kwargs:`
			`kwargs["cn"] = str(uuid.uuid4())`

			`super().__init__(args, *kwargs)`
Consents page 2020-09-17 10:01:21 +00:00
			`@property`
			`def issue_date(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthIssueDate`
Consents page 2020-09-17 10:01:21 +00:00
			`@property`
			`def revokation_date(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`return self.oauthRevokationDate`
Consents page 2020-09-17 10:01:21 +00:00
			`def revoke(self):`
python to ldap two-ways serialization 2021-12-08 14:53:20 +00:00			`self.oauthRevokationDate = datetime.datetime.now()`
Consents page 2020-09-17 10:01:21 +00:00			`self.save()`

			`tokens = Token.filter(`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00			`oauthClient=self.oauthClient,`
			`oauthSubject=self.oauthSubject,`
Consents page 2020-09-17 10:01:21 +00:00			`)`
			`for t in tokens:`
			`if t.revoked or any(`
			`scope not in t.oauthScope[0] for scope in self.oauthScope`
			`):`
			`continue`

			`t.oauthRevokationDate = self.oauthRevokationDate`
			`t.save()`