canaille-globuzma/website/oauth2.py

import datetime
from authlib.integrations.flask_oauth2 import AuthorizationServer, ResourceProtector
from authlib.oauth2.rfc6749.grants import (
    AuthorizationCodeGrant as _AuthorizationCodeGrant,
    ResourceOwnerPasswordCredentialsGrant as _ResourceOwnerPasswordCredentialsGrant,
    RefreshTokenGrant as _RefreshTokenGrant,
)
from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator
from authlib.oidc.core.grants import (
    OpenIDCode as _OpenIDCode,
    OpenIDImplicitGrant as _OpenIDImplicitGrant,
    OpenIDHybridGrant as _OpenIDHybridGrant,
)
from authlib.oidc.core import UserInfo
from werkzeug.security import gen_salt
from .models import Client, AuthorizationCode, Token, User

DUMMY_JWT_CONFIG = {
    "key": "secret-key",
    "alg": "HS256",
    "iss": "https://authlib.org",
    "exp": 3600,
}


def exists_nonce(nonce, req):
    exists = AuthorizationCode.query.filter_by(
        client_id=req.client_id, nonce=nonce
    ).first()
    return bool(exists)


def generate_user_info(user, scope):
    return UserInfo(sub=str(user.id), name=user.username)


def create_authorization_code(client, grant_user, request):
    raise NotImplementedError()
    code = gen_salt(48)
    nonce = request.data.get("nonce")
    item = AuthorizationCode(
        code=code,
        client_id=client.client_id,
        redirect_uri=request.redirect_uri,
        scope=request.scope,
        user_id=grant_user.id,
        nonce=nonce,
    )
    return code


class AuthorizationCodeGrant(_AuthorizationCodeGrant):
    def create_authorization_code(self, client, grant_user, request):
        return create_authorization_code(client, grant_user, request)

    def parse_authorization_code(self, code, client):
        item = AuthorizationCode.query.filter_by(
            code=code, client_id=client.client_id
        ).first()
        if item and not item.is_expired():
            return item

    def delete_authorization_code(self, authorization_code):
        raise NotImplementedError()

    def authenticate_user(self, authorization_code):
        return User.query.get(authorization_code.user_id)


class OpenIDCode(_OpenIDCode):
    def exists_nonce(self, nonce, request):
        return exists_nonce(nonce, request)

    def get_jwt_config(self, grant):
        return DUMMY_JWT_CONFIG

    def generate_user_info(self, user, scope):
        return generate_user_info(user, scope)


class PasswordGrant(_ResourceOwnerPasswordCredentialsGrant):
    def authenticate_user(self, username, password):
        user = User.get(username)
        if user is not None and user.check_password(password):
            return user


class RefreshTokenGrant(_RefreshTokenGrant):
    def authenticate_refresh_token(self, refresh_token):
        raise NotImplementedError()
        token = Token.query.filter_by(refresh_token=refresh_token).first()
        if token and token.is_refresh_token_active():
            return token

    def authenticate_user(self, credential):
        raise NotImplementedError()
        return User.query.get(credential.user_id)

    def revoke_old_credential(self, credential):
        raise NotImplementedError()
        credential.revoked = True


class ImplicitGrant(_OpenIDImplicitGrant):
    def exists_nonce(self, nonce, request):
        return exists_nonce(nonce, request)

    def get_jwt_config(self, grant):
        return DUMMY_JWT_CONFIG

    def generate_user_info(self, user, scope):
        return generate_user_info(user, scope)


class HybridGrant(_OpenIDHybridGrant):
    def create_authorization_code(self, client, grant_user, request):
        return create_authorization_code(client, grant_user, request)

    def exists_nonce(self, nonce, request):
        return exists_nonce(nonce, request)

    def get_jwt_config(self):
        return DUMMY_JWT_CONFIG

    def generate_user_info(self, user, scope):
        return generate_user_info(user, scope)


def query_client(client_id):
    return Client.get(client_id)


def save_token(token, request):
    now = datetime.datetime.now()
    token = Token(
        oauthTokenType=token["token_type"],
        oauthAccessToken=token["access_token"],
        oauthRefreshToken=token["refresh_token"],
        oauthIssueDate=now.strftime("%Y%m%d%H%M%SZ"),
        oauthTokenLifetime=str(token["expires_in"]),
        oauthScope=token["scope"],
        oauthClientID=request.client.oauthClientID[0],
    )
    token.save()


class BearerTokenValidator(_BearerTokenValidator):
    def authenticate_token(self, token_string):
        return Token.get(token_string)

    def request_invalid(self, request):
        return False

    def token_revoked(self, token):
        return False


authorization = AuthorizationServer()
require_oauth = ResourceProtector()


def config_oauth(app):
    authorization.init_app(app, query_client=query_client, save_token=save_token)

    authorization.register_grant(
        AuthorizationCodeGrant, [OpenIDCode(require_nonce=True)]
    )
    authorization.register_grant(ImplicitGrant)
    authorization.register_grant(HybridGrant)
    authorization.register_grant(PasswordGrant)

    require_oauth.register_token_validator(BearerTokenValidator())
Fixed password flow 2020-08-16 17:39:14 +00:00			`import datetime`
wip 2020-08-14 13:26:14 +00:00			`from authlib.integrations.flask_oauth2 import AuthorizationServer, ResourceProtector`
			`from authlib.oauth2.rfc6749.grants import (`
			`AuthorizationCodeGrant as _AuthorizationCodeGrant,`
			`ResourceOwnerPasswordCredentialsGrant as _ResourceOwnerPasswordCredentialsGrant,`
			`RefreshTokenGrant as _RefreshTokenGrant,`
draft 2020-08-14 11:18:08 +00:00			`)`
wip 2020-08-14 13:26:14 +00:00			`from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator`
			`from authlib.oidc.core.grants import (`
			`OpenIDCode as _OpenIDCode,`
			`OpenIDImplicitGrant as _OpenIDImplicitGrant,`
			`OpenIDHybridGrant as _OpenIDHybridGrant,`
			`)`
			`from authlib.oidc.core import UserInfo`
			`from werkzeug.security import gen_salt`
			`from .models import Client, AuthorizationCode, Token, User`

			`DUMMY_JWT_CONFIG = {`
			`"key": "secret-key",`
			`"alg": "HS256",`
			`"iss": "https://authlib.org",`
			`"exp": 3600,`
			`}`


			`def exists_nonce(nonce, req):`
			`exists = AuthorizationCode.query.filter_by(`
			`client_id=req.client_id, nonce=nonce`
			`).first()`
			`return bool(exists)`


			`def generate_user_info(user, scope):`
			`return UserInfo(sub=str(user.id), name=user.username)`


			`def create_authorization_code(client, grant_user, request):`
			`raise NotImplementedError()`
			`code = gen_salt(48)`
			`nonce = request.data.get("nonce")`
			`item = AuthorizationCode(`
			`code=code,`
			`client_id=client.client_id,`
			`redirect_uri=request.redirect_uri,`
			`scope=request.scope,`
			`user_id=grant_user.id,`
			`nonce=nonce,`
			`)`
			`return code`
draft 2020-08-14 11:18:08 +00:00

wip 2020-08-14 13:26:14 +00:00			`class AuthorizationCodeGrant(_AuthorizationCodeGrant):`
			`def create_authorization_code(self, client, grant_user, request):`
			`return create_authorization_code(client, grant_user, request)`
draft 2020-08-14 11:18:08 +00:00
wip 2020-08-14 13:26:14 +00:00			`def parse_authorization_code(self, code, client):`
			`item = AuthorizationCode.query.filter_by(`
draft 2020-08-14 11:18:08 +00:00			`code=code, client_id=client.client_id`
			`).first()`
wip 2020-08-14 13:26:14 +00:00			`if item and not item.is_expired():`
			`return item`
draft 2020-08-14 11:18:08 +00:00
			`def delete_authorization_code(self, authorization_code):`
			`raise NotImplementedError()`

			`def authenticate_user(self, authorization_code):`
			`return User.query.get(authorization_code.user_id)`


wip 2020-08-14 13:26:14 +00:00			`class OpenIDCode(_OpenIDCode):`
			`def exists_nonce(self, nonce, request):`
			`return exists_nonce(nonce, request)`

			`def get_jwt_config(self, grant):`
			`return DUMMY_JWT_CONFIG`

			`def generate_user_info(self, user, scope):`
			`return generate_user_info(user, scope)`


			`class PasswordGrant(_ResourceOwnerPasswordCredentialsGrant):`
draft 2020-08-14 11:18:08 +00:00			`def authenticate_user(self, username, password):`
			`user = User.get(username)`
			`if user is not None and user.check_password(password):`
			`return user`


wip 2020-08-14 13:26:14 +00:00			`class RefreshTokenGrant(_RefreshTokenGrant):`
draft 2020-08-14 11:18:08 +00:00			`def authenticate_refresh_token(self, refresh_token):`
			`raise NotImplementedError()`
			`token = Token.query.filter_by(refresh_token=refresh_token).first()`
			`if token and token.is_refresh_token_active():`
			`return token`

			`def authenticate_user(self, credential):`
			`raise NotImplementedError()`
			`return User.query.get(credential.user_id)`

			`def revoke_old_credential(self, credential):`
			`raise NotImplementedError()`
			`credential.revoked = True`
wip 2020-08-14 13:26:14 +00:00
Fixed password flow 2020-08-16 17:39:14 +00:00
wip 2020-08-14 13:26:14 +00:00			`class ImplicitGrant(_OpenIDImplicitGrant):`
			`def exists_nonce(self, nonce, request):`
			`return exists_nonce(nonce, request)`

			`def get_jwt_config(self, grant):`
			`return DUMMY_JWT_CONFIG`

			`def generate_user_info(self, user, scope):`
			`return generate_user_info(user, scope)`


			`class HybridGrant(_OpenIDHybridGrant):`
			`def create_authorization_code(self, client, grant_user, request):`
			`return create_authorization_code(client, grant_user, request)`

			`def exists_nonce(self, nonce, request):`
			`return exists_nonce(nonce, request)`

			`def get_jwt_config(self):`
			`return DUMMY_JWT_CONFIG`

			`def generate_user_info(self, user, scope):`
			`return generate_user_info(user, scope)`
draft 2020-08-14 11:18:08 +00:00

			`def query_client(client_id):`
			`return Client.get(client_id)`


			`def save_token(token, request):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`now = datetime.datetime.now()`
			`token = Token(`
			`oauthTokenType=token["token_type"],`
			`oauthAccessToken=token["access_token"],`
			`oauthRefreshToken=token["refresh_token"],`
			`oauthIssueDate=now.strftime("%Y%m%d%H%M%SZ"),`
			`oauthTokenLifetime=str(token["expires_in"]),`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00			`oauthScope=token["scope"],`
Fixed password flow 2020-08-16 17:39:14 +00:00			`oauthClientID=request.client.oauthClientID[0],`
			`)`
			`token.save()`
draft 2020-08-14 11:18:08 +00:00

wip 2020-08-14 13:26:14 +00:00			`class BearerTokenValidator(_BearerTokenValidator):`
draft 2020-08-14 11:18:08 +00:00			`def authenticate_token(self, token_string):`
			`return Token.get(token_string)`

			`def request_invalid(self, request):`
			`return False`

			`def token_revoked(self, token):`
			`return False`

wip 2020-08-14 13:26:14 +00:00
			`authorization = AuthorizationServer()`
draft 2020-08-14 11:18:08 +00:00			`require_oauth = ResourceProtector()`


			`def config_oauth(app):`
wip 2020-08-14 13:26:14 +00:00			`authorization.init_app(app, query_client=query_client, save_token=save_token)`
draft 2020-08-14 11:18:08 +00:00
wip 2020-08-14 13:26:14 +00:00			`authorization.register_grant(`
			`AuthorizationCodeGrant, [OpenIDCode(require_nonce=True)]`
			`)`
			`authorization.register_grant(ImplicitGrant)`
			`authorization.register_grant(HybridGrant)`
draft 2020-08-14 11:18:08 +00:00			`authorization.register_grant(PasswordGrant)`

			`require_oauth.register_token_validator(BearerTokenValidator())`