canaille-globuzma/canaille/oidc/models.py

import datetime
from typing import List
from typing import Optional

from authlib.oauth2.rfc6749 import AuthorizationCodeMixin
from authlib.oauth2.rfc6749 import ClientMixin
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6749 import util
from canaille.app import models
from canaille.core.models import User


class Client(ClientMixin):
    """
    OpenID Connect client definition.
    """

    id: str
    description: Optional[str]
    preconsent: Optional[bool]
    post_logout_redirect_uris: List[str]
    audience: List["Client"]
    client_id: Optional[str]
    client_secret: Optional[str]
    client_id_issued_at: Optional[datetime.datetime]
    client_secret_expires_at: Optional[datetime.datetime]
    client_name: Optional[str]
    contacts: List[str]
    client_uri: Optional[str]
    redirect_uris: List[str]
    logo_uri: Optional[str]
    grant_types: List[str]
    response_types: List[str]
    scope: Optional[str]
    tos_uri: Optional[str]
    policy_uri: Optional[str]
    jwks_uri: Optional[str]
    jwk: Optional[str]
    token_endpoint_auth_method: Optional[str]
    software_id: Optional[str]
    software_version: Optional[str]

    client_info_attributes = [
        "client_id",
        "client_secret",
        "client_id_issued_at",
        "client_secret_expires_at",
    ]

    client_metadata_attributes = [
        "client_name",
        "contacts",
        "client_uri",
        "redirect_uris",
        "logo_uri",
        "grant_types",
        "response_types",
        "scope",
        "tos_uri",
        "policy_uri",
        "jwks_uri",
        "jwk",
        "token_endpoint_auth_method",
        "software_id",
        "software_version",
    ]

    def get_client_id(self):
        return self.client_id

    def get_default_redirect_uri(self):
        return self.redirect_uris[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(
            [scope_piece for scope_piece in self.scope if scope_piece in scope]
        )

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.redirect_uris

    def check_client_secret(self, client_secret):
        return client_secret == self.client_secret

    def check_endpoint_auth_method(self, method, endpoint):
        if endpoint == "token":
            return method == self.token_endpoint_auth_method
        return True

    def check_response_type(self, response_type):
        return all(r in self.response_types for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.grant_types

    @property
    def client_info(self):
        result = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_info_attributes
        }
        result["client_id_issued_at"] = int(
            datetime.datetime.timestamp(result["client_id_issued_at"])
        )
        return result

    @property
    def client_metadata(self):
        metadata = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_metadata_attributes
        }
        metadata["scope"] = " ".join(metadata["scope"])
        return metadata

    def delete(self):
        for consent in models.Consent.query(client=self):
            consent.delete()

        for code in models.AuthorizationCode.query(client=self):
            code.delete()

        for token in models.Token.query(client=self):
            token.delete()

        super().delete()


class AuthorizationCode(AuthorizationCodeMixin):
    """
    OpenID Connect temporary authorization code definition.
    """

    id: str
    authorization_code_id: str
    code: str
    client: "Client"
    subject: User
    redirect_uri: Optional[str]
    response_type: Optional[str]
    scope: Optional[str]
    nonce: Optional[str]
    issue_date: datetime.datetime
    lifetime: int
    challenge: Optional[str]
    challenge_method: Optional[str]
    revokation_date: datetime.datetime

    def get_redirect_uri(self):
        return self.redirect_uri

    def get_scope(self):
        return self.scope[0].split(" ")

    def get_nonce(self):
        return self.nonce

    def is_expired(self):
        return self.issue_date + datetime.timedelta(
            seconds=int(self.lifetime)
        ) < datetime.datetime.now(datetime.timezone.utc)

    def get_auth_time(self):
        return int(
            (
                self.issue_date
                - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
            ).total_seconds()
        )


class Token(TokenMixin):
    """
    OpenID Connect token definition.
    """

    id: str
    token_id: str
    access_token: str
    client: "Client"
    subject: User
    type: str
    refresh_token: str
    scope: str
    issue_date: datetime.datetime
    lifetime: int
    revokation_date: datetime.datetime
    audience: List["Client"]

    @property
    def expire_date(self):
        return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def get_scope(self):
        return " ".join(self.scope)

    def get_issued_at(self):
        return int(
            (
                self.issue_date
                - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
            ).total_seconds()
        )

    def get_expires_at(self):
        issue_timestamp = (
            self.issue_date
            - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
        ).total_seconds()
        return int(issue_timestamp) + int(self.lifetime)

    def is_refresh_token_active(self):
        if self.revokation_date:
            return False

        return self.expire_date >= datetime.datetime.now(datetime.timezone.utc)

    def is_expired(self):
        return self.issue_date + datetime.timedelta(
            seconds=int(self.lifetime)
        ) < datetime.datetime.now(datetime.timezone.utc)

    def is_revoked(self):
        return bool(self.revokation_date)

    def check_client(self, client):
        return client.client_id == self.client.client_id


class Consent:
    """
    Long-term user consent to an application.
    """

    id: str
    consent_id: str
    subject: User
    client: "Client"
    scope: str
    issue_date: datetime.datetime
    revokation_date: datetime.datetime

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def revoke(self):
        self.revokation_date = datetime.datetime.now(datetime.timezone.utc)
        self.save()

        tokens = models.Token.query(
            client=self.client,
            subject=self.subject,
        )
        tokens = [token for token in tokens if not token.revoked]
        for t in tokens:
            t.revokation_date = self.revokation_date
            t.save()

    def restore(self):
        self.revokation_date = None
        self.save()
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`import datetime`
doc: models types draft 2023-08-23 13:18:43 +00:00			`from typing import List`
			`from typing import Optional`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`from authlib.oauth2.rfc6749 import AuthorizationCodeMixin`
			`from authlib.oauth2.rfc6749 import ClientMixin`
			`from authlib.oauth2.rfc6749 import TokenMixin`
			`from authlib.oauth2.rfc6749 import util`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
doc: models types draft 2023-08-23 13:18:43 +00:00			`from canaille.core.models import User`
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00

			`class Client(ClientMixin):`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			`OpenID Connect client definition.`
			`"""`

doc: models types draft 2023-08-23 13:18:43 +00:00			`id: str`
			`description: Optional[str]`
			`preconsent: Optional[bool]`
			`post_logout_redirect_uris: List[str]`
			`audience: List["Client"]`
			`client_id: Optional[str]`
			`client_secret: Optional[str]`
			`client_id_issued_at: Optional[datetime.datetime]`
			`client_secret_expires_at: Optional[datetime.datetime]`
			`client_name: Optional[str]`
			`contacts: List[str]`
			`client_uri: Optional[str]`
			`redirect_uris: List[str]`
			`logo_uri: Optional[str]`
			`grant_types: List[str]`
			`response_types: List[str]`
			`scope: Optional[str]`
			`tos_uri: Optional[str]`
			`policy_uri: Optional[str]`
			`jwks_uri: Optional[str]`
			`jwk: Optional[str]`
			`token_endpoint_auth_method: Optional[str]`
			`software_id: Optional[str]`
			`software_version: Optional[str]`

Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`client_info_attributes = [`
			`"client_id",`
			`"client_secret",`
			`"client_id_issued_at",`
			`"client_secret_expires_at",`
			`]`

			`client_metadata_attributes = [`
			`"client_name",`
			`"contacts",`
			`"client_uri",`
			`"redirect_uris",`
			`"logo_uri",`
			`"grant_types",`
			`"response_types",`
			`"scope",`
			`"tos_uri",`
			`"policy_uri",`
			`"jwks_uri",`
			`"jwk",`
			`"token_endpoint_auth_method",`
			`"software_id",`
			`"software_version",`
			`]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`def get_client_id(self):`
			`return self.client_id`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def get_default_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uris[0]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_allowed_scope(self, scope):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return util.list_to_scope(`
			`[scope_piece for scope_piece in self.scope if scope_piece in scope]`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_redirect_uri(self, redirect_uri):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return redirect_uri in self.redirect_uris`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_client_secret(self, client_secret):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return client_secret == self.client_secret`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def check_endpoint_auth_method(self, method, endpoint):`
			`if endpoint == "token":`
			`return method == self.token_endpoint_auth_method`
			`return True`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_response_type(self, response_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return all(r in self.response_types for r in response_type.split(" "))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_grant_type(self, grant_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return grant_type in self.grant_types`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def client_info(self):`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`result = {`
			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_info_attributes`
			`}`
			`result["client_id_issued_at"] = int(`
			`datetime.datetime.timestamp(result["client_id_issued_at"])`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`return result`

			`@property`
			`def client_metadata(self):`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`metadata = {`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_metadata_attributes`
			`}`
Fix coverage 2023-01-28 17:35:39 +00:00			`metadata["scope"] = " ".join(metadata["scope"])`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`return metadata`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`def delete(self):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`for consent in models.Consent.query(client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`consent.delete()`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`for code in models.AuthorizationCode.query(client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`code.delete()`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`for token in models.Token.query(client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`token.delete()`

			`super().delete()`

split oidc code from the rest 2022-01-11 18:49:06 +00:00
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`class AuthorizationCode(AuthorizationCodeMixin):`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			`OpenID Connect temporary authorization code definition.`
			`"""`

doc: models types draft 2023-08-23 13:18:43 +00:00			`id: str`
			`authorization_code_id: str`
			`code: str`
			`client: "Client"`
			`subject: User`
			`redirect_uri: Optional[str]`
			`response_type: Optional[str]`
			`scope: Optional[str]`
			`nonce: Optional[str]`
			`issue_date: datetime.datetime`
			`lifetime: int`
			`challenge: Optional[str]`
			`challenge_method: Optional[str]`
			`revokation_date: datetime.datetime`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def get_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uri`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return self.scope[0].split(" ")`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_nonce(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.nonce`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.issue_date + datetime.timedelta(`
			`seconds=int(self.lifetime)`
			`) < datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_auth_time(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return int(`
			`(`
			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
			`).total_seconds()`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`class Token(TokenMixin):`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			`OpenID Connect token definition.`
			`"""`

doc: models types draft 2023-08-23 13:18:43 +00:00			`id: str`
			`token_id: str`
			`access_token: str`
			`client: "Client"`
			`subject: User`
			`type: str`
			`refresh_token: str`
			`scope: str`
			`issue_date: datetime.datetime`
			`lifetime: int`
			`revokation_date: datetime.datetime`
			`audience: List["Client"]`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`@property`
			`def expire_date(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def revoked(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return bool(self.revokation_date)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return " ".join(self.scope)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_issued_at(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return int(`
			`(`
			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
			`).total_seconds()`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_at(self):`
			`issue_timestamp = (`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`).total_seconds()`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(issue_timestamp) + int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_refresh_token_active(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if self.revokation_date:`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`return False`

Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.expire_date >= datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.issue_date + datetime.timedelta(`
			`seconds=int(self.lifetime)`
			`) < datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def is_revoked(self):`
			`return bool(self.revokation_date)`

			`def check_client(self, client):`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`return client.client_id == self.client.client_id`
Bumped to authlib 1 2022-04-10 14:00:51 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`class Consent:`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			`Long-term user consent to an application.`
			`"""`

doc: models types draft 2023-08-23 13:18:43 +00:00			`id: str`
			`consent_id: str`
			`subject: User`
			`client: "Client"`
			`scope: str`
			`issue_date: datetime.datetime`
			`revokation_date: datetime.datetime`

Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`@property`
			`def revoked(self):`
			`return bool(self.revokation_date)`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def revoke(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`self.revokation_date = datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`self.save()`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`tokens = models.Token.query(`
Fixes calls to the Consent.oauthClient and Consent.oauthSubject attributes 2023-05-17 10:07:52 +00:00			`client=self.client,`
			`subject=self.subject,`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`tokens = [token for token in tokens if not token.revoked]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`for t in tokens:`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`t.revokation_date = self.revokation_date`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`t.save()`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00
			`def restore(self):`
			`self.revokation_date = None`
			`self.save()`