canaille-globuzma/canaille/oidc/models.py

import datetime
import uuid

from authlib.oauth2.rfc6749 import AuthorizationCodeMixin
from authlib.oauth2.rfc6749 import ClientMixin
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6749 import util
from canaille.ldap_backend.ldapobject import LDAPObject


class Client(LDAPObject, ClientMixin):
    object_class = ["oauthClient"]
    base = "ou=clients,ou=oauth"
    id = "oauthClientID"
    attribute_table = {
        "description": "description",
        "client_id": "oauthClientID",
        "name": "oauthClientName",
        "contact": "oauthClientContact",
        "uri": "oauthClientURI",
        "redirect_uris": "oauthRedirectURIs",
        "logo_uri": "oauthLogoURI",
        "issue_date": "oauthIssueDate",
        "secret": "oauthClientSecret",
        "secret_expires_date": "oauthClientSecretExpDate",
        "grant_type": "oauthGrantType",
        "response_type": "oauthResponseType",
        "scope": "oauthScope",
        "tos_uri": "oauthTermsOfServiceURI",
        "policy_uri": "oauthPolicyURI",
        "jwk_uri": "oauthJWKURI",
        "jwk": "oauthJWK",
        "token_endpoint_auth_method": "oauthTokenEndpointAuthMethod",
        "software_id": "oauthSoftwareID",
        "software_version": "oauthSoftwareVersion",
        "audience": "oauthAudience",
        "preconsent": "oauthPreconsent",
    }

    def get_client_id(self):
        return self.id

    def get_default_redirect_uri(self):
        return self.redirect_uris[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(self.scope)

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.redirect_uris

    def has_client_secret(self):
        return bool(self.secret)

    def check_client_secret(self, client_secret):
        return client_secret == self.secret

    def check_token_endpoint_auth_method(self, method):
        return method == self.token_endpoint_auth_method

    def check_response_type(self, response_type):
        return all(r in self.response_type for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.grant_type

    @property
    def client_info(self):
        return dict(
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_id_issued_at=self.client_id_issued_at,
            client_secret_expires_at=self.client_secret_expires_date,
        )


class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):
    object_class = ["oauthAuthorizationCode"]
    base = "ou=authorizations,ou=oauth"
    id = "oauthAuthorizationCodeID"
    attribute_table = {
        "authorization_code_id": "oauthAuthorizationCodeID",
        "description": "description",
        "code": "oauthCode",
        "client": "oauthClient",
        "subject": "oauthSubject",
        "redirect_uri": "oauthRedirectURI",
        "response_type": "oauthResponseType",
        "scope": "oauthScope",
        "nonce": "oauthNonce",
        "issue_date": "oauthAuthorizationDate",
        "lifetime": "oauthAuthorizationLifetime",
        "challenge": "oauthCodeChallenge",
        "challenge_method": "oauthCodeChallengeMethod",
        "revokation_date": "oauthRevokationDate",
    }

    def get_redirect_uri(self):
        return self.redirect_uri

    def get_scope(self):
        return self.scope

    def get_nonce(self):
        return self.nonce

    def is_expired(self):
        return (
            self.issue_date + datetime.timedelta(seconds=int(self.lifetime))
            < datetime.datetime.now()
        )

    def get_auth_time(self):
        return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())


class Token(LDAPObject, TokenMixin):
    object_class = ["oauthToken"]
    base = "ou=tokens,ou=oauth"
    id = "oauthTokenID"
    attribute_table = {
        "token_id": "oauthTokenID",
        "access_token": "oauthAccessToken",
        "description": "description",
        "client": "oauthClient",
        "subject": "oauthSubject",
        "type": "oauthTokenType",
        "refresh_token": "oauthRefreshToken",
        "scope": "oauthScope",
        "issue_date": "oauthIssueDate",
        "lifetime": "oauthTokenLifetime",
        "revokation_date": "oauthRevokationDate",
        "audience": "oauthAudience",
    }

    @property
    def expire_date(self):
        return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def get_client_id(self):
        return Client.get(self.client).id

    def get_scope(self):
        return " ".join(self.scope)

    def get_expires_in(self):
        return int(self.lifetime)

    def get_issued_at(self):
        return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())

    def get_expires_at(self):
        issue_timestamp = (
            self.issue_date - datetime.datetime(1970, 1, 1)
        ).total_seconds()
        return int(issue_timestamp) + int(self.lifetime)

    def is_refresh_token_active(self):
        if self.revokation_date:
            return False

        return self.expire_date >= datetime.datetime.now()

    def is_expired(self):
        return (
            self.issue_date + datetime.timedelta(seconds=int(self.lifetime))
            < datetime.datetime.now()
        )


class Consent(LDAPObject):
    object_class = ["oauthConsent"]
    base = "ou=consents,ou=oauth"
    id = "cn"
    attribute_table = {
        "cn": "cn",
        "subject": "oauthSubject",
        "client": "oauthClient",
        "scope": "oauthScope",
        "issue_date": "oauthIssueDate",
        "revokation_date": "oauthRevokationDate",
    }

    def __init__(self, *args, **kwargs):
        if "cn" not in kwargs:
            kwargs["cn"] = str(uuid.uuid4())

        super().__init__(*args, **kwargs)

    def revoke(self):
        self.revokation_date = datetime.datetime.now()
        self.save()

        tokens = Token.filter(
            oauthClient=self.client,
            oauthSubject=self.subject,
        )
        for t in tokens:
            if t.revoked or any(scope not in t.scope[0] for scope in self.scope):
                continue

            t.revokation_date = self.revokation_date
            t.save()
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`import datetime`
			`import uuid`

			`from authlib.oauth2.rfc6749 import AuthorizationCodeMixin`
			`from authlib.oauth2.rfc6749 import ClientMixin`
			`from authlib.oauth2.rfc6749 import TokenMixin`
			`from authlib.oauth2.rfc6749 import util`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`from canaille.ldap_backend.ldapobject import LDAPObject`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class Client(LDAPObject, ClientMixin):`
			`object_class = ["oauthClient"]`
			`base = "ou=clients,ou=oauth"`
			`id = "oauthClientID"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
			`"description": "description",`
			`"client_id": "oauthClientID",`
			`"name": "oauthClientName",`
			`"contact": "oauthClientContact",`
			`"uri": "oauthClientURI",`
			`"redirect_uris": "oauthRedirectURIs",`
			`"logo_uri": "oauthLogoURI",`
			`"issue_date": "oauthIssueDate",`
			`"secret": "oauthClientSecret",`
			`"secret_expires_date": "oauthClientSecretExpDate",`
			`"grant_type": "oauthGrantType",`
			`"response_type": "oauthResponseType",`
			`"scope": "oauthScope",`
			`"tos_uri": "oauthTermsOfServiceURI",`
			`"policy_uri": "oauthPolicyURI",`
			`"jwk_uri": "oauthJWKURI",`
			`"jwk": "oauthJWK",`
			`"token_endpoint_auth_method": "oauthTokenEndpointAuthMethod",`
			`"software_id": "oauthSoftwareID",`
			`"software_version": "oauthSoftwareVersion",`
			`"audience": "oauthAudience",`
			`"preconsent": "oauthPreconsent",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_client_id(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.id`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_default_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uris[0]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_allowed_scope(self, scope):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return util.list_to_scope(self.scope)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_redirect_uri(self, redirect_uri):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return redirect_uri in self.redirect_uris`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def has_client_secret(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return bool(self.secret)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_client_secret(self, client_secret):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return client_secret == self.secret`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_token_endpoint_auth_method(self, method):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return method == self.token_endpoint_auth_method`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_response_type(self, response_type):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return all(r in self.response_type for r in response_type.split(" "))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_grant_type(self, grant_type):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return grant_type in self.grant_type`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def client_info(self):`
			`return dict(`
			`client_id=self.client_id,`
			`client_secret=self.client_secret,`
			`client_id_issued_at=self.client_id_issued_at,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_secret_expires_at=self.client_secret_expires_date,`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`


			`class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):`
			`object_class = ["oauthAuthorizationCode"]`
			`base = "ou=authorizations,ou=oauth"`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`id = "oauthAuthorizationCodeID"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`"authorization_code_id": "oauthAuthorizationCodeID",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"description": "description",`
			`"code": "oauthCode",`
			`"client": "oauthClient",`
			`"subject": "oauthSubject",`
			`"redirect_uri": "oauthRedirectURI",`
			`"response_type": "oauthResponseType",`
			`"scope": "oauthScope",`
			`"nonce": "oauthNonce",`
			`"issue_date": "oauthAuthorizationDate",`
			`"lifetime": "oauthAuthorizationLifetime",`
			`"challenge": "oauthCodeChallenge",`
			`"challenge_method": "oauthCodeChallengeMethod",`
			`"revokation_date": "oauthRevokationDate",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uri`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.scope`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_nonce(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.nonce`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
			`return (`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`< datetime.datetime.now()`
			`)`

			`def get_auth_time(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class Token(LDAPObject, TokenMixin):`
			`object_class = ["oauthToken"]`
			`base = "ou=tokens,ou=oauth"`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`id = "oauthTokenID"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`"token_id": "oauthTokenID",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"access_token": "oauthAccessToken",`
			`"description": "description",`
			`"client": "oauthClient",`
			`"subject": "oauthSubject",`
			`"type": "oauthTokenType",`
			`"refresh_token": "oauthRefreshToken",`
			`"scope": "oauthScope",`
			`"issue_date": "oauthIssueDate",`
			`"lifetime": "oauthTokenLifetime",`
			`"revokation_date": "oauthRevokationDate",`
			`"audience": "oauthAudience",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def expire_date(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def revoked(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return bool(self.revokation_date)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_client_id(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return Client.get(self.client).id`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return " ".join(self.scope)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_in(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_issued_at(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_at(self):`
			`issue_timestamp = (`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.issue_date - datetime.datetime(1970, 1, 1)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`).total_seconds()`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(issue_timestamp) + int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_refresh_token_active(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if self.revokation_date:`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`return False`

			`return self.expire_date >= datetime.datetime.now()`

			`def is_expired(self):`
			`return (`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`< datetime.datetime.now()`
			`)`


			`class Consent(LDAPObject):`
			`object_class = ["oauthConsent"]`
			`base = "ou=consents,ou=oauth"`
			`id = "cn"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
			`"cn": "cn",`
			`"subject": "oauthSubject",`
			`"client": "oauthClient",`
			`"scope": "oauthScope",`
			`"issue_date": "oauthIssueDate",`
			`"revokation_date": "oauthRevokationDate",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def __init__(self, args, *kwargs):`
			`if "cn" not in kwargs:`
			`kwargs["cn"] = str(uuid.uuid4())`

			`super().__init__(args, *kwargs)`

			`def revoke(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.revokation_date = datetime.datetime.now()`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`self.save()`

			`tokens = Token.filter(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`oauthClient=self.client,`
			`oauthSubject=self.subject,`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
			`for t in tokens:`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if t.revoked or any(scope not in t.scope[0] for scope in self.scope):`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`continue`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`t.revokation_date = self.revokation_date`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`t.save()`