canaille-globuzma/web/models.py

import ldap
import datetime
from authlib.common.encoding import json_loads, json_dumps
from authlib.oauth2.rfc6749 import (
    ClientMixin,
    TokenMixin,
    AuthorizationCodeMixin,
    util,
)
from flask import current_app, session
from .ldaputils import LDAPObjectHelper


class User(LDAPObjectHelper):
    objectClass = ["person", "simpleSecurityObject", "uidObject"]
    base = "ou=users"
    id = "cn"
    admin = False

    @classmethod
    def get(cls, dn=None, filter=None, conn=None):
        conn = conn or cls.ldap()

        user = super().get(dn, filter, conn)
        admin_filter = current_app.config["LDAP"].get("ADMIN_FILTER")
        if (
            admin_filter
            and user
            and conn.search_s(user.dn, ldap.SCOPE_SUBTREE, admin_filter)
        ):

            user.admin = True
        return user

    @classmethod
    def authenticate(cls, login, password, signin=False):
        filter = current_app.config["LDAP"].get("USER_FILTER").format(login=login)
        user = User.get(filter=filter)
        if not user or not user.check_password(password):
            return None

        if signin:
            user.login()

        return user

    def login(self):
        session["user_dn"] = self.dn

    def logout(self):
        try:
            del session["user_dn"]
        except KeyError:
            pass

    def check_password(self, password):
        conn = ldap.initialize(current_app.config["LDAP"]["URI"])
        try:
            conn.simple_bind_s(self.dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    @property
    def name(self):
        return self.cn[0]


class Client(LDAPObjectHelper, ClientMixin):
    objectClass = ["oauthClient"]
    base = "ou=clients"
    id = "oauthClientID"

    @property
    def issue_date(self):
        return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")

    def get_client_id(self):
        return self.oauthClientID

    def get_default_redirect_uri(self):
        return self.oauthRedirectURIs[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(self.oauthScope)

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.oauthRedirectURIs

    def has_client_secret(self):
        return bool(self.oauthClientSecret)

    def check_client_secret(self, client_secret):
        return client_secret == self.oauthClientSecret

    def check_token_endpoint_auth_method(self, method):
        return method == self.oauthTokenEndpointAuthMethod

    def check_response_type(self, response_type):
        return all(r in self.oauthResponseType for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.oauthGrantType

    @property
    def client_info(self):
        return dict(
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_id_issued_at=self.client_id_issued_at,
            client_secret_expires_at=self.client_secret_expires_at,
        )

    @property
    def client_metadata(self):
        if "client_metadata" in self.__dict__:
            return self.__dict__["client_metadata"]
        if self._client_metadata:
            data = json_loads(self._client_metadata)
            self.__dict__["client_metadata"] = data
            return data
        return {}

    def set_client_metadata(self, value):
        self._client_metadata = json_dumps(value)

    @property
    def redirect_uris(self):
        return self.client_metadata.get("redirect_uris", [])

    @property
    def token_endpoint_auth_method(self):
        return self.client_metadata.get(
            "token_endpoint_auth_method", "client_secret_basic"
        )


class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):
    objectClass = ["oauthAuthorizationCode"]
    base = "ou=authorizations"
    id = "oauthCode"

    def get_redirect_uri(self):
        return self.oauthRedirectURI

    def get_scope(self):
        return self.oauthScope

    def get_nonce(self):
        return self.oauthNonce

    def is_expired(self):
        return (
            datetime.datetime.strptime(self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ")
            + datetime.timedelta(seconds=int(self.oauthAuthorizationLifetime))
            < datetime.datetime.now()
        )

    def get_auth_time(self):
        auth_time = datetime.datetime.strptime(
            self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ"
        )
        return (auth_time - datetime.datetime(1970, 1, 1)).total_seconds()

    @property
    def code_challenge(self):
        return self.oauthCodeChallenge


class Token(LDAPObjectHelper, TokenMixin):
    objectClass = ["oauthToken"]
    base = "ou=tokens"
    id = "oauthAccessToken"

    @property
    def revoked(self):
        return self.oauthRevoked in ("yes", "YES", 1, "on", "ON", "TRUE", "true")

    @revoked.setter
    def revoked(self, value):
        if value:
            self.oauthRevoked = "TRUE"
        else:
            self.oauthRevoked = "FALSE"

    def get_client_id(self):
        return self.oauthClientID

    def get_scope(self):
        return " ".join(self.oauthScope)

    def get_expires_in(self):
        return int(self.oauthTokenLifetime)

    def get_issued_at(self):
        issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
        return (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()

    def get_expires_at(self):
        issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
        issue_timestamp = (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()
        return issue_timestamp + int(self.oauthTokenLifetime)

    def is_refresh_token_active(self):
        if self.revoked:
            return False

        return (
            datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
            + datetime.timedelta(seconds=int(self.oauthTokenLifetime))
            >= datetime.datetime.now()
        )
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`import ldap`
draft 2020-08-14 11:18:08 +00:00			`import datetime`
			`from authlib.common.encoding import json_loads, json_dumps`
			`from authlib.oauth2.rfc6749 import (`
			`ClientMixin,`
			`TokenMixin,`
			`AuthorizationCodeMixin,`
Implicit flow test 2020-08-20 12:30:42 +00:00			`util,`
draft 2020-08-14 11:18:08 +00:00			`)`
Admin login 2020-08-19 14:20:57 +00:00			`from flask import current_app, session`
Client forms 2020-08-17 13:49:48 +00:00			`from .ldaputils import LDAPObjectHelper`
draft 2020-08-14 11:18:08 +00:00

			`class User(LDAPObjectHelper):`
Better user objectClasses 2020-08-19 14:56:04 +00:00			`objectClass = ["person", "simpleSecurityObject", "uidObject"]`
tests workflow 2020-08-18 15:39:34 +00:00			`base = "ou=users"`
draft 2020-08-14 11:18:08 +00:00			`id = "cn"`
Admin login 2020-08-19 14:20:57 +00:00			`admin = False`

			`@classmethod`
Alternate login filters 2020-08-20 08:45:33 +00:00			`def get(cls, dn=None, filter=None, conn=None):`
Admin login 2020-08-19 14:20:57 +00:00			`conn = conn or cls.ldap()`

			`user = super().get(dn, filter, conn)`
			`admin_filter = current_app.config["LDAP"].get("ADMIN_FILTER")`
			`if (`
			`admin_filter`
			`and user`
			`and conn.search_s(user.dn, ldap.SCOPE_SUBTREE, admin_filter)`
			`):`

			`user.admin = True`
			`return user`

Alternate login filters 2020-08-20 08:45:33 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def authenticate(cls, login, password, signin=False):`
Alternate login filters 2020-08-20 08:45:33 +00:00			`filter = current_app.config["LDAP"].get("USER_FILTER").format(login=login)`
			`user = User.get(filter=filter)`
			`if not user or not user.check_password(password):`
			`return None`
Admin login 2020-08-19 14:20:57 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if signin:`
			`user.login()`

Alternate login filters 2020-08-20 08:45:33 +00:00			`return user`
draft 2020-08-14 11:18:08 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
			`session["user_dn"] = self.dn`

			`def logout(self):`
			`try:`
			`del session["user_dn"]`
			`except KeyError:`
			`pass`

draft 2020-08-14 11:18:08 +00:00			`def check_password(self, password):`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`conn = ldap.initialize(current_app.config["LDAP"]["URI"])`
			`try:`
			`conn.simple_bind_s(self.dn, password)`
			`return True`
			`except ldap.INVALID_CREDENTIALS:`
			`return False`
			`finally:`
			`conn.unbind_s()`
draft 2020-08-14 11:18:08 +00:00
Some authorization_code work 2020-08-17 15:49:49 +00:00			`@property`
			`def name(self):`
			`return self.cn[0]`

draft 2020-08-14 11:18:08 +00:00
			`class Client(LDAPObjectHelper, ClientMixin):`
wip 2020-08-14 13:26:14 +00:00			`objectClass = ["oauthClient"]`
tests workflow 2020-08-18 15:39:34 +00:00			`base = "ou=clients"`
draft 2020-08-14 11:18:08 +00:00			`id = "oauthClientID"`

Client forms 2020-08-17 13:49:48 +00:00			`@property`
			`def issue_date(self):`
			`return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`

draft 2020-08-14 11:18:08 +00:00			`def get_client_id(self):`
wip 2020-08-16 18:16:57 +00:00			`return self.oauthClientID`
draft 2020-08-14 11:18:08 +00:00
			`def get_default_redirect_uri(self):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return self.oauthRedirectURIs[0]`
draft 2020-08-14 11:18:08 +00:00
			`def get_allowed_scope(self, scope):`
Implicit flow test 2020-08-20 12:30:42 +00:00			`return util.list_to_scope(self.oauthScope)`
draft 2020-08-14 11:18:08 +00:00
			`def check_redirect_uri(self, redirect_uri):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return redirect_uri in self.oauthRedirectURIs`
draft 2020-08-14 11:18:08 +00:00
			`def has_client_secret(self):`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00			`return bool(self.oauthClientSecret)`
draft 2020-08-14 11:18:08 +00:00
			`def check_client_secret(self, client_secret):`
wip 2020-08-16 18:16:57 +00:00			`return client_secret == self.oauthClientSecret`
draft 2020-08-14 11:18:08 +00:00
			`def check_token_endpoint_auth_method(self, method):`
wip 2020-08-16 18:16:57 +00:00			`return method == self.oauthTokenEndpointAuthMethod`
draft 2020-08-14 11:18:08 +00:00
			`def check_response_type(self, response_type):`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`return all(r in self.oauthResponseType for r in response_type.split(" "))`
draft 2020-08-14 11:18:08 +00:00
			`def check_grant_type(self, grant_type):`
			`return grant_type in self.oauthGrantType`

wip 2020-08-14 13:26:14 +00:00			`@property`
			`def client_info(self):`
			`return dict(`
			`client_id=self.client_id,`
			`client_secret=self.client_secret,`
			`client_id_issued_at=self.client_id_issued_at,`
			`client_secret_expires_at=self.client_secret_expires_at,`
			`)`

			`@property`
			`def client_metadata(self):`
			`if "client_metadata" in self.__dict__:`
			`return self.__dict__["client_metadata"]`
			`if self._client_metadata:`
			`data = json_loads(self._client_metadata)`
			`self.__dict__["client_metadata"] = data`
			`return data`
			`return {}`

			`def set_client_metadata(self, value):`
			`self._client_metadata = json_dumps(value)`

			`@property`
			`def redirect_uris(self):`
			`return self.client_metadata.get("redirect_uris", [])`

			`@property`
			`def token_endpoint_auth_method(self):`
			`return self.client_metadata.get(`
			`"token_endpoint_auth_method", "client_secret_basic"`
			`)`

draft 2020-08-14 11:18:08 +00:00
			`class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`objectClass = ["oauthAuthorizationCode"]`
tests workflow 2020-08-18 15:39:34 +00:00			`base = "ou=authorizations"`
wip 2020-08-14 13:26:14 +00:00			`id = "oauthCode"`
draft 2020-08-14 11:18:08 +00:00
			`def get_redirect_uri(self):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return self.oauthRedirectURI`
draft 2020-08-14 11:18:08 +00:00
			`def get_scope(self):`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`return self.oauthScope`
draft 2020-08-14 11:18:08 +00:00
Some authorization_code work 2020-08-17 16:02:38 +00:00			`def get_nonce(self):`
			`return self.oauthNonce`
wip 2020-08-14 13:26:14 +00:00
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`def is_expired(self):`
			`return (`
			`datetime.datetime.strptime(self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ")`
			`+ datetime.timedelta(seconds=int(self.oauthAuthorizationLifetime))`
			`< datetime.datetime.now()`
			`)`
wip 2020-08-14 13:26:14 +00:00
Some authorization_code work 2020-08-17 16:02:38 +00:00			`def get_auth_time(self):`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`auth_time = datetime.datetime.strptime(`
			`self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ"`
			`)`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`return (auth_time - datetime.datetime(1970, 1, 1)).total_seconds()`

Token introspection 2020-08-24 12:44:32 +00:00			`@property`
			`def code_challenge(self):`
			`return self.oauthCodeChallenge`

draft 2020-08-14 11:18:08 +00:00
			`class Token(LDAPObjectHelper, TokenMixin):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`objectClass = ["oauthToken"]`
tests workflow 2020-08-18 15:39:34 +00:00			`base = "ou=tokens"`
Fixed password flow 2020-08-16 17:39:14 +00:00			`id = "oauthAccessToken"`
draft 2020-08-14 11:18:08 +00:00
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`@property`
			`def revoked(self):`
			`return self.oauthRevoked in ("yes", "YES", 1, "on", "ON", "TRUE", "true")`

			`@revoked.setter`
			`def revoked(self, value):`
			`if value:`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`self.oauthRevoked = "TRUE"`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`else:`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`self.oauthRevoked = "FALSE"`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_client_id(self):`
Implemented refresh grant 2020-08-24 08:52:21 +00:00			`return self.oauthClientID`
draft 2020-08-14 11:18:08 +00:00
			`def get_scope(self):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`return " ".join(self.oauthScope)`
draft 2020-08-14 11:18:08 +00:00
			`def get_expires_in(self):`
wip 2020-08-16 18:16:57 +00:00			`return int(self.oauthTokenLifetime)`
draft 2020-08-14 11:18:08 +00:00
Token introspection 2020-08-24 12:44:32 +00:00			`def get_issued_at(self):`
			`issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`
			`return (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()`

draft 2020-08-14 11:18:08 +00:00			`def get_expires_at(self):`
wip 2020-08-16 18:16:57 +00:00			`issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`
draft 2020-08-14 11:18:08 +00:00			`issue_timestamp = (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()`
wip 2020-08-16 18:16:57 +00:00			`return issue_timestamp + int(self.oauthTokenLifetime)`
wip 2020-08-14 13:26:14 +00:00
			`def is_refresh_token_active(self):`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`if self.revoked:`
			`return False`

Implemented refresh grant 2020-08-24 08:52:21 +00:00			`return (`
			`datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`
			`+ datetime.timedelta(seconds=int(self.oauthTokenLifetime))`
			`>= datetime.datetime.now()`
			`)`