canaille-globuzma/canaille/oidc/consents.py

import datetime
import uuid

from canaille.app import models
from canaille.app.flask import user_needed
from canaille.app.i18n import gettext as _
from canaille.app.themes import render_template
from flask import Blueprint
from flask import flash
from flask import redirect
from flask import url_for

from .utils import SCOPE_DETAILS


bp = Blueprint("consents", __name__, url_prefix="/consent")


@bp.route("/")
@user_needed()
def consents(user):
    consents = models.Consent.query(subject=user)
    clients = {t.client for t in consents}

    nb_consents = len(consents)
    nb_preconsents = sum(
        1
        for client in models.Client.query()
        if client.preconsent and client not in clients
    )

    return render_template(
        "consent_list.html",
        consents=consents,
        menuitem="consents",
        scope_details=SCOPE_DETAILS,
        ignored_scopes=["openid"],
        nb_consents=nb_consents,
        nb_preconsents=nb_preconsents,
    )


@bp.route("/pre-consents")
@user_needed()
def pre_consents(user):
    consents = models.Consent.query(subject=user)
    clients = {t.client for t in consents}
    preconsented = [
        client
        for client in models.Client.query()
        if client.preconsent and client not in clients
    ]

    nb_consents = len(consents)
    nb_preconsents = len(preconsented)

    return render_template(
        "preconsent_list.html",
        menuitem="consents",
        scope_details=SCOPE_DETAILS,
        ignored_scopes=["openid"],
        preconsented=preconsented,
        nb_consents=nb_consents,
        nb_preconsents=nb_preconsents,
    )


@bp.route("/revoke/<consent(required=False):consent>")
@user_needed()
def revoke(user, consent):
    if not consent or consent.subject != user:
        flash(_("Could not revoke this access"), "error")

    elif consent.revokation_date:
        flash(_("The access is already revoked"), "error")

    else:
        consent.revoke()
        flash(_("The access has been revoked"), "success")

    return redirect(url_for("oidc.consents.consents"))


@bp.route("/restore/<consent(required=False):consent>")
@user_needed()
def restore(user, consent):
    if not consent or consent.subject != user:
        flash(_("Could not restore this access"), "error")

    elif not consent.revokation_date:
        flash(_("The access is not revoked"), "error")

    else:
        consent.restore()
        if not consent.issue_date:
            consent.issue_date = datetime.datetime.now(datetime.timezone.utc)
        consent.save()
        flash(_("The access has been restored"), "success")

    return redirect(url_for("oidc.consents.consents"))


@bp.route("/revoke-preconsent/<client(required=False):client>")
@user_needed()
def revoke_preconsent(user, client):
    if not client or not client.preconsent:
        flash(_("Could not revoke this access"), "error")
        return redirect(url_for("oidc.consents.consents"))

    consent = models.Consent.get(client=client, subject=user)
    if consent:
        return redirect(url_for("oidc.consents.revoke", consent=consent))

    consent = models.Consent(
        consent_id=str(uuid.uuid4()),
        client=client,
        subject=user,
        scope=client.scope,
    )
    consent.revoke()
    consent.save()
    flash(_("The access has been revoked"), "success")

    return redirect(url_for("oidc.consents.consents"))
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`import datetime`
			`import uuid`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
'app' submodule 2023-04-09 13:52:55 +00:00			`from canaille.app.flask import user_needed`
feat: flask-babel and pytz are now part of the front extras 2023-09-01 08:46:56 +00:00			`from canaille.app.i18n import gettext as _`
feat: split installation in different extras packages 2023-08-16 15:14:11 +00:00			`from canaille.app.themes import render_template`
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from flask import Blueprint`
			`from flask import flash`
			`from flask import redirect`
			`from flask import url_for`
Consents page 2020-09-17 10:01:21 +00:00
fixed the consent list and authorization pages translations 2022-12-28 00:46:05 +00:00			`from .utils import SCOPE_DETAILS`

Consents page 2020-09-17 10:01:21 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`bp = Blueprint("consents", __name__, url_prefix="/consent")`
Consents page 2020-09-17 10:01:21 +00:00

			`@bp.route("/")`
			`@user_needed()`
			`def consents(user):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`consents = models.Consent.query(subject=user)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`clients = {t.client for t in consents}`
Split the consent page in two 2023-03-15 16:38:32 +00:00
			`nb_consents = len(consents)`
			`nb_preconsents = sum(`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`1`
			`for client in models.Client.query()`
			`if client.preconsent and client not in clients`
Split the consent page in two 2023-03-15 16:38:32 +00:00			`)`

			`return render_template(`
refactor: template overhaul 2023-08-14 13:28:20 +00:00			`"consent_list.html",`
Split the consent page in two 2023-03-15 16:38:32 +00:00			`consents=consents,`
			`menuitem="consents",`
			`scope_details=SCOPE_DETAILS,`
			`ignored_scopes=["openid"],`
			`nb_consents=nb_consents,`
			`nb_preconsents=nb_preconsents,`
			`)`


			`@bp.route("/pre-consents")`
			`@user_needed()`
			`def pre_consents(user):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`consents = models.Consent.query(subject=user)`
Split the consent page in two 2023-03-15 16:38:32 +00:00			`clients = {t.client for t in consents}`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`preconsented = [`
			`client`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`for client in models.Client.query()`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`if client.preconsent and client not in clients`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`]`

Split the consent page in two 2023-03-15 16:38:32 +00:00			`nb_consents = len(consents)`
			`nb_preconsents = len(preconsented)`

Menu items activity 2020-10-21 10:14:35 +00:00			`return render_template(`
refactor: template overhaul 2023-08-14 13:28:20 +00:00			`"preconsent_list.html",`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`menuitem="consents",`
fixed the consent list and authorization pages translations 2022-12-28 00:46:05 +00:00			`scope_details=SCOPE_DETAILS,`
			`ignored_scopes=["openid"],`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`preconsented=preconsented,`
Split the consent page in two 2023-03-15 16:38:32 +00:00			`nb_consents=nb_consents,`
			`nb_preconsents=nb_preconsents,`
Menu items activity 2020-10-21 10:14:35 +00:00			`)`
Consents page 2020-09-17 10:01:21 +00:00

Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`@bp.route("/revoke/<consent(required=False):consent>")`
Consents page 2020-09-17 10:01:21 +00:00			`@user_needed()`
Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`def revoke(user, consent):`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`if not consent or consent.subject != user:`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`flash(_("Could not revoke this access"), "error")`

			`elif consent.revokation_date:`
			`flash(_("The access is already revoked"), "error")`
Consents page 2020-09-17 10:01:21 +00:00
			`else:`
			`consent.revoke()`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`flash(_("The access has been revoked"), "success")`

			`return redirect(url_for("oidc.consents.consents"))`


Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`@bp.route("/restore/<consent(required=False):consent>")`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`@user_needed()`
Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`def restore(user, consent):`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`if not consent or consent.subject != user:`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`flash(_("Could not restore this access"), "error")`

			`elif not consent.revokation_date:`
			`flash(_("The access is not revoked"), "error")`

			`else:`
			`consent.restore()`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`if not consent.issue_date:`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`consent.issue_date = datetime.datetime.now(datetime.timezone.utc)`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`consent.save()`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`flash(_("The access has been restored"), "success")`
Consents page 2020-09-17 10:01:21 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`return redirect(url_for("oidc.consents.consents"))`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00

Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`@bp.route("/revoke-preconsent/<client(required=False):client>")`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`@user_needed()`
Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`def revoke_preconsent(user, client):`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00			`if not client or not client.preconsent:`
			`flash(_("Could not revoke this access"), "error")`
This is too soon for the walrus operator 2023-02-14 21:06:03 +00:00			`return redirect(url_for("oidc.consents.consents"))`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`consent = models.Consent.get(client=client, subject=user)`
This is too soon for the walrus operator 2023-02-14 21:06:03 +00:00			`if consent:`
Implements flask OIDC converters 2023-06-29 10:15:12 +00:00			`return redirect(url_for("oidc.consents.revoke", consent=consent))`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`consent = models.Consent(`
Use generic Consent.consent_id instead of LDAP Consent.cn attribute 2023-05-17 06:54:13 +00:00			`consent_id=str(uuid.uuid4()),`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`client=client,`
			`subject=user,`
This is too soon for the walrus operator 2023-02-14 21:06:03 +00:00			`scope=client.scope,`
			`)`
			`consent.revoke()`
			`consent.save()`
			`flash(_("The access has been revoked"), "success")`
Pre-consented clients are displayed in the user consent list, and their consents can be revoked. 2023-02-14 20:55:46 +00:00
			`return redirect(url_for("oidc.consents.consents"))`