canaille-globuzma/canaille/models.py

import datetime
import ldap
import uuid
from authlib.common.encoding import json_loads, json_dumps
from authlib.oauth2.rfc6749 import (
    ClientMixin,
    TokenMixin,
    AuthorizationCodeMixin,
    util,
)
from flask import current_app, session
from .ldaputils import LDAPObject


class User(LDAPObject):
    id = "cn"
    admin = False
    moderator = False

    @classmethod
    def get(cls, login=None, dn=None, filter=None, conn=None):
        conn = conn or cls.ldap()

        if login:
            filter = current_app.config["LDAP"].get("USER_FILTER").format(login=login)

        user = super().get(dn, filter, conn)

        admin_filter = current_app.config["LDAP"].get("ADMIN_FILTER")
        moderator_filter = current_app.config["LDAP"].get("USER_ADMIN_FILTER")
        if (
            admin_filter
            and user
            and user.dn
            and conn.search_s(user.dn, ldap.SCOPE_SUBTREE, admin_filter)
        ):

            user.admin = True
            user.moderator = True

        elif (
            moderator_filter
            and user
            and user.dn
            and conn.search_s(user.dn, ldap.SCOPE_SUBTREE, moderator_filter)
        ):

            user.moderator = True

        return user

    @classmethod
    def authenticate(cls, login, password, signin=False):
        user = User.get(login)
        if not user or not user.check_password(password):
            return None

        if signin:
            user.login()

        return user

    def login(self):
        session["user_dn"] = self.dn

    def logout(self):
        try:
            del session["user_dn"]
        except KeyError:
            pass

    def check_password(self, password):
        conn = ldap.initialize(current_app.config["LDAP"]["URI"])
        try:
            conn.simple_bind_s(self.dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    def set_password(self, password, conn=None):
        conn = conn or self.ldap()

        try:
            conn.passwd_s(
                self.dn,
                None,
                password.encode("utf-8"),
            )

        except ldap.LDAPError:
            return False

        return True

    @property
    def name(self):
        return self.cn[0]


class Client(LDAPObject, ClientMixin):
    object_class = ["oauthClient"]
    base = "ou=clients,ou=oauth"
    id = "oauthClientID"

    @property
    def issue_date(self):
        return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")

    def get_client_id(self):
        return self.oauthClientID

    def get_default_redirect_uri(self):
        return self.oauthRedirectURIs[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(self.oauthScope)

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.oauthRedirectURIs

    def has_client_secret(self):
        return bool(self.oauthClientSecret)

    def check_client_secret(self, client_secret):
        return client_secret == self.oauthClientSecret

    def check_token_endpoint_auth_method(self, method):
        return method == self.oauthTokenEndpointAuthMethod

    def check_response_type(self, response_type):
        return all(r in self.oauthResponseType for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.oauthGrantType

    @property
    def client_info(self):
        return dict(
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_id_issued_at=self.client_id_issued_at,
            client_secret_expires_at=self.client_secret_expires_at,
        )

    @property
    def client_metadata(self):
        if "client_metadata" in self.__dict__:
            return self.__dict__["client_metadata"]
        if self._client_metadata:
            data = json_loads(self._client_metadata)
            self.__dict__["client_metadata"] = data
            return data
        return {}

    def set_client_metadata(self, value):
        self._client_metadata = json_dumps(value)

    @property
    def redirect_uris(self):
        return self.client_metadata.get("redirect_uris", [])

    @property
    def token_endpoint_auth_method(self):
        return self.client_metadata.get(
            "token_endpoint_auth_method", "client_secret_basic"
        )


class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):
    object_class = ["oauthAuthorizationCode"]
    base = "ou=authorizations,ou=oauth"
    id = "oauthCode"

    @property
    def issue_date(self):
        return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")

    def get_redirect_uri(self):
        return self.oauthRedirectURI

    def get_scope(self):
        return self.oauthScope

    def get_nonce(self):
        return self.oauthNonce

    def is_expired(self):
        return (
            datetime.datetime.strptime(self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ")
            + datetime.timedelta(seconds=int(self.oauthAuthorizationLifetime))
            < datetime.datetime.now()
        )

    def get_auth_time(self):
        auth_time = datetime.datetime.strptime(
            self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ"
        )
        return int((auth_time - datetime.datetime(1970, 1, 1)).total_seconds())

    @property
    def code_challenge(self):
        return self.oauthCodeChallenge


class Token(LDAPObject, TokenMixin):
    object_class = ["oauthToken"]
    base = "ou=tokens,ou=oauth"
    id = "oauthAccessToken"

    @property
    def issue_date(self):
        return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")

    @property
    def expire_date(self):
        return datetime.datetime.strptime(
            self.oauthIssueDate, "%Y%m%d%H%M%SZ"
        ) + datetime.timedelta(seconds=int(self.oauthTokenLifetime))

    @property
    def revoked(self):
        return bool(self.oauthRevokationDate)

    def get_client_id(self):
        return Client.get(self.oauthClient).oauthClientID

    def get_scope(self):
        return " ".join(self.oauthScope)

    def get_expires_in(self):
        return int(self.oauthTokenLifetime)

    def get_issued_at(self):
        issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
        return int((issue_date - datetime.datetime(1970, 1, 1)).total_seconds())

    def get_expires_at(self):
        issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
        issue_timestamp = (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()
        return int(issue_timestamp) + int(self.oauthTokenLifetime)

    def is_refresh_token_active(self):
        if self.oauthRevokationDate:
            return False

        return self.expire_date >= datetime.datetime.now()

    def is_expired(self):
        return (
            datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
            + datetime.timedelta(seconds=int(self.oauthTokenLifetime))
            < datetime.datetime.now()
        )


class Consent(LDAPObject):
    object_class = ["oauthConsent"]
    base = "ou=consents,ou=oauth"
    id = "cn"

    def __init__(self, *args, **kwargs):
        if "cn" not in kwargs:
            kwargs["cn"] = str(uuid.uuid4())

        super().__init__(*args, **kwargs)

    @property
    def issue_date(self):
        return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")

    @property
    def revokation_date(self):
        return datetime.datetime.strptime(self.oauthRevokationDate, "%Y%m%d%H%M%SZ")

    def revoke(self):
        self.oauthRevokationDate = datetime.datetime.now().strftime("%Y%m%d%H%M%SZ")
        self.save()

        tokens = Token.filter(
            oauthClient=self.oauthClient,
            oauthSubject=self.oauthSubject,
        )
        for t in tokens:
            if t.revoked or any(
                scope not in t.oauthScope[0] for scope in self.oauthScope
            ):
                continue

            t.oauthRevokationDate = self.oauthRevokationDate
            t.save()
draft 2020-08-14 11:18:08 +00:00			`import datetime`
Remember consents 2020-09-17 08:00:39 +00:00			`import ldap`
			`import uuid`
draft 2020-08-14 11:18:08 +00:00			`from authlib.common.encoding import json_loads, json_dumps`
			`from authlib.oauth2.rfc6749 import (`
			`ClientMixin,`
			`TokenMixin,`
			`AuthorizationCodeMixin,`
Implicit flow test 2020-08-20 12:30:42 +00:00			`util,`
draft 2020-08-14 11:18:08 +00:00			`)`
Admin login 2020-08-19 14:20:57 +00:00			`from flask import current_app, session`
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`from .ldaputils import LDAPObject`
draft 2020-08-14 11:18:08 +00:00

Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class User(LDAPObject):`
draft 2020-08-14 11:18:08 +00:00			`id = "cn"`
Admin login 2020-08-19 14:20:57 +00:00			`admin = False`
Moderators group. #12 2020-11-02 11:13:03 +00:00			`moderator = False`
Admin login 2020-08-19 14:20:57 +00:00
			`@classmethod`
User model utility 2020-10-21 15:15:33 +00:00			`def get(cls, login=None, dn=None, filter=None, conn=None):`
Admin login 2020-08-19 14:20:57 +00:00			`conn = conn or cls.ldap()`

User model utility 2020-10-21 15:15:33 +00:00			`if login:`
			`filter = current_app.config["LDAP"].get("USER_FILTER").format(login=login)`

Admin login 2020-08-19 14:20:57 +00:00			`user = super().get(dn, filter, conn)`
User model utility 2020-10-21 15:15:33 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`admin_filter = current_app.config["LDAP"].get("ADMIN_FILTER")`
Moderators group. #12 2020-11-02 11:13:03 +00:00			`moderator_filter = current_app.config["LDAP"].get("USER_ADMIN_FILTER")`
Admin login 2020-08-19 14:20:57 +00:00			`if (`
			`admin_filter`
			`and user`
Client unit tests 2020-08-26 13:37:15 +00:00			`and user.dn`
Admin login 2020-08-19 14:20:57 +00:00			`and conn.search_s(user.dn, ldap.SCOPE_SUBTREE, admin_filter)`
			`):`

			`user.admin = True`
Moderators group. #12 2020-11-02 11:13:03 +00:00			`user.moderator = True`

			`elif (`
			`moderator_filter`
			`and user`
			`and user.dn`
			`and conn.search_s(user.dn, ldap.SCOPE_SUBTREE, moderator_filter)`
			`):`

			`user.moderator = True`

Admin login 2020-08-19 14:20:57 +00:00			`return user`

Alternate login filters 2020-08-20 08:45:33 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def authenticate(cls, login, password, signin=False):`
User model utility 2020-10-21 15:15:33 +00:00			`user = User.get(login)`
Alternate login filters 2020-08-20 08:45:33 +00:00			`if not user or not user.check_password(password):`
			`return None`
Admin login 2020-08-19 14:20:57 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if signin:`
			`user.login()`

Alternate login filters 2020-08-20 08:45:33 +00:00			`return user`
draft 2020-08-14 11:18:08 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
			`session["user_dn"] = self.dn`

			`def logout(self):`
			`try:`
			`del session["user_dn"]`
			`except KeyError:`
			`pass`

draft 2020-08-14 11:18:08 +00:00			`def check_password(self, password):`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`conn = ldap.initialize(current_app.config["LDAP"]["URI"])`
			`try:`
			`conn.simple_bind_s(self.dn, password)`
			`return True`
			`except ldap.INVALID_CREDENTIALS:`
			`return False`
			`finally:`
			`conn.unbind_s()`
draft 2020-08-14 11:18:08 +00:00
Password edition in user profile 2020-10-21 08:26:31 +00:00			`def set_password(self, password, conn=None):`
			`conn = conn or self.ldap()`

			`try:`
			`conn.passwd_s(`
			`self.dn,`
			`None,`
			`password.encode("utf-8"),`
			`)`

			`except ldap.LDAPError:`
			`return False`

			`return True`

Some authorization_code work 2020-08-17 15:49:49 +00:00			`@property`
			`def name(self):`
			`return self.cn[0]`

draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class Client(LDAPObject, ClientMixin):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthClient"]`
LDAP tree refactoring 2020-09-03 15:19:41 +00:00			`base = "ou=clients,ou=oauth"`
draft 2020-08-14 11:18:08 +00:00			`id = "oauthClientID"`

Client forms 2020-08-17 13:49:48 +00:00			`@property`
			`def issue_date(self):`
			`return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`

draft 2020-08-14 11:18:08 +00:00			`def get_client_id(self):`
wip 2020-08-16 18:16:57 +00:00			`return self.oauthClientID`
draft 2020-08-14 11:18:08 +00:00
			`def get_default_redirect_uri(self):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return self.oauthRedirectURIs[0]`
draft 2020-08-14 11:18:08 +00:00
			`def get_allowed_scope(self, scope):`
Implicit flow test 2020-08-20 12:30:42 +00:00			`return util.list_to_scope(self.oauthScope)`
draft 2020-08-14 11:18:08 +00:00
			`def check_redirect_uri(self, redirect_uri):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return redirect_uri in self.oauthRedirectURIs`
draft 2020-08-14 11:18:08 +00:00
			`def has_client_secret(self):`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00			`return bool(self.oauthClientSecret)`
draft 2020-08-14 11:18:08 +00:00
			`def check_client_secret(self, client_secret):`
wip 2020-08-16 18:16:57 +00:00			`return client_secret == self.oauthClientSecret`
draft 2020-08-14 11:18:08 +00:00
			`def check_token_endpoint_auth_method(self, method):`
wip 2020-08-16 18:16:57 +00:00			`return method == self.oauthTokenEndpointAuthMethod`
draft 2020-08-14 11:18:08 +00:00
			`def check_response_type(self, response_type):`
Fixed hybrid grant 2020-08-21 08:06:53 +00:00			`return all(r in self.oauthResponseType for r in response_type.split(" "))`
draft 2020-08-14 11:18:08 +00:00
			`def check_grant_type(self, grant_type):`
			`return grant_type in self.oauthGrantType`

wip 2020-08-14 13:26:14 +00:00			`@property`
			`def client_info(self):`
			`return dict(`
			`client_id=self.client_id,`
			`client_secret=self.client_secret,`
			`client_id_issued_at=self.client_id_issued_at,`
			`client_secret_expires_at=self.client_secret_expires_at,`
			`)`

			`@property`
			`def client_metadata(self):`
			`if "client_metadata" in self.__dict__:`
			`return self.__dict__["client_metadata"]`
			`if self._client_metadata:`
			`data = json_loads(self._client_metadata)`
			`self.__dict__["client_metadata"] = data`
			`return data`
			`return {}`

			`def set_client_metadata(self, value):`
			`self._client_metadata = json_dumps(value)`

			`@property`
			`def redirect_uris(self):`
			`return self.client_metadata.get("redirect_uris", [])`

			`@property`
			`def token_endpoint_auth_method(self):`
			`return self.client_metadata.get(`
			`"token_endpoint_auth_method", "client_secret_basic"`
			`)`

draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthAuthorizationCode"]`
LDAP tree refactoring 2020-09-03 15:19:41 +00:00			`base = "ou=authorizations,ou=oauth"`
wip 2020-08-14 13:26:14 +00:00			`id = "oauthCode"`
draft 2020-08-14 11:18:08 +00:00
Token list and auth code list views 2020-08-26 14:27:08 +00:00			`@property`
			`def issue_date(self):`
			`return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`

draft 2020-08-14 11:18:08 +00:00			`def get_redirect_uri(self):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return self.oauthRedirectURI`
draft 2020-08-14 11:18:08 +00:00
			`def get_scope(self):`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`return self.oauthScope`
draft 2020-08-14 11:18:08 +00:00
Some authorization_code work 2020-08-17 16:02:38 +00:00			`def get_nonce(self):`
			`return self.oauthNonce`
wip 2020-08-14 13:26:14 +00:00
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`def is_expired(self):`
			`return (`
			`datetime.datetime.strptime(self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ")`
			`+ datetime.timedelta(seconds=int(self.oauthAuthorizationLifetime))`
			`< datetime.datetime.now()`
			`)`
wip 2020-08-14 13:26:14 +00:00
Some authorization_code work 2020-08-17 16:02:38 +00:00			`def get_auth_time(self):`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`auth_time = datetime.datetime.strptime(`
			`self.oauthAuthorizationDate, "%Y%m%d%H%M%SZ"`
			`)`
Integer values for model times 2020-08-26 09:03:26 +00:00			`return int((auth_time - datetime.datetime(1970, 1, 1)).total_seconds())`
Some authorization_code work 2020-08-17 16:02:38 +00:00
Token introspection 2020-08-24 12:44:32 +00:00			`@property`
			`def code_challenge(self):`
			`return self.oauthCodeChallenge`

draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class Token(LDAPObject, TokenMixin):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthToken"]`
LDAP tree refactoring 2020-09-03 15:19:41 +00:00			`base = "ou=tokens,ou=oauth"`
Fixed password flow 2020-08-16 17:39:14 +00:00			`id = "oauthAccessToken"`
draft 2020-08-14 11:18:08 +00:00
Token list and auth code list views 2020-08-26 14:27:08 +00:00			`@property`
			`def issue_date(self):`
			`return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`

User token list view 2020-08-27 08:50:50 +00:00			`@property`
			`def expire_date(self):`
			`return datetime.datetime.strptime(`
			`self.oauthIssueDate, "%Y%m%d%H%M%SZ"`
			`) + datetime.timedelta(seconds=int(self.oauthTokenLifetime))`

Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`@property`
			`def revoked(self):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`return bool(self.oauthRevokationDate)`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_client_id(self):`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`return Client.get(self.oauthClient).oauthClientID`
draft 2020-08-14 11:18:08 +00:00
			`def get_scope(self):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`return " ".join(self.oauthScope)`
draft 2020-08-14 11:18:08 +00:00
			`def get_expires_in(self):`
wip 2020-08-16 18:16:57 +00:00			`return int(self.oauthTokenLifetime)`
draft 2020-08-14 11:18:08 +00:00
Token introspection 2020-08-24 12:44:32 +00:00			`def get_issued_at(self):`
			`issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`
Integer values for model times 2020-08-26 09:03:26 +00:00			`return int((issue_date - datetime.datetime(1970, 1, 1)).total_seconds())`
Token introspection 2020-08-24 12:44:32 +00:00
draft 2020-08-14 11:18:08 +00:00			`def get_expires_at(self):`
wip 2020-08-16 18:16:57 +00:00			`issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`
draft 2020-08-14 11:18:08 +00:00			`issue_timestamp = (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()`
Integer values for model times 2020-08-26 09:03:26 +00:00			`return int(issue_timestamp) + int(self.oauthTokenLifetime)`
wip 2020-08-14 13:26:14 +00:00
			`def is_refresh_token_active(self):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`if self.oauthRevokationDate:`
Tokens and codes can be revoked 2020-08-24 13:38:11 +00:00			`return False`

User token list view 2020-08-27 08:50:50 +00:00			`return self.expire_date >= datetime.datetime.now()`
Remember consents 2020-09-17 08:00:39 +00:00
Added a command to clean tokens and codes. Fixes #17 2020-10-23 09:31:16 +00:00			`def is_expired(self):`
			`return (`
			`datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`
			`+ datetime.timedelta(seconds=int(self.oauthTokenLifetime))`
			`< datetime.datetime.now()`
			`)`

Remember consents 2020-09-17 08:00:39 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class Consent(LDAPObject):`
Pythonic variable name 2020-09-24 13:20:36 +00:00			`object_class = ["oauthConsent"]`
Remember consents 2020-09-17 08:00:39 +00:00			`base = "ou=consents,ou=oauth"`
			`id = "cn"`

			`def __init__(self, args, *kwargs):`
			`if "cn" not in kwargs:`
			`kwargs["cn"] = str(uuid.uuid4())`

			`super().__init__(args, *kwargs)`
Consents page 2020-09-17 10:01:21 +00:00
			`@property`
			`def issue_date(self):`
			`return datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")`

			`@property`
			`def revokation_date(self):`
			`return datetime.datetime.strptime(self.oauthRevokationDate, "%Y%m%d%H%M%SZ")`

			`def revoke(self):`
			`self.oauthRevokationDate = datetime.datetime.now().strftime("%Y%m%d%H%M%SZ")`
			`self.save()`

			`tokens = Token.filter(`
			`oauthClient=self.oauthClient,`
			`oauthSubject=self.oauthSubject,`
			`)`
			`for t in tokens:`
			`if t.revoked or any(`
			`scope not in t.oauthScope[0] for scope in self.oauthScope`
			`):`
			`continue`

			`t.oauthRevokationDate = self.oauthRevokationDate`
			`t.save()`