canaille-globuzma/canaille/oidc/models.py

import datetime

from authlib.oauth2.rfc6749 import AuthorizationCodeMixin
from authlib.oauth2.rfc6749 import ClientMixin
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6749 import util
from canaille.ldap_backend.ldapobject import LDAPObject


class Client(LDAPObject, ClientMixin):
    object_class = ["oauthClient"]
    base = "ou=clients,ou=oauth"
    rdn = "oauthClientID"

    client_info_attributes = {
        "client_id": "oauthClientID",
        "client_secret": "oauthClientSecret",
        "client_id_issued_at": "oauthIssueDate",
        "client_secret_expires_at": "oauthClientSecretExpDate",
    }

    client_metadata_attributes = {
        "client_name": "oauthClientName",
        "contacts": "oauthClientContact",
        "client_uri": "oauthClientURI",
        "redirect_uris": "oauthRedirectURIs",
        "logo_uri": "oauthLogoURI",
        "grant_types": "oauthGrantType",
        "response_types": "oauthResponseType",
        "scope": "oauthScope",
        "tos_uri": "oauthTermsOfServiceURI",
        "policy_uri": "oauthPolicyURI",
        "jwks_uri": "oauthJWKURI",
        "jwk": "oauthJWK",
        "token_endpoint_auth_method": "oauthTokenEndpointAuthMethod",
        "software_id": "oauthSoftwareID",
        "software_version": "oauthSoftwareVersion",
    }

    attribute_table = {
        "description": "description",
        "preconsent": "oauthPreconsent",
        # post_logout_redirect_uris is not yet supported by authlib
        "post_logout_redirect_uris": "oauthPostLogoutRedirectURI",
        "audience": "oauthAudience",
        **client_info_attributes,
        **client_metadata_attributes,
    }

    def get_client_id(self):
        return self.client_id

    def get_default_redirect_uri(self):
        return self.redirect_uris[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(
            [scope_piece for scope_piece in self.scope if scope_piece in scope]
        )

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.redirect_uris

    def check_client_secret(self, client_secret):
        return client_secret == self.client_secret

    def check_endpoint_auth_method(self, method, endpoint):
        if endpoint == "token":
            return method == self.token_endpoint_auth_method
        return True

    def check_response_type(self, response_type):
        return all(r in self.response_types for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.grant_types

    @property
    def client_info(self):
        result = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_info_attributes
        }
        result["client_id_issued_at"] = int(
            datetime.datetime.timestamp(result["client_id_issued_at"])
        )
        return result

    @property
    def client_metadata(self):
        metadata = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_metadata_attributes
        }
        metadata["scope"] = " ".join(metadata["scope"])
        return metadata


class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):
    object_class = ["oauthAuthorizationCode"]
    base = "ou=authorizations,ou=oauth"
    rdn = "oauthAuthorizationCodeID"
    attribute_table = {
        "authorization_code_id": "oauthAuthorizationCodeID",
        "description": "description",
        "code": "oauthCode",
        "client": "oauthClient",
        "subject": "oauthSubject",
        "redirect_uri": "oauthRedirectURI",
        "response_type": "oauthResponseType",
        "scope": "oauthScope",
        "nonce": "oauthNonce",
        "issue_date": "oauthAuthorizationDate",
        "lifetime": "oauthAuthorizationLifetime",
        "challenge": "oauthCodeChallenge",
        "challenge_method": "oauthCodeChallengeMethod",
        "revokation_date": "oauthRevokationDate",
    }

    def get_redirect_uri(self):
        return self.redirect_uri

    def get_scope(self):
        return self.scope[0].split(" ")

    def get_nonce(self):
        return self.nonce

    def is_expired(self):
        return (
            self.issue_date + datetime.timedelta(seconds=int(self.lifetime))
            < datetime.datetime.now()
        )

    def get_auth_time(self):
        return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())


class Token(LDAPObject, TokenMixin):
    object_class = ["oauthToken"]
    base = "ou=tokens,ou=oauth"
    rdn = "oauthTokenID"
    attribute_table = {
        "token_id": "oauthTokenID",
        "access_token": "oauthAccessToken",
        "description": "description",
        "client": "oauthClient",
        "subject": "oauthSubject",
        "type": "oauthTokenType",
        "refresh_token": "oauthRefreshToken",
        "scope": "oauthScope",
        "issue_date": "oauthIssueDate",
        "lifetime": "oauthTokenLifetime",
        "revokation_date": "oauthRevokationDate",
        "audience": "oauthAudience",
    }

    @property
    def expire_date(self):
        return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def get_scope(self):
        return " ".join(self.scope)

    def get_expires_in(self):
        return int(self.lifetime)

    def get_issued_at(self):
        return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())

    def get_expires_at(self):
        issue_timestamp = (
            self.issue_date - datetime.datetime(1970, 1, 1)
        ).total_seconds()
        return int(issue_timestamp) + int(self.lifetime)

    def is_refresh_token_active(self):
        if self.revokation_date:
            return False

        return self.expire_date >= datetime.datetime.now()

    def is_expired(self):
        return (
            self.issue_date + datetime.timedelta(seconds=int(self.lifetime))
            < datetime.datetime.now()
        )

    def is_revoked(self):
        return bool(self.revokation_date)

    def check_client(self, client):
        return client.client_id == Client.get(self.client).client_id


class Consent(LDAPObject):
    object_class = ["oauthConsent"]
    base = "ou=consents,ou=oauth"
    rdn = "cn"
    attribute_table = {
        "cn": "cn",
        "subject": "oauthSubject",
        "client": "oauthClient",
        "scope": "oauthScope",
        "issue_date": "oauthIssueDate",
        "revokation_date": "oauthRevokationDate",
    }

    def revoke(self):
        self.revokation_date = datetime.datetime.now()
        self.save()

        tokens = Token.filter(
            oauthClient=self.client,
            oauthSubject=self.subject,
        )
        for t in tokens:
            different_scope = any(scope not in t.scope[0] for scope in self.scope)
            if t.revoked or different_scope:
                continue

            t.revokation_date = self.revokation_date
            t.save()
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`import datetime`

			`from authlib.oauth2.rfc6749 import AuthorizationCodeMixin`
			`from authlib.oauth2.rfc6749 import ClientMixin`
			`from authlib.oauth2.rfc6749 import TokenMixin`
			`from authlib.oauth2.rfc6749 import util`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`from canaille.ldap_backend.ldapobject import LDAPObject`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class Client(LDAPObject, ClientMixin):`
			`object_class = ["oauthClient"]`
			`base = "ou=clients,ou=oauth"`
Renamed LDAPObject 'id' attribute in 'rdn' 2023-01-24 17:32:44 +00:00			`rdn = "oauthClientID"`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
			`client_info_attributes = {`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"client_id": "oauthClientID",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"client_secret": "oauthClientSecret",`
			`"client_id_issued_at": "oauthIssueDate",`
			`"client_secret_expires_at": "oauthClientSecretExpDate",`
			`}`

			`client_metadata_attributes = {`
Variable renaming 2022-10-17 15:49:52 +00:00			`"client_name": "oauthClientName",`
			`"contacts": "oauthClientContact",`
			`"client_uri": "oauthClientURI",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"redirect_uris": "oauthRedirectURIs",`
			`"logo_uri": "oauthLogoURI",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"grant_types": "oauthGrantType",`
			`"response_types": "oauthResponseType",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"scope": "oauthScope",`
			`"tos_uri": "oauthTermsOfServiceURI",`
			`"policy_uri": "oauthPolicyURI",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"jwks_uri": "oauthJWKURI",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"jwk": "oauthJWK",`
			`"token_endpoint_auth_method": "oauthTokenEndpointAuthMethod",`
			`"software_id": "oauthSoftwareID",`
			`"software_version": "oauthSoftwareVersion",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`}`

			`attribute_table = {`
			`"description": "description",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"preconsent": "oauthPreconsent",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`# post_logout_redirect_uris is not yet supported by authlib`
			`"post_logout_redirect_uris": "oauthPostLogoutRedirectURI",`
			`"audience": "oauthAudience",`
			`**client_info_attributes,`
			`**client_metadata_attributes,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`def get_client_id(self):`
			`return self.client_id`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def get_default_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uris[0]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_allowed_scope(self, scope):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return util.list_to_scope(`
			`[scope_piece for scope_piece in self.scope if scope_piece in scope]`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_redirect_uri(self, redirect_uri):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return redirect_uri in self.redirect_uris`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_client_secret(self, client_secret):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return client_secret == self.client_secret`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def check_endpoint_auth_method(self, method, endpoint):`
			`if endpoint == "token":`
			`return method == self.token_endpoint_auth_method`
			`return True`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_response_type(self, response_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return all(r in self.response_types for r in response_type.split(" "))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_grant_type(self, grant_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return grant_type in self.grant_types`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def client_info(self):`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`result = {`
			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_info_attributes`
			`}`
			`result["client_id_issued_at"] = int(`
			`datetime.datetime.timestamp(result["client_id_issued_at"])`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`return result`

			`@property`
			`def client_metadata(self):`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`metadata = {`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_metadata_attributes`
			`}`
Fix coverage 2023-01-28 17:35:39 +00:00			`metadata["scope"] = " ".join(metadata["scope"])`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`return metadata`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):`
			`object_class = ["oauthAuthorizationCode"]`
			`base = "ou=authorizations,ou=oauth"`
Renamed LDAPObject 'id' attribute in 'rdn' 2023-01-24 17:32:44 +00:00			`rdn = "oauthAuthorizationCodeID"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`"authorization_code_id": "oauthAuthorizationCodeID",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"description": "description",`
			`"code": "oauthCode",`
			`"client": "oauthClient",`
			`"subject": "oauthSubject",`
			`"redirect_uri": "oauthRedirectURI",`
			`"response_type": "oauthResponseType",`
			`"scope": "oauthScope",`
			`"nonce": "oauthNonce",`
			`"issue_date": "oauthAuthorizationDate",`
			`"lifetime": "oauthAuthorizationLifetime",`
			`"challenge": "oauthCodeChallenge",`
			`"challenge_method": "oauthCodeChallengeMethod",`
			`"revokation_date": "oauthRevokationDate",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uri`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return self.scope[0].split(" ")`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_nonce(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.nonce`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
			`return (`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`< datetime.datetime.now()`
			`)`

			`def get_auth_time(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class Token(LDAPObject, TokenMixin):`
			`object_class = ["oauthToken"]`
			`base = "ou=tokens,ou=oauth"`
Renamed LDAPObject 'id' attribute in 'rdn' 2023-01-24 17:32:44 +00:00			`rdn = "oauthTokenID"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`"token_id": "oauthTokenID",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"access_token": "oauthAccessToken",`
			`"description": "description",`
			`"client": "oauthClient",`
			`"subject": "oauthSubject",`
			`"type": "oauthTokenType",`
			`"refresh_token": "oauthRefreshToken",`
			`"scope": "oauthScope",`
			`"issue_date": "oauthIssueDate",`
			`"lifetime": "oauthTokenLifetime",`
			`"revokation_date": "oauthRevokationDate",`
			`"audience": "oauthAudience",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def expire_date(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def revoked(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return bool(self.revokation_date)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return " ".join(self.scope)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_in(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_issued_at(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int((self.issue_date - datetime.datetime(1970, 1, 1)).total_seconds())`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_at(self):`
			`issue_timestamp = (`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.issue_date - datetime.datetime(1970, 1, 1)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`).total_seconds()`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(issue_timestamp) + int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_refresh_token_active(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if self.revokation_date:`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`return False`

			`return self.expire_date >= datetime.datetime.now()`

			`def is_expired(self):`
			`return (`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`< datetime.datetime.now()`
			`)`

Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def is_revoked(self):`
			`return bool(self.revokation_date)`

			`def check_client(self, client):`
			`return client.client_id == Client.get(self.client).client_id`

split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`class Consent(LDAPObject):`
			`object_class = ["oauthConsent"]`
			`base = "ou=consents,ou=oauth"`
Renamed LDAPObject 'id' attribute in 'rdn' 2023-01-24 17:32:44 +00:00			`rdn = "cn"`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`attribute_table = {`
			`"cn": "cn",`
			`"subject": "oauthSubject",`
			`"client": "oauthClient",`
			`"scope": "oauthScope",`
			`"issue_date": "oauthIssueDate",`
			`"revokation_date": "oauthRevokationDate",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def revoke(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`self.revokation_date = datetime.datetime.now()`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`self.save()`

			`tokens = Token.filter(`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`oauthClient=self.client,`
			`oauthSubject=self.subject,`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
			`for t in tokens:`
test consent removal with arleady revoked tokens 2022-12-10 10:24:53 +00:00			`different_scope = any(scope not in t.scope[0] for scope in self.scope)`
			`if t.revoked or different_scope:`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`continue`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`t.revokation_date = self.revokation_date`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`t.save()`