Tokens and codes can be revoked

This commit is contained in:
Éloi Rivard 2020-08-24 15:38:11 +02:00
parent 863a073eb2
commit a364b7ef1b
5 changed files with 38 additions and 12 deletions


@ -278,6 +278,13 @@ olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.32 NAME 'oauthAuthorizationLifetime'
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcAttributeTypes: ( 1.3.6.1.4.1.56207.1.1.33 NAME 'oauthRevoked'
DESC 'OAuth 2.0 token or code revoked'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
olcObjectClasses: ( 1.3.6.1.4.1.56207.1.2.1 NAME 'oauthClient'
DESC 'OAuth 2.0 Authorization Code'
SUP top
@ -319,7 +326,8 @@ olcObjectClasses: ( 1.3.6.1.4.1.56207.1.2.2 NAME 'oauthAuthorizationCode'
oauthAuthorizationDate $
oauthAuthorizationLifetime $
oauthCodeChallenge $
oauthCodeChallengeMethod )
oauthCodeChallengeMethod $
oauthRevoked )
X-ORIGIN 'OAuth 2.0' )
olcObjectClasses: ( 1.3.6.1.4.1.56207.1.2.3 NAME 'oauthToken'
DESC 'OAuth 2.0 Token'
@ -333,5 +341,6 @@ olcObjectClasses: ( 1.3.6.1.4.1.56207.1.2.3 NAME 'oauthToken'
oauthRefreshToken $
oauthScope $
oauthIssueDate $
oauthTokenLifetime )
oauthTokenLifetime $
oauthRevoked )
X-ORIGIN 'OAuth 2.0' )
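Review bot: The new `oauthRevoked` attribute is declared with the Boolean syntax (`1.3.6.1.4.1.1466.115.121.1.7`), which per RFC 4517 §3.3.3 admits exactly the strings `TRUE` and `FALSE`, and slapd is expected to reject any other spelling as an invalid syntax; the setter added in the models section of this commit writes lowercase `"true"`/`"false"`, so writes of the flag would likely fail once this schema is loaded. Change the setter to `self.oauthRevoked = "TRUE" if value else "FALSE"` and the getter to `return self.oauthRevoked == "TRUE"` — the `"yes"`, `"on"` and `1` alternatives it currently accepts cannot be stored under this syntax. The same attribute and object-class additions are duplicated in the `.schema` section below and must be kept in lock-step; a one-line comment at the top of each file pointing at the other would help the next editor. The two object-class hunks are cut from definitions that begin outside the visible lines.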


@ -275,6 +275,13 @@ attributetype ( 1.3.6.1.4.1.56207.1.1.32 NAME 'oauthAuthorizationLifetime'
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
attributetype ( 1.3.6.1.4.1.56207.1.1.33 NAME 'oauthRevoked'
DESC 'OAuth 2.0 token or code revoked'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications
X-ORIGIN 'OAuth 2.0' )
objectclass ( 1.3.6.1.4.1.56207.1.2.1 NAME 'oauthClient'
DESC 'OAuth 2.0 Authorization Code'
SUP top
@ -316,7 +323,8 @@ objectclass ( 1.3.6.1.4.1.56207.1.2.2 NAME 'oauthAuthorizationCode'
oauthAuthorizationDate $
oauthAuthorizationLifetime $
oauthCodeChallenge $
oauthCodeChallengeMethod )
oauthCodeChallengeMethod $
oauthRevoked )
X-ORIGIN 'OAuth 2.0' )
objectclass ( 1.3.6.1.4.1.56207.1.2.3 NAME 'oauthToken'
DESC 'OAuth 2.0 Token'
@ -330,5 +338,6 @@ objectclass ( 1.3.6.1.4.1.56207.1.2.3 NAME 'oauthToken'
oauthRefreshToken $
oauthScope $
oauthIssueDate $
oauthTokenLifetime )
oauthTokenLifetime $
oauthRevoked )
X-ORIGIN 'OAuth 2.0' )


@ -29,4 +29,4 @@ def test_token_invalid(testclient, client):
headers={"Authorization": f"Basic {client_credentials(client)}"},
)
assert 200 == res.status_code
assert {"active": False,} == res.json
assert {"active": False} == res.json


@ -175,6 +175,17 @@ class Token(LDAPObjectHelper, TokenMixin):
base = "ou=tokens"
id = "oauthAccessToken"
@property
def revoked(self):
return self.oauthRevoked in ("yes", "YES", 1, "on", "ON", "TRUE", "true")
@revoked.setter
def revoked(self, value):
if value:
self.oauthRevoked = "true"
else:
self.oauthRevoked = "false"
def get_client_id(self):
return self.oauthClientID
@ -194,14 +205,11 @@ class Token(LDAPObjectHelper, TokenMixin):
return issue_timestamp + int(self.oauthTokenLifetime)
def is_refresh_token_active(self):
# if self.revoked:
# return False
if self.revoked:
return False
return (
datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
+ datetime.timedelta(seconds=int(self.oauthTokenLifetime))
>= datetime.datetime.now()
)
@property
def revoked(self):
return False
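Review bot: The commit title says codes can be revoked and both schema sections add `oauthRevoked` to `oauthAuthorizationCode`, but in the visible hunks only `Token` gains a `revoked` property; if `AuthorizationCode` receives the same getter/setter elsewhere in this file, the pair belongs in one shared mixin so that the accepted spellings and the literal written back are defined in a single place. An entry created before this schema change carries no `oauthRevoked` value and the getter's membership test then yields `False`, which is the right default for existing tokens — worth stating on the property: `"""True once the entry carries a revocation flag; entries without the attribute are not revoked."""`. Not part of this change but now on the path guarded by the new `if self.revoked:` check, `is_refresh_token_active` parses a `Z`-suffixed (UTC) issue date into a naive datetime and compares it with a naive local `datetime.datetime.now()`, so the lifetime is off by the host's UTC offset unless the host clock runs in UTC; a UTC-based now would fix it. The enclosing `Token` class continues beyond the visible lines of the second hunk.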


@ -195,7 +195,7 @@ class BearerTokenValidator(_BearerTokenValidator):
return False
def token_revoked(self, token):
return False
return token.revoked
class IntrospectionEndpoint(_IntrospectionEndpoint):
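Review bot: `token_revoked` now returns `token.revoked`, but nothing in the commit exercises it — the only test touched (the introspection test above) drops a trailing comma — so neither a revoked token reporting `{"active": False}` from introspection nor its rejection by the bearer validator is pinned. Add a test that sets `token.revoked = True`, saves the entry, and asserts both outcomes; because the value round-trips through the directory, such a test would also catch any mismatch between the literal the setter stores and the spellings the getter accepts. `IntrospectionEndpoint` begins on the hunk's last line and continues outside it.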