quay/data/model/oauth.py

import logging
import json

from flask import url_for
from datetime import datetime, timedelta
from oauth2lib.provider import AuthorizationProvider
from oauth2lib import utils

from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User,
                           random_string_generator)
from data.model.legacy import get_user
from auth import scopes


logger = logging.getLogger(__name__)

class DatabaseAuthorizationProvider(AuthorizationProvider):
  def get_authorized_user(self):
    raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')

  def _generate_data_string(self):
    return json.dumps({'username': self.get_authorized_user().username})

  @property
  def token_expires_in(self):
    """Property method to get the token expiration time in seconds.
    """
    return int(60*60*24*365.25*10)  # 10 Years

  def validate_client_id(self, client_id):
    return self.get_application_for_client_id(client_id) is not None

  def get_application_for_client_id(self, client_id):
    try:
      return OAuthApplication.get(client_id=client_id)
    except OAuthApplication.DoesNotExist:
      return None

  def validate_client_secret(self, client_id, client_secret):
    try:
      OAuthApplication.get(client_id=client_id, client_secret=client_secret)
      return True
    except OAuthApplication.DoesNotExist:
      return False

  def validate_redirect_uri(self, client_id, redirect_uri):
    if redirect_uri == url_for('web.oauth_local_handler', _external=True):
      return True

    try:
      oauth_app = OAuthApplication.get(client_id=client_id)
      if oauth_app.redirect_uri and redirect_uri and redirect_uri.startswith(oauth_app.redirect_uri):
        return True
      return False
    except OAuthApplication.DoesNotExist:
      return False

  def validate_scope(self, client_id, scopes_string):
    return scopes.validate_scope_string(scopes_string)

  def validate_access(self):
    return self.get_authorized_user() is not None

  def load_authorized_scope_string(self, client_id, username):
    found = (OAuthAccessToken
      .select()
      .join(OAuthApplication)
      .switch(OAuthAccessToken)
      .join(User)
      .where(OAuthApplication.client_id == client_id, User.username == username,
             OAuthAccessToken.expires_at > datetime.utcnow()))
    found = list(found)
    logger.debug('Found %s matching tokens.', len(found))
    long_scope_string = ','.join([token.scope for token in found])
    logger.debug('Computed long scope string: %s', long_scope_string)
    return long_scope_string

  def validate_has_scopes(self, client_id, username, scope):
    long_scope_string = self.load_authorized_scope_string(client_id, username)

    # Make sure the token contains the given scopes (at least).
    return scopes.is_subset_string(long_scope_string, scope)

  def from_authorization_code(self, client_id, code, scope):
    try:
      found = (OAuthAuthorizationCode
        .select()
        .join(OAuthApplication)
        .where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code,
               OAuthAuthorizationCode.scope == scope)
        .get())
      logger.debug('Returning data: %s', found.data)
      return found.data
    except OAuthAuthorizationCode.DoesNotExist:
      return None

  def from_refresh_token(self, client_id, refresh_token, scope):
    try:
      found = (OAuthAccessToken
        .select()
        .join(OAuthApplication)
        .where(OAuthApplication.client_id == client_id,
               OAuthAccessToken.refresh_token == refresh_token,
               OAuthAccessToken.scope == scope)
        .get())
      return found.data
    except OAuthAccessToken.DoesNotExist:
      return None

  def persist_authorization_code(self, client_id, code, scope):
    oauth_app = OAuthApplication.get(client_id=client_id)
    data = self._generate_data_string()
    OAuthAuthorizationCode.create(application=oauth_app, code=code, scope=scope, data=data)

  def persist_token_information(self, client_id, scope, access_token, token_type, expires_in,
                                refresh_token, data):
    user = get_user(json.loads(data)['username'])
    if not user:
      raise RuntimeError('Username must be in the data field')

    oauth_app = OAuthApplication.get(client_id=client_id)
    expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
    OAuthAccessToken.create(application=oauth_app, authorized_user=user, scope=scope,
                            access_token=access_token, token_type=token_type,
                            expires_at=expires_at, refresh_token=refresh_token, data=data)

  def discard_authorization_code(self, client_id, code):
    found = (OAuthAuthorizationCode
      .select()
      .join(OAuthApplication)
      .where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code)
      .get())
    found.delete_instance()

  def discard_refresh_token(self, client_id, refresh_token):
    found = (AccessToken
      .select()
      .join(OAuthApplication)
      .where(OAuthApplication.client_id == client_id,
             OAuthAccessToken.refresh_token == refresh_token)
      .get())
    found.delete_instance()


  def get_auth_denied_response(self, response_type, client_id, redirect_uri, **params):
    # Ensure proper response_type
    if response_type != 'token':
      err = 'unsupported_response_type'
      return self._make_redirect_error_response(redirect_uri, err)

    # Check redirect URI
    is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
    if not is_valid_redirect_uri:
      return self._invalid_redirect_uri_response()

    return self._make_redirect_error_response(redirect_uri, 'authorization_denied')


  def get_token_response(self, response_type, client_id, redirect_uri, **params):

    # Ensure proper response_type
    if response_type != 'token':
      err = 'unsupported_response_type'
      return self._make_redirect_error_response(redirect_uri, err)

    # Check redirect URI
    is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
    if not is_valid_redirect_uri:
      return self._invalid_redirect_uri_response()

    # Check conditions
    is_valid_client_id = self.validate_client_id(client_id)
    is_valid_access = self.validate_access()
    scope = params.get('scope', '')
    are_valid_scopes = self.validate_scope(client_id, scope)

    # Return proper error responses on invalid conditions
    if not is_valid_client_id:
      err = 'unauthorized_client'
      return self._make_redirect_error_response(redirect_uri, err)

    if not is_valid_access:
      err = 'access_denied'
      return self._make_redirect_error_response(redirect_uri, err)

    if not are_valid_scopes:
      err = 'invalid_scope'
      return self._make_redirect_error_response(redirect_uri, err)

    access_token = self.generate_access_token()
    token_type = self.token_type
    expires_in = self.token_expires_in
    refresh_token = None  # No refresh token for this kind of flow

    data = self._generate_data_string()
    self.persist_token_information(client_id=client_id, scope=scope, access_token=access_token,
                                   token_type=token_type, expires_in=expires_in,
                                   refresh_token=refresh_token, data=data)

    url = utils.build_url(redirect_uri, params)
    url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)

    return self._make_response(headers={'Location': url}, status_code=302)


def create_application(org, name, application_uri, redirect_uri, **kwargs):
  return OAuthApplication.create(organization=org, name=name, application_uri=application_uri,
                                 redirect_uri=redirect_uri, **kwargs)


def validate_access_token(access_token):
  try:
    found = (OAuthAccessToken
      .select(OAuthAccessToken, User)
      .join(User)
      .where(OAuthAccessToken.access_token == access_token)
      .get())
    return found
  except OAuthAccessToken.DoesNotExist:
    return None


def get_application_for_client_id(client_id):
  try:
    return OAuthApplication.get(client_id=client_id)
  except OAuthApplication.DoesNotExist:
    return None


def reset_client_secret(application):
  application.client_secret = random_string_generator(length=40)()
  application.save()
  return application


def lookup_application(org, client_id):
  try:
    return OAuthApplication.get(organization = org, client_id=client_id)
  except OAuthApplication.DoesNotExist:
    return None


def delete_application(org, client_id):
  application = lookup_application(org, client_id)
  if not application:
    return

  application.delete_instance(recursive=True, delete_nullable=True)
  return application


def lookup_access_token_for_user(user, token_uuid):
  try:
    return OAuthAccessToken.get(OAuthAccessToken.authorized_user == user,
                                OAuthAccessToken.uuid == token_uuid)
  except OAuthAccessToken.DoesNotExist:
    return None


def list_access_tokens_for_user(user):
  query = (OAuthAccessToken
           .select()
           .join(OAuthApplication)
           .switch(OAuthAccessToken)
           .join(User)
           .where(OAuthAccessToken.authorized_user == user))

  return query


def list_applications_for_org(org):
  query = (OAuthApplication
           .select()
           .join(User)
           .where(OAuthApplication.organization == org))

  return query


def create_access_token_for_testing(user, client_id, scope):
  expires_at = datetime.utcnow() + timedelta(seconds=10000)
  application = get_application_for_client_id(client_id)
  OAuthAccessToken.create(application=application, authorized_user=user, scope=scope,
                          token_type='token', access_token='test',
                          expires_at=expires_at, refresh_token='', data='')
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`import logging`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`import json`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`from flask import url_for`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`from datetime import datetime, timedelta`
			`from oauth2lib.provider import AuthorizationProvider`
			`from oauth2lib import utils`

Add full application management API, UI and test cases 2014-03-20 19:46:13 +00:00			`from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User,`
			`random_string_generator)`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`from data.model.legacy import get_user`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`from auth import scopes`


User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`logger = logging.getLogger(__name__)`

Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`class DatabaseAuthorizationProvider(AuthorizationProvider):`
			`def get_authorized_user(self):`
			`raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')`

Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`def _generate_data_string(self):`
			`return json.dumps({'username': self.get_authorized_user().username})`

Change the token expiration time to 10 years. 2014-03-25 19:38:16 +00:00			`@property`
			`def token_expires_in(self):`
			`"""Property method to get the token expiration time in seconds.`
			`"""`
			`return int(606024365.2510) # 10 Years`

Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`def validate_client_id(self, client_id):`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`return self.get_application_for_client_id(client_id) is not None`

			`def get_application_for_client_id(self, client_id):`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`try:`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`return OAuthApplication.get(client_id=client_id)`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`except OAuthApplication.DoesNotExist:`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`return None`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00
			`def validate_client_secret(self, client_id, client_secret):`
			`try:`
			`OAuthApplication.get(client_id=client_id, client_secret=client_secret)`
			`return True`
			`except OAuthApplication.DoesNotExist:`
			`return False`

			`def validate_redirect_uri(self, client_id, redirect_uri):`
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`if redirect_uri == url_for('web.oauth_local_handler', _external=True):`
			`return True`

Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`try:`
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`oauth_app = OAuthApplication.get(client_id=client_id)`
			`if oauth_app.redirect_uri and redirect_uri and redirect_uri.startswith(oauth_app.redirect_uri):`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`return True`
			`return False`
			`except OAuthApplication.DoesNotExist:`
			`return False`

Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`def validate_scope(self, client_id, scopes_string):`
			`return scopes.validate_scope_string(scopes_string)`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00
			`def validate_access(self):`
			`return self.get_authorized_user() is not None`

User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`def load_authorized_scope_string(self, client_id, username):`
			`found = (OAuthAccessToken`
			`.select()`
			`.join(OAuthApplication)`
			`.switch(OAuthAccessToken)`
			`.join(User)`
			`.where(OAuthApplication.client_id == client_id, User.username == username,`
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile. 2014-05-23 18:16:26 +00:00			`OAuthAccessToken.expires_at > datetime.utcnow()))`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`found = list(found)`
			`logger.debug('Found %s matching tokens.', len(found))`
			`long_scope_string = ','.join([token.scope for token in found])`
			`logger.debug('Computed long scope string: %s', long_scope_string)`
			`return long_scope_string`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`def validate_has_scopes(self, client_id, username, scope):`
			`long_scope_string = self.load_authorized_scope_string(client_id, username)`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00
			`# Make sure the token contains the given scopes (at least).`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`return scopes.is_subset_string(long_scope_string, scope)`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`def from_authorization_code(self, client_id, code, scope):`
			`try:`
			`found = (OAuthAuthorizationCode`
			`.select()`
			`.join(OAuthApplication)`
			`.where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code,`
			`OAuthAuthorizationCode.scope == scope)`
			`.get())`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`logger.debug('Returning data: %s', found.data)`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`return found.data`
			`except OAuthAuthorizationCode.DoesNotExist:`
			`return None`

			`def from_refresh_token(self, client_id, refresh_token, scope):`
			`try:`
			`found = (OAuthAccessToken`
			`.select()`
			`.join(OAuthApplication)`
			`.where(OAuthApplication.client_id == client_id,`
			`OAuthAccessToken.refresh_token == refresh_token,`
			`OAuthAccessToken.scope == scope)`
			`.get())`
			`return found.data`
			`except OAuthAccessToken.DoesNotExist:`
Strip whitespace from ALL the things. 2014-11-24 21:07:38 +00:00			`return None`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00
			`def persist_authorization_code(self, client_id, code, scope):`
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`oauth_app = OAuthApplication.get(client_id=client_id)`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`data = self._generate_data_string()`
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`OAuthAuthorizationCode.create(application=oauth_app, code=code, scope=scope, data=data)`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00
			`def persist_token_information(self, client_id, scope, access_token, token_type, expires_in,`
			`refresh_token, data):`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`user = get_user(json.loads(data)['username'])`
			`if not user:`
			`raise RuntimeError('Username must be in the data field')`

Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`oauth_app = OAuthApplication.get(client_id=client_id)`
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile. 2014-05-23 18:16:26 +00:00			`expires_at = datetime.utcnow() + timedelta(seconds=expires_in)`
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`OAuthAccessToken.create(application=oauth_app, authorized_user=user, scope=scope,`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`access_token=access_token, token_type=token_type,`
			`expires_at=expires_at, refresh_token=refresh_token, data=data)`

			`def discard_authorization_code(self, client_id, code):`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`found = (OAuthAuthorizationCode`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`.select()`
			`.join(OAuthApplication)`
			`.where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code)`
			`.get())`
			`found.delete_instance()`

			`def discard_refresh_token(self, client_id, refresh_token):`
			`found = (AccessToken`
			`.select()`
			`.join(OAuthApplication)`
			`.where(OAuthApplication.client_id == client_id,`
			`OAuthAccessToken.refresh_token == refresh_token)`
			`.get())`
			`found.delete_instance()`

Add cancel button to the oauth authorization page, add the org icon to said page, and fix some other minor bugs 2014-03-24 22:30:22 +00:00
			`def get_auth_denied_response(self, response_type, client_id, redirect_uri, **params):`
			`# Ensure proper response_type`
			`if response_type != 'token':`
			`err = 'unsupported_response_type'`
			`return self._make_redirect_error_response(redirect_uri, err)`

			`# Check redirect URI`
			`is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)`
			`if not is_valid_redirect_uri:`
			`return self._invalid_redirect_uri_response()`

			`return self._make_redirect_error_response(redirect_uri, 'authorization_denied')`


Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`def get_token_response(self, response_type, client_id, redirect_uri, **params):`
Add ability to one-click generate an authorization access token in the applications panel 2014-11-17 19:54:07 +00:00
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`# Ensure proper response_type`
			`if response_type != 'token':`
			`err = 'unsupported_response_type'`
			`return self._make_redirect_error_response(redirect_uri, err)`

			`# Check redirect URI`
			`is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)`
Fix OAuth redirect for denial action when generating for internal tokens 2015-06-01 17:43:38 +00:00			`if not is_valid_redirect_uri:`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`return self._invalid_redirect_uri_response()`

			`# Check conditions`
			`is_valid_client_id = self.validate_client_id(client_id)`
			`is_valid_access = self.validate_access()`
			`scope = params.get('scope', '')`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`are_valid_scopes = self.validate_scope(client_id, scope)`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00
			`# Return proper error responses on invalid conditions`
			`if not is_valid_client_id:`
			`err = 'unauthorized_client'`
			`return self._make_redirect_error_response(redirect_uri, err)`

			`if not is_valid_access:`
			`err = 'access_denied'`
			`return self._make_redirect_error_response(redirect_uri, err)`

Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`if not are_valid_scopes:`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`err = 'invalid_scope'`
			`return self._make_redirect_error_response(redirect_uri, err)`

			`access_token = self.generate_access_token()`
			`token_type = self.token_type`
			`expires_in = self.token_expires_in`
			`refresh_token = None # No refresh token for this kind of flow`

Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`data = self._generate_data_string()`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`self.persist_token_information(client_id=client_id, scope=scope, access_token=access_token,`
			`token_type=token_type, expires_in=expires_in,`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`refresh_token=refresh_token, data=data)`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00
			`url = utils.build_url(redirect_uri, params)`
			`url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)`

			`return self._make_response(headers={'Location': url}, status_code=302)`

Formatting changes. 2014-03-25 18:32:02 +00:00
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`def create_application(org, name, application_uri, redirect_uri, **kwargs):`
Finally figure out what the data field is supposed to be for and use it to implement and fix 3LO. 2014-03-25 16:42:40 +00:00			`return OAuthApplication.create(organization=org, name=name, application_uri=application_uri,`
			`redirect_uri=redirect_uri, **kwargs)`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00
Formatting changes. 2014-03-25 18:32:02 +00:00
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`def validate_access_token(access_token):`
			`try:`
			`found = (OAuthAccessToken`
			`.select(OAuthAccessToken, User)`
			`.join(User)`
			`.where(OAuthAccessToken.access_token == access_token)`
			`.get())`
			`return found`
			`except OAuthAccessToken.DoesNotExist:`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`return None`
Add OAuth usage information the API logs, have it be displayed in the logs UI and start on the code to display application information when clicked. Note that this does not (yet) do anything with the information returned as we need to wait for the mainline merge of Angular 1.2.9 (which is in master) before I can continue on the display 2014-03-18 20:45:18 +00:00
Formatting changes. 2014-03-25 18:32:02 +00:00
Add OAuth usage information the API logs, have it be displayed in the logs UI and start on the code to display application information when clicked. Note that this does not (yet) do anything with the information returned as we need to wait for the mainline merge of Angular 1.2.9 (which is in master) before I can continue on the display 2014-03-18 20:45:18 +00:00			`def get_application_for_client_id(client_id):`
			`try:`
			`return OAuthApplication.get(client_id=client_id)`
			`except OAuthApplication.DoesNotExist:`
			`return None`
Add full application management API, UI and test cases 2014-03-20 19:46:13 +00:00
Formatting changes. 2014-03-25 18:32:02 +00:00
Add full application management API, UI and test cases 2014-03-20 19:46:13 +00:00			`def reset_client_secret(application):`
			`application.client_secret = random_string_generator(length=40)()`
			`application.save()`
			`return application`

Formatting changes. 2014-03-25 18:32:02 +00:00
Add full application management API, UI and test cases 2014-03-20 19:46:13 +00:00			`def lookup_application(org, client_id):`
			`try:`
			`return OAuthApplication.get(organization = org, client_id=client_id)`
			`except OAuthApplication.DoesNotExist:`
			`return None`


			`def delete_application(org, client_id):`
			`application = lookup_application(org, client_id)`
			`if not application:`
			`return`

			`application.delete_instance(recursive=True, delete_nullable=True)`
			`return application`

Add ability for users to see their authorized applications and revoke the access 2014-03-25 00:57:02 +00:00
			`def lookup_access_token_for_user(user, token_uuid):`
			`try:`
			`return OAuthAccessToken.get(OAuthAccessToken.authorized_user == user,`
			`OAuthAccessToken.uuid == token_uuid)`
			`except OAuthAccessToken.DoesNotExist:`
			`return None`


			`def list_access_tokens_for_user(user):`
			`query = (OAuthAccessToken`
			`.select()`
			`.join(OAuthApplication)`
			`.switch(OAuthAccessToken)`
			`.join(User)`
			`.where(OAuthAccessToken.authorized_user == user))`

Strip whitespace from ALL the things. 2014-11-24 21:07:38 +00:00			`return query`
Add ability for users to see their authorized applications and revoke the access 2014-03-25 00:57:02 +00:00

Add full application management API, UI and test cases 2014-03-20 19:46:13 +00:00			`def list_applications_for_org(org):`
			`query = (OAuthApplication`
			`.select()`
			`.join(User)`
			`.where(OAuthApplication.organization == org))`

			`return query`
Add ability for users to see their authorized applications and revoke the access 2014-03-25 00:57:02 +00:00

			`def create_access_token_for_testing(user, client_id, scope):`
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile. 2014-05-23 18:16:26 +00:00			`expires_at = datetime.utcnow() + timedelta(seconds=10000)`
Add ability for users to see their authorized applications and revoke the access 2014-03-25 00:57:02 +00:00			`application = get_application_for_client_id(client_id)`
			`OAuthAccessToken.create(application=application, authorized_user=user, scope=scope,`
			`token_type='token', access_token='test',`
			`expires_at=expires_at, refresh_token='', data='')`