194 lines
6.8 KiB
Python
194 lines
6.8 KiB
Python
|
import copy
|
||
|
|
import logging
|
||
|
|
import urllib
|
||
|
|
import urlparse
|
||
|
|
|
||
|
|
from abc import ABCMeta, abstractmethod
|
||
|
|
from six import add_metaclass
|
||
|
|
|
||
|
|
from util.config import URLSchemeAndHostname
|
||
|
|
|
||
|
|
logger = logging.getLogger(__name__)
|
||
|
|
|
||
|
|
|
||
|
|
class OAuthEndpoint(object):
|
||
|
|
def __init__(self, base_url, params=None):
|
||
|
|
self.base_url = base_url
|
||
|
|
self.params = params or {}
|
||
|
|
|
||
|
|
def with_param(self, name, value):
|
||
|
|
params_copy = copy.copy(self.params)
|
||
|
|
params_copy[name] = value
|
||
|
|
return OAuthEndpoint(self.base_url, params_copy)
|
||
|
|
|
||
|
|
def with_params(self, parameters):
|
||
|
|
params_copy = copy.copy(self.params)
|
||
|
|
params_copy.update(parameters)
|
||
|
|
return OAuthEndpoint(self.base_url, params_copy)
|
||
|
|
|
||
|
|
def to_url(self):
|
||
|
|
(scheme, netloc, path, _, fragment) = urlparse.urlsplit(self.base_url)
|
||
|
|
updated_query = urllib.urlencode(self.params)
|
||
|
|
return urlparse.urlunsplit((scheme, netloc, path, updated_query, fragment))
|
||
|
|
|
||
|
|
class OAuthExchangeCodeException(Exception):
|
||
|
|
""" Exception raised if a code exchange fails. """
|
||
|
|
pass
|
||
|
|
|
||
|
|
class OAuthGetUserInfoException(Exception):
|
||
|
|
""" Exception raised if a call to get user information fails. """
|
||
|
|
pass
|
||
|
|
|
||
|
|
@add_metaclass(ABCMeta)
|
||
|
|
class OAuthService(object):
|
||
|
|
""" A base class for defining an external service, exposed via OAuth. """
|
||
|
|
def __init__(self, config, key_name):
|
||
|
|
self.key_name = key_name
|
||
|
|
self.config = config.get(key_name) or {}
|
||
|
|
|
||
|
|
@abstractmethod
|
||
|
|
def service_id(self):
|
||
|
|
""" The internal ID for this service. Must match the URL portion for the service, e.g. `github`
|
||
|
|
"""
|
||
|
|
pass
|
||
|
|
|
||
|
|
@abstractmethod
|
||
|
|
def service_name(self):
|
||
|
|
""" The user-readable name for the service, e.g. `GitHub`"""
|
||
|
|
pass
|
||
|
|
|
||
|
|
@abstractmethod
|
||
|
|
def token_endpoint(self):
|
||
|
|
""" Returns the endpoint at which the OAuth code can be exchanged for a token. """
|
||
|
|
pass
|
||
|
|
|
||
|
|
@abstractmethod
|
||
|
|
def user_endpoint(self):
|
||
|
|
""" Returns the endpoint at which user information can be looked up. """
|
||
|
|
pass
|
||
|
|
|
||
|
|
@abstractmethod
|
||
|
|
def authorize_endpoint(self):
|
||
|
|
""" Returns the for authorization of the OAuth service. """
|
||
|
|
pass
|
||
|
|
|
||
|
|
@abstractmethod
|
||
|
|
def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
|
||
|
|
""" Performs validation of the client ID and secret, raising an exception on failure. """
|
||
|
|
pass
|
||
|
|
|
||
|
|
def requires_form_encoding(self):
|
||
|
|
""" Returns True if form encoding is necessary for the exchange_code_for_token call. """
|
||
|
|
return False
|
||
|
|
|
||
|
|
def client_id(self):
|
||
|
|
return self.config.get('CLIENT_ID')
|
||
|
|
|
||
|
|
def client_secret(self):
|
||
|
|
return self.config.get('CLIENT_SECRET')
|
||
|
|
|
||
|
|
def login_binding_field(self):
|
||
|
|
""" Returns the name of the field (`username` or `email`) used for auto binding an external
|
||
|
|
login service account to an *internal* login service account. For example, if the external
|
||
|
|
login service is GitHub and the internal login service is LDAP, a value of `email` here
|
||
|
|
will cause login-with-Github to conduct a search (via email) in LDAP for a user, an auto
|
||
|
|
bind the external and internal users together. May return None, in which case no binding
|
||
|
|
is performing, and login with this external account will simply create a new account in the
|
||
|
|
database.
|
||
|
|
"""
|
||
|
|
return self.config.get('LOGIN_BINDING_FIELD', None)
|
||
|
|
|
||
|
|
def get_auth_url(self, url_scheme_and_hostname, redirect_suffix, csrf_token, scopes):
|
||
|
|
""" Retrieves the authorization URL for this login service. """
|
||
|
|
redirect_uri = '%s/oauth2/%s/callback%s' % (url_scheme_and_hostname.get_url(),
|
||
|
|
self.service_id(),
|
||
|
|
redirect_suffix)
|
||
|
|
params = {
|
||
|
|
'client_id': self.client_id(),
|
||
|
|
'redirect_uri': redirect_uri,
|
||
|
|
'scope': ' '.join(scopes),
|
||
|
|
'state': csrf_token,
|
||
|
|
}
|
||
|
|
|
||
|
|
return self.authorize_endpoint().with_params(params).to_url()
|
||
|
|
|
||
|
|
def get_redirect_uri(self, url_scheme_and_hostname, redirect_suffix=''):
|
||
|
|
return '%s://%s/oauth2/%s/callback%s' % (url_scheme_and_hostname.url_scheme,
|
||
|
|
url_scheme_and_hostname.hostname,
|
||
|
|
self.service_id(),
|
||
|
|
redirect_suffix)
|
||
|
|
|
||
|
|
def get_user_info(self, http_client, token):
|
||
|
|
token_param = {
|
||
|
|
'alt': 'json',
|
||
|
|
}
|
||
|
|
|
||
|
|
headers = {
|
||
|
|
'Authorization': 'Bearer %s' % token,
|
||
|
|
}
|
||
|
|
|
||
|
|
got_user = http_client.get(self.user_endpoint().to_url(), params=token_param, headers=headers)
|
||
|
|
if got_user.status_code // 100 != 2:
|
||
|
|
raise OAuthGetUserInfoException('Non-2XX response code for user_info call: %s' %
|
||
|
|
got_user.status_code)
|
||
|
|
|
||
|
|
user_info = got_user.json()
|
||
|
|
if user_info is None:
|
||
|
|
raise OAuthGetUserInfoException()
|
||
|
|
|
||
|
|
return user_info
|
||
|
|
|
||
|
|
def exchange_code_for_token(self, app_config, http_client, code, form_encode=False,
|
||
|
|
redirect_suffix='', client_auth=False):
|
||
|
|
""" Exchanges an OAuth access code for the associated OAuth token. """
|
||
|
|
json_data = self.exchange_code(app_config, http_client, code, form_encode, redirect_suffix,
|
||
|
|
client_auth)
|
||
|
|
|
||
|
|
access_token = json_data.get('access_token', None)
|
||
|
|
if access_token is None:
|
||
|
|
logger.debug('Got successful get_access_token response with missing token: %s', json_data)
|
||
|
|
raise OAuthExchangeCodeException('Missing `access_token` in OAuth response')
|
||
|
|
|
||
|
|
return access_token
|
||
|
|
|
||
|
|
def exchange_code(self, app_config, http_client, code, form_encode=False, redirect_suffix='',
|
||
|
|
client_auth=False):
|
||
|
|
""" Exchanges an OAuth access code for associated OAuth token and other data. """
|
||
|
|
url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app_config)
|
||
|
|
payload = {
|
||
|
|
'code': code,
|
||
|
|
'grant_type': 'authorization_code',
|
||
|
|
'redirect_uri': self.get_redirect_uri(url_scheme_and_hostname, redirect_suffix)
|
||
|
|
}
|
||
|
|
|
||
|
|
headers = {
|
||
|
|
'Accept': 'application/json'
|
||
|
|
}
|
||
|
|
|
||
|
|
auth = None
|
||
|
|
if client_auth:
|
||
|
|
auth = (self.client_id(), self.client_secret())
|
||
|
|
else:
|
||
|
|
payload['client_id'] = self.client_id()
|
||
|
|
payload['client_secret'] = self.client_secret()
|
||
|
|
|
||
|
|
token_url = self.token_endpoint().to_url()
|
||
|
|
if form_encode:
|
||
|
|
get_access_token = http_client.post(token_url, data=payload, headers=headers, auth=auth)
|
||
|
|
else:
|
||
|
|
get_access_token = http_client.post(token_url, params=payload, headers=headers, auth=auth)
|
||
|
|
|
||
|
|
if get_access_token.status_code // 100 != 2:
|
||
|
|
logger.debug('Got get_access_token response %s', get_access_token.text)
|
||
|
|
raise OAuthExchangeCodeException('Got non-2XX response for code exchange: %s' %
|
||
|
|
get_access_token.status_code)
|
||
|
|
|
||
|
|
json_data = get_access_token.json()
|
||
|
|
if not json_data:
|
||
|
|
raise OAuthExchangeCodeException('Got non-JSON response for code exchange')
|
||
|
|
|
||
|
|
if 'error' in json_data:
|
||
|
|
raise OAuthExchangeCodeException(json_data.get('error_description', json_data['error']))
|
||
|
|
|
||
|
|
return json_data
|