Add some sort of oauth.

2014-03-12 12:37:06 -04:00 · 2014-03-12 12:37:06 -04:00 · 25ceb90fc6
commit 25ceb90fc6
parent 220649e579
13 changed files with 290 additions and 46 deletions
--- a/auth/auth.py
+++ b/auth/auth.py
@ -9,12 +9,12 @@ from data import model
 from app import app
 from permissions import QuayDeferredPermissionUser

-from util.names import parse_namespace_repository
 from util.http import abort


 logger = logging.getLogger(__name__)

+
 def process_basic_auth(auth):
  normalized = [part.strip() for part in auth.split(' ') if part]
  if normalized[0].lower() != 'basic' or len(normalized) != 2:
@ -87,7 +87,8 @@ def process_token(auth):
                (detail.split('=') for detail in token_details)}
  if 'signature' not in token_vals:
    logger.warning('Token does not contain signature: %s' % auth)
-    abort(401, message="Token does not contain a valid signature: %(auth)", issue='invalid-auth-token', auth=auth)
+    abort(401, message="Token does not contain a valid signature: %(auth)",
+          issue='invalid-auth-token', auth=auth)

  try:
    token_data = model.load_token_data(token_vals['signature'])
@ -95,7 +96,8 @@ def process_token(auth):
  except model.InvalidTokenException:
    logger.warning('Token could not be validated: %s' %
                   token_vals['signature'])
-    abort(401, message="Token could not be validated: %(auth)", issue='invalid-auth-token', auth=auth)
+    abort(401, message="Token could not be validated: %(auth)", issue='invalid-auth-token',
+          auth=auth)

  logger.debug('Successfully validated token: %s' % token_data.code)
  ctx = _request_ctx_stack.top
--- a/auth/scopes.py
+++ b/auth/scopes.py
@ -0,0 +1,25 @@
+READ_REPO = {
+  'scope': 'repo:read',
+  'description': ('Grants read-only access to all repositories for which the granting user or '
+                  ' robot has access.')
+}
+
+WRITE_REPO = {
+  'scope': 'repo:write',
+  'description': ('Grants read-write access to all repositories for which the granting user or '
+                  'robot has access, and is a superset of repo:read.')
+}
+
+ADMIN_REPO = {
+  'scope': 'repo:admin',
+  'description': ('Grants administrator access to all repositories for which the granting user or '
+                  'robot has access, and is a superset of repo:read and repo:write.')  
+}
+
+CREATE_REPO = {
+  'scope': 'repo:create',
+  'description': ('Grants create repository access to all namespaces for which the granting user '
+                  'or robot is allowed to create repositories.')
+}
+
+ALL_SCOPES = {scope['scope']:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO)}
--- a/data/database.py
+++ b/data/database.py
@ -271,9 +271,33 @@ class LogEntry(BaseModel):
  metadata_json = TextField(default='{}')


-all_models = [User, Repository, Image, AccessToken, Role,
-              RepositoryPermission, Visibility, RepositoryTag,
-              EmailConfirmation, FederatedLogin, LoginService, QueueItem,
-              RepositoryBuild, Team, TeamMember, TeamRole, Webhook,
-              LogEntryKind, LogEntry, PermissionPrototype, ImageStorage,
-              BuildTriggerService, RepositoryBuildTrigger]
+class OAuthApplication(BaseModel):
+  client_id = CharField(index=True, default=random_string_generator(length=20))
+  client_secret = CharField(default=random_string_generator(length=40))
+  redirect_uri = CharField()
+  organization = ForeignKeyField(User)
+
+
+class OAuthAuthorizationCode(BaseModel):
+  application = ForeignKeyField(OAuthApplication)
+  code = CharField(index=True)
+  scope = CharField()
+  data = CharField(default=random_string_generator())
+
+
+class OAuthAccessToken(BaseModel):
+  application = ForeignKeyField(OAuthApplication)
+  authorized_user = ForeignKeyField(User)
+  scope = CharField()
+  access_token = CharField(index=True)
+  token_type = CharField(default='Bearer')
+  expires_at = DateTimeField()
+  refresh_token = CharField(index=True, null=True)
+  data = CharField()  # What the hell is this field for?
+
+
+all_models = [User, Repository, Image, AccessToken, Role, RepositoryPermission, Visibility,
+              RepositoryTag, EmailConfirmation, FederatedLogin, LoginService, QueueItem,
+              RepositoryBuild, Team, TeamMember, TeamRole, Webhook, LogEntryKind, LogEntry,
+              PermissionPrototype, ImageStorage, BuildTriggerService, RepositoryBuildTrigger,
+              OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken]
--- a/data/model/init.py
+++ b/data/model/init.py
@ -0,0 +1 @@
+from data.model.legacy import *
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@ -2,11 +2,10 @@ import bcrypt
 import logging
 import datetime
 import dateutil.parser
-import operator
 import json


-from database import *
+from data.database import *
 from util.validation import *
 from util.names import format_robot_username

--- a/data/model/oauth.py
+++ b/data/model/oauth.py
@ -0,0 +1,142 @@
+from datetime import datetime, timedelta
+from oauth2lib.provider import AuthorizationProvider
+from oauth2lib import utils
+
+from data.database import OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken
+from auth import scopes
+
+
+class DatabaseAuthorizationProvider(AuthorizationProvider):
+  def get_authorized_user(self):
+    raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')
+
+  def validate_client_id(self, client_id):
+    try:
+      OAuthApplication.get(client_id=client_id)
+      return True
+    except OAuthApplication.DoesNotExist:
+      return False
+
+  def validate_client_secret(self, client_id, client_secret):
+    try:
+      OAuthApplication.get(client_id=client_id, client_secret=client_secret)
+      return True
+    except OAuthApplication.DoesNotExist:
+      return False
+
+  def validate_redirect_uri(self, client_id, redirect_uri):
+    try:
+      app = OAuthApplication.get(client_id=client_id)
+      if app.redirect_uri and redirect_uri.startswith(app.redirect_uri):
+        return True
+      return False
+    except OAuthApplication.DoesNotExist:
+      return False
+
+  def validate_scope(self, client_id, scope):
+    return scope in scopes.ALL_SCOPES.keys()
+
+  def validate_access(self):
+    return self.get_authorized_user() is not None
+
+  def from_authorization_code(self, client_id, code, scope):
+    try:
+      found = (OAuthAuthorizationCode
+        .select()
+        .join(OAuthApplication)
+        .where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code,
+               OAuthAuthorizationCode.scope == scope)
+        .get())
+      return found.data
+    except OAuthAuthorizationCode.DoesNotExist:
+      return None
+
+  def from_refresh_token(self, client_id, refresh_token, scope):
+    try:
+      found = (OAuthAccessToken
+        .select()
+        .join(OAuthApplication)
+        .where(OAuthApplication.client_id == client_id,
+               OAuthAccessToken.refresh_token == refresh_token,
+               OAuthAccessToken.scope == scope)
+        .get())
+      return found.data
+    except OAuthAccessToken.DoesNotExist:
+      return None  
+
+  def persist_authorization_code(self, client_id, code, scope):
+    app = OAuthApplication.get(client_id=client_id)
+    OAuthAuthorizationCode.create(application=app, code=code, scope=scope)
+
+  def persist_token_information(self, client_id, scope, access_token, token_type, expires_in,
+                                refresh_token, data):
+    app = OAuthApplication.get(client_id=client_id)
+    user = self.get_authorized_user()
+    expires_at = datetime.now() + timedelta(seconds=expires_in)
+    OAuthAccessToken.create(application=app, authorized_user=user, scope=scope,
+                            access_token=access_token, token_type=token_type,
+                            expires_at=expires_at, refresh_token=refresh_token, data=data)
+
+  def discard_authorization_code(self, client_id, code):
+    found = (AuthorizationCode
+      .select()
+      .join(OAuthApplication)
+      .where(OAuthApplication.client_id == client_id, OAuthAuthorizationCode.code == code)
+      .get())
+    found.delete_instance()
+
+  def discard_refresh_token(self, client_id, refresh_token):
+    found = (AccessToken
+      .select()
+      .join(OAuthApplication)
+      .where(OAuthApplication.client_id == client_id,
+             OAuthAccessToken.refresh_token == refresh_token)
+      .get())
+    found.delete_instance()
+
+  def get_token_response(self, response_type, client_id, redirect_uri, **params):
+    # Ensure proper response_type
+    if response_type != 'token':
+      err = 'unsupported_response_type'
+      return self._make_redirect_error_response(redirect_uri, err)
+
+    # Check redirect URI
+    is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
+    if not is_valid_redirect_uri:
+      return self._invalid_redirect_uri_response()
+
+    # Check conditions
+    is_valid_client_id = self.validate_client_id(client_id)
+    is_valid_access = self.validate_access()
+    scope = params.get('scope', '')
+    is_valid_scope = self.validate_scope(client_id, scope)
+
+    # Return proper error responses on invalid conditions
+    if not is_valid_client_id:
+      err = 'unauthorized_client'
+      return self._make_redirect_error_response(redirect_uri, err)
+
+    if not is_valid_access:
+      err = 'access_denied'
+      return self._make_redirect_error_response(redirect_uri, err)
+
+    if not is_valid_scope:
+      err = 'invalid_scope'
+      return self._make_redirect_error_response(redirect_uri, err)
+
+    access_token = self.generate_access_token()
+    token_type = self.token_type
+    expires_in = self.token_expires_in
+    refresh_token = None  # No refresh token for this kind of flow
+
+    self.persist_token_information(client_id=client_id, scope=scope, access_token=access_token,
+                                   token_type=token_type, expires_in=expires_in,
+                                   refresh_token=refresh_token, data='')
+
+    url = utils.build_url(redirect_uri, params)
+    url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)
+
+    return self._make_response(headers={'Location': url}, status_code=302)
+
+def create_application(org, redirect_uri, **kwargs):
+  return OAuthApplication.create(organization=org, redirect_uri=redirect_uri, **kwargs)
--- a/endpoints/api/init.py
+++ b/endpoints/api/init.py
@ -14,6 +14,7 @@ from util.names import parse_namespace_repository
 from auth.permissions import (ReadRepositoryPermission,
                              ModifyRepositoryPermission,
                              AdministerRepositoryPermission)
+from auth import scopes


 logger = logging.getLogger(__name__)
@ -100,8 +101,9 @@ class RepositoryParamResource(Resource):
  method_decorators = [parse_repository_name]


-def require_repo_permission(permission_class, allow_public=False):
+def require_repo_permission(permission_class, scope, allow_public=False):
  def wrapper(func):
+    @add_method_metadata('oauth2_scope', scope)
    @wraps(func)
    def wrapped(self, namespace, repository, *args, **kwargs):
      permission = permission_class(namespace, repository)
@ -114,9 +116,9 @@ def require_repo_permission(permission_class, allow_public=False):
  return wrapper


-require_repo_read = require_repo_permission(ReadRepositoryPermission, True)
-require_repo_write = require_repo_permission(ModifyRepositoryPermission)
-require_repo_admin = require_repo_permission(AdministerRepositoryPermission)
+require_repo_read = require_repo_permission(ReadRepositoryPermission, scopes.READ_REPO, True)
+require_repo_write = require_repo_permission(ModifyRepositoryPermission, scopes.WRITE_REPO)
+require_repo_admin = require_repo_permission(AdministerRepositoryPermission, scopes.ADMIN_REPO)


 def validate_json_request(schema_name):
--- a/endpoints/api/discovery.py
+++ b/endpoints/api/discovery.py
@ -5,6 +5,7 @@ from flask.ext.restful import Resource, reqparse

 from endpoints.api import resource, method_metadata, nickname, truthy_bool
 from app import app
+from auth import scopes


 logger = logging.getLogger(__name__)
@ -46,42 +47,50 @@ def swagger_route_data():
            'required': True,
          })

-        req_schema_name = method_metadata(method, 'request_schema')
-        if req_schema_name:
-          parameters.append({
-            'paramType': 'body',
-            'name': 'body',
-            'description': 'Request body contents.',
-            'dataType': req_schema_name,
-            'required': True,
-          })
-
-          schema = view_class.schemas[req_schema_name]
-          models[req_schema_name] = schema
-
-        if '__api_query_params' in dir(method):
-          for param_spec in method.__api_query_params:
-            new_param = {
-              'paramType': 'query',
-              'name': param_spec['name'],
-              'description': param_spec['help'],
-              'dataType': TYPE_CONVERTER[param_spec['type']],
-              'required': param_spec['required'],
-            }
-
-            if len(param_spec['choices']) > 0:
-              new_param['enum'] = list(param_spec['choices'])
-
-            parameters.append(new_param)
-
        if method is not None:
-          operations.append({
+          req_schema_name = method_metadata(method, 'request_schema')
+          if req_schema_name:
+            parameters.append({
+              'paramType': 'body',
+              'name': 'body',
+              'description': 'Request body contents.',
+              'dataType': req_schema_name,
+              'required': True,
+            })
+
+            schema = view_class.schemas[req_schema_name]
+            models[req_schema_name] = schema
+
+          if '__api_query_params' in dir(method):
+            for param_spec in method.__api_query_params:
+              new_param = {
+                'paramType': 'query',
+                'name': param_spec['name'],
+                'description': param_spec['help'],
+                'dataType': TYPE_CONVERTER[param_spec['type']],
+                'required': param_spec['required'],
+              }
+
+              if len(param_spec['choices']) > 0:
+                new_param['enum'] = list(param_spec['choices'])
+
+              parameters.append(new_param)
+
+          new_operation = {
            'method': method_name,
            'nickname': method_metadata(method, 'nickname'),
            'type': 'void',
            'summary': method.__doc__ if method.__doc__ else '',
            'parameters': parameters,
-          })
+          }
+
+          scope = method_metadata(method, 'oauth2_scope')
+          if scope:
+            new_operation['authorizations'] = {
+              'oauth2': [scope]
+            }
+
+          operations.append(new_operation)

      swagger_path = PARAM_REGEX.sub(r'{\2}', rule.rule)
      apis.append({
@ -103,6 +112,19 @@ def swagger_route_data():
      'termsOfServiceUrl': 'https://quay.io/tos',
      'contact': 'support@quay.io',
    },
+    'authorizations': {
+      'oauth2': {
+        'scopes': list(scopes.ALL_SCOPES.values()),
+        'grantTypes': {
+          "implicit": {
+            "tokenName": "access_token",
+            "loginEndpoint": {
+              "url": "http://ci.devtable.com:5000/oauth/authorize",
+            },
+          },
+        },
+      },
+    },
    'apis': apis,
    'models': models,
  }
--- a/endpoints/callbacks.py
+++ b/endpoints/callbacks.py
@ -19,7 +19,6 @@ client = app.config['HTTPCLIENT']
 callback = Blueprint('callback', __name__)


-
 def exchange_github_code_for_token(code):
  code = request.args.get('code')
  payload = {
--- a/endpoints/web.py
+++ b/endpoints/web.py
@ -8,6 +8,7 @@ from flask.ext.login import current_user
 from urlparse import urlparse

 from data import model
+from data.model.oauth import DatabaseAuthorizationProvider
 from app import app
 from auth.permissions import AdministerOrganizationPermission
 from util.invoice import renderInvoiceToPdf
@ -228,3 +229,26 @@ def build_status_badge(namespace, repository):
  response = make_response(STATUS_TAGS[status_name])
  response.content_type = 'image/svg+xml'
  return response
+
+
+class FlaskAuthorizationProvider(DatabaseAuthorizationProvider):
+  def get_authorized_user(self):
+    return current_user.db_user()
+
+  def _make_response(self, body='', headers=None, status_code=200):
+    return make_response(body, status_code, headers)
+
+
+@web.route('/oauth/authorize', methods=['GET'])
+@no_cache
+def request_authorization_code():
+  provider = FlaskAuthorizationProvider()
+  response_type = request.args.get('response_type', 'code')
+  client_id = request.args.get('client_id', None)
+  redirect_uri = request.args.get('redirect_uri', None)
+  scope = request.args.get('scope', None)
+
+  if response_type == 'token':
+    return provider.get_token_response(response_type, client_id, redirect_uri, scope=scope)
+  else:
+    return provider.get_authorization_code(response_type, client_id, redirect_uri, scope=scope)
--- a/initdb.py
+++ b/initdb.py
@ -9,6 +9,7 @@ from peewee import (SqliteDatabase, create_model_tables, drop_model_tables,

 from data.database import *
 from data import model
+from data.model import oauth
 from app import app


@ -338,6 +339,8 @@ def populate_database():
  org.stripe_id = TEST_STRIPE_ID
  org.save()

+  oauth.create_application(org, 'http://localhost:8000/o2c.html', client_id='deadbeef')
+
  model.create_robot('neworgrobot', org)

  owners = model.get_organization_team('buynlarge', 'owners')
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@ -26,3 +26,4 @@ loremipsum
 pygithub
 flask-restful
 jsonschema
+git+https://github.com/NateFerrero/oauth2lib.git
--- a/test/data/test.db
+++ b/test/data/test.db