User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens.

2014-03-19 18:09:09 -04:00 · 2014-03-19 18:09:09 -04:00 · 3b7b12085d
commit 3b7b12085d
parent c93c62600d
6 changed files with 103 additions and 76 deletions
--- a/data/model/oauth.py
+++ b/data/model/oauth.py
@ -1,3 +1,5 @@
+import logging
+
 from datetime import datetime, timedelta
 from oauth2lib.provider import AuthorizationProvider
 from oauth2lib import utils
@ -6,6 +8,9 @@ from data.database import OAuthApplication, OAuthAuthorizationCode, OAuthAccessT
 from auth import scopes


+logger = logging.getLogger(__name__)
+
+
 class DatabaseAuthorizationProvider(AuthorizationProvider):
  def get_authorized_user(self):
    raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')
@ -41,28 +46,25 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
  def validate_access(self):
    return self.get_authorized_user() is not None

-  def lookup_access_token(self, client_id):
-    try:
-      found = (OAuthAccessToken
-        .select()
-        .join(OAuthApplication)
-        .where(OAuthApplication.client_id == client_id)
-        .get())
-      return found
-    except OAuthAccessToken.DoesNotExist:
-      return None
+  def load_authorized_scope_string(self, client_id, username):
+    found = (OAuthAccessToken
+      .select()
+      .join(OAuthApplication)
+      .switch(OAuthAccessToken)
+      .join(User)
+      .where(OAuthApplication.client_id == client_id, User.username == username,
+             OAuthAccessToken.expires_at > datetime.now()))
+    found = list(found)
+    logger.debug('Found %s matching tokens.', len(found))
+    long_scope_string = ','.join([token.scope for token in found])
+    logger.debug('Computed long scope string: %s', long_scope_string)
+    return long_scope_string

-  def validate_has_scopes(self, client_id, scope):
-    access_token = self.lookup_access_token(client_id)
-    if not access_token:
-      return False
-
-    # Make sure the token is not expired.
-    if access_token.expires_at <= datetime.now():
-      return False
+  def validate_has_scopes(self, client_id, username, scope):
+    long_scope_string = self.load_authorized_scope_string(client_id, username)

    # Make sure the token contains the given scopes (at least).
-    return scopes.is_subset_string(access_token.scope, scope)
+    return scopes.is_subset_string(long_scope_string, scope)

  def from_authorization_code(self, client_id, code, scope):
    try: