archive/pillar
0
0
Fork 0
Code Issues 42 Pull Requests Projects Releases Wiki Activity
Files
263d68071ef7eb01a2c16601b8ceb6adbb076f08
pillar/pillar/auth/oauth.py

229 lines
7.4 KiB
Python
Raw Normal View History

Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
import abc
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
import json
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
import logging
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
import typing
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
import attr
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
from rauth import OAuth2Service
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
from flask import current_app, url_for, request, redirect, session, Response
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
@attr.s
class OAuthUserResponse:
"""Represents user information requested to an OAuth provider after
authenticating.
"""
id = attr.ib(validator=attr.validators.instance_of(str))
email = attr.ib(validator=attr.validators.instance_of(str))
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
access_token = attr.ib(validator=attr.validators.instance_of(str))
scopes: typing.List[str] = attr.ib(validator=attr.validators.instance_of(list))
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
class OAuthError(Exception):
"""Superclass of all exceptions raised by this module."""
class ProviderConfigurationMissing(OAuthError):
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
"""Raised when an OAuth provider is used but not configured."""
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
class ProviderNotImplemented(OAuthError):
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
"""Raised when a provider is requested that does not exist."""
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
class OAuthCodeNotProvided(OAuthError):
"""Raised when the 'code' arg is not provided in the OAuth callback."""
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
class ProviderNotConfigured:
"""Dummy class that indicates a provider isn't configured."""
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
class OAuthSignIn(metaclass=abc.ABCMeta):
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
provider_name: str = None # set in each subclass.
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
_providers = None # initialized in get_provider()
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
_log = logging.getLogger(f'{__name__}.OAuthSignIn')
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
def __init__(self):
credentials = current_app.config['OAUTH_CREDENTIALS'].get(self.provider_name)
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
if not credentials:
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
raise ProviderConfigurationMissing(
f'Missing OAuth credentials for {self.provider_name}')
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
self.consumer_id = credentials['id']
self.consumer_secret = credentials['secret']
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
# Set in a subclass
self.service: OAuth2Service = None
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
@abc.abstractmethod
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
def authorize(self) -> Response:
"""Redirect to the correct authorization endpoint for the current provider.
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
Depending on the provider, we sometimes have to specify a different
'scope'.
"""
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
pass
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
@abc.abstractmethod
def callback(self) -> OAuthUserResponse:
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
"""Callback performed after authorizing the user.
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
This is usually a request to a protected /me endpoint to query for
user information, such as user id and email address.
"""
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
pass
def get_callback_url(self):
Revert "Replaced config SCHEME with Flask's own PREFERRED_URL_SCHEME setting." This reverts commit 8318d4b1f69846e21002acafd4f410f5003af6f6.
2017-09-01 16:19:58 +02:00
return url_for('users.oauth_callback', provider=self.provider_name,
_external=True, _scheme=current_app.config['SCHEME'])
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
@staticmethod
def auth_code_from_request() -> str:
try:
return request.args['code']
except KeyError:
raise OAuthCodeNotProvided('A code argument was not provided in the request')
@staticmethod
def decode_json(payload):
return json.loads(payload.decode('utf-8'))
def make_oauth_session(self):
return self.service.get_auth_session(
data={'code': self.auth_code_from_request(),
'grant_type': 'authorization_code',
'redirect_uri': self.get_callback_url()},
decoder=self.decode_json
)
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
@classmethod
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
def get_provider(cls, provider_name) -> 'OAuthSignIn':
if cls._providers is None:
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
cls._init_providers()
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
try:
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
provider = cls._providers[provider_name]
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
except KeyError:
raise ProviderNotImplemented(f'No such OAuth provider {provider_name}')
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
if provider is ProviderNotConfigured:
raise ProviderConfigurationMissing(f'OAuth provider {provider_name} not configured')
return provider
@classmethod
def _init_providers(cls):
cls._providers = {}
for provider_class in cls.__subclasses__():
try:
provider = provider_class()
except ProviderConfigurationMissing:
cls._log.info('OAuth provider %s not configured',
provider_class.provider_name)
provider = ProviderNotConfigured
cls._providers[provider_class.provider_name] = provider
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
class BlenderIdSignIn(OAuthSignIn):
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
provider_name = 'blender-id'
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
scopes = ['email', 'badge']
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
def __init__(self):
Use urljoin() to compose OAuth URLs instead of string concatenation String concatenation is bound to mess up; in this case it was producing double slashes instead of single ones when `BLENDER_ID_ENDPOINT` ends in a slash. Since URLs generally end in a slash, this should be supported.
2018-08-29 14:17:17 +02:00
from urllib.parse import urljoin
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
super().__init__()
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
Make more consistent use of BLENDER_ID_ENDPOINT Now BLENDER_ID_ENDPOINT is used for the Blender ID OAuth config, and it's directly accessed when building requests for Blender ID token validation (without using utility functions).
2018-06-22 19:38:27 +02:00
base_url = current_app.config['BLENDER_ID_ENDPOINT']
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
self.service = OAuth2Service(
name='blender-id',
client_id=self.consumer_id,
client_secret=self.consumer_secret,
Use urljoin() to compose OAuth URLs instead of string concatenation String concatenation is bound to mess up; in this case it was producing double slashes instead of single ones when `BLENDER_ID_ENDPOINT` ends in a slash. Since URLs generally end in a slash, this should be supported.
2018-08-29 14:17:17 +02:00
authorize_url=urljoin(base_url, 'oauth/authorize'),
access_token_url=urljoin(base_url, 'oauth/token'),
Always use urljoin to construct Blender ID URLs
2018-09-11 17:53:23 +02:00
base_url=urljoin(base_url, 'api/'),
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
)
def authorize(self):
return redirect(self.service.get_authorize_url(
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
scope=' '.join(self.scopes),
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
response_type='code',
redirect_uri=self.get_callback_url())
)
def callback(self):
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
oauth_session = self.make_oauth_session()
Initial tests for OAuthSignIn
2017-08-24 12:38:43 +02:00
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
# TODO handle exception for failed oauth or not authorized
Added some type checks before assigning to session['blender_id_oauth_token'] There were some sporadic TypeErrors where the session var was set to a tuple instead of a string; this is a way to figure out where that happens.
2017-10-17 12:16:20 +02:00
access_token = oauth_session.access_token
assert isinstance(access_token, str), f'oauth token must be str, not {type(access_token)}'
session['blender_id_oauth_token'] = access_token
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
me = oauth_session.get('user').json()
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
# Blender ID doesn't tell us which scopes were granted by the user, so
# for now assume we got all the scopes we requested.
# (see https://github.com/jazzband/django-oauth-toolkit/issues/644)
return OAuthUserResponse(str(me['id']), me['email'], access_token, self.scopes)
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
class FacebookSignIn(OAuthSignIn):
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
provider_name = 'facebook'
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
def __init__(self):
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
super().__init__()
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
self.service = OAuth2Service(
name='facebook',
client_id=self.consumer_id,
client_secret=self.consumer_secret,
authorize_url='https://graph.facebook.com/oauth/authorize',
access_token_url='https://graph.facebook.com/oauth/access_token',
base_url='https://graph.facebook.com/'
)
def authorize(self):
return redirect(self.service.get_authorize_url(
scope='email',
response_type='code',
redirect_uri=self.get_callback_url())
)
def callback(self):
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
oauth_session = self.make_oauth_session()
Initial work to support multiple OAuth clients
2017-07-25 17:50:22 +02:00
me = oauth_session.get('me?fields=id,email').json()
# TODO handle case when user chooses not to disclose en email
Switch to class-based OAuthUserResponse Instead of returning an arbirary number of items, we provide a standardized and better documented response.
2017-08-23 17:58:52 +02:00
# see https://developers.facebook.com/docs/graph-api/reference/user/
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
return OAuthUserResponse(me['id'], me.get('email'), '', [])
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
class GoogleSignIn(OAuthSignIn):
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
provider_name = 'google'
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
def __init__(self):
OAuth signin: streamlined instantiation of OAuthSignIn subclasses
2017-08-25 12:35:08 +02:00
super().__init__()
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
self.service = OAuth2Service(
name='google',
client_id=self.consumer_id,
client_secret=self.consumer_secret,
authorize_url='https://accounts.google.com/o/oauth2/auth',
access_token_url='https://accounts.google.com/o/oauth2/token',
base_url='https://www.googleapis.com/oauth2/v1/'
)
def authorize(self):
return redirect(self.service.get_authorize_url(
scope='https://www.googleapis.com/auth/userinfo.email',
response_type='code',
redirect_uri=self.get_callback_url())
)
def callback(self):
Tests for providers callbacks Also added SERVER_NAME in config_testing and pre-populated the keys of OAUTH_CREDENTIALS, since the implementation of providers is part of the application.
2017-08-25 10:32:04 +02:00
oauth_session = self.make_oauth_session()
Move Blender ID to extensible OAuth Also, added support for Google OAuth.
2017-07-27 23:31:26 +02:00
me = oauth_session.get('userinfo').json()
Store Blender ID OAuth scopes in MongoDB + request `badge` scope too This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
return OAuthUserResponse(str(me['id']), me['email'], '', [])
Reference in New Issue Copy Permalink