def test_register_conf_from_app(self):
app = Flask(__name__)
app.config.update({
'DEV_CLIENT_KEY': 'dev',
'DEV_CLIENT_SECRET': 'dev',
})
oauth = OAuth(app)
oauth.register('dev')
self.assertEqual(oauth.dev.client_key, 'dev')
def register(self, app):
oauth = OAuth(app)
oauth.register(
name=self.name,
client_id=self.client_id,
client_secret=self.client_secret,
access_token_url=self.access_token_url,
authorize_url=self.authorize_url,
client_kwargs=self.client_kwargs,
fetch_token=self.fetch_token_from_session,
)
return oauth
def test_register_remote_app(self):
app = Flask(__name__)
oauth = OAuth(app)
self.assertRaises(AttributeError, lambda: oauth.dev)
oauth.register(
'dev',
client_key='dev',
client_secret='dev',
)
self.assertEqual(oauth.dev.name, 'dev')
self.assertEqual(oauth.dev.client_key, 'dev')
def test_register_oauth1_remote_app(self):
app = Flask(__name__)
oauth = OAuth(app)
oauth.register('dev',
client_id='dev',
client_secret='dev',
request_token_url='https://i.b/reqeust-token',
api_base_url='https://i.b/api',
access_token_url='https://i.b/token',
authorize_url='https://i.b/authorize')
self.assertEqual(oauth.dev.name, 'dev')
self.assertEqual(oauth.dev.client_id, 'dev')
def test_init_app_later(self):
app = Flask(__name__)
app.config.update({
'DEV_CLIENT_KEY': 'dev',
'DEV_CLIENT_SECRET': 'dev',
})
oauth = OAuth()
remote = oauth.register('dev')
self.assertRaises(RuntimeError, lambda: oauth.dev.client_key)
oauth.init_app(app)
self.assertEqual(oauth.dev.client_key, 'dev')
self.assertEqual(remote.client_key, 'dev')
def test_register_oauth1_remote_app(self):
app = Flask(__name__)
app.config.update({'OAUTH_CLIENT_CACHE_TYPE': 'null'})
oauth = OAuth(app)
oauth.register('dev',
client_key='dev',
client_secret='dev',
request_token_url='https://i.b/reqeust-token',
base_url='https://i.b/api',
access_token_url='https://i.b/token',
authorize_url='https://i.b/authorize')
self.assertEqual(oauth.dev.name, 'dev')
self.assertEqual(oauth.dev.client_key, 'dev')
def test_register_oauth2_remote_app(self):
app = Flask(__name__)
oauth = OAuth(app)
oauth.register('dev',
client_id='dev',
client_secret='dev',
api_base_url='https://i.b/api',
access_token_url='https://i.b/token',
refresh_token_url='https://i.b/token',
authorize_url='https://i.b/authorize',
update_token=lambda name: 'hi')
self.assertEqual(oauth.dev.name, 'dev')
session = oauth.dev._get_session()
self.assertIsNotNone(session.token_updater)
def init_app(self, app):
"""Do setup required by a Flask app."""
app.config.setdefault('AUTH0_ALGORITHMS', 'RS256')
app.config.setdefault('AUTH0_AUDIENCE', None)
app.config.setdefault('AUTH0_CALLBACK_URL', None)
app.config.setdefault('AUTH0_CLIENT_ID', None)
app.config.setdefault('AUTH0_CLIENT_SECRET', None)
app.config.setdefault('AUTH0_DOMAIN', None)
app.config.setdefault('AUTH0_LOGOUT_URL', None)
app.config.setdefault('AUTH0_REQUIRE_VERIFIED_EMAIL', True)
app.config.setdefault('AUTH0_SESSION_JWT_PAYLOAD_KEY', 'jwt_payload')
app.config.setdefault('AUTH0_SESSION_TOKEN_KEY', 'auth0_token')
app.config.setdefault('AUTH0_SCOPE', 'openid profile email')
self._client_id = app.config['AUTH0_CLIENT_ID']
self._client_secret = app.config['AUTH0_CLIENT_SECRET']
self._domain = app.config['AUTH0_DOMAIN']
self._base_url = 'https://{}'.format(self._domain)
self._access_token_url = self._base_url + '/oauth/token'
self._callback_url = app.config['AUTH0_CALLBACK_URL']
self._logout_url = app.config['AUTH0_LOGOUT_URL']
self._authorize_url = self._base_url + '/authorize'
default_audience = self._base_url + '/userinfo'
self._audience = app.config.get('AUTH0_AUDIENCE', default_audience)
self._scope = app.config['AUTH0_SCOPE']
self._session_token_key = app.config['AUTH0_SESSION_TOKEN_KEY']
self._session_jwt_payload_key = \
app.config['AUTH0_SESSION_JWT_PAYLOAD_KEY']
self._auth0 = OAuth(app).register(
'auth0',
client_id=self._client_id,
client_secret=self._client_secret,
api_base_url=self._base_url,
access_token_url=self._access_token_url,
authorize_url=self._authorize_url,
client_kwargs={
'audience': self._audience,
'scope': self._scope,
},
)
route = urlparse(self._callback_url).path
app.route(route)(self._callback)
@app.errorhandler(AuthError)
def handle_auth_error(ex):
response = flask.jsonify(ex.error)
response.status_code = ex.status_code
return response
def establish_login_auth(app):
oauth = OAuth(app)
auth0 = oauth.register(
"auth0",
client_id=AUTH0_CLIENT_ID,
client_secret=AUTH0_CLIENT_SECRET,
api_base_url="https://%s/" % AUTH0_DOMAIN,
access_token_url="https://%s/oauth/token" % AUTH0_DOMAIN,
authorize_url="https://%s/authorize" % AUTH0_DOMAIN,
client_kwargs={"scope": "openid profile email"},
)
return auth0
def add_auth_controllers(app: Flask, config: Config, db: Database):
oauth = OAuth(app, Cache())
def handle_authorize(remote, token, user_info):
sub = user_info['sub']
email = user_info['email']
user_info['providerName'] = remote.name
session['user_info'] = user_info
with db.session_scope() as conn:
user = conn.query(User).filter(
or_(User.sub == sub,
and_(User.email == email, User.email != None))).first()
if not user:
user = User(sub=sub, email=email)
conn.add(user)
user.email = email
user.name = user_info['name']
user.avatar = user_info['picture']
conn.flush()
session['user_id'] = user.id
return redirect('/')
for backend in backends:
bp = create_flask_blueprint(backend, oauth, handle_authorize)
app.register_blueprint(bp, url_prefix='/{}'.format(backend.OAUTH_NAME))
@app.route('/logout')
def logout(): # pylint: disable=unused-variable
del session['user_info']
del session['user_id']
return redirect('/')
def test_init_app_later(self):
app = Flask(__name__)
app.config.update({
'DEV_CLIENT_ID': 'dev',
'DEV_CLIENT_SECRET': 'dev',
})
oauth = OAuth()
remote = oauth.register('dev')
self.assertRaises(RuntimeError, lambda: oauth.dev.client_id)
oauth.init_app(app)
self.assertEqual(oauth.dev.client_id, 'dev')
self.assertEqual(remote.client_id, 'dev')
self.assertIsNone(oauth.cache)
self.assertIsNone(oauth.fetch_token)
self.assertIsNone(oauth.update_token)
def test_register_with_overwrite(self):
app = Flask(__name__)
app.config.update({
'DEV_CLIENT_ID': 'dev-1',
'DEV_CLIENT_SECRET': 'dev',
'DEV_ACCESS_TOKEN_PARAMS': {'foo': 'foo-1'}
})
oauth = OAuth(app)
oauth.register(
'dev', overwrite=True,
client_id='dev',
access_token_params={'foo': 'foo'}
)
self.assertEqual(oauth.dev.client_id, 'dev-1')
self.assertEqual(oauth.dev.client_secret, 'dev')
self.assertEqual(oauth.dev.access_token_params['foo'], 'foo-1')
def setup():
# Initializing OAuth.
oauth = OAuth(current_app)
current_app.secret_key = os.environ['APP_SECRET_KEY']
global auth0
auth0 = oauth.register(
'auth0',
client_id=os.environ['CLIENT_ID'],
client_secret=os.environ['CLIENT_SECRET'],
api_base_url=os.environ['AUTH0_DOMAIN'],
access_token_url=os.environ['AUTH0_DOMAIN'] + '/oauth/token',
authorize_url=os.environ['AUTH0_DOMAIN'] + '/authorize',
client_kwargs={
'scope': 'openid email profile', # What data you want to fetch.
},
)
def setup():
# Initializing OAuth
oauth = OAuth(current_app)
current_app.secret_key = 'random_string'
global auth0
auth0 = oauth.register(
'auth0',
client_id=os.environ['CLIENT_ID'],
client_secret=os.environ['CLIENT_SECRET'],
api_base_url=os.environ['AUTH0_DOMAIN'],
access_token_url=os.environ['AUTH0_DOMAIN'] + '/oauth/token',
authorize_url=os.environ['AUTH0_DOMAIN'] + '/authorize',
client_kwargs={
'scope': 'openid profile',
},
)
def test_oauth2_access_token_with_post(self):
app = Flask(__name__)
app.secret_key = '!'
oauth = OAuth(app)
client = oauth.register('dev',
client_id='dev',
client_secret='dev',
api_base_url='https://i.b/api',
access_token_url='https://i.b/token',
authorize_url='https://i.b/authorize')
payload = {'code': 'a', 'state': 'b'}
with app.test_request_context(data=payload, method='POST'):
session['_dev_authlib_state_'] = 'b'
with mock.patch('requests.sessions.Session.send') as send:
send.return_value = mock_send_value(get_bearer_token())
token = client.authorize_access_token()
self.assertEqual(token['access_token'], 'a')
def init_app(self, app):
self.app = app
app.auth_manager = self
app.context_processor(_user_context_processor)
app.context_processor(_user_roles_context_processor)
if app.config.get('AUTH_METHOD') == 'google':
app.config.setdefault('GOOGLE_ALLOWED_DOMAINS', [])
from authlib.flask.client import OAuth
self.oauth = OAuth(app)
from loginpass import create_flask_blueprint
from loginpass.google import Google
from .google import handle_authorize
google_bp = create_flask_blueprint(Google, self.oauth,
handle_authorize)
app.register_blueprint(google_bp, url_prefix='/auth/google')
self.login_view = 'loginpass_google.login'
elif app.config.get('AUTH_METHOD') == 'oidc':
from authlib.flask.client import OAuth
self.oauth = OAuth(app)
from loginpass import create_flask_blueprint
from .oidc import create_oidc_backend, handle_authorize
backend = create_oidc_backend('oidc',
app.config['OIDC_CLIENT_SECRETS'],
app.config.get('OIDC_SCOPES'))
oidc_bp = create_flask_blueprint(backend, self.oauth,
handle_authorize)
app.register_blueprint(oidc_bp, url_prefix='/auth/oidc')
self.login_view = 'loginpass_oidc.login'
else:
from . import local_views
app.register_blueprint(local_views.bp, url_prefix='/auth/local')
self.login_view = 'auth_local.login'
from . import views
app.register_blueprint(views.bp, url_prefix='/auth')
def register_extensions(app: Flask):
# Initializes oauth
global oauth
oauth = OAuth(app)
# Initializes JWT
global jwt
jwt = JWTManager(app)
return app
def setup_oauth_backends(main_app: Flask, cache: Cache) -> OAuth:
"""
Configure the OAuth2 service providers.
"""
oauth = OAuth(main_app, cache=cache)
for backend in OAUTH_BACKENDS.values():
remote = register_to(backend, oauth, RemoteApp)
OAUTH_REMOTE_APPS[backend.OAUTH_NAME] = remote
return oauth
class Federation:
def __init__(self):
self.clients = set()
self._authlib_clients = OAuth()
def register(self, client_name, **kwargs):
self.clients.add(client_name)
self._authlib_clients.register(client_name, **kwargs)
def get(self, client_name):
if client_name in self.clients:
return self._authlib_clients.create_client(client_name)
return None
def init_app(self, app):
self.register('solidsea',
client_cls=OIDCClient,
discovery_url=app.config['SOLIDSEA_DISCOVERY_URL'])
self._authlib_clients.init_app(app)
class CAPOAuth(object):
"""CAP auth extension."""
def __init__(self, app=None):
"""Extension initialization."""
if app:
self.init_app(app)
def init_app(self, app):
"""Flask application initialization."""
self.auth = OAuth(app,
fetch_token=_fetch_token,
update_token=_update_token)
self.register_oauth_services()
self.app = app
app.extensions['cap-auth'] = self
def register_oauth_services(self):
for service in OAUTH_SERVICES:
self.auth.register(**OAUTH_SERVICES[service])
def __init__(self, app):
self.app = app
self.auth0 = OAuth(app).register(
"auth0",
client_id=Auth.AUTH0_CLIENT_ID,
client_secret=Auth.AUTH0_CLIENT_SECRET,
api_base_url=Auth.AUTH0_BASE_URL,
access_token_url=Auth.AUTH0_BASE_URL + "/oauth/token",
authorize_url=Auth.AUTH0_BASE_URL + "/authorize",
client_kwargs={"scope": Auth.SCOPE},
)
class Federation:
def __init__(self):
self.clients = []
self._authlib_clients = OAuth()
def register(self, client_name, **kwargs):
self.clients.append(client_name)
self._authlib_clients.register(client_name, **kwargs)
def get(self, client_name):
if client_name in self.clients:
return self._authlib_clients.create_client(client_name)
return None
def init_app(self, app):
for client_name in app.config['FEDERATION']:
log.info('Registering client "{}"'.format(client_name))
module_name = app.config.get('{}_CLIENT_MODULE'.format(
client_name.upper()))
self.register(client_name, client_cls=get_client_cls(module_name))
self._authlib_clients.init_app(app)
def test_request_with_refresh_token(self):
app = Flask(__name__)
app.secret_key = '!'
oauth = OAuth()
expired_token = {
'token_type': 'Bearer',
'access_token': 'expired-a',
'refresh_token': 'expired-b',
'expires_in': '3600',
'expires_at': 1566465749,
}
oauth.init_app(app, fetch_token=lambda name: expired_token)
client = oauth.register('dev',
client_id='dev',
client_secret='dev',
api_base_url='https://i.b/api',
access_token_url='https://i.b/token',
refresh_token_url='https://i.b/token',
authorize_url='https://i.b/authorize')
def fake_send(sess, req, **kwargs):
if req.url == 'https://i.b/token':
auth = req.headers['Authorization']
self.assertIn('Basic', auth)
resp = mock.MagicMock()
resp.json = get_bearer_token
resp.status_code = 200
return resp
resp = mock.MagicMock()
resp.text = 'hi'
resp.status_code = 200
return resp
with app.test_request_context():
with mock.patch('requests.sessions.Session.send', fake_send):
resp = client.get('/api/user', token=expired_token)
self.assertEqual(resp.text, 'hi')
def init_auth(state):
global auth
oauth = OAuth(state.app)
config = state.app.config
provider = config.get('AUTH_PROVIDER')
scope = config.get('AUTH_SCOPE')
domain = config.get('AUTH_DOMAIN')
client_id = config.get('AUTH_CLIENT_ID')
client_secret = config.get('AUTH_CLIENT_SECRET')
auth = oauth.register(
provider,
client_id=client_id,
client_secret=client_secret,
api_base_url=domain,
access_token_url='{}/oauth/token'.format(domain),
authorize_url='{}/authorize'.format(domain),
client_kwargs={
'scope': scope,
},
)
def test_register_built_in_app(self):
app = Flask(__name__)
app.config.update({
'OAUTH_CLIENT_CACHE_TYPE': 'null',
'TWITTER_CLIENT_KEY': 'twitter_key',
'TWITTER_CLIENT_SECRET': 'twitter_secret',
})
oauth = OAuth(app)
twitter.register_to(oauth)
self.assertEqual(oauth.twitter.name, 'twitter')
self.assertEqual(twitter.client.name, 'twitter')
self.assertTrue(callable(twitter.fetch_user))
self.assertTrue(callable(twitter.client.fetch_user))
self.assertTrue(callable(oauth.twitter.fetch_user))
def test_request_withhold_token(self):
app = Flask(__name__)
app.secret_key = '!'
oauth = OAuth(app)
client = oauth.register('dev',
client_id='dev',
client_secret='dev',
api_base_url='https://i.b/api',
access_token_url='https://i.b/token',
authorize_url='https://i.b/authorize')
def fake_send(sess, req, **kwargs):
auth = req.headers.get('Authorization')
self.assertIsNone(auth)
resp = mock.MagicMock()
resp.text = 'hi'
resp.status_code = 200
return resp
with app.test_request_context():
with mock.patch('requests.sessions.Session.send', fake_send):
resp = client.get('/api/user', withhold_token=True)
self.assertEqual(resp.text, 'hi')
def test_init_app_params(self):
app = Flask(__name__)
oauth = OAuth()
oauth.init_app(app, SimpleCache())
self.assertIsNotNone(oauth.cache)
self.assertIsNone(oauth.update_token)
oauth.init_app(app, update_token=lambda o: o)
self.assertIsNotNone(oauth.update_token)
def test_oauth2_authorize_code_challenge(self):
app = Flask(__name__)
app.secret_key = '!'
oauth = OAuth(app)
client = oauth.register(
'dev',
client_id='dev',
api_base_url='https://i.b/api',
access_token_url='https://i.b/token',
authorize_url='https://i.b/authorize',
code_challenge_method='S256',
)
with app.test_request_context():
resp = client.authorize_redirect('https://b.com/bar')
self.assertEqual(resp.status_code, 302)
url = resp.headers.get('Location')
self.assertIn('code_challenge=', url)
self.assertIn('code_challenge_method=S256', url)
state = session['_dev_authlib_state_']
self.assertIsNotNone(state)
verifier = session['_dev_authlib_code_verifier_']
self.assertIsNotNone(verifier)
def fake_send(sess, req, **kwargs):
self.assertIn('code_verifier={}'.format(verifier), req.body)
return mock_send_value(get_bearer_token())
path = '/?code=a&state={}'.format(state)
with app.test_request_context(path=path):
# session is cleared in tests
session['_dev_authlib_state_'] = state
session['_dev_authlib_code_verifier_'] = verifier
with mock.patch('requests.sessions.Session.send', fake_send):
token = client.authorize_access_token()
self.assertEqual(token['access_token'], 'a')
def get_auth0_client(self):
if ('OAuth' not in g):
g.OAuth = OAuth(current_app).register(
'auth0',
client_id=g.service_data['clientId'],
client_secret=g.service_data['clientSecret'],
api_base_url=g.service_data['domain'],
access_token_url=g.service_data['domain'] + '/oauth/token',
authorize_url=g.service_data['domain'] + '/authorize',
client_kwargs={
'scope':'openid profile'
},
)
return g.OAuth
def test_register_built_in_app(self):
app = Flask(__name__)
app.config.update({
'TWITTER_CLIENT_ID': 'twitter_key',
'TWITTER_CLIENT_SECRET': 'twitter_secret',
})
oauth = OAuth(app)
register_apps(oauth, ['twitter'])
self.assertEqual(oauth.twitter.name, 'twitter')
twitter = get_oauth_app(oauth, 'twitter')
self.assertEqual(twitter, get_app('twitter'))
self.assertEqual(twitter.name, 'twitter')
self.assertEqual(twitter.client.name, 'twitter')
self.assertTrue(callable(twitter.profile))
app = Flask(__name__.split()[0], instance_relative_config='NO_INSTANCE_CONFIG' not in os.environ)
# Loads configuration information from config.py and instance/config.py
app.config.from_object('config')
if 'NO_INSTANCE_CONFIG' not in os.environ:
app.config.from_pyfile('config.py')
celery = Celery(app.name, broker=app.config['CELERY_BROKER_URL'])
celery.conf.update(app.config)
# Enable authentication if configured.
oauth = None # pylint: disable=C0103
if app.config.get('WATERAUTH_AUTHORIZE_URL'):
oauth = OAuth(app) # pylint: disable=C0103
oauth.register('waterauth',
client_kwargs={'verify': app.config.get('VERIFY_CERT', True)}
)
if app.config.get('LOGGING_ENABLED'):
log_directory = app.config.get('LOGGING_DIRECTORY')
loglevel = app.config.get('LOGGING_LEVEL')
handler = _create_log_handler(log_directory)
# Do not set logging level in the handler.
# Otherwise, if Flask's DEBUG is set to False,
# all logging will be disabled.
# Instead, set the level in the logger object.
app.logger.setLevel(loglevel)
app.logger.addHandler(handler)
# celery uses two loggers: one global/worker logger and a second task logger
fh.setLevel(logging.INFO)
fh.setFormatter(fmt)
ch = logging.StreamHandler()
ch.setLevel(logging.INFO)
ch.setFormatter(fmt)
log = logging.getLogger('notebook2')
log.setLevel(logging.INFO)
logging.basicConfig(
handlers=[fh, ch],
level=logging.INFO)
app = Flask(__name__)
sockets = Sockets(app)
oauth = OAuth(app)
scss_path = os.path.join(app.static_folder, 'styles')
css_path = os.path.join(app.static_folder, 'css')
os.makedirs(css_path, exist_ok=True)
sass.compile(dirname=(scss_path, css_path), output_style='compressed')
def read_string(f):
with open(f, 'r') as f:
return f.read().strip()
# Must be int for Kubernetes V1 api timeout_seconds property
KUBERNETES_TIMEOUT_IN_SECONDS = float(os.environ.get('KUBERNETES_TIMEOUT_IN_SECONDS', 5))
