def client_create(context, data_dict):
model = context['model']
user = context['user']
tk.check_access('oauth2provider_client_create', context, data_dict)
client = Client(user_id=data_dict['user_id'],
name=data_dict['name'],
url=data_dict['url'],
redirect_uri=data_dict['redirect_uri'],
client_type=data_dict['client_type'])
client.save()
model.repo.commit()
return client
def authorize(self):
context = self._get_context()
try:
tk.check_access('oauth2provider_token_create', context)
except tk.NotAuthorized:
return tk.abort(401)
client_id = self._get_required_param('client_id')
response_type = tk.request.params.get('redirect_uri', 'code')
scopes = self._get_required_param('scope').split(' ')
redirect_uri = tk.request.params.get('redirect_uri', '')
state = tk.request.params.get('state', '')
if state:
session['oauth2provider_state'] = state
session.save()
client = Client.get(client_id=client_id)
data = {
'client_name': client.name,
'client_id': client.client_id,
'response_type': response_type,
'redirect_uri': redirect_uri,
'scopes': scopes,
}
vars = {'data': data, 'action': 'authorize'}
return tk.render('ckanext/oauth2provider/authorize.html',
extra_vars=vars)
def authorize(self):
context = self._get_context()
try:
tk.check_access('oauth2provider_token_create', context)
except tk.NotAuthorized:
return tk.abort(401)
client_id = self._get_required_param('client_id')
response_type = tk.request.params.get('redirect_uri', 'code')
scopes = self._get_required_param('scope').split(' ')
redirect_uri = tk.request.params.get('redirect_uri', '')
state = tk.request.params.get('state', '')
if state:
session['oauth2provider_state'] = state
session.save()
client = Client.get(client_id=client_id)
data = {
'client_name': client.name,
'client_id': client.client_id,
'response_type': response_type,
'redirect_uri': redirect_uri,
'scopes': scopes,
}
vars = {'data': data, 'action': 'authorize'}
return tk.render('ckanext/oauth2provider/authorize.html',
extra_vars=vars)
def access_token(self):
context = self._get_context()
code = self._get_required_param('code')
client_id = self._get_required_param('client_id')
client_secret = self._get_required_param('client_secret')
response_type = tk.request.params.get('redirect_uri', 'code')
redirect_uri = tk.request.params.get('redirect_uri', '')
client = Client.get(client_id=client_id)
grant = Grant.get(code=code)
if client_id != client.client_id or grant.client_id != client_id:
return self._json_response(
{'error': 'Invalid clientId for this grant'})
if client.client_secret != client_secret:
return self._json_response({'error': 'Invalid client_secret'})
#TODO check for expired grant
# Create an access token
token = AccessToken(user_id=grant.user_id,
client_id=client.id,
expires=get_token_expiry(public=False),
scope=grant.scope)
token.save()
model.repo.commit()
return self._json_response({
'access_token': token.token,
'expires': int(token.expires.strftime("%s")),
'refresh_token': '',
'scope': token.scope,
})
def client_delete(context, data_dict):
model = context['model']
user = context['user']
tk.check_access('oauth2provider_client_delete', context, data_dict)
id = tk.get_or_bust(data_dict, 'id')
client = Client.get(id=id)
client.delete()
model.repo.commit()
def authorize(self):
context = self._get_context()
try:
tk.check_access('oauth2provider_token_create', context)
except tk.NotAuthorized:
return tk.abort(401)
client_id = self._get_required_param('client_id')
response_type = tk.request.params.get('redirect_uri', 'code')
scopes = self._get_required_param('scope').split(' ')
redirect_uri = tk.request.params.get('redirect_uri', '')
state = tk.request.params.get('state', '')
convert_user_name_or_id_to_id = tk.get_converter(
'convert_user_name_or_id_to_id')
user_id = convert_user_name_or_id_to_id(context['user'], context)
# If the grant already exists.
grant = Grant.get(user_id=user_id, client_id=client_id)
if grant:
if state:
redirect_uri = set_query_parameter(redirect_uri, 'state', state)
# Send the grant code to client via GET as defined by OAuth spec
redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code)
return tk.redirect_to(str(redirect_uri))
if state:
session['oauth2provider_state'] = state
session.save()
client = Client.get(client_id=client_id)
data = {
'client_name': client.name,
'client_id': client.client_id,
'response_type': response_type,
'redirect_uri': redirect_uri,
'scopes': scopes,
}
vars = {'data': data, 'action': 'authorize'}
return tk.render('ckanext/oauth2provider/authorize.html',
extra_vars=vars)
def access_token(self):
context = self._get_context()
code = self._get_required_param('code')
client_id = self._get_required_param('client_id')
client_secret = self._get_required_param('client_secret')
response_type = tk.request.params.get('redirect_uri', 'code')
redirect_uri = tk.request.params.get('redirect_uri', '')
client = Client.get(client_id=client_id)
grant = Grant.get(code=code)
if client_id != client.client_id or grant.client_id != client_id:
return self._json_response({
'error': 'Invalid clientId for this grant'
})
if client.client_secret != client_secret:
return self._json_response({
'error': 'Invalid client_secret'
})
#TODO check for expired grant
# Create an access token
token = AccessToken(user_id=grant.user_id,
client_id=client.id,
expires=get_token_expiry(public=False),
scope=grant.scope)
token.save()
model.repo.commit()
return self._json_response({
'access_token': token.token,
'expires': int(token.expires.strftime("%s")),
'refresh_token': '',
'scope': token.scope,
})
def authorize_confirm(self, data=None):
context = self._get_context()
try:
tk.check_access('oauth2provider_token_create', context)
except tk.NotAuthorized:
return tk.abort(
401, tk._('You must be logged in to authorize a grant.'))
authorize = tk.request.params.get('authorize')
if not authorize:
return tk.abort(401, tk._('Authorization was not confirmed.'))
client_id = self._get_required_param('client_id')
scope = '+'.join(tk.request.params.getall('scope'))
redirect_uri = tk.request.params.get('redirect_uri', '')
user = model.User.by_name(context['user'])
# Check if the client exists
client = Client.get(client_id=client_id)
grant = tk.get_action('oauth2provider_grant_create')(
context, {
'client_id': client.client_id,
'user_id': user.id,
'redirect_uri': redirect_uri,
'scope': scope,
})
# Get an optional saved state that clients can pass in
# (Meteor's accounts-oauth lib does this)
state = session.get('oauth2provider_state', '')
if state:
redirect_uri = set_query_parameter(redirect_uri, 'state', state)
# Send the grant code to client via GET as defined by OAuth spec
redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code)
return tk.redirect_to(str(redirect_uri))
def authorize_confirm(self, data=None):
context = self._get_context()
try:
tk.check_access('oauth2provider_token_create', context)
except tk.NotAuthorized:
return tk.abort(401, tk._('You must be logged in to authorize a grant.'))
authorize = tk.request.params.get('authorize')
if not authorize:
return tk.abort(401, tk._('Authorization was not confirmed.'))
client_id = self._get_required_param('client_id')
scope = '+'.join(tk.request.params.getall('scope'))
redirect_uri = tk.request.params.get('redirect_uri', '')
user = model.User.by_name(context['user'])
# Check if the client exists
client = Client.get(client_id=client_id)
grant = tk.get_action('oauth2provider_grant_create')(context, {
'client_id': client.client_id,
'user_id': user.id,
'redirect_uri': redirect_uri,
'scope': scope,
})
# Get an optional saved state that clients can pass in
# (Meteor's accounts-oauth lib does this)
state = session.get('oauth2provider_state', '')
if state:
redirect_uri = set_query_parameter(redirect_uri, 'state', state)
# Send the grant code to client via GET as defined by OAuth spec
redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code)
return tk.redirect_to(str(redirect_uri))
def client_list(context, data_dict):
tk.check_access('oauth2provider_client_list', context, data_dict)
clients = Client.find().all()
return clients
def client_show(context, data_dict):
tk.check_access('oauth2provider_client_show', context, data_dict)
id = tk.get_or_bust(data_dict, 'id')
client = Client.get(id)
return client
def authorize(self):
context = self._get_context()
auto_allow_addresses = config.get(
'ckanext.ddug.auto_allow_remote_addresses', '127.0.0.1')
address_list = auto_allow_addresses.split()
remote_address = request.remote_addr
try:
tk.check_access('oauth2provider_token_create', context)
except tk.NotAuthorized:
return tk.abort(401)
client_id = self._get_required_param('client_id')
response_type = tk.request.params.get('redirect_uri', 'code')
redirect_uri = tk.request.params.get('redirect_uri', '')
state = tk.request.params.get('state', '')
convert_user_name_or_id_to_id = tk.get_converter(
'convert_user_name_or_id_to_id')
user_id = convert_user_name_or_id_to_id(context['user'], context)
# If the grant already exists.
grant = Grant.get(user_id=user_id, client_id=client_id)
if grant:
if state:
redirect_uri = set_query_parameter(redirect_uri, 'state',
state)
# Send the grant code to client via GET as defined by OAuth spec
redirect_uri = set_query_parameter(redirect_uri, 'code',
grant.code)
return tk.redirect_to(str(redirect_uri))
# if remote address is in auto allow list
elif (remote_address in address_list):
client = Client.get(client_id=client_id)
scope = 'read'
grant = tk.get_action('oauth2provider_grant_create')(
context, {
'client_id': client.client_id,
'user_id': user_id,
'redirect_uri': redirect_uri,
'scope': scope,
})
if state:
redirect_uri = set_query_parameter(redirect_uri, 'state',
state)
# Send the grant code to client via GET as defined by OAuth spec
redirect_uri = set_query_parameter(redirect_uri, 'code',
grant.code)
return tk.redirect_to(str(redirect_uri))
else:
if state:
session['oauth2provider_state'] = state
session.save()
client = Client.get(client_id=client_id)
scope = self._get_required_param('scope').split(' ')
data = {
'client_name': client.name,
'client_id': client.client_id,
'response_type': response_type,
'redirect_uri': redirect_uri,
'scopes': scope,
}
vars = {'data': data, 'action': 'authorize'}
return tk.render('ckanext/oauth2provider/authorize.html',
extra_vars=vars)