Example #1
0
    def wrap_action(self, action_, *args, **kwargs):
        """
        Wrap the controller action ``action_``.

        :param action_: The controller action to be wrapped.

        ``args`` and ``kwargs`` are the positional and named arguments which
        will be passed to ``action_`` when called.

        """
        try:
            # get token
            # from header information
            request = RequestOAuth(args[0].R)
            with ResponseHTTP(response=request.response) as t:
                _in = u'Failed'
                # handle token
                token = request.access_token

                if token:
                    oauth_context = TokenManager.get_token_context(token.get('token'))
                    if oauth_context.valid:
                        args[0].__dict__.update(R=request)
                        kwargs.update(dict(oauth_context=oauth_context))
                        # not mandatory use of oauth, but valid token
                        if self.anon:
                            LOG.debug(oauth_context.valid)
                            return action_(*args, **kwargs)
                        # validate scope
                        elif TokenManager.has_valid_scope(oauth_context.scopes, self.allowed_scopes):
                            LOG.debug(oauth_context.scopes)
                            # kwargs.update(dict(oauth_context=oauth_context))
                            return action_(*args, **kwargs)
                else:
                    if self.anon:
                        return action_(*args, **kwargs)

                # api_key = request.matchdict.get(self.api_field, None)

                # otherwise, we're done, you're not allowed
                message = 'Not authorized for request.'
                code, status = ResponseHTTP.FORBIDDEN
            return t.to_json(_in,
                             message=message,
                             code=code, status=status)
        except ValueError as e:
            LOG.debug(e.message)
def client_credentials_authorization(auth_credentials, scopes=[]):
    """
    The client can request an access token using only its client
    credentials (or other supported means of authentication) when the
    client is requesting access to the protected resources under its
    control, or those of another resource owner which has been previously
    arranged with the authorization server (the method of which is beyond
    the scope of this specification).

    The client credentials grant type MUST only be used by private
    clients.

    +---------+                                  +---------------+
    |         |                                  |               |
    |         |>--(A)- Client Authentication --->| Authorization |
    | Client  |                                  |    Server     |
    |         |<--(B)---- Access Token ---------<|               |
    |         |                                  |               |
    +---------+                                  +---------------+

                 Figure 6: Client Credentials Flow


    The flow illustrated in Figure 6 includes the following steps:

    (A)  The client authenticates with the authorization server and
         requests an access token from the token endpoint.
    (B)  The authorization server authenticates the client, and if valid
         issues an access token.

    Authorization Request and Response
    ----------------------------------

    Since the client authentication is used as the authorization grant,
    no additional authorization request is needed.
    """

    # Authentication
    LOG.debug("Starting client_credentials workflow")
    LOG.debug("Requested scopes: %s" % scopes)

    if auth_credentials is None:
        return AuthErrorHandling.error_unauthorized_client()

    authenticated, client_id = TokenManager.authenticate(auth_credentials.get('client_key'),
                                                         auth_credentials.get('client_secret'))
    if authenticated:
        # Validate allowed
        allowed = TokenManager.can_request_scope(client_id, scopes)
        LOG.debug(allowed)
        if allowed:
            LOG.debug("Authentication allowed, issueing token.")
            access_token = TokenManager.issue_access_token(client_id=client_id,
                                                           allowed_scopes=scopes,
                                                           refreshable=False)
            response = dict(access_token=access_token.token,
                            token_type="bearer",
                            expires_in=access_token.expires_at.isoformat())
            transaction.commit()
            return response
        else:
            LOG.debug("One or more scopes were not allowed: %s" % scopes)
            # Scope was not allowed
            return AuthErrorHandling.error_invalid_scope()
    else:
        LOG.debug("Client is not authorized to ask tokens.")
        # Client not authorized
        return AuthErrorHandling.error_unauthorized_client()
def get_token_context(token):
    return TokenManager.get_token_context(token)
def validate_access_token(access_token, allowed_scopes):
    return TokenManager.is_valid_access_token(access_token, allowed_scopes)