def test_required_roles(self): """ Validates whether the required_roles decorator works """ from api.backend.decorators import required_roles @required_roles(['read', 'write', 'manage']) def the_function_rr(input_value, *args, **kwargs): """ Decorated function """ _ = args, kwargs output['value'] = input_value return HttpResponse(json.dumps(input_value)) time.sleep(180) output = {'value': None} request = self.factory.get('/') with self.assertRaises(HttpUnauthorizedException) as context: the_function_rr(1, request) self.assertEqual(context.exception.status_code, 401) time.sleep(180) request.client = type('Client', (), {}) request.user = type('User', (), {}) request.user.username = '******' with self.assertRaises(HttpUnauthorizedException) as context: the_function_rr(2, request) self.assertEqual(context.exception.status_code, 401) time.sleep(180) user = UserList.get_user_by_username('user') access_token, _ = OAuth2Toolbox.generate_tokens( user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.user.username = '******' request.token = access_token with self.assertRaises(HttpForbiddenException) as context: the_function_rr(3, request) self.assertEqual(context.exception.status_code, 403) self.assertEqual(context.exception.error, 'invalid_roles') self.assertEqual(context.exception.error_description, 'This call requires roles: read, write, manage') time.sleep(180) user = UserList.get_user_by_username('admin') access_token, _ = OAuth2Toolbox.generate_tokens( user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read', 'write', 'manage'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.username = '******' request.token = access_token response = the_function_rr(4, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, '4')
def test_required_roles(self): """ Validates whether the required_roles decorator works """ from api.backend.decorators import required_roles @required_roles(['read', 'write', 'manage']) def the_function_rr(input_value, *args, **kwargs): """ Decorated function """ _ = args, kwargs output['value'] = input_value return HttpResponse(json.dumps(input_value)) time.sleep(180) output = {'value': None} request = self.factory.get('/') with self.assertRaises(HttpUnauthorizedException) as context: the_function_rr(1, request) self.assertEqual(context.exception.status_code, 401) time.sleep(180) request.client = type('Client', (), {}) request.user = type('User', (), {}) request.user.username = '******' with self.assertRaises(HttpUnauthorizedException) as context: the_function_rr(2, request) self.assertEqual(context.exception.status_code, 401) time.sleep(180) user = UserList.get_user_by_username('user') access_token, _ = OAuth2Toolbox.generate_tokens(user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.user.username = '******' request.token = access_token with self.assertRaises(HttpForbiddenException) as context: the_function_rr(3, request) self.assertEqual(context.exception.status_code, 403) self.assertEqual(context.exception.error, 'invalid_roles') self.assertEqual(context.exception.error_description, 'This call requires roles: read, write, manage') time.sleep(180) user = UserList.get_user_by_username('admin') access_token, _ = OAuth2Toolbox.generate_tokens(user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read', 'write', 'manage'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.username = '******' request.token = access_token response = the_function_rr(4, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, '4')
def get(self, request, *args, **kwargs): """ Handles token post """ _ = args, kwargs html_endpoint = Configuration.get( '/ovs/framework/webapps|html_endpoint') if 'code' not in request.GET: OAuth2RedirectView._logger.error( 'Got OAuth2 redirection request without code') return HttpResponseRedirect(html_endpoint) code = request.GET['code'] if 'state' not in request.GET: OAuth2RedirectView._logger.error( 'Got OAuth2 redirection request without state') return HttpResponseRedirect(html_endpoint) state = request.GET['state'] if 'error' in request.GET: error = request.GET['error'] description = request.GET[ 'error_description'] if 'error_description' in request.GET else '' OAuth2RedirectView._logger.error( 'Error {0} during OAuth2 redirection request: {1}'.format( error, description)) return HttpResponseRedirect(html_endpoint) base_url = Configuration.get('/ovs/framework/webapps|oauth2.token_uri') client_id = Configuration.get( '/ovs/framework/webapps|oauth2.client_id') client_secret = Configuration.get( '/ovs/framework/webapps|oauth2.client_secret') parameters = { 'grant_type': 'authorization_code', 'redirect_url': 'https://{0}/api/oauth2/redirect/'.format( System.get_my_storagerouter().ip), 'client_id': client_id, 'code': code } url = '{0}?{1}'.format(base_url, urllib.urlencode(parameters)) headers = { 'Accept': 'application/json', 'Authorization': 'Basic {0}'.format( base64.b64encode('{0}:{1}'.format(client_id, client_secret)).strip()) } raw_response = requests.post(url=url, headers=headers, verify=False) response = raw_response.json() if 'error' in response: error = response['error'] description = response[ 'error_description'] if 'error_description' in response else '' OAuth2RedirectView._logger.error( 'Error {0} during OAuth2 redirection access token: {1}'.format( error, description)) return HttpResponseRedirect(html_endpoint) token = response['access_token'] expires_in = response['expires_in'] clients = ClientList.get_by_types('INTERNAL', 'CLIENT_CREDENTIALS') client = None for current_client in clients: if current_client.user.group.name == 'administrators': client = current_client break if client is None: OAuth2RedirectView._logger.error( 'Could not find INTERNAL CLIENT_CREDENTIALS client in administrator group.' ) return HttpResponseRedirect(html_endpoint) roles = RoleList.get_roles_by_codes(['read', 'write', 'manage']) access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=roles) access_token.expiration = int(time.time() + expires_in) access_token.access_token = token access_token.save() expires = datetime.datetime.now() + datetime.timedelta(minutes=2) response = HttpResponseRedirect(html_endpoint) response.set_cookie('state', state, expires=expires, secure=True) response.set_cookie('accesstoken', token, expires=expires, secure=True) return response
def post(self, request, *args, **kwargs): """ Handles token post """ logger = LogHandler.get('api', 'oauth2') _ = args, kwargs if 'grant_type' not in request.POST: raise HttpBadRequestException( error='invalid_request', error_description='No grant type specified') grant_type = request.POST['grant_type'] scopes = None if 'scope' in request.POST: scopes = RoleList.get_roles_by_codes( request.POST['scope'].split(' ')) if grant_type == 'password': # Resource Owner Password Credentials Grant if 'username' not in request.POST or 'password' not in request.POST: raise HttpBadRequestException( error='invalid_request', error_description='Invalid request') username = request.POST['username'] password = request.POST['password'] user = UserList.get_user_by_username(username) if user is None or user.password != hashlib.sha256( password).hexdigest(): raise HttpBadRequestException( error='invalid_client', error_description='Invalid client') if user.is_active is False: raise HttpBadRequestException( error='inactive_user', error_description='User is inactive') clients = [ client for client in user.clients if client.ovs_type == 'INTERNAL' and client.grant_type == 'PASSWORD' ] if len(clients) != 1: raise HttpBadRequestException( error='unauthorized_client', error_description='Client is unautorized') client = clients[0] try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) access_token.expiration = int(time.time() + 86400) access_token.save() except ValueError as error: if error.message == 'invalid_scope': raise HttpBadRequestException( error='invalid_scope', error_description='Invalid scope requested') raise Toolbox.clean_tokens(client) return HttpResponse(json.dumps({ 'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 86400 }), content_type='application/json') elif grant_type == 'client_credentials': # Client Credentials if 'HTTP_AUTHORIZATION' not in request.META: raise HttpBadRequestException( error='missing_header', error_description='Authorization header missing') _, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ') client_id, client_secret = base64.b64decode(password_hash).split( ':', 1) try: client = Client(client_id) if client.grant_type != 'CLIENT_CREDENTIALS': raise HttpBadRequestException( error='invalid_grant', error_description= 'The given grant type is not supported') if client.client_secret != client_secret: raise HttpBadRequestException( error='invalid_client', error_description='Invalid client') if not client.user.is_active: raise HttpBadRequestException( error='inactive_user', error_description='User is inactive') try: access_token, _ = Toolbox.generate_tokens( client, generate_access=True, scopes=scopes) except ValueError as error: if error.message == 'invalid_scope': raise HttpBadRequestException( error='invalid_scope', error_description='Invalid scope requested') raise try: Toolbox.clean_tokens(client) except Exception as error: logger.error( 'Error during session cleanup: {0}'.format(error)) return HttpResponse(json.dumps({ 'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 3600 }), content_type='application/json') except HttpBadRequestException: raise except ObjectNotFoundException as ex: logger.warning('Error matching client: {0}'.format(ex)) raise HttpBadRequestException( error='invalid_client', error_description='Client could not be found') except Exception as ex: logger.exception('Error matching client: {0}'.format(ex)) raise HttpBadRequestException( error='invalid_client', error_description='Error loading client') else: raise HttpBadRequestException( error='unsupported_grant_type', error_description='Unsupported grant type')
def get(self, request, *args, **kwargs): """ Handles token post """ _ = args, kwargs html_endpoint = Configuration.get('/ovs/framework/webapps|html_endpoint') if 'code' not in request.GET: OAuth2RedirectView._logger.error('Got OAuth2 redirection request without code') return HttpResponseRedirect(html_endpoint) code = request.GET['code'] if 'state' not in request.GET: OAuth2RedirectView._logger.error('Got OAuth2 redirection request without state') return HttpResponseRedirect(html_endpoint) state = request.GET['state'] if 'error' in request.GET: error = request.GET['error'] description = request.GET['error_description'] if 'error_description' in request.GET else '' OAuth2RedirectView._logger.error('Error {0} during OAuth2 redirection request: {1}'.format(error, description)) return HttpResponseRedirect(html_endpoint) base_url = Configuration.get('/ovs/framework/webapps|oauth2.token_uri') client_id = Configuration.get('/ovs/framework/webapps|oauth2.client_id') client_secret = Configuration.get('/ovs/framework/webapps|oauth2.client_secret') parameters = {'grant_type': 'authorization_code', 'redirect_url': 'https://{0}/api/oauth2/redirect/'.format(System.get_my_storagerouter().ip), 'client_id': client_id, 'code': code} url = '{0}?{1}'.format(base_url, urllib.urlencode(parameters)) headers = {'Accept': 'application/json', 'Authorization': 'Basic {0}'.format(base64.b64encode('{0}:{1}'.format(client_id, client_secret)).strip())} raw_response = requests.post(url=url, headers=headers, verify=False) response = raw_response.json() if 'error' in response: error = response['error'] description = response['error_description'] if 'error_description' in response else '' OAuth2RedirectView._logger.error('Error {0} during OAuth2 redirection access token: {1}'.format(error, description)) return HttpResponseRedirect(html_endpoint) token = response['access_token'] expires_in = response['expires_in'] clients = ClientList.get_by_types('INTERNAL', 'CLIENT_CREDENTIALS') client = None for current_client in clients: if current_client.user.group.name == 'administrators': client = current_client break if client is None: OAuth2RedirectView._logger.error('Could not find INTERNAL CLIENT_CREDENTIALS client in administrator group.') return HttpResponseRedirect(html_endpoint) roles = RoleList.get_roles_by_codes(['read', 'write', 'manage']) access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=roles) access_token.expiration = int(time.time() + expires_in) access_token.access_token = token access_token.save() expires = datetime.datetime.now() + datetime.timedelta(minutes=2) response = HttpResponseRedirect(html_endpoint) response.set_cookie('state', state, expires=expires, secure=True) response.set_cookie('accesstoken', token, expires=expires, secure=True) return response
def post(self, request, *args, **kwargs): """ Handles token post """ logger = LogHandler.get('api', 'oauth2') _ = args, kwargs if 'grant_type' not in request.POST: raise HttpBadRequestException(error='invalid_request', error_description='No grant type specified') grant_type = request.POST['grant_type'] scopes = None if 'scope' in request.POST: scopes = RoleList.get_roles_by_codes(request.POST['scope'].split(' ')) if grant_type == 'password': # Resource Owner Password Credentials Grant if 'username' not in request.POST or 'password' not in request.POST: raise HttpBadRequestException(error='invalid_request', error_description='Invalid request') username = request.POST['username'] password = request.POST['password'] user = UserList.get_user_by_username(username) if user is None or user.password != hashlib.sha256(password).hexdigest(): raise HttpBadRequestException(error='invalid_client', error_description='Invalid client') if user.is_active is False: raise HttpBadRequestException(error='inactive_user', error_description='User is inactive') clients = [client for client in user.clients if client.ovs_type == 'INTERNAL' and client.grant_type == 'PASSWORD'] if len(clients) != 1: raise HttpBadRequestException(error='unauthorized_client', error_description='Client is unautorized') client = clients[0] try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) access_token.expiration = int(time.time() + 86400) access_token.save() except ValueError as error: if error.message == 'invalid_scope': raise HttpBadRequestException(error='invalid_scope', error_description='Invalid scope requested') raise Toolbox.clean_tokens(client) return HttpResponse(json.dumps({'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 86400}), content_type='application/json') elif grant_type == 'client_credentials': # Client Credentials if 'HTTP_AUTHORIZATION' not in request.META: raise HttpBadRequestException(error='missing_header', error_description='Authorization header missing') _, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ') client_id, client_secret = base64.b64decode(password_hash).split(':', 1) try: client = Client(client_id) if client.grant_type != 'CLIENT_CREDENTIALS': raise HttpBadRequestException(error='invalid_grant', error_description='The given grant type is not supported') if client.client_secret != client_secret: raise HttpBadRequestException(error='invalid_client', error_description='Invalid client') if not client.user.is_active: raise HttpBadRequestException(error='inactive_user', error_description='User is inactive') try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) except ValueError as error: if error.message == 'invalid_scope': raise HttpBadRequestException(error='invalid_scope', error_description='Invalid scope requested') raise try: Toolbox.clean_tokens(client) except Exception as error: logger.error('Error during session cleanup: {0}'.format(error)) return HttpResponse(json.dumps({'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 3600}), content_type='application/json') except HttpBadRequestException: raise except ObjectNotFoundException as ex: logger.warning('Error matching client: {0}'.format(ex)) raise HttpBadRequestException(error='invalid_client', error_description='Client could not be found') except Exception as ex: logger.exception('Error matching client: {0}'.format(ex)) raise HttpBadRequestException(error='invalid_client', error_description='Error loading client') else: raise HttpBadRequestException(error='unsupported_grant_type', error_description='Unsupported grant type')