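def __do_verify(self, errors):
    """Verify that the OAuth client named ``self.__name`` exists and is configured.

    Fetches the client's metadata from IDCS using the bootstrap token and
    checks its grants, scopes and app roles, appending any findings to
    ``errors`` (a list owned by the caller). A success line is printed only
    when nothing was added to ``errors``.

    Raises:
        IllegalStateException: the response carries no ``allowedGrants``
            field, i.e. the client does not exist or the token cannot see it.
        Anything raised by the request or by the IDCS error handler is
            logged as a verification failure and re-raised unchanged.
    """
    self.__output('Verifying OAuth Client ' + self.__name)
    try:
        auth = 'Bearer ' + self.__get_bootstrap_token()
        # NOTE(review): the client name is spliced into the query URL as-is
        # and closed with an encoded double quote ('%22'), which looks like a
        # SCIM filter. A name containing '"', '%' or other reserved
        # characters would change the filter; consider urllib.parse.quote()
        # unless names are validated upstream -- confirm the endpoint format.
        url = (self.__idcs_url + OAuthClient._CLIENT_EP + self.__name +
               '%22')
        response = self.__request_utils.do_get_request(
            url, Utils.scim_headers(self.__host, auth), self.__timeout_ms)
        self.__check_not_none(response, 'client metadata')
        status = response.get_status_code()
        content = response.get_content()
        if status >= codes.multiple_choices:
            OAuthClient.__idcs_errors(
                response, 'Getting client ' + self.__name)
        grants = Utils.get_field(content, 'allowedGrants')
        if grants is None:
            # An empty search result carries no 'allowedGrants' field.
            raise IllegalStateException(
                'OAuth Client ' + self.__name + ' doesn\'t exist, or the ' +
                'token file is invalid, user who downloads the token ' +
                'must have Identity Domain Administrator role')
        # Each check appends its findings to 'errors' instead of raising.
        self.__verify_grants(grants, errors)
        self.__verify_scopes(
            Utils.get_field(content, 'allowedScopes', 'fqs'), errors)
        self.__verify_role(
            Utils.get_field(content, 'grantedAppRoles', 'display'), errors)
        if errors:
            return
        self.__output('Verification succeed')
    except Exception:
        self.__output('Verification failed of OAuth client ' + self.__name)
        # Bare re-raise keeps the original traceback intact.
        raise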
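def __add_app(self, auth, payload):
    """Create the custom OAuth client application in IDCS.

    Args:
        auth: value for the Authorization header (e.g. 'Bearer <token>').
        payload: request body describing the application.

    Returns:
        OAuthClient.Client built from the 'id', 'name' and 'clientSecret'
        fields of the response.

    Raises:
        IllegalStateException: the client already exists (HTTP 409) or the
            response lacks one of the required fields. Other non-2xx
            responses are handed to the IDCS error handler.
    """
    response = self.__request_utils.do_post_request(
        self.__idcs_url + Utils.APP_ENDPOINT,
        Utils.scim_headers(self.__host, auth), payload, self.__timeout_ms)
    self.__check_not_none(response, 'response of adding OAuth client')
    status = response.get_status_code()
    content = response.get_content()
    if status == codes.conflict:
        raise IllegalStateException(
            'OAuth Client ' + self.__name + ' already exists. To ' +
            'recreate, run with ' + OAuthClient._DELETE_FLAG + '. To ' +
            'verify if existing client is configured correctly, run with ' +
            OAuthClient._VERIFY_FLAG)
    if status >= codes.multiple_choices:
        OAuthClient.__idcs_errors(response, 'Adding custom client')
    fields = ('id', 'name', 'clientSecret')
    values = {name: Utils.get_field(content, name) for name in fields}
    missing = [name for name in fields if values[name] is None]
    if missing:
        # The original appended the response body to the format string,
        # which fails on any body containing braces (JSON) and would also
        # echo a 'clientSecret' into exception text. Report only the field
        # names and status instead.
        raise IllegalStateException(
            'Unable to find {0} in response of adding OAuth client '
            '(HTTP status {1})'.format(', '.join(missing), status))
    return OAuthClient.Client(
        values['id'], values['name'], values['clientSecret'])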
def __get_id(self, auth, url, resource):
    """Fetch ``url`` and return its 'id' field as a string.

    ``resource`` only labels the error messages. Non-2xx responses are
    handed to the IDCS error handler; a missing 'id' is rejected by
    ``Utils.get_field`` (``allow_none=False``).
    """
    headers = Utils.scim_headers(self.__host, auth)
    reply = self.__request_utils.do_get_request(
        url, headers, self.__timeout_ms)
    self.__check_not_none(reply, 'getting ' + resource + ' id')
    status = reply.get_status_code()
    if status >= codes.multiple_choices:
        OAuthClient.__idcs_errors(reply, 'Getting id of ' + resource)
    identifier = Utils.get_field(
        reply.get_content(), 'id', allow_none=False)
    return str(identifier)
def __get_psm_audience(self, auth):
    """Return the PSM application's 'audience' field from IDCS as a string.

    Non-2xx responses are handed to the IDCS error handler; a missing
    'audience' is rejected by ``Utils.get_field`` (``allow_none=False``).
    """
    endpoint = self.__idcs_url + OAuthClient._PSM_APP_EP
    reply = self.__request_utils.do_get_request(
        endpoint, Utils.scim_headers(self.__host, auth), self.__timeout_ms)
    self.__check_not_none(reply, 'getting account metadata')
    if reply.get_status_code() >= codes.multiple_choices:
        OAuthClient.__idcs_errors(reply, 'Getting account metadata')
    audience = Utils.get_field(
        reply.get_content(), 'audience', allow_none=False)
    return str(audience)
def __remove_client(self, auth, app_id):
    """Delete the OAuth client application ``app_id`` from IDCS.

    Returns on any 2xx status; any other status is passed to the IDCS
    error handler.
    """
    # NOTE(review): 'sep' is defined outside this block; if it is os.sep the
    # URL is platform-dependent (backslash on Windows) -- confirm it is '/'.
    target = self.__idcs_url + Utils.APP_ENDPOINT + sep + app_id
    reply = self.__request_utils.do_delete_request(
        target, Utils.scim_headers(self.__host, auth), self.__timeout_ms)
    self.__check_not_none(reply, 'response of deleting OAuth client')
    status = reply.get_status_code()
    succeeded = codes.ok <= status < codes.multiple_choices
    if not succeeded:
        OAuthClient.__idcs_errors(
            reply, 'removing OAuth client ' + self.__name)
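def __get_andc_info(self, auth):
    """Fetch the ANDC application's metadata from IDCS.

    Returns:
        OAuthClient.ANDC(app_id, audience) built from the 'id' and
        'audience' fields of the response.

    Raises:
        IllegalStateException: either field is absent from the response.
            Non-2xx responses are handed to the IDCS error handler first.
    """
    response = self.__request_utils.do_get_request(
        self.__idcs_url + OAuthClient._ANDC_APP_EP,
        Utils.scim_headers(self.__host, auth), self.__timeout_ms)
    self.__check_not_none(response, 'getting service metadata')
    content = response.get_content()
    if response.get_status_code() >= codes.multiple_choices:
        OAuthClient.__idcs_errors(response, 'Getting service metadata')
    audience = 'audience'
    app_id = 'id'
    audience_value = Utils.get_field(content, audience)
    app_id_value = Utils.get_field(content, app_id)
    if audience_value is None or app_id_value is None:
        # The body is passed through a placeholder rather than appended to
        # the format string: a JSON body contains braces, which str.format
        # would otherwise try to interpret and fail on.
        raise IllegalStateException(
            'Unable to find {0} or {1} in {2}'.format(
                audience, app_id, content))
    return OAuthClient.ANDC(app_id_value, audience_value)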
def _grant_role(self, auth, payload):
    """POST ``payload`` to the grant endpoint (grants ANDC_FullAccessRole).

    Returns on any 2xx status; any other status is passed to the IDCS
    error handler.
    """
    # NOTE(review): this method reads single-underscore attributes
    # (_request_utils, _idcs_url, ...) while sibling methods use the
    # double-underscore forms -- confirm both spellings exist on the class.
    reply = self._request_utils.do_post_request(
        self._idcs_url + Utils.GRANT_ENDPOINT,
        Utils.scim_headers(self._host, auth), payload, self._timeout_ms)
    self._check_not_none(reply, ' response of granting role')
    status = reply.get_status_code()
    if not (codes.ok <= status < codes.multiple_choices):
        OAuthClient._idcs_errors(reply, 'Granting required role to client')
def _deactivate_app(self, auth, app_id):
    """Set the OAuth client application ``app_id`` to deactivated.

    PUTs ``OAuthClient._DEACTIVATE`` to the status endpoint. Returns on any
    2xx status; any other status is passed to the IDCS error handler.
    """
    # NOTE(review): 'sep' is defined outside this block; if it is os.sep the
    # URL is platform-dependent (backslash on Windows) -- confirm it is '/'.
    target = self._idcs_url + Utils.STATUS_ENDPOINT + sep + app_id
    reply = self._request_utils.do_put_request(
        target, Utils.scim_headers(self._host, auth),
        OAuthClient._DEACTIVATE, self._timeout_ms)
    self._check_not_none(reply, 'response of deactivating OAuth client')
    status = reply.get_status_code()
    succeeded = codes.ok <= status < codes.multiple_choices
    if not succeeded:
        OAuthClient._idcs_errors(
            reply, 'deactivating OAuth client ' + self._name)
def __idcs_errors(response, action):
    """Hand a failed IDCS response to ``Utils.handle_idcs_errors``.

    ``action`` names what was being attempted; the appended hint lists the
    usual causes (expired token, token with wrong scopes, missing Identity
    Domain Administrator role). Takes no ``self``; callers invoke it on the
    class.
    """
    hint = (' Access token in the token file expired,'
            ' or the token file is generated with incorrect scopes,'
            ' requires Identity Domain Administrator')
    Utils.handle_idcs_errors(response, action, hint)