def post(self, request, *args, **kwargs):
"""
Handles token post
"""
_ = args, kwargs
if 'grant_type' not in request.POST:
return HttpResponseBadRequest, {'error': 'invalid_request'}
grant_type = request.POST['grant_type']
scopes = None
if 'scope' in request.POST:
scopes = RoleList.get_roles_by_codes(request.POST['scope'].split(' '))
if grant_type == 'password':
# Resource Owner Password Credentials Grant
if 'username' not in request.POST or 'password' not in request.POST:
return HttpResponseBadRequest, {'error': 'invalid_request'}
username = request.POST['username']
password = request.POST['password']
user = UserList.get_user_by_username(username)
if user is None or user.password != hashlib.sha256(password).hexdigest():
return HttpResponseBadRequest, {'error': 'invalid_client'}
if user.is_active is False:
return HttpResponseBadRequest, {'error': 'inactive_user'}
clients = [client for client in user.clients if client.ovs_type == 'FRONTEND' and client.grant_type == 'PASSWORD']
if len(clients) != 1:
return HttpResponseBadRequest, {'error': 'unauthorized_client'}
client = clients[0]
try:
access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes)
access_token.expiration = int(time.time() + 86400)
access_token.save()
except ValueError as error:
return HttpResponseBadRequest, {'error': str(error)}
Toolbox.clean_tokens(client)
return HttpResponse, {'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 86400}
elif grant_type == 'client_credentials':
# Client Credentials
if 'HTTP_AUTHORIZATION' not in request.META:
return HttpResponseBadRequest, {'error': 'missing_header'}
_, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ')
client_id, client_secret = base64.decodestring(password_hash).split(':', 1)
try:
client = Client(client_id)
if client.grant_type != 'CLIENT_CREDENTIALS':
return HttpResponseBadRequest, {'error': 'invalid_grant'}
if not client.user.is_active:
return HttpResponseBadRequest, {'error': 'inactive_user'}
try:
access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes)
except ValueError as error:
return HttpResponseBadRequest, {'error': str(error)}
Toolbox.clean_tokens(client)
return HttpResponse, {'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 3600}
except:
return HttpResponseBadRequest, {'error': 'invalid_client'}
else:
return HttpResponseBadRequest, {'error': 'unsupported_grant_type'}
def post(self, request, *args, **kwargs):
"""
Handles token post
"""
logger = LogHandler.get('api', 'oauth2')
_ = args, kwargs
if 'grant_type' not in request.POST:
return HttpResponseBadRequest, {'error': 'invalid_request'}
grant_type = request.POST['grant_type']
scopes = None
if 'scope' in request.POST:
scopes = RoleList.get_roles_by_codes(request.POST['scope'].split(' '))
if grant_type == 'password':
# Resource Owner Password Credentials Grant
if 'username' not in request.POST or 'password' not in request.POST:
return HttpResponseBadRequest, {'error': 'invalid_request'}
username = request.POST['username']
password = request.POST['password']
user = UserList.get_user_by_username(username)
if user is None or user.password != hashlib.sha256(password).hexdigest():
return HttpResponseBadRequest, {'error': 'invalid_client'}
if user.is_active is False:
return HttpResponseBadRequest, {'error': 'inactive_user'}
clients = [client for client in user.clients if client.ovs_type == 'INTERNAL' and client.grant_type == 'PASSWORD']
if len(clients) != 1:
return HttpResponseBadRequest, {'error': 'unauthorized_client'}
client = clients[0]
try:
access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes)
access_token.expiration = int(time.time() + 86400)
access_token.save()
except ValueError as error:
return HttpResponseBadRequest, {'error': str(error)}
Toolbox.clean_tokens(client)
return HttpResponse, {'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 86400}
elif grant_type == 'client_credentials':
# Client Credentials
if 'HTTP_AUTHORIZATION' not in request.META:
return HttpResponseBadRequest, {'error': 'missing_header'}
_, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ')
client_id, client_secret = base64.b64decode(password_hash).split(':', 1)
try:
client = Client(client_id)
if client.grant_type != 'CLIENT_CREDENTIALS':
return HttpResponseBadRequest, {'error': 'invalid_grant'}
if client.client_secret != client_secret:
return HttpResponseBadRequest, {'error': 'invalid_client'}
if not client.user.is_active:
return HttpResponseBadRequest, {'error': 'inactive_user'}
try:
access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes)
except ValueError as error:
return HttpResponseBadRequest, {'error': str(error)}
try:
Toolbox.clean_tokens(client)
except Exception as error:
logger.error('Error during session cleanup: {0}'.format(error))
return HttpResponse, {'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 3600}
except Exception as ex:
logger.exception('Error matching client: {0}'.format(ex))
return HttpResponseBadRequest, {'error': 'invalid_client'}
else:
return HttpResponseBadRequest, {'error': 'unsupported_grant_type'}
