def home():
"""homepage of the app
gui:
shows the group name as title along with an input field for emails
shows number of users in group, if specified in flag (see SHOW_USERS)
view:
sends a POST request to slack to get the number of users
entering a valid email results in a POST request to /invite
"""
# get number of users if flag is True
if show_users:
url = 'https://' + slack_group + '.slack.com/api/users.list'
data = {
'token': token,
}
r = request_post(url, data)
data = json_load(r.text)
users = len(data['members'])
else:
users = ''
# render the template 'homepage.tpl'
return template(
'homepage',
show_users=show_users,
users=users,
bg_color=bg_color,
group_name=group_name,
)
def slack_invite(email):
return request_post('https://%s.slack.com/api/users.admin.invite' %
(env['SLACK_TEAM_NAME']),
data={
"token": env['SLACK_API_TOKEN'],
"email": email,
"set_active": True,
})
def slack_invite(email):
return request_post(
'https://%s.slack.com/api/users.admin.invite' % (env['SLACK_TEAM_NAME']),
data={
"token": env['SLACK_API_TOKEN'],
"email": email,
"set_active": True,
}
)
def check_access_token(self, request):
if not self.is_refreshable_url(request):
debug(f"{request.path} is not refreshable")
return
debug(f"{request.path} is refreshable")
if constants.SESSION_REFRESH_TOKEN not in request.session:
return
expiration = request.session[constants.SESSION_ACCESS_EXPIRES_AT]
now = time()
if expiration > now:
# The id_token is still valid, so we don't have to do anything.
debug('access token is still valid (%s > %s)',
strftime('%d/%m/%Y, %H:%M:%S', gmtime(expiration)),
strftime('%d/%m/%Y, %H:%M:%S', gmtime(now)))
return
debug('access token has expired')
# The access_token has expired, so we have to refresh silently.
# Build the parameters.
params = {
'grant_type': 'refresh_token',
'client_id': settings.OIDC_RP_CLIENT_ID,
'client_secret': settings.OIDC_RP_CLIENT_SECRET,
'refresh_token': request.session[constants.SESSION_REFRESH_TOKEN],
}
resp = request_post(request.session[constants.SESSION_OP_TOKEN_URL],
data=params)
if not resp:
error(resp.text)
raise MiddlewareException(resp.text)
result = resp.json()
access_token = result['access_token']
expires_in = result['expires_in'] # in secs
id_token = result.get('id_token',
request.session[constants.SESSION_ID_TOKEN])
refresh_token = result.get(
'refresh_token', request.session[constants.SESSION_REFRESH_TOKEN])
if id_token != request.session[constants.SESSION_ID_TOKEN]:
# blacklist old token
BlacklistedToken.blacklist(
request.session[constants.SESSION_ID_TOKEN])
now = time()
request.session[constants.SESSION_ID_TOKEN] = id_token
request.session[constants.SESSION_ACCESS_TOKEN] = access_token
request.session[constants.SESSION_ACCESS_EXPIRES_AT] = now + expires_in
request.session[constants.SESSION_REFRESH_TOKEN] = refresh_token
request.session.save()
def invite():
"""invite
REST endpoint for sending invites to slack from homepage
retrieves email id from form, and sends it to slack
uses the slack web API along with supplied token to authenticate user
returns response as json to hompeage to be displayed to the user
"""
# retrieve email field from form
email = request.POST.allitems()[0][1]
# send invite request to slack
url = 'https://' + slack_group + '.slack.com/api/users.admin.invite'
data = {
'email': email,
'token': token,
'set_active': True,
}
# set response as json, and return response
response.content_type = 'application/json'
return request_post(url, data).text
def authenticate(self, request, use_pkce: bool, code: str,
state: Optional[str], nonce: Optional[str],
code_verifier: Optional[str],
**kwargs) -> AbstractBaseUser:
"""Authenticates users using OpenID Connect Authorization code flow."""
if not request:
return None
try:
if use_pkce:
if any((
not code,
not code_verifier,
)):
raise SuspiciousOperation(
'code and code_verifier values are required')
else:
if any((
not code,
not state,
not nonce,
)):
raise SuspiciousOperation(
'code, state and nonce values are required')
params = {
'grant_type':
'authorization_code',
'client_id':
settings.OIDC_RP_CLIENT_ID,
'client_secret':
settings.OIDC_RP_CLIENT_SECRET,
'redirect_uri':
request.build_absolute_uri(
reverse(constants.OIDC_URL_CALLBACK_NAME)),
'code':
code,
}
if use_pkce:
params['code_verifier'] = code_verifier
resp = request_post(
request.session[constants.SESSION_OP_TOKEN_URL], data=params)
if resp.status_code != 200:
raise SuspiciousOperation(f"{resp.status_code} {resp.text}")
result = resp.json()
id_token = result['id_token']
access_token = result['access_token']
expires_in = result.get('expires_in') # in secs, could be missing
refresh_token = result.get(
'refresh_token'
) if 'offline_access' in settings.OIDC_RP_SCOPES else None
id_claims = self.validate_and_decode_id_token(
id_token, nonce, request.session[constants.SESSION_OP_JWKS])
self.validate_claims(id_claims)
now = time()
if expires_in:
expires_at = now + expires_in
else:
expires_at = id_claims.get(
'exp',
now + settings.OIDC_MIDDLEWARE_SESSION_TIMEOUT_SECONDS)
request.session[constants.SESSION_ID_TOKEN] = id_token
request.session[constants.SESSION_ACCESS_TOKEN] = access_token
request.session[constants.SESSION_ACCESS_EXPIRES_AT] = expires_at
request.session[
constants.
SESSION_EXPIRES_AT] = now + settings.OIDC_MIDDLEWARE_SESSION_TIMEOUT_SECONDS
if refresh_token:
request.session[
constants.SESSION_REFRESH_TOKEN] = refresh_token
user = self.get_or_create_user(request, id_claims, access_token)
return user
except Exception as e:
warning(e, str(e))
return None
finally:
# be sure the session is in sync
request.session.save()
