def client_create(context, data_dict): model = context['model'] user = context['user'] tk.check_access('oauth2provider_client_create', context, data_dict) client = Client(user_id=data_dict['user_id'], name=data_dict['name'], url=data_dict['url'], redirect_uri=data_dict['redirect_uri'], client_type=data_dict['client_type']) client.save() model.repo.commit() return client
def authorize(self): context = self._get_context() try: tk.check_access('oauth2provider_token_create', context) except tk.NotAuthorized: return tk.abort(401) client_id = self._get_required_param('client_id') response_type = tk.request.params.get('redirect_uri', 'code') scopes = self._get_required_param('scope').split(' ') redirect_uri = tk.request.params.get('redirect_uri', '') state = tk.request.params.get('state', '') if state: session['oauth2provider_state'] = state session.save() client = Client.get(client_id=client_id) data = { 'client_name': client.name, 'client_id': client.client_id, 'response_type': response_type, 'redirect_uri': redirect_uri, 'scopes': scopes, } vars = {'data': data, 'action': 'authorize'} return tk.render('ckanext/oauth2provider/authorize.html', extra_vars=vars)
def access_token(self): context = self._get_context() code = self._get_required_param('code') client_id = self._get_required_param('client_id') client_secret = self._get_required_param('client_secret') response_type = tk.request.params.get('redirect_uri', 'code') redirect_uri = tk.request.params.get('redirect_uri', '') client = Client.get(client_id=client_id) grant = Grant.get(code=code) if client_id != client.client_id or grant.client_id != client_id: return self._json_response( {'error': 'Invalid clientId for this grant'}) if client.client_secret != client_secret: return self._json_response({'error': 'Invalid client_secret'}) #TODO check for expired grant # Create an access token token = AccessToken(user_id=grant.user_id, client_id=client.id, expires=get_token_expiry(public=False), scope=grant.scope) token.save() model.repo.commit() return self._json_response({ 'access_token': token.token, 'expires': int(token.expires.strftime("%s")), 'refresh_token': '', 'scope': token.scope, })
def client_delete(context, data_dict): model = context['model'] user = context['user'] tk.check_access('oauth2provider_client_delete', context, data_dict) id = tk.get_or_bust(data_dict, 'id') client = Client.get(id=id) client.delete() model.repo.commit()
def authorize(self): context = self._get_context() try: tk.check_access('oauth2provider_token_create', context) except tk.NotAuthorized: return tk.abort(401) client_id = self._get_required_param('client_id') response_type = tk.request.params.get('redirect_uri', 'code') scopes = self._get_required_param('scope').split(' ') redirect_uri = tk.request.params.get('redirect_uri', '') state = tk.request.params.get('state', '') convert_user_name_or_id_to_id = tk.get_converter( 'convert_user_name_or_id_to_id') user_id = convert_user_name_or_id_to_id(context['user'], context) # If the grant already exists. grant = Grant.get(user_id=user_id, client_id=client_id) if grant: if state: redirect_uri = set_query_parameter(redirect_uri, 'state', state) # Send the grant code to client via GET as defined by OAuth spec redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code) return tk.redirect_to(str(redirect_uri)) if state: session['oauth2provider_state'] = state session.save() client = Client.get(client_id=client_id) data = { 'client_name': client.name, 'client_id': client.client_id, 'response_type': response_type, 'redirect_uri': redirect_uri, 'scopes': scopes, } vars = {'data': data, 'action': 'authorize'} return tk.render('ckanext/oauth2provider/authorize.html', extra_vars=vars)
def access_token(self): context = self._get_context() code = self._get_required_param('code') client_id = self._get_required_param('client_id') client_secret = self._get_required_param('client_secret') response_type = tk.request.params.get('redirect_uri', 'code') redirect_uri = tk.request.params.get('redirect_uri', '') client = Client.get(client_id=client_id) grant = Grant.get(code=code) if client_id != client.client_id or grant.client_id != client_id: return self._json_response({ 'error': 'Invalid clientId for this grant' }) if client.client_secret != client_secret: return self._json_response({ 'error': 'Invalid client_secret' }) #TODO check for expired grant # Create an access token token = AccessToken(user_id=grant.user_id, client_id=client.id, expires=get_token_expiry(public=False), scope=grant.scope) token.save() model.repo.commit() return self._json_response({ 'access_token': token.token, 'expires': int(token.expires.strftime("%s")), 'refresh_token': '', 'scope': token.scope, })
def authorize_confirm(self, data=None): context = self._get_context() try: tk.check_access('oauth2provider_token_create', context) except tk.NotAuthorized: return tk.abort( 401, tk._('You must be logged in to authorize a grant.')) authorize = tk.request.params.get('authorize') if not authorize: return tk.abort(401, tk._('Authorization was not confirmed.')) client_id = self._get_required_param('client_id') scope = '+'.join(tk.request.params.getall('scope')) redirect_uri = tk.request.params.get('redirect_uri', '') user = model.User.by_name(context['user']) # Check if the client exists client = Client.get(client_id=client_id) grant = tk.get_action('oauth2provider_grant_create')( context, { 'client_id': client.client_id, 'user_id': user.id, 'redirect_uri': redirect_uri, 'scope': scope, }) # Get an optional saved state that clients can pass in # (Meteor's accounts-oauth lib does this) state = session.get('oauth2provider_state', '') if state: redirect_uri = set_query_parameter(redirect_uri, 'state', state) # Send the grant code to client via GET as defined by OAuth spec redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code) return tk.redirect_to(str(redirect_uri))
def authorize_confirm(self, data=None): context = self._get_context() try: tk.check_access('oauth2provider_token_create', context) except tk.NotAuthorized: return tk.abort(401, tk._('You must be logged in to authorize a grant.')) authorize = tk.request.params.get('authorize') if not authorize: return tk.abort(401, tk._('Authorization was not confirmed.')) client_id = self._get_required_param('client_id') scope = '+'.join(tk.request.params.getall('scope')) redirect_uri = tk.request.params.get('redirect_uri', '') user = model.User.by_name(context['user']) # Check if the client exists client = Client.get(client_id=client_id) grant = tk.get_action('oauth2provider_grant_create')(context, { 'client_id': client.client_id, 'user_id': user.id, 'redirect_uri': redirect_uri, 'scope': scope, }) # Get an optional saved state that clients can pass in # (Meteor's accounts-oauth lib does this) state = session.get('oauth2provider_state', '') if state: redirect_uri = set_query_parameter(redirect_uri, 'state', state) # Send the grant code to client via GET as defined by OAuth spec redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code) return tk.redirect_to(str(redirect_uri))
def client_list(context, data_dict): tk.check_access('oauth2provider_client_list', context, data_dict) clients = Client.find().all() return clients
def client_show(context, data_dict): tk.check_access('oauth2provider_client_show', context, data_dict) id = tk.get_or_bust(data_dict, 'id') client = Client.get(id) return client
def authorize(self): context = self._get_context() auto_allow_addresses = config.get( 'ckanext.ddug.auto_allow_remote_addresses', '127.0.0.1') address_list = auto_allow_addresses.split() remote_address = request.remote_addr try: tk.check_access('oauth2provider_token_create', context) except tk.NotAuthorized: return tk.abort(401) client_id = self._get_required_param('client_id') response_type = tk.request.params.get('redirect_uri', 'code') redirect_uri = tk.request.params.get('redirect_uri', '') state = tk.request.params.get('state', '') convert_user_name_or_id_to_id = tk.get_converter( 'convert_user_name_or_id_to_id') user_id = convert_user_name_or_id_to_id(context['user'], context) # If the grant already exists. grant = Grant.get(user_id=user_id, client_id=client_id) if grant: if state: redirect_uri = set_query_parameter(redirect_uri, 'state', state) # Send the grant code to client via GET as defined by OAuth spec redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code) return tk.redirect_to(str(redirect_uri)) # if remote address is in auto allow list elif (remote_address in address_list): client = Client.get(client_id=client_id) scope = 'read' grant = tk.get_action('oauth2provider_grant_create')( context, { 'client_id': client.client_id, 'user_id': user_id, 'redirect_uri': redirect_uri, 'scope': scope, }) if state: redirect_uri = set_query_parameter(redirect_uri, 'state', state) # Send the grant code to client via GET as defined by OAuth spec redirect_uri = set_query_parameter(redirect_uri, 'code', grant.code) return tk.redirect_to(str(redirect_uri)) else: if state: session['oauth2provider_state'] = state session.save() client = Client.get(client_id=client_id) scope = self._get_required_param('scope').split(' ') data = { 'client_name': client.name, 'client_id': client.client_id, 'response_type': response_type, 'redirect_uri': redirect_uri, 'scopes': scope, } vars = {'data': data, 'action': 'authorize'} return tk.render('ckanext/oauth2provider/authorize.html', extra_vars=vars)