예제 #1
 def validate_client_secret(self, client_id, client_secret):
     """Check a presented client secret against the stored credential.

     Returns False when no application is registered under ``client_id``;
     otherwise returns whatever ``secure_client_secret.matches`` reports.
     """
     try:
         oauth_app = OAuthApplication.get(client_id=client_id)
         stored_secret = oauth_app.secure_client_secret
         # Invariant check only: ``assert`` is stripped under ``python -O``,
         # in which case a missing credential surfaces as an AttributeError
         # from the ``.matches`` call below instead of an AssertionError.
         assert stored_secret is not None
         return stored_secret.matches(client_secret)
     except OAuthApplication.DoesNotExist:
         return False
예제 #2
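    def persist_token_information(self, client_id, scope, access_token,
                                  token_type, expires_in, refresh_token, data):
        """Store a newly issued access token for the user named in ``data``.

        The token is split at ``ACCESS_TOKEN_PREFIX_LENGTH``: the prefix is
        stored as ``token_name`` and the remainder is handed to
        ``Credential.from_string``. The ``access_token`` field itself is
        written as an empty string.

        Raises:
            AssertionError: if a refresh token is supplied, or if the access
                token does not split into a full-length prefix and a code of
                at least ``ACCESS_TOKEN_MINIMUM_CODE_LENGTH``.
            RuntimeError: if the username in ``data`` does not resolve to a
                user.
        """
        # These checks gate what gets persisted as a credential, so they are
        # explicit raises rather than ``assert`` statements, which
        # ``python -O`` removes. AssertionError is kept so callers see the
        # same exception type as before.
        if refresh_token:
            raise AssertionError("refresh tokens are not supported here")

        found = user.get_user(json.loads(data)["username"])
        if not found:
            raise RuntimeError("Username must be in the data field")

        token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
        token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]

        # The messages deliberately leave out the token material itself.
        if not token_name or len(token_name) != ACCESS_TOKEN_PREFIX_LENGTH:
            raise AssertionError("access token prefix has the wrong length")
        if not token_code or len(token_code) < ACCESS_TOKEN_MINIMUM_CODE_LENGTH:
            raise AssertionError("access token code is too short")

        oauth_app = OAuthApplication.get(client_id=client_id)
        expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
        OAuthAccessToken.create(
            application=oauth_app,
            authorized_user=found,
            scope=scope,
            token_name=token_name,
            token_code=Credential.from_string(token_code),
            # The full token is not written to this field.
            access_token="",
            token_type=token_type,
            expires_at=expires_at,
            data=data,
        )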
예제 #3
파일: oauth.py 프로젝트: zhill/quay
    def validate_client_secret(self, client_id, client_secret):
        """Check a presented client secret for the application ``client_id``.

        Returns False when the application does not exist. While the
        ``READ_OLD_FIELDS`` migration flag is active and the application has
        no ``secure_client_secret``, the legacy ``client_secret`` field is
        compared directly; otherwise the result of
        ``secure_client_secret.matches`` is returned.
        """
        try:
            oauth_app = OAuthApplication.get(client_id=client_id)

            # TODO(remove-unenc): Remove legacy check.
            legacy_reads = ActiveDataMigration.has_flag(
                ERTMigrationFlags.READ_OLD_FIELDS)
            stored_secret = oauth_app.secure_client_secret
            if legacy_reads and stored_secret is None:
                # NOTE(review): ``==`` on the legacy field is not a
                # constant-time comparison. Consider ``hmac.compare_digest``
                # once the operand types (str vs bytes, possible None) are
                # confirmed.
                return oauth_app.client_secret == client_secret

            # Invariant check only; ``python -O`` strips it, after which a
            # missing credential raises AttributeError on ``.matches``.
            assert stored_secret is not None
            return stored_secret.matches(client_secret)
        except OAuthApplication.DoesNotExist:
            return False
예제 #4
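    def persist_authorization_code(self, client_id, full_code, scope):
        """Store an authorization code issued to the application ``client_id``.

        ``full_code`` is split at ``AUTHORIZATION_CODE_PREFIX_LENGTH``: the
        prefix is stored as ``code_name`` and the remainder is handed to
        ``Credential.from_string``.

        Raises:
            AssertionError: if ``full_code`` is shorter than twice the prefix
                length.
        """
        oauth_app = OAuthApplication.get(client_id=client_id)
        data = self._generate_data_string()

        # Explicit raise instead of ``assert``: ``python -O`` strips asserts,
        # which would let a too-short code be split and stored with an
        # undersized credential part. AssertionError is kept so callers see
        # the same exception type as before.
        if len(full_code) < AUTHORIZATION_CODE_PREFIX_LENGTH * 2:
            raise AssertionError("authorization code is too short")

        code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
        code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]

        OAuthAuthorizationCode.create(
            application=oauth_app,
            scope=scope,
            code_name=code_name,
            code_credential=Credential.from_string(code_credential),
            data=data,
        )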
예제 #5
파일: oauth.py 프로젝트: xzwupeng/quay
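    def validate_redirect_uri(self, client_id, redirect_uri):
        """Decide whether ``redirect_uri`` is acceptable for ``client_id``.

        Accepts the instance's own local OAuth handler URL, or a URI that
        extends the application's registered ``redirect_uri``. Returns False
        for an unknown application or any other URI.

        A bare ``startswith`` test is not enough when the registered value
        has no path: its host is then not terminated, so a longer hostname
        or a userinfo form that merely begins with the same characters would
        also match. In that case the text following the registered prefix
        must start a path, query or fragment, or be an explicit numeric port
        followed by one of those. Registered values that already contain a
        path keep the previous prefix semantics.
        """
        # Function-scope import: the module's import block is not in view.
        import re

        internal_redirect_url = '%s%s' % (get_app_url(
            config.app_config), url_for('web.oauth_local_handler'))

        if redirect_uri == internal_redirect_url:
            return True

        try:
            oauth_app = OAuthApplication.get(client_id=client_id)
            registered = oauth_app.redirect_uri
            if not (registered and redirect_uri
                    and redirect_uri.startswith(registered)):
                return False

            remainder = redirect_uri[len(registered):]
            if not remainder:
                # Exact match with the registered value.
                return True

            # If the registered value already contains '/', '?' or '#' after
            # the scheme, its authority is closed and any suffix stays on
            # the same host.
            after_scheme = registered.split('://', 1)[-1]
            if any(ch in after_scheme for ch in '/?#'):
                return True

            # Otherwise the suffix must not be able to extend the authority.
            if remainder[0] in '/?#':
                return True
            return re.match(r':[0-9]+(?:[/?#]|\Z)', remainder) is not None
        except OAuthApplication.DoesNotExist:
            return False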
예제 #6
파일: oauth.py 프로젝트: xzwupeng/quay
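    def persist_authorization_code(self, client_id, full_code, scope):
        """Store an authorization code issued to the application ``client_id``.

        ``full_code`` is split at ``AUTHORIZATION_CODE_PREFIX_LENGTH``: the
        prefix is stored as ``code_name`` and the remainder is handed to
        ``Credential.from_string``. While the ``WRITE_OLD_FIELDS`` migration
        flag is active, the recombined code is also written to the legacy
        ``code`` field; otherwise that field is written as None.

        Raises:
            AssertionError: if ``full_code`` is shorter than twice the prefix
                length.
        """
        oauth_app = OAuthApplication.get(client_id=client_id)
        data = self._generate_data_string()

        # Explicit raise instead of ``assert``: ``python -O`` strips asserts,
        # which would let a too-short code be split and stored with an
        # undersized credential part. AssertionError is kept so callers see
        # the same exception type as before.
        if len(full_code) < AUTHORIZATION_CODE_PREFIX_LENGTH * 2:
            raise AssertionError("authorization code is too short")

        code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
        code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]

        # TODO(remove-unenc): Remove legacy fallback.
        # A separate local is used instead of rebinding the ``full_code``
        # parameter. NOTE(review): while the flag is set, the whole code is
        # stored as-is in ``code`` next to the credential form. Presumably
        # this is the unencrypted legacy field the TODO refers to; confirm,
        # and retire the flag once the migration completes.
        legacy_code = None
        if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
            legacy_code = code_name + code_credential

        OAuthAuthorizationCode.create(
            application=oauth_app,
            code=legacy_code,
            scope=scope,
            code_name=code_name,
            code_credential=Credential.from_string(code_credential),
            data=data)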
예제 #7
 def get_application_for_client_id(self, client_id):
     """Return the OAuthApplication for ``client_id``, or None if there is none."""
     try:
         oauth_app = OAuthApplication.get(client_id=client_id)
     except OAuthApplication.DoesNotExist:
         # An unknown client id is reported as None, not as an exception.
         oauth_app = None
     return oauth_app
예제 #8
def lookup_application(org, client_id):
    """Return the OAuthApplication matching both ``org`` and ``client_id``.

    The lookup filters on the organization as well as the client id, so a
    client id registered under a different organization yields None.
    """
    try:
        oauth_app = OAuthApplication.get(organization=org, client_id=client_id)
    except OAuthApplication.DoesNotExist:
        oauth_app = None
    return oauth_app