def post(self, request, *args, **kwargs):
"""
Handles token post
"""
logger = LogHandler.get('api', 'oauth2')
_ = args, kwargs
if 'grant_type' not in request.POST:
raise HttpBadRequestException(
error='invalid_request',
error_description='No grant type specified')
grant_type = request.POST['grant_type']
scopes = None
if 'scope' in request.POST:
scopes = RoleList.get_roles_by_codes(
request.POST['scope'].split(' '))
if grant_type == 'password':
# Resource Owner Password Credentials Grant
if 'username' not in request.POST or 'password' not in request.POST:
raise HttpBadRequestException(
error='invalid_request',
error_description='Invalid request')
username = request.POST['username']
password = request.POST['password']
user = UserList.get_user_by_username(username)
if user is None or user.password != hashlib.sha256(
password).hexdigest():
raise HttpBadRequestException(
error='invalid_client', error_description='Invalid client')
if user.is_active is False:
raise HttpBadRequestException(
error='inactive_user',
error_description='User is inactive')
clients = [
client for client in user.clients
if client.ovs_type == 'INTERNAL'
and client.grant_type == 'PASSWORD'
]
if len(clients) != 1:
raise HttpBadRequestException(
error='unauthorized_client',
error_description='Client is unautorized')
client = clients[0]
try:
access_token, _ = Toolbox.generate_tokens(client,
generate_access=True,
scopes=scopes)
access_token.expiration = int(time.time() + 86400)
access_token.save()
except ValueError as error:
if error.message == 'invalid_scope':
raise HttpBadRequestException(
error='invalid_scope',
error_description='Invalid scope requested')
raise
Toolbox.clean_tokens(client)
return HttpResponse(json.dumps({
'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 86400
}),
content_type='application/json')
elif grant_type == 'client_credentials':
# Client Credentials
if 'HTTP_AUTHORIZATION' not in request.META:
raise HttpBadRequestException(
error='missing_header',
error_description='Authorization header missing')
_, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ')
client_id, client_secret = base64.b64decode(password_hash).split(
':', 1)
try:
client = Client(client_id)
if client.grant_type != 'CLIENT_CREDENTIALS':
raise HttpBadRequestException(
error='invalid_grant',
error_description=
'The given grant type is not supported')
if client.client_secret != client_secret:
raise HttpBadRequestException(
error='invalid_client',
error_description='Invalid client')
if not client.user.is_active:
raise HttpBadRequestException(
error='inactive_user',
error_description='User is inactive')
try:
access_token, _ = Toolbox.generate_tokens(
client, generate_access=True, scopes=scopes)
except ValueError as error:
if error.message == 'invalid_scope':
raise HttpBadRequestException(
error='invalid_scope',
error_description='Invalid scope requested')
raise
try:
Toolbox.clean_tokens(client)
except Exception as error:
logger.error(
'Error during session cleanup: {0}'.format(error))
return HttpResponse(json.dumps({
'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 3600
}),
content_type='application/json')
except HttpBadRequestException:
raise
except ObjectNotFoundException as ex:
logger.warning('Error matching client: {0}'.format(ex))
raise HttpBadRequestException(
error='invalid_client',
error_description='Client could not be found')
except Exception as ex:
logger.exception('Error matching client: {0}'.format(ex))
raise HttpBadRequestException(
error='invalid_client',
error_description='Error loading client')
else:
raise HttpBadRequestException(
error='unsupported_grant_type',
error_description='Unsupported grant type')
def post(self, request, *args, **kwargs):
"""
Handles token post
"""
logger = LogHandler.get('api', 'oauth2')
_ = args, kwargs
if 'grant_type' not in request.POST:
raise HttpBadRequestException(error='invalid_request',
error_description='No grant type specified')
grant_type = request.POST['grant_type']
scopes = None
if 'scope' in request.POST:
scopes = RoleList.get_roles_by_codes(request.POST['scope'].split(' '))
if grant_type == 'password':
# Resource Owner Password Credentials Grant
if 'username' not in request.POST or 'password' not in request.POST:
raise HttpBadRequestException(error='invalid_request',
error_description='Invalid request')
username = request.POST['username']
password = request.POST['password']
user = UserList.get_user_by_username(username)
if user is None or user.password != hashlib.sha256(password).hexdigest():
raise HttpBadRequestException(error='invalid_client',
error_description='Invalid client')
if user.is_active is False:
raise HttpBadRequestException(error='inactive_user',
error_description='User is inactive')
clients = [client for client in user.clients if client.ovs_type == 'INTERNAL' and client.grant_type == 'PASSWORD']
if len(clients) != 1:
raise HttpBadRequestException(error='unauthorized_client',
error_description='Client is unautorized')
client = clients[0]
try:
access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes)
access_token.expiration = int(time.time() + 86400)
access_token.save()
except ValueError as error:
if error.message == 'invalid_scope':
raise HttpBadRequestException(error='invalid_scope',
error_description='Invalid scope requested')
raise
Toolbox.clean_tokens(client)
return HttpResponse(json.dumps({'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 86400}),
content_type='application/json')
elif grant_type == 'client_credentials':
# Client Credentials
if 'HTTP_AUTHORIZATION' not in request.META:
raise HttpBadRequestException(error='missing_header',
error_description='Authorization header missing')
_, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ')
client_id, client_secret = base64.b64decode(password_hash).split(':', 1)
try:
client = Client(client_id)
if client.grant_type != 'CLIENT_CREDENTIALS':
raise HttpBadRequestException(error='invalid_grant',
error_description='The given grant type is not supported')
if client.client_secret != client_secret:
raise HttpBadRequestException(error='invalid_client',
error_description='Invalid client')
if not client.user.is_active:
raise HttpBadRequestException(error='inactive_user',
error_description='User is inactive')
try:
access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes)
except ValueError as error:
if error.message == 'invalid_scope':
raise HttpBadRequestException(error='invalid_scope',
error_description='Invalid scope requested')
raise
try:
Toolbox.clean_tokens(client)
except Exception as error:
logger.error('Error during session cleanup: {0}'.format(error))
return HttpResponse(json.dumps({'access_token': access_token.access_token,
'token_type': 'bearer',
'expires_in': 3600}),
content_type='application/json')
except HttpBadRequestException:
raise
except ObjectNotFoundException as ex:
logger.warning('Error matching client: {0}'.format(ex))
raise HttpBadRequestException(error='invalid_client',
error_description='Client could not be found')
except Exception as ex:
logger.exception('Error matching client: {0}'.format(ex))
raise HttpBadRequestException(error='invalid_client',
error_description='Error loading client')
else:
raise HttpBadRequestException(error='unsupported_grant_type',
error_description='Unsupported grant type')
