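    def oauth_login():
        """Finish the OAuth authorization-code flow started against UAA.

        UAA redirects the browser here with ``?code=...``.  The code is exchanged
        (authenticating with our client id/secret) for a bearer token, which is
        stashed in the Flask session together with its scopes.  Where the user
        is sent afterwards depends on whether they arrived from an
        invitation-acceptance page.

        Returns:
            A redirect to ``first_login`` (invitation flow) or to the endpoint
            saved in ``session["_endpoint"]`` (default ``index``);
            ``error/token_validation.html`` with 400 when the callback carries
            no code, or with 401 when UAA rejects the code;
            ``error/missing_scope.html`` with 403 when the token lacks
            ``scim.invite``.

        NOTE(review): no OAuth ``state`` parameter is checked in this handler.
        Unless the authorize redirect and this callback are tied together
        elsewhere, a forged callback URL can complete a login in a victim's
        browser (login CSRF) -- confirm.
        """
        logging.info(request.referrer)

        # The referrer is client-controlled and may be absent, so it only
        # chooses the post-login redirect; it must never grant anything.
        # str.find() returns -1 when the needle is missing -- the previous
        # ``!= 1`` test treated almost every referrer as an invitation.
        referrer = request.referrer or ""
        is_invitation = "invitations/accept" in referrer

        code = request.args.get("code")
        if not code:
            if is_invitation:
                return redirect(url_for("first_login"))
            # A callback without a code cannot be exchanged; previously this
            # fell through to a KeyError (HTTP 500).
            logging.warning("oauth_login called without an authorization code")
            return render_template("error/token_validation.html"), 400

        try:
            # connect a client with no token
            uaac = UAAClient(
                app.config["UAA_BASE_URL"],
                None,
                verify_tls=app.config["UAA_VERIFY_TLS"],
            )

            # auth with our client secret and the code they gave us
            token = uaac.oauth_token(
                code,
                app.config["UAA_CLIENT_ID"],
                app.config["UAA_CLIENT_SECRET"],
            )
        except UAAError:
            logging.exception(
                "An invalid authorization_code was received from UAA")
            return render_template("error/token_validation.html"), 401

        # if it's valid, but missing the scope we need, bail.  Handled inline
        # rather than via raise/except RuntimeError so an unrelated
        # RuntimeError is not misreported as a scope problem.
        scopes = token["scope"].split(" ")
        if "scim.invite" not in scopes:
            logging.error(
                "Valid oauth authentication but missing the scim.invite scope.  Scopes: %s",
                token["scope"])
            return render_template("error/missing_scope.html"), 403

        # make flask expire our session for us, by expiring it shortly before the token expires.
        # NOTE(review): permanent_session_lifetime is app-wide, so the most
        # recent login dictates the lifetime of every session -- confirm that
        # is acceptable.
        session.permanent = True
        app.permanent_session_lifetime = timedelta(
            seconds=token["expires_in"] - 30)

        # stash the stuff we care about
        session["UAA_TOKEN"] = token["access_token"]
        session["UAA_TOKEN_SCOPES"] = scopes
        if is_invitation:
            return redirect(url_for("first_login"))
        # _endpoint comes from the signed session, not from the request
        endpoint = session.pop("_endpoint", None) or "index"
        logging.info(endpoint)
        return redirect(url_for(endpoint))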
    def test_oauth_token(self):
        """oauth_token() exchanges an authorization code via POST /oauth/token.

        The transport is stubbed out, so this only checks what is handed to
        ``_request``: the path and method, the grant parameters, and that the
        client id/secret travel as HTTP Basic credentials.

        NOTE(review): the client passes ``code``/``grant_type`` as ``params``
        (query string).  RFC 6749 expects them in a form-encoded body, and
        query strings tend to land in access logs -- worth confirming against
        the UAAClient implementation.
        """
        client = UAAClient('http://example.com', 'foo', False)
        fake_request = Mock()
        client._request = fake_request

        client.oauth_token('foo', 'bar', 'baz')

        call = fake_request.call_args
        positional, keyword = call[0], call[1]

        assert positional == ('/oauth/token', 'POST')

        expected_params = {
            'grant_type': 'authorization_code',
            'response_type': 'token',
            'code': 'foo',
        }
        assert keyword['params'] == expected_params

        basic = keyword['auth']
        assert isinstance(basic, HTTPBasicAuth)
        assert (basic.username, basic.password) == ('bar', 'baz')
    def test_oauth_token(self):
        """oauth_token() posts the code exchange to /oauth/token.

        ``_request`` is replaced by a Mock, so the assertions cover only the
        outgoing call: path/method, the grant parameters, and HTTP Basic
        credentials built from the client id and secret.

        NOTE(review): grant parameters are sent as ``params`` (query string)
        rather than a form-encoded body as RFC 6749 describes; query strings
        are commonly logged by servers and proxies -- confirm this is intended.
        """
        client = UAAClient("http://example.com", "foo", False)
        spy = Mock()
        client._request = spy

        client.oauth_token("foo", "bar", "baz")

        recorded = spy.call_args
        positional = recorded[0]
        keyword = recorded[1]

        assert positional == ("/oauth/token", "POST")
        assert keyword["params"] == {
            "grant_type": "authorization_code",
            "response_type": "token",
            "code": "foo",
        }

        credentials = keyword["auth"]
        assert isinstance(credentials, HTTPBasicAuth)
        assert credentials.username == "bar"
        assert credentials.password == "baz"
    def test_oauth_token(self):
        """oauth_token() issues POST /oauth/token with the code-exchange arguments.

        With ``_request`` mocked, we inspect the single recorded call: the
        path and method, the ``params`` mapping, and that the client id and
        secret are carried as HTTP Basic auth.

        NOTE(review): ``code``/``grant_type`` go out as query parameters
        here; RFC 6749 specifies a form-encoded body, and query strings often
        end up in server logs -- confirm against UAAClient.
        """
        client = UAAClient('http://example.com', 'foo', False)
        transport = Mock()
        client._request = transport

        client.oauth_token('foo', 'bar', 'baz')

        positional, keyword = transport.call_args

        assert positional == ('/oauth/token', 'POST')

        wanted = {
            'code': 'foo',
            'grant_type': 'authorization_code',
            'response_type': 'token',
        }
        assert keyword['params'] == wanted

        auth = keyword['auth']
        assert isinstance(auth, HTTPBasicAuth)
        assert auth.username == 'bar' and auth.password == 'baz'
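    def oauth_login():
        """Complete the OAuth authorization-code flow against UAA.

        UAA sends the browser here with ``?code=...``.  The code is exchanged
        for a bearer token using our client id/secret; the token and its
        scopes are stored in the Flask session.  The post-login destination
        depends on whether the user came from an invitation-acceptance page.

        Returns:
            A redirect to ``first_login`` (invitation flow) or to the endpoint
            stashed in ``session['_endpoint']`` (default ``index``);
            ``error/token_validation.html`` with 400 when no code is present,
            or with 401 when UAA rejects the code;
            ``error/missing_scope.html`` with 403 when ``scim.invite`` is not
            among the token scopes.

        NOTE(review): this handler does not verify an OAuth ``state`` value.
        Unless the authorize redirect and this callback are bound elsewhere,
        an attacker-supplied callback URL can log a victim's browser into the
        attacker's account (login CSRF) -- confirm.
        """
        logging.info(request.referrer)

        # Referrer is attacker-controllable and frequently absent; it is used
        # only to pick the redirect after a successful exchange, not to
        # authorize anything.  str.find() yields -1 when absent, so the
        # former ``!= 1`` comparison flagged nearly every referrer.
        referrer = request.referrer or ''
        is_invitation = 'invitations/accept' in referrer

        code = request.args.get('code')
        if not code:
            if is_invitation:
                return redirect(url_for('first_login'))
            # Nothing to exchange; previously this raised KeyError (500).
            logging.warning('oauth_login called without an authorization code')
            return render_template('error/token_validation.html'), 400

        try:
            # connect a client with no token
            uaac = UAAClient(app.config['UAA_BASE_URL'],
                             None,
                             verify_tls=app.config['UAA_VERIFY_TLS'])

            # auth with our client secret and the code they gave us
            token = uaac.oauth_token(code,
                                     app.config['UAA_CLIENT_ID'],
                                     app.config['UAA_CLIENT_SECRET'])
        except UAAError:
            logging.exception(
                'An invalid authorization_code was received from UAA')
            return render_template('error/token_validation.html'), 401

        # if it's valid, but missing the scope we need, bail.  Done inline so
        # an unrelated RuntimeError is not misreported as a scope problem.
        scopes = token['scope'].split(' ')
        if 'scim.invite' not in scopes:
            logging.error(
                'Valid oauth authentication but missing the scim.invite scope.  Scopes: %s',
                token['scope'])
            return render_template('error/missing_scope.html'), 403

        # make flask expire our session for us, by expiring it shortly before the token expires.
        # NOTE(review): this setting is app-wide, so the latest login governs
        # every session's lifetime -- confirm that is acceptable.
        session.permanent = True
        app.permanent_session_lifetime = timedelta(
            seconds=token['expires_in'] - 30)

        # stash the stuff we care about
        session['UAA_TOKEN'] = token['access_token']
        session['UAA_TOKEN_SCOPES'] = scopes
        if is_invitation:
            return redirect(url_for('first_login'))
        # _endpoint is read from the signed session, not from the request
        endpoint = session.pop('_endpoint', None) or 'index'
        logging.info(endpoint)
        return redirect(url_for(endpoint))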
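    def oauth_login():
        """Callback for the OAuth authorization-code flow with UAA.

        UAA redirects here with ``?code=...``; the code is exchanged for a bearer token
        (authenticating with our client id/secret) and the token plus its scopes are kept
        in the Flask session.  Invitation arrivals are sent on to ``first_login``.

        Returns:
            A redirect to ``first_login`` or to ``session['_endpoint']`` (default ``index``);
            ``error/token_validation.html`` with 400 (no code supplied) or 401 (UAA rejected
            the code); ``error/missing_scope.html`` with 403 when ``scim.invite`` is absent.

        NOTE(review): no OAuth ``state`` parameter is validated here; unless the authorize
        redirect and this callback are linked elsewhere, a crafted callback URL can complete
        a login in a victim's browser (login CSRF) -- confirm.
        """
        logging.info(request.referrer)

        # Referrer is client-controlled and may be missing; it only selects the post-login
        # redirect.  str.find() returns -1 when not found, so the old ``!= 1`` test treated
        # nearly every referrer as an invitation.
        referrer = request.referrer or ''
        is_invitation = 'invitations/accept' in referrer

        code = request.args.get('code')
        if not code:
            if is_invitation:
                return redirect(url_for('first_login'))
            # Nothing to exchange; this used to surface as a KeyError (HTTP 500).
            logging.warning('oauth_login called without an authorization code')
            return render_template('error/token_validation.html'), 400

        try:
            # connect a client with no token
            uaac = UAAClient(app.config['UAA_BASE_URL'], None, verify_tls=app.config['UAA_VERIFY_TLS'])

            # auth with our client secret and the code they gave us
            token = uaac.oauth_token(code, app.config['UAA_CLIENT_ID'], app.config['UAA_CLIENT_SECRET'])
        except UAAError:
            logging.exception('An invalid authorization_code was received from UAA')
            return render_template('error/token_validation.html'), 401

        # if it's valid, but missing the scope we need, bail (inline, so an unrelated
        # RuntimeError is not misreported as a scope failure)
        scopes = token['scope'].split(' ')
        if 'scim.invite' not in scopes:
            logging.error('Valid oauth authentication but missing the scim.invite scope.  Scopes: %s',
                          token['scope'])
            return render_template('error/missing_scope.html'), 403

        # make flask expire our session for us, by expiring it shortly before the token expires.
        # NOTE(review): permanent_session_lifetime is app-wide; the most recent login sets the
        # lifetime for every session -- confirm that is acceptable.
        session.permanent = True
        app.permanent_session_lifetime = timedelta(seconds=token['expires_in'] - 30)

        # stash the stuff we care about
        session['UAA_TOKEN'] = token['access_token']
        session['UAA_TOKEN_SCOPES'] = scopes
        if is_invitation:
            return redirect(url_for('first_login'))
        # _endpoint comes from the signed session, not from request input
        endpoint = session.pop('_endpoint', None) or 'index'
        logging.info(endpoint)
        return redirect(url_for(endpoint))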