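def create_oauth2_client(
        context,
        username,
        client_id,
        client_secret,
        default_scopes=None
    ):
    """
    Create a new OAuth2 Client associated with a given user (username).

    Args:
        context: task context supplied by the caller; not used here.
        username: username of the user who will own the client.
        client_id: public identifier stored on the new client.
        client_secret: credential stored on the new client; treat the value
            (and any shell history / log line containing it) as a secret.
        default_scopes: space-separated scope string. When None, every scope
            declared under ``api_v1.authorizations['oauth2_password']`` is
            granted, i.e. the broadest possible default.

    Raises:
        Exception: if no user with ``username`` exists.
    """
    from app.modules.users.models import User
    from app.modules.auth.models import OAuth2Client

    # ``Query.first()`` takes no filter argument; the condition has to be
    # applied with ``filter()`` first (as the sibling email-based variant does).
    user = User.query.filter(User.username == username).first()
    if user is None:
        raise Exception("User with username '%s' does not exist." % username)

    if default_scopes is None:
        from app.extensions.api import api_v1
        default_scopes = ' '.join(api_v1.authorizations['oauth2_password']['scopes'])

    oauth2_client = OAuth2Client(
        client_id=client_id,
        client_secret=client_secret,
        user=user,
        _default_scopes=default_scopes
    )

    from app.extensions import db
    db.session.add(oauth2_client)
    db.session.commit()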
def create_oauth2_client(context, email, guid, secret, default_scopes=None):
    """
    Create a new OAuth2 Client associated with a given user (email).

    ``context`` is accepted for the task signature and not used here.
    ``guid`` and ``secret`` become the new client's identifier and credential.
    When ``default_scopes`` is None, the keys of every scope declared under
    ``api_v1.authorizations['oauth2_password']`` are granted, i.e. the
    broadest possible default.

    Raises ``Exception`` if no user has the given email.
    """
    from app.modules.users.models import User
    from app.modules.auth.models import OAuth2Client

    owner = User.query.filter(User.email == email).first()
    if not owner:
        raise Exception("User with email '%s' does not exist." % email)

    if default_scopes is None:
        from app.extensions.api import api_v1

        password_flow = api_v1.authorizations['oauth2_password']
        default_scopes = list(password_flow['scopes'].keys())

    new_client = OAuth2Client(
        guid=guid,
        secret=secret,
        user=owner,
        default_scopes=default_scopes,
    )

    from app.extensions import db

    # The transaction opened by begin() is committed when the block exits.
    with db.session.begin():
        db.session.add(new_client)
def regular_user_oauth2_client(regular_user, temp_db_instance_helper):
    """Yield a throwaway OAuth2Client owned by ``regular_user``.

    Persisting and removing the row is delegated to
    ``temp_db_instance_helper``; the fixed client id/secret are test-only
    values with no scopes and no redirect URIs.
    """
    # pylint: disable=invalid-name,unused-argument
    from app.modules.auth.models import OAuth2Client

    client = OAuth2Client(
        user=regular_user,
        client_id='regular_user_client',
        client_secret='regular_user_secret',
        redirect_uris=[],
        default_scopes=[],
    )
    yield from temp_db_instance_helper(client)
def init_auth(docs_user):
    """Create and commit the OAuth2 client used by the API documentation UI.

    The client is owned by ``docs_user`` and receives every scope listed under
    ``api.api_v1.authorizations['oauth2_password']`` as a space-separated
    string. Returns the committed ``OAuth2Client``.

    NOTE(review): the client secret is a literal in source, so it is known to
    anyone with repository access; it cannot serve as a real credential.
    """
    # TODO: OpenAPI documentation has to have OAuth2 Implicit Flow instead
    # of Resource Owner Password Credentials Flow
    docs_client = OAuth2Client(
        client_id='documentation',
        client_secret='KQ()SWK)SQK)QWSKQW(SKQ)S(QWSQW(SJ*HQ&HQW*SQ*^SSQWSGQSG',
        user_id=docs_user.id,
        _default_scopes=' '.join(
            api.api_v1.authorizations['oauth2_password']['scopes']),
    )
    db.session.add(docs_client)
    db.session.commit()
    return docs_client
def init_auth(docs_user):
    """Create the OAuth2 client used by the API documentation UI.

    The client is identified by ``DOCUMENTATION_CLIENT_GUID`` /
    ``DOCUMENTATION_CLIENT_SECRET``, owned by ``docs_user``, has no redirect
    URIs and is granted the ``oauth2_password`` scopes of ``api.api_v1``.
    The row is committed when the ``begin()`` block exits; the new
    ``OAuth2Client`` is returned.
    """
    # TODO: OpenAPI documentation has to have OAuth2 Implicit Flow instead
    # of Resource Owner Password Credentials Flow
    with db.session.begin():
        password_scopes = api.api_v1.authorizations['oauth2_password']['scopes']
        docs_client = OAuth2Client(
            guid=DOCUMENTATION_CLIENT_GUID,
            secret=DOCUMENTATION_CLIENT_SECRET,
            user_guid=docs_user.guid,
            redirect_uris=[],
            default_scopes=password_scopes,
        )
        db.session.add(docs_client)
    return docs_client
def init_auth(docs_user):
    """Create the OAuth2 client used by the API documentation UI.

    Owned by ``docs_user``; both ``scope`` and ``default_scopes`` are set to the
    ``oauth2_password`` scopes of ``api.api_v1`` and no redirect URIs are
    registered. The row is committed when the ``begin()`` block exits and the
    new ``OAuth2Client`` is returned.

    NOTE(review): the client secret is a literal in source, so it is known to
    anyone with repository access; it cannot serve as a real credential.
    """
    # TODO: OpenAPI documentation has to have OAuth2 Implicit Flow instead
    # of Resource Owner Password Credentials Flow
    with db.session.begin():
        password_scopes = api.api_v1.authorizations['oauth2_password']['scopes']
        docs_client = OAuth2Client(
            client_id='documentation',
            client_secret=
            'KQ()SWK)SQK)QWSKQW(SKQ)S(QWSQW(SJ*HQ&HQW*SQ*^SSQWSGQSG',
            user_id=docs_user.id,
            scope=password_scopes,
            default_scopes=password_scopes,
        )
        docs_client.redirect_uris = []
        db.session.add(docs_client)
    return docs_client
def regular_user_oauth2_client(regular_user, db):
    """Yield a committed OAuth2Client owned by ``regular_user``.

    The row is deleted and the deletion committed once the consumer is done.
    The fixed client id/secret are test-only values with no scopes and no
    redirect URIs.
    """
    # pylint: disable=invalid-name,unused-argument
    from app.modules.auth.models import OAuth2Client

    client = OAuth2Client(
        user=regular_user,
        client_id='regular_user_client',
        client_secret='regular_user_secret',
        redirect_uris=[],
        default_scopes=[],
    )

    db.session.add(client)
    db.session.commit()
    yield client
    # Tear-down: remove the row so it does not leak into later tests.
    db.session.delete(client)
    db.session.commit()
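    def open(self, *args, **kwargs):
        """Issue a test request, optionally authenticated as ``self._user``.

        When ``self._user`` is set, a throwaway OAuth2 client and bearer token
        (scoped to ``self._auth_scopes``) are persisted, an ``Authorization``
        header is added to the request, and both rows are deleted again after
        the request. The deletion now runs in a ``finally`` so a request that
        raises cannot leave a valid, fixed-value bearer token in the database
        for later tests to reuse.

        ``headers`` may be given either as a sequence of ``(name, value)``
        pairs or as a mapping; the original only supported the former and
        raised ``TypeError`` on a dict.
        """
        if self._user is None:
            return super(AutoAuthFlaskClient, self).open(*args, **kwargs)

        from app.extensions import db
        from app.modules.auth.models import OAuth2Client, OAuth2Token

        # Fixed, non-secret values: these rows only exist in the test database
        # for the duration of a single request.
        oauth2_client = OAuth2Client(
            secret='SECRET',
            user=self._user,
            default_scopes=[],
        )

        oauth2_bearer_token = OAuth2Token(
            client=oauth2_client,
            user=self._user,
            token_type='Bearer',
            access_token='test_access_token',
            scopes=self._auth_scopes,
            # NOTE(review): naive UTC timestamp -- confirm OAuth2Token.expires
            # is compared against naive UTC as well.
            expires=datetime.utcnow() + timedelta(days=1),
        )

        with db.session.begin():
            db.session.add(oauth2_bearer_token)

        try:
            auth_header = (
                'Authorization',
                '{token.token_type} {token.access_token}'.format(
                    token=oauth2_bearer_token),
            )
            headers = kwargs.get('headers')
            if not headers:
                kwargs['headers'] = (auth_header, )
            elif isinstance(headers, dict):
                # A mapping cannot be extended with ``+=``; copy it so the
                # caller's dict is left untouched.
                kwargs['headers'] = dict(headers, Authorization=auth_header[1])
            else:
                # Sequence of (name, value) pairs: extend as before.
                kwargs['headers'] += (auth_header, )

            response = super(AutoAuthFlaskClient, self).open(*args, **kwargs)
        finally:
            # Always remove the token and its client, even if the request
            # raised, so no test credential outlives this call.
            with db.session.begin():
                db.session.delete(oauth2_bearer_token)
                db.session.delete(oauth2_bearer_token.client)

        return response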
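def create_session_oauth2_token(cleanup_tokens=False,
                                check_renewal=False,
                                user=None,
                                update_session=True):
    """Issue a fresh session-level OAuth2 bearer token for ``user``.

    Looks up the user's session-level ``OAuth2Client`` (creating one, or
    replacing several stray ones with a single new one), optionally deletes
    that client's existing bearer tokens, and persists a new token carrying
    every ``oauth2_password`` scope declared on ``api_v1``, expiring one day
    from now in UTC.

    Args:
        cleanup_tokens: delete all existing bearer tokens of the session
            client before issuing the new one.
        check_renewal: accepted for interface compatibility; not used by this
            function.
        user: owner of the token; defaults to ``current_user``.
        update_session: store the new access token in
            ``session['access_token']``.

    Returns:
        The persisted ``OAuth2Token``, or None when ``user`` is None and the
        current user is not authenticated.
    """
    from app.extensions import db
    from app.modules.auth.models import OAuth2Client, OAuth2Token
    from app.extensions.api import api_v1
    import datetime

    if user is None:
        user = current_user
        if not user.is_authenticated:
            return None

    default_scopes = list(
        api_v1.authorizations['oauth2_password']['scopes'].keys())

    # Retrieve Oauth2 client for user and/or clean-up multiple clients
    session_oauth2_clients = OAuth2Client.query.filter_by(
        user=user, level=OAuth2Client.ClientLevels.session).all()
    session_oauth2_client = None
    if len(session_oauth2_clients) == 1:
        # We have an existing Oauth2 frontend client for this user, let's re-use it
        session_oauth2_client = session_oauth2_clients[0]
    elif len(session_oauth2_clients) > 1:
        # Several session clients for one user is an inconsistent state:
        # drop them all and start over with a single new one below.
        with db.session.begin():
            for stray_client in session_oauth2_clients:
                db.session.delete(stray_client)

    if session_oauth2_client is None:
        session_oauth2_client = OAuth2Client(
            level=OAuth2Client.ClientLevels.session,
            user=user,
            default_scopes=default_scopes,
        )
        with db.session.begin():
            db.session.add(session_oauth2_client)
    # Lazy %-style args: the message is only formatted if INFO is enabled.
    # NOTE(review): confirm OAuth2Client.__repr__ does not include the client
    # secret, otherwise this line writes a credential to the log.
    log.info('Using session Oauth2 client = %r', session_oauth2_client)

    # Clean-up all tokens for the confidential client
    session_oauth2_bearer_tokens = OAuth2Token.query.filter_by(
        client=session_oauth2_client).all()
    log.info('User %s has %d confidential Oauth2 bearer tokens',
             user.email, len(session_oauth2_bearer_tokens))
    if cleanup_tokens:
        for stale_token in session_oauth2_bearer_tokens:
            # Log the token being removed, not the token count.
            # NOTE(review): confirm OAuth2Token.__repr__ does not include
            # access_token, otherwise a bearer credential ends up in the log.
            log.info('Cleaning up User %s Oauth2 bearer token: %r',
                     user.email, stale_token)
            stale_token.delete()

    # IMPORTANT: WE NEED THIS TO BE IN UTC FOR OAUTH2
    expires = datetime.datetime.now(tz=pytz.utc) + datetime.timedelta(days=1)

    # Create a Oauth2 session bearer token with all scopes for this session
    session_oauth2_bearer_token = OAuth2Token(
        client=session_oauth2_client,
        user=user,
        token_type='Bearer',
        scopes=default_scopes,
        expires=expires,
    )
    with db.session.begin():
        db.session.add(session_oauth2_bearer_token)

    # Add the access token to the session
    if update_session:
        session['access_token'] = session_oauth2_bearer_token.access_token

    return session_oauth2_bearer_token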