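def validate_client_secret(self, client_id, client_secret):
    """Return True iff ``client_secret`` matches the secret stored for ``client_id``.

    Args:
        client_id: Public identifier of the OAuth application.
        client_secret: Secret presented by the caller (untrusted input).

    Returns:
        False when the application is unknown or has no stored
        ``secure_client_secret``; otherwise the result of the stored
        credential's own ``matches`` check.
    """
    try:
        application = OAuthApplication.get(client_id=client_id)
    except OAuthApplication.DoesNotExist:
        return False

    # Explicit check rather than ``assert``: asserts are stripped under
    # ``python -O``, which would turn a missing secret into an AttributeError
    # on ``.matches`` instead of a clean rejection of the caller.
    if application.secure_client_secret is None:
        return False
    return application.secure_client_secret.matches(client_secret)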
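def persist_token_information(self, client_id, scope, access_token, token_type, expires_in, refresh_token, data):
    """Persist a newly issued OAuth access token.

    ``access_token`` is split into a clear-text lookup prefix of
    ``ACCESS_TOKEN_PREFIX_LENGTH`` characters (``token_name``) and the remaining
    secret part (``token_code``), which is wrapped in ``Credential.from_string``
    (presumably hashed -- see ``Credential``) rather than stored as-is. The
    legacy ``access_token`` column is written empty.

    Args:
        client_id: Public id of the application the token is issued to.
        scope: Scope string granted to the token.
        access_token: The full token as handed to the client.
        token_type: Token type string supplied by the authorizer.
        expires_in: Lifetime in seconds; ``expires_at`` is computed from the
            current (naive) UTC time.
        refresh_token: Must be falsy; refresh tokens are not supported here.
        data: JSON string that must carry a ``"username"`` naming an existing user.

    Raises:
        ValueError: for a refresh token, or an access token of the wrong shape.
        RuntimeError: when ``data`` does not name an existing user.
        OAuthApplication.DoesNotExist: when ``client_id`` is unknown.
    """
    # These checks were ``assert`` statements; ``python -O`` strips those, which
    # would let a malformed or too-short token be persisted. Raise explicitly.
    if refresh_token:
        raise ValueError("Refresh tokens are not supported")

    # A missing key used to surface as a bare KeyError; treat it like an
    # unknown user so callers get the documented RuntimeError.
    username = json.loads(data).get("username")
    found = user.get_user(username) if username else None
    if not found:
        raise RuntimeError("Username must be in the data field")

    token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
    token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
    if (
        not token_name
        or not token_code
        or len(token_name) != ACCESS_TOKEN_PREFIX_LENGTH
        or len(token_code) < ACCESS_TOKEN_MINIMUM_CODE_LENGTH
    ):
        raise ValueError("Access token does not have the expected prefix/code shape")

    oauth_app = OAuthApplication.get(client_id=client_id)
    expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
    OAuthAccessToken.create(
        application=oauth_app,
        authorized_user=found,
        scope=scope,
        token_name=token_name,
        token_code=Credential.from_string(token_code),
        access_token="",  # the full token is deliberately not stored in clear
        token_type=token_type,
        expires_at=expires_at,
        data=data,
    )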
def _delete_org_owned_data(org):
    """Remove the teams and OAuth applications that belong to organization ``org``."""
    # Teams (and everything hanging off them) go first.
    with db_transaction():
        for team in Team.select().where(Team.organization == org):
            team.delete_instance(recursive=True)

    # Then every OAuth application the org registered; the recursive delete
    # takes the approvals and tokens that reference the application with it.
    with db_transaction():
        for app in OAuthApplication.select().where(OAuthApplication.organization == org):
            app.delete_instance(recursive=True)


def _delete_user_linked_data(user):
    """Delete or detach everything that references ``user`` ahead of deleting the user row.

    Organizations lose their teams and OAuth applications; plain users are
    dropped from team memberships. In both cases the user's build triggers,
    the repository mirrors driven by the user's robots, and the robots
    themselves are deleted, and service-key approvals made by the user are
    kept with the approver cleared.
    """
    if user.organization:
        _delete_org_owned_data(user)
    else:
        # A regular user is simply removed from any team rosters.
        TeamMember.delete().where(TeamMember.user == user).execute()

    # Build triggers connected through this user's credentials.
    # NOTE(review): ``delete_nullable=False`` here versus ``True`` for robots
    # below looks deliberate (peewee nulls, rather than deletes, rows that
    # reach the trigger only through a nullable FK) -- confirm before changing.
    with db_transaction():
        connected = RepositoryBuildTrigger.select().where(RepositoryBuildTrigger.connected_user == user)
        for trigger in connected:
            trigger.delete_instance(recursive=True, delete_nullable=False)

    # Mirrors must go before the robots that drive them.
    with db_transaction():
        owned_robots = list(list_namespace_robots(user.username))
        RepoMirrorConfig.delete().where(RepoMirrorConfig.internal_robot << owned_robots).execute()

    # Now the robots themselves, including rows that nullably reference them.
    with db_transaction():
        for robot in list(list_namespace_robots(user.username)):
            robot.delete_instance(recursive=True, delete_nullable=True)

    # Keep service-key approvals but forget who approved them. This loses some
    # audit information, but it only happens when a superuser is deleted and
    # is preferable to failing the whole deletion.
    ServiceKeyApproval.update(approver=None).where(ServiceKeyApproval.approver == user).execute()
def create_application(org, name, application_uri, redirect_uri, **kwargs):
    """Create and return a new OAuth application owned by ``org``.

    ``client_secret`` may be supplied in ``kwargs``; otherwise a random
    40-character secret is generated. The secret is stored in the
    ``secure_client_secret`` field (wrapped in ``DecryptedValue``). Any other
    ``kwargs`` are forwarded unchanged to ``OAuthApplication.create``.
    """
    generate_secret = random_string_generator(length=40)
    secret = kwargs.pop("client_secret", generate_secret())

    return OAuthApplication.create(
        organization=org,
        name=name,
        application_uri=application_uri,
        redirect_uri=redirect_uri,
        secure_client_secret=DecryptedValue(secret),
        **kwargs
    )
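def validate_client_secret(self, client_id, client_secret):
    """Return True iff ``client_secret`` is the secret registered for ``client_id``.

    Prefers the encrypted ``secure_client_secret`` credential. While the
    ``READ_OLD_FIELDS`` migration flag is set, an application that has not yet
    been migrated (``secure_client_secret`` is None) falls back to the legacy
    plaintext ``client_secret`` column. Unknown applications, and applications
    with no usable secret at all, are rejected rather than raising.

    Args:
        client_id: Public identifier of the OAuth application.
        client_secret: Secret presented by the caller (untrusted input).
    """
    import hmac

    try:
        application = OAuthApplication.get(client_id=client_id)
    except OAuthApplication.DoesNotExist:
        return False

    # TODO(remove-unenc): Remove legacy check once every app has an encrypted secret.
    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
        if application.secure_client_secret is None:
            stored = application.client_secret
            if stored is None or client_secret is None:
                return False
            try:
                # Constant-time comparison: a plain ``==`` short-circuits on the
                # first differing byte and can leak the secret through timing.
                return hmac.compare_digest(stored.encode("utf-8"), client_secret.encode("utf-8"))
            except (AttributeError, TypeError, UnicodeError):
                # Values that cannot be compared as text can never match.
                return False

    # Explicit check instead of ``assert`` (stripped under ``python -O``): with
    # no stored secret there is nothing to match, so reject.
    if application.secure_client_secret is None:
        return False
    return application.secure_client_secret.matches(client_secret)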
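def persist_authorization_code(self, client_id, full_code, scope):
    """Store a freshly issued authorization code for ``client_id``.

    The code is split into a clear-text lookup prefix (``code_name``, the first
    ``AUTHORIZATION_CODE_PREFIX_LENGTH`` characters) and the remainder, which is
    wrapped in ``Credential.from_string`` rather than stored as-is.

    Raises:
        ValueError: if ``full_code`` is shorter than twice the prefix length.
        OAuthApplication.DoesNotExist: if ``client_id`` is unknown.
    """
    # Validate before touching the database. This was an ``assert``, which
    # ``python -O`` strips; the check guarantees the credential half is at
    # least as long as its public prefix instead of empty or trivially short.
    if len(full_code) < AUTHORIZATION_CODE_PREFIX_LENGTH * 2:
        raise ValueError("Authorization code is too short")

    oauth_app = OAuthApplication.get(client_id=client_id)
    data = self._generate_data_string()

    code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
    code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
    OAuthAuthorizationCode.create(
        application=oauth_app,
        scope=scope,
        code_name=code_name,
        code_credential=Credential.from_string(code_credential),
        data=data,
    )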
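def validate_redirect_uri(self, client_id, redirect_uri):
    """Return True iff ``redirect_uri`` is acceptable for ``client_id``.

    The application's own local OAuth handler URL is always accepted. Otherwise
    the requested URI must equal the application's registered ``redirect_uri``,
    or extend it at a path, query or fragment boundary. Unknown applications,
    and applications or requests with an empty URI, are rejected.

    Note: this remains prefix matching, which RFC 6749 section 3.1.2.2
    discourages in favour of exact matching. The boundary check only closes the
    obvious holes of a bare ``startswith`` -- a registered ``https://example.com``
    no longer accepts ``https://example.com.evil.test/`` or
    ``https://example.com:8443/``. Extending a registered URI that already has
    a query string (``...?a=1`` -> ``...?a=1&b=2``) is also rejected; register
    the exact URI for such cases.
    """
    internal_redirect_url = '%s%s' % (get_app_url(config.app_config), url_for('web.oauth_local_handler'))
    if redirect_uri == internal_redirect_url:
        return True

    try:
        oauth_app = OAuthApplication.get(client_id=client_id)
    except OAuthApplication.DoesNotExist:
        return False

    registered = oauth_app.redirect_uri
    if not registered or not redirect_uri:
        return False
    if redirect_uri == registered:
        return True
    if not redirect_uri.startswith(registered):
        return False

    # Only accept an extension that begins at a path/query/fragment boundary;
    # anything else changes the host or port of the registered URI.
    boundary = "/?#"
    return registered[-1] in boundary or redirect_uri[len(registered)] in boundary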
def create_application(org, name, application_uri, redirect_uri, **kwargs):
    """Create and return a new OAuth application owned by ``org``.

    ``client_secret`` may be supplied in ``kwargs``; otherwise a random
    40-character secret is generated. The secret is always stored in the
    ``secure_client_secret`` field (wrapped in ``DecryptedValue``); while the
    ``WRITE_OLD_FIELDS`` migration flag is set it is additionally written to the
    legacy plaintext ``client_secret`` column so older readers still work. Any
    other ``kwargs`` are forwarded unchanged to ``OAuthApplication.create``.
    """
    generate_secret = random_string_generator(length=40)
    secret = kwargs.pop("client_secret", generate_secret())

    # TODO(remove-unenc): drop the legacy plaintext column once migration is done.
    legacy_secret = None
    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
        legacy_secret = secret

    return OAuthApplication.create(
        organization=org,
        name=name,
        application_uri=application_uri,
        redirect_uri=redirect_uri,
        client_secret=legacy_secret,
        secure_client_secret=DecryptedValue(secret),
        **kwargs
    )
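def persist_authorization_code(self, client_id, full_code, scope):
    """Store a freshly issued authorization code for ``client_id``.

    The code is split into a clear-text lookup prefix (``code_name``, the first
    ``AUTHORIZATION_CODE_PREFIX_LENGTH`` characters) and the remainder, which is
    wrapped in ``Credential.from_string`` rather than stored as-is. While the
    ``WRITE_OLD_FIELDS`` migration flag is set, the full code is additionally
    written to the legacy ``code`` column for older readers.

    Raises:
        ValueError: if ``full_code`` is shorter than twice the prefix length.
        OAuthApplication.DoesNotExist: if ``client_id`` is unknown.
    """
    # Validate before touching the database. This was an ``assert``, which
    # ``python -O`` strips; the check guarantees the credential half is at
    # least as long as its public prefix instead of empty or trivially short.
    if len(full_code) < AUTHORIZATION_CODE_PREFIX_LENGTH * 2:
        raise ValueError("Authorization code is too short")

    oauth_app = OAuthApplication.get(client_id=client_id)
    data = self._generate_data_string()

    code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
    code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]

    # TODO(remove-unenc): Remove legacy fallback once the ``code`` column is gone.
    legacy_code = None
    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
        legacy_code = code_name + code_credential

    OAuthAuthorizationCode.create(
        application=oauth_app,
        code=legacy_code,
        scope=scope,
        code_name=code_name,
        code_credential=Credential.from_string(code_credential),
        data=data,
    )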
def get_application_for_client_id(self, client_id):
    """Look up the OAuth application registered under ``client_id``.

    Returns the ``OAuthApplication`` row, or ``None`` when no application has
    that client id (the ``DoesNotExist`` lookup error is converted, not raised).
    """
    application = None
    try:
        application = OAuthApplication.get(client_id=client_id)
    except OAuthApplication.DoesNotExist:
        pass  # unknown client id: reported as None below
    return application
def list_applications_for_org(org):
    """Return a query for all OAuth applications owned by ``org``.

    The query joins ``User`` (the organization row) and is returned
    unevaluated so callers can add further filtering or pagination.
    """
    owned_by_org = OAuthApplication.organization == org
    return OAuthApplication.select().join(User).where(owned_by_org)
def lookup_application(org, client_id):
    """Return the OAuth application with ``client_id`` owned by ``org``, or ``None``.

    The lookup is scoped to ``org``: an application with that client id that
    belongs to a different organization is reported as missing.
    """
    criteria = dict(organization=org, client_id=client_id)
    try:
        found = OAuthApplication.get(**criteria)
    except OAuthApplication.DoesNotExist:
        found = None
    return found