Myceliandre
/
galicea-odoo-addons-ecosystem
2
0
Fork 1
Code Issues Pull Requests 1 Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
6 Branches
0 Tags
609 KiB
Tree: 87cabaa178
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '87cabaa178'
${ noResults }
galicea-odoo-addons-ecosystem/galicea_openid_connect/controllers/main.py

355 lines
13 KiB
Raw Normal View History

[openid_connect]
6 years ago
  1. # -*- coding: utf-8 -*-
  3. import json
  4. import time
  5. import os
  6. import base64
  8. from odoo import http
  9. import werkzeug
  11. from .. api import resource
  13. try:
  14. from jwcrypto import jwk, jwt
  15. from cryptography.hazmat.backends import default_backend
  16. from cryptography.hazmat.primitives import hashes
  17. except ImportError:
  18. pass
  20. def jwk_from_json(json_key):
  21. key = jwk.JWK()
  22. key.import_key(**json.loads(json_key))
  23. return key
  25. def jwt_encode(claims, key):
  26. token = jwt.JWT(
  27. header={'alg': key._params['alg'], 'kid': key._params['kid']},
  28. claims=claims
  29. )
  30. token.make_signed_token(key)
  31. return token.serialize()
  33. def jwt_decode(serialized, key):
  34. token = jwt.JWT(jwt=serialized, key=key)
  35. return json.loads(token.claims)
  37. RESPONSE_TYPES_SUPPORTED = [
  38. 'code',
  39. 'token',
  40. 'id_token token',
  41. 'id_token'
  42. ]
  44. class OAuthException(Exception):
  45. INVALID_REQUEST = 'invalid_request'
  46. INVALID_CLIENT = 'invalid_client'
  47. UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type'
  48. INVALID_GRANT = 'invalid_grant'
  49. UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type'
  51. def __init__(self, message, type):
  52. super(Exception, self).__init__(message)
  53. self.type = type
  55. class Main(http.Controller):
  56. def __get_authorization_code_jwk(self, req):
  57. return jwk_from_json(req.env['ir.config_parameter'].sudo().get_param(
  58. 'galicea_openid_connect.authorization_code_jwk'
  59. ))
  61. def __get_id_token_jwk(self, req):
  62. return jwk_from_json(req.env['ir.config_parameter'].sudo().get_param(
  63. 'galicea_openid_connect.id_token_jwk'
  64. ))
  66. def __validate_client(self, req, **query):
  67. if 'client_id' not in query:
  68. raise OAuthException(
  69. 'client_id param is missing',
  70. OAuthException.INVALID_CLIENT,
  71. )
  72. client_id = query['client_id']
  73. client = req.env['galicea_openid_connect.client'].sudo().search(
  74. [('client_id', '=', client_id)]
  75. )
  76. if not client:
  77. raise OAuthException(
  78. 'client_id param is invalid',
  79. OAuthException.INVALID_CLIENT,
  80. )
  81. return client
  83. def __validate_redirect_uri(self, client, req, **query):
  84. if 'redirect_uri' not in query:
  85. raise OAuthException(
  86. 'redirect_uri param is missing',
  87. OAuthException.INVALID_GRANT,
  88. )
  90. redirect_uri = query['redirect_uri']
  91. if client.auth_redirect_uri != redirect_uri:
  92. raise OAuthException(
  93. 'redirect_uri param doesn\'t match the pre-configured redirect URI',
  94. OAuthException.INVALID_GRANT,
  95. )
  97. return redirect_uri
  99. def __validate_client_secret(self, client, req, **query):
  100. if 'client_secret' not in query or query['client_secret'] != client.secret:
  101. raise OAuthException(
  102. 'client_secret param is not valid',
  103. OAuthException.INVALID_CLIENT,
  104. )
  106. @http.route('/.well-known/openid-configuration', auth='public', type='http')
  107. def metadata(self, req, **query):
  108. base_url = http.request.httprequest.host_url
  109. data = {
  110. 'issuer': base_url,
  111. 'authorization_endpoint': base_url + 'oauth/authorize',
  112. 'token_endpoint': base_url + 'oauth/token',
  113. 'userinfo_endpoint': base_url + 'oauth/userinfo',
  114. 'jwks_uri': base_url + 'oauth/jwks',
  115. 'scopes_supported': ['openid'],
  116. 'response_types_supported': RESPONSE_TYPES_SUPPORTED,
  117. 'grant_types_supported': ['authorization_code', 'implicit'],
  118. 'subject_types_supported': ['public'],
  119. 'id_token_signing_alg_values_supported': ['RS256'],
  120. 'token_endpoint_auth_methods_supported': ['client_secret_post']
  121. }
  122. return json.dumps(data)
  124. @http.route('/oauth/jwks', auth='public', type='http')
  125. def jwks(self, req, **query):
  126. keyset = jwk.JWKSet()
  127. keyset.add(self.__get_id_token_jwk(req))
  128. return keyset.export(private_keys=False)
  130. @resource('/oauth/userinfo', method='GET')
  131. def userinfo(self, req, **query):
  132. user = req.env.user
  133. values = {
  134. 'sub': str(user.id),
  135. # Needed in case the client is another Odoo instance
  136. 'user_id': str(user.id),
  137. 'name': user.name,
  138. }
  139. if user.email:
  140. values['email'] = user.email
  141. return values
  143. @resource('/oauth/clientinfo', method='GET', auth='client')
  144. def clientinfo(self, req, **query):
  145. client = req.env['galicea_openid_connect.client'].browse(req.context['client_id'])
  146. return {
  147. 'name': client.name
  148. }
  150. @http.route('/oauth/authorize', auth='public', type='http', csrf=False)
  151. def authorize(self, req, **query):
  152. # First, validate client_id and redirect_uri params.
  153. try:
  154. client = self.__validate_client(req, **query)
  155. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  156. except OAuthException as e:
  157. # If those are not valid, we must not redirect back to the client
  158. # - instead, we display a message to the user
  159. return req.render('galicea_openid_connect.error', {'exception': e})
  161. scopes = query['scope'].split(' ') if query.get('scope') else []
  162. is_openid_request = 'openid' in scopes
  164. # state, if present, is just mirrored back to the client
  165. response_params = {}
  166. if 'state' in query:
  167. response_params['state'] = query['state']
  169. response_mode = query.get('response_mode')
  170. try:
  171. if response_mode and response_mode not in ['query', 'fragment']:
  172. response_mode = None
  173. raise OAuthException(
  174. 'The only supported response_modes are \'query\' and \'fragment\'',
  175. OAuthException.INVALID_REQUEST
  176. )
  178. if 'response_type' not in query:
  179. raise OAuthException(
  180. 'response_type param is missing',
  181. OAuthException.INVALID_REQUEST,
  182. )
  183. response_type = query['response_type']
  184. if response_type not in RESPONSE_TYPES_SUPPORTED:
  185. raise OAuthException(
  186. 'The only supported response_types are: {}'.format(', '.join(RESPONSE_TYPES_SUPPORTED)),
  187. OAuthException.UNSUPPORTED_RESPONSE_TYPE,
  188. )
  189. except OAuthException as e:
  190. response_params['error'] = e.type
  191. response_params['error_description'] = e.message
  192. return self.__redirect(redirect_uri, response_params, response_mode or 'query')
  194. if not response_mode:
  195. response_mode = 'query' if response_type == 'code' else 'fragment'
  197. user = req.env.user
  198. # In case user is not logged in, we redirect to the login page and come back
  199. needs_login = user.login == 'public'
  200. # Also if they didn't authenticate recently enough
  201. if 'max_age' in query and http.request.session.get('auth_time', 0) + int(query['max_age']) < time.time():
  202. needs_login = True
  203. if needs_login:
  204. params = {
  205. 'force_auth_and_redirect': '/oauth/authorize?{}'.format(werkzeug.url_encode(query))
  206. }
  207. return self.__redirect('/web/login', params, 'query')
  209. response_types = response_type.split()
  211. extra_claims = {
  212. 'sid': http.request.httprequest.session.sid,
  213. }
  214. if 'nonce' in query:
  215. extra_claims['nonce'] = query['nonce']
  217. if 'code' in response_types:
  218. # Generate code that can be used by the client server to retrieve
  219. # the token. It's set to be valid for 60 seconds only.
  220. # TODO: The spec says the code should be single-use. We're not enforcing
  221. # that here.
  222. payload = {
  223. 'redirect_uri': redirect_uri,
  224. 'client_id': client.client_id,
  225. 'user_id': user.id,
  226. 'scopes': scopes,
  227. 'exp': int(time.time()) + 60
  228. }
  229. payload.update(extra_claims)
  230. key = self.__get_authorization_code_jwk(req)
  231. response_params['code'] = jwt_encode(payload, key)
  232. if 'token' in response_types:
  233. access_token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  234. user.id,
  235. client.id
  236. ).token
  237. response_params['access_token'] = access_token
  238. response_params['token_type'] = 'bearer'
  240. digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
  241. digest.update(access_token.encode('ascii'))
  242. at_hash = digest.finalize()
  243. extra_claims['at_hash'] = base64.urlsafe_b64encode(at_hash[:16]).strip('=')
  244. if 'id_token' in response_types:
  245. response_params['id_token'] = self.__create_id_token(req, user.id, client, extra_claims)
  247. return self.__redirect(redirect_uri, response_params, response_mode)
  249. @http.route('/oauth/token', auth='public', type='http', methods=['POST'], csrf=False)
  250. def token(self, req, **query):
  251. try:
  252. if 'grant_type' not in query:
  253. raise OAuthException(
  254. 'grant_type param is missing',
  255. OAuthException.INVALID_REQUEST,
  256. )
  257. if query['grant_type'] == 'authorization_code':
  258. return json.dumps(self.__handle_grant_type_authorization_code(req, **query))
  259. elif query['grant_type'] == 'client_credentials':
  260. return json.dumps(self.__handle_grant_type_client_credentials(req, **query))
  261. else:
  262. raise OAuthException(
  263. 'Unsupported grant_type param: \'{}\''.format(query['grant_type']),
  264. OAuthException.UNSUPPORTED_GRANT_TYPE,
  265. )
  266. except OAuthException as e:
  267. body = json.dumps({'error': e.type, 'error_description': e.message})
  268. return werkzeug.Response(response=body, status=400)
  270. def __handle_grant_type_authorization_code(self, req, **query):
  271. client = self.__validate_client(req, **query)
  272. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  273. self.__validate_client_secret(client, req, **query)
  275. if 'code' not in query:
  276. raise OAuthException(
  277. 'code param is missing',
  278. OAuthException.INVALID_GRANT,
  279. )
  280. try:
  281. payload = jwt_decode(query['code'], self.__get_authorization_code_jwk(req))
  282. except jwt.JWTExpired:
  283. raise OAuthException(
  284. 'Code expired',
  285. OAuthException.INVALID_GRANT,
  286. )
  287. except ValueError:
  288. raise OAuthException(
  289. 'code malformed',
  290. OAuthException.INVALID_GRANT,
  291. )
  292. if payload['client_id'] != client.client_id:
  293. raise OAuthException(
  294. 'client_id doesn\'t match the authorization request',
  295. OAuthException.INVALID_GRANT,
  296. )
  297. if payload['redirect_uri'] != redirect_uri:
  298. raise OAuthException(
  299. 'redirect_uri doesn\'t match the authorization request',
  300. OAuthException.INVALID_GRANT,
  301. )
  303. # Retrieve/generate access token. We currently only store one per user/client
  304. token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  305. payload['user_id'],
  306. client.id
  307. )
  308. response = {
  309. 'access_token': token.token,
  310. 'token_type': 'bearer'
  311. }
  312. if 'openid' in payload['scopes']:
  313. extra_claims = { name: payload[name] for name in payload if name in ['sid', 'nonce'] }
  314. response['id_token'] = self.__create_id_token(req, payload['user_id'], client, extra_claims)
  315. return response
  317. def __handle_grant_type_client_credentials(self, req, **query):
  318. client = self.__validate_client(req, **query)
  319. self.__validate_client_secret(client, req, **query)
  320. token = req.env['galicea_openid_connect.client_access_token'].sudo().retrieve_or_create(client.id)
  321. return {
  322. 'access_token': token.token,
  323. 'token_type': 'bearer'
  324. }
  326. def __create_id_token(self, req, user_id, client, extra_claims):
  327. claims = {
  328. 'iss': http.request.httprequest.host_url,
  329. 'sub': str(user_id),
  330. 'aud': client.client_id,
  331. 'iat': int(time.time()),
  332. 'exp': int(time.time()) + 15 * 60
  333. }
  334. auth_time = extra_claims.get('sid') and http.root.session_store.get(extra_claims['sid']).get('auth_time')
  335. if auth_time:
  336. claims['auth_time'] = auth_time
  337. if 'nonce' in extra_claims:
  338. claims['nonce'] = extra_claims['nonce']
  339. if 'at_hash' in extra_claims:
  340. claims['at_hash'] = extra_claims['at_hash']
  342. key = self.__get_id_token_jwk(req)
  343. return jwt_encode(claims, key)
  345. def __redirect(self, url, params, response_mode):
  346. location = '{}{}{}'.format(
  347. url,
  348. '?' if response_mode == 'query' else '#',
  349. werkzeug.url_encode(params)
  350. )
  351. return werkzeug.Response(
  352. headers={'Location': location},
  353. response=None,
  354. status=302,
  355. )