Myceliandre
/
galicea-odoo-addons-ecosystem
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

[FIX] add openid connect debug

13.0
Nicolas JEUDY 4 years ago
parent
c6e30a34b5
commit
67338a9c19
4 changed files with 45 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      galicea_openid_connect/controllers/ext_web_login.py
  2. 40
      galicea_openid_connect/controllers/main.py
  3. 2
      galicea_openid_connect/models/client.py
  4. 6
      galicea_openid_connect/models/config_parameter.py

6
galicea_openid_connect/controllers/ext_web_login.py
View File

@ -1,15 +1,21 @@
import logging
import time
from odoo import http
from odoo.addons import web
_logger = logging.getLogger(__name__)
class Home(web.controllers.main.Home):
@http.route("/web/login", type="http", auth="none")
def web_login(self, redirect=None, **kw):
_logger.debug("#### OPENID (0)")
result = super(Home, self).web_login(redirect, **kw)
_logger.debug("#### OPENID (1): %s" % result)
if result.is_qweb and "force_auth_and_redirect" in kw:
result.qcontext["redirect"] = kw["force_auth_and_redirect"]
if http.request.params.get("login_success"):
http.request.session["auth_time"] = int(time.time())
_logger.debug("#### OPENID (2): %s" % http.request.session)
return result

40
galicea_openid_connect/controllers/main.py
View File

@ -1,3 +1,4 @@
import logging
import json
import time
import os
@ -15,6 +16,8 @@ try:
except ImportError:
pass
_logger = logging.getLogger(__name__)
def jwk_from_json(json_key):
key = jwk.JWK()
@ -80,15 +83,20 @@ class Main(http.Controller):
raise OAuthException(
"client_id param is invalid", OAuthException.INVALID_CLIENT,
)
_logger.debug("#### openid client: %s" % client)
return client
def __validate_redirect_uri(self, client, req, **query):
_logger.debug("#### openid client: %s" % query)
if "redirect_uri" not in query:
raise OAuthException(
"redirect_uri param is missing", OAuthException.INVALID_GRANT,
)
redirect_uri = query["redirect_uri"]
_logger.debug(
"#### openid client: %s (%s)" % (client.auth_redirect_uri, redirect_uri)
)
if client.auth_redirect_uri != redirect_uri:
raise OAuthException(
"redirect_uri param doesn't match the pre-configured redirect URI",
@ -99,6 +107,9 @@ class Main(http.Controller):
def __validate_client_secret(self, client, req, **query):
if "client_secret" not in query or query["client_secret"] != client.secret:
_logger.debug(
"#### openid client: %s (%s)" % (query["client_secret"], client.secret)
)
raise OAuthException(
"client_secret param is not valid", OAuthException.INVALID_CLIENT,
)
@ -143,6 +154,7 @@ class Main(http.Controller):
}
if user.email:
values["email"] = user.email
_logger.debug("#### OPENID (3): %s" % values)
return values
@resource("/oauth/clientinfo", method="GET", auth="client")
@ -155,12 +167,14 @@ class Main(http.Controller):
@http.route("/oauth/authorize", auth="public", type="http", csrf=False)
def authorize(self, req, **query):
# First, validate client_id and redirect_uri params.
_logger.debug("#### OPENID (auth)")
try:
client = self.__validate_client(req, **query)
redirect_uri = self.__validate_redirect_uri(client, req, **query)
except OAuthException as e:
# If those are not valid, we must not redirect back to the client
# - instead, we display a message to the user
_logger.debug("#### OPENID (4): %s" % e)
return req.render("galicea_openid_connect.error", {"exception": e})
scopes = query["scope"].split(" ") if query.get("scope") else []
@ -174,6 +188,7 @@ class Main(http.Controller):
response_mode = query.get("response_mode")
try:
if response_mode and response_mode not in ["query", "fragment"]:
_logger.debug("#### OPENID (auth 1)")
response_mode = None
raise OAuthException(
"The only supported response_modes are 'query' and 'fragment'",
@ -181,11 +196,13 @@ class Main(http.Controller):
)
if "response_type" not in query:
_logger.debug("#### OPENID (auth 2)")
raise OAuthException(
"response_type param is missing", OAuthException.INVALID_REQUEST,
)
response_type = query["response_type"]
if response_type not in RESPONSE_TYPES_SUPPORTED:
_logger.debug("#### OPENID (auth 3)")
raise OAuthException(
"The only supported response_types are: {}".format(
", ".join(RESPONSE_TYPES_SUPPORTED)
@ -193,12 +210,14 @@ class Main(http.Controller):
OAuthException.UNSUPPORTED_RESPONSE_TYPE,
)
except OAuthException as e:
_logger.debug("#### OPENID (5): %s" % e)
response_params["error"] = e.type
response_params["error_description"] = e.message
response_params["error_description"] = e
return self.__redirect(
redirect_uri, response_params, response_mode or "query"
)
_logger.debug("#### OPENID (auth 4)")
if not response_mode:
response_mode = "query" if response_type == "code" else "fragment"
@ -218,6 +237,7 @@ class Main(http.Controller):
werkzeug.url_encode(query)
)
}
_logger.debug("#### OPENID (auth 4.2): %s" % params)
return self.__redirect("/web/login", params, "query")
response_types = response_type.split()
@ -261,7 +281,14 @@ class Main(http.Controller):
response_params["id_token"] = self.__create_id_token(
req, user.id, client, extra_claims
)
_logger.debug(
"#### OPENID (6): %s, %s, %s"
% (redirect_uri, response_params, response_mode)
)
_logger.debug(
"#### OPENID (6.1): %s"
% self.__redirect(redirect_uri, response_params, response_mode)
)
return self.__redirect(redirect_uri, response_params, response_mode)
@http.route(
@ -281,6 +308,7 @@ class Main(http.Controller):
return http.Response(status=200, headers=cors_headers)
try:
_logger.debug("#### OPENID (7): %s" % query)
if "grant_type" not in query:
raise OAuthException(
"grant_type param is missing", OAuthException.INVALID_REQUEST,
@ -306,7 +334,7 @@ class Main(http.Controller):
OAuthException.UNSUPPORTED_GRANT_TYPE,
)
except OAuthException as e:
body = json.dumps({"error": e.type, "error_description": e.message})
body = json.dumps({"error": e.type, "error_description": e})
return werkzeug.Response(response=body, status=400, headers=cors_headers)
def __handle_grant_type_authorization_code(self, req, **query):
@ -320,20 +348,25 @@ class Main(http.Controller):
)
try:
payload = jwt_decode(query["code"], self.__get_authorization_code_jwk(req))
_logger.debug("#### OPENID (8): %s" % payload)
except jwt.JWTExpired:
_logger.debug("#### OPENID (9): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"Code expired", OAuthException.INVALID_GRANT,
)
except ValueError:
_logger.debug("#### OPENID (10): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"code malformed", OAuthException.INVALID_GRANT,
)
if payload["client_id"] != client.client_id:
_logger.debug("#### OPENID (11): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"client_id doesn't match the authorization request",
OAuthException.INVALID_GRANT,
)
if payload["redirect_uri"] != redirect_uri:
_logger.debug("#### OPENID (12): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"redirect_uri doesn't match the authorization request",
OAuthException.INVALID_GRANT,
@ -353,6 +386,7 @@ class Main(http.Controller):
response["id_token"] = self.__create_id_token(
req, payload["user_id"], client, extra_claims
)
_logger.debug("#### OPENID (12): %s" % response)
return response
def __handle_grant_type_password(self, req, **query):

2
galicea_openid_connect/models/client.py
View File

@ -50,7 +50,7 @@ class Client(models.Model):
}
)
# Do not include in the "Pending invitations" list
system_user.sudo(system_user.id)._update_last_login()
system_user.with_user(system_user.id)._update_last_login()
values["system_user_id"] = system_user.id
return super(Client, self).create(values)

6
galicea_openid_connect/models/config_parameter.py
View File

@ -32,9 +32,5 @@ class ConfigParameter(models.Model):
for key, gen in iter(keys.items()):
if not self.search([("key", "=", key)]):
self.create(
{
"key": key,
"value": gen(),
"group_ids": [(4, self.env.ref("base.group_erp_manager").id)],
}
{"key": key, "value": gen(),}
)
Write Preview
Loading…
Cancel
Save