From 67338a9c19bdc1d030773b54693568bb835960c9 Mon Sep 17 00:00:00 2001 From: Nicolas JEUDY Date: Tue, 23 Jun 2020 09:35:55 +0200 Subject: [PATCH] [FIX] add openid connect debug --- .../controllers/ext_web_login.py | 6 +++ galicea_openid_connect/controllers/main.py | 40 +++++++++++++++++-- galicea_openid_connect/models/client.py | 2 +- .../models/config_parameter.py | 6 +-- 4 files changed, 45 insertions(+), 9 deletions(-) diff --git a/galicea_openid_connect/controllers/ext_web_login.py b/galicea_openid_connect/controllers/ext_web_login.py index 3b31f9c..6ed1962 100644 --- a/galicea_openid_connect/controllers/ext_web_login.py +++ b/galicea_openid_connect/controllers/ext_web_login.py @@ -1,15 +1,21 @@ +import logging import time from odoo import http from odoo.addons import web +_logger = logging.getLogger(__name__) + class Home(web.controllers.main.Home): @http.route("/web/login", type="http", auth="none") def web_login(self, redirect=None, **kw): + _logger.debug("#### OPENID (0)") result = super(Home, self).web_login(redirect, **kw) + _logger.debug("#### OPENID (1): %s" % result) if result.is_qweb and "force_auth_and_redirect" in kw: result.qcontext["redirect"] = kw["force_auth_and_redirect"] if http.request.params.get("login_success"): http.request.session["auth_time"] = int(time.time()) + _logger.debug("#### OPENID (2): %s" % http.request.session) return result diff --git a/galicea_openid_connect/controllers/main.py b/galicea_openid_connect/controllers/main.py index 84e4ff4..6f40774 100644 --- a/galicea_openid_connect/controllers/main.py +++ b/galicea_openid_connect/controllers/main.py @@ -1,3 +1,4 @@ +import logging import json import time import os @@ -15,6 +16,8 @@ try: except ImportError: pass +_logger = logging.getLogger(__name__) + def jwk_from_json(json_key): key = jwk.JWK() @@ -80,15 +83,20 @@ class Main(http.Controller): raise OAuthException( "client_id param is invalid", OAuthException.INVALID_CLIENT, ) + _logger.debug("#### openid client: %s" % client) return client def __validate_redirect_uri(self, client, req, **query): + _logger.debug("#### openid client: %s" % query) if "redirect_uri" not in query: raise OAuthException( "redirect_uri param is missing", OAuthException.INVALID_GRANT, ) redirect_uri = query["redirect_uri"] + _logger.debug( + "#### openid client: %s (%s)" % (client.auth_redirect_uri, redirect_uri) + ) if client.auth_redirect_uri != redirect_uri: raise OAuthException( "redirect_uri param doesn't match the pre-configured redirect URI", @@ -99,6 +107,9 @@ class Main(http.Controller): def __validate_client_secret(self, client, req, **query): if "client_secret" not in query or query["client_secret"] != client.secret: + _logger.debug( + "#### openid client: %s (%s)" % (query["client_secret"], client.secret) + ) raise OAuthException( "client_secret param is not valid", OAuthException.INVALID_CLIENT, ) @@ -143,6 +154,7 @@ class Main(http.Controller): } if user.email: values["email"] = user.email + _logger.debug("#### OPENID (3): %s" % values) return values @resource("/oauth/clientinfo", method="GET", auth="client") @@ -155,12 +167,14 @@ class Main(http.Controller): @http.route("/oauth/authorize", auth="public", type="http", csrf=False) def authorize(self, req, **query): # First, validate client_id and redirect_uri params. + _logger.debug("#### OPENID (auth)") try: client = self.__validate_client(req, **query) redirect_uri = self.__validate_redirect_uri(client, req, **query) except OAuthException as e: # If those are not valid, we must not redirect back to the client # - instead, we display a message to the user + _logger.debug("#### OPENID (4): %s" % e) return req.render("galicea_openid_connect.error", {"exception": e}) scopes = query["scope"].split(" ") if query.get("scope") else [] @@ -174,6 +188,7 @@ class Main(http.Controller): response_mode = query.get("response_mode") try: if response_mode and response_mode not in ["query", "fragment"]: + _logger.debug("#### OPENID (auth 1)") response_mode = None raise OAuthException( "The only supported response_modes are 'query' and 'fragment'", @@ -181,11 +196,13 @@ class Main(http.Controller): ) if "response_type" not in query: + _logger.debug("#### OPENID (auth 2)") raise OAuthException( "response_type param is missing", OAuthException.INVALID_REQUEST, ) response_type = query["response_type"] if response_type not in RESPONSE_TYPES_SUPPORTED: + _logger.debug("#### OPENID (auth 3)") raise OAuthException( "The only supported response_types are: {}".format( ", ".join(RESPONSE_TYPES_SUPPORTED) @@ -193,12 +210,14 @@ class Main(http.Controller): OAuthException.UNSUPPORTED_RESPONSE_TYPE, ) except OAuthException as e: + _logger.debug("#### OPENID (5): %s" % e) response_params["error"] = e.type - response_params["error_description"] = e.message + response_params["error_description"] = e return self.__redirect( redirect_uri, response_params, response_mode or "query" ) + _logger.debug("#### OPENID (auth 4)") if not response_mode: response_mode = "query" if response_type == "code" else "fragment" @@ -218,6 +237,7 @@ class Main(http.Controller): werkzeug.url_encode(query) ) } + _logger.debug("#### OPENID (auth 4.2): %s" % params) return self.__redirect("/web/login", params, "query") response_types = response_type.split() @@ -261,7 +281,14 @@ class Main(http.Controller): response_params["id_token"] = self.__create_id_token( req, user.id, client, extra_claims ) - + _logger.debug( + "#### OPENID (6): %s, %s, %s" + % (redirect_uri, response_params, response_mode) + ) + _logger.debug( + "#### OPENID (6.1): %s" + % self.__redirect(redirect_uri, response_params, response_mode) + ) return self.__redirect(redirect_uri, response_params, response_mode) @http.route( @@ -281,6 +308,7 @@ class Main(http.Controller): return http.Response(status=200, headers=cors_headers) try: + _logger.debug("#### OPENID (7): %s" % query) if "grant_type" not in query: raise OAuthException( "grant_type param is missing", OAuthException.INVALID_REQUEST, @@ -306,7 +334,7 @@ class Main(http.Controller): OAuthException.UNSUPPORTED_GRANT_TYPE, ) except OAuthException as e: - body = json.dumps({"error": e.type, "error_description": e.message}) + body = json.dumps({"error": e.type, "error_description": e}) return werkzeug.Response(response=body, status=400, headers=cors_headers) def __handle_grant_type_authorization_code(self, req, **query): @@ -320,20 +348,25 @@ class Main(http.Controller): ) try: payload = jwt_decode(query["code"], self.__get_authorization_code_jwk(req)) + _logger.debug("#### OPENID (8): %s" % payload) except jwt.JWTExpired: + _logger.debug("#### OPENID (9): %s" % OAuthException.INVALID_GRANT) raise OAuthException( "Code expired", OAuthException.INVALID_GRANT, ) except ValueError: + _logger.debug("#### OPENID (10): %s" % OAuthException.INVALID_GRANT) raise OAuthException( "code malformed", OAuthException.INVALID_GRANT, ) if payload["client_id"] != client.client_id: + _logger.debug("#### OPENID (11): %s" % OAuthException.INVALID_GRANT) raise OAuthException( "client_id doesn't match the authorization request", OAuthException.INVALID_GRANT, ) if payload["redirect_uri"] != redirect_uri: + _logger.debug("#### OPENID (12): %s" % OAuthException.INVALID_GRANT) raise OAuthException( "redirect_uri doesn't match the authorization request", OAuthException.INVALID_GRANT, @@ -353,6 +386,7 @@ class Main(http.Controller): response["id_token"] = self.__create_id_token( req, payload["user_id"], client, extra_claims ) + _logger.debug("#### OPENID (12): %s" % response) return response def __handle_grant_type_password(self, req, **query): diff --git a/galicea_openid_connect/models/client.py b/galicea_openid_connect/models/client.py index 5dc246c..bbd5bb7 100644 --- a/galicea_openid_connect/models/client.py +++ b/galicea_openid_connect/models/client.py @@ -50,7 +50,7 @@ class Client(models.Model): } ) # Do not include in the "Pending invitations" list - system_user.sudo(system_user.id)._update_last_login() + system_user.with_user(system_user.id)._update_last_login() values["system_user_id"] = system_user.id return super(Client, self).create(values) diff --git a/galicea_openid_connect/models/config_parameter.py b/galicea_openid_connect/models/config_parameter.py index 99d8529..486b788 100644 --- a/galicea_openid_connect/models/config_parameter.py +++ b/galicea_openid_connect/models/config_parameter.py @@ -32,9 +32,5 @@ class ConfigParameter(models.Model): for key, gen in iter(keys.items()): if not self.search([("key", "=", key)]): self.create( - { - "key": key, - "value": gen(), - "group_ids": [(4, self.env.ref("base.group_erp_manager").id)], - } + {"key": key, "value": gen(),} )