OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1690 Commits
13 Branches
0 Tags
45 MiB
Tree: 57417fb7d2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '57417fb7d2'
${ noResults }
server-tools/oauth_provider/oauth2/validator.py

256 lines
10 KiB
Raw Normal View History

[ADD] Add oauth_provider module
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016 SYLEAM
  3. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
  5. import base64
  6. import logging
  7. from datetime import datetime, timedelta
  8. from openerp import http
  9. from openerp import fields
  11. _logger = logging.getLogger(__name__)
  13. try:
  14. from oauthlib.oauth2 import RequestValidator
  15. except ImportError:
  16. _logger.debug('Cannot `import oauthlib`.')
  19. class OdooValidator(RequestValidator):
  20. """ OAuth2 validator to be used in Odoo
  22. This is an implementation of oauthlib's RequestValidator interface
  23. https://github.com/idan/oauthlib/oauthlib/oauth2/rfc6749/request_validator.py
  24. """
  25. def _load_client(self, request, client_id=None):
  26. """ Returns a client instance for the request """
  27. client = request.client
  28. if not client:
  29. request.client = http.request.env['oauth.provider.client'].search([
  30. ('identifier', '=', client_id or request.client_id),
  31. ])
  32. request.odoo_user = http.request.env.user
  33. request.client.client_id = request.client.identifier
  35. def _extract_auth(self, request):
  36. """ Extract auth string from request headers """
  37. auth = request.headers.get('Authorization', ' ')
  38. auth_type, auth_string = auth.split(' ', 1)
  39. if auth_type != 'Basic':
  40. return ''
  42. return auth_string
  44. def authenticate_client(self, request, *args, **kwargs):
  45. """ Authenticate the client """
  46. auth_string = self._extract_auth(request)
  47. auth_string_decoded = base64.b64decode(auth_string)
  49. # If we don't have a proper auth string, get values in the request body
  50. if ':' not in auth_string_decoded:
  51. client_id = request.client_id
  52. client_secret = request.client_secret
  53. else:
  54. client_id, client_secret = auth_string_decoded.split(':', 1)
  56. self._load_client(request)
  57. return (request.client.identifier == client_id) and \
  58. (request.client.secret or '') == (client_secret or '')
  60. def authenticate_client_id(self, client_id, request, *args, **kwargs):
  61. """ Ensure client_id belong to a non-confidential client """
  62. self._load_client(request, client_id=client_id)
  63. return bool(request.client) and not request.client.secret
  65. def client_authentication_required(self, request, *args, **kwargs):
  66. """ Determine if the client authentication is required for the request
  67. """
  68. # If an auth string was specified, unconditionnally authenticate
  69. if self._extract_auth(request):
  70. return True
  72. self._load_client(request)
  73. return request.client.grant_type in (
  74. 'password',
  75. 'authorization_code',
  76. 'refresh_token',
  77. ) or request.client_secret or \
  78. not request.odoo_user.active
  80. def confirm_redirect_uri(
  81. self, client_id, code, redirect_uri, client, *args, **kwargs):
  82. """ Ensure that the authorization process' redirect URI
  84. The authorization process corresponding to the code must begin by using
  85. this redirect_uri
  86. """
  87. code = http.request.env['oauth.provider.authorization.code'].search([
  88. ('client_id.identifier', '=', client_id),
  89. ('code', '=', code),
  90. ])
  91. return redirect_uri == code.redirect_uri_id.name
  93. def get_default_redirect_uri(self, client_id, request, *args, **kwargs):
  94. """ Returns the default redirect URI for the client """
  95. client = http.request.env['oauth.provider.client'].search([
  96. ('identifier', '=', client_id),
  97. ])
  98. return client.redirect_uri_ids and client.redirect_uri_ids[0].name \
  99. or ''
  101. def get_default_scopes(self, client_id, request, *args, **kwargs):
  102. """ Returns a list of default scoprs for the client """
  103. client = http.request.env['oauth.provider.client'].search([
  104. ('identifier', '=', client_id),
  105. ])
  106. return ' '.join(client.scope_ids.mapped('code'))
  108. def get_original_scopes(self, refresh_token, request, *args, **kwargs):
  109. """ Returns the list of scopes associated to the refresh token """
  110. token = http.request.env['oauth.provider.token'].search([
  111. ('client_id', '=', request.client.id),
  112. ('refresh_token', '=', refresh_token),
  113. ])
  114. return token.scope_ids.mapped('code')
  116. def invalidate_authorization_code(
  117. self, client_id, code, request, *args, **kwargs):
  118. """ Invalidates an authorization code """
  119. code = http.request.env['oauth.provider.authorization.code'].search([
  120. ('client_id.identifier', '=', client_id),
  121. ('code', '=', code),
  122. ])
  123. code.sudo().write({'active': False})
  125. def is_within_original_scope(
  126. self, request_scopes, refresh_token, request, *args, **kwargs):
  127. """ Check if the requested scopes are within a scope of the token """
  128. token = http.request.env['oauth.provider.token'].search([
  129. ('client_id', '=', request.client.id),
  130. ('refresh_token', '=', refresh_token),
  131. ])
  132. return set(request_scopes).issubset(
  133. set(token.scope_ids.mapped('code')))
  135. def revoke_token(self, token, token_type_hint, request, *args, **kwargs):
  136. """ Revoke an access of refresh token """
  137. db_token = http.request.env['oauth.provider.token'].search([
  138. ('token', '=', token),
  139. ])
  140. # If we revoke a full token, simply unlink it
  141. if db_token:
  142. db_token.sudo().unlink()
  143. # If we revoke a refresh token, empty it in the corresponding token
  144. else:
  145. db_token = http.request.env['oauth.provider.token'].search([
  146. ('refresh_token', '=', token),
  147. ])
  148. db_token.sudo().refresh_token = False
  150. def rotate_refresh_token(self, request):
  151. """ Determine if the refresh token has to be renewed
  153. Called after refreshing an access token
  154. Always refresh the token by default, but child classes could override
  155. this method to change this behaviour.
  156. """
  157. return True
  159. def save_authorization_code(
  160. self, client_id, code, request, *args, **kwargs):
  161. """ Store the authorization code into the database """
  162. redirect_uri = http.request.env['oauth.provider.redirect.uri'].search([
  163. ('name', '=', request.redirect_uri),
  164. ])
  165. http.request.env['oauth.provider.authorization.code'].sudo().create({
  166. 'code': code['code'],
  167. 'client_id': request.client.id,
  168. 'user_id': request.odoo_user.id,
  169. 'redirect_uri_id': redirect_uri.id,
  170. 'scope_ids': [(6, 0, request.client.scope_ids.filtered(
  171. lambda record: record.code in request.scopes).ids)],
  172. })
  174. def save_bearer_token(self, token, request, *args, **kwargs):
  175. """ Store the bearer token into the database """
  176. scopes = token.get('scope', '').split()
  177. http.request.env['oauth.provider.token'].sudo().create({
  178. 'token': token['access_token'],
  179. 'token_type': token['token_type'],
  180. 'refresh_token': token.get('refresh_token'),
  181. 'client_id': request.client.id,
  182. 'user_id': token.get('odoo_user_id', request.odoo_user.id),
  183. 'scope_ids': [(6, 0, request.client.scope_ids.filtered(
  184. lambda record: record.code in scopes).ids)],
  185. 'expires_at': fields.Datetime.to_string(
  186. datetime.now() + timedelta(seconds=token['expires_in'])),
  187. })
  188. return request.client.redirect_uri_ids[0].name
  190. def validate_bearer_token(self, token, scopes, request):
  191. """ Ensure the supplied bearer token is valid, and allowed for the scopes
  192. """
  193. token = http.request.env['oauth.provider.token'].search([
  194. ('token', '=', token),
  195. ])
  196. if scopes is None:
  197. scopes = ''
  199. return set(scopes.split()).issubset(
  200. set(token.scope_ids.mapped('code')))
  202. def validate_client_id(self, client_id, request, *args, **kwargs):
  203. """ Ensure client_id belong to a valid and active client """
  204. self._load_client(request)
  205. return bool(request.client)
  207. def validate_code(self, client_id, code, client, request, *args, **kwargs):
  208. """ Check that the code is valid, and assigned to the given client """
  209. code = http.request.env['oauth.provider.authorization.code'].search([
  210. ('client_id.identifier', '=', client_id),
  211. ('code', '=', code),
  212. ])
  213. request.odoo_user = code.user_id
  214. return bool(code)
  216. def validate_grant_type(
  217. self, client_id, grant_type, client, request, *args, **kwargs):
  218. """ Ensure the client is authorized to use the requested grant_type """
  219. return client.identifier == client_id and grant_type in (
  220. client.grant_type, 'refresh_token'
  221. )
  223. def validate_redirect_uri(
  224. self, client_id, redirect_uri, request, *args, **kwargs):
  225. """ Ensure the client is allowed to use the requested redurect_uri """
  226. return request.client.identifier == client_id and \
  227. redirect_uri in request.client.mapped('redirect_uri_ids.name')
  229. def validate_refresh_token(
  230. self, refresh_token, client, request, *args, **kwargs):
  231. """ Ensure the refresh token is valid and associated to the client """
  232. token = http.request.env['oauth.provider.token'].search([
  233. ('client_id', '=', client.id),
  234. ('refresh_token', '=', refresh_token),
  235. ])
  236. return bool(token)
  238. def validate_response_type(
  239. self, client_id, response_type, client, request, *args, **kwargs):
  240. """ Ensure the client is allowed to use the requested response_type """
  241. return request.client.identifier == client_id and \
  242. response_type == request.client.response_type
  244. def validate_scopes(
  245. self, client_id, scopes, client, request, *args, **kwargs):
  246. """ Ensure the client is allowed to access all requested scopes """
  247. return request.client.identifier == client_id and set(scopes).issubset(
  248. set(request.client.mapped('scope_ids.code')))
  250. def validate_user(
  251. self, username, password, client, request, *args, **kwargs):
  252. """ Ensure the usernamd and password are valid """
  253. uid = http.request.session.authenticate(
  254. http.request.session.db, username, password)
  255. request.odoo_user = http.request.env['res.users'].browse(uid)
  256. return bool(uid)