OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1694 Commits
13 Branches
0 Tags
45 MiB
Tree: 80ac6549d9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '80ac6549d9'
${ noResults }
server-tools/oauth_provider_jwt/models/oauth_provider_client.py

191 lines
7.3 KiB
Raw Normal View History

[ADD] Add oauth_provider_jwt module
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016 SYLEAM
  3. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
  5. import logging
  6. from datetime import datetime, timedelta
  7. from openerp import models, api, fields, exceptions, _
  9. _logger = logging.getLogger(__name__)
  11. try:
  12. from oauthlib.oauth2.rfc6749.tokens import random_token_generator
  13. except ImportError:
  14. _logger.debug('Cannot `import oauthlib`.')
  16. try:
  17. import jwt
  18. except ImportError:
  19. _logger.debug('Cannot `import jwt`.')
  21. try:
  22. from cryptography.hazmat.backends import default_backend
  23. from cryptography.hazmat.primitives.asymmetric.ec import \
  24. EllipticCurvePrivateKey
  25. from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
  26. from cryptography.hazmat.primitives.serialization import \
  27. Encoding, PublicFormat, PrivateFormat, NoEncryption, \
  28. load_pem_private_key
  29. from cryptography.hazmat.primitives.asymmetric import rsa, ec
  30. except ImportError:
  31. _logger.debug('Cannot `import cryptography`.')
  34. class OAuthProviderClient(models.Model):
  35. _inherit = 'oauth.provider.client'
  37. CRYPTOSYSTEMS = {
  38. 'ES': EllipticCurvePrivateKey,
  39. 'RS': RSAPrivateKey,
  40. 'PS': RSAPrivateKey,
  41. }
  43. token_type = fields.Selection(selection_add=[('jwt', 'JSON Web Token')])
  44. jwt_scope_id = fields.Many2one(
  45. comodel_name='oauth.provider.scope', string='Data Scope',
  46. domain=[('model_id.model', '=', 'res.users')],
  47. help='Scope executed to add some user\'s data in the token.')
  48. jwt_algorithm = fields.Selection(selection=[
  49. ('HS256', 'HMAC using SHA-256 hash algorithm'),
  50. ('HS384', 'HMAC using SHA-384 hash algorithm'),
  51. ('HS512', 'HMAC using SHA-512 hash algorithm'),
  52. ('ES256', 'ECDSA signature algorithm using SHA-256 hash algorithm'),
  53. ('ES384', 'ECDSA signature algorithm using SHA-384 hash algorithm'),
  54. ('ES512', 'ECDSA signature algorithm using SHA-512 hash algorithm'),
  55. ('RS256', 'RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash '
  56. 'algorithm'),
  57. ('RS384', 'RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash '
  58. 'algorithm'),
  59. ('RS512', 'RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash '
  60. 'algorithm'),
  61. ('PS256', 'RSASSA-PSS signature using SHA-256 and MGF1 padding with '
  62. 'SHA-256'),
  63. ('PS384', 'RSASSA-PSS signature using SHA-384 and MGF1 padding with '
  64. 'SHA-384'),
  65. ('PS512', 'RSASSA-PSS signature using SHA-512 and MGF1 padding with '
  66. 'SHA-512'),
  67. ], string='Algorithm', help='Algorithm used to sign the JSON Web Token.')
  68. jwt_private_key = fields.Text(
  69. string='Private Key',
  70. help='Private key used for the JSON Web Token generation.')
  71. jwt_public_key = fields.Text(
  72. string='Public Key', compute='_compute_jwt_public_key',
  73. help='Public key used for the JSON Web Token generation.')
  75. @api.multi
  76. def _load_private_key(self):
  77. """ Load the client's private key into a cryptography's object instance
  78. """
  79. return load_pem_private_key(
  80. str(self.jwt_private_key),
  81. password=None,
  82. backend=default_backend(),
  83. )
  85. @api.multi
  86. @api.constrains('jwt_algorithm', 'jwt_private_key')
  87. def _check_jwt_private_key(self):
  88. """ Check if the private key's type matches the selected algorithm
  90. This check is only performed for asymetric algorithms
  91. """
  92. for client in self:
  93. algorithm_prefix = client.jwt_algorithm[:2]
  94. if client.jwt_private_key and \
  95. algorithm_prefix in self.CRYPTOSYSTEMS:
  96. private_key = client._load_private_key()
  98. if not isinstance(
  99. private_key, self.CRYPTOSYSTEMS[algorithm_prefix]):
  100. raise exceptions.ValidationError(
  101. _('The private key doesn\'t fit the selected '
  102. 'algorithm!'))
  104. @api.multi
  105. def generate_private_key(self):
  106. """ Generate a private key for ECDSA and RSA algorithm clients """
  107. for client in self:
  108. algorithm_prefix = client.jwt_algorithm[:2]
  110. if algorithm_prefix == 'ES':
  111. key = ec.generate_private_key(
  112. curve=ec.SECT283R1,
  113. backend=default_backend(),
  114. )
  115. elif algorithm_prefix in ('RS', 'PS'):
  116. key = rsa.generate_private_key(
  117. public_exponent=65537, key_size=2048,
  118. backend=default_backend(),
  119. )
  120. else:
  121. raise exceptions.UserError(
  122. _('You can only generate private keys for asymetric '
  123. 'algorithms!'))
  125. client.jwt_private_key = key.private_bytes(
  126. encoding=Encoding.PEM,
  127. format=PrivateFormat.TraditionalOpenSSL,
  128. encryption_algorithm=NoEncryption(),
  129. )
  131. @api.multi
  132. def _compute_jwt_public_key(self):
  133. """ Compute the public key associated to the client's private key
  135. This is only done for asymetric algorithms
  136. """
  137. for client in self:
  138. if client.jwt_private_key and \
  139. client.jwt_algorithm[:2] in self.CRYPTOSYSTEMS:
  140. private_key = client._load_private_key()
  141. client.jwt_public_key = private_key.public_key().public_bytes(
  142. Encoding.PEM, PublicFormat.SubjectPublicKeyInfo)
  143. else:
  144. client.jwt_public_key = False
  146. @api.model
  147. def _generate_jwt_payload(self, request):
  148. """ Generate a payload containing data from the client """
  149. utcnow = datetime.utcnow()
  150. data = {
  151. 'exp': utcnow + timedelta(seconds=request.expires_in),
  152. 'nbf': utcnow,
  153. 'iss': 'Odoo',
  154. 'aud': request.client.identifier,
  155. 'iat': utcnow,
  156. 'user_id': request.client.generate_user_id(request.odoo_user),
  157. }
  158. if request.client.jwt_scope_id:
  159. # Sudo as the token's user to execute the scope's filter with that
  160. # user's rights
  161. scope = request.client.jwt_scope_id.sudo(user=request.odoo_user)
  162. scope_data = scope.get_data_for_model(
  163. 'res.users', res_id=request.odoo_user.id)
  164. # Remove the user id in scope data
  165. del scope_data['id']
  166. data.update(scope_data)
  168. return data
  170. @api.multi
  171. def get_oauth2_server(self, validator=None, **kwargs):
  172. """ Add a custom JWT token generator in the server's arguments """
  173. self.ensure_one()
  175. def jwt_generator(request):
  176. """ Generate a JSON Web Token using a custom payload from the client
  177. """
  178. payload = self._generate_jwt_payload(request)
  179. return jwt.encode(
  180. payload,
  181. request.client.jwt_private_key,
  182. algorithm=request.client.jwt_algorithm,
  183. )
  185. # Add the custom generator only if none is already defined
  186. if self.token_type == 'jwt' and 'token_generator' not in kwargs:
  187. kwargs['token_generator'] = jwt_generator
  188. kwargs['refresh_token_generator'] = random_token_generator
  190. return super(OAuthProviderClient, self).get_oauth2_server(
  191. validator=validator, **kwargs)