bgallet
/
galicea-odoo-addons-ecosystem
forked from Myceliandre/galicea-odoo-addons-ecosystem
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14 Commits
7 Branches
0 Tags
635 KiB
Branch: 10.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '10.0'
${ noResults }
galicea-odoo-addons-ecosystem/galicea_openid_connect/controllers/main.py

422 lines
16 KiB
Raw Permalink Normal View History

[openid_connect]
6 years ago
Allow restricting clients to groups, APIs to clients, custom API exceptions
5 years ago
[openid_connect]
6 years ago
Allow restricting clients to groups, APIs to clients, custom API exceptions
5 years ago
[openid_connect]
6 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[openid_connect]
6 years ago
Allow restricting clients to groups, APIs to clients, custom API exceptions
5 years ago
[openid_connect]
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
Allow restricting clients to groups, APIs to clients, custom API exceptions
5 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[openid_connect]
6 years ago
  1. # -*- coding: utf-8 -*-
  3. import json
  4. import time
  5. import os
  6. import base64
  8. from odoo import http
  9. import werkzeug
  11. from .. api import resource
  13. try:
  14. from jwcrypto import jwk, jwt
  15. from cryptography.hazmat.backends import default_backend
  16. from cryptography.hazmat.primitives import hashes
  17. except ImportError:
  18. pass
  20. def jwk_from_json(json_key):
  21. key = jwk.JWK()
  22. key.import_key(**json.loads(json_key))
  23. return key
  25. def jwt_encode(claims, key):
  26. token = jwt.JWT(
  27. header={'alg': key._params['alg'], 'kid': key._params['kid']},
  28. claims=claims
  29. )
  30. token.make_signed_token(key)
  31. return token.serialize()
  33. def jwt_decode(serialized, key):
  34. token = jwt.JWT(jwt=serialized, key=key)
  35. return json.loads(token.claims)
  37. RESPONSE_TYPES_SUPPORTED = [
  38. 'code',
  39. 'token',
  40. 'id_token token',
  41. 'id_token'
  42. ]
  44. class OAuthException(Exception):
  45. INVALID_REQUEST = 'invalid_request'
  46. INVALID_CLIENT = 'invalid_client'
  47. UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type'
  48. INVALID_GRANT = 'invalid_grant'
  49. UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type'
  50. RESTRICTED_APP = 'restricted_app'
  52. def __init__(self, message, type):
  53. super(Exception, self).__init__(message)
  54. self.type = type
  56. class Main(http.Controller):
  57. def __get_authorization_code_jwk(self, req):
  58. return jwk_from_json(req.env['ir.config_parameter'].sudo().get_param(
  59. 'galicea_openid_connect.authorization_code_jwk'
  60. ))
  62. def __get_id_token_jwk(self, req):
  63. return jwk_from_json(req.env['ir.config_parameter'].sudo().get_param(
  64. 'galicea_openid_connect.id_token_jwk'
  65. ))
  67. def __validate_client(self, req, **query):
  68. if 'client_id' not in query:
  69. raise OAuthException(
  70. 'client_id param is missing',
  71. OAuthException.INVALID_CLIENT,
  72. )
  73. client_id = query['client_id']
  74. client = req.env['galicea_openid_connect.client'].sudo().search(
  75. [('client_id', '=', client_id)]
  76. )
  77. if not client:
  78. raise OAuthException(
  79. 'client_id param is invalid',
  80. OAuthException.INVALID_CLIENT,
  81. )
  82. return client
  84. def __validate_redirect_uri(self, client, req, **query):
  85. if 'redirect_uri' not in query:
  86. raise OAuthException(
  87. 'redirect_uri param is missing',
  88. OAuthException.INVALID_GRANT,
  89. )
  91. redirect_uri = query['redirect_uri']
  92. if client.auth_redirect_uri != redirect_uri:
  93. raise OAuthException(
  94. 'redirect_uri param doesn\'t match the pre-configured redirect URI',
  95. OAuthException.INVALID_GRANT,
  96. )
  98. return redirect_uri
  100. def __validate_client_secret(self, client, req, **query):
  101. if 'client_secret' not in query or query['client_secret'] != client.secret:
  102. raise OAuthException(
  103. 'client_secret param is not valid',
  104. OAuthException.INVALID_CLIENT,
  105. )
  107. def __validate_user(self, client, user):
  108. if not client.user_group_id:
  109. return
  110. if client.user_group_id not in user.groups_id:
  111. raise OAuthException(
  112. 'User is not allowed to use this client',
  113. OAuthException.RESTRICTED_APP
  114. )
  116. @http.route('/.well-known/openid-configuration', auth='public', type='http')
  117. def metadata(self, req, **query):
  118. base_url = http.request.httprequest.host_url
  119. data = {
  120. 'issuer': base_url,
  121. 'authorization_endpoint': base_url + 'oauth/authorize',
  122. 'token_endpoint': base_url + 'oauth/token',
  123. 'userinfo_endpoint': base_url + 'oauth/userinfo',
  124. 'jwks_uri': base_url + 'oauth/jwks',
  125. 'scopes_supported': ['openid'],
  126. 'response_types_supported': RESPONSE_TYPES_SUPPORTED,
  127. 'grant_types_supported': ['authorization_code', 'implicit', 'password', 'client_credentials'],
  128. 'subject_types_supported': ['public'],
  129. 'id_token_signing_alg_values_supported': ['RS256'],
  130. 'token_endpoint_auth_methods_supported': ['client_secret_post']
  131. }
  132. return json.dumps(data)
  134. @http.route('/oauth/jwks', auth='public', type='http')
  135. def jwks(self, req, **query):
  136. keyset = jwk.JWKSet()
  137. keyset.add(self.__get_id_token_jwk(req))
  138. return keyset.export(private_keys=False)
  140. @resource('/oauth/userinfo', method='GET')
  141. def userinfo(self, req, **query):
  142. user = req.env.user
  143. values = {
  144. 'sub': str(user.id),
  145. # Needed in case the client is another Odoo instance
  146. 'user_id': str(user.id),
  147. 'name': user.name,
  148. }
  149. if user.email:
  150. values['email'] = user.email
  151. return values
  153. @resource('/oauth/clientinfo', method='GET', auth='client')
  154. def clientinfo(self, req, **query):
  155. client = req.env['galicea_openid_connect.client'].browse(req.context['client_id'])
  156. return {
  157. 'name': client.name
  158. }
  160. @http.route('/oauth/authorize', auth='public', type='http', csrf=False)
  161. def authorize(self, req, **query):
  162. # First, validate client_id and redirect_uri params.
  163. try:
  164. client = self.__validate_client(req, **query)
  165. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  166. except OAuthException as e:
  167. # If those are not valid, we must not redirect back to the client
  168. # - instead, we display a message to the user
  169. return req.render('galicea_openid_connect.error', {'exception': e})
  171. scopes = query['scope'].split(' ') if query.get('scope') else []
  172. is_openid_request = 'openid' in scopes
  174. # state, if present, is just mirrored back to the client
  175. response_params = {}
  176. if 'state' in query:
  177. response_params['state'] = query['state']
  179. response_mode = query.get('response_mode')
  180. try:
  181. if response_mode and response_mode not in ['query', 'fragment']:
  182. response_mode = None
  183. raise OAuthException(
  184. 'The only supported response_modes are \'query\' and \'fragment\'',
  185. OAuthException.INVALID_REQUEST
  186. )
  188. if 'response_type' not in query:
  189. raise OAuthException(
  190. 'response_type param is missing',
  191. OAuthException.INVALID_REQUEST,
  192. )
  193. response_type = query['response_type']
  194. if response_type not in RESPONSE_TYPES_SUPPORTED:
  195. raise OAuthException(
  196. 'The only supported response_types are: {}'.format(', '.join(RESPONSE_TYPES_SUPPORTED)),
  197. OAuthException.UNSUPPORTED_RESPONSE_TYPE,
  198. )
  199. except OAuthException as e:
  200. response_params['error'] = e.type
  201. response_params['error_description'] = e.message
  202. return self.__redirect(redirect_uri, response_params, response_mode or 'query')
  204. if not response_mode:
  205. response_mode = 'query' if response_type == 'code' else 'fragment'
  207. user = req.env.user
  208. # In case user is not logged in, we redirect to the login page and come back
  209. needs_login = user.login == 'public'
  210. # Also if they didn't authenticate recently enough
  211. if 'max_age' in query and http.request.session.get('auth_time', 0) + int(query['max_age']) < time.time():
  212. needs_login = True
  213. if needs_login:
  214. params = {
  215. 'force_auth_and_redirect': '/oauth/authorize?{}'.format(werkzeug.url_encode(query))
  216. }
  217. return self.__redirect('/web/login', params, 'query')
  219. self.__validate_user(client, user)
  220. response_types = response_type.split()
  222. extra_claims = {
  223. 'sid': http.request.httprequest.session.sid,
  224. }
  225. if 'nonce' in query:
  226. extra_claims['nonce'] = query['nonce']
  228. if 'code' in response_types:
  229. # Generate code that can be used by the client server to retrieve
  230. # the token. It's set to be valid for 60 seconds only.
  231. # TODO: The spec says the code should be single-use. We're not enforcing
  232. # that here.
  233. payload = {
  234. 'redirect_uri': redirect_uri,
  235. 'client_id': client.client_id,
  236. 'user_id': user.id,
  237. 'scopes': scopes,
  238. 'exp': int(time.time()) + 60
  239. }
  240. payload.update(extra_claims)
  241. key = self.__get_authorization_code_jwk(req)
  242. response_params['code'] = jwt_encode(payload, key)
  243. if 'token' in response_types:
  244. access_token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  245. user.id,
  246. client.id
  247. ).token
  248. response_params['access_token'] = access_token
  249. response_params['token_type'] = 'bearer'
  251. digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
  252. digest.update(access_token.encode('ascii'))
  253. at_hash = digest.finalize()
  254. extra_claims['at_hash'] = base64.urlsafe_b64encode(at_hash[:16]).strip('=')
  255. if 'id_token' in response_types:
  256. response_params['id_token'] = self.__create_id_token(req, user.id, client, extra_claims)
  258. return self.__redirect(redirect_uri, response_params, response_mode)
  260. @http.route('/oauth/token', auth='public', type='http', methods=['POST', 'OPTIONS'], csrf=False)
  261. def token(self, req, **query):
  262. cors_headers = {
  263. 'Access-Control-Allow-Origin': '*',
  264. 'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, X-Debug-Mode, Authorization',
  265. 'Access-Control-Max-Age': 60 * 60 * 24,
  266. }
  267. if req.httprequest.method == 'OPTIONS':
  268. return http.Response(
  269. status=200,
  270. headers=cors_headers
  271. )
  273. try:
  274. if 'grant_type' not in query:
  275. raise OAuthException(
  276. 'grant_type param is missing',
  277. OAuthException.INVALID_REQUEST,
  278. )
  279. if query['grant_type'] == 'authorization_code':
  280. return json.dumps(self.__handle_grant_type_authorization_code(req, **query))
  281. elif query['grant_type'] == 'client_credentials':
  282. return json.dumps(self.__handle_grant_type_client_credentials(req, **query))
  283. elif query['grant_type'] == 'password':
  284. return werkzeug.Response(
  285. response=json.dumps(self.__handle_grant_type_password(req, **query)),
  286. headers=cors_headers
  287. )
  288. else:
  289. raise OAuthException(
  290. 'Unsupported grant_type param: \'{}\''.format(query['grant_type']),
  291. OAuthException.UNSUPPORTED_GRANT_TYPE,
  292. )
  293. except OAuthException as e:
  294. body = json.dumps({'error': e.type, 'error_description': e.message})
  295. return werkzeug.Response(response=body, status=400, headers=cors_headers)
  297. def __handle_grant_type_authorization_code(self, req, **query):
  298. client = self.__validate_client(req, **query)
  299. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  300. self.__validate_client_secret(client, req, **query)
  302. if 'code' not in query:
  303. raise OAuthException(
  304. 'code param is missing',
  305. OAuthException.INVALID_GRANT,
  306. )
  307. try:
  308. payload = jwt_decode(query['code'], self.__get_authorization_code_jwk(req))
  309. except jwt.JWTExpired:
  310. raise OAuthException(
  311. 'Code expired',
  312. OAuthException.INVALID_GRANT,
  313. )
  314. except ValueError:
  315. raise OAuthException(
  316. 'code malformed',
  317. OAuthException.INVALID_GRANT,
  318. )
  319. if payload['client_id'] != client.client_id:
  320. raise OAuthException(
  321. 'client_id doesn\'t match the authorization request',
  322. OAuthException.INVALID_GRANT,
  323. )
  324. if payload['redirect_uri'] != redirect_uri:
  325. raise OAuthException(
  326. 'redirect_uri doesn\'t match the authorization request',
  327. OAuthException.INVALID_GRANT,
  328. )
  330. # Retrieve/generate access token. We currently only store one per user/client
  331. token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  332. payload['user_id'],
  333. client.id
  334. )
  335. response = {
  336. 'access_token': token.token,
  337. 'token_type': 'bearer'
  338. }
  339. if 'openid' in payload['scopes']:
  340. extra_claims = { name: payload[name] for name in payload if name in ['sid', 'nonce'] }
  341. response['id_token'] = self.__create_id_token(req, payload['user_id'], client, extra_claims)
  342. return response
  344. def __handle_grant_type_password(self, req, **query):
  345. client = self.__validate_client(req, **query)
  346. if not client.allow_password_grant:
  347. raise OAuthException(
  348. 'This client is not allowed to perform password flow',
  349. OAuthException.UNSUPPORTED_GRANT_TYPE
  350. )
  352. for param in ['username', 'password']:
  353. if param not in query:
  354. raise OAuthException(
  355. '{} is required'.format(param),
  356. OAuthException.INVALID_REQUEST
  357. )
  358. user_id = req.env['res.users'].authenticate(
  359. req.env.cr.dbname,
  360. query['username'],
  361. query['password'],
  362. None
  363. )
  364. if not user_id:
  365. raise OAuthException(
  366. 'Invalid username or password',
  367. OAuthException.INVALID_REQUEST
  368. )
  369. self.__validate_user(client, req.env['res.users'].sudo().browse(user_id))
  370. scopes = query['scope'].split(' ') if query.get('scope') else []
  371. # Retrieve/generate access token. We currently only store one per user/client
  372. token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  373. user_id,
  374. client.id
  375. )
  376. response = {
  377. 'access_token': token.token,
  378. 'token_type': 'bearer'
  379. }
  380. if 'openid' in scopes:
  381. response['id_token'] = self.__create_id_token(req, user_id, client, {})
  382. return response
  384. def __handle_grant_type_client_credentials(self, req, **query):
  385. client = self.__validate_client(req, **query)
  386. self.__validate_client_secret(client, req, **query)
  387. token = req.env['galicea_openid_connect.client_access_token'].sudo().retrieve_or_create(client.id)
  388. return {
  389. 'access_token': token.token,
  390. 'token_type': 'bearer'
  391. }
  393. def __create_id_token(self, req, user_id, client, extra_claims):
  394. claims = {
  395. 'iss': http.request.httprequest.host_url,
  396. 'sub': str(user_id),
  397. 'aud': client.client_id,
  398. 'iat': int(time.time()),
  399. 'exp': int(time.time()) + 15 * 60
  400. }
  401. auth_time = extra_claims.get('sid') and http.root.session_store.get(extra_claims['sid']).get('auth_time')
  402. if auth_time:
  403. claims['auth_time'] = auth_time
  404. if 'nonce' in extra_claims:
  405. claims['nonce'] = extra_claims['nonce']
  406. if 'at_hash' in extra_claims:
  407. claims['at_hash'] = extra_claims['at_hash']
  409. key = self.__get_id_token_jwk(req)
  410. return jwt_encode(claims, key)
  412. def __redirect(self, url, params, response_mode):
  413. location = '{}{}{}'.format(
  414. url,
  415. '?' if response_mode == 'query' else '#',
  416. werkzeug.url_encode(params)
  417. )
  418. return werkzeug.Response(
  419. headers={'Location': location},
  420. response=None,
  421. status=302,
  422. )