bgallet
/
galicea-odoo-addons-ecosystem
forked from Myceliandre/galicea-odoo-addons-ecosystem
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 Commits
7 Branches
0 Tags
635 KiB
Tree: 7fae4c5a0a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7fae4c5a0a'
${ noResults }
galicea-odoo-addons-ecosystem/galicea_openid_connect/controllers/main.py

421 lines
16 KiB
Raw Normal View History

[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] AttributeError: 'OAuthException' object has no attribute 'message' -> galicea openid
4 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] fix req parameters
2 years ago
[openid_connect]
6 years ago
[FIX] FIxes tracback python 3+
4 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[FIX] AttributeError: 'OAuthException' object has no attribute 'message' -> galicea openid
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
12.0
5 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
[FIX] new request management in V16.0
2 years ago
[openid_connect]
6 years ago
  1. # -*- coding: utf-8 -*-
  3. import json
  4. import logging
  5. import time
  6. import os
  7. import base64
  9. from odoo import http
  10. from odoo.http import request
  11. import werkzeug
  12. from werkzeug.urls import url_encode
  14. from .. api import resource
  16. try:
  17. from jwcrypto import jwk, jwt
  18. from cryptography.hazmat.backends import default_backend
  19. from cryptography.hazmat.primitives import hashes
  20. except ImportError:
  21. pass
  23. _logger = logging.getLogger(__name__)
  25. def jwk_from_json(json_key):
  26. key = jwk.JWK()
  27. key.import_key(**json.loads(json_key))
  28. return key
  30. def jwt_encode(claims, key):
  31. token = jwt.JWT(
  32. header={'alg': key._params['alg'], 'kid': key._params['kid']},
  33. claims=claims
  34. )
  35. token.make_signed_token(key)
  36. return token.serialize()
  38. def jwt_decode(serialized, key):
  39. token = jwt.JWT(jwt=serialized, key=key)
  40. return json.loads(token.claims)
  42. RESPONSE_TYPES_SUPPORTED = [
  43. 'code',
  44. 'token',
  45. 'id_token token',
  46. 'id_token'
  47. ]
  49. class OAuthException(Exception):
  50. INVALID_REQUEST = 'invalid_request'
  51. INVALID_CLIENT = 'invalid_client'
  52. UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type'
  53. INVALID_GRANT = 'invalid_grant'
  54. UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type'
  56. def __init__(self, message, type):
  57. super(Exception, self).__init__(message)
  58. self.type = type
  60. class Main(http.Controller):
  61. def __get_authorization_code_jwk(self):
  62. return jwk_from_json(request.env['ir.config_parameter'].sudo().get_param(
  63. 'galicea_openid_connect.authorization_code_jwk'
  64. ))
  66. def __get_id_token_jwk(self):
  67. return jwk_from_json(request.env['ir.config_parameter'].sudo().get_param(
  68. 'galicea_openid_connect.id_token_jwk'
  69. ))
  71. def __validate_client(self, **query):
  72. if 'client_id' not in query:
  73. raise OAuthException(
  74. 'client_id param is missing',
  75. OAuthException.INVALID_CLIENT,
  76. )
  77. client_id = query['client_id']
  78. client = request.env['galicea_openid_connect.client'].sudo().search(
  79. [('client_id', '=', client_id)]
  80. )
  81. if not client:
  82. raise OAuthException(
  83. 'client_id param is invalid',
  84. OAuthException.INVALID_CLIENT,
  85. )
  86. return client
  88. def __validate_redirect_uri(self, client, **query):
  89. if 'redirect_uri' not in query:
  90. raise OAuthException(
  91. 'redirect_uri param is missing',
  92. OAuthException.INVALID_GRANT,
  93. )
  95. redirect_uri = query['redirect_uri']
  96. if client.auth_redirect_uri != redirect_uri:
  97. raise OAuthException(
  98. 'redirect_uri param doesn\'t match the pre-configured redirect URI',
  99. OAuthException.INVALID_GRANT,
  100. )
  102. return redirect_uri
  104. def __validate_client_secret(self, client, **query):
  105. if 'client_secret' not in query or query['client_secret'] != client.secret:
  106. raise OAuthException(
  107. 'client_secret param is not valid',
  108. OAuthException.INVALID_CLIENT,
  109. )
  111. @http.route('/.well-known/openid-configuration', auth='public', type='http')
  112. def metadata(self, **query):
  113. base_url = http.request.httprequest.host_url
  114. data = {
  115. 'issuer': base_url,
  116. 'authorization_endpoint': base_url + 'oauth/authorize',
  117. 'token_endpoint': base_url + 'oauth/token',
  118. 'userinfo_endpoint': base_url + 'oauth/userinfo',
  119. 'jwks_uri': base_url + 'oauth/jwks',
  120. 'scopes_supported': ['openid'],
  121. 'response_types_supported': RESPONSE_TYPES_SUPPORTED,
  122. 'grant_types_supported': ['authorization_code', 'implicit', 'password', 'client_credentials'],
  123. 'subject_types_supported': ['public'],
  124. 'id_token_signing_alg_values_supported': ['RS256'],
  125. 'token_endpoint_auth_methods_supported': ['client_secret_post']
  126. }
  127. return json.dumps(data)
  129. @http.route('/oauth/jwks', auth='public', type='http')
  130. def jwks(self, **query):
  131. keyset = jwk.JWKSet()
  132. keyset.add(self.__get_id_token_jwk())
  133. return keyset.export(private_keys=False)
  135. @resource('/oauth/userinfo', method='GET')
  136. def userinfo(self, **query):
  137. user = request.env.user
  138. values = {
  139. 'sub': str(user.id),
  140. # Needed in case the client is another Odoo instance
  141. 'user_id': str(user.id),
  142. 'name': user.name,
  143. }
  144. if user.email:
  145. values['email'] = user.email
  146. return values
  148. @resource('/oauth/clientinfo', method='GET', auth='client')
  149. def clientinfo(self, **query):
  150. client = request.env['galicea_openid_connect.client'].browse(request.context['client_id'])
  151. return {
  152. 'name': client.name
  153. }
  155. @http.route('/oauth/authorize', auth='public', type='http', csrf=False)
  156. def authorize(self, **query):
  157. # First, validate client_id and redirect_uri params.
  158. try:
  159. client = self.__validate_client(**query)
  160. redirect_uri = self.__validate_redirect_uri(client, **query)
  161. except OAuthException as e:
  162. # If those are not valid, we must not redirect back to the client
  163. # - instead, we display a message to the user
  164. return request.render('galicea_openid_connect.error', {'exception': e})
  166. scopes = query['scope'].split(' ') if query.get('scope') else []
  167. is_openid_request = 'openid' in scopes
  169. # state, if present, is just mirrored back to the client
  170. response_params = {}
  171. if 'state' in query:
  172. response_params['state'] = query['state']
  174. response_mode = query.get('response_mode')
  175. try:
  176. if response_mode and response_mode not in ['query', 'fragment']:
  177. response_mode = None
  178. raise OAuthException(
  179. 'The only supported response_modes are \'query\' and \'fragment\'',
  180. OAuthException.INVALID_REQUEST
  181. )
  183. if 'response_type' not in query:
  184. raise OAuthException(
  185. 'response_type param is missing',
  186. OAuthException.INVALID_REQUEST,
  187. )
  188. response_type = query['response_type']
  189. if response_type not in RESPONSE_TYPES_SUPPORTED:
  190. raise OAuthException(
  191. 'The only supported response_types are: {}'.format(', '.join(RESPONSE_TYPES_SUPPORTED)),
  192. OAuthException.UNSUPPORTED_RESPONSE_TYPE,
  193. )
  194. except OAuthException as e:
  195. response_params['error'] = e.type
  196. response_params['error_description'] = e
  197. return self.__redirect(redirect_uri, response_params, response_mode or 'query')
  199. if not response_mode:
  200. response_mode = 'query' if response_type == 'code' else 'fragment'
  202. user = request.env.user
  203. # In case user is not logged in, we redirect to the login page and come back
  204. needs_login = user.login == 'public'
  205. # Also if they didn't authenticate recently enough
  206. if 'max_age' in query and http.request.session.get('auth_time', 0) + int(query['max_age']) < time.time():
  207. needs_login = True
  208. if needs_login:
  209. params = {
  210. 'force_auth_and_redirect': '/oauth/authorize?{}'.format(url_encode(query))
  211. }
  212. return self.__redirect('/web/login', params, 'query')
  214. response_types = response_type.split()
  216. extra_claims = {
  217. 'sid': http.request.session.sid,
  218. }
  219. if 'nonce' in query:
  220. extra_claims['nonce'] = query['nonce']
  222. if 'code' in response_types:
  223. # Generate code that can be used by the client server to retrieve
  224. # the token. It's set to be valid for 60 seconds only.
  225. # TODO: The spec says the code should be single-use. We're not enforcing
  226. # that here.
  227. payload = {
  228. 'redirect_uri': redirect_uri,
  229. 'client_id': client.client_id,
  230. 'user_id': user.id,
  231. 'scopes': scopes,
  232. 'exp': int(time.time()) + 60
  233. }
  234. payload.update(extra_claims)
  235. key = self.__get_authorization_code_jwk()
  236. response_params['code'] = jwt_encode(payload, key)
  237. if 'token' in response_types:
  238. access_token = request.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  239. user.id,
  240. client.id
  241. ).token
  242. response_params['access_token'] = access_token
  243. response_params['token_type'] = 'bearer'
  245. digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
  246. digest.update(access_token.encode('ascii'))
  247. at_hash = digest.finalize()
  248. #extra_claims['at_hash'] = base64.urlsafe_b64encode(at_hash[:16]).strip('=')
  249. extra_claims['at_hash'] = base64.urlsafe_b64encode(at_hash[:16])
  250. if 'id_token' in response_types:
  251. response_params['id_token'] = self.__create_id_token(user.id, client, extra_claims)
  253. return self.__redirect(redirect_uri, response_params, response_mode)
  255. @http.route('/oauth/token', auth='public', type='http', methods=['POST', 'OPTIONS'], csrf=False)
  256. def token(self, **query):
  257. cors_headers = {
  258. 'Access-Control-Allow-Origin': '*',
  259. 'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, X-Debug-Mode, Authorization',
  260. 'Access-Control-Max-Age': 60 * 60 * 24,
  261. }
  262. _logger.info("Test1 %s" % request.httprequest.method)
  263. if request.httprequest.method == 'OPTIONS':
  264. return http.Response(
  265. status=200,
  266. headers=cors_headers
  267. )
  268. _logger.info("Test2 %s" % query)
  269. try:
  270. if 'grant_type' not in query:
  271. raise OAuthException(
  272. 'grant_type param is missing',
  273. OAuthException.INVALID_REQUEST,
  274. )
  275. if query['grant_type'] == 'authorization_code':
  276. _logger.info("Test3")
  277. return json.dumps(self.__handle_grant_type_authorization_code(**query))
  278. elif query['grant_type'] == 'client_credentials':
  279. _logger.info("Test4")
  280. return json.dumps(self.__handle_grant_type_client_credentials(**query))
  281. elif query['grant_type'] == 'password':
  282. _logger.info("Test5")
  283. return werkzeug.Response(
  284. response=json.dumps(self.__handle_grant_type_password(**query)),
  285. headers=cors_headers
  286. )
  287. else:
  288. raise OAuthException(
  289. 'Unsupported grant_type param: \'{}\''.format(query['grant_type']),
  290. OAuthException.UNSUPPORTED_GRANT_TYPE,
  291. )
  292. except OAuthException as e:
  293. body = json.dumps({'error': e.type, 'error_description': e})
  294. return werkzeug.Response(response=body, status=400, headers=cors_headers)
  296. def __handle_grant_type_authorization_code(self, **query):
  297. client = self.__validate_client(**query)
  298. redirect_uri = self.__validate_redirect_uri(client, **query)
  299. self.__validate_client_secret(client, **query)
  301. if 'code' not in query:
  302. raise OAuthException(
  303. 'code param is missing',
  304. OAuthException.INVALID_GRANT,
  305. )
  306. try:
  307. payload = jwt_decode(query['code'], self.__get_authorization_code_jwk())
  308. except jwt.JWTExpired:
  309. raise OAuthException(
  310. 'Code expired',
  311. OAuthException.INVALID_GRANT,
  312. )
  313. except ValueError:
  314. raise OAuthException(
  315. 'code malformed',
  316. OAuthException.INVALID_GRANT,
  317. )
  318. if payload['client_id'] != client.client_id:
  319. raise OAuthException(
  320. 'client_id doesn\'t match the authorization request',
  321. OAuthException.INVALID_GRANT,
  322. )
  323. if payload['redirect_uri'] != redirect_uri:
  324. raise OAuthException(
  325. 'redirect_uri doesn\'t match the authorization request',
  326. OAuthException.INVALID_GRANT,
  327. )
  329. # Retrieve/generate access token. We currently only store one per user/client
  330. token = request.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  331. payload['user_id'],
  332. client.id
  333. )
  334. response = {
  335. 'access_token': token.token,
  336. 'token_type': 'bearer'
  337. }
  338. if 'openid' in payload['scopes']:
  339. extra_claims = { name: payload[name] for name in payload if name in ['sid', 'nonce'] }
  340. response['id_token'] = self.__create_id_token(payload['user_id'], client, extra_claims)
  341. return response
  343. def __handle_grant_type_password(self, **query):
  344. client = self.__validate_client(**query)
  345. if not client.allow_password_grant:
  346. raise OAuthException(
  347. 'This client is not allowed to perform password flow',
  348. OAuthException.UNSUPPORTED_GRANT_TYPE
  349. )
  351. for param in ['username', 'password']:
  352. if param not in query:
  353. raise OAuthException(
  354. '{} is required'.format(param),
  355. OAuthException.INVALID_REQUEST
  356. )
  357. user_id = request.env['res.users'].authenticate(
  358. request.env.cr.dbname,
  359. query['username'],
  360. query['password'],
  361. None
  362. )
  363. if not user_id:
  364. raise OAuthException(
  365. 'Invalid username or password',
  366. OAuthException.INVALID_REQUEST
  367. )
  369. scopes = query['scope'].split(' ') if query.get('scope') else []
  370. # Retrieve/generate access token. We currently only store one per user/client
  371. token = request.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create(
  372. user_id,
  373. client.id
  374. )
  375. response = {
  376. 'access_token': token.token,
  377. 'token_type': 'bearer'
  378. }
  379. if 'openid' in scopes:
  380. response['id_token'] = self.__create_id_token(user_id, client, {})
  381. return response
  383. def __handle_grant_type_client_credentials(self, **query):
  384. client = self.__validate_client(**query)
  385. self.__validate_client_secret(client, **query)
  386. token = request.env['galicea_openid_connect.client_access_token'].sudo().retrieve_or_create(client.id)
  387. return {
  388. 'access_token': token.token,
  389. 'token_type': 'bearer'
  390. }
  392. def __create_id_token(self, user_id, client, extra_claims):
  393. claims = {
  394. 'iss': http.request.httprequest.host_url,
  395. 'sub': str(user_id),
  396. 'aud': client.client_id,
  397. 'iat': int(time.time()),
  398. 'exp': int(time.time()) + 15 * 60
  399. }
  400. auth_time = extra_claims.get('sid') and http.root.session_store.get(extra_claims['sid']).get('auth_time')
  401. if auth_time:
  402. claims['auth_time'] = auth_time
  403. if 'nonce' in extra_claims:
  404. claims['nonce'] = extra_claims['nonce']
  405. if 'at_hash' in extra_claims:
  406. claims['at_hash'] = extra_claims['at_hash']
  408. key = self.__get_id_token_jwk()
  409. return jwt_encode(claims, key)
  411. def __redirect(self, url, params, response_mode):
  412. location = '{}{}{}'.format(
  413. url,
  414. '?' if response_mode == 'query' else '#',
  415. url_encode(params)
  416. )
  417. return werkzeug.Response(
  418. headers={'Location': location},
  419. response=None,
  420. status=302,
  421. )