bgallet
/
galicea-odoo-addons-ecosystem
forked from Myceliandre/galicea-odoo-addons-ecosystem
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 Commits
7 Branches
0 Tags
635 KiB
Tree: df0777e6b2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'df0777e6b2'
${ noResults }
galicea-odoo-addons-ecosystem/galicea_openid_connect/controllers/main.py

429 lines
16 KiB
Raw Normal View History

[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
12.0
5 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
  1. import json
  2. import time
  3. import os
  4. import base64
  6. from odoo import http
  7. import werkzeug
  9. from ..api import resource
  11. try:
  12. from jwcrypto import jwk, jwt
  13. from cryptography.hazmat.backends import default_backend
  14. from cryptography.hazmat.primitives import hashes
  15. except ImportError:
  16. pass
  19. def jwk_from_json(json_key):
  20. key = jwk.JWK()
  21. key.import_key(**json.loads(json_key))
  22. return key
  25. def jwt_encode(claims, key):
  26. token = jwt.JWT(
  27. header={"alg": key._params["alg"], "kid": key._params["kid"]}, claims=claims
  28. )
  29. token.make_signed_token(key)
  30. return token.serialize()
  33. def jwt_decode(serialized, key):
  34. token = jwt.JWT(jwt=serialized, key=key)
  35. return json.loads(token.claims)
  38. RESPONSE_TYPES_SUPPORTED = ["code", "token", "id_token token", "id_token"]
  41. class OAuthException(Exception):
  42. INVALID_REQUEST = "invalid_request"
  43. INVALID_CLIENT = "invalid_client"
  44. UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type"
  45. INVALID_GRANT = "invalid_grant"
  46. UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type"
  48. def __init__(self, message, type):
  49. super(Exception, self).__init__(message)
  50. self.type = type
  53. class Main(http.Controller):
  54. def __get_authorization_code_jwk(self, req):
  55. return jwk_from_json(
  56. req.env["ir.config_parameter"]
  57. .sudo()
  58. .get_param("galicea_openid_connect.authorization_code_jwk")
  59. )
  61. def __get_id_token_jwk(self, req):
  62. return jwk_from_json(
  63. req.env["ir.config_parameter"]
  64. .sudo()
  65. .get_param("galicea_openid_connect.id_token_jwk")
  66. )
  68. def __validate_client(self, req, **query):
  69. if "client_id" not in query:
  70. raise OAuthException(
  71. "client_id param is missing", OAuthException.INVALID_CLIENT,
  72. )
  73. client_id = query["client_id"]
  74. client = (
  75. req.env["galicea_openid_connect.client"]
  76. .sudo()
  77. .search([("client_id", "=", client_id)])
  78. )
  79. if not client:
  80. raise OAuthException(
  81. "client_id param is invalid", OAuthException.INVALID_CLIENT,
  82. )
  83. return client
  85. def __validate_redirect_uri(self, client, req, **query):
  86. if "redirect_uri" not in query:
  87. raise OAuthException(
  88. "redirect_uri param is missing", OAuthException.INVALID_GRANT,
  89. )
  91. redirect_uri = query["redirect_uri"]
  92. if client.auth_redirect_uri != redirect_uri:
  93. raise OAuthException(
  94. "redirect_uri param doesn't match the pre-configured redirect URI",
  95. OAuthException.INVALID_GRANT,
  96. )
  98. return redirect_uri
  100. def __validate_client_secret(self, client, req, **query):
  101. if "client_secret" not in query or query["client_secret"] != client.secret:
  102. raise OAuthException(
  103. "client_secret param is not valid", OAuthException.INVALID_CLIENT,
  104. )
  106. @http.route("/.well-known/openid-configuration", auth="public", type="http")
  107. def metadata(self, req, **query):
  108. base_url = http.request.httprequest.host_url
  109. data = {
  110. "issuer": base_url,
  111. "authorization_endpoint": base_url + "oauth/authorize",
  112. "token_endpoint": base_url + "oauth/token",
  113. "userinfo_endpoint": base_url + "oauth/userinfo",
  114. "jwks_uri": base_url + "oauth/jwks",
  115. "scopes_supported": ["openid"],
  116. "response_types_supported": RESPONSE_TYPES_SUPPORTED,
  117. "grant_types_supported": [
  118. "authorization_code",
  119. "implicit",
  120. "password",
  121. "client_credentials",
  122. ],
  123. "subject_types_supported": ["public"],
  124. "id_token_signing_alg_values_supported": ["RS256"],
  125. "token_endpoint_auth_methods_supported": ["client_secret_post"],
  126. }
  127. return json.dumps(data)
  129. @http.route("/oauth/jwks", auth="public", type="http")
  130. def jwks(self, req, **query):
  131. keyset = jwk.JWKSet()
  132. keyset.add(self.__get_id_token_jwk(req))
  133. return keyset.export(private_keys=False)
  135. @resource("/oauth/userinfo", method="GET")
  136. def userinfo(self, req, **query):
  137. user = req.env.user
  138. values = {
  139. "sub": str(user.id),
  140. # Needed in case the client is another Odoo instance
  141. "user_id": str(user.id),
  142. "name": user.name,
  143. }
  144. if user.email:
  145. values["email"] = user.email
  146. return values
  148. @resource("/oauth/clientinfo", method="GET", auth="client")
  149. def clientinfo(self, req, **query):
  150. client = req.env["galicea_openid_connect.client"].browse(
  151. req.context["client_id"]
  152. )
  153. return {"name": client.name}
  155. @http.route("/oauth/authorize", auth="public", type="http", csrf=False)
  156. def authorize(self, req, **query):
  157. # First, validate client_id and redirect_uri params.
  158. try:
  159. client = self.__validate_client(req, **query)
  160. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  161. except OAuthException as e:
  162. # If those are not valid, we must not redirect back to the client
  163. # - instead, we display a message to the user
  164. return req.render("galicea_openid_connect.error", {"exception": e})
  166. scopes = query["scope"].split(" ") if query.get("scope") else []
  167. is_openid_request = "openid" in scopes
  169. # state, if present, is just mirrored back to the client
  170. response_params = {}
  171. if "state" in query:
  172. response_params["state"] = query["state"]
  174. response_mode = query.get("response_mode")
  175. try:
  176. if response_mode and response_mode not in ["query", "fragment"]:
  177. response_mode = None
  178. raise OAuthException(
  179. "The only supported response_modes are 'query' and 'fragment'",
  180. OAuthException.INVALID_REQUEST,
  181. )
  183. if "response_type" not in query:
  184. raise OAuthException(
  185. "response_type param is missing", OAuthException.INVALID_REQUEST,
  186. )
  187. response_type = query["response_type"]
  188. if response_type not in RESPONSE_TYPES_SUPPORTED:
  189. raise OAuthException(
  190. "The only supported response_types are: {}".format(
  191. ", ".join(RESPONSE_TYPES_SUPPORTED)
  192. ),
  193. OAuthException.UNSUPPORTED_RESPONSE_TYPE,
  194. )
  195. except OAuthException as e:
  196. response_params["error"] = e.type
  197. response_params["error_description"] = e.message
  198. return self.__redirect(
  199. redirect_uri, response_params, response_mode or "query"
  200. )
  202. if not response_mode:
  203. response_mode = "query" if response_type == "code" else "fragment"
  205. user = req.env.user
  206. # In case user is not logged in, we redirect to the login page and come back
  207. needs_login = user.login == "public"
  208. # Also if they didn't authenticate recently enough
  209. if (
  210. "max_age" in query
  211. and http.request.session.get("auth_time", 0) + int(query["max_age"])
  212. < time.time()
  213. ):
  214. needs_login = True
  215. if needs_login:
  216. params = {
  217. "force_auth_and_redirect": "/oauth/authorize?{}".format(
  218. werkzeug.url_encode(query)
  219. )
  220. }
  221. return self.__redirect("/web/login", params, "query")
  223. response_types = response_type.split()
  225. extra_claims = {
  226. "sid": http.request.httprequest.session.sid,
  227. }
  228. if "nonce" in query:
  229. extra_claims["nonce"] = query["nonce"]
  231. if "code" in response_types:
  232. # Generate code that can be used by the client server to retrieve
  233. # the token. It's set to be valid for 60 seconds only.
  234. # TODO: The spec says the code should be single-use. We're not enforcing
  235. # that here.
  236. payload = {
  237. "redirect_uri": redirect_uri,
  238. "client_id": client.client_id,
  239. "user_id": user.id,
  240. "scopes": scopes,
  241. "exp": int(time.time()) + 60,
  242. }
  243. payload.update(extra_claims)
  244. key = self.__get_authorization_code_jwk(req)
  245. response_params["code"] = jwt_encode(payload, key)
  246. if "token" in response_types:
  247. access_token = (
  248. req.env["galicea_openid_connect.access_token"]
  249. .sudo()
  250. .retrieve_or_create(user.id, client.id)
  251. .token
  252. )
  253. response_params["access_token"] = access_token
  254. response_params["token_type"] = "bearer"
  256. digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
  257. digest.update(access_token.encode("ascii"))
  258. at_hash = digest.finalize()
  259. extra_claims["at_hash"] = base64.urlsafe_b64encode(at_hash[:16]).strip("=")
  260. if "id_token" in response_types:
  261. response_params["id_token"] = self.__create_id_token(
  262. req, user.id, client, extra_claims
  263. )
  265. return self.__redirect(redirect_uri, response_params, response_mode)
  267. @http.route(
  268. "/oauth/token",
  269. auth="public",
  270. type="http",
  271. methods=["POST", "OPTIONS"],
  272. csrf=False,
  273. )
  274. def token(self, req, **query):
  275. cors_headers = {
  276. "Access-Control-Allow-Origin": "*",
  277. "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, X-Debug-Mode, Authorization",
  278. "Access-Control-Max-Age": 60 * 60 * 24,
  279. }
  280. if req.httprequest.method == "OPTIONS":
  281. return http.Response(status=200, headers=cors_headers)
  283. try:
  284. if "grant_type" not in query:
  285. raise OAuthException(
  286. "grant_type param is missing", OAuthException.INVALID_REQUEST,
  287. )
  288. if query["grant_type"] == "authorization_code":
  289. return json.dumps(
  290. self.__handle_grant_type_authorization_code(req, **query)
  291. )
  292. elif query["grant_type"] == "client_credentials":
  293. return json.dumps(
  294. self.__handle_grant_type_client_credentials(req, **query)
  295. )
  296. elif query["grant_type"] == "password":
  297. return werkzeug.Response(
  298. response=json.dumps(
  299. self.__handle_grant_type_password(req, **query)
  300. ),
  301. headers=cors_headers,
  302. )
  303. else:
  304. raise OAuthException(
  305. "Unsupported grant_type param: '{}'".format(query["grant_type"]),
  306. OAuthException.UNSUPPORTED_GRANT_TYPE,
  307. )
  308. except OAuthException as e:
  309. body = json.dumps({"error": e.type, "error_description": e.message})
  310. return werkzeug.Response(response=body, status=400, headers=cors_headers)
  312. def __handle_grant_type_authorization_code(self, req, **query):
  313. client = self.__validate_client(req, **query)
  314. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  315. self.__validate_client_secret(client, req, **query)
  317. if "code" not in query:
  318. raise OAuthException(
  319. "code param is missing", OAuthException.INVALID_GRANT,
  320. )
  321. try:
  322. payload = jwt_decode(query["code"], self.__get_authorization_code_jwk(req))
  323. except jwt.JWTExpired:
  324. raise OAuthException(
  325. "Code expired", OAuthException.INVALID_GRANT,
  326. )
  327. except ValueError:
  328. raise OAuthException(
  329. "code malformed", OAuthException.INVALID_GRANT,
  330. )
  331. if payload["client_id"] != client.client_id:
  332. raise OAuthException(
  333. "client_id doesn't match the authorization request",
  334. OAuthException.INVALID_GRANT,
  335. )
  336. if payload["redirect_uri"] != redirect_uri:
  337. raise OAuthException(
  338. "redirect_uri doesn't match the authorization request",
  339. OAuthException.INVALID_GRANT,
  340. )
  342. # Retrieve/generate access token. We currently only store one per user/client
  343. token = (
  344. req.env["galicea_openid_connect.access_token"]
  345. .sudo()
  346. .retrieve_or_create(payload["user_id"], client.id)
  347. )
  348. response = {"access_token": token.token, "token_type": "bearer"}
  349. if "openid" in payload["scopes"]:
  350. extra_claims = {
  351. name: payload[name] for name in payload if name in ["sid", "nonce"]
  352. }
  353. response["id_token"] = self.__create_id_token(
  354. req, payload["user_id"], client, extra_claims
  355. )
  356. return response
  358. def __handle_grant_type_password(self, req, **query):
  359. client = self.__validate_client(req, **query)
  360. if not client.allow_password_grant:
  361. raise OAuthException(
  362. "This client is not allowed to perform password flow",
  363. OAuthException.UNSUPPORTED_GRANT_TYPE,
  364. )
  366. for param in ["username", "password"]:
  367. if param not in query:
  368. raise OAuthException(
  369. "{} is required".format(param), OAuthException.INVALID_REQUEST
  370. )
  371. user_id = req.env["res.users"].authenticate(
  372. req.env.cr.dbname, query["username"], query["password"], None
  373. )
  374. if not user_id:
  375. raise OAuthException(
  376. "Invalid username or password", OAuthException.INVALID_REQUEST
  377. )
  379. scopes = query["scope"].split(" ") if query.get("scope") else []
  380. # Retrieve/generate access token. We currently only store one per user/client
  381. token = (
  382. req.env["galicea_openid_connect.access_token"]
  383. .sudo()
  384. .retrieve_or_create(user_id, client.id)
  385. )
  386. response = {"access_token": token.token, "token_type": "bearer"}
  387. if "openid" in scopes:
  388. response["id_token"] = self.__create_id_token(req, user_id, client, {})
  389. return response
  391. def __handle_grant_type_client_credentials(self, req, **query):
  392. client = self.__validate_client(req, **query)
  393. self.__validate_client_secret(client, req, **query)
  394. token = (
  395. req.env["galicea_openid_connect.client_access_token"]
  396. .sudo()
  397. .retrieve_or_create(client.id)
  398. )
  399. return {"access_token": token.token, "token_type": "bearer"}
  401. def __create_id_token(self, req, user_id, client, extra_claims):
  402. claims = {
  403. "iss": http.request.httprequest.host_url,
  404. "sub": str(user_id),
  405. "aud": client.client_id,
  406. "iat": int(time.time()),
  407. "exp": int(time.time()) + 15 * 60,
  408. }
  409. auth_time = extra_claims.get("sid") and http.root.session_store.get(
  410. extra_claims["sid"]
  411. ).get("auth_time")
  412. if auth_time:
  413. claims["auth_time"] = auth_time
  414. if "nonce" in extra_claims:
  415. claims["nonce"] = extra_claims["nonce"]
  416. if "at_hash" in extra_claims:
  417. claims["at_hash"] = extra_claims["at_hash"]
  419. key = self.__get_id_token_jwk(req)
  420. return jwt_encode(claims, key)
  422. def __redirect(self, url, params, response_mode):
  423. location = "{}{}{}".format(
  424. url, "?" if response_mode == "query" else "#", werkzeug.url_encode(params)
  425. )
  426. return werkzeug.Response(
  427. headers={"Location": location}, response=None, status=302,
  428. )