2018-11-16 08:10:35 +00:00
|
|
|
"""passbook OAuth2 Views"""
|
2020-05-06 22:32:03 +00:00
|
|
|
from typing import Optional
|
2018-12-09 20:07:18 +00:00
|
|
|
from urllib.parse import urlencode
|
2018-11-16 12:08:37 +00:00
|
|
|
|
2019-03-12 09:56:01 +00:00
|
|
|
from django.contrib import messages
|
2019-03-11 08:48:36 +00:00
|
|
|
from django.contrib.auth.mixins import LoginRequiredMixin
|
2020-05-06 22:32:03 +00:00
|
|
|
from django.forms import Form
|
|
|
|
from django.http import HttpRequest, HttpResponse
|
2018-12-11 14:29:58 +00:00
|
|
|
from django.shortcuts import get_object_or_404, redirect, reverse
|
2018-12-09 20:07:18 +00:00
|
|
|
from django.utils.translation import ugettext as _
|
2018-11-25 11:31:55 +00:00
|
|
|
from oauth2_provider.views.base import AuthorizationView
|
2019-10-01 08:24:10 +00:00
|
|
|
from structlog import get_logger
|
2018-11-16 12:08:37 +00:00
|
|
|
|
2019-12-05 15:14:08 +00:00
|
|
|
from passbook.audit.models import Event, EventAction
|
2019-02-26 08:09:19 +00:00
|
|
|
from passbook.core.models import Application
|
2018-11-25 19:39:09 +00:00
|
|
|
from passbook.core.views.access import AccessMixin
|
2018-12-11 14:29:58 +00:00
|
|
|
from passbook.core.views.utils import LoadingView, PermissionDeniedView
|
2020-05-16 14:02:42 +00:00
|
|
|
from passbook.providers.oauth.models import OAuth2Provider
|
2018-11-16 12:08:37 +00:00
|
|
|
|
2019-10-04 08:08:53 +00:00
|
|
|
LOGGER = get_logger()
|
2018-11-16 12:08:37 +00:00
|
|
|
|
|
|
|
|
2019-03-11 08:48:36 +00:00
|
|
|
class PassbookAuthorizationLoadingView(LoginRequiredMixin, LoadingView):
|
2018-12-09 20:07:18 +00:00
|
|
|
"""Show loading view for permission checks"""
|
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
title = _("Checking permissions...")
|
2018-12-09 20:07:18 +00:00
|
|
|
|
|
|
|
def get_url(self):
|
2020-05-16 14:02:42 +00:00
|
|
|
querystring = urlencode(self.request.GET)
|
|
|
|
return (
|
|
|
|
reverse("passbook_providers_oauth:oauth2-ok-authorize") + "?" + querystring
|
|
|
|
)
|
2018-12-09 20:07:18 +00:00
|
|
|
|
2018-12-11 14:29:58 +00:00
|
|
|
|
|
|
|
class OAuthPermissionDenied(PermissionDeniedView):
|
|
|
|
"""Show permission denied view"""
|
|
|
|
|
|
|
|
|
2018-11-25 19:39:09 +00:00
|
|
|
class PassbookAuthorizationView(AccessMixin, AuthorizationView):
|
2019-02-16 09:24:31 +00:00
|
|
|
"""Custom OAuth2 Authorization View which checks policies, etc"""
|
2018-11-25 11:31:55 +00:00
|
|
|
|
2020-05-06 22:32:03 +00:00
|
|
|
_application: Optional[Application] = None
|
2018-11-25 19:39:09 +00:00
|
|
|
|
2019-04-17 12:25:51 +00:00
|
|
|
def _inject_response_type(self):
|
|
|
|
"""Inject response_type into querystring if not set"""
|
|
|
|
LOGGER.debug("response_type not set, defaulting to 'code'")
|
2020-05-16 14:02:42 +00:00
|
|
|
querystring = urlencode(self.request.GET)
|
2019-12-31 11:51:16 +00:00
|
|
|
querystring += "&response_type=code"
|
|
|
|
return redirect(
|
2020-05-16 14:02:42 +00:00
|
|
|
reverse("passbook_providers_oauth:oauth2-ok-authorize") + "?" + querystring
|
2019-12-31 11:51:16 +00:00
|
|
|
)
|
2019-04-17 12:25:51 +00:00
|
|
|
|
2020-05-06 22:32:03 +00:00
|
|
|
def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
|
2020-05-16 14:02:42 +00:00
|
|
|
"""Update OAuth2Provider's skip_authorization state"""
|
|
|
|
# Get client_id to get provider, so we can update skip_authorization field
|
2019-12-31 11:51:16 +00:00
|
|
|
client_id = request.GET.get("client_id")
|
2020-05-16 14:02:42 +00:00
|
|
|
provider = get_object_or_404(OAuth2Provider, client_id=client_id)
|
2019-02-26 08:09:19 +00:00
|
|
|
try:
|
2020-05-16 14:02:42 +00:00
|
|
|
application = self.provider_to_application(provider)
|
2019-02-26 08:09:19 +00:00
|
|
|
except Application.DoesNotExist:
|
2020-05-16 14:02:42 +00:00
|
|
|
return redirect("passbook_providers_oauth:oauth2-permission-denied")
|
2018-11-25 19:39:09 +00:00
|
|
|
# Update field here so oauth-toolkit does work for us
|
2020-05-16 14:02:42 +00:00
|
|
|
provider.skip_authorization = application.skip_authorization
|
|
|
|
provider.save()
|
2018-11-25 19:39:09 +00:00
|
|
|
self._application = application
|
|
|
|
# Check permissions
|
2019-07-05 13:21:48 +00:00
|
|
|
passing, policy_messages = self.user_has_access(self._application, request.user)
|
2019-03-12 09:56:01 +00:00
|
|
|
if not passing:
|
2019-07-05 13:21:48 +00:00
|
|
|
for policy_message in policy_messages:
|
|
|
|
messages.error(request, policy_message)
|
2020-05-16 14:02:42 +00:00
|
|
|
return redirect("passbook_providers_oauth:oauth2-permission-denied")
|
2019-04-17 12:25:51 +00:00
|
|
|
# Some clients don't pass response_type, so we default to code
|
2019-12-31 11:51:16 +00:00
|
|
|
if "response_type" not in request.GET:
|
2019-04-17 12:25:51 +00:00
|
|
|
return self._inject_response_type()
|
2020-05-06 22:32:03 +00:00
|
|
|
actual_response = AuthorizationView.dispatch(self, request, *args, **kwargs)
|
2018-12-09 20:07:18 +00:00
|
|
|
if actual_response.status_code == 400:
|
2020-05-06 22:32:03 +00:00
|
|
|
LOGGER.debug("Bad request", redirect_uri=request.GET.get("redirect_uri"))
|
2018-12-09 20:07:18 +00:00
|
|
|
return actual_response
|
2018-11-25 19:39:09 +00:00
|
|
|
|
2020-05-06 22:32:03 +00:00
|
|
|
def form_valid(self, form: Form):
|
2018-11-25 19:39:09 +00:00
|
|
|
# User has clicked on "Authorize"
|
2019-12-31 11:51:16 +00:00
|
|
|
Event.new(
|
2019-12-31 12:33:07 +00:00
|
|
|
EventAction.AUTHORIZE_APPLICATION, authorized_application=self._application,
|
2019-12-31 11:51:16 +00:00
|
|
|
).from_http(self.request)
|
|
|
|
LOGGER.debug(
|
|
|
|
"User authorized Application",
|
|
|
|
user=self.request.user,
|
|
|
|
application=self._application,
|
|
|
|
)
|
2020-05-06 22:32:03 +00:00
|
|
|
return AuthorizationView.form_valid(self, form)
|