This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/passbook/providers/oauth/views/oauth2.py

77 lines
3.2 KiB
Python
Raw Normal View History

2018-11-16 08:10:35 +00:00
"""passbook OAuth2 Views"""
2020-05-06 22:32:03 +00:00
from typing import Optional
from urllib.parse import urlencode
2019-03-12 09:56:01 +00:00
from django.contrib import messages
2020-05-06 22:32:03 +00:00
from django.forms import Form
from django.http import HttpRequest, HttpResponse
2018-12-11 14:29:58 +00:00
from django.shortcuts import get_object_or_404, redirect, reverse
from oauth2_provider.views.base import AuthorizationView
2019-10-01 08:24:10 +00:00
from structlog import get_logger
from passbook.audit.models import Event, EventAction
from passbook.core.models import Application
from passbook.core.views.access import AccessMixin
from passbook.core.views.utils import PermissionDeniedView
2019-10-07 14:33:48 +00:00
from passbook.providers.oauth.models import OAuth2Provider
LOGGER = get_logger()
2018-12-11 14:29:58 +00:00
class OAuthPermissionDenied(PermissionDeniedView):
"""Show permission denied view"""
class PassbookAuthorizationView(AccessMixin, AuthorizationView):
2019-02-16 09:24:31 +00:00
"""Custom OAuth2 Authorization View which checks policies, etc"""
2020-05-06 22:32:03 +00:00
_application: Optional[Application] = None
def _inject_response_type(self):
"""Inject response_type into querystring if not set"""
LOGGER.debug("response_type not set, defaulting to 'code'")
querystring = urlencode(self.request.GET)
2019-12-31 11:51:16 +00:00
querystring += "&response_type=code"
return redirect(
reverse("passbook_providers_oauth:oauth2-ok-authorize") + "?" + querystring
)
2020-05-06 22:32:03 +00:00
def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
"""Update OAuth2Provider's skip_authorization state"""
# Get client_id to get provider, so we can update skip_authorization field
2019-12-31 11:51:16 +00:00
client_id = request.GET.get("client_id")
provider = get_object_or_404(OAuth2Provider, client_id=client_id)
try:
application = self.provider_to_application(provider)
except Application.DoesNotExist:
2019-12-31 11:51:16 +00:00
return redirect("passbook_providers_oauth:oauth2-permission-denied")
# Update field here so oauth-toolkit does work for us
provider.skip_authorization = application.skip_authorization
provider.save()
self._application = application
# Check permissions
Squashed commit of the following: commit 270739a45a14e9d994f95d805c9ee8be205bd40c Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Thu May 28 21:50:43 2020 +0200 admin: fix policy testing form not showing the correct result commit df8995deed1137cc95136786d6961624ccd73191 Author: Jens L <jens@beryju.org> Date: Thu May 28 21:45:54 2020 +0200 policies/*: remove Policy.negate, order, timeout (#39) policies: rewrite engine to use PolicyBinding for order/negate/timeout policies: rewrite engine to use PolicyResult instead of tuple commit fdfc6472d2eddfa93ddb408a926f14f58a592cc6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Thu May 28 10:36:10 2020 +0200 admin: fixup some urls commit bc495828e7965e58864027269f39f991eccd417e Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu May 28 09:39:28 2020 +0200 build(deps): bump django-redis from 4.11.0 to 4.12.1 (#38) Bumps [django-redis](https://github.com/jazzband/django-redis) from 4.11.0 to 4.12.1. - [Release notes](https://github.com/jazzband/django-redis/releases) - [Changelog](https://github.com/jazzband/django-redis/blob/master/CHANGES.rst) - [Commits](https://github.com/jazzband/django-redis/compare/4.11.0...4.12.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> commit fa138a273f0882e5badd742094c862ad6b3cf6e4 Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu May 28 08:59:19 2020 +0200 build(deps): bump boto3 from 1.13.17 to 1.13.18 (#37) Bumps [boto3](https://github.com/boto/boto3) from 1.13.17 to 1.13.18. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.13.17...1.13.18) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-05-28 19:56:18 +00:00
result = self.user_has_access(self._application, request.user)
if not result.passing:
for policy_message in result.messages:
messages.error(request, policy_message)
2019-12-31 11:51:16 +00:00
return redirect("passbook_providers_oauth:oauth2-permission-denied")
# Some clients don't pass response_type, so we default to code
2019-12-31 11:51:16 +00:00
if "response_type" not in request.GET:
return self._inject_response_type()
2020-05-06 22:32:03 +00:00
actual_response = AuthorizationView.dispatch(self, request, *args, **kwargs)
if actual_response.status_code == 400:
2020-05-06 22:32:03 +00:00
LOGGER.debug("Bad request", redirect_uri=request.GET.get("redirect_uri"))
return actual_response
2020-05-06 22:32:03 +00:00
def form_valid(self, form: Form):
# User has clicked on "Authorize"
2019-12-31 11:51:16 +00:00
Event.new(
EventAction.AUTHORIZE_APPLICATION, authorized_application=self._application,
2019-12-31 11:51:16 +00:00
).from_http(self.request)
LOGGER.debug(
"User authorized Application",
user=self.request.user,
application=self._application,
)
2020-05-06 22:32:03 +00:00
return AuthorizationView.form_valid(self, form)