trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sources/oauth: fix invalid headers, fix invalid function signature

This commit is contained in:
Jens Langhammer 2020-02-23 19:42:57 +01:00
parent 2b5fddb7bf
commit 64d7b009ab
3 changed files with 52 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
passbook/sources/oauth/clients.py
View File

@ -1,8 +1,9 @@
"""OAuth Clients""" """OAuth Clients"""
import json import json
from typing import Dict from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode from urllib.parse import parse_qs, urlencode
from django.http import HttpRequest
from django.utils.crypto import constant_time_compare, get_random_string from django.utils.crypto import constant_time_compare, get_random_string
from django.utils.encoding import force_text from django.utils.encoding import force_text
from requests import Session from requests import Session
@ -18,30 +19,26 @@ LOGGER = get_logger()
class BaseOAuthClient: class BaseOAuthClient:
"""Base OAuth Client""" """Base OAuth Client"""
_session: Session = None session: Session = None
def __init__(self, source, token=""): # nosec def __init__(self, source, token=""): # nosec
self.source = source self.source = source
self.token = token self.token = token
self._session = Session() self.session = Session()
self._session.headers.update({"User-Agent": "passbook %s" % __version__}) self.session.headers.update({"User-Agent": "passbook %s" % __version__})
def get_access_token(self, request, callback=None): def get_access_token(self, request, callback=None):
"Fetch access token from callback request." "Fetch access token from callback request."
raise NotImplementedError("Defined in a sub-class") # pragma: no cover raise NotImplementedError("Defined in a sub-class") # pragma: no cover
def get_profile_info(self, raw_token): def get_profile_info(self, token: Dict[str, str]):
"Fetch user profile information." "Fetch user profile information."
try: try:
token = json.loads(raw_token)
headers = { headers = {
"Authorization": f"{token['token_type']} {token['access_token']}" "Authorization": f"{token['token_type']} {token['access_token']}"
} }
response = self.request( response = self.session.request(
"get", "get", self.source.profile_url, headers=headers,
self.source.profile_url,
token=token["access_token"],
headers=headers,
) )
response.raise_for_status() response.raise_for_status()
except RequestException as exc: except RequestException as exc:
@ -67,10 +64,6 @@ class BaseOAuthClient:
"Parse token and secret from raw token response." "Parse token and secret from raw token response."
raise NotImplementedError("Defined in a sub-class") # pragma: no cover raise NotImplementedError("Defined in a sub-class") # pragma: no cover
def request(self, method, url, **kwargs):
"Build remote url request."
return self._session.request(method, url, **kwargs)
@property @property
def session_key(self): def session_key(self):
"""Return Session Key""" """Return Session Key"""
@ -80,36 +73,48 @@ class BaseOAuthClient:
class OAuthClient(BaseOAuthClient): class OAuthClient(BaseOAuthClient):
"""OAuth1 Client""" """OAuth1 Client"""
def get_access_token(self, request, callback=None): _default_headers = {
"Accept": "application/json",
}
def get_access_token(
self, request: HttpRequest, callback=None
) -> Optional[Dict[str, str]]:
"Fetch access token from callback request." "Fetch access token from callback request."
raw_token = request.session.get(self.session_key, None) raw_token = request.session.get(self.session_key, None)
verifier = request.GET.get("oauth_verifier", None) verifier = request.GET.get("oauth_verifier", None)
if raw_token is not None and verifier is not None: if raw_token is not None and verifier is not None:
data = {"oauth_verifier": verifier} data = {
"oauth_verifier": verifier,
"oauth_callback": callback,
"token": raw_token,
}
callback = request.build_absolute_uri(callback or request.path) callback = request.build_absolute_uri(callback or request.path)
callback = force_text(callback) callback = force_text(callback)
try: try:
response = self.request( response = self.session.request(
"post", "post",
self.source.access_token_url, self.source.access_token_url,
token=raw_token,
data=data, data=data,
oauth_callback=callback, headers=self._default_headers,
) )
response.raise_for_status() response.raise_for_status()
except RequestException as exc: except RequestException as exc:
LOGGER.warning("Unable to fetch access token", exc=exc) LOGGER.warning("Unable to fetch access token", exc=exc)
return None return None
else: else:
return response.text return response.json()
return None return None
def get_request_token(self, request, callback): def get_request_token(self, request, callback):
"Fetch the OAuth request token. Only required for OAuth 1.0." "Fetch the OAuth request token. Only required for OAuth 1.0."
callback = force_text(request.build_absolute_uri(callback)) callback = force_text(request.build_absolute_uri(callback))
try: try:
response = self.request( response = self.session.request(
"post", self.source.request_token_url, oauth_callback=callback "post",
self.source.request_token_url,
data={"oauth_callback": callback},
headers=self._default_headers,
) )
response.raise_for_status() response.raise_for_status()
except RequestException as exc: except RequestException as exc:
@ -154,7 +159,7 @@ class OAuthClient(BaseOAuthClient):
callback_uri=callback, callback_uri=callback,
) )
kwargs["auth"] = oauth kwargs["auth"] = oauth
return super(OAuthClient, self).request(method, url, **kwargs) return super(OAuthClient, self).session.request(method, url, **kwargs)
@property @property
def session_key(self): def session_key(self):
@ -164,6 +169,10 @@ class OAuthClient(BaseOAuthClient):
class OAuth2Client(BaseOAuthClient): class OAuth2Client(BaseOAuthClient):
"""OAuth2 Client""" """OAuth2 Client"""
_default_headers = {
"Accept": "application/json",
}
# pylint: disable=unused-argument # pylint: disable=unused-argument
def check_application_state(self, request, callback): def check_application_state(self, request, callback):
"Check optional state parameter." "Check optional state parameter."
@ -197,15 +206,19 @@ class OAuth2Client(BaseOAuthClient):
LOGGER.warning("No code returned by the source") LOGGER.warning("No code returned by the source")
return None return None
try: try:
response = self.request( response = self.session.request(
"post", self.source.access_token_url, data=args, **request_kwargs "post",
self.source.access_token_url,
data=args,
headers=self._default_headers,
**request_kwargs,
) )
response.raise_for_status() response.raise_for_status()
except RequestException as exc: except RequestException as exc:
LOGGER.warning("Unable to fetch access token", exc=exc) LOGGER.warning("Unable to fetch access token", exc=exc)
return None return None
else: else:
return response.text return response.json()
# pylint: disable=unused-argument # pylint: disable=unused-argument
def get_application_state(self, request, callback): def get_application_state(self, request, callback):
@ -247,7 +260,7 @@ class OAuth2Client(BaseOAuthClient):
params = kwargs.get("params", {}) params = kwargs.get("params", {})
params["access_token"] = token params["access_token"] = token
kwargs["params"] = params kwargs["params"] = params
return super(OAuth2Client, self).request(method, url, **kwargs) return super(OAuth2Client, self).session.request(method, url, **kwargs)
@property @property
def session_key(self): def session_key(self):

2
passbook/sources/oauth/forms.py
View File

@ -116,7 +116,7 @@ class AzureADOAuthSourceForm(OAuthSourceForm):
class Meta(OAuthSourceForm.Meta): class Meta(OAuthSourceForm.Meta):
overrides = { overrides = {
"provider_type": "azure_ad", "provider_type": "azure-ad",
"request_token_url": "", "request_token_url": "",
"authorization_url": "https://login.microsoftonline.com/common/oauth2/authorize", "authorization_url": "https://login.microsoftonline.com/common/oauth2/authorize",
"access_token_url": "https://login.microsoftonline.com/common/oauth2/token", "access_token_url": "https://login.microsoftonline.com/common/oauth2/token",

16
passbook/sources/oauth/views/core.py
View File

@ -89,13 +89,15 @@ class OAuthCallback(OAuthClientMixin, View):
client = self.get_client(self.source) client = self.get_client(self.source)
callback = self.get_callback_url(self.source) callback = self.get_callback_url(self.source)
# Fetch access token # Fetch access token
raw_token = client.get_access_token(self.request, callback=callback) token = client.get_access_token(self.request, callback=callback)
if raw_token is None: if token is None:
return self.handle_login_failure( return self.handle_login_failure(
self.source, "Could not retrieve token." self.source, "Could not retrieve token."
) )
if "error" in token:
return self.handle_login_failure(self.source, token["error"])
# Fetch profile info # Fetch profile info
info = client.get_profile_info(raw_token) info = client.get_profile_info(token)
if info is None: if info is None:
return self.handle_login_failure( return self.handle_login_failure(
self.source, "Could not retrieve profile." self.source, "Could not retrieve profile."
@ -105,7 +107,7 @@ class OAuthCallback(OAuthClientMixin, View):
return self.handle_login_failure(self.source, "Could not determine id.") return self.handle_login_failure(self.source, "Could not determine id.")
# Get or create access record # Get or create access record
defaults = { defaults = {
"access_token": raw_token, "access_token": token.get("access_token"),
} }
existing = UserOAuthSourceConnection.objects.filter( existing = UserOAuthSourceConnection.objects.filter(
source=self.source, identifier=identifier source=self.source, identifier=identifier
@ -113,13 +115,15 @@ class OAuthCallback(OAuthClientMixin, View):
if existing.exists(): if existing.exists():
connection = existing.first() connection = existing.first()
connection.access_token = raw_token connection.access_token = token.get("access_token")
UserOAuthSourceConnection.objects.filter(pk=connection.pk).update( UserOAuthSourceConnection.objects.filter(pk=connection.pk).update(
**defaults **defaults
) )
else: else:
connection = UserOAuthSourceConnection( connection = UserOAuthSourceConnection(
source=self.source, identifier=identifier, access_token=raw_token source=self.source,
identifier=identifier,
access_token=token.get("access_token"),
) )
user = authenticate( user = authenticate(
source=self.source, identifier=identifier, request=request source=self.source, identifier=identifier, request=request