| author | ymh <ymh.work@gmail.com> |
| Mon, 25 Jul 2016 18:04:10 +0200 | |
| changeset 105 | 957eb2e47c34 |
| parent 94 | f3fa1e9d0b24 |
| permissions | -rw-r--r-- |
| 32 | 1 |
from urllib import parse |
2 |
||
3 |
import requests, re, json, logging |
|
4 |
||
5 |
from django.conf import settings |
|
|
6
39cecdd5260e
Added OAuth2 Client Credentials Authentication workflow for Mtdc Application + Corrected mistakes on Authorization Code flow
durandn
parents:
1
diff
changeset
|
6 |
from django.contrib.auth import get_user_model, login |
|
39cecdd5260e
Added OAuth2 Client Credentials Authentication workflow for Mtdc Application + Corrected mistakes on Authorization Code flow
durandn
parents:
1
diff
changeset
|
7 |
from django.contrib.auth.models import Permission |
| 32 | 8 |
from rest_framework.authentication import BaseAuthentication |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
9 |
from rest_framework import exceptions |
| 32 | 10 |
|
|
81
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
11 |
from metaeducation.tracking import change_handlers_user |
|
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
12 |
|
| 32 | 13 |
|
14 |
logger = logging.getLogger(__name__) |
|
| 1 | 15 |
|
|
6
39cecdd5260e
Added OAuth2 Client Credentials Authentication workflow for Mtdc Application + Corrected mistakes on Authorization Code flow
durandn
parents:
1
diff
changeset
|
16 |
class MtdcOAuth2ClientCredentialsAuthentication(BaseAuthentication): |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
17 |
|
| 1 | 18 |
def authenticate(self, request): |
19 |
# get token, get username |
|
| 52 | 20 |
logger.debug("CLIENT CREDENTIAL AUTH: request meta - %r ", request.META) |
|
11
cfc868991b82
Added custom user model to store extra data from the GED + corrected signals and api auth class so they interface correctly with the ged
durandn
parents:
6
diff
changeset
|
21 |
if ("act_as" not in request.GET) and ('HTTP_RENKAN_ACT_AS' not in request.META): |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
22 |
logger.debug("CLIENT CREDENTIAL AUTH: no act_as, not client credentials, trying other authentication methods.") |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
23 |
return None |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
24 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
25 |
external_id = request.GET.get('act_as', request.META.get("HTTP_RENKAN_ACT_AS", "")) |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
26 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
27 |
try: |
|
11
cfc868991b82
Added custom user model to store extra data from the GED + corrected signals and api auth class so they interface correctly with the ged
durandn
parents:
6
diff
changeset
|
28 |
user = get_user_model().objects.get(external_id=external_id) |
|
6
39cecdd5260e
Added OAuth2 Client Credentials Authentication workflow for Mtdc Application + Corrected mistakes on Authorization Code flow
durandn
parents:
1
diff
changeset
|
29 |
except get_user_model().DoesNotExist: |
| 32 | 30 |
logger.debug("CLIENT CREDENTIAL AUTH: User does not exist, abort") |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
31 |
raise exceptions.AuthenticationFailed('CLIENT CREDENTIAL AUTH: User does not exist, abort') |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
32 |
|
|
6
39cecdd5260e
Added OAuth2 Client Credentials Authentication workflow for Mtdc Application + Corrected mistakes on Authorization Code flow
durandn
parents:
1
diff
changeset
|
33 |
if 'HTTP_AUTHORIZATION' not in request.META: |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
34 |
logger.debug("CLIENT CREDENTIAL AUTH: no Authorization header, abort") |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
35 |
raise exceptions.AuthenticationFailed('CLIENT CREDENTIAL AUTH: no Authorization header, abort') |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
36 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
37 |
match = re.search("(?<=Bearer\s).*", request.META["HTTP_AUTHORIZATION"]) |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
38 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
39 |
if match is None or len(match.group(0)) == 0: |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
40 |
logger.debug("CLIENT CREDENTIAL AUTH: Authorization header format is invalid: %r", request.META["HTTP_AUTHORIZATION"]) |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
41 |
raise exceptions.AuthenticationFailed("CLIENT CREDENTIAL AUTH: Authorization header format is invalid") |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
42 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
43 |
token = match.group(0) |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
44 |
logger.debug("CLIENT CREDENTIAL AUTH: token is %r", token) |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
45 |
|
| 1 | 46 |
# send token to Oauth server |
|
44
1b2019523772
use a new MTDC_GED_REDIRECT_URI in auth.py instead of MTDC_GED_BASE_URL
durandn
parents:
43
diff
changeset
|
47 |
validation_service_url = settings.MTDC_VALIDATE_TOKEN_BASE_URL+token+"?redirect_uri="+parse.quote_plus(settings.MTDC_GED_REDIRECT_URI) |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
48 |
logger.debug("CLIENT CREDENTIAL AUTH: Requesting validation service %r", validation_service_url) |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
49 |
|
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
50 |
token_validate_response = requests.get(validation_service_url) |
|
6
39cecdd5260e
Added OAuth2 Client Credentials Authentication workflow for Mtdc Application + Corrected mistakes on Authorization Code flow
durandn
parents:
1
diff
changeset
|
51 |
if token_validate_response.status_code != 200: |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
52 |
logger.warning("CLIENT CREDENTIAL AUTH: Validation service didn't response with 200, there may be a problem") |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
53 |
raise exceptions.AuthenticationFailed("CLIENT CREDENTIAL AUTH: Validation service didn't response with 200, there may be a problem") |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
54 |
|
|
43
425a2f1e08ea
added error handling if token validation response is not a valid JSON string
durandn
parents:
40
diff
changeset
|
55 |
try: |
|
425a2f1e08ea
added error handling if token validation response is not a valid JSON string
durandn
parents:
40
diff
changeset
|
56 |
validate_response_json = json.loads(token_validate_response.text) |
|
425a2f1e08ea
added error handling if token validation response is not a valid JSON string
durandn
parents:
40
diff
changeset
|
57 |
except json.JSONDecodeError as decode_error: |
|
425a2f1e08ea
added error handling if token validation response is not a valid JSON string
durandn
parents:
40
diff
changeset
|
58 |
logger.warning("CLIENT CREDENTIAL AUTH: Token validate response was not a JSON!") |
|
425a2f1e08ea
added error handling if token validation response is not a valid JSON string
durandn
parents:
40
diff
changeset
|
59 |
logger.warning("CLIENT CREDENTIAL AUTH: Tried to decode: %r", decode_error.doc) |
|
425a2f1e08ea
added error handling if token validation response is not a valid JSON string
durandn
parents:
40
diff
changeset
|
60 |
logger.warning("CLIENT CREDENTIAL AUTH: Error message is %r", decode_error.msg) |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
61 |
raise exceptions.AuthenticationFailed("CLIENT CREDENTIAL AUTH: Token validate response was not a JSON!") |
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
62 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
63 |
|
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
64 |
# Response json validation |
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
65 |
if "access_token" not in validate_response_json.keys(): |
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
66 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Token validate response doesn't have an access_token key!") |
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
67 |
elif validate_response_json["access_token"] != token: |
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
68 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Token in response %r is different from token extracted from header %r", validate_response_json["access_token"], token) |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
69 |
|
| 52 | 70 |
if "uriredirect" not in validate_response_json.keys(): |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
71 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Token validate response doesn't have a redirect_uri key!") |
| 57 | 72 |
elif validate_response_json["uriredirect"] != settings.MTDC_GED_REDIRECT_URI: |
73 |
logger.warning("CLIENT_CREDENTIAL_AUTH: redirect_uri in response %r is different from redirect_uri transmitted in request %r", validate_response_json["uriredirect"], settings.MTDC_GED_REDIRECT_URI) |
|
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
74 |
|
| 52 | 75 |
if "error" not in validate_response_json.keys(): |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
76 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Token validate response doesn't have an error key!") |
| 54 | 77 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Aborting as the error keys is required to check if token was validated") |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
78 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Response was %r", validate_response_json) |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
79 |
raise exceptions.AuthenticationFailed("CLIENT_CREDENTIAL_AUTH: Token validate response doesn't have an error key!") |
| 54 | 80 |
elif validate_response_json["error"] != "0" : |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
81 |
logger.debug("CLIENT CREDENTIAL AUTH: There was an error validating the token: %r", validate_response_json.get("description", "no error description in json response")) |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
82 |
raise exceptions.AuthenticationFailed("CLIENT CREDENTIAL AUTH: There was an error validating the token") |
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
83 |
|
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
84 |
if "description" not in validate_response_json.keys(): |
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
85 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Token validate response doesn't have a description key!") |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
86 |
|
|
40
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
87 |
if "scope" not in validate_response_json.keys(): |
|
10a829681179
Changes on auth.py: better token extraction and validation, better logging, fix to validate response interpretation + changes to oauth.py to properly test changes to auth.py
durandn
parents:
35
diff
changeset
|
88 |
logger.warning("CLIENT_CREDENTIAL_AUTH: Token validate response doesn't have a scope key!") |
|
47
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
89 |
|
|
b25a1526aec3
As Rest framework indicates return None if it should try other authentication methods
ymh <ymh.work@gmail.com>
parents:
44
diff
changeset
|
90 |
|
|
35
e82a0ac6cc2c
used '%r' and removed '+str()' in logger.debug() calls
durandn
parents:
32
diff
changeset
|
91 |
logger.debug("CLIENT CREDENTIAL AUTH: user %r is authenticated by token %r, auth success", external_id, token) |
|
81
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
92 |
|
|
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
93 |
|
|
94
f3fa1e9d0b24
Correct recursion loop in authentication
ymh <ymh.work@gmail.com>
parents:
81
diff
changeset
|
94 |
if hasattr(request, 'renkan_request_id'): # ideally should check if new user is different, but that cause a recursion loop in rest famework (c.f. : rest_framework/request.py", line 193, in user : self._authenticate())) - user != getattr(request,'user', None): |
|
81
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
95 |
# Re-register the tracking handlers with the new user |
|
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
96 |
logger.debug("CLIENT CREDENTIAL AUTH: Change the registered tracking handlers to user %r", user.external_id) |
|
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
97 |
change_handlers_user(user, request.renkan_request_id) |
|
709541e05240
Small refactoring for tracking handler to correct a but in unregister and also allow to switch user when the api is called with the act_as parameter
ymh <ymh.work@gmail.com>
parents:
57
diff
changeset
|
98 |
|
| 1 | 99 |
return (user, None) |