erp5_oauth2_authorisation: add method for local token creation

Factorize standard `token` method to implement a protected `tokenInternal`
method that allows getting a token for an user as Manager.

bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py

@@ -58,10 +58,12 @@ from oauthlib.oauth2 import (
   ServerError,
   TokenEndpoint,
 )
+from oauthlib.common import generate_token
 import six
 from AccessControl.SecurityManagement import (
   getSecurityManager,
   setSecurityManager,
+  newSecurityManager
 )
 from AccessControl import (
   ClassSecurityInfo,
@@ -1084,19 +1086,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
       )
       # pylint: enable=unexpected-keyword-arg, no-value-for-parameter
 
-  security.declarePublic('token')
-  @_wrapOAuth2Endpoint
-  def token(self, request_validator, REQUEST):
-    """
-    OAuth2 token endpoint
-    https://tools.ietf.org/html/rfc6749#section-4.1.3
-
-    - authorization_code (standard)
-    - refresh_token (standard)
-    - urn:uuid:15a68f81-dbce-4ddd-bfcb-a81f25359cf2
-      Zope-based request authentication (ex: "Authorization: Basic ..."
-      request header).
-    """
+  def _token(self, request_validator, REQUEST):
     now = int(time())
     def getAccessTokenLifespan(request):
       session_value = request.user.erp5_session_value
@@ -1222,7 +1212,75 @@ class OAuth2AuthorisationServerConnector(XMLObject):
           request_validator=request_validator,
         ),
       },
-    ).create_token_response
+    )
+
+  security.declarePublic('token')
+  @_wrapOAuth2Endpoint
+  def token(self, request_validator, REQUEST):
+    """
+    OAuth2 token endpoint
+    https://tools.ietf.org/html/rfc6749#section-4.1.3
+
+    - authorization_code (standard)
+    - refresh_token (standard)
+    - urn:uuid:15a68f81-dbce-4ddd-bfcb-a81f25359cf2
+      Zope-based request authentication (ex: "Authorization: Basic ..."
+      request header).
+    """
+    return self._token(request_validator, REQUEST).create_token_response
+
+  security.declareProtected('tokenInternal', Permissions.ModifyPortalContent)
+  def tokenInternal(self, user_id, client_value, REQUEST):
+    """
+    Get a token from ERP5 internally.
+
+    - `user_id` is the Zope user ID for which to get a token;
+    - `client_value` the OAuth2 Client to use to create the Session.
+    """
+    portal = self.getPortalObject()
+    uf = portal.acl_users
+    user = uf.getUser(user_id)
+    if not hasattr(user, 'aq_base'):
+      user = user.__of__(uf)
+
+    initial_security_manager = getSecurityManager()
+    try:
+      newSecurityManager(None, user)
+
+      redirect_uri = portal.absolute_url()
+      session_value = self.createSession(
+        authorisation_code=generate_token(),
+        client_value=client_value,
+        redirect_uri=redirect_uri,
+        scope_list=(),
+        code_challenge='',
+        code_challenge_method='',
+        network_address=REQUEST.getClientAddr(),
+        user_agent='Internal',
+      )
+
+      response = self._token(
+        request_validator=_ERP5RequestValidator(
+          authorisation_server_connector_value=self,
+        ),
+        REQUEST=REQUEST,
+      ).create_token_response(
+        uri=redirect_uri,
+        http_method='POST',
+        body={
+          'grant_type': 'authorization_code',
+          'code': session_value.getId(),
+          'redirect_uri': redirect_uri,
+          'client_id': client_value.getId(),
+        },
+        headers={
+          'Content-Type': 'application/x-www-form-urlencoded',
+        }
+      )
+
+      return response[1]
+    finally:
+      setSecurityManager(initial_security_manager)
 
   security.declarePublic('revoke')
   @_wrapOAuth2Endpoint

bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.xml

@@ -6,12 +6,6 @@
     </pickle>
     <pickle>
       <dictionary>
-        <item>
-            <key> <string>_recorded_property_dict</string> </key>
-            <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
-            </value>
-        </item>
         <item>
             <key> <string>default_reference</string> </key>
             <value> <string>OAuth2AuthorisationServerConnector</string> </value>
@@ -53,28 +47,13 @@
         <item>
             <key> <string>workflow_history</string> </key>
             <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
             </value>
         </item>
       </dictionary>
     </pickle>
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
-    <pickle>
-      <global name="PersistentMapping" module="Persistence.mapping"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>data</string> </key>
-            <value>
-              <dictionary/>
-            </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-  <record id="3" aka="AAAAAAAAAAM=">
     <pickle>
       <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
@@ -87,7 +66,7 @@
                 <item>
                     <key> <string>component_validation_workflow</string> </key>
                     <value>
-                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+                      <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
                     </value>
                 </item>
               </dictionary>
@@ -96,7 +75,7 @@
       </dictionary>
     </pickle>
   </record>
-  <record id="4" aka="AAAAAAAAAAQ=">
+  <record id="3" aka="AAAAAAAAAAM=">
     <pickle>
       <global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/>
     </pickle>