Commit 4ca19b27 authored by Titouan Soulard's avatar Titouan Soulard

erp5_oauth2_authorisation: add method for local token creation

Factorize the standard `token` method to implement a protected `tokenInternal`
method that allows getting a token for a user as Manager.
parent 5246d692
...@@ -58,10 +58,12 @@ from oauthlib.oauth2 import ( ...@@ -58,10 +58,12 @@ from oauthlib.oauth2 import (
ServerError, ServerError,
TokenEndpoint, TokenEndpoint,
) )
from oauthlib.common import generate_token
import six import six
from AccessControl.SecurityManagement import ( from AccessControl.SecurityManagement import (
getSecurityManager, getSecurityManager,
setSecurityManager, setSecurityManager,
newSecurityManager
) )
from AccessControl import ( from AccessControl import (
ClassSecurityInfo, ClassSecurityInfo,
...@@ -1084,19 +1086,7 @@ class OAuth2AuthorisationServerConnector(XMLObject): ...@@ -1084,19 +1086,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
) )
# pylint: enable=unexpected-keyword-arg, no-value-for-parameter # pylint: enable=unexpected-keyword-arg, no-value-for-parameter
security.declarePublic('token') def _token(self, request_validator, REQUEST):
@_wrapOAuth2Endpoint
def token(self, request_validator, REQUEST):
"""
OAuth2 token endpoint
https://tools.ietf.org/html/rfc6749#section-4.1.3
- authorization_code (standard)
- refresh_token (standard)
- urn:uuid:15a68f81-dbce-4ddd-bfcb-a81f25359cf2
Zope-based request authentication (ex: "Authorization: Basic ..."
request header).
"""
now = int(time()) now = int(time())
def getAccessTokenLifespan(request): def getAccessTokenLifespan(request):
session_value = request.user.erp5_session_value session_value = request.user.erp5_session_value
...@@ -1222,7 +1212,75 @@ class OAuth2AuthorisationServerConnector(XMLObject): ...@@ -1222,7 +1212,75 @@ class OAuth2AuthorisationServerConnector(XMLObject):
request_validator=request_validator, request_validator=request_validator,
), ),
}, },
).create_token_response )
security.declarePublic('token')
@_wrapOAuth2Endpoint
def token(self, request_validator, REQUEST):
"""
OAuth2 token endpoint
https://tools.ietf.org/html/rfc6749#section-4.1.3
- authorization_code (standard)
- refresh_token (standard)
- urn:uuid:15a68f81-dbce-4ddd-bfcb-a81f25359cf2
Zope-based request authentication (ex: "Authorization: Basic ..."
request header).
"""
return self._token(request_validator, REQUEST).create_token_response
security.declareProtected('tokenInternal', Permissions.ModifyPortalContent)
def tokenInternal(self, user_id, client_value, REQUEST):
"""
Get a token from ERP5 internally.
- `user_id` is the Zope user ID for which to get a token;
- `client_value` the OAuth2 Client to use to create the Session.
"""
portal = self.getPortalObject()
uf = portal.acl_users
user = uf.getUser(user_id)
if not hasattr(user, 'aq_base'):
user = user.__of__(uf)
initial_security_manager = getSecurityManager()
try:
newSecurityManager(None, user)
redirect_uri = portal.absolute_url()
session_value = self.createSession(
authorisation_code=generate_token(),
client_value=client_value,
redirect_uri=redirect_uri,
scope_list=(),
code_challenge='',
code_challenge_method='',
network_address=REQUEST.getClientAddr(),
user_agent='Internal',
)
response = self._token(
request_validator=_ERP5RequestValidator(
authorisation_server_connector_value=self,
),
REQUEST=REQUEST,
).create_token_response(
uri=redirect_uri,
http_method='POST',
body={
'grant_type': 'authorization_code',
'code': session_value.getId(),
'redirect_uri': redirect_uri,
'client_id': client_value.getId(),
},
headers={
'Content-Type': 'application/x-www-form-urlencoded',
}
)
return response[1]
finally:
setSecurityManager(initial_security_manager)
security.declarePublic('revoke') security.declarePublic('revoke')
@_wrapOAuth2Endpoint @_wrapOAuth2Endpoint
......
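Review bot: The `security.declareProtected('tokenInternal', Permissions.ModifyPortalContent)` line in the second hunk has its arguments reversed — `ClassSecurityInfo.declareProtected` takes the permission name first and the attribute names after it, so as written it declares a permission literally named `tokenInternal` on an attribute named after the Modify Portal Content string and apparently leaves the new method under the class default rather than behind that permission; it should read `security.declareProtected(Permissions.ModifyPortalContent, 'tokenInternal')`. Since the method switches the security manager to an arbitrary `user_id` and mints a token for that user, the permission level also deserves a second look: the commit message says "as Manager", but Modify Portal Content is normally granted to more roles than Manager, so a Manager-level permission such as `Permissions.ManagePortal` may be what was intended. `uf.getUser(user_id)` returns None for an unknown id, which then fails on `None.__of__(uf)` with a bare AttributeError instead of a clear error. Finally, `return response[1]` discards the status element of the `create_token_response` triple, so a 4xx error body would be handed back to the caller as if it were a token; unpacking the triple and rejecting a non-200 status makes the failure explicit (the exception types below are placeholders for whatever the module already raises).
```python
  security.declareProtected(Permissions.ModifyPortalContent, 'tokenInternal')
  def tokenInternal(self, user_id, client_value, REQUEST):
    # … unchanged: docstring …
    portal = self.getPortalObject()
    uf = portal.acl_users
    user = uf.getUser(user_id)
    if user is None:
      raise ValueError('unknown user id: %r' % (user_id, ))
    # … unchanged: acquisition wrapping, security manager switch, createSession call …
      _, body, status = self._token(
        # … unchanged: request_validator and REQUEST arguments …
      ).create_token_response(
        # … unchanged: uri, http_method, body, headers …
      )
      if status != 200:
        raise ValueError('token endpoint returned %r: %r' % (status, body))
      return body
    finally:
      setSecurityManager(initial_security_manager)
```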
...@@ -6,12 +6,6 @@ ...@@ -6,12 +6,6 @@
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
<item>
<key> <string>_recorded_property_dict</string> </key>
<value>
<persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
</value>
</item>
<item> <item>
<key> <string>default_reference</string> </key> <key> <string>default_reference</string> </key>
<value> <string>OAuth2AuthorisationServerConnector</string> </value> <value> <string>OAuth2AuthorisationServerConnector</string> </value>
...@@ -53,28 +47,13 @@ ...@@ -53,28 +47,13 @@
<item> <item>
<key> <string>workflow_history</string> </key> <key> <string>workflow_history</string> </key>
<value> <value>
<persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent> <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
</value> </value>
</item> </item>
</dictionary> </dictionary>
</pickle> </pickle>
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle>
<global name="PersistentMapping" module="Persistence.mapping"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>data</string> </key>
<value>
<dictionary/>
</value>
</item>
</dictionary>
</pickle>
</record>
<record id="3" aka="AAAAAAAAAAM=">
<pickle> <pickle>
<global name="PersistentMapping" module="Persistence.mapping"/> <global name="PersistentMapping" module="Persistence.mapping"/>
</pickle> </pickle>
...@@ -87,7 +66,7 @@ ...@@ -87,7 +66,7 @@
<item> <item>
<key> <string>component_validation_workflow</string> </key> <key> <string>component_validation_workflow</string> </key>
<value> <value>
<persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent> <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
</value> </value>
</item> </item>
</dictionary> </dictionary>
...@@ -96,7 +75,7 @@ ...@@ -96,7 +75,7 @@
</dictionary> </dictionary>
</pickle> </pickle>
</record> </record>
<record id="4" aka="AAAAAAAAAAQ="> <record id="3" aka="AAAAAAAAAAM=">
<pickle> <pickle>
<global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/> <global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/>
</pickle> </pickle>
......