authentik/passbook/sources/oauth/views/core.py

"""Core OAauth Views"""

from django.conf import settings
from django.contrib import messages
from django.contrib.auth import authenticate
from django.contrib.auth.mixins import LoginRequiredMixin
from django.http import Http404
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse
from django.utils.translation import ugettext as _
from django.views.generic import RedirectView, View
from structlog import get_logger

from passbook.audit.models import Event, EventAction
from passbook.factors.view import AuthenticationView, _redirect_with_qs
from passbook.sources.oauth.clients import get_client
from passbook.sources.oauth.models import OAuthSource, UserOAuthSourceConnection

LOGGER = get_logger()


# pylint: disable=too-few-public-methods
class OAuthClientMixin:
    "Mixin for getting OAuth client for a source."

    client_class = None

    def get_client(self, source):
        "Get instance of the OAuth client for this source."
        if self.client_class is not None:
            # pylint: disable=not-callable
            return self.client_class(source)
        return get_client(source)


class OAuthRedirect(OAuthClientMixin, RedirectView):
    "Redirect user to OAuth source to enable access."

    permanent = False
    params = None

    # pylint: disable=unused-argument
    def get_additional_parameters(self, source):
        "Return additional redirect parameters for this source."
        return self.params or {}

    def get_callback_url(self, source):
        "Return the callback url for this source."
        return reverse(
            "passbook_sources_oauth:oauth-client-callback",
            kwargs={"source_slug": source.slug},
        )

    def get_redirect_url(self, **kwargs):
        "Build redirect url for a given source."
        slug = kwargs.get("source_slug", "")
        try:
            source = OAuthSource.objects.get(slug=slug)
        except OAuthSource.DoesNotExist:
            raise Http404("Unknown OAuth source '%s'." % slug)
        else:
            if not source.enabled:
                raise Http404("source %s is not enabled." % slug)
            client = self.get_client(source)
            callback = self.get_callback_url(source)
            params = self.get_additional_parameters(source)
            return client.get_redirect_url(
                self.request, callback=callback, parameters=params
            )


class OAuthCallback(OAuthClientMixin, View):
    "Base OAuth callback view."

    source_id = None
    source = None

    def get(self, request, *_, **kwargs):
        """View Get handler"""
        slug = kwargs.get("source_slug", "")
        try:
            self.source = OAuthSource.objects.get(slug=slug)
        except OAuthSource.DoesNotExist:
            raise Http404("Unknown OAuth source '%s'." % slug)
        else:
            if not self.source.enabled:
                raise Http404("source %s is not enabled." % slug)
            client = self.get_client(self.source)
            callback = self.get_callback_url(self.source)
            # Fetch access token
            raw_token = client.get_access_token(self.request, callback=callback)
            if raw_token is None:
                return self.handle_login_failure(
                    self.source, "Could not retrieve token."
                )
            # Fetch profile info
            info = client.get_profile_info(raw_token)
            if info is None:
                return self.handle_login_failure(
                    self.source, "Could not retrieve profile."
                )
            identifier = self.get_user_id(self.source, info)
            if identifier is None:
                return self.handle_login_failure(self.source, "Could not determine id.")
            # Get or create access record
            defaults = {
                "access_token": raw_token,
            }
            existing = UserOAuthSourceConnection.objects.filter(
                source=self.source, identifier=identifier
            )

            if existing.exists():
                connection = existing.first()
                connection.access_token = raw_token
                UserOAuthSourceConnection.objects.filter(pk=connection.pk).update(
                    **defaults
                )
            else:
                connection = UserOAuthSourceConnection(
                    source=self.source, identifier=identifier, access_token=raw_token
                )
            user = authenticate(
                source=self.source, identifier=identifier, request=request
            )
            if user is None:
                LOGGER.debug("Handling new user")
                return self.handle_new_user(self.source, connection, info)
            LOGGER.debug("Handling existing user")
            return self.handle_existing_user(self.source, user, connection, info)

    # pylint: disable=unused-argument
    def get_callback_url(self, source):
        "Return callback url if different than the current url."
        return False

    # pylint: disable=unused-argument
    def get_error_redirect(self, source, reason):
        "Return url to redirect on login failure."
        return settings.LOGIN_URL

    def get_or_create_user(self, source, access, info):
        "Create a shell auth.User."
        raise NotImplementedError()

    # pylint: disable=unused-argument
    def get_user_id(self, source, info):
        "Return unique identifier from the profile info."
        id_key = self.source_id or "id"
        result = info
        try:
            for key in id_key.split("."):
                result = result[key]
            return result
        except KeyError:
            return None

    def handle_login(self, user, source, access):
        """Prepare AuthenticationView, redirect users to remaining Factors"""
        user = authenticate(
            source=access.source, identifier=access.identifier, request=self.request
        )
        self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk
        self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
        self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True
        return _redirect_with_qs("passbook_core:auth-process", self.request.GET)

    # pylint: disable=unused-argument
    def handle_existing_user(self, source, user, access, info):
        "Login user and redirect."
        messages.success(
            self.request,
            _(
                "Successfully authenticated with %(source)s!"
                % {"source": self.source.name}
            ),
        )
        return self.handle_login(user, source, access)

    def handle_login_failure(self, source, reason):
        "Message user and redirect on error."
        LOGGER.warning("Authentication Failure: %s", reason)
        messages.error(self.request, _("Authentication Failed."))
        return redirect(self.get_error_redirect(source, reason))

    def handle_new_user(self, source, access, info):
        "Create a shell auth.User and redirect."
        was_authenticated = False
        if self.request.user.is_authenticated:
            # there's already a user logged in, just link them up
            user = self.request.user
            was_authenticated = True
        else:
            user = self.get_or_create_user(source, access, info)
        access.user = user
        access.save()
        UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user)
        Event.new(
            EventAction.CUSTOM, message="Linked OAuth Source", source=source
        ).from_http(self.request)
        if was_authenticated:
            messages.success(
                self.request,
                _("Successfully linked %(source)s!" % {"source": self.source.name}),
            )
            return redirect(
                reverse(
                    "passbook_sources_oauth:oauth-client-user",
                    kwargs={"source_slug": self.source.slug},
                )
            )
        # User was not authenticated, new user has been created
        user = authenticate(
            source=access.source, identifier=access.identifier, request=self.request
        )
        messages.success(
            self.request,
            _(
                "Successfully authenticated with %(source)s!"
                % {"source": self.source.name}
            ),
        )
        return self.handle_login(user, source, access)


class DisconnectView(LoginRequiredMixin, View):
    """Delete connection with source"""

    source = None
    aas = None

    def dispatch(self, request, source_slug):
        self.source = get_object_or_404(OAuthSource, slug=source_slug)
        self.aas = get_object_or_404(
            UserOAuthSourceConnection, source=self.source, user=request.user
        )
        return super().dispatch(request, source_slug)

    def post(self, request, source_slug):
        """Delete connection object"""
        if "confirmdelete" in request.POST:
            # User confirmed deletion
            self.aas.delete()
            messages.success(request, _("Connection successfully deleted"))
            return redirect(
                reverse(
                    "passbook_sources_oauth:oauth-client-user",
                    kwargs={"source_slug": self.source.slug},
                )
            )
        return self.get(request, source_slug)

    # pylint: disable=unused-argument
    def get(self, request, source_slug):
        """Show delete form"""
        return render(
            request,
            "generic/delete.html",
            {
                "object": self.source,
                "delete_url": reverse(
                    "passbook_sources_oauth:oauth-client-disconnect",
                    kwargs={"source_slug": self.source.slug,},
                ),
            },
        )
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`"""Core OAauth Views"""`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`from django.conf import settings`
			`from django.contrib import messages`
remove unused import 2019-04-29 21:22:54 +00:00			`from django.contrib.auth import authenticate`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`from django.contrib.auth.mixins import LoginRequiredMixin`
			`from django.http import Http404`
			`from django.shortcuts import get_object_or_404, redirect, render`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`from django.urls import reverse`
			`from django.utils.translation import ugettext as _`
			`from django.views.generic import RedirectView, View`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
audit: rewrite to be independent of django http requests, allow custom actions 2019-12-05 15:14:08 +00:00			`from passbook.audit.models import Event, EventAction`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`from passbook.factors.view import AuthenticationView, _redirect_with_qs`
			`from passbook.sources.oauth.clients import get_client`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`from passbook.sources.oauth.models import OAuthSource, UserOAuthSourceConnection`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00

oauth_client: cleanup 2018-12-18 12:24:26 +00:00			`# pylint: disable=too-few-public-methods`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`class OAuthClientMixin:`
			`"Mixin for getting OAuth client for a source."`

			`client_class = None`

			`def get_client(self, source):`
			`"Get instance of the OAuth client for this source."`
			`if self.client_class is not None:`
			`# pylint: disable=not-callable`
			`return self.client_class(source)`
			`return get_client(source)`


			`class OAuthRedirect(OAuthClientMixin, RedirectView):`
			`"Redirect user to OAuth source to enable access."`

			`permanent = False`
			`params = None`

			`# pylint: disable=unused-argument`
			`def get_additional_parameters(self, source):`
			`"Return additional redirect parameters for this source."`
			`return self.params or {}`

			`def get_callback_url(self, source):`
			`"Return the callback url for this source."`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return reverse(`
			`"passbook_sources_oauth:oauth-client-callback",`
			`kwargs={"source_slug": source.slug},`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`def get_redirect_url(self, **kwargs):`
			`"Build redirect url for a given source."`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`slug = kwargs.get("source_slug", "")`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`try:`
			`source = OAuthSource.objects.get(slug=slug)`
			`except OAuthSource.DoesNotExist:`
			`raise Http404("Unknown OAuth source '%s'." % slug)`
			`else:`
			`if not source.enabled:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`raise Http404("source %s is not enabled." % slug)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`client = self.get_client(source)`
			`callback = self.get_callback_url(source)`
			`params = self.get_additional_parameters(source)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return client.get_redirect_url(`
			`self.request, callback=callback, parameters=params`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00

			`class OAuthCallback(OAuthClientMixin, View):`
			`"Base OAuth callback view."`

			`source_id = None`
			`source = None`

ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00			`def get(self, request, _, *kwargs):`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""View Get handler"""`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`slug = kwargs.get("source_slug", "")`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`try:`
			`self.source = OAuthSource.objects.get(slug=slug)`
			`except OAuthSource.DoesNotExist:`
			`raise Http404("Unknown OAuth source '%s'." % slug)`
			`else:`
			`if not self.source.enabled:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`raise Http404("source %s is not enabled." % slug)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`client = self.get_client(self.source)`
			`callback = self.get_callback_url(self.source)`
			`# Fetch access token`
			`raw_token = client.get_access_token(self.request, callback=callback)`
			`if raw_token is None:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return self.handle_login_failure(`
			`self.source, "Could not retrieve token."`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`# Fetch profile info`
			`info = client.get_profile_info(raw_token)`
			`if info is None:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return self.handle_login_failure(`
			`self.source, "Could not retrieve profile."`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`identifier = self.get_user_id(self.source, info)`
			`if identifier is None:`
			`return self.handle_login_failure(self.source, "Could not determine id.")`
			`# Get or create access record`
			`defaults = {`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`"access_token": raw_token,`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`}`
			`existing = UserOAuthSourceConnection.objects.filter(`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`source=self.source, identifier=identifier`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`if existing.exists():`
			`connection = existing.first()`
			`connection.access_token = raw_token`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`UserOAuthSourceConnection.objects.filter(pk=connection.pk).update(`
			`**defaults`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`else:`
			`connection = UserOAuthSourceConnection(`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`source=self.source, identifier=identifier, access_token=raw_token`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`user = authenticate(`
			`source=self.source, identifier=identifier, request=request`
			`)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`if user is None:`
Verify OAuth Username vuln and fix closes #9 2019-02-27 12:18:16 +00:00			`LOGGER.debug("Handling new user")`
oauth_client: cleanup 2018-12-18 12:24:26 +00:00			`return self.handle_new_user(self.source, connection, info)`
Verify OAuth Username vuln and fix closes #9 2019-02-27 12:18:16 +00:00			`LOGGER.debug("Handling existing user")`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`return self.handle_existing_user(self.source, user, connection, info)`

			`# pylint: disable=unused-argument`
			`def get_callback_url(self, source):`
			`"Return callback url if different than the current url."`
			`return False`

			`# pylint: disable=unused-argument`
			`def get_error_redirect(self, source, reason):`
			`"Return url to redirect on login failure."`
			`return settings.LOGIN_URL`

			`def get_or_create_user(self, source, access, info):`
			`"Create a shell auth.User."`
Add bandit to CI 2018-12-09 16:44:54 +00:00			`raise NotImplementedError()`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`# pylint: disable=unused-argument`
			`def get_user_id(self, source, info):`
			`"Return unique identifier from the profile info."`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`id_key = self.source_id or "id"`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`result = info`
			`try:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`for key in id_key.split("."):`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`result = result[key]`
			`return result`
			`except KeyError:`
			`return None`

create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA 2019-04-29 21:19:37 +00:00			`def handle_login(self, user, source, access):`
			`"""Prepare AuthenticationView, redirect users to remaining Factors"""`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`user = authenticate(`
			`source=access.source, identifier=access.identifier, request=self.request`
			`)`
create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA 2019-04-29 21:19:37 +00:00			`self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk`
			`self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend`
			`self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return _redirect_with_qs("passbook_core:auth-process", self.request.GET)`
create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA 2019-04-29 21:19:37 +00:00
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`# pylint: disable=unused-argument`
			`def handle_existing_user(self, source, user, access, info):`
			`"Login user and redirect."`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`messages.success(`
			`self.request,`
			`_(`
			`"Successfully authenticated with %(source)s!"`
			`% {"source": self.source.name}`
			`),`
			`)`
create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA 2019-04-29 21:19:37 +00:00			`return self.handle_login(user, source, access)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`def handle_login_failure(self, source, reason):`
			`"Message user and redirect on error."`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`LOGGER.warning("Authentication Failure: %s", reason)`
			`messages.error(self.request, _("Authentication Failed."))`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`return redirect(self.get_error_redirect(source, reason))`

			`def handle_new_user(self, source, access, info):`
			`"Create a shell auth.User and redirect."`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`was_authenticated = False`
Fix prospector errors and move secret_key to yaml config 2018-11-27 09:56:40 +00:00			`if self.request.user.is_authenticated:`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`# there's already a user logged in, just link them up`
			`user = self.request.user`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`was_authenticated = True`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`else:`
			`user = self.get_or_create_user(source, access, info)`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`access.user = user`
			`access.save()`
			`UserOAuthSourceConnection.objects.filter(pk=access.pk).update(user=user)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`Event.new(`
audit: sanitize kwargs when creating audit event 2019-12-31 12:33:07 +00:00			`EventAction.CUSTOM, message="Linked OAuth Source", source=source`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`).from_http(self.request)`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`if was_authenticated:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`messages.success(`
			`self.request,`
			`_("Successfully linked %(source)s!" % {"source": self.source.name}),`
			`)`
			`return redirect(`
			`reverse(`
			`"passbook_sources_oauth:oauth-client-user",`
			`kwargs={"source_slug": self.source.slug},`
			`)`
			`)`
create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA 2019-04-29 21:19:37 +00:00			`# User was not authenticated, new user has been created`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`user = authenticate(`
			`source=access.source, identifier=access.identifier, request=self.request`
			`)`
			`messages.success(`
			`self.request,`
			`_(`
			`"Successfully authenticated with %(source)s!"`
			`% {"source": self.source.name}`
			`),`
			`)`
create SSOLoginPolicy, which allows factors to be applied when user comes from SSO login implement SESSIION_IS_SSO_LOGIN for OAuth Client and core MFA 2019-04-29 21:19:37 +00:00			`return self.handle_login(user, source, access)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00

oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`class DisconnectView(LoginRequiredMixin, View):`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Delete connection with source"""`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00
			`source = None`
			`aas = None`

Fix OAuth Client's disconnect view having invalid URL names 2019-03-14 20:19:14 +00:00			`def dispatch(self, request, source_slug):`
			`self.source = get_object_or_404(OAuthSource, slug=source_slug)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`self.aas = get_object_or_404(`
			`UserOAuthSourceConnection, source=self.source, user=request.user`
			`)`
Fix OAuth Client's disconnect view having invalid URL names 2019-03-14 20:19:14 +00:00			`return super().dispatch(request, source_slug)`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00
Fix OAuth Client's disconnect view having invalid URL names 2019-03-14 20:19:14 +00:00			`def post(self, request, source_slug):`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`"""Delete connection object"""`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`if "confirmdelete" in request.POST:`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`# User confirmed deletion`
			`self.aas.delete()`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`messages.success(request, _("Connection successfully deleted"))`
			`return redirect(`
			`reverse(`
			`"passbook_sources_oauth:oauth-client-user",`
			`kwargs={"source_slug": self.source.slug},`
			`)`
			`)`
Fix OAuth Client's disconnect view having invalid URL names 2019-03-14 20:19:14 +00:00			`return self.get(request, source_slug)`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00			`# pylint: disable=unused-argument`
			`def get(self, request, source_slug):`
oauth_client: add form, cleanup views 2018-11-22 12:12:24 +00:00			`"""Show delete form"""`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return render(`
			`request,`
			`"generic/delete.html",`
			`{`
			`"object": self.source,`
			`"delete_url": reverse(`
			`"passbook_sources_oauth:oauth-client-disconnect",`
			`kwargs={"source_slug": self.source.slug,},`
			`),`
			`},`
			`)`