authentic2-auth-fc/src/authentic2_auth_fc/models.py

# authentic2-auth-fc - authentic2 authentication for FranceConnect
# Copyright (C) 2019 Entr'ouvert
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import base64
import json
import hmac
import hashlib
import urlparse

from django.db import models
from django.utils.translation import ugettext_lazy as _
from django.utils.timezone import now
from django.conf import settings

from authentic2_auth_oidc.utils import parse_timestamp

from . import app_settings


def base64url_decode(input):
    rem = len(input) % 4
    if rem > 0:
        input += b'=' * (4 - rem)
    return base64.urlsafe_b64decode(input)


def parse_id_token(id_token, client_id=None, client_secret=None):
    try:
        splitted = str(id_token).split('.')
    except Exception:
        return None, 'invalid id_token'
    if len(splitted) != 3:
        return None, 'invalid id_token'
    header, payload, signature = splitted
    try:
        signature = base64url_decode(signature)
    except (ValueError, TypeError):
        return None, 'invalid signature'
    signed = '%s.%s' % (header, payload)
    if client_secret is not None:
        h = hmac.HMAC(key=client_secret, msg=signed, digestmod=hashlib.sha256)
        if h.digest() != signature:
            return None, 'hmac signature does not match'
    payload = base64url_decode(str(payload))
    try:
        payload = json.loads(payload)
    except ValueError:
        return None, 'invalid payload'
    if client_id and ('aud' not in payload or payload['aud'] != client_id):
        return None, 'invalid audience'
    if 'exp' not in payload or parse_timestamp(payload['exp']) < now():
        return None, 'id_token is expired'

    def check_issuer():
        parsed = urlparse.urlparse(app_settings.authorize_url)
        if 'iss' not in payload:
            return False
        try:
            parsed_issuer = urlparse.urlparse(payload['iss'])
        except Exception:
            return False
        return parsed_issuer.scheme == parsed.scheme and parsed_issuer.netloc == parsed.netloc

    if not check_issuer():
        return None, 'wrong issuer received, %r' % payload['iss']
    return payload, None


class FcAccount(models.Model):
    user = models.ForeignKey(
        to=settings.AUTH_USER_MODEL,
        verbose_name=_('user'),
        related_name='fc_accounts')
    sub = models.TextField(
        verbose_name=_('sub'),
        db_index=True)
    token = models.TextField(verbose_name=_('access token'))
    user_info = models.TextField(verbose_name=_('access token'), blank=True, null=True)

    @property
    def id_token(self):
        return parse_id_token(self.get_token()['id_token'])

    def get_token(self):
        return json.loads(self.token)

    def get_user_info(self):
        return json.loads(self.user_info)

    def __unicode__(self):
        user_info = self.get_user_info()
        display_name = []
        if 'given_name' in user_info:
            display_name.append(user_info['given_name'])
        if 'family_name' in user_info:
            display_name.append(user_info['family_name'])
        return ' '.join(display_name)
add copyright headers (#32866) 2019-05-07 14:05:39 +02:00			`# authentic2-auth-fc - authentic2 authentication for FranceConnect`
			`# Copyright (C) 2019 Entr'ouvert`
			`#`
			`# This program is free software: you can redistribute it and/or modify it`
			`# under the terms of the GNU Affero General Public License as published`
			`# by the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Affero General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

First working implementation, logout is not finished 2015-05-28 10:57:24 +02:00			`import base64`
msp: add a refresh token method to MspAccount models to verify if the account link is alive 2013-12-06 16:19:05 +01:00			`import json`
validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`import hmac`
			`import hashlib`
			`import urlparse`
msp: log when deleting stale msp accounts 2014-02-06 14:19:46 +01:00
Delete MSP links on account deletion cron job and also when the DeletedUser object is created 2014-11-21 17:08:43 +01:00			`from django.db import models`
add msp integration application Requirements ============ Your base template must use django-sekizai and must contain a sekizai block named "css" and another named "js" respectively for stylesheet and javascript files. Installation ============ Add the application to your installed apps:: INSTALLED_APPS += ( 'msp', ) Install the authentication backend:: AUTHENTICATION_BACKENDS += ( 'msp.backends.MspBackend', ) Define needed settings, we show here the default values:: MSP_AUTHORIZE_URL = 'https://mon.service-public.fr/apis/app/oauth/authorize' MSP_TOKEN_URL = 'https://mon.service-public.fr/apis/app/oauth/token' MSP_API_URL = 'https://mon.service-public.fr/apis/' MSP_CLIENT_ID = 'id assigned by DIMAP' MSP_CLIENT_SECRET = 'secret assigned by DIMAP' MSP_CLIENT_CERTIFICATE = ('/my-path/my-certificate.crt', '/my-path/my-certificate.key') MSP_VERIFY_CERTIFICATE = False You must plug the application views in your urls.py file by adding this content:: url(r'^msp/', include('msp.urls')), To link your account to MSP or unlink your account from MSP, add the following content to your template:: {% include 'msp/linking.html' %} It will show a linking link when unauthenticated and when no msp account is linked to the current account or an unlinking link when authenticated and a to MSP exists. To show a connection box include this content in your template:: {% include 'msp/connecting.html' %} To make the include file use a popup to talk to MSP add the popup parameter like in the following content:: {% include 'msp/connecting.html' with popup=1 %} 2013-10-11 17:33:20 +02:00			`from django.utils.translation import ugettext_lazy as _`
validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`from django.utils.timezone import now`
Remove unused templates 2015-05-28 00:25:55 +02:00			`from django.conf import settings`
add msp integration application Requirements ============ Your base template must use django-sekizai and must contain a sekizai block named "css" and another named "js" respectively for stylesheet and javascript files. Installation ============ Add the application to your installed apps:: INSTALLED_APPS += ( 'msp', ) Install the authentication backend:: AUTHENTICATION_BACKENDS += ( 'msp.backends.MspBackend', ) Define needed settings, we show here the default values:: MSP_AUTHORIZE_URL = 'https://mon.service-public.fr/apis/app/oauth/authorize' MSP_TOKEN_URL = 'https://mon.service-public.fr/apis/app/oauth/token' MSP_API_URL = 'https://mon.service-public.fr/apis/' MSP_CLIENT_ID = 'id assigned by DIMAP' MSP_CLIENT_SECRET = 'secret assigned by DIMAP' MSP_CLIENT_CERTIFICATE = ('/my-path/my-certificate.crt', '/my-path/my-certificate.key') MSP_VERIFY_CERTIFICATE = False You must plug the application views in your urls.py file by adding this content:: url(r'^msp/', include('msp.urls')), To link your account to MSP or unlink your account from MSP, add the following content to your template:: {% include 'msp/linking.html' %} It will show a linking link when unauthenticated and when no msp account is linked to the current account or an unlinking link when authenticated and a to MSP exists. To show a connection box include this content in your template:: {% include 'msp/connecting.html' %} To make the include file use a popup to talk to MSP add the popup parameter like in the following content:: {% include 'msp/connecting.html' with popup=1 %} 2013-10-11 17:33:20 +02:00
validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`from authentic2_auth_oidc.utils import parse_timestamp`

			`from . import app_settings`

First working implementation, logout is not finished 2015-05-28 10:57:24 +02:00
			`def base64url_decode(input):`
			`rem = len(input) % 4`
			`if rem > 0:`
			`input += b'=' * (4 - rem)`
			`return base64.urlsafe_b64decode(input)`


validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`def parse_id_token(id_token, client_id=None, client_secret=None):`
			`try:`
			`splitted = str(id_token).split('.')`
add copyright headers (#32866) 2019-05-07 14:05:39 +02:00			`except Exception:`
validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`return None, 'invalid id_token'`
			`if len(splitted) != 3:`
			`return None, 'invalid id_token'`
			`header, payload, signature = splitted`
			`try:`
			`signature = base64url_decode(signature)`
			`except (ValueError, TypeError):`
			`return None, 'invalid signature'`
			`signed = '%s.%s' % (header, payload)`
			`if client_secret is not None:`
			`h = hmac.HMAC(key=client_secret, msg=signed, digestmod=hashlib.sha256)`
			`if h.digest() != signature:`
			`return None, 'hmac signature does not match'`
First working implementation, logout is not finished 2015-05-28 10:57:24 +02:00			`payload = base64url_decode(str(payload))`
validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`try:`
			`payload = json.loads(payload)`
			`except ValueError:`
			`return None, 'invalid payload'`
			`if client_id and ('aud' not in payload or payload['aud'] != client_id):`
			`return None, 'invalid audience'`
			`if 'exp' not in payload or parse_timestamp(payload['exp']) < now():`
			`return None, 'id_token is expired'`
models: check issuer using only URL scheme and netloc (fixes #18766) 2017-09-18 15:49:20 +02:00
			`def check_issuer():`
			`parsed = urlparse.urlparse(app_settings.authorize_url)`
			`if 'iss' not in payload:`
			`return False`
			`try:`
			`parsed_issuer = urlparse.urlparse(payload['iss'])`
add copyright headers (#32866) 2019-05-07 14:05:39 +02:00			`except Exception:`
models: check issuer using only URL scheme and netloc (fixes #18766) 2017-09-18 15:49:20 +02:00			`return False`
			`return parsed_issuer.scheme == parsed.scheme and parsed_issuer.netloc == parsed.netloc`

			`if not check_issuer():`
validate id_token Signature is validated, exp, aud and iis fields are checked. Also add tests using tox and py.test. Proper validation of signature is verified using jwcrypto. 2017-06-15 15:45:05 +02:00			`return None, 'wrong issuer received, %r' % payload['iss']`
			`return payload, None`
First working implementation, logout is not finished 2015-05-28 10:57:24 +02:00
msp: add a refresh token method to MspAccount models to verify if the account link is alive 2013-12-06 16:19:05 +01:00
Rename MSP plugin as FC plugin 2015-05-27 16:07:44 +02:00			`class FcAccount(models.Model):`
Remove unused templates 2015-05-28 00:25:55 +02:00			`user = models.ForeignKey(`
First working implementation, logout is not finished 2015-05-28 10:57:24 +02:00			`to=settings.AUTH_USER_MODEL,`
			`verbose_name=_('user'),`
			`related_name='fc_accounts')`
			`sub = models.TextField(`
			`verbose_name=_('sub'),`
			`db_index=True)`
msp: store access token in account association object The access token is used to get to the refresh token for verifying existing links. 2013-12-06 15:56:48 +01:00			`token = models.TextField(verbose_name=_('access token'))`
Add user_info field to FcAccount model. 2015-05-29 11:13:44 +02:00			`user_info = models.TextField(verbose_name=_('access token'), blank=True, null=True)`
msp: add a refresh token method to MspAccount models to verify if the account link is alive 2013-12-06 16:19:05 +01:00
First working implementation, logout is not finished 2015-05-28 10:57:24 +02:00			`@property`
			`def id_token(self):`
			`return parse_id_token(self.get_token()['id_token'])`

			`def get_token(self):`
			`return json.loads(self.token)`
Add user_info field to FcAccount model. 2015-05-29 11:13:44 +02:00
			`def get_user_info(self):`
			`return json.loads(self.user_info)`
add an unlink view 2015-10-31 00:39:58 +01:00
			`def __unicode__(self):`
			`user_info = self.get_user_info()`
			`display_name = []`
			`if 'given_name' in user_info:`
			`display_name.append(user_info['given_name'])`
			`if 'family_name' in user_info:`
			`display_name.append(user_info['family_name'])`
Remove deprecated idp info form the unicode of an FCAccount (fixes #10628). 2016-04-12 12:15:30 +02:00			`return ' '.join(display_name)`