diff --git a/authentic2_idp_oauth2/admin.py b/authentic2_idp_oauth2/admin.py
index 6cb36c5..883e3e3 100644
--- a/authentic2_idp_oauth2/admin.py
+++ b/authentic2_idp_oauth2/admin.py
@@ -32,6 +32,7 @@ class A2ClientAdmin(ClientAdmin):
 (None, {'fields': (
 'name',
 'user',
+ 'authorized_scopes',
 ) }),
 (_('Location'), {'fields': (
 'url',
@@ -42,7 +43,7 @@ class A2ClientAdmin(ClientAdmin):
 'client_type',
 'client_secret',
 ) }),
- (_('Logout'),
+ (_('Logout'),
 {'fields': ('logout_url', 'logout_use_iframe', 'logout_use_iframe_timeout'),}),)
 
 admin.site.register(models.WebService, WebServiceAdmin)
diff --git a/authentic2_idp_oauth2/migrations/0004_auto__add_field_a2client_authorized_scopes.py b/authentic2_idp_oauth2/migrations/0004_auto__add_field_a2client_authorized_scopes.py
new file mode 100644
index 0000000..e888a4e
--- /dev/null
+++ b/authentic2_idp_oauth2/migrations/0004_auto__add_field_a2client_authorized_scopes.py
@@ -0,0 +1,99 @@ +# -*- coding: utf-8 -*- +from south.utils import datetime_utils as datetime +from south.db import db +from south.v2 import SchemaMigration +from django.db import models + + +class Migration(SchemaMigration): + + def forwards(self, orm): + # Adding field 'A2Client.authorized_scopes' + db.add_column(u'authentic2_idp_oauth2_a2client', 'authorized_scopes', + self.gf('django.db.models.fields.CharField')(max_length=256, null=True, blank=True), + keep_default=False) + + + def backwards(self, orm): + # Deleting field 'A2Client.authorized_scopes' + db.delete_column(u'authentic2_idp_oauth2_a2client', 'authorized_scopes') + + + models = { + u'auth.group': { + 'Meta': {'object_name': 'Group'}, + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'}), + 'permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': u"orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}) + }, + u'auth.permission': { + 'Meta': {'ordering': "(u'content_type__app_label', u'content_type__model', u'codename')", 'unique_together': "((u'content_type', u'codename'),)", 'object_name': 'Permission'}, + 'codename': ('django.db.models.fields.CharField', [], {'max_length': '100'}), + 'content_type': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['contenttypes.ContentType']"}), + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 'name': ('django.db.models.fields.CharField', [], {'max_length': '50'}) + }, + u'auth.user': { + 'Meta': {'object_name': 'User'}, + 'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}), + 'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}), + 'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}), + 'groups': ('django.db.models.fields.related.ManyToManyField', [], 
{'to': u"orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}), + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}), + 'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}), + 'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}), + 'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}), + 'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}), + 'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}), + 'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': u"orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}), + 'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '255'}) + }, + u'authentic2_idp_oauth2.a2client': { + 'Meta': {'object_name': 'A2Client', '_ormbases': [u'oauth2.Client']}, + 'authorized_scopes': ('django.db.models.fields.CharField', [], {'max_length': '256', 'null': 'True', 'blank': 'True'}), + u'client_ptr': ('django.db.models.fields.related.OneToOneField', [], {'to': u"orm['oauth2.Client']", 'unique': 'True', 'primary_key': 'True'}), + 'logout_url': ('django.db.models.fields.URLField', [], {'max_length': '255', 'null': 'True', 'blank': 'True'}), + 'logout_use_iframe': ('django.db.models.fields.BooleanField', [], {'default': 'False'}), + 'logout_use_iframe_timeout': ('django.db.models.fields.PositiveIntegerField', [], {'default': '300'}) + }, + u'authentic2_idp_oauth2.attributerelease': { + 'Meta': {'object_name': 'AttributeRelease'}, + 'attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '64'}), + 'client': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['authentic2_idp_oauth2.A2Client']"}), + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 
'name': ('django.db.models.fields.CharField', [], {'max_length': '64'}) + }, + u'authentic2_idp_oauth2.webservice': { + 'Meta': {'object_name': 'WebService'}, + 'allow_redirects': ('django.db.models.fields.BooleanField', [], {'default': 'True'}), + 'auth_mech': ('django.db.models.fields.CharField', [], {'default': "''", 'max_length': '16', 'blank': 'True'}), + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 'name': ('django.db.models.fields.CharField', [], {'max_length': '32'}), + 'signature_key': ('django.db.models.fields.CharField', [], {'default': "''", 'max_length': '128', 'blank': 'True'}), + 'slug': ('django.db.models.fields.SlugField', [], {'max_length': '32'}), + 'timeout': ('django.db.models.fields.IntegerField', [], {'default': '10'}), + 'url': ('django.db.models.fields.CharField', [], {'max_length': '1024'}), + 'verify_certificate': ('django.db.models.fields.BooleanField', [], {'default': 'True'}) + }, + u'contenttypes.contenttype': { + 'Meta': {'ordering': "('name',)", 'unique_together': "(('app_label', 'model'),)", 'object_name': 'ContentType', 'db_table': "'django_content_type'"}, + 'app_label': ('django.db.models.fields.CharField', [], {'max_length': '100'}), + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 'model': ('django.db.models.fields.CharField', [], {'max_length': '100'}), + 'name': ('django.db.models.fields.CharField', [], {'max_length': '100'}) + }, + u'oauth2.client': { + 'Meta': {'object_name': 'Client'}, + 'client_id': ('django.db.models.fields.CharField', [], {'default': "'cf075b80aceb0c66e850'", 'max_length': '255'}), + 'client_secret': ('django.db.models.fields.CharField', [], {'default': "'abcfb70705da942c4ab431697857e073f605bf5f'", 'max_length': '255'}), + 'client_type': ('django.db.models.fields.IntegerField', [], {}), + u'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), + 'name': ('django.db.models.fields.CharField', [], {'max_length': '255', 
'blank': 'True'}),
+ 'redirect_uri': ('django.db.models.fields.URLField', [], {'max_length': '200'}),
+ 'url': ('django.db.models.fields.URLField', [], {'max_length': '200'}),
+ 'user': ('django.db.models.fields.related.ForeignKey', [], {'blank': 'True', 'related_name': "'oauth2_client'", 'null': 'True', 'to': u"orm['auth.User']"})
+ }
+ }
+
+ complete_apps = ['authentic2_idp_oauth2']
diff --git a/authentic2_idp_oauth2/models.py b/authentic2_idp_oauth2/models.py
index 3303076..d523394 100644
--- a/authentic2_idp_oauth2/models.py
+++ b/authentic2_idp_oauth2/models.py
@@ -9,6 +9,10 @@ from authentic2.models import LogoutUrlAbstract
 from authentic2.managers import GetBySlugManager
 
 class A2Client(LogoutUrlAbstract, Client):
+
+ authorized_scopes = models.CharField('automatically granted scopes',
+ max_length=256, blank=True, null=True,
+ help_text=_('space separated scopes'))
 class Meta:
 verbose_name = _('client')
 verbose_name_plural = _('clients')
diff --git a/authentic2_idp_oauth2/views.py b/authentic2_idp_oauth2/views.py
index abc1fa0..1fb0369 100644
--- a/authentic2_idp_oauth2/views.py
+++ b/authentic2_idp_oauth2/views.py
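Review bot: `authorized_scopes` is declared `null=True` on a CharField, which gives two distinct "empty" values (NULL and '') that every consumer must handle — and the new `authorized_scopes.split(' ')` in views.py handles neither; Django's convention for text fields is `blank=True, default=''` only. Nothing validates the content either: the admin accepts any free text and whatever is typed is later unpacked into `scope.to_int(*scopes)`, so a typo in a scope name surfaces at authorization time rather than at save time. Consider a `clean()` on the model that splits the value and rejects unknown scope names, and extend the help text so an operator knows what the field does, e.g. `help_text=_('space separated scopes granted to this client without asking the user for consent')`. Minor: the verbose name `'automatically granted scopes'` is not wrapped in `_()` although the help_text is. The A2Client class body continues outside the hunk.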
@@ -88,13 +88,19 @@ class Authorize(Authorize):
 automatic grant for some scopes and some clients
 '''
 def get_authorization_form(self, request, client, data, client_data):
- for url_prefix, scopes in app_settings.AUTOMATIC_GRANT:
- if client.url.startswith(url_prefix) and \
+
+ automatic_grant = app_settings.AUTOMATIC_GRANT
+ if hasattr(client, 'a2client'):
+ client_scopes = client.a2client.authorized_scopes.split(' ')
+ automatic_grant += ((client.url, client_scopes),)
+
+ for url_prefix, scopes in automatic_grant:
+ if client_data['redirect_uri'].startswith(url_prefix) and \
 scope.check(client_data['scope'], scope.to_int(*scopes)):
- # return an always valid form
 return forms.EmptyForm({}, scope=client_data['scope'])
+
 return super(Authorize, self).get_authorization_form(
- request, client, data, client_data)
+ request, client, data, client_data)
 
 @api_view(['GET', 'POST', 'PUT', 'DELETE'])
 @authentication_classes([OAuth2Authentication, SessionAuthentication])
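Review bot: `client.a2client.authorized_scopes.split(' ')` raises AttributeError when the field is NULL, which the model in this same commit allows (`null=True, blank=True`), so an authorize request for any A2Client with no scopes configured fails outright instead of falling through to the consent form; and when the field is '' the result is `['']`, an empty scope name that reaches `scope.to_int`. `automatic_grant += (...)` on the line below is only safe if `app_settings.AUTOMATIC_GRANT` is a tuple — if it is a list, `+=` extends the settings object in place on every request and the per-client entries accumulate for the life of the process; copying into a local list removes the doubt. The prefix test now runs on `client_data['redirect_uri']`, i.e. request-supplied data, rather than the registered `client.url`; assuming the base view has already checked redirect_uri against the client's registration, a bare `startswith(client.url)` still accepts `https://example.org.attacker.net/...` for a `client.url` of `https://example.org`, so either require the prefix to end in `/` or compare the parsed scheme and host explicitly before skipping consent. `get_authorization_form` is fully within the hunk.
```python
    def get_authorization_form(self, request, client, data, client_data):
        # local copy: never extend the shared settings object in place
        automatic_grant = list(app_settings.AUTOMATIC_GRANT)
        if hasattr(client, 'a2client'):
            # field is nullable; split() also drops empty tokens from repeated spaces
            client_scopes = (client.a2client.authorized_scopes or '').split()
            if client_scopes:
                automatic_grant.append((client.url, client_scopes))

        # … unchanged: prefix/scope loop returning EmptyForm, then fallback to super() …
```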