ckanext-ozwillo-pyoidc/ckanext/ozwillo_pyoidc/plugin.py

import logging
import conf

import ckan.plugins as plugins
import ckan.plugins.toolkit as toolkit
from ckan.common import session, c, request
from ckan import model
import ckan.lib.base as base

from pylons import config, request

import conf
from oidc import create_client

plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'

log = logging.getLogger(__name__)
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'

_CLIENTS = {}

class Clients(object):

    @classmethod
    def get(cls, g):
        global _CLIENTS
        if g.id in _CLIENTS:
            return _CLIENTS.get(g.id)
        client = cls().get_client(g)
        _CLIENTS.update({g.id: client})
        return client

    def get_client(self, g):
        params = conf.CLIENT.copy()
        params['client_registration'].update({
            'client_id': g._extras['client_id'].value,
            'client_secret': g._extras['client_secret'].value,
            'redirect_uris': [toolkit.url_for(host=request.host,
                                              controller=plugin_controller,
                                              action='callback',
                                              id=g.name,
                                              qualified=True)]
        })
        return create_client(**params)


class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
    plugins.implements(plugins.IConfigurer)
    plugins.implements(plugins.IRoutes)
    plugins.implements(plugins.IAuthenticator, inherit=True)

    def before_map(self, map):
        map.connect('/organization/{id:.*}/sso',
                    controller=plugin_controller,
                    action='sso')
        map.connect('/organization/{id:.*}/callback',
                    controller=plugin_controller,
                    action='callback')
        map.connect('/user/slo',
                    controller=plugin_controller,
                    action='slo')
        map.redirect('/organization/{id:.*}/logout', '/user/_logout')

        return map

    def after_map(self, map):
        return map

    def identify(self):
        user = session.get('user')
        if user and not toolkit.c.userobj:
            userobj = model.User.get(user)
            toolkit.c.user = userobj.name
            toolkit.c.userobj = userobj

    def login(self):
        if 'organization_id' in session:
            g = model.Group.get(session['organization_id'])
            client = Clients.get(g)
            url, ht_args = client.create_authn_request(session, conf.ACR_VALUES)
            if ht_args:
                toolkit.request.headers.update(ht_args)
            toolkit.redirect_to(url)
        else:
            toolkit.redirect_to('/')

    def logout(self):
        pass

    def update_config(self, config_):
        toolkit.add_template_directory(config_, 'templates')
        toolkit.add_public_directory(config_, 'public')
        toolkit.add_resource('fanstatic', 'ozwillo_pyoidc')

class OpenidController(base.BaseController):

    def sso(self, id):
        log.info('SSO for organization "%s"' % id)
        session['organization_id'] = id
        session.save()
        log.info('redirecting to login page')
        login_url = toolkit.url_for(host=request.host,
                                    controller='user',
                                    action='login',
                                    qualified=True)
        toolkit.redirect_to(login_url)

    def callback(self):
        g = model.Group.get(session['organization_id'])
        client = Clients.get(g)
        userinfo = client.callback(request.GET)
        log.info('Received userinfo: %s' % userinfo)
        userobj = model.User.get(userinfo['sub'])
        if userobj:
            userobj.name = userinfo['nickname']
            userobj.email = userinfo['email']
            if 'given_name' in userinfo:
                userobj.fullname = userinfo['given_name']
            if 'family_name' in userinfo:
                userobj.fullname += userinfo['family_name']
            userobj.save()
            session['user'] = userobj.id
            session.save()

        org_url = toolkit.url_for(host=request.host,
                                  controller="organization",
                                  action='read',
                                  id=g.id,
                                  qualified=True)
        toolkit.redirect_to(org_url)

    def slo(self):
        """
        Revokes the delivered access token. Logs out the user
        """
        g = model.Group.get(session['organization_id'])
        client = Clients.get(g)
        logout_url = client.end_session_endpoint
        org_url = toolkit.url_for(host=request.host,
                                  controller='organization',
                                  action='read',
                                  id=session['organization_id'],
                                  qualified=True)
        redirect_uri = org_url + '/logout'

        # revoke the access token
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = 'token=%s&token_type_hint=access_token' % client.access_token
        client.http_request(client.revocation_endpoint, 'POST',
                            data=data, headers=headers)

        # redirect to IDP logout
        logout_url += '?id_token_hint=%s&' % client.id_token
        logout_url += 'post_logout_redirect_uri=%s' % redirect_uri
        toolkit.redirect_to(str(logout_url))
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00			`import logging`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`import conf`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00
initial commit with plugin structure 2015-01-23 10:34:03 +01:00			`import ckan.plugins as plugins`
			`import ckan.plugins.toolkit as toolkit`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`from ckan.common import session, c, request`
			`from ckan import model`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00			`import ckan.lib.base as base`

			`from pylons import config, request`

Client building refactored 2015-02-10 11:07:32 +01:00			`import conf`
			`from oidc import create_client`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00
			`plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'`

			`log = logging.getLogger(__name__)`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`_CLIENTS = {}`

			`class Clients(object):`

			`@classmethod`
			`def get(cls, g):`
			`global _CLIENTS`
			`if g.id in _CLIENTS:`
			`return _CLIENTS.get(g.id)`
			`client = cls().get_client(g)`
			`_CLIENTS.update({g.id: client})`
			`return client`

			`def get_client(self, g):`
			`params = conf.CLIENT.copy()`
			`params['client_registration'].update({`
			`'client_id': g._extras['client_id'].value,`
			`'client_secret': g._extras['client_secret'].value,`
			`'redirect_uris': [toolkit.url_for(host=request.host,`
			`controller=plugin_controller,`
			`action='callback',`
			`id=g.name,`
			`qualified=True)]`
			`})`
			`return create_client(**params)`

initial commit with plugin structure 2015-01-23 10:34:03 +01:00
			`class OzwilloPyoidcPlugin(plugins.SingletonPlugin):`
			`plugins.implements(plugins.IConfigurer)`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00			`plugins.implements(plugins.IRoutes)`
			`plugins.implements(plugins.IAuthenticator, inherit=True)`
initial commit with plugin structure 2015-01-23 10:34:03 +01:00
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00			`def before_map(self, map):`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`map.connect('/organization/{id:.*}/sso',`
			`controller=plugin_controller,`
			`action='sso')`
			`map.connect('/organization/{id:.*}/callback',`
			`controller=plugin_controller,`
			`action='callback')`
user logging out 2015-02-09 22:05:24 +01:00			`map.connect('/user/slo',`
			`controller=plugin_controller,`
			`action='slo')`
			`map.redirect('/organization/{id:.*}/logout', '/user/_logout')`

login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00			`return map`

			`def after_map(self, map):`
			`return map`

			`def identify(self):`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`user = session.get('user')`
			`if user and not toolkit.c.userobj:`
			`userobj = model.User.get(user)`
			`toolkit.c.user = userobj.name`
			`toolkit.c.userobj = userobj`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00
			`def login(self):`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`if 'organization_id' in session:`
			`g = model.Group.get(session['organization_id'])`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`client = Clients.get(g)`
			`url, ht_args = client.create_authn_request(session, conf.ACR_VALUES)`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`if ht_args:`
			`toolkit.request.headers.update(ht_args)`
			`toolkit.redirect_to(url)`
			`else:`
			`toolkit.redirect_to('/')`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00
			`def logout(self):`
retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`pass`
initial commit with plugin structure 2015-01-23 10:34:03 +01:00
			`def update_config(self, config_):`
			`toolkit.add_template_directory(config_, 'templates')`
			`toolkit.add_public_directory(config_, 'public')`
			`toolkit.add_resource('fanstatic', 'ozwillo_pyoidc')`
login function redirecting to idp and callback view added 2015-02-04 15:24:41 +01:00
			`class OpenidController(base.BaseController):`

retreiving user, update its infos, log in 2015-02-09 17:17:40 +01:00			`def sso(self, id):`
			`log.info('SSO for organization "%s"' % id)`
			`session['organization_id'] = id`
			`session.save()`
			`log.info('redirecting to login page')`
			`login_url = toolkit.url_for(host=request.host,`
			`controller='user',`
			`action='login',`
			`qualified=True)`
			`toolkit.redirect_to(login_url)`

			`def callback(self):`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`g = model.Group.get(session['organization_id'])`
			`client = Clients.get(g)`
			`userinfo = client.callback(request.GET)`
			`log.info('Received userinfo: %s' % userinfo)`
Retreving user by 'sub' attribute which represents the user_id. User name updated from received 'nickname' attribute 2015-02-10 13:40:18 +01:00			`userobj = model.User.get(userinfo['sub'])`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`if userobj:`
Retreving user by 'sub' attribute which represents the user_id. User name updated from received 'nickname' attribute 2015-02-10 13:40:18 +01:00			`userobj.name = userinfo['nickname']`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`userobj.email = userinfo['email']`
			`if 'given_name' in userinfo:`
			`userobj.fullname = userinfo['given_name']`
			`if 'family_name' in userinfo:`
			`userobj.fullname += userinfo['family_name']`
			`userobj.save()`
			`session['user'] = userobj.id`
			`session.save()`

			`org_url = toolkit.url_for(host=request.host,`
			`controller="organization",`
			`action='read',`
			`id=g.id,`
			`qualified=True)`
			`toolkit.redirect_to(org_url)`
user logging out 2015-02-09 22:05:24 +01:00
			`def slo(self):`
			`"""`
			`Revokes the delivered access token. Logs out the user`
			`"""`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`g = model.Group.get(session['organization_id'])`
			`client = Clients.get(g)`
			`logout_url = client.end_session_endpoint`
user logging out 2015-02-09 22:05:24 +01:00			`org_url = toolkit.url_for(host=request.host,`
			`controller='organization',`
			`action='read',`
			`id=session['organization_id'],`
			`qualified=True)`
			`redirect_uri = org_url + '/logout'`

			`# revoke the access token`
			`headers = {'Content-Type': 'application/x-www-form-urlencoded'}`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`data = 'token=%s&token_type_hint=access_token' % client.access_token`
			`client.http_request(client.revocation_endpoint, 'POST',`
user logging out 2015-02-09 22:05:24 +01:00			`data=data, headers=headers)`

			`# redirect to IDP logout`
OIDC client computed for each organization 2015-02-10 11:32:23 +01:00			`logout_url += '?id_token_hint=%s&' % client.id_token`
user logging out 2015-02-09 22:05:24 +01:00			`logout_url += 'post_logout_redirect_uri=%s' % redirect_uri`
logout_url casted to string 2015-02-10 11:13:34 +01:00			`toolkit.redirect_to(str(logout_url))`