Skip to content

J
jumpserver
Switch branch/tag
Find file
BlameHistoryPermalink
models.py 5.75 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 
# -*- coding: utf-8 -*-
#

from django.db import transaction
from django.contrib.auth import get_user_model
from keycloak.realm import KeycloakRealm
from keycloak.keycloak_openid import KeycloakOpenID

from .signals import post_create_openid_user
from .decorator import ssl_verification

OIDT_ACCESS_TOKEN = 'oidt_access_token'


class Nonce(object):
    """
    The openid-login is stored in cache as a temporary object, recording the
    user's redirect_uri and next_pat
    """
    def __init__(self, redirect_uri, next_path):
        import uuid
        self.state = uuid.uuid4()
        self.redirect_uri = redirect_uri
        self.next_path = next_path


class OpenIDTokenProfile(object):
    def __init__(self, user, access_token, refresh_token):
        """
        :param user: User object
        :param access_token:
        :param refresh_token:
        """
        self.user = user
        self.access_token = access_token
        self.refresh_token = refresh_token

    def __str__(self):
        return "{}'s OpenID token profile".format(self.user.username)


class Client(object):
    def __init__(self, server_url, realm_name, client_id, client_secret):
        self.server_url = server_url
        self.realm_name = realm_name
        self.client_id = client_id
        self.client_secret = client_secret
        self._openid_client = None
        self._realm = None
        self._openid_connect_client = None

    @property
    def realm(self):
        if self._realm is None:
            self._realm = KeycloakRealm(
                server_url=self.server_url,
                realm_name=self.realm_name,
                headers={}
            )
        return self._realm

    @property
    def openid_connect_client(self):
        """
        :rtype: keycloak.openid_connect.KeycloakOpenidConnect
        """
        if self._openid_connect_client is None:
            self._openid_connect_client = self.realm.open_id_connect(
                client_id=self.client_id,
                client_secret=self.client_secret
            )
        return self._openid_connect_client

    @property
    def openid_client(self):
        """
        :rtype: keycloak.keycloak_openid.KeycloakOpenID
        """
        if self._openid_client is None:
            self._openid_client = KeycloakOpenID(
                server_url='%sauth/' % self.server_url,
                realm_name=self.realm_name,
                client_id=self.client_id,
                client_secret_key=self.client_secret,
            )
        return self._openid_client

    @ssl_verification
    def get_url(self, name):
        return self.openid_connect_client.get_url(name=name)

    def get_url_end_session_endpoint(self):
        return self.get_url(name='end_session_endpoint')

    @ssl_verification
    def get_authorization_url(self, redirect_uri, scope, state):
        url = self.openid_connect_client.authorization_url(
            redirect_uri=redirect_uri, scope=scope, state=state
        )
        return url

    @ssl_verification
    def get_userinfo(self, token):
        user_info = self.openid_connect_client.userinfo(token=token)
        return user_info

    @ssl_verification
    def authorization_code(self, code, redirect_uri):
        token_response = self.openid_connect_client.authorization_code(
            code=code, redirect_uri=redirect_uri
        )
        return token_response

    @ssl_verification
    def authorization_password(self, username, password):
        token_response = self.openid_client.token(
            username=username, password=password
        )
        return token_response

    def update_or_create_from_code(self, code, redirect_uri):
        """
        Update or create an user based on an authentication code.
        Response as specified in:
        https://tools.ietf.org/html/rfc6749#section-4.1.4
        :param str code: authentication code
        :param str redirect_uri:
        :rtype: OpenIDTokenProfile
        """
        token_response = self.authorization_code(code, redirect_uri)
        return self._update_or_create(token_response=token_response)

    def update_or_create_from_password(self, username, password):
        """
        Update or create an user based on an authentication username and password.
        :param str username: authentication username
        :param str password: authentication password
        :return: OpenIDTokenProfile
        """
        token_response = self.authorization_password(username, password)
        return self._update_or_create(token_response=token_response)

    def _update_or_create(self, token_response):
        """
        Update or create an user based on a token response.
        `token_response` contains the items returned by the OpenIDConnect Token API
        end-point:
         - id_token
         - access_token
         - expires_in
         - refresh_token
         - refresh_expires_in
        :param dict token_response:
        :rtype: OpenIDTokenProfile
        """
        userinfo = self.get_userinfo(token=token_response['access_token'])
        with transaction.atomic():
            user, _ = get_user_model().objects.update_or_create(
                username=userinfo.get('preferred_username', ''),
                defaults={
                    'email': userinfo.get('email', ''),
                    'first_name': userinfo.get('given_name', ''),
                    'last_name': userinfo.get('family_name', '')
                }
            )
            oidt_profile = OpenIDTokenProfile(
                user=user,
                access_token=token_response['access_token'],
                refresh_token=token_response['refresh_token'],
            )
            if user:
                post_create_openid_user.send(sender=user.__class__, user=user)

        return oidt_profile

    def __str__(self):
        return self.client_id