Synnefo

# Copyright 2013 GRNET S.A. All rights reserved.

#

# Redistribution and use in source and binary forms, with or

# without modification, are permitted provided that the following

# conditions are met:

#

#   1. Redistributions of source code must retain the above

#      copyright notice, this list of conditions and the following

#      disclaimer.

#

#   2. Redistributions in binary form must reproduce the above

#      copyright notice, this list of conditions and the following

#      disclaimer in the documentation and/or other materials

#      provided with the distribution.

#

# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS

# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR

# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED

# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

#

# The views and conclusions contained in the software and

# documentation are those of the authors and should not be

# interpreted as representing official policies, either expressed

# or implied, of GRNET S.A.

import urllib

import urlparse

import uuid

import datetime

import json

from base64 import b64encode, b64decode

from hashlib import sha512

from synnefo.util.text import uenc

from synnefo.util import urltools

import logging

logger = logging.getLogger(__name__)

def urlencode(params):

    if hasattr(params, 'urlencode') and callable(getattr(params, 'urlencode')):

        return params.urlencode()

    for k in params:

        params[uenc(k)] = uenc(params.pop(k))

    return urllib.urlencode(params)

def normalize(url):

    return urltools.normalize(uenc(url))

def handles_oa2_requests(func):

    def wrapper(self, *args, **kwargs):

        if not self._errors_to_http:

            return func(self, *args, **kwargs)

        try:

            return func(self, *args, **kwargs)

        except OA2Error, e:

            return self.build_response_from_error(e)

    return wrapper

class OA2Error(Exception):

    error = None

class InvalidClientID(OA2Error):

    pass

class NotAuthenticatedError(OA2Error):

    pass

class InvalidClientRedirectUrl(OA2Error):

    pass

class InvalidAuthorizationRequest(OA2Error):

    pass

class Response(object):

    def __init__(self, status, body='', headers=None,

                 content_type='plain/text'):

        if not body:

            body = ''

        if not headers:

            headers = {}

        self.status = status

        self.body = body

        self.headers = headers

        self.content_type = content_type

    def __repr__(self):

        return "%d RESPONSE (BODY: %r, HEADERS: %r)" % (self.status,

                                                        self.body,

                                                        self.headers)

class Request(object):

    def __init__(self, method, path, GET=None, POST=None, META=None,

                 secure=False, user=None):

        self.method = method

        self.path = path

        if not GET:

            GET = {}

        if not POST:

            POST = {}

        if not META:

            META = {}

        self.secure = secure

        self.GET = GET

        self.POST = POST

        self.META = META

        self.user = user

    def __repr__(self):

        prepend = ""

        if self.secure:

            prepend = "SECURE "

        return "%s%s REQUEST (POST: %r, GET:%r, HEADERS:%r, " % (prepend,

                                                                 self.method,

                                                                 self.POST,

                                                                 self.GET,

                                                                 self.META)

class ORMAbstractBase(type):

    def __new__(cls, name, bases, attrs):

        attrs['ENTRIES'] = {}

        return super(ORMAbstractBase, cls).__new__(cls, name, bases, attrs)

class ORMAbstract(object):

    ENTRIES = {}

    __metaclass__ = ORMAbstractBase

    def __init__(self, **kwargs):

        for key, value in kwargs.iteritems():

            setattr(self, key, value)

    @classmethod

    def create(cls, id, **params):

        params = cls.clean_params(params)

        params['id'] = id

        cls.ENTRIES[id] = cls(**params)

        return cls.get(id)

    @classmethod

    def get(cls, pk):

        return cls.ENTRIES.get(pk)

    @classmethod

    def clean_params(cls, params):

        return params

class Client(ORMAbstract):

    def get_id(self):

        return self.id

    def get_redirect_uris(self):

        return self.uris

    def get_default_redirect_uri(self):

        return self.uris[0]

    def redirect_uri_is_valid(self, redirect_uri):

        split = urlparse.urlsplit(redirect_uri)

        if split.scheme not in urlparse.uses_query:

            raise OA2Error("Invalid redirect url scheme")

        uris = self.get_redirect_uris()

        return redirect_uri in uris

    def requires_auth(self):

        if self.client_type == 'confidential':

            return True

        return 'secret' in dir(self)

    def check_credentials(self, username, secret):

        return username == self.id and secret == self.secret

class Token(ORMAbstract):

    def to_dict(self):

        params = {

            'access_token': self.token,

            'token_type': self.token_type,

            'expires_in': self.expires,

        }

        if self.refresh_token:

            params['refresh_token'] = self.refresh_token

        return params

class AuthorizationCode(ORMAbstract):

    pass

class User(ORMAbstract):

    pass

class BackendBase(type):

    def __new__(cls, name, bases, attrs):

        super_new = super(BackendBase, cls).__new__

        #parents = [b for b in bases if isinstance(b, BackendBase)]

        #meta = attrs.pop('Meta', None)

        return super_new(cls, name, bases, attrs)

    @classmethod

    def get_orm_options(cls, attrs):

        meta = attrs.pop('ORM', None)

        orm = {}

        if meta:

            for attr in dir(meta):

                orm[attr] = getattr(meta, attr)

        return orm

class SimpleBackend(object):

    __metaclass__ = BackendBase

    base_url = ''

    endpoints_prefix = 'oauth2/'

    token_endpoint = 'token/'

    token_length = 30

    token_expires = 20

    authorization_endpoint = 'auth/'

    authorization_code_length = 60

    authorization_response_types = ['code', 'token']

    grant_types = ['authorization_code']

    response_cls = Response

    request_cls = Request

    client_model = Client

    token_model = Token

    code_model = AuthorizationCode

    user_model = User

    def __init__(self, base_url='', endpoints_prefix='oauth2/', id='oauth2',

                 token_endpoint='token/', token_length=30,

                 token_expires=20, authorization_endpoint='auth/',

                 authorization_code_length=60,

                 redirect_uri_limit=5000, **kwargs):

        self.base_url = base_url

        self.endpoints_prefix = endpoints_prefix

        self.token_endpoint = token_endpoint

        self.token_length = token_length

        self.token_expires = token_expires

        self.authorization_endpoint = authorization_endpoint

        self.authorization_code_length = authorization_code_length

        self.id = id

        self._errors_to_http = kwargs.get('errors_to_http', True)

        self.redirect_uri_limit = redirect_uri_limit

    # Request/response builders

    def build_request(self, method, get, post, meta):

        return self.request_cls(method=method, GET=get, POST=post, META=meta)

    def build_response(self, status, headers=None, body=''):

        return self.response_cls(status=status, headers=headers, body=body)

    # ORM Methods

    def create_authorization_code(self, user, client, code, redirect_uri,

                                  scope, state, **kwargs):

        code_params = {

            'code': code,

            'redirect_uri': redirect_uri,

            'client': client,

            'scope': scope,

            'state': state,

            'user': user

        }

        code_params.update(kwargs)

        code_instance = self.code_model.create(**code_params)

        logger.info(u'%r created' % code_instance)

        return code_instance

    def _token_params(self, value, token_type, authorization, scope):

        created_at = datetime.datetime.now()

        expires = self.token_expires

        expires_at = created_at + datetime.timedelta(seconds=expires)

        token_params = {

            'code': value,

            'token_type': token_type,

            'created_at': created_at,

            'expires_at': expires_at,

            'user': authorization.user,

            'redirect_uri': authorization.redirect_uri,

            'client': authorization.client,

            'scope': authorization.scope,

        }

        return token_params

    def create_token(self, value, token_type, authorization, scope,

                     refresh=False):

        params = self._token_params(value, token_type, authorization, scope)

        if refresh:

            refresh_token = self.generate_token()

            params['refresh_token'] = refresh_token

            # TODO: refresh token expires ???

        token = self.token_model.create(**params)

        logger.info(u'%r created' % token)

        return token

#    def delete_authorization_code(self, code):

#        del self.code_model.ENTRIES[code]

    def get_client_by_id(self, client_id):

        return self.client_model.get(client_id)

    def get_client_by_credentials(self, username, password):

        return None

    def get_authorization_code(self, code):

        return self.code_model.get(code)

    def get_client_authorization_code(self, client, code):

        code_instance = self.get_authorization_code(code)

        if not code_instance:

            raise OA2Error("Invalid code")

        if client.get_id() != code_instance.client.get_id():

            raise OA2Error("Mismatching client with code client")

        return code_instance

    def client_id_exists(self, client_id):

        return bool(self.get_client_by_id(client_id))

    def build_site_url(self, prefix='', **params):

        params = urlencode(params)

        return "%s%s%s%s" % (self.base_url, self.endpoints_prefix, prefix,

                             params)

    def _get_uri_base(self, uri):

        split = urlparse.urlsplit(uri)

        return "%s://%s%s" % (split.scheme, split.netloc, split.path)

    def build_client_redirect_uri(self, client, uri, **params):

        if not client.redirect_uri_is_valid(uri):

            raise OA2Error("Invalid redirect uri")

        params = urlencode(params)

        uri = self._get_uri_base(uri)

        return "%s?%s" % (uri, params)

    def generate_authorization_code(self):

        dg64 = b64encode(sha512(str(uuid.uuid4())).hexdigest())

        return dg64[:self.authorization_code_length]

    def generate_token(self, *args, **kwargs):

        dg64 = b64encode(sha512(str(uuid.uuid4())).hexdigest())

        return dg64[:self.token_length]

    def add_authorization_code(self, user, client, redirect_uri, scope, state,

                               **kwargs):

        code = self.generate_authorization_code()

        self.create_authorization_code(user, client, code, redirect_uri, scope,

                                       state, **kwargs)

        return code

    def add_token_for_client(self, token_type, authorization, refresh=False):

        token = self.generate_token()

        self.create_token(token, token_type, authorization, refresh)

        return token

    #

    # Response helpers

    #

    def grant_accept_response(self, client, redirect_uri, scope, state):

        context = {'client': client.get_id(), 'redirect_uri': redirect_uri,

                   'scope': scope, 'state': state,

                   #'url': url,

                   }

        json_content = json.dumps(context)

        return self.response_cls(status=200, body=json_content)

    def grant_token_response(self, token, token_type):

        context = {'access_token': token, 'token_type': token_type,

                   'expires_in': self.token_expires}

        json_content = json.dumps(context)

        return self.response_cls(status=200, body=json_content)

    def redirect_to_login_response(self, request, params):

        parts = list(urlparse.urlsplit(request.path))

        parts[3] = urlencode(params)

        query = {'next': urlparse.urlunsplit(parts)}

        return Response(302,

                        headers={'Location': '%s?%s' %

                                 (self.get_login_uri(),

                                  urlencode(query))})

    def redirect_to_uri(self, redirect_uri, code, state=None):

        parts = list(urlparse.urlsplit(redirect_uri))

        params = dict(urlparse.parse_qsl(parts[3], keep_blank_values=True))

        params['code'] = code

        if state is not None:

            params['state'] = state

        parts[3] = urlencode(params)

        return Response(302,

                        headers={'Location': '%s' %

                                 urlparse.urlunsplit(parts)})

    def build_response_from_error(self, exception):

        response = Response(400)

        logger.exception(exception)

        error = 'generic_error'

        if exception.error:

            error = exception.error

        body = {

            'error': error,

            'exception': exception.message,

        }

        response.body = json.dumps(body)

        response.content_type = "application/json"

        return response

    #

    # Processor methods

    #

    def process_code_request(self, user, client, uri, scope, state):

        code = self.add_authorization_code(user, client, uri, scope, state)

        return self.redirect_to_uri(uri, code, state)

    #

    # Helpers

    #

    def grant_authorization_code(self, client, code_instance, redirect_uri,

                                 scope=None, token_type="Bearer"):

        if scope and code_instance.scope != scope:

            raise OA2Error("Invalid scope")

        if normalize(redirect_uri) != normalize(code_instance.redirect_uri):

            raise OA2Error("The redirect uri does not match "

                           "the one used during authorization")

        token = self.add_token_for_client(token_type, code_instance)

        self.delete_authorization_code(code_instance)  # use only once

        return token, token_type

    def consume_token(self, token):

        token_instance = self.get_token(token)

        if datetime.datetime.now() > token_instance.expires_at:

            self.delete_token(token_instance)  # delete expired token

            raise OA2Error("Token has expired")

        # TODO: delete token?

        return token_instance

    def _get_credentials(self, params, headers):

        if 'HTTP_AUTHORIZATION' in headers:

            scheme, b64credentials = headers.get(

                'HTTP_AUTHORIZATION').split(" ")

            if scheme != 'Basic':

                # TODO: raise 401 + WWW-Authenticate

                raise OA2Error("Unsupported authorization scheme")

            credentials = b64decode(b64credentials).split(":")

            return scheme, credentials

        else:

            return None, None

        pass

    def _get_authorization(self, params, headers, authorization_required=True):

        scheme, client_credentials = self._get_credentials(params, headers)

        no_authorization = scheme is None and client_credentials is None

        if authorization_required and no_authorization:

            raise OA2Error("Missing authorization header")

        return client_credentials

    def get_redirect_uri_from_params(self, client, params, default=True):

        """

        Accepts a client instance and request parameters.

        """

        redirect_uri = params.get('redirect_uri', None)

        if not redirect_uri and default:

            redirect_uri = client.get_default_redirect_uri()

        else:

            # TODO: sanitize redirect_uri (self.clean_redirect_uri ???)

            # clean and validate

            if not client.redirect_uri_is_valid(redirect_uri):

                raise OA2Error("Invalid client redirect uri")

        return redirect_uri

    #

    # Request identifiers

    #

    def identify_authorize_request(self, params, headers):

        return params.get('response_type'), params

    def identify_token_request(self, headers, params):

        content_type = headers.get('CONTENT_TYPE')

        if content_type != 'application/x-www-form-urlencoded':

            raise OA2Error("Invalid Content-Type header")

        return params.get('grant_type')

    #

    # Parameters validation methods

    #

    def validate_client(self, params, meta, requires_auth=True,

                        client_id_required=True):

        client_id = params.get('client_id')

        if client_id is None and client_id_required:

            raise OA2Error("Client identification is required")

        client_credentials = None

        try:  # check authorization header

            client_credentials = self._get_authorization(params, meta,

                                                         authorization_required=False)

        except:

            pass

        else:

            if client_credentials is not None:

                _client_id = client_credentials[0]

                if client_id is not None and client_id != _client_id:

                    raise OA2Error("Client identification conflicts "

                                   "with client authorization")

                client_id = _client_id

        if client_id is None:

            raise OA2Error("Missing client identification")

        client = self.get_client_by_id(client_id)

        if requires_auth and client.requires_auth():

            if client_credentials is None:

                raise OA2Error("Client authentication is required")

        if client_credentials is not None:

            self.check_credentials(client, *client_credentials)

        return client

    def validate_redirect_uri(self, client, params, headers,

                              allow_default=True, is_required=False,

                              expected_value=None):

        redirect_uri = params.get('redirect_uri')

        if is_required and redirect_uri is None:

            raise OA2Error("Missing redirect uri")

        if redirect_uri is not None:

            if not bool(urlparse.urlparse(redirect_uri).scheme):

                raise OA2Error("Redirect uri should be an absolute URI")

            if len(redirect_uri) > self.redirect_uri_limit:

                raise OA2Error("Redirect uri length limit exceeded")

            if not client.redirect_uri_is_valid(redirect_uri):

                raise OA2Error("Mismatching redirect uri")

            if expected_value is not None and \

                    normalize(redirect_uri) != normalize(expected_value):

                raise OA2Error("Invalid redirect uri")

        else:

            try:

                redirect_uri = client.redirecturl_set.values_list('url',

                                                                  flat=True)[0]

            except IndexError:

                raise OA2Error("Unable to fallback to client redirect URI")

        return redirect_uri

    def validate_state(self, client, params, headers):

        return params.get('state')

        #raise OA2Error("Invalid state")

    def validate_scope(self, client, params, headers):

        scope = params.get('scope')

        if scope is not None:

            scope = scope.split(' ')[0]  # keep only the first

        # TODO: check for invalid characters

        return scope

    def validate_code(self, client, params, headers):

        code = params.get('code')

        if code is None:

            raise OA2Error("Missing authorization code")

        return self.get_client_authorization_code(client, code)

    #

    # Requests validation methods

    #

    def validate_code_request(self, params, headers):

        client = self.validate_client(params, headers, requires_auth=False)

        redirect_uri = self.validate_redirect_uri(client, params, headers)

        scope = self.validate_scope(client, params, headers)

        scope = scope or redirect_uri  # set default

        state = self.validate_state(client, params, headers)

        return client, redirect_uri, scope, state

    def validate_token_request(self, params, headers, requires_auth=False):

        client = self.validate_client(params, headers)

        redirect_uri = self.validate_redirect_uri(client, params, headers)

        scope = self.validate_scope(client, params, headers)

        scope = scope or redirect_uri  # set default

        state = self.validate_state(client, params, headers)

        return client, redirect_uri, scope, state

    def validate_code_grant(self, params, headers):

        client = self.validate_client(params, headers,

                                      client_id_required=False)

        code_instance = self.validate_code(client, params, headers)

        redirect_uri = self.validate_redirect_uri(

            client, params, headers,

            expected_value=code_instance.redirect_uri)

        return client, redirect_uri, code_instance

    #

    # Endpoint methods

    #

    @handles_oa2_requests

    def authorize(self, request, **extra):

        """

        Used in the following cases

        """

        if not request.secure:

            raise OA2Error("Secure request required")

        # identify

        request_params = request.GET

        if request.method == "POST":

            request_params = request.POST

        auth_type, params = self.identify_authorize_request(request_params,

                                                            request.META)

        if auth_type is None:

            raise OA2Error("Missing authorization type")

        if auth_type == 'code':

            client, uri, scope, state = \

                self.validate_code_request(params, request.META)

        elif auth_type == 'token':

            raise OA2Error("Unsupported authorization type")

#            client, uri, scope, state = \

#                self.validate_token_request(params, request.META)

        else:

            #TODO: handle custom type

            raise OA2Error("Invalid authorization type")

        user = getattr(request, 'user', None)

        if not user:

            return self.redirect_to_login_response(request, params)

        if request.method == 'POST':

            if auth_type == 'code':

                return self.process_code_request(user, client, uri, scope,

                                                 state)

            elif auth_type == 'token':

                raise OA2Error("Unsupported response type")

#                return self.process_token_request(user, client, uri, scope,

#                                                 state)

            else:

                #TODO: handle custom type

                raise OA2Error("Invalid authorization type")

        else:

            if client.is_trusted:

                return self.process_code_request(user, client, uri, scope,

                                                 state)

            else:

                return self.grant_accept_response(client, uri, scope, state)

    @handles_oa2_requests

    def grant_token(self, request, **extra):

        """

        Used in the following cases

        """

        if not request.secure:

            raise OA2Error("Secure request required")

        grant_type = self.identify_token_request(request.META, request.POST)

        if grant_type is None:

            raise OA2Error("Missing grant type")

        elif grant_type == 'authorization_code':

            client, redirect_uri, code = \

                self.validate_code_grant(request.POST, request.META)

            token, token_type = \

                self.grant_authorization_code(client, code, redirect_uri)

            return self.grant_token_response(token, token_type)

        elif (grant_type in ['client_credentials', 'token'] or

              self.is_uri(grant_type)):

            raise OA2Error("Unsupported grant type")

        else:

            #TODO: handle custom type

            raise OA2Error("Invalid grant type")