Synnefo

        'resources': {},

    'astakos_oa2': {

        'type': 'astakos_auth',

        'component': 'astakos',

        'prefix': 'oa2',

        'public': True,

        'endpoints': [

            {'versionId': '',

             'publicURL': None},

        ],

        'resources': {},

    }

OA2_PREFIX = get_path(astakos_services, 'astakos_oa2.prefix')

from time import time, mktime

    def __init__(self, method, path, GET=None, POST=None, META=None,

                 secure=False, user=None):

        self.path = path

        #parents = [b for b in bases if isinstance(b, BackendBase)]

        #meta = attrs.pop('Meta', None)

    token_expires = 300

    grant_types = ['authorization_code']

    def create_authorization_code(self, user, client, code, redirect_uri,

                                  scope, state, **kwargs):

            'client': client,

            'state': state,

            'user': user

        code_instance = self.code_model.create(**code_params)

        logger.info('%r created' % code_instance)

        return code_instance

    def _token_params(self, value, token_type, authorization, scope):

            'code': value,

            'expires_at': expires_at,

            'user': authorization.user,

            'redirect_uri': authorization.redirect_uri,

            'client': authorization.client,

            'scope': authorization.scope,

    def create_token(self, value, token_type, authorization, scope,

                     refresh=False):

        params = self._token_params(value, token_type, authorization, scope)

        token = self.token_model.create(**params)

        logger.info('%r created' % token)

        return token

#    def delete_authorization_code(self, code):

#        del self.code_model.ENTRIES[code]

        if client.get_id() != code_instance.client.get_id():

    def add_token_for_client(self, token_type, authorization, refresh=False):

        token = self.generate_token()

        self.create_token(token, token_type, authorization, refresh)

        return token

    def grant_accept_response(self, client, redirect_uri, scope, state):

                   'scope': scope, 'state': state,

                   #'url': url,

                   }

        json_content = json.dumps(context)

        return self.response_cls(status=200, body=json_content)

    def grant_token_response(self, token, token_type):

        context = {'access_token': token, 'token_type': token_type,

                   'expires_in': self.token_expires}

    def redirect_to_login_response(self, request, params):

        parts = list(urlparse.urlsplit(request.path))

        parts[3] = urllib.urlencode(params)

        query = {'next': urlparse.urlunsplit(parts)}

        return Response(302,

                        headers={'Location': '%s?%s' %

                                 (self.get_login_uri(),

                                  urllib.urlencode(query))})

    def redirect_to_uri(self, redirect_uri, code, state=None):

        parts = list(urlparse.urlsplit(redirect_uri))

        params = dict(urlparse.parse_qsl(parts[3], keep_blank_values=True))

        params['code'] = code

        if state is not None:

            params['state'] = state

        parts[3] = urllib.urlencode(params)

        return Response(302,

                        headers={'Location': '%s' %

                                 urlparse.urlunsplit(parts)})

    def process_code_request(self, user, client, uri, scope, state):

        code = self.add_authorization_code(user, client, uri, scope, state)

        return self.redirect_to_uri(uri, code, state)

    def grant_authorization_code(self, client, code_instance, redirect_uri,

                                 scope=None, token_type="Bearer"):

        if scope and code_instance.scope != scope:

            raise OA2Error("Invalid scope")

        if redirect_uri != code_instance.redirect_uri:

            raise OA2Error("The redirect uri does not match "

                           "the one used during authorization")

        token = self.add_token_for_client(token_type, code_instance)

        self.delete_authorization_code(code_instance)  # use only once

        return token, token_type

    def consume_token(self, token):

        token_instance = self.get_token(token)

        expires_at = mktime(token_instance.expires_at.timetuple())

        if time() > expires_at:

            self.delete_token(token_instance)  # delete expired token

            raise OA2Error("Token has expired")

        # TODO: delete token?

        return token_instance

            if scheme != 'Basic':

                # TODO: raise 401 + WWW-Authenticate

                raise OA2Error("Unsupported authorization scheme")

    def _get_authorization(self, params, headers):

        scheme, client_credentials = self._get_credentials(params, headers)

        no_authorization = scheme is None and client_credentials is None

        if no_authorization:

            raise OA2Error("Missing authorization header")

        return client_credentials

    # Request identifiers

    def identify_authorize_request(self, params, headers):

        return params.get('response_type'), params

    def identify_token_request(self, headers, params):

        content_type = headers.get('CONTENT_TYPE')

        if content_type != 'application/x-www-form-urlencoded':

            raise OA2Error("Invalid Content-Type header")

        return params.get('grant_type')

    #

    # Parameters validation methods

    #

    def validate_client(self, params, meta, requires_auth=True,

                        client_id_required=True):

        client_id = params.get('client_id')

        if client_id is None and client_id_required:

            raise OA2Error("Client identification is required")

        client_credentials = None

        try:  # check authorization header

            client_credentials = self._get_authorization(params, meta)

            if client_credentials is not None:

                _client_id = client_credentials[0]

                if client_id is not None and client_id != _client_id:

                    raise OA2Error("Client identification conflicts "

                                   "with client authorization")

                client_id = _client_id

        except:

            pass

        if client_id is None:

            raise OA2Error("Missing client identification")

        client = self.get_client_by_id(client_id)

        if requires_auth and client.requires_auth:

            if client_credentials is None:

                raise OA2Error("Client authentication in required")

        if client_credentials is not None:

            self.check_credentials(client, *client_credentials)

        return client

    def validate_redirect_uri(self, client, params, headers,

                              allow_default=True, is_required=False,

                              expected_value=None):

        redirect_uri = params.get('redirect_uri')

        if is_required and redirect_uri is None:

            raise OA2Error("Missing redirect uri")

        if redirect_uri is not None:

            if not bool(urlparse.urlparse(redirect_uri).scheme):

                raise OA2Error("Redirect uri should be an absolute URI")

            if not client.redirect_uri_is_valid(redirect_uri):

                raise OA2Error("Mismatching redirect uri")

            if expected_value is not None and redirect_uri != expected_value:

                raise OA2Error("Invalid redirect uri")

        return redirect_uri

    def validate_state(self, client, params, headers):

        return params.get('state')

    def validate_scope(self, client, params, headers):

        scope = params.get('scope')

        if scope is not None:

            scope = scope.split(' ')[0]  # keep only the first

        # TODO: check for invalid characters

        return scope

    def validate_code(self, client, params, headers):

        code = params.get('code')

        if code is None:

            raise OA2Error("Missing authorization code")

        return self.get_client_authorization_code(client, code)

    def validate_code_request(self, params, headers):

        client = self.validate_client(params, headers, requires_auth=False)

    def validate_token_request(self, params, headers, requires_auth=False):

        client = self.validate_client(params, headers)

    def validate_code_grant(self, params, headers):

        client = self.validate_client(params, headers,

                                      client_id_required=False)

        code_instance = self.validate_code(client, params, headers)

        redirect_uri = self.validate_redirect_uri(

            client, params, headers,

            expected_value=code_instance.redirect_uri)

        return client, redirect_uri, code_instance

                self.validate_code_request(params, request.META)

            raise OA2Error("Unsupported response type")

#            client, uri, scope, state = \

#                self.validate_token_request(params, request.META)

        user = getattr(request, 'user', None)

            return self.redirect_to_login_response(request, params)

                raise OA2Error("Unsupported response type")

#                return self.process_token_request(user, client, uri, scope,

#                                                 state)

            if client.is_trusted:

                return self.process_code_request(user, client, uri, scope,

                                                 state)

            else:

                return self.grant_accept_response(client, uri, scope, state)

    @handles_oa2_requests

    def grant_token(self, request, **extra):

        """

        Used in the following cases

        """

        if not request.secure:

            raise OA2Error("Secure request required")

        grant_type = self.identify_token_request(request.META, request.POST)

        if grant_type == 'authorization_code':

            client, redirect_uri, code = \

                self.validate_code_grant(request.POST, request.META)

            token, token_type = \

                self.grant_authorization_code(client, code, redirect_uri)

            return self.grant_token_response(token, token_type)

        elif (grant_type in ['client_credentials', 'token'] or

              self.is_uri(grant_type)):

            raise OA2Error("Unsupported grant type")

        else:

            #TODO: handle custom type

            raise OA2Error("Invalid grant type")

import astakos.oa2.models as oa2_models

from django.conf import settings

from django.core.exceptions import ValidationError

from django.core.validators import URLValidator

from django.core.urlresolvers import reverse

from django.conf.urls.defaults import patterns, url

from django.views.decorators.csrf import csrf_exempt

import logging

logger = logging.getLogger(__name__)

        oa2response = self.authorize(oa2request, accept=False)

        return self._build_response(oa2response)

    @csrf_exempt

        oa2request = self.build_request(request)

        oa2response = self.grant_token(oa2request)

        return self._build_response(oa2response)

            return oa2_models.Client.objects.get(identifier=username,

                                                 secret=password)

        except oa2_models.Client.DoesNotExist:

            return oa2_models.Client.objects.get(identifier=clientid)

        except oa2_models.Client.DoesNotExist:

    def get_authorization_code(self, code):

        try:

            return oa2_models.AuthorizationCode.objects.get(code=code)

        except oa2_models.AuthorizationCode.DoesNotExist:

            raise errors.OA2Error("No such authorization code")

    def get_token(self, token):

        try:

            return oa2_models.Token.objects.get(code=token)

        except oa2_models.Token.DoesNotExist:

            raise errors.OA2Error("No such token")

        code.delete()

        logger.info('%r deleted' % code)

    def delete_token(self, token):

        token.delete()

        logger.info('%r deleted' % token)

    def check_credentials(self, client, username, secret):

        if not (username == client.get_id() and secret == client.secret):

            raise errors.InvalidAuthorizationRequest("Invalid credentials")

    code_model = oa2_models.AuthorizationCode.objects

    token_model = oa2_models.Token.objects

    client_model = oa2_models.Client.objects

            'path': django_request.path,

            'secure': settings.DEBUG or django_request.is_secure(),

            #'secure': django_request.is_secure(),

        # TODO: check for valid astakos user

        sep = '/' if self.endpoints_prefix else ''

            url(r'^%s%sauth/?$' % (self.endpoints_prefix, sep),

                self.auth_view,

            url(r'^%s%stoken/?$' % (self.endpoints_prefix, sep),

                self.token_view,

    def is_uri(self, string):

        validator = URLValidator()

        try:

            validator(string)

        except ValidationError:

            return False

        else:

            return True

    def get_login_uri(self):

        return reverse('login')

import datetime

import urlparse

from django.core.exceptions import ValidationError

TOKEN_TYPES = (('Basic', _('Basic')),

               ('Bearer', _('Bearer')))

GRANT_TYPES = (('authorization_code', _('Authorization code')),

               ('password', _('Password')),

               ('client_credentials', _('Client Credentials')))

    client = models.ForeignKey('oa2.Client', on_delete=models.PROTECT)

    is_default = models.BooleanField(default=True)

        ordering = ('is_default', )

        unique_together = ('client', 'url',)

    secret = models.CharField(max_length=255, null=True, default=None)

    is_trusted = models.BooleanField(default=False)

    def save(self, **kwargs):

        if self.secret is None and self.type == 'confidential':

            raise ValidationError("Confidential clients require a secret")

        super(Client, self).save(**kwargs)

        # ignore user specific uri part

        parts = list(urlparse.urlsplit(uri))

        path = parts[2]

        pieces = path.rsplit('/', 3)

        parts[2] = '/'.join(pieces[:-3]) if len(pieces) > 3 else path

        uri = urlparse.urlunsplit(parts)

        # TODO: handle trailing slashes

    user = models.ForeignKey('im.AstakosUser', on_delete=models.PROTECT)

    client = models.ForeignKey('oa2.Client', on_delete=models.PROTECT)

    scope = models.TextField(null=True, default=None)

    created_at = models.DateTimeField(default=datetime.datetime.now())

    state = models.TextField(null=True, default=None)

    def client_id_is_valid(self, client_id):

        return self.client_id == client_id

    def redirect_uri_is_valid(self, redirect_uri, client):

        return (self.redirect_uri == redirect_uri and

                client.redirect_uri_is_valid(redirect_uri))

    def __repr__(self):

        return ("Authorization code: %s "

                "(user: %s, client: %s, redirect_uri: %s, scope: %s)" % (

                    self.code,

                    self.user.log_display,

                    self.client.get_id(),

                    self.redirect_uri, self.scope))

    created_at = models.DateTimeField(default=datetime.datetime.now())

    token_type = models.CharField(max_length=100, choices=TOKEN_TYPES,

                                  default='Bearer')

    grant_type = models.CharField(max_length=100, choices=GRANT_TYPES,

                                  default='authorization_code')

    # authorization fields

    user = models.ForeignKey('im.AstakosUser', on_delete=models.PROTECT)

    redirect_uri = models.CharField(max_length=255)

    client = models.ForeignKey('oa2.Client', on_delete=models.PROTECT)

    scope = models.TextField(null=True, default=None)

    # not really useful

    state = models.TextField(null=True, default=None)

    def __repr__(self):

        return ("Token: %s (token_type: %s, grant_type: %s, "

                "user: %s, client: %s, scope: %s)" % (

                    self.code, self.token_type, self.grant_type,

                    self.user.log_display, self.client.get_id(), self.scope))

from astakos.oa2.models import Client, AuthorizationCode

            return self.post(self.get_url(self.auth_url), data=params,

                             **kwargs)

        print 'self.credentials:', self.credentials

        self.client1_redirect_uri = "https://server.com/handle_code"

        client1.redirecturl_set.create(url=self.client1_redirect_uri)

        client3 = Client.objects.create(identifier="client3", secret='secret',

                                        is_trusted=True)

        self.client3_redirect_uri = "https://server3.com/handle_code"

        client3.redirecturl_set.create(url=self.client3_redirect_uri)

#        # no auth header, client is confidential

#        r = self.client.authorize_code('client1')

#        self.assertEqual(r.status_code, 400)

#        self.assertCount(AuthorizationCode, 0)

#        self.client.set_credentials()

#        r = self.client.authorize_code('client1')

#        self.assertEqual(r.status_code, 400)

#        self.assertCount(AuthorizationCode, 0)

        self.assertTrue('Location' in r)

        p = urlparse.urlparse(r['Location'])

        self.assertEqual(p.netloc, 'testserver:80')

        self.assertEqual(p.path, reverse('login'))

        self.client.set_credentials('client1', 'secret')

        #self.assertEqual(code1.state, '')

        self.assertEqual(code1.state, None)

# Copyright 2013 GRNET S.A. All rights reserved.

#

# Redistribution and use in source and binary forms, with or

# without modification, are permitted provided that the following

# conditions are met:

#

#   1. Redistributions of source code must retain the above

#      copyright notice, this list of conditions and the following

#      disclaimer.

#

#   2. Redistributions in binary form must reproduce the above

#      copyright notice, this list of conditions and the following

#      disclaimer in the documentation and/or other materials

#      provided with the distribution.

#

# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS

# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR

# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED

# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

#

# The views and conclusions contained in the software and

# documentation are those of the authors and should not be

# interpreted as representing official policies, either expressed

# or implied, of GRNET S.A.

from astakos.oa2.backends import DjangoBackend

oa2_backend = DjangoBackend(endpoints_prefix='')

urlpatterns = oa2_backend.get_url_patterns()

        'resources': {},

    'astakos_oa2': {

        'type': 'astakos_auth',

        'component': 'astakos',

        'prefix': 'oa2',

        'public': True,

        'endpoints': [

            {'versionId': '',

             'publicURL': None},

        ],

        'resources': {},

    }

from astakos.im.settings import BASE_PATH, ACCOUNTS_PREFIX, \

    VIEWS_PREFIX, KEYSTONE_PREFIX, WEBLOGIN_PREFIX, ADMIN_PREFIX, OA2_PREFIX

    (prefix_pattern(OA2_PREFIX), include('astakos.oa2.urls')),