Synnefo

from time import time, mktime

    def __init__(self, method, path, GET=None, POST=None, META=None,

                 secure=False, user=None):

        self.path = path

        #parents = [b for b in bases if isinstance(b, BackendBase)]

        #meta = attrs.pop('Meta', None)

    token_expires = 300

    grant_types = ['authorization_code']

    def create_authorization_code(self, user, client, code, redirect_uri,

                                  scope, state, **kwargs):

            'client': client,

            'state': state,

            'user': user

        code_instance = self.code_model.create(**code_params)

        logger.info('%r created' % code_instance)

        return code_instance

    def _token_params(self, value, token_type, authorization, scope):

            'code': value,

            'expires_at': expires_at,

            'user': authorization.user,

            'redirect_uri': authorization.redirect_uri,

            'client': authorization.client,

            'scope': authorization.scope,

    def create_token(self, value, token_type, authorization, scope,

                     refresh=False):

        params = self._token_params(value, token_type, authorization, scope)

        token = self.token_model.create(**params)

        logger.info('%r created' % token)

        return token

#    def delete_authorization_code(self, code):

#        del self.code_model.ENTRIES[code]

        if client.get_id() != code_instance.client.get_id():

    def add_token_for_client(self, token_type, authorization, refresh=False):

        token = self.generate_token()

        self.create_token(token, token_type, authorization, refresh)

        return token

    def grant_accept_response(self, client, redirect_uri, scope, state):

                   'scope': scope, 'state': state,

                   #'url': url,

                   }

        json_content = json.dumps(context)

        return self.response_cls(status=200, body=json_content)

    def grant_token_response(self, token, token_type):

        context = {'access_token': token, 'token_type': token_type,

                   'expires_in': self.token_expires}

    def redirect_to_login_response(self, request, params):

        parts = list(urlparse.urlsplit(request.path))

        parts[3] = urllib.urlencode(params)

        query = {'next': urlparse.urlunsplit(parts)}

        return Response(302,

                        headers={'Location': '%s?%s' %

                                 (self.get_login_uri(),

                                  urllib.urlencode(query))})

    def redirect_to_uri(self, redirect_uri, code, state=None):

        parts = list(urlparse.urlsplit(redirect_uri))

        params = dict(urlparse.parse_qsl(parts[3], keep_blank_values=True))

        params['code'] = code

        if state is not None:

            params['state'] = state

        parts[3] = urllib.urlencode(params)

        return Response(302,

                        headers={'Location': '%s' %

                                 urlparse.urlunsplit(parts)})

    def process_code_request(self, user, client, uri, scope, state):

        code = self.add_authorization_code(user, client, uri, scope, state)

        return self.redirect_to_uri(uri, code, state)

    def grant_authorization_code(self, client, code_instance, redirect_uri,

                                 scope=None, token_type="Bearer"):

        if scope and code_instance.scope != scope:

            raise OA2Error("Invalid scope")

        if redirect_uri != code_instance.redirect_uri:

            raise OA2Error("The redirect uri does not match "

                           "the one used during authorization")

        token = self.add_token_for_client(token_type, code_instance)

        self.delete_authorization_code(code_instance)  # use only once

        return token, token_type

    def consume_token(self, token):

        token_instance = self.get_token(token)

        expires_at = mktime(token_instance.expires_at.timetuple())

        if time() > expires_at:

            self.delete_token(token_instance)  # delete expired token

            raise OA2Error("Token has expired")

        # TODO: delete token?

        return token_instance

            if scheme != 'Basic':

                # TODO: raise 401 + WWW-Authenticate

                raise OA2Error("Unsupported authorization scheme")

    def _get_authorization(self, params, headers):

        scheme, client_credentials = self._get_credentials(params, headers)

        no_authorization = scheme is None and client_credentials is None

        if no_authorization:

            raise OA2Error("Missing authorization header")

        return client_credentials

    # Request identifiers

    def identify_authorize_request(self, params, headers):

        return params.get('response_type'), params

    def identify_token_request(self, headers, params):

        content_type = headers.get('CONTENT_TYPE')

        if content_type != 'application/x-www-form-urlencoded':

            raise OA2Error("Invalid Content-Type header")

        return params.get('grant_type')

    #

    # Parameters validation methods

    #

    def validate_client(self, params, meta, requires_auth=True,

                        client_id_required=True):

        client_id = params.get('client_id')

        if client_id is None and client_id_required:

            raise OA2Error("Client identification is required")

        client_credentials = None

        try:  # check authorization header

            client_credentials = self._get_authorization(params, meta)

            if client_credentials is not None:

                _client_id = client_credentials[0]

                if client_id is not None and client_id != _client_id:

                    raise OA2Error("Client identification conflicts "

                                   "with client authorization")

                client_id = _client_id

        except:

            pass

        if client_id is None:

            raise OA2Error("Missing client identification")

        client = self.get_client_by_id(client_id)

        if requires_auth and client.requires_auth:

            if client_credentials is None:

                raise OA2Error("Client authentication in required")

        if client_credentials is not None:

            self.check_credentials(client, *client_credentials)

        return client

    def validate_redirect_uri(self, client, params, headers,

                              allow_default=True, is_required=False,

                              expected_value=None):

        redirect_uri = params.get('redirect_uri')

        if is_required and redirect_uri is None:

            raise OA2Error("Missing redirect uri")

        if redirect_uri is not None:

            if not bool(urlparse.urlparse(redirect_uri).scheme):

                raise OA2Error("Redirect uri should be an absolute URI")

            if not client.redirect_uri_is_valid(redirect_uri):

                raise OA2Error("Mismatching redirect uri")

            if expected_value is not None and redirect_uri != expected_value:

                raise OA2Error("Invalid redirect uri")

        return redirect_uri

    def validate_state(self, client, params, headers):

        return params.get('state')

    def validate_scope(self, client, params, headers):

        scope = params.get('scope')

        if scope is not None:

            scope = scope.split(' ')[0]  # keep only the first

        # TODO: check for invalid characters

        return scope

    def validate_code(self, client, params, headers):

        code = params.get('code')

        if code is None:

            raise OA2Error("Missing authorization code")

        return self.get_client_authorization_code(client, code)

    def validate_code_request(self, params, headers):

        client = self.validate_client(params, headers, requires_auth=False)

    def validate_token_request(self, params, headers, requires_auth=False):

        client = self.validate_client(params, headers)

    def validate_code_grant(self, params, headers):

        client = self.validate_client(params, headers,

                                      client_id_required=False)

        code_instance = self.validate_code(client, params, headers)

        redirect_uri = self.validate_redirect_uri(

            client, params, headers,

            expected_value=code_instance.redirect_uri)

        return client, redirect_uri, code_instance

                self.validate_code_request(params, request.META)

            raise OA2Error("Unsupported response type")

#            client, uri, scope, state = \

#                self.validate_token_request(params, request.META)

        user = getattr(request, 'user', None)

            return self.redirect_to_login_response(request, params)

                raise OA2Error("Unsupported response type")

#                return self.process_token_request(user, client, uri, scope,

#                                                 state)

            if client.is_trusted:

                return self.process_code_request(user, client, uri, scope,

                                                 state)

            else:

                return self.grant_accept_response(client, uri, scope, state)

    @handles_oa2_requests

    def grant_token(self, request, **extra):

        """

        Used in the following cases

        """

        if not request.secure:

            raise OA2Error("Secure request required")

        grant_type = self.identify_token_request(request.META, request.POST)

        if grant_type == 'authorization_code':

            client, redirect_uri, code = \

                self.validate_code_grant(request.POST, request.META)

            token, token_type = \

                self.grant_authorization_code(client, code, redirect_uri)

            return self.grant_token_response(token, token_type)

        elif (grant_type in ['client_credentials', 'token'] or

              self.is_uri(grant_type)):

            raise OA2Error("Unsupported grant type")

        else:

            #TODO: handle custom type

            raise OA2Error("Invalid grant type")