Showing
10 changed files
with
166 additions
and
99 deletions.
@@ -0,0 +1,101 @@ | ||
from datetime import datetime | ||
|
||
from django.core.exceptions import ObjectDoesNotExist | ||
from django.template import loader, RequestContext | ||
from django.http import HttpResponse | ||
from django.utils.translation import ugettext_lazy as _ | ||
|
||
|
||
class BearerAuthHandler(): | ||
"""Handles Bearer token authentication calls. | ||
SPEC: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer | ||
""" | ||
|
||
_token = None | ||
_request = None | ||
_response = None | ||
_error = None | ||
_scope = None | ||
|
||
def __init__(self, request, scope): | ||
self._request = request | ||
self._scope = scope | ||
|
||
self.fetch_token() | ||
self.validate_token() | ||
self.prepare_response() | ||
|
||
def fetch_token(self): | ||
token = None | ||
|
||
# Authorization Request Header Field | ||
authorization_method = self._request.META.get('Authorization') | ||
if authorization_method is not None: | ||
auth_method_type, auth_method_value = authorization_method.split(' ', 1) | ||
if auth_method_type == 'Bearer': | ||
token = auth_method_value | ||
else: | ||
# Form-Encoded Body Parameter or URI Query Parameter | ||
token = self._request.REQUEST.get('access_token') | ||
|
||
if not token: | ||
self._error = 'invalid_request' | ||
else: | ||
self._token = token | ||
|
||
def validate_token(self): | ||
|
||
if self._token is None: | ||
self._error = 'invalid_token' | ||
return False | ||
|
||
from oauthost.models import Token | ||
try: | ||
token = Token.objects.get(access_token=self._token) | ||
except ObjectDoesNotExist: | ||
self._error = 'invalid_token' | ||
return False | ||
|
||
# If token found is granted to all the different token type. | ||
if token.access_token_type != 'bearer': | ||
self._error = 'invalid_token' | ||
return False | ||
|
||
# Token has expired. | ||
if token.expires_at <= datetime.now(): | ||
self._error = 'invalid_token' | ||
return False | ||
|
||
# If target scope is defined, let's verify that the token has access to it. | ||
if self._scope is not None: | ||
if not token.scopes.filter(identifier=self._scope).count(): | ||
self._error = 'insufficient_scope' | ||
return False | ||
|
||
return True | ||
|
||
def prepare_response(self): | ||
|
||
if self._error is not None: | ||
from oauthost.config import OAUTHOST_TEMPLATE_RESTRICTED | ||
|
||
errors = { | ||
'invalid_request': (400, 'Request is malformed. Check request parameters validity.'), | ||
'invalid_token': (401, 'Given access token is invalid'), | ||
'insufficient_scope': (403, 'Access token grants no access to required scope.') | ||
} | ||
|
||
current_error = errors[self._error] | ||
additional_params = { | ||
'error': self._error, 'error_description': current_error[1] | ||
} | ||
additional_params = ',' . join( [ '%s="%s"' % (i[0], i[1]) for i in additional_params.items() ] ) | ||
context = RequestContext(self._request) | ||
self._response = HttpResponse(content=loader.render_to_string(OAUTHOST_TEMPLATE_RESTRICTED, | ||
{'oauthost_title': _('Access Restricted')}, context), status=current_error[0]) | ||
self._response['WWW-Authenticate'] = 'Bearer %s' % additional_params | ||
|
||
def response(self): | ||
return self._response |
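Review bot: In fetch_token the header is read as `self._request.META.get('Authorization')`, but Django exposes request headers in META under their CGI names, so the Bearer header lives at `HTTP_AUTHORIZATION`; as written the header branch never matches and every client is pushed onto the `access_token` query/body fallback, which the Bearer draft cited in the class docstring treats as the less preferred transport. The `split(' ', 1)` on the following line also raises ValueError for a header with no space (a bare `Bearer`), surfacing as a 500 instead of an `invalid_request`, and the scheme comparison should be case-insensitive since HTTP auth scheme names are. Suggested: `authorization_method = self._request.META.get('HTTP_AUTHORIZATION')`, `auth_method_type, _sep, auth_method_value = authorization_method.partition(' ')`, `if auth_method_type.lower() == 'bearer' and auth_method_value:` (note `_` alone would shadow the gettext alias imported at the top of the file). Separately, validate_token overwrites the `invalid_request` set by fetch_token with `invalid_token` whenever no token was found, so the 400 entry in prepare_response's errors map is unreachable; returning early from validate_token when `self._error` is already set would preserve the distinction.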
@@ -1,18 +1,20 @@ | ||
import logging | ||
|
||
from django.utils.translation import ugettext_lazy as _ | ||
from oauthost.auth_handlers import BearerAuthHandler | ||
|
||
LOGGER = logging.getLogger('django.oauthost') | ||
|
||
REGISTRY_EP_AUTH_RESPONSE_TYPE = ['code', 'token'] | ||
REGISTRY_EP_TOKEN_GRANT_TYPE = ['authorization_code', 'password', 'client_credentials', 'refresh_token'] | ||
|
||
# Someday here might be something more than bare Bearer. | ||
TOKEN_TYPE_BEARER = 'bearer' | ||
REGISTRY_TOKEN_TYPE = { | ||
(TOKEN_TYPE_BEARER, _('Bearer')), | ||
(TOKEN_TYPE_BEARER, 'Bearer', BearerAuthHandler), | ||
} | ||
|
||
OAUTHOST_TEMPLATE_AUTHORIZE = 'oauthost/authorize.html' | ||
OAUTHOST_TEMPLATE_AUTHORIZE_ERROR = 'oauthost/authorize_error.html' | ||
OAUTHOST_TEMPLATE_AUTHORIZE_PROCEED = 'oauthost/authorize_proceed.html' | ||
OAUTHOST_TEMPLATE_FORBIDDEN = 'oauthost/forbidden.html' | ||
OAUTHOST_TEMPLATE_RESTRICTED = 'oauthost/restricted.html' |
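Review bot: The REGISTRY_TOKEN_TYPE entry now carries the handler class as a third tuple element, but the container is still a set literal, so a consumer can only reach BearerAuthHandler by iterating the set and unpacking three positions; a mapping keyed by the type name, `REGISTRY_TOKEN_TYPE = {TOKEN_TYPE_BEARER: ('Bearer', BearerAuthHandler)}`, would make the lookup direct and match what the name "registry" suggests. The label also changes from `_('Bearer')` to the plain `'Bearer'`, dropping the translation wrapper; if that is deliberate and the `ugettext_lazy as _` import survives this commit (the rendering does not show which side the import lines are on), that import looks unused in this file.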
@@ -0,0 +1,4 @@ | ||
{% extends 'common/base.html' %}{% load i18n %} | ||
{% block oauthost_contents %} | ||
<p>{% blocktrans %}Access to this resource is restricted. Please provide appropriate credentials with the request to proceed.{% endblocktrans %}</p> | ||
{% endblock %} |