Project

General

Profile

Download (5.09 KB) Statistics
| Branch: | Tag: | Revision:

oidc / ckanext / ozwillo_pyoidc / plugin.py @ 1ae62674

1
import logging
2
import conf
3

    
4
import ckan.plugins as plugins
5
import ckan.plugins.toolkit as toolkit
6
from ckan.common import session, c, request
7
from ckan import model
8
import ckan.lib.base as base
9

    
10
from pylons import config, request
11

    
12
from oidc import OIDCClients
13

    
14
plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'
15

    
16
log = logging.getLogger(__name__)
17
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'
18

    
19
CLIENT = None
20

    
21
class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
22
    plugins.implements(plugins.IConfigurer)
23
    plugins.implements(plugins.IRoutes)
24
    plugins.implements(plugins.IAuthenticator, inherit=True)
25

    
26
    def before_map(self, map):
27
        map.connect('/organization/{id:.*}/sso',
28
                    controller=plugin_controller,
29
                    action='sso')
30
        map.connect('/organization/{id:.*}/callback',
31
                    controller=plugin_controller,
32
                    action='callback')
33
        map.connect('/user/slo',
34
                    controller=plugin_controller,
35
                    action='slo')
36
        map.redirect('/organization/{id:.*}/logout', '/user/_logout')
37

    
38
        return map
39

    
40
    def after_map(self, map):
41
        return map
42

    
43
    def identify(self):
44
        user = session.get('user')
45
        if user and not toolkit.c.userobj:
46
            userobj = model.User.get(user)
47
            toolkit.c.user = userobj.name
48
            toolkit.c.userobj = userobj
49

    
50
    def login(self):
51
        global CLIENT
52
        if 'organization_id' in session:
53
            g = model.Group.get(session['organization_id'])
54
            conf.CLIENTS['ozwillo']['client_registration'].update({
55
                'client_id': g._extras['client_id'].value,
56
                'client_secret': g._extras['client_secret'].value,
57
                'redirect_uris': [toolkit.url_for(host=request.host,
58
                                                  controller=plugin_controller,
59
                                                  action='callback',
60
                                                  id=g.name,
61
                                                  qualified=True)]
62
                })
63
            log.info('registration info for organization "%s" set' % g.name)
64
            CLIENT = OIDCClients(conf)['ozwillo']
65
            url, ht_args = CLIENT.create_authn_request(session, conf.ACR_VALUES)
66
            if ht_args:
67
                toolkit.request.headers.update(ht_args)
68
            toolkit.redirect_to(url)
69
        else:
70
            toolkit.redirect_to('/')
71

    
72
    def logout(self):
73
        pass
74

    
75
    def update_config(self, config_):
76
        toolkit.add_template_directory(config_, 'templates')
77
        toolkit.add_public_directory(config_, 'public')
78
        toolkit.add_resource('fanstatic', 'ozwillo_pyoidc')
79

    
80
class OpenidController(base.BaseController):
81

    
82
    def sso(self, id):
83
        log.info('SSO for organization "%s"' % id)
84
        session['organization_id'] = id
85
        session.save()
86
        log.info('redirecting to login page')
87
        login_url = toolkit.url_for(host=request.host,
88
                                    controller='user',
89
                                    action='login',
90
                                    qualified=True)
91
        toolkit.redirect_to(login_url)
92

    
93
    def callback(self):
94
        global CLIENT
95
        if CLIENT:
96
            userinfo = CLIENT.callback(request.GET)
97
            log.info('Received userinfo: %s' % userinfo)
98
            userobj = model.User.get(userinfo['nickname'])
99
            if userobj:
100
                userobj.email = userinfo['email']
101
                if 'given_name' in userinfo:
102
                    userobj.fullname = userinfo['given_name']
103
                if 'family_name' in userinfo:
104
                    userobj.fullname += userinfo['family_name']
105
                userobj.save()
106
                session['user'] = userobj.id
107
                session.save()
108

    
109
            org_url = toolkit.url_for(host=request.host,
110
                                      controller="organization",
111
                                      action='read',
112
                                      id=session['organization_id'],
113
                                      qualified=True)
114
            toolkit.redirect_to(org_url)
115

    
116
    def slo(self):
117
        """
118
        Revokes the delivered access token. Logs out the user
119
        """
120
        global CLIENT
121
        logout_url = str(CLIENT.end_session_endpoint)
122
        org_url = toolkit.url_for(host=request.host,
123
                                  controller='organization',
124
                                  action='read',
125
                                  id=session['organization_id'],
126
                                  qualified=True)
127
        redirect_uri = org_url + '/logout'
128

    
129
        # revoke the access token
130
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
131
        data = 'token=%s&token_type_hint=access_token' % CLIENT.access_token
132
        CLIENT.http_request(CLIENT.revocation_endpoint, 'POST',
133
                            data=data, headers=headers)
134

    
135
        # redirect to IDP logout
136
        logout_url += '?id_token_hint=%s&' % CLIENT.id_token
137
        logout_url += 'post_logout_redirect_uri=%s' % redirect_uri
138
        toolkit.redirect_to(logout_url)
(4-4/4)