import logging
import conf
import ckan.plugins as plugins
import ckan.plugins.toolkit as toolkit
from ckan.common import session, c, request
from ckan import model
import ckan.lib.base as base
from pylons import config, request
import conf
from oidc import create_client
# Configuration keys of this extension are namespaced under this prefix.
plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'

# Dotted path the route map uses to reach OpenidController.
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'

log = logging.getLogger(__name__)

# OIDC client built by OzwilloPyoidcPlugin.login; None until a login starts.
# NOTE(review): one object shared by every request of the worker process.
CLIENT = None
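class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
    """CKAN plugin authenticating users against an OpenID Connect provider.

    Each CKAN organization carries its own OIDC ``client_id`` /
    ``client_secret`` in its group extras.  ``login`` builds the OIDC client
    for the organization that ``OpenidController.sso`` recorded in the
    session and redirects the browser to the provider; the client is kept in
    the module-global ``CLIENT`` for ``OpenidController.callback`` / ``slo``.
    """
    plugins.implements(plugins.IConfigurer)
    plugins.implements(plugins.IRoutes)
    plugins.implements(plugins.IAuthenticator, inherit=True)

    def before_map(self, map):
        """Register the SSO entry point, the OIDC callback and the logout routes."""
        # ``{id:.*}`` accepts anything (including slashes); the value is only
        # trusted once ``model.Group.get`` resolves it to a real organization.
        map.connect('/organization/{id:.*}/sso',
                    controller=plugin_controller,
                    action='sso')
        map.connect('/organization/{id:.*}/callback',
                    controller=plugin_controller,
                    action='callback')
        map.connect('/user/slo',
                    controller=plugin_controller,
                    action='slo')
        # The provider's post-logout redirect lands here; finish with CKAN's
        # own logout.
        map.redirect('/organization/{id:.*}/logout', '/user/_logout')

        return map

    def after_map(self, map):
        """No routes to add after CKAN's own; return the map untouched."""
        return map

    def identify(self):
        """IAuthenticator hook: restore the user recorded at OIDC callback time.

        ``session['user']`` holds the CKAN user id stored by
        ``OpenidController.callback``.  Populates ``toolkit.c.user`` and
        ``toolkit.c.userobj`` when nothing else identified the request yet.
        """
        user_id = session.get('user')
        if not user_id or toolkit.c.userobj:
            return
        userobj = model.User.get(user_id)
        if userobj is None:
            # A session can outlive its user (account removed, database
            # restored).  The original raised AttributeError on every request
            # in that case; drop the stale reference instead.
            log.warning('session refers to unknown user id %r; clearing it',
                        user_id)
            del session['user']
            session.save()
            return
        # NOTE(review): no state check here -- a user whose state is no longer
        # active would still be identified; confirm whether CKAN core filters
        # that before or after this hook.
        toolkit.c.user = userobj.name
        toolkit.c.userobj = userobj

    def login(self):
        """IAuthenticator hook: start the OpenID Connect authorization request.

        Expects ``session['organization_id']`` (set by ``OpenidController.sso``),
        loads that organization's ``client_id`` / ``client_secret`` extras,
        builds the module-global ``CLIENT`` and redirects to the provider's
        authorization endpoint.  Without an organization in the session, or
        with one that carries no client registration, the browser is sent
        back to ``/`` (the original crashed with AttributeError/KeyError).
        """
        global CLIENT
        org_ref = session.get('organization_id')
        if not org_ref:
            toolkit.redirect_to('/')
            return

        g = model.Group.get(org_ref)
        extras = g._extras if g is not None else {}
        if 'client_id' not in extras or 'client_secret' not in extras:
            log.error('no OIDC client registration for organization %r',
                      org_ref)
            toolkit.redirect_to('/')
            return

        # NOTE(review): ``conf.CLIENT`` and ``CLIENT`` are module-global, so
        # two logins for different organizations racing inside one worker
        # overwrite each other's client_id/client_secret before the callback
        # runs.  Building the client per request from the session's
        # organization would remove that cross-organization confusion.
        conf.CLIENT['client_registration'].update({
            'client_id': extras['client_id'].value,
            # never log this value
            'client_secret': extras['client_secret'].value,
            'redirect_uris': [toolkit.url_for(host=request.host,
                                              controller=plugin_controller,
                                              action='callback',
                                              id=g.name,
                                              qualified=True)]
            })
        # NOTE(review): the redirect URI is derived from the Host header; if
        # the deployment does not pin the host (proxy / ``ckan.site_url``), a
        # client-supplied Host ends up in the authorization request.
        log.info('registration info for organization "%s" set', g.name)
        CLIENT = create_client(**conf.CLIENT)
        url, ht_args = CLIENT.create_authn_request(session, conf.ACR_VALUES)
        if ht_args:
            # NOTE(review): these look like headers meant for the redirect
            # *response*; updating the incoming request's headers has no
            # effect on the browser.  Kept as-is pending confirmation against
            # ``oidc.create_client``.
            toolkit.request.headers.update(ht_args)
        toolkit.redirect_to(url)

    def logout(self):
        """IAuthenticator hook: nothing to do here; provider logout is ``OpenidController.slo``."""
        pass

    def update_config(self, config_):
        """IConfigurer hook: register this extension's templates, public files and fanstatic resources."""
        toolkit.add_template_directory(config_, 'templates')
        toolkit.add_public_directory(config_, 'public')
        toolkit.add_resource('fanstatic', 'ozwillo_pyoidc')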
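class OpenidController(base.BaseController):
    """Controller behind the routes registered by ``OzwilloPyoidcPlugin``.

    ``sso`` records which organization the login is for, ``callback``
    completes the OIDC flow on the module-global ``CLIENT`` and ``slo``
    revokes the access token and ends the session at the provider.
    """

    def sso(self, id):
        """Start SSO for organization ``id`` (id or name) via CKAN's login page.

        The organization is validated before it is recorded in the session;
        an unknown one yields 404 here instead of a crash later in ``login``.
        """
        if model.Group.get(id) is None:
            # %r keeps attacker-controlled path text on one log line
            log.warning('SSO requested for unknown organization %r', id)
            toolkit.abort(404, 'Organization not found')
        log.info('SSO for organization "%s"', id)
        session['organization_id'] = id
        session.save()
        log.info('redirecting to login page')
        login_url = toolkit.url_for(host=request.host,
                                    controller='user',
                                    action='login',
                                    qualified=True)
        toolkit.redirect_to(login_url)

    def callback(self):
        """Complete the OIDC flow after the provider redirects back.

        Processes the authorization response (``request.GET``) through the
        module-global ``CLIENT`` built by ``OzwilloPyoidcPlugin.login``, looks
        up an existing CKAN user by the ``nickname`` claim, refreshes that
        user's email/fullname from the claims, records the user id in the
        session and redirects to the organization the SSO started from.
        A callback without an initialised client, or claims matching no CKAN
        user, never logs anyone in.
        """
        global CLIENT
        if not CLIENT:
            # No login was started in this worker (or it restarted); the
            # original fell through and returned an empty response.
            log.warning('OIDC callback received without an initialised client')
            toolkit.redirect_to('/')
            return

        # NOTE(review): assumes CLIENT.callback checks the ``state`` parameter
        # against what create_authn_request stored in the session -- confirm
        # in the ``oidc`` module; without it the callback is open to CSRF /
        # code injection.
        userinfo = CLIENT.callback(request.GET)
        # Only the identifier is logged: the full claim set carries email and
        # real names (the original logged it verbatim at INFO).
        nickname = userinfo.get('nickname')
        log.info('Received userinfo for nickname %r', nickname)

        # NOTE(review): accounts are linked on ``nickname``, which is not a
        # stable subject identifier.  If the provider lets users choose or
        # change their nickname, setting it to another CKAN account's name or
        # id would log the caller in as that account -- the ``sub`` claim
        # should be the linking key.
        userobj = model.User.get(nickname) if nickname else None
        if userobj is None:
            log.warning('no CKAN user matches nickname %r; not logging in',
                        nickname)
        else:
            # NOTE(review): the email is overwritten from the claims without
            # looking at ``email_verified``.
            if 'email' in userinfo:
                userobj.email = userinfo['email']
            name_parts = [userinfo[key]
                          for key in ('given_name', 'family_name')
                          if key in userinfo]
            if name_parts:
                # The original glued the two names together with no
                # separator and could raise TypeError when only family_name
                # was present on a user with no fullname yet.
                userobj.fullname = ' '.join(name_parts)
            userobj.save()
            session['user'] = userobj.id
            # NOTE(review): the session id is not rotated at login; check
            # whether the session backend offers regenerate_id() to rule out
            # fixation.
            session.save()

        org_ref = session.get('organization_id')
        if not org_ref:
            toolkit.redirect_to('/')
            return
        org_url = toolkit.url_for(host=request.host,
                                  controller="organization",
                                  action='read',
                                  id=org_ref,
                                  qualified=True)
        toolkit.redirect_to(org_url)

    def slo(self):
        """
        Revokes the delivered access token and logs the user out at the provider.

        ``post_logout_redirect_uri`` points at the organization's ``/logout``
        route, which ``before_map`` redirects to CKAN's own logout.  Without an
        initialised ``CLIENT`` (no login in this process) the local logout is
        used directly.
        """
        global CLIENT
        try:
            from urllib.parse import urlencode  # Python 3
        except ImportError:  # Python 2 (pylons-era CKAN)
            from urllib import urlencode

        if not CLIENT:
            log.warning('single logout requested without an initialised client')
            toolkit.redirect_to('/user/_logout')
            return

        # NOTE(review): nothing checks that the caller is logged in, and the
        # token revoked below belongs to whichever login last populated the
        # shared CLIENT -- not necessarily the caller.
        org_ref = session.get('organization_id')
        if org_ref:
            org_url = toolkit.url_for(host=request.host,
                                      controller='organization',
                                      action='read',
                                      id=org_ref,
                                      qualified=True)
            redirect_uri = org_url + '/logout'
        else:
            redirect_uri = '%s://%s/user/_logout' % (request.scheme,
                                                    request.host)

        # revoke the access token (form-encoded, so the token is escaped)
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = urlencode({'token': CLIENT.access_token,
                          'token_type_hint': 'access_token'})
        # NOTE(review): the response is not checked and no client
        # authentication is visible here (RFC 7009 expects it); confirm
        # ``CLIENT.http_request`` supplies it.
        CLIENT.http_request(CLIENT.revocation_endpoint, 'POST',
                            data=data, headers=headers)

        # redirect to IDP logout (RP-initiated).  Both parameters are
        # percent-encoded; the original interpolated the redirect URI raw,
        # leaving '?', '&' and '#' unescaped.
        query = urlencode([('id_token_hint', CLIENT.id_token),
                           ('post_logout_redirect_uri', redirect_uri)])
        logout_url = '%s?%s' % (CLIENT.end_session_endpoint, query)
        toolkit.redirect_to(str(logout_url))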