|
1
|
import logging
|
|
2
|
import conf
|
|
3
|
|
|
4
|
import ckan.plugins as plugins
|
|
5
|
import ckan.plugins.toolkit as toolkit
|
|
6
|
from ckan.common import session, c, request
|
|
7
|
from ckan import model
|
|
8
|
import ckan.lib.base as base
|
|
9
|
|
|
10
|
from pylons import config, request
|
|
11
|
|
|
12
|
from oidc import OIDCClients
|
|
13
|
|
|
14
|
plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'
|
|
15
|
|
|
16
|
log = logging.getLogger(__name__)
|
|
17
|
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'
|
|
18
|
|
|
19
|
CLIENT = None
|
|
20
|
|
|
21
|
class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
|
|
22
|
plugins.implements(plugins.IConfigurer)
|
|
23
|
plugins.implements(plugins.IRoutes)
|
|
24
|
plugins.implements(plugins.IAuthenticator, inherit=True)
|
|
25
|
|
|
26
|
def before_map(self, map):
|
|
27
|
map.connect('/organization/{id:.*}/sso',
|
|
28
|
controller=plugin_controller,
|
|
29
|
action='sso')
|
|
30
|
map.connect('/organization/{id:.*}/callback',
|
|
31
|
controller=plugin_controller,
|
|
32
|
action='callback')
|
|
33
|
return map
|
|
34
|
|
|
35
|
def after_map(self, map):
|
|
36
|
return map
|
|
37
|
|
|
38
|
def identify(self):
|
|
39
|
user = session.get('user')
|
|
40
|
if user and not toolkit.c.userobj:
|
|
41
|
userobj = model.User.get(user)
|
|
42
|
toolkit.c.user = userobj.name
|
|
43
|
toolkit.c.userobj = userobj
|
|
44
|
|
|
45
|
def login(self):
|
|
46
|
global CLIENT
|
|
47
|
if 'organization_id' in session:
|
|
48
|
g = model.Group.get(session['organization_id'])
|
|
49
|
conf.CLIENTS['ozwillo']['client_registration'].update({
|
|
50
|
'client_id': g._extras['client_id'].value,
|
|
51
|
'client_secret': g._extras['client_secret'].value,
|
|
52
|
'redirect_uris': [toolkit.url_for(host=request.host,
|
|
53
|
controller=plugin_controller,
|
|
54
|
action='callback',
|
|
55
|
id=g.name,
|
|
56
|
qualified=True)]
|
|
57
|
})
|
|
58
|
log.info('registration info for organization "%s" set' % g.name)
|
|
59
|
CLIENT = OIDCClients(conf)['ozwillo']
|
|
60
|
url, ht_args = CLIENT.create_authn_request(session, conf.ACR_VALUES)
|
|
61
|
if ht_args:
|
|
62
|
toolkit.request.headers.update(ht_args)
|
|
63
|
toolkit.redirect_to(url)
|
|
64
|
else:
|
|
65
|
toolkit.redirect_to('/')
|
|
66
|
|
|
67
|
def logout(self):
|
|
68
|
# revoke all auth tokens
|
|
69
|
# redirect to logout in ozwillo
|
|
70
|
# revoke_endpoint = 'https://portal.ozwillo-preprod.eu/a/revoke'
|
|
71
|
# toolkit.redirect('/user/_logout')
|
|
72
|
pass
|
|
73
|
|
|
74
|
def update_config(self, config_):
|
|
75
|
toolkit.add_template_directory(config_, 'templates')
|
|
76
|
toolkit.add_public_directory(config_, 'public')
|
|
77
|
toolkit.add_resource('fanstatic', 'ozwillo_pyoidc')
|
|
78
|
|
|
79
|
class OpenidController(base.BaseController):
|
|
80
|
|
|
81
|
def sso(self, id):
|
|
82
|
log.info('SSO for organization "%s"' % id)
|
|
83
|
session['organization_id'] = id
|
|
84
|
session.save()
|
|
85
|
log.info('redirecting to login page')
|
|
86
|
login_url = toolkit.url_for(host=request.host,
|
|
87
|
controller='user',
|
|
88
|
action='login',
|
|
89
|
qualified=True)
|
|
90
|
toolkit.redirect_to(login_url)
|
|
91
|
|
|
92
|
def callback(self):
|
|
93
|
global CLIENT
|
|
94
|
if CLIENT:
|
|
95
|
userinfo = CLIENT.callback(request.GET)
|
|
96
|
log.info('Received userinfo: %s' % userinfo)
|
|
97
|
userobj = model.User.get(userinfo['nickname'])
|
|
98
|
if userobj:
|
|
99
|
userobj.email = userinfo['email']
|
|
100
|
if 'given_name' in userinfo:
|
|
101
|
userobj.fullname = userinfo['given_name']
|
|
102
|
if 'family_name' in userinfo:
|
|
103
|
userobj.fullname += userinfo['family_name']
|
|
104
|
userobj.save()
|
|
105
|
session['user'] = userobj.id
|
|
106
|
session.save()
|
|
107
|
|
|
108
|
org_url = toolkit.url_for(host=request.host,
|
|
109
|
controller="organization",
|
|
110
|
action='read',
|
|
111
|
id=session['organization_id'],
|
|
112
|
qualified=True)
|
|
113
|
toolkit.redirect_to(org_url)
|