Project

General

Profile

Download (5.83 KB) Statistics
| Branch: | Tag: | Revision:

oidc / ckanext / ozwillo_pyoidc / plugin.py @ a893339e

1
import logging
2

    
3
import ckan.plugins as plugins
4
import ckan.plugins.toolkit as toolkit
5
from ckan.common import session, c, request
6
from ckan import model
7
import ckan.lib.base as base
8

    
9
from pylons import config, request
10

    
11
import conf
12
from oidc import create_client
13

    
14
plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'
15

    
16
log = logging.getLogger(__name__)
17
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController'
18

    
19
_CLIENTS = {}
20

    
21
class Clients(object):
22

    
23
    @classmethod
24
    def get(cls, g):
25
        global _CLIENTS
26
        if g.id in _CLIENTS:
27
            return _CLIENTS.get(g.id)
28
        client = cls().get_client(g)
29
        _CLIENTS.update({g.id: client})
30
        return client
31

    
32
    def get_client(self, g):
33
        params = conf.CLIENT.copy()
34
        params['client_registration'].update({
35
            'client_id': g._extras['client_id'].value,
36
            'client_secret': g._extras['client_secret'].value,
37
            'redirect_uris': [toolkit.url_for(host=request.host,
38
                                              controller=plugin_controller,
39
                                              action='callback',
40
                                              id=g.name,
41
                                              qualified=True)]
42
        })
43
        return create_client(**params)
44

    
45

    
46
class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
47
    plugins.implements(plugins.IConfigurer)
48
    plugins.implements(plugins.IRoutes)
49
    plugins.implements(plugins.IAuthenticator, inherit=True)
50

    
51
    def before_map(self, map):
52
        map.connect('/organization/{id:.*}/sso',
53
                    controller=plugin_controller,
54
                    action='sso')
55
        map.connect('/organization/{id:.*}/callback',
56
                    controller=plugin_controller,
57
                    action='callback')
58
        map.connect('/user/slo',
59
                    controller=plugin_controller,
60
                    action='slo')
61
        map.redirect('/organization/{id:.*}/logout', '/user/_logout')
62

    
63
        return map
64

    
65
    def after_map(self, map):
66
        return map
67

    
68
    def identify(self):
69
        user = session.get('user')
70
        if user and not toolkit.c.userobj:
71
            userobj = model.User.get(user)
72
            toolkit.c.user = userobj.name
73
            toolkit.c.userobj = userobj
74

    
75
    def login(self):
76
        if 'organization_id' in session:
77
            g = model.Group.get(session['organization_id'])
78
            client = Clients.get(g)
79
            url, ht_args = client.create_authn_request(session, conf.ACR_VALUES)
80
            if ht_args:
81
                toolkit.request.headers.update(ht_args)
82
            toolkit.redirect_to(url)
83
        else:
84
            toolkit.redirect_to('/')
85

    
86
    def logout(self):
87
        log.info('Logging out user: %s' % session['user'])
88
        session['user'] = None
89
        session.save()
90
        g = model.Group.get(session['organization_id'])
91
        if g:
92
            org_url = toolkit.url_for(host=request.host,
93
                                      controller='organization',
94
                                      action='read',
95
                                      id=g.name,
96
                                      qualified=True)
97

    
98
            toolkit.redirect_to(str(org_url))
99
        else:
100
            toolkit.redirect_to('/')
101

    
102
    def update_config(self, config_):
103
        toolkit.add_template_directory(config_, 'templates')
104
        toolkit.add_public_directory(config_, 'public')
105
        toolkit.add_resource('fanstatic', 'ozwillo_pyoidc')
106

    
107
class OpenidController(base.BaseController):
108

    
109
    def sso(self, id):
110
        log.info('SSO for organization "%s"' % id)
111
        session['organization_id'] = id
112
        session.save()
113
        log.info('redirecting to login page')
114
        login_url = toolkit.url_for(host=request.host,
115
                                    controller='user',
116
                                    action='login',
117
                                    qualified=True)
118
        toolkit.redirect_to(login_url)
119

    
120
    def callback(self):
121
        g = model.Group.get(session['organization_id'])
122
        client = Clients.get(g)
123
        userinfo = client.callback(request.GET)
124
        log.info('Received userinfo: %s' % userinfo)
125
        userobj = model.User.get(userinfo['sub'])
126
        if userobj:
127
            if 'given_name' in userinfo:
128
                userobj.fullname = userinfo['given_name']
129
            if 'family_name' in userinfo:
130
                userobj.fullname += userinfo['family_name']
131
            userobj.save()
132
            session['user'] = userobj.id
133
            session.save()
134

    
135
        org_url = toolkit.url_for(host=request.host,
136
                                  controller="organization",
137
                                  action='read',
138
                                  id=g.name,
139
                                  locale=userinfo.get('locale'),
140
                                  qualified=True)
141
        toolkit.redirect_to(str(org_url))
142

    
143
    def slo(self):
144
        """
145
        Revokes the delivered access token. Logs out the user
146
        """
147
        g = model.Group.get(session['organization_id'])
148
        client = Clients.get(g)
149
        logout_url = client.end_session_endpoint
150
        org_url = toolkit.url_for(host=request.host,
151
                                  controller='organization',
152
                                  action='read',
153
                                  id=g.name,
154
                                  qualified=True)
155
        redirect_uri = org_url + '/logout'
156

    
157
        # revoke the access token
158
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
159
        data = 'token=%s&token_type_hint=access_token' % client.access_token
160
        client.http_request(client.revocation_endpoint, 'POST',
161
                            data=data, headers=headers)
162

    
163
        # redirect to IDP logout
164
        logout_url += '?id_token_hint=%s&' % client.id_token
165
        logout_url += 'post_logout_redirect_uri=%s' % redirect_uri
166
        toolkit.redirect_to(str(logout_url))
(4-4/4)